On April 30, 2019, the U.S. Department of Justice (“DOJ”) issued revised guidance for evaluating corporate compliance programs. DOJ’s Evaluation of Corporate Compliance sets forth eleven key evaluation topics that prosecutors may consider when deciding whether to file criminal charges against a company or what penalty to impose. Unlike DOJ’s original 2017 guidance, the revised version applies to the entire Criminal Division, not only the Fraud Section. Two days later, the U.S. Department of the Treasury’s Office of Foreign Asset Control (“OFAC”) issued A Framework for OFAC Compliance Commitments, a new guidance document that sets forth OFAC’s expectations for sanctions compliance programs, including an appendix of common root causes and deficiencies. Neither guidance document provides new or novel insight into the makings of an effective compliance program; rather, each represents the latest elaboration on the basic principles set forth in the seminal Packard Report and later enshrined in the U.S. Sentencing Guidelines. Nonetheless, these guidance materials offer a timely reminder of the importance of investing proactively in an effective compliance program, and of remediating urgently in times of trouble.
While these new guidance documents add to the growing proliferation of materials informing companies of U.S. government expectations,[1] they differ from each other and from past guidance mainly in organization and structure. The real challenge for practitioners will be to identify those guidance materials that are tied most directly to their top compliance risks, and to “matrix” those requirements into a single format that can be mapped to their current compliance program and used for audits and self-assessments. As more agencies, U.S. and international, issue and refresh such guidance materials,[2] it becomes more important than ever for corporate compliance officials to update the elements of their internal compliance programs, to ensure those programs are properly calibrated to the most applicable, and overlapping, government guidance materials.
DOJ’s new Evaluation of Corporate Compliance reorganizes and aligns the elements set forth in its previous guidance according to the following three “fundamental questions”:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
- Does the corporation’s compliance program work in practice?
All of the key program elements are now aligned according to these three categories:
Well Designed? | Implemented Effectively? | Work in Practice? |
---|---|---|
Risk assessment | Senior and middle management commitment | Continuous improvement, testing and review |
Policies and procedures | Autonomy and resources | |
Training and communication | Incentives and discipline | |
Confidential reporting and investigating* | Investigation of misconduct* | |
Third party management | Analysis and remediation of misconduct | |
Mergers and acquisitions | | |
Each of the eleven elements is broken into subcomponents to help explain exactly what is intended. For instance, “Training and Communication” is divided into four sub-sections: risk-based training; form, content and effectiveness; communications about misconduct; and availability of guidance. This makes DOJ’s guidelines particularly well suited for creation of a matrix that can be used for program design and testing, and to ensure that your compliance program satisfies the government’s expectations. A chart at the end of this Alert summarizes how DOJ’s new guidance document aligns with OFAC’s, and with the COSO framework and Sentencing Guidelines requirements.
Again, though none of these elements is new, “investigations” now appears twice in the guidance—first as part of the compliance program’s design (is there an appropriate process for responding to complaints?), and second as part of the review of whether the program is actually working (were investigations independent, properly scoped, soundly conducted, documented, and the catalyst for root cause analysis and remediation?). The message here is clear: it is critical to ensure that your investigations are conducted by qualified, objective personnel, and scoped broadly enough to root out the underlying causes and identify potential system-wide weaknesses.
Interestingly, DOJ’s new guidance is silent on a number of factors highlighted in DOJ’s recently updated Criminal Manual Section 9-47.000, which identifies those factors DOJ will consider when pursuing enforcement actions in FCPA matters. Most notably, DOJ’s new compliance guidelines are silent on the issue of whether a company’s controls “prohibit[] the improper destruction or deletion of business records, including implementing appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations.” On the one hand it is understandable that DOJ sought to avoid emptying the kitchen sink into its new guidelines. On the other, its omission of such a significant, and controversial, recently released compliance obligation reinforces the point that companies must diligently survey all of the applicable government guidance materials appropriate to their risk profiles—including those emanating from the same organization, such as DOJ—and create an “elements matrix” that includes all of the compliance elements set forth in these competing and overlapping sources.
OFAC’s new Compliance Commitments is organized in a more traditional fashion and focuses on the key elements found in many common sources, such as the COSO standards: (i) management commitment, (ii) risk assessment, (iii) internal controls, (iv) testing and auditing, and (v) training. Of course, OFAC has injected OFAC-specific requirements into each of these elements, such as “Senior management ensures that its compliance unit(s) is/are delegated sufficient authority and autonomy to deploy its policies and procedures in a manner that effectively controls the organization’s OFAC risk” (emphasis added). OFAC has appended to its guidance a section entitled “Root Causes of OFAC Sanctions Compliance Program Breakdowns or Deficiencies Based on Assessment of Prior OFAC Administrative Actions,” which is intended to catalog common issues identified in prior enforcement actions. While a number of these items resemble true root causes or deficiencies (such as “Lack of a Formal OFAC [compliance program]”), many others more closely resemble violation types, such as “Facilitating Transactions by Non-U.S. Persons (Including Through or By Overseas Subsidiaries or Affiliates)” or “Exporting or Re-exporting U.S.-origin Goods, Technology, or Services to OFAC-Sanctioned Persons or Countries.” Either way—whether root causes or enforcement categories—OFAC’s appendix highlights those issues OFAC considers most serious when meting out penalties and is worthy of attention.
