Source: United States Department of Justice Criminal Division
Remarks as Prepared for Delivery
I have been fortunate in my career to have served as a prosecutor, as a defense attorney, and to work as a chief compliance officer of a Fortune 500 company. The detection and prevention of criminal conduct has been a constant across these three roles. Perhaps the most challenging of the three roles has been serving in compliance.
I know the resource challenges. The challenges you have accessing data. The relationship challenges. The silo-ing of your function. You are called upon to be a resource for information, an enforcer of law and policy, and somehow the primary architect of your company’s ethical culture. I have seen first-hand how a strong compliance program can ward off misconduct and empower ethical employees. Although I am the head of the Criminal Division, I believe that enforcement, while a critical tool, is not our only one. I believe that the number of prosecutions we bring is not necessarily the most accurate measure of our success.
Having served in these three positions, I know that your compliance role is perhaps the most impactful, because you have a direct role in utilizing the most effective tool in addressing crime – you are trying to prevent it in the first place. That is why we closely evaluate corporate compliance programs during our corporate investigations and after our corporate resolutions, and give significant credit to companies that build strong controls to detect and prevent misconduct.
Today, I want to describe in detail how we evaluate corporate compliance programs to ensure that companies are designing and implementing effective compliance systems and controls, creating a culture of compliance, and promoting ethical values. As our Evaluation of Corporate Compliance Programs guidance makes clear, we expect an effective corporate compliance program to be much more than a company’s policies, procedures, and internal controls. We expect companies to implement compliance programs that: (1) are well designed, (2) are adequately resourced and empowered to function effectively, and (3) work in practice.
First, when we say that we expect a company’s compliance program to be well designed, we closely examine the company’s process for assessing risk and building a program that is tailored to manage its specific risk profile. We want to see whether the company has implemented policies and procedures that are designed to address the key risk areas identified in its risk assessments, and that those policies and procedures are easily accessible and understandable to the company’s employees and business partners. We want to know how the company is training employees, management, and third parties on the risk areas and responsibilities applicable to those individuals. Policies, training, and other processes should address relevant high-risk elements of the company’s business model, such as third-party relationships or mergers and acquisitions. We want to see that the company has established a process for reporting violations of law or company policy that encourages employees to speak up without fear of retaliation, and that those reports are taken seriously, appropriately documented, investigated, and—if substantiated—remediated.
Second, when we are evaluating whether a compliance program is adequately resourced and empowered to function effectively, we want to know more than dollars, headcount, and reporting lines. We will review the qualifications and expertise of key compliance personnel and other gatekeeper roles. We want to know if compliance officers have adequate access to and engagement with the business, management, and the board of directors. We seek to understand whether and how a company has taken steps to ensure that compliance has adequate stature within the company and is promoted as a resource. A company’s commitment to promoting compliance and ethical values at all levels—from the chief executive on down to middle and lower-level managers—is critical.
Third, we want to see evidence that the compliance program is working in practice. We look at whether the company is continuously testing the effectiveness of its compliance program, and improving and updating the program to ensure that it is sustainable and adapting to changing risks. We want to know that a company can identify compliance gaps or violations of policy or law. Equally importantly, we want to see how the company addresses the root causes of these gaps or violations and finds ways to improve its controls and prevent recurrence of issues. We want to see examples of compliance success stories—the discipline of poor behavior, the rewarding of positive behavior, the transactions that were rejected due to compliance risk, positive trends in whistleblower reporting, and the partnerships that have developed between compliance officers and the business. We are also interested in how a company measures and tests its culture—at all levels of seniority and throughout its operations—and how it uses the data from that testing to embed and continuously improve its ethical culture.
There is a separate question of whether a company is demonstrating an ethical culture in practice. Do employees feel empowered to bring issues and questions to the management’s attention? Are managers and compliance officers providing ethical advice to salespeople even though such advice may mean loss of business? Just as we use data analytics to detect and combat criminal schemes, we urge corporations to consider what data analytic tools they can use to monitor compliance with laws and policies within their operations and to ferret out wrongdoing when it occurs.
In addition, whether and how the company responds to prior misconduct speaks to its commitment to compliance and an ethical culture. Companies that have effectively deployed capabilities to conduct independent monitoring and testing of all elements of their compliance program, not just their financial controls—for example, testing effectiveness of training, communications, and compliance culture—and made improvements to the compliance program as a result, set themselves apart. I know that many of you are working at or on behalf of companies to help them design and implement compliance programs, and some of you may be making compliance presentations to our prosecutors in the future. On a practical level, when communicating with us, it is important to demonstrate how a compliance program has been upgraded to address the root cause of the misconduct, and how it is being tested and updated to ensure that it is sustainable and adaptable to changing risk.
We prefer not to hear a ‘check-the-box’ presentation from outside counsel. We like to see the Chief Compliance Officer leading the compliance presentation and demonstrating knowledge and ownership of the compliance program. Not for show, but because we want to empower these teams. Other senior management should also participate, taking ownership of their role in the compliance program and demonstrating commitment to compliance. Based on what we learn about the company’s compliance program, we determine whether an independent compliance monitor should be imposed. We believe that monitorships are effective tools for strengthening corporate compliance programs in companies where there were compliance weaknesses that resulted in criminal conduct. Monitors can be allies to compliance officers in making recommendations that create lasting, sustainable change in corporate culture.
As the Deputy Attorney General discussed last October, we can expect to see the Department imposing independent corporate monitors whenever it is appropriate in order to satisfy our prosecutors that a company is living up to its compliance and disclosure obligations under a non-trial resolution.
