[author: John Kim]

Introduction

A corporate compliance program can be thought of as a magnet that brings a company’s compliance efforts together. It is an operational program, not simply a code of expected ethical behavior.[1]

An effective compliance program mitigates errors and protects the company from unnecessary risks, litigation, and negative publicity. In the long run, protecting the business from risk has a significant return on investment by preserving brand reputation, bolstering ethical standing, and providing a competitive advantage. Additionally, a well-run corporate compliance program can help your business attract and retain top talent. If that is insufficient impetus, consider the regulatory implications and positions.

In this article, we examine the U.S. Department of Justice’s (DOJ) newly revised Corporate Enforcement Policy (CEP), and detail methodologies and tools corporations can leverage to ensure they have a comprehensive compliance program in place that meets the new CEP and can help them avoid prosecution.

The DOJ’s Updated Incentives for Corporate Compliance [2]

In January 2023, Assistant Attorney General for the DOJ’s criminal division, Kenneth Polite, Jr., announced the most significant changes to the CEP since 2017 with the addition of more incentives for companies to avoid prosecution. The policy changes provide companies new incentives for self-disclosure, cooperation, and remediation.

If aggravating circumstances are present, a company generally will not qualify for a presumption of a declination to prosecute. But under the revised CEP, prosecutors may nonetheless determine that a declination is the appropriate outcome if the company can demonstrate that it has met each of the following three factors:

• The voluntary self-disclosure was made immediately upon the company becoming aware of the allegation of misconduct;
• At the time of the misconduct and the disclosure, the company had an effective compliance program and system of internal controls that enabled the identification of the misconduct and led to the company’s voluntary self-disclosure; and
• The company provided extraordinary cooperation with the DOJ’s investigation and undertook extraordinary remediation.

By creating a voluntary self-disclosure program in each of the DOJ’s U.S. Attorney’s offices around the country, geographic differences and uncertainties will be eliminated, according to Deputy Attorney General Lisa Monaco in a recent speech.[3] “I want every general counsel, every executive and board member to take this message to heart: where your company discovers criminal misconduct, the pathway to the best resolution will involve prompt voluntary self-disclosure to the DOJ,” Monaco said.

She pointed to a deferred prosecution agreement (DPA) the DOJ recently entered into with a Swiss multinational engineering firm, despite its history of misconduct. The company voluntarily self-disclosed a Foreign Corrupt Practices Act violation, cooperated with the DOJ, and performed extensive remediation, leading to the DPA. “What this shows is that even a company with a significant history of misconduct has a powerful incentive to make a timely self-disclosure,” Monaco said in the speech.

Putting Together an Effective Corporate Compliance Program

Recently, the Association of Certified Fraud Examiners (ACFE), in its Occupational Fraud 2022: A Report to the Nations, stated that lack of internal controls was the biggest factor contributing to occupational fraud. The report noted that “29% of victim organizations did not have adequate controls in place to prevent the fraud from occurring. Another 20% of cases involved an override of existing internal controls, meaning the victim organization had implemented mechanisms to protect against fraud, but the perpetrator was able to circumvent those controls.” The study concluded that together, “nearly half of the frauds in [the] study likely could have been prevented with a stronger system of anti-fraud controls.” The importance of internal controls, in the event the DOJ shines a light on a company, is evident as it is specifically addressed in the factors noted above.

The Global Cost of Fraud

Source: Occupational Fraud 2022: A Report to the nations®

Considering the findings from that report and the DOJ’s recent guidance, when putting together a strong corporate compliance program, there are certain questions that are essential for organizations to ask and address, including:

• Does the company have an effective compliance program in place?
• Are the company’s internal controls operating effectively?
• Has management periodically assessed the company’s risk for potential fraud and misconduct?

Once those questions have been answered, senior executives should consider several factors as they move toward creating a comprehensive compliance program that both prevents and detects fraud and related misconduct. In doing so, companies should evaluate the strength of their compliance programs in the following areas, which include but are not limited to:

• Use of Data: Companies should regularly assess risk by leveraging existing data. This may require data specialists to assist in analyzing relevant data and assess employee adherence to protocols as well as establish and monitor reporting metrics.
• Compliance Program Monitoring: Companies should consider working with independent experts who can:
  • Assist with conducting regular risk assessments to ensure the company stays proactive in keeping up with industry enforcement trends and preventing compliance violations;
  • Advise on the design and implementation of an effective system of internal controls;
  • Assist with ongoing monitoring of internal controls to ascertain whether the components of the company’s internal control are present and functioning[4] ; and
  • Conduct employee training.

Conclusion

As Monaco said in her speech: “An ounce of prevention is worth a pound of cure. Investing now in a robust compliance program is good for business, and it is good for our collective economic and national security.”

In light of these policy changes, companies would be wise to fully evaluate their compliance programs, including partnering with experts who specialize in identifying enhancement opportunities to maintain strong compliance programs. By utilizing the right expertise to build, assess, strengthen, and monitor their corporate compliance programs, companies get the type of robust compliance that the DOJ is seeking when it is considering a declination to prosecute and / or reducing the amount of penalties or fines. A strong, comprehensive compliance program can mitigate criminal prosecution, civil litigation, financial losses, and reputational damage.

Acknowledgements

We would like to thank John Kim and Megan Gilberg for providing insight and expertise that greatly assisted this research.