In November 2015, the DOJ Criminal Division announced the hiring of Hui Chen as Compliance Counsel. Chen will aid in assessing the quality and effectiveness of companies’ corporate compliance programs under scrutiny by the DOJ, in order to assist prosecutors in evaluating corporate compliance and remediation measures. Since the appointment, DOJ Fraud Section Chief Andrew Weissmann and Chen have spoken publicly about their expectations for compliance programs and the anticipated effects of the DOJ’s aim to step up enforcement. She is helping to establish “benchmarks” for corporate compliance with companies across various industries. This will allow the DOJ to better examine compliance programs not only to see if they actually exist or meet minimum standards, but whether they are closer to better practices. The DOJ has highlighted four broad areas of inquiry when evaluating an organization’s compliance program:
- Program Design. This includes those involved in compliance program design and structure, those who have taken ownership of the program, and how far the program extends into business practices. It also highlights the importance of an effective high-risk assessment and management, or as the OIG puts it, “ongoing monitoring and auditing” of high risk areas.
- Program Operation. This includes how well compliance programs are conducting ongoing monitoring and auditing of functions and operations. The DOJ warns against “paper programs,” or as the OIG calls them, “sham programs.” When involved in reviewing programs, the OIG will look below the surface to see how the program really is operating.
- How compliance is communicated to everyone in the organization. This involves the (a) frequency with which compliance communications are delivered; (b) channels for reporting violations and irregularities; (c) level of employee knowledge about the compliance program and risks relevant to their duties; (d) corporate understanding of the challenges frontline employees face; and (e) level of comfort employees feel in raising questions and issues.
- Level of resources for the compliance program. This includes determining the sufficiency of human and financial resources, the level of attention and commitment supporting those resources, and the degree of independence of the compliance officer, especially in responding to “red flags” of potential wrongdoing.
Carrie Kusserow, who has served as Chief Compliance Officer to large health care systems and has experience as a consultant at a Big Four accounting firm believes, “The strongest message coming from the DOJ is that it is critical to be able to evidence compliance with documentation requirements. The DOJ expects companies to be taking a proactive approach in benchmarking their compliance efforts. It is also worth remembering that being able to evidence a solid compliance program will help avoid unwelcome scrutiny from the DOJ. Looking at it the other way, the absence of real compliance involvement in company deliberations increases the likelihood of enforcement actions and will lead to aggravation of penalties. The DOJ makes it clear that it is serious about looking closely at whether compliance programs are simply ‘paper’ or ‘sham’ programs, or whether the institution and its culture will actually embrace and support compliance.”
Another compliance expert, Steve Forman, CPA, who has not only been a compliance consultant but has served as a chief compliance officer for major organizations adds, “Company leadership must do more than talk about their commitment to compliance, they must evidence it. The DOJ will want evidence of an effective program, which means seeing evidence that the compliance program is able to detect and prevent misconduct. To do this, the program needs to have the whole company’s commitment to compliance, beginning at the Board and executive level.”
Tom Herrmann, JD, a nationally recognized expert on compliance programs who has served as an OIG executive in the Office of Counsel to the Inspector General notes, “For all practical purposes, all of the points the DOJ has emphasized to date concerning what makes an effective compliance program follow along the very same lines as the OIG compliance guidance documents.” Herrmann cites the following as examples of this from their public statements:
- Training should be focused on educating employees on the rules and what to do when they discover violations of those rules, such as who to contact and how.
- Communicating compliance policies and ensuring that they are understood by all relevant parties is critical to an effective compliance program.
- Consistency in compliance enforcement at all levels is necessary.
- Compliance must be part of the executive leadership to allow them to participate in leadership decision-making.
- There must be continuous updating of best practices and appropriate employee trainings.
- Compliance must have sufficient resources to perform its function effectively.
- The compliance function should be independent and autonomous within the organization.
The DOJ has advertised several metrics used to evaluate the effectiveness of corporate compliance programs, beginning with the Yates Memorandum, where the DOJ expects companies under investigation to provide information on culpable individuals to assist in the investigation. The Compliance Counsel will assist in determining whether, or to what extent, a company should be held responsible for the actions of its employees or agents. The DOJ’s stated intention is to develop and publish a comprehensive list of questions to ask when evaluating compliance program effectiveness.
Al Bassett, JD, who has twenty years of compliance experience and has spent time working with the DOJ and as a Deputy IG, expects that the list will include the following ten points:
- Do directors and executive leadership evidence strong and visible compliance support?
- Does the compliance officer have sufficient stature to be able to meet obligations?
- Is there adequate funding and access to necessary resources for the compliance program?
- Is the written compliance guidance clearly written and easily understood by employees?
- Have compliance policies been effectively communicated to and easy to find for employees?
- Do employees receive repeated training on compliance?
- Does training include directions on how to report issues that arise without fear of retaliation?
- Are policies and practices kept current to address evolving risks and circumstances?
- Are there mechanisms to enforce compliance policies in an evenhanded manner?
- Are third parties such as vendors, agents, or consultants held accountable for compliance?
As the DOJ Compliance Counsel is engaged in further analysis of compliance programs of organizations investigated by prosecutors, it can be expected that she will continue to gain insight as to what constitutes evidence of an effective compliance program. In turn, she is committed to making this information publicly available.