by Caitlyn Chacon and Timothy Crudo
If there is one lesson to be learned from the U.S. Department of Justice’s latest update to its guidance on corporate compliance, it is the importance of data and especially of putting that data to work. The updated Evaluation of Corporate Compliance Programs, released in June, comes just over a year after DOJ last revised the guidance, signaling that the government is paying attention to companies’ efforts to structure their compliance programs. Though few, the latest revisions include notable new references to the importance of data to identify and control for company-specific risks. These additions highlight a fundamental theme of the guidance: it is not enough to have a paper program loaded with policies and employee trainings that do not measure results, seek out problems, and enforce accountability. Accurate, comprehensive data and proactive use of that data are central not only to making a compliance program effective, but also, if the need arises, to proving its effectiveness.
Why a Compliance Program Matters: It is Not Just About Complying
In this day and age, a nonexistent or even merely weak compliance program is a material liability. From Me Too to cyber threats, data privacy, supply chain management, and the ever-present concerns of fraud and corruption, organizations face compliance challenges that are both numerous and complex. Social media and the ease with which information can be shared (and stolen) amplify these risks. Compliance functions are necessary to guard against these threats to a company’s reputation and its bottom line.
The upside of a good compliance program is all the more apparent in light of the compelling incentives enforcement agencies offer for having one. A substantial program, even if it does not prevent all wrongdoing, can significantly reduce a corporate penalty and may even convince regulators to forego an enforcement action altogether when something does go wrong. See U.S.S.G. § 8C2.5(f) (directing that three points should be subtracted from the applicable offense level if “the offense occurred even though the organization had in place at the time of the offense an effective compliance and ethics program, as provided in § 8B2.1”).
For example, the DOJ advises that where a company voluntarily self-discloses misconduct, fully cooperates with regulators, and appropriately remediates the problem, prosecutors should presume to decline a corporate charge absent “aggravating circumstances involving the seriousness of the offense or the nature of the offender.” FCPA Corporate Enforcement Policy, U.S. Dep’t of Justice, U.S. Attorneys’ Manual 9‑24.120. While issued in the context of investigations and prosecutions of Foreign Corrupt Practices Act violations, DOJ has since announced that this guidance may also apply to other types of criminal conduct. See Rod J. Rosenstein, Deputy Attorney General for the U.S. Dep’t of Justice, Prepared Remarks for the 34th International Conference on the Foreign Corrupt Practices Act (Nov. 29, 2017) (announcing that the DOJ’s Criminal Division would use the FCPA Corporate Enforcement Policy as nonbinding guidance in criminal cases outside of the FCPA context). Corporate declination letters consistently cite a company’s compliance program and its efforts to enhance that program following the discovery of malfeasance as a reason for declining to prosecute. See, e.g., Letter from Robert Zink to David W. Simon, Re: Quad/Graphics Inc. (Sept. 19, 2019) (confirming DOJ’s decision not to prosecute company based in part on its “prompt, voluntary self-disclosure of the misconduct” and “full remediation, including the steps that [it] took to enhance its compliance program”); Letter from Sandra Moser to Caz Hashemi, Re: Polycom, Inc. (Dec. 20, 2018) (confirming DOJ’s decision not to prosecute company, citing its “prompt, voluntary self-disclosure,” “thorough and comprehensive investigation,” and the steps it “took to enhance its compliance program”).
If “aggravating circumstances” make declination unavailable, a robust compliance program can make the outcome more palatable. A company with a good program is eligible for a 50% reduction from the low end of the U.S. Sentencing Guidelines’ fine range as long as it is not a recidivist. Even if a company does not voluntarily self-report misconduct, it remains eligible for up to a 25% reduction from the bottom of the range if it cooperates with the DOJ and timely remediates the problem. In a time when it is not unusual to see corporate penalties in the hundreds of millions of dollars—in December 2019, Ericsson agreed to pay over $1 billion to resolve an FCPA matter—these reductions can translate into a significant benefit.
And enforcement actions show no signs of slowing down. The Fraud Section resolved 15 corporate cases, involving more than $2.9 billion in fines and penalties, in FY 2019. U.S. Dep’t of Justice, Fraud Section: Year in Review, 2019. In the same year, the DOJ opened 35 new FCPA enforcement actions, and the SEC opened an additional 19—and that’s just FCPA matters. All of this activity signals that companies should evaluate their compliance programs, not just to identify and deter internal misconduct, but also to optimize the potential benefits of self-reporting and remediation if the need arises.
