This week I am considering the recent settlement by the Department of Justice (DOJ) with The Boeing Company (Boeing) around its fraud in the certification of its 737 MAX aircraft. The resolution was via a Deferred Prosecution Agreement (DPA). Under the DPA, Boeing agreed to pay a total amount of $2.5 billion. According to a DOJ Press Release, this total amount consisted of “a criminal monetary penalty of $243.6 million, compensation payments to Boeing’s 737 MAX airline customers of $1.77 billion, and the establishment of a $500 million crash-victim beneficiaries fund to compensate the heirs, relatives, and legal beneficiaries of the 346 passengers who died in the Boeing 737 MAX crashes of Lion Air Flight 610 and Ethiopian Airlines Flight 302.” This enforcement involved a fraud by Boeing on the US government.

The criminal penalty could have been much higher. Boeing did receive some credit for cooperation, the DPA somewhat dryly noted “such cooperation, however, was delayed and only began after the first six months of the Fraud Section’s investigation, during which time the Company’s response frustrated the Fraud Section’s investigation.” The company did better with its remediation and also received credit under the Corporate Enforcement Policy for its extensive remediation, which included:

• creating a permanent aerospace safety committee of the Board of Directors to oversee the Company’s policies and procedures governing safety and its interactions with the FAA and other government agencies and regulators;
• creating a Product and Services Safety organization to strengthen and centralize the safety-related functions that were previously located across the Company;
• reorganizing the Company’s engineering function to have all Boeing engineers, as well as the Company’s Flight Technical Team, report through the Company’s chief engineer rather than to the business units; and
• making structural changes to the Company’s Flight Technical Team to increase the supervision, effectiveness, and professionalism of the Company’s Flight Technical Pilots, including moving the Company’s Flight Technical Team under the same organizational umbrella as the Company’s Flight Test Team, and adopting new policies and procedures and conducting training to clarify expectations and requirements governing communications between the Company’s Flight Technical Pilots and regulatory authorities, including specifically the FAA.

Boeing also made significant changes to its top leadership since the fraud including the former Chief Executive Officer (CEO) resigning after his rather pathetic performance during the crisis.

There are several points for every compliance professional. Boeing put a “permanent aerospace safety committee” on the Board. It is somewhat amazing that it did not do so before but it points to the increasingly important role of the Board in risk management. The Delaware Supreme Court in the Marchand decision (Blue Bell) made clear that companies must make certain that its highest risk is managed at the Board level. For any airline manufacturer one of its key risks is safety. This new Board committee will “oversee the Company’s policies and procedures governing safety and its interactions with the FAA and other government agencies and regulators.”

Boeing centralized product safety by pulling it from the business units and centralizing product safety into a separate corporate function. This is also a best practice for a corporate compliance function. It must be independent from reporting to or even being influenced by the business unit in performing its job. Simply put, if the business unit has authority over compliance, compliance will not be able to do its job. This same reorganization was made for Boeing’s engineering function.

As with every DPA involving violations of the Foreign Corrupt Practices Act (FCPA), there is a best practice compliance program laid out in Attachment C, which Boeing agreed to implement and continue using going forward. While the compliance program laid out in the Boeing DPA is somewhat different that the standard FCPA-violation DPA, it certainly merits study by all compliance practitioners. For instance, under Attachment C Boeing is required to “ensure that its directors and senior management provide strong, explicit, and visible support and commitment to its corporate policy against violations of U.S. fraud laws and its compliance codes, and demonstrate rigorous adherence by example. The Company will also ensure that middle management, in turn, reinforces those standards and encourages employees to abide by them. The Company will create and foster a culture of ethics and compliance with the law in its day-to-day operations.” This means senior management must provide visible and demonstrable support to creating a culture of ethics within the organization.

Under policies and procedures, the company must base its policies on periodic fraud risk assessments and should update both policies and procedures no less than annually. One or more senior executive will be in charge of fraud prevention, detection and remediation and will report directly to “independent monitoring bodies, including internal audit, the Company’s Board of Directors, or any appropriate committee of the Board of Directors, and shall have an adequate level of stature and autonomy from management as well as sufficient resources and authority to maintain such autonomy.”

Regarding training, Boeing will “ensure that its compliance code, policies, and procedures regarding U.S. fraud laws are effectively communicated to all directors, officers, employees, and, where necessary and appropriate, agents and business partners.” Moreover, this training should be “tailored to the audience’s size, sophistication, or subject matter expertise and, where appropriate, will discuss prior compliance incidents.” [emphasis supplied]

In the area of internal reporting and investigations, Boeing will “handle the investigations of such complaints in an effective manner, including routing the complaints to proper personnel, conducting timely and thorough investigations, and following up with appropriate discipline”. Discipline should be “designed to effectively enforce its compliance code, policies, and procedures” and should be “applied consistently and fairly, and in a manner consistent with the violation, regardless of the position held by, or perceived importance of, the director, officer, or employee.” But more than simply discipline, the company should be “appropriately incentivizing compliance”. [emphasis supplied]

Boeing must remedy the “harm resulting from such misconduct, and to ensure that appropriate steps are taken to prevent further similar misconduct” by performing a root cause analysis which would assess “the internal controls, compliance code, policies, and procedures and making modifications necessary to ensure the overall compliance program regarding U.S. fraud laws is effective.” Under Mergers and Acquisitions (M&A), Boeing must engage in pre-acquisition due diligence by conducting “appropriate risk-based due diligence on potential new business entities, including appropriate due diligence regarding U.S. fraud laws by legal, accounting, and compliance personnel.” [emphasis supplied]

Finally, under monitoring and testing, Boeing agreed to “ensure that its compliance program does not become stale”. It will do so by conducting periodic reviews and testing of its compliance code, policies, and procedures to evaluate and improve the effectiveness in “preventing and detecting violations of U.S. fraud laws and the Company’s code, policies, and procedures regarding U.S. fraud laws, taking into account relevant developments in the field and evolving industry standards.” If misconduct is found, “the Company will conduct a thoughtful root cause analysis and timely and appropriately remediate to address the root causes.” [emphasis supplied] It is important to note that Boeing was not required to have a corporate monitor.

Join me Monday where I conclude with final thoughts on lessons learned for the compliance professional.

[View source.]