When a monitorship is imposed, we follow the Criminal Division’s well-settled selection procedures. When proposing their three monitor candidates to the Division, we encourage companies to not only ensure that the candidates are eminently qualified with deep compliance experience but also that the candidates are diverse both in terms of their types of experience as well as background, in keeping with the Department’s commitment to diversity, equity, and inclusion. Monitors, of course, are not appropriate in every case. For example, where a company:
- has invested—not just from a financial perspective, but from a concerted commitment from the top down—in implementing a strong compliance program;
- has been able to test its controls and demonstrate they are effective;
- has made relevant updates to its program to adapt to changing risks;
- and has cultivated a strong culture of compliance and ethical values,

our prosecutors may decide not to impose a monitor.
To ensure that we are equipped with the resources to make these determinations, we have prioritized building a wealth of compliance expertise among our prosecutors and dedicating resources to strengthen our abilities to assess the effectiveness of compliance programs. We recently revamped the Fraud Section’s former Strategy, Policy, and Training Unit into the Corporate Enforcement, Compliance, and Policy (CECP) Unit to align the name with the Unit’s mission, and we’ve announced new management comprised of prosecutors and former compliance and defense lawyers with deep experience in compliance, monitorships, and corporate enforcement matters. We plan to add additional capability to the Unit. This Unit has responsibility for many aspects of the Fraud Section’s corporate criminal enforcement practice.
When a company comes in to make a compliance presentation to the Fraud Section, it will face tough and probing questions from our compliance specialists. The CECP Unit also provides training on compliance and monitorship matters to prosecutors within and outside the Fraud Section, and works on policy issues. Having these resources helps us to use a consistent approach when evaluating whether a monitor is appropriate. It also allows us to employ appropriate compliance obligations to ensure corporations are maintaining effective compliance programs post-resolution. When we determine that a monitor is not necessary, that does not mean that the company’s obligations to continue to test, improve, and demonstrate the effectiveness of its compliance program end when the resolution is papered. Companies without a monitor are still required to comply with ongoing obligations and report to the Department regarding the status of compliance obligations.
Our CECP attorneys review work plans and self-reports and continue to evaluate a company’s progress—both in reviewing and testing its compliance program and in making the appropriate enhancements to ensure that, at the end of the term of the resolution agreement, the corporation has an effective and sustainable corporate compliance program that is designed to detect and prevent recurrence of criminal misconduct. We are holding companies accountable for failing to comply with their obligations under our corporate resolutions—including obligations to implement an effective compliance program, cooperate, or report allegations of misconduct.
Companies face consequences for violating our agreements, which can and have involved breaches and extensions of the agreements, including extensions of monitorships. Just as we propose charges based on the particular facts and circumstances of a given case, so too with breaches of corporate resolutions: we tailor our proposed sanctions to the nature of any breach, to address the particular facts and circumstances at bar. Whether it’s a corporate guilty plea or an extension of a monitorship, we will pursue appropriate punishments. Our message is clear – companies that make a serious investment in improving their compliance programs and internal controls will be viewed in a better light by the Department. Support your compliance team now or pay later.
Chief Compliance Officers and their functions should have true independence, authority, and stature within the company. In order to further empower Chief Compliance Officers, for all of our corporate resolutions (including guilty pleas, deferred prosecution agreements, and non-prosecution agreements), I have asked my team to consider requiring both the Chief Executive Officer and the Chief Compliance Officer to certify at the end of the term of the agreement that the company’s compliance program is reasonably designed and implemented to detect and prevent violations of the law (based on the nature of the legal violation that gave rise to the resolution, as relevant), and is functioning effectively. In certain resolutions, we will require additional certification language.
As you are aware, when a monitor is imposed pursuant to a resolution, we do not require companies themselves to also provide annual self-reports on the state of their compliance programs since the monitor provides annual reports to the government. However, in instances where a monitor is not imposed and a company is required to provide annual self-reports on the state of their compliance programs, we will consider requiring that the CEO and the CCO will also have to certify that all compliance reports submitted during the term of the resolution are true, accurate, and complete. By taking this step, we are ensuring that Chief Compliance Officers receive all relevant compliance-related information and can voice any concerns they may have prior to certification. I have been in your CCO role. Again, I know the challenges.
Today’s announcement is not punitive in nature. No, it is a new tool in your arsenal to combat those challenges. It is the type of resource that compliance officials, including myself, have wanted for some time, because it makes it clear that you should and must have appropriate stature in corporate decision-making. It is intended to empower our compliance professionals to have the data, access, and voice within the organization to ensure you, and us, that your company has an ethical and compliance focused environment.
A final word, connecting our emphasis on strengthening compliance to some of our recent policy announcements. When you are asked about your compliance program and whether it’s adequately creating, maintaining, and supporting an ethical culture, the question again goes to individual accountability. We want to know about your investment in compliance, not simply because we want you to hire more consultants or buy more sophisticated training software. No, as a former Chief Compliance Officer who now serves as the head of the Criminal Division, I want to know whether you are doing everything you can to ensure that when that individual employee is facing a singular ethical challenge, he has been informed, trained, and empowered to choose right over wrong. Or if he makes the wrong choice, you have a system that immediately detects, remediates, disciplines, and then adapts to ensure that others do not follow suit. That is how powerful a role you have in improving our world. Embracing that calling, today and every day.
I look forward to working with you, individually and collectively, in preventing and combatting criminality in the workplace and our world at large. Thank you, and have a wonderful conference.