Contrasting 2018 resolutions provide a good example. In 2018, Barclays voluntarily reported to the DOJ that some of its employees had engaged in a multimillion-dollar front-running scheme involving foreign exchange transactions. The bank cooperated with DOJ, took steps to strengthen its compliance program, and agreed to pay $12.9 million in combined restitution and disgorgement, leading DOJ to decline to prosecute the company. See Letter from Benjamin D. Singer, Chief of the Securities and Financial Fraud Unit of the Fraud Section for the U.S. Dep’t of Justice Criminal Division, to Alexander J. Willscher & Joel S. Green, Counsel for Barclays PLC (Feb. 28, 2018). After the resolution was announced, DOJ officials contrasted the Barclays resolution with the outcome in a similar front-running investigation, concluded around the same time, involving HSBC Holdings PLC. Whereas Barclays paid under $13 million to U.S. regulators, HSBC paid over $100 million in penalties and disgorgement to resolve a matter involving similar conduct. See U.S. Dep’t of Justice, “HSBC Holdings Plc Agrees to Pay More Than $100 Million to Resolve Fraud Charges” (Jan. 18, 2018). In making this comparison, DOJ officials specifically called out HSBC’s failure to self-report and its disappointing initial cooperation with DOJ.
What We Can Learn From the Updated Guidance: Data, Data, and More Data
So if a good compliance program makes a difference, what makes a program good enough? As with prior versions, the updated DOJ guidance emphasizes that there is no “rigid formula” for evaluating compliance programs. After all, companies and the risks they face differ and change over time. A compliance program needs to address all risks a company faces, the foreseeable and the unforeseen: government corruption, fraud, health and safety, privacy, antitrust, sexual harassment, product quality, social responsibility, environmental risks, and the list goes on. New refinements to the guidance underscore that because numerous factors can distinguish one organization from another, prosecutors must “make a reasonable, individualized determination in each case that considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.” (Revisions italicized). By recognizing that compliance programs must be evaluated on an individualized basis, DOJ is signaling that the guidance should not be viewed as a simple checklist. One size does not fit all.
That said, the guidance does reflect that prosecutors expect companies across the board to have increasingly more sophisticated compliance functions that are integral parts of the organization’s strategic risk management and business planning. In particular, DOJ expects more and better use of data.
The guidance has added a new “Data Resources and Access” section that advises prosecutors to consider whether compliance personnel have sufficient access to relevant data sources to enable “timely and effective monitoring and/or testing of policies, controls, and transactions.” If there are impediments limiting a compliance program’s access to data sources, the company should be prepared to explain what it is doing to address them. Another update notes that a company’s risk assessments should not be “limited to a ‘snapshot’ in time,” but instead must be based on “continuous access to operational data and information across functions.” As these additions make clear, data is a crucial resource, and compliance teams need to press for broad access to a company’s data and information systems in order to analyze and identify risk.
This concern about data access is not an academic one. The Wells Fargo Board’s 2017 Independent Directors’ Report summarizing the investigative findings of the alleged sales practices problem that has roiled the bank in recent years found that the bank’s information systems and processes were fractured and lacked coordination, resulting in missed opportunities to draw connections between issues in a way that might have more quickly revealed the extent of the problem. Independent Directors of the Board of Wells Fargo & Company, Sales Practices Investigation Report at 13 (Apr. 10, 2017). The report noted that although the bank had a great deal of information in its systems, there was no coordinated effort among the bank’s various functions to track, analyze, or report on sales practice issues.
More recently, on September 29, 2020, JPMorgan agreed to enter into a deferred prosecution agreement and pay $920 million to resolve two felony wire fraud counts based on misconduct tied to the manipulation of the precious metals and U.S. Treasuries markets. See U.S. Dep’t of Justice, “JPMorgan Chase & Co. Agrees to Pay $920 Million in Connection with Schemes to Defraud Precious Metals and U.S. Treasuries Market” (Sept. 29, 2020). The deferred prosecution agreement features over six pages devoted to DOJ’s expectations for the bank’s corporate compliance program. This section of the agreement echoes much of the updated guidance and notably directs the bank to “ensure that compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing.” United States v. JPMorgan Chase & Co., No. 3:20-cr-00175-RNC, Dkt. No. 2, at C-6 (Sept. 29, 2020). The bank is required to use “such review and testing and its analysis of any prior misconduct” to “conduct a thoughtful root cause analysis and timely and appropriately remediate to address the root causes.” Id.