Together these new guidelines create an opportunity for companies to reexamine and refresh their existing compliance programs, with focus on those issues that matter most, including:
- Whether your compliance programs have been fully integrated into business activities.[3] If your program consists largely of an overlay of written policies and procedures that are not embedded into day-to-day business processes, your program likely will not be considered by the regulators to be “real”—and for good reason.
- Whether your compliance programs are subject to continual audit and testing, to ensure they are working as intended and not subject to evasion.[4]
- Whether you are conducting and documenting robust root cause analyses when violations of law or policy are detected, and, then, promptly designing and implementing remedial measures.[5]
- Whether technology solutions are implemented effectively and tested thoroughly, and, in the case of sanctions screening software, whether they account for misspellings and imperfect data. Off-the-shelf tools may boast glitzy functionality but can fail miserably if not implemented thoughtfully and tested periodically.[6]
- If you are a non-U.S. company conducting business in or with the U.S., U.S. persons, U.S.-origin goods or services, or U.S. currency, whether you have implemented a compliance program that satisfies U.S. government expectations.[7]
- Whether you have sufficiently employed and empowered compliance officers dedicated to your top compliance risks, such as OFAC sanctions compliance officers, who have appropriate experience, training and authority.[8]
- Whether you have sufficiently centralized your compliance program, to prevent scattered and inconsistent decision making.[9]
- Whether you are conducting sufficient third-party due diligence, including for customers, supply chain, intermediaries, and counter-parties, and taking into consideration the third-parties’ ownership, geographic locations, counter-parties, transactions, and their knowledge of U.S. compliance requirements.[10]
- Whether you are conducting sufficient due diligence before M&As involving non-U.S. businesses, and whether you are timely integrating those acquisitions into your compliance program once the deal closes.[11]
At bottom, companies should take note of DOJ and OFAC’s new guidance, to ensure their compliance programs reflect, and correlate to, the agencies’ most recent renditions of what is expected of corporate compliance programs. And, if you find yourself subject to an enforcement action, these guidelines provide a clear roadmap for the steps to be taken to remediate your program and, just as importantly, lessen the severity of the government’s potential penalty.
*****
Compliance Program Element | DOJ’s Evaluation of Corporate Compliance | OFAC’s A Framework for OFAC Compliance Commitments | COSO’s Internal Control – Integrated Framework Principles | USSG §8B2.1 - Effective Compliance and Ethics Program |
---|---|---|---|---|
Risk Assessment | Section I.A | Page 3,4 | 6,7,8,9 | §8B2.1(c) |
Policies and Procedures | Section I.B | Page 5,6 | 10,12 | §8B2.1(b)(1) |
Training and Communication | Section I.C | Page 7,8 | 13,14,15 | §8B2.1(b)(4)(B) |
Confidential Reporting Structure and Investigation Process | Section I.D | | | §8B2.1(b)(5)(c) |
Third Party Management | Section I.E | Page 6 | | |
Mergers and Acquisitions (M&A) | Section I.F | Page 4 | | |
Commitment by Senior and Middle Management | Section II.A | Page 2,3 | 1,2,3 | §8B2.1(b)(2)(A), §8B2.1(b)(2)(B) |
Autonomy and Resources | Section II.B | Page 2,3 | 3,4 | §8B2.1(b)(2)(B), §8B2.1(b)(2)(C) |
Incentives and Disciplinary Measures | Section II.C | | 5 | §8B2.1(b)(6)(A), §8B2.1(b)(6)(B) |
Continuous Improvement, Testing and Review | Section III.A | Page 6,7 | 16, 17 | |
Investigation of Misconduct | Section III.B | | | |
Analysis and Remediation of Misconduct | Section III.C | Page 5, 6 | | §8B2.1(b)(7) |
[1] See, e.g., Justice Manual, 9-28.300, “Principles of Federal Prosecution of Business Organizations”; Justice Manual, 9-47.000, “Foreign Corrupt Practices Act Of 1977”; United States Sentencing Guidelines §§ 8B2.1, 8C2.5(f) and 8C2.8(11); Assistant Attorney General of the United States, Memorandum on Selection of Monitors in Criminal Division Matters (Oct. 11, 2018); “Guidance on Existing AML Program Rule Compliance Obligations for MSB Principals with Respect to Agent Monitoring,” available at https://www.fincen.gov/resources/statutes-regulations/guidance/guidance-existing-aml-program-rule-compliance-obligations; BIS’s Elements of an Effective Compliance Program, available at https://www.bis.doc.gov/index.php/documents/pdfs/1641-ecp/file.
