3 Fundamental Pieces of an FBI Compliance Program
The U.S. Department of Justice Criminal Division published its updated “Evaluation of Corporate Compliance Programs” memo in June 2020. It provides detailed information on what factors prosecutors should consider when (1) conducting their investigations of a corporation, (2) determining whether to bring charges, and (3) negotiating pleas or other agreements. One critical factor concerns the adequacy and effectiveness of a corporation’s compliance program at the time of the offense and at the time of a charging decision as well as the remedial efforts used by the corporation to address the program and improve it.
The effectiveness of a corporation’s compliance program assists the FBI and prosecutors in determining the appropriate form of any resolution or prosecution; the monetary penalty, if any, to be imposed; and the extent of compliance obligations that the corporation will be obligated to perform such as reporting or monitorship obligations.
There are three fundamental questions that prosecutors ask regarding a corporation’s compliance program each of which contains vital elements of an FBI compliance program. In this article, we explain the most important elements of a corporate compliance program within each fundamental question, as detailed in the DOJ’s memo on compliance programs.
I. Is the Corporation’s Compliance Program Well Designed?
The first question examines whether the corporation’s compliance program is effectively designed to prevent and detect wrongdoing as well as whether corporate management is adequately enforcing the program. An effective design strategy is the backbone of a successful corporate compliance program. Corporations should make it their priority to design a program that easily satisfies the following elements:
- The compliance program is designed in a manner that detects the types of misconduct most likely to occur in the corporation’s line of business. This involves examining whether the corporation has analyzed risks presented from its operations, location, size, industry, regulatory landscape, market competitiveness, clients, business partners, foreign government transactions, payments to foreign officials, and the use of gifts or donations.
- The code of conduct sets forth the corporation’s commitment to full compliance with federal law and is accessible to all employees. The code of conduct must be accessible and comprehensible to all employees. It is the corporation’s job to establish policies and procedures that incorporate management’s commitment to compliance in its day-to-day operations.
- The corporations’ training programs and communications are integral components of the compliance program. All personnel should receive periodic training and certifications—including all directors, officers, relevant employees, and agents and business partners.
- The compliance program contains an anonymous and confidential mechanism for employees to report allegations of wrongdoing. The complaint-handling process within the corporation—the corporation’s whistleblower program—should be proactive and promoted without fear of retaliation.
- The corporation maintains an effective risk-based due diligence approach towards third-party relationships. The corporation should be able to explain the business rationale for transacting with the third party as well as identify the risks posed by third-party partners.
- The compliance program includes both pre- and post-acquisition due diligence and integration procedures. Healthy due diligence and integration procedures are important parts of the compliance program because they prevent misconduct, reputational harm, and civil or criminal liability.
II. Is the Corporation’s Compliance Program Adequately Resourced and Empowered to Function Effectively?
The second question delves deeper into the compliance program by examining whether it is effective in practice as opposed to whether it is a mere “paper program.” In order to successfully satisfy this question, corporations should ensure that their compliance program meets the following elements:
- Corporate employees are regularly informed about the compliance program and the corporation’s commitment to it. It is critical that the corporation’s top leaders—including management, the broad of directors, and executives—set the tone for the business and lead by example and action.
- Those charged with the oversight of the compliance program have the adequate authority and resources to implement it. While the degree and extent of a corporation’s resources will depend on the size, structure, and risk profile of the business, effective implementation always depends on the adequate authority of those charged with oversight of the compliance program.
- The corporation establishes and implements a system for incentives for employee compliance and disincentives for employee non-compliance. The corporation must have not only a clear system in place for disciplinary actions, but it must also enforce these procedures consistently within the corporation regardless of the position or title of the personnel member who engages in the conduct.
III. Does the Corporation’s Compliance Program Work in Practice?
The last question determines whether the corporation’s compliance program was working effectively at the time of the offense. Prosecutors often examine how the misconduct was detected, what resources were in place to investigate the misconduct, and the nature of the corporation’s remedial efforts. As a result, it is incumbent upon corporations to double check that their compliance program meets the following elements:
- The corporation promotes improving, evolving, and periodically testing its compliance program. Because a company’s business and regulatory laws change over time, a corporation must continuously engage in meaningful efforts to review and update its compliance program.
- The compliance program appropriately and timely investigates allegations or suspicions of misconduct and documents the corporation’s response. This element reveals whether the corporation’s compliance program is working effectively due to its ability to monitor, identify, remediate, and document allegations or suspicions of misconduct.
- The compliance program is able to effectively pinpoint the cause of the misconduct and remediate it. An effective compliance program will be able to identify the source of the misconduct, remediate it, and prevent it from occurring in the future.
These factors represent important elements that a corporation should incorporate within its compliance program to avoid federal investigation, monetary penalties, reputational harm, and even jail time. However, the elements identified are not a checklist to be satisfied by a rigid set of criteria applicable to all corporations. The means by which prosecutors will examine corporations for an effective compliance program depends on the nature of the corporation’s business, size, location, risk profile, and numerous additional factors. It is nevertheless always critical for corporations to ensure that they have a robust compliance program in place to guard against liability under federal law and demonstrate full compliance.