These examples highlight the importance of giving an organization’s compliance program broad access to data so that it can connect the dots and mitigate problems quickly. Companies that make data unavailable to their compliance functions, or whose compliance functions do not proactively seek out and use company data to develop metrics as part of program monitoring, risk coming out on the wrong side of a prosecutor’s “is this program good enough?” analysis.
Another update to the guidance instructs prosecutors to consider the extent to which a company evaluates whether employee training has an impact on employee behavior or company operations. This kind of evaluation necessarily entails analyzing data that reflects the behaviors or operations the organization is interested, or should be interested, in measuring. This revision further underscores the importance of data to the compliance function. It also indicates more broadly that prosecutors expect companies to understand what is working and what is not, modify as necessary, and be prepared to show their homework if regulators ask.
These updates reflect how the role of compliance has evolved, particularly with the advent of big data. It is not enough for compliance executives to design programs and controls, wait for problems to come to them through tip lines or otherwise, and then respond. Prosecutors now expect compliance programs to use data and other tools to hunt for problems and find them first.
The Costs of Compliance
As DOJ and other regulators elevate their standards around what makes an effective compliance program, companies will need to evaluate their programs and, if necessary, raise their game. Doing so comes at a cost, of course, but reluctance to do so runs the risk of bad outcomes not only with government watchdogs, but also with customers, investors, and the public.
Despite what should be lessons learned from well-publicized corporate failures going back decades, studies continue to show that corporate misconduct remains rampant. According to a recent report by the Association of Certified Fraud Examiners, fraud cases are often never reported publicly, and a typical organization loses 5% of its annual revenue to employee-committed fraud every year. Association of Certified Fraud Examiners, Report to the Nations: 2020 Global Study on Occupational Fraud and Abuse, at 4–5, 8 (2020). Of the approximately 2,500 fraud cases analyzed in ACFE’s 2020 study, the average loss per case exceeded $1.5 million. And of the nearly 2,600 executives interviewed for EY’s 2018 Global Fraud Survey, more than 10% were aware of a significant fraud occurring in their company in the prior two years. Ernst & Young, Integrity in the Spotlight: The Future of Compliance, 15th Global Fraud Survey, at 8 (2018). EY’s survey also found that the share of respondents who would justify fraud to meet their financial targets has increased globally since 2016. Corporate malfeasance remains a serious problem.
It is also worth noting for those at the top who set the tone and allocate the resources that these programs protect not only the company, but its directors as well—a point that may help ensure that a compliance program gets the resources and attention that regulators think it deserves. A board’s alleged failure to oversee a company’s compliance controls is generally evaluated under the generous standard set out in In re Caremark International Inc. Derivative Litigation, a standard touted as “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.” 698 A.2d 959, 967 (Del. Ch. 1996). But a string of recent Delaware cases may—may—suggest that a board’s conduct in the future will draw closer judicial scrutiny. Four times in the last year, Delaware courts have permitted Caremark claims to proceed against directors who allegedly made no efforts to ensure they were “informed of a compliance issue intrinsically critical to the company’s business operation.” Marchand v. Barnhill, 212 A.3d 805, 822 (Del. 2019); see also In re Clovis Oncology, Inc. Derivative Litig., C.A. No. 2017-0222-JRS, 2019 WL 4850188 (Del. Ch. Oct. 1, 2019); Inter-Mktg. Grp. USA, Inc. v. Armstrong, C.A. No. 2017-0030-TMR, 2020 WL 756965 (Del. Ch. Jan. 31, 2020); Hughes v. Hu, C.A. No. 2019-0112-JTL, 2020 WL 1987029 (Del. Ch. Apr. 27, 2020). Whether these decisions bode a trend in director liability is an article for another day, but they should further emphasize, if only as a point of director self-preservation, that attention to compliance matters.
Caitlyn Chacon is an associate in the White Collar Defense and Government Enforcement practice group at Coblentz Patch Duffy & Bass LLP, where she counsels clients in various white collar, regulatory, and commercial litigation matters.
Tim Crudo is the head of the White Collar Defense and Government Enforcement practice group at Coblentz Patch Duffy & Bass LLP, where he focuses on white collar, securities, and corporate governance matters.