United States: New Requirements for an Effective Compliance and Ethics Program

On April 7, 2010, the United States Sentencing Commission unanimously voted to modify the Federal Sentencing Guidelines' standards for an effective corporate compliance and ethics program. In addition to their formal purpose (establishing a range of penalties for convicted corporations), the guidelines have become an important measuring stick used by federal prosecutors and regulators in assessing whether a company should be charged with a crime at the conclusion of a federal criminal investigation or be subject to civil enforcement action. These have also become, in civil cases, a standard by which to measure a company's and board's efforts to prevent fraud. The most recent amendments clarify the steps necessary, in the eyes of the Sentencing Commission, for a corporation to effectively remediate criminal conduct. The amendments also enhance and amplify the reporting obligations for the company's compliance officer. The amendments will take effect on November 1, 2010. Corporations, particularly public companies, should be mindful of the guidelines and should review their compliance policies and programs, and their efforts to remediate wrongful conduct, in light of these amendments.

Under the Federal Sentencing Guidelines, an effective compliance and ethics program is one intended "to achieve reasonable prevention and detection of criminal conduct."¹ Maintaining an effective program—one that is both documented and is pervasive inside the corporation—can help a company avoid prosecution, advocate for a nonprosecution or deferred prosecution agreement, or mitigate the penalty imposed. As noted above, it also has benefits in civil and administrative litigation.

Standards for an Effective Compliance and Ethics Program

The guidelines encourage companies, when fashioning their program, to be mindful of "applicable industry practice or the standards called for by any applicable governmental regulation."² Under the guidelines, in order to have an "effective" program, the company must, at a minimum:

• establish standards and procedures to prevent and detect criminal conduct;
• ensure that the governing authority (most often, the board of directors) and all high-level personnel exercise reasonable oversight with respect to the implementation and effectiveness of the program, as well as assign overall responsibility for the program to high-level personnel;
• exclude from positions of substantial authority any individual that the company knows, or should know, is engaged in illegal or unethical activities;
• conduct training on and disseminate information about the program's standards and procedures;
• monitor, audit, and evaluate the program, as well as provide a mechanism for anonymous or confidential reporting;
• promote and enforce the program through appropriate incentives and disciplinary measures; and,
• respond appropriately to criminal conduct that is detected and act to prevent further similar conduct.³

The recent amendments stress that "responding appropriately" includes taking steps to provide restitution or remediate harm if there is an identifiable victim or victims, as well as self-reporting, cooperating with authorities, or undertaking other remediation. These are important steps in the civil arena also. The amendments also add that to prevent further criminal conduct after learning of misconduct, the company should take steps to assess risk and enhance the compliance and ethics program.

Involvement of "High-Level Personnel"

There is another important change. In the past, some companies have been denied credit for maintaining an effective compliance program because one or more members of "high-level personnel," including a director, officer, or "individual in charge of a major business or functional unit," participated in, condoned, or were willfully ignorant of the offense. The Commission voted to permit companies to receive credit, despite the participation of such high-level personnel in wrongful conduct, by establishing and maintaining the following four mandatory criteria as part of the company's compliance program:

• The head of the compliance program must report directly to the board of directors or an appropriate subgroup, such as the audit committee;
• The compliance program uncovered the problem before discovery outside the company was reasonably likely;
• The company promptly reported the problem to the government; and,
• No person with responsibility in the compliance program participated in, condoned, or was willfully ignorant of the criminal conduct.

The guidelines contemplate that the head of compliance must have the express authority to communicate personally and promptly with the board or an appropriate subgroup of the board (such as the company's audit committee) on any matter involving criminal, or potentially criminal, conduct, and he or she must report on the implementation and effectiveness of the compliance program at least annually.

Private Litigation

As noted, an effective compliance and ethics program also assists companies in avoiding or mitigating liability in private litigation. In derivative cases, it is powerful evidence demonstrating that the board of directors has met the "duty of care" standard. For example, in Caremark,⁴ the Delaware Court of Chancery stated: "[A] director's obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and [...] failure to do so under some circumstances may [...] render a director liable for losses caused by non-compliance with applicable legal standards."⁵

No compliance program is perfect; none can be expected to detect all violations. Corporations and boards of directors must exercise "a good faith judgment that the corporation's information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner."⁶ The duty of care is satisfied in part by a showing that "adequate information flows to the board."⁷ A key for board protection is a sophisticated and dependable head of compliance with adequate resources and board access.

Recommendations

Before these changes take effect on November 7, 2010, companies should evaluate the effectiveness and structure of their compliance and ethics programs. Companies that are currently reviewing or handling evidence of misconduct, in light of the guidelines, also must address remediation and future effectiveness.

Otherwise, the company's program should take into account the size of the company, industry practices, the risks attendant to the company's business, and any wrongful or criminal conduct uncovered since the adoption of the program. When allegations of wrongdoing for which the company and members of management can held responsible arise, the person responsible for the company's compliance program should promptly report the conduct to the appropriate corporate leadership group or subgroup. That group should evaluate the involvement of any high-level personnel and should address with the compliance chief the proper remedial steps including, under the right circumstances and in consultation with counsel, the merits of self-reporting. In all of these cases, careful deliberation and regular assessment of the company's compliance efforts are recommended.

Footnotes

^{1.U.S. Sentencing Commission, Guidelines Manual, Ch. 8, Pt. B2 (2008), at 1.}

^2.Id.

^3.Id.

^{4.In re Caremark International Inc., 698 A. 2d 959 (Del. Ch. 1996).}

^{5.Id. at 970.}

^6.Id.

^7.Id.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.