Operationalizing the Revised ‘Evaluation of Corporate Compliance Programs’

American Conference Institute (ACI)

While the U.S. Department of Justice’s Criminal Division published its fourth version of its “Evaluation of Corporate Compliance Programs (ECCP)” guidance more than six months ago now, the insights that in-house counsel and chief compliance officers can and should be gleaning from it remain timeless.

Issued by the Fraud Section in February 2017, the ECCP has since gone through a few revisions—first updated in April 2019 and, again, in June 2020. However, the revisions that were incorporated in March 2023 mark some of the most significant changes to date.

By way of background, in September 2022, Deputy Attorney General (DAG) Lisa Monaco issued a memo incorporating several revisions into the DoJ’s corporate criminal enforcement policies and practices. That memo directed federal prosecutors to consider in their assessments of compliance programs, in part, whether the company’s compensation systems “incorporate elements such as compensation clawback provisions that enable penalties to be levied against current or former employees, executives, or directors whose direct or supervisory actions or omissions contributed to criminal conduct.”

The memo further directed prosecutors to consider whether the company implemented policies and procedures governing the use of personal devices and third-party messaging applications “to ensure that business-related electronic data and communications are preserved.” Moreover, DAG Monaco explicitly asked the Criminal Division to incorporate best practices into the ECCP regarding the use of messaging applications, “so that the Department can address these issues thoughtfully and consistently.”

The 2023 revisions to the ECCP incorporate these requests, adding sections on compensation systems as they apply to deterring misconduct and fostering an ethical culture; and policies and procedures around third-party messaging applications.

Messaging applications

In today’s digital world, the ubiquity of personal devices and a proliferation in communication channels and messaging applications have created significant and myriad practical challenges for legal and compliance teams in monitoring and preserving employee communications.

Ephemeral messaging poses particular challenges because, by the very nature of its functionality, chat messages expire after a short period of time or can be destroyed immediately by individual users, after which such communications are deleted permanently.

But it is not always feasible to ban outright the communication channels that offer ephemeral messaging features, such as Signal, WhatsApp, WeChat, and Telegram, because they are so widely used in other parts of the world. This is especially challenging for multinational companies whose employees use a variety of communication channels and messaging applications in different parts of the world.

“As much as the Department of Justice wants it to be easy to control this, it’s not,” said Brian Benjet, a partner at DLA Piper and co-chair of the firm’s Global Compliance group. “You have to be pragmatic and realistic.”

The revised ECCP signals that the DoJ, at least to some degree, acknowledges the challenges and is trying to be responsive to the evolving issues created by technology. For example, the ECCP states, “Policies governing such applications should be tailored to the corporation’s risk profile and specific business needs and ensure that, as appropriate and to the greatest extent possible, business-related electronic data and communications are accessible and amenable to preservation by the company.”

As a first step, have in place a written communication policy that spells out what communication channels are allowed and not allowed to be used by employees, and establish policies and procedures around that.

According to the ECCP, factors that prosecutors will consider—and, thus, questions that compliance should consider—include:

  • What electronic communication channels do the company and its employees use, or allow to be used, to conduct business? How does that practice vary by jurisdiction and business function, and why?
  • What mechanisms has the company put in place to manage and preserve information contained within each of the electronic communication channels?
  • What preservation or deletion settings are available to each employee under each communication channel, and what do the company’s policies require with respect to each?
  • What is the rationale for the company’s approach to determining which communication channels and settings are permitted?

Non-compliant and rogue employees also pose risks. “You cannot force an individual to give you their personal password on their personal device,” Benjet said. Thus, it’s also important to have a policy that permits the company to review business communications on employees’ personal devices and/or messaging applications should the company fall under investigation, which is one key factor prosecutors will consider.

The company’s policy should state, in part, “‘If you use [a prohibited communication channel or a personal device] for business communication purposes, you have to provide us with access,’” Benjet said. By having those policies and procedures in place, the company can take disciplinary action against those who violate company policy, he said.

Other questions that in-house counsel and compliance teams should be prepared to answer include:

  • What policies and procedures are in place to ensure that communications and other data are preserved from devices that are replaced?
  • What relevant code of conduct, privacy, security, and employment laws or policies govern the organization’s ability to ensure security or monitor/access business-related communications?
  • If the company has a “bring your own device” (BYOD) program, what are its policies governing preservation of and access to corporate data and communications stored on personal devices, and what is the rationale behind those policies?

Benjet noted that, in addition to having in place a written communication policy, it needs to be effectively communicated to employees. “The one thing you don’t want to happen is for an employee to say, ‘I didn’t know we weren’t allowed to use that messaging application,’” he said.

While having policies in place and training on those policies are important steps to take, equally important is ensuring that employees are actually complying with those policies, and that they are being enforced in practice.