[2] See, e.g., OECD’s Good Practice Guidance on Internal Controls, Ethics, and Compliance, available at http://www.oecd.org/daf/anti-bribery/44884389.pdf; International Organization for Standardization, “Compliance Management Systems – Guidelines,” ISO 19600; Committee of Sponsoring Organizations (“COSO”), “Internal Control – Integrated Framework Principles,” available at https://www.coso.org/Documents/COSO-ICIF-11x17-Cube-Graphic.pdf.
[3] DOJ advises that policies and procedures must be “well-integrated into the company’s operations and workforce,” including “appropriate assignments of responsibility, to training programs, to systems of incentives and discipline.” See Evaluation, Section I, at 3. OFAC requires that a company’s policies and procedures “capture the organization’s day-to-day operations and procedures” and be enforced through internal and/or external audits. OFAC also states that integration should include “consultations with relevant business units and confirm the organization’s employees understand the policies and procedures.” See Commitments at 5,6.
[4] DOJ advises companies to engage in regular testing and review to determine when policies, procedures and practices need to be updated to reflect new business needs. See Evaluation Section III.A at 15,16.
[5] Prosecutors will evaluate whether a company’s root cause analysis contemplates both “what contributed to the misconduct and the degree of remediation needed to prevent similar events in the future.” See Evaluation Section III at 14; OFAC stresses that upon learning of a negative testing result, audit finding or compliance escape, organizations should “take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.” See Commitments, at 6,7.
[6] OFAC identifies “Filter Faults” such as failing to update “sanctions screening software to incorporate updates to the SDN Lists or SSI List” and failing to “include pertinent identifiers such as SWIFT Business Identifier Codes for designated, blocked or sanctioned financial institutions” as a frequent root cause in enforcement actions. See Commitments, at 11.
[7] OFAC warns that companies with foreign-based operations and/or subsidiaries located outside the U.S. should ensure that approvals, contracts and procurement activity pertaining to their non-U.S. locations are also OFAC-compliant. Additionally, OFAC specifies that “although no organizations subject to U.S. jurisdiction may be involved in the underlying transaction – such as the shipment of goods from a third-country to an OFAC-sanctioned country – the inclusion of a U.S. financial institution in any payments associated with the transaction often results in a prohibited activity.” See Commitments, at 9,10.
[8] DOJ guidance directs prosecutors to evaluate whether “compliance and control personnel have the appropriate experience and qualifications for their roles and responsibilities.” See Evaluation Section II.B at 12; OFAC evaluates “the quality and experience of the personnel dedicated to the SCP, including: (i) the technical knowledge and expertise of these personnel with respect to OFAC’s regulations, processes, and actions; (ii) the ability of these personnel to understand complex financial and commercial activities, apply their knowledge of OFAC to these items, and identify OFAC-related issues, risks, and prohibited activities; and (iii) the efforts to ensure that personnel dedicated to the SCP have sufficient experience and an appropriate position within the organization, and are an integral component to the organization’s success.” See Commitments, at 2.
[9] OFAC states that de-centralized compliance programs lead to violations because of a “…lack of a formal escalation process to review high-risk or potential OFAC customers or transactions, an inefficient or incapable oversight and audit function, and miscommunications regarding the organization’s sanctions-related policies and procedures.” See Commitments, at 11.
[10] DOJ guidance stresses companies should practice “risk-based” due diligence, and prosecutors should analyze whether a company ensures that “contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographic region.” See Evaluation Section I.E at 7,8; OFAC advises that multiple administrative actions involve “improper or incomplete due diligence by a company or corporation on its customers, such as their ownership, geographic locations(s), counter-parties, and transactions, as well as their knowledge and awareness of OFAC sanctions.” See Commitments, at 11.
[11] DOJ warns that “Pre-M&A due diligence enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target,” and “Flawed or incomplete due diligence can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation…” See Evaluation Section I.F at 9; OFAC advises that “Compliance functions should also be integrated into the merger, acquisition, and integration process. Whether in an advisory capacity or as a participant, the organization engages in appropriate due diligence to ensure that sanctions-related issues are identified, escalated to relevant senior levels, addressed prior to the conclusion of any transaction, and incorporated into the organization’s risk assessment process.” See Commitments, at 4.