Specific questions that legal and compliance should consider from an enforcement standpoint, and factors that prosecutors will consider as well, include:

  • How have the company’s data retention and business conduct policies been applied and enforced with respect to personal devices and messaging applications?
  • If the company has a policy regarding whether employees should transfer messages, data, and information from private phones or messaging applications onto company record-keeping systems in order to preserve and retain them, is it being followed in practice, and how is it enforced?
  • What are the consequences for employees who refuse the company access to company communications, and has the company ever exercised these rights?
  • Has the company disciplined employees who fail to comply with the policy or the requirement that they give the company access to these communications?

Compensation systems

Other major revisions made to the revised ECCP direct prosecutors to consider the role of compensation structures in fostering a healthy compliance culture. As Assistant Attorney General (AAG) Kenneth Polite remarked in a keynote speech at the ABA’s 38th Annual National Institute on White Collar Crime, “Compensation structures that clearly and effectively impose financial penalties for misconduct can deter risky behavior and foster a culture of compliance. At the same time, positive incentives, such as promotions, rewards, and bonuses for improving and developing a compliance program or demonstrating ethical leadership, can drive compliance.”

In many ways, the revisions to the ECCP concerning compensation structures memorialize what prosecutors have been saying for several years, but now “they are being more transparent about what their expectations are,” said Karen Popp, a partner at law firm Sidley and global co-leader of the firm’s White-Collar Defense and Investigations group. “From that perspective, transparency around what the government expects is a good thing.”

“Incentives and disciplinary measures have long been elements of an effective compliance program, and many companies already have those types of incentives and disciplinary policies in place,” Popp added. “Having more transparency around those expectations will help companies address these types of issues when they have investigations.”

“One thing the Department has been very insistent on is that people at a higher level should be treated the same as people at lower levels,” Benjet said. Thus, one factor to consider from an ethics and compliance standpoint is how the company ensures disciplinary actions and incentives are being fairly and consistently applied across geographies, operating units, and levels of the company, as the ECCP suggests.

Companies should turn to the ECCP for the complete list of factors prosecutors will consider, but some examples of the types of new topics and questions to consider include:

  • Disciplinary measures – What types of disciplinary actions are available to management when it seeks to enforce compliance policies? Does the company have policies or procedures in place to recoup compensation that would not have been achieved but for misconduct attributable directly or indirectly to the executive or employee? What policies and practices does the company have in place to put employees on notice that they will not benefit from any potential fruits of misconduct?
  • Financial incentives – What percentage of executive compensation is structured to encourage enduring ethical business objectives? Are the terms of bonus and deferred compensation subject to cancellation or recoupment, to the extent available under applicable law, in the event that non-compliant or unethical behavior is exposed before or after the award was issued? Does the company have a policy for recouping compensation that has been paid, where there has been misconduct?
  • Effectiveness – What percentage of compensation awarded to executives who have been found to have engaged in wrongdoing has been subject to cancellation or recoupment for ethical violations? Taking into account the relevant laws and local circumstances governing the relevant parts of a compensation scheme, how has the organization sought to enforce breaches of compliance or penalize ethical lapses?

Clawback Pilot Program

Complementing the publication of the revised ECCP, the Criminal Division announced it is also conducting a first-of-its-kind “Compensation Incentives and Clawbacks Pilot Program.”

The pilot program provides that, when entering into criminal resolutions, companies will be required to implement compliance-related criteria in their compensation and bonus system and to report to the Criminal Division about such implementation during the term of such resolutions.

The pilot program also directs prosecutors to consider possible fine reductions “where companies seek to recoup compensation from culpable employees and others who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were willfully blind to, the misconduct.” In this way, the pilot program affords companies a dual incentive – the compensation recoupment and a potential penalty reduction.

If a company’s “good faith attempt” to recoup any such compensation is unsuccessful, the company may still receive a reduction of up to 25% of the amount of the compensation the company attempted to claw back. “Such reductions may be warranted where, for instance, a company incurred significant litigation costs for shareholders,” the pilot program states.

The pilot program, which applies to all corporate matters handled by the Criminal Division, will operate for three years, at which time the Criminal Division said it “will determine whether the program will be extended in duration or modified in any respect.”

Holding individuals accountable when they engage in wrongdoing is not anything new. “The clawback pilot program is another indication that DOJ wants to see that individuals involved in the misconduct are held accountable, and we’ve certainly seen over the years an effort to go after more individuals,” Popp said. “This incentivizes companies to do their part in holding individuals accountable.”

ACI will be holding a conference on November 29-30 in Washington, DC that will feature expert speakers in the FCPA space. For more information, please visit: https://www.americanconference.com/fcpa-dc/
