New DOJ Policy on Compliance Monitors
The Justice Department dropped a bundle of new policies last Friday about evaluating compliance programs and corporate monitors, with potentially significant implications for corporate compliance officers and the programs you run.
Brian Benczkowski, assistant attorney general for the Criminal Division, announced the news during a speech he delivered in New York on Friday. Always be suspicious of a Trump Administration official making statements just before the weekend, but let’s parse what he said anyway.
Foremost, the Justice Department is rescinding Obama Administration policy about when prosecutors might impose a compliance monitor, in favor of new Trump Administration policies that build on older ones adopted by the Bush Administration.
The new policy is meant to curtail the appointment of corporate monitors and the scope of what monitors do (this is the Trump Administration, after all) by evaluating criteria such as:
- whether the underlying misconduct involved the manipulation of corporate books and records or the exploitation of an inadequate compliance program or internal control systems;
- whether the misconduct at issue was pervasive across the business organization or approved or facilitated by senior management;
- whether the company has made significant investments in, and improvements to, its corporate compliance program and internal control systems; and
- whether remedial improvements to the compliance program and internal controls have been tested to demonstrate that they would prevent or detect similar misconduct in the future.
The Benczkowski Memo lists a few other actions prosecutors should consider, too. For example, did the misconduct in question happen under previous senior leadership? Did it happen “within a compliance environment that no longer exists within a company?” Did the company take remedial measures such as cutting ties to offending third parties?
Prosecutors should also consider “the unique risks and compliance challenges the company faces, including the particular region(s) and industry in which the company operates and the nature of the company’s clientele.”
I can’t tell whether we should interpret that sentence as pushing prosecutors to be firm (“you should have known better about working in that part of the world”) or to be easy (“that’s just the reality of doing business in that part of the world”). But again, we’re talking about the Trump Administration here. I think we all know the safer conclusion to draw.
Above all, however, is this sentence from the Benczkowski Memo:
“In general, the Criminal Division should favor the imposition of a monitor only where there is a demonstrated need for, and clear benefit to be derived from, a monitorship relative to the projected costs and burdens. Where a corporation’s compliance program and controls are demonstrated to be effective and appropriately resourced at the time of resolution, a monitor will likely not be necessary.”
Benczkowski noted in his speech that over the last five years, corporate monitors have only been appointed in about one-third of corporate misconduct settlements anyway. Clearly he wants that number even lower.
Practical Compliance Implications
Let’s boil the Benczkowski Memo down to one core message: if a company can demonstrate that it has cleaned up its act, the Justice Department won’t appoint a monitor. So what does that mean for compliance and audit programs on a practical level?
Some points in the Benczkowski Memo seem to be good ideas. For example, one consideration is whether the misconduct “happened under different corporate leadership.”
Well, those words imply that firing executives who condoned or participated in the misconduct is something companies should do. If that’s what Benczkowski means, compliance officers should be all for it. Holding people accountable for misconduct is a hugely important part of effective ethics and compliance programs. Offering the reward of no compliance monitor is a sensible incentive to that end.
Of course, Benczkowski’s words can also mean the Justice Department won’t appoint a monitor for misconduct that happened in a subsidiary the company acquired before the company acquired the business — and lord knows, we’ve seen inherited liability concerns in plenty of FCPA enforcement actions over the years. One of Benczkowski’s deputies, Matthew Miner, gave a speech in July about extending the FCPA Corporate Enforcement Policy to inherited liability, raising the same issues Benczkowski does here.
We can imagine a few possible implications for compliance officers. First, your role in pre-acquisition due diligence might diminish, if the Justice Department retreats from imposing penalties for misconduct that happened prior to acquiring the subsidiary. (That’s certainly the message I take away from Benczkowski and Miner’s comments.) Corporate dealmakers might decide they can worry less about compliance pre-acquisition, because punishment for missing an issue won’t be there. That’s not a good idea, but juicy M&A deals make people do crazy things.
Still, that idea will only make sense if the corporate dealmakers also give you a greater role post-acquisition, to get that new compliance regime rolled out across the subsidiary pronto. Then the issue gets discovered, the C-Suite can sack any subsidiary-level nincompoops who had been violating the law, and the company has met crucial criteria for Benczkowski’s no-monitor-necessary standard.
Remember the Internal Controls
All that said, corporate compliance involves issues beyond the FCPA or errant subsidiaries you picked up in an M&A deal. So a criteria like this gives me pause:
- whether remedial improvements to the compliance program and internal controls have been tested to demonstrate that they would prevent or detect similar misconduct in the future.
Well, who will do that testing of internal controls? Who will redesign controls if that is necessary for remediation? Compliance officers should ask their internal auditors whether they have a full understanding of the company’s internal controls and risk management, especially if the misconduct in question involves non-financial processes. You’d be surprised how often the answer for auditors and board directors is “no.”
We also need to remember who within the Justice Department might be evaluating your internal controls, too. Benczkowski’s other morsel of news from Friday was that the Justice Department will not name another in-house compliance counsel to replace Hui Chen — the department’s first (and now apparently only) compliance counsel, who resigned in 2017 because President Trump is an unethical jerk.
Benczkowski uttered a few words about training more prosecutors about compliance programs, and what good programs look like; he even said the Justice Department may hire more attorneys with compliance experience. (Federal prosecutors’ salaries in Washington range from $68,000 at entry level to a max of $164,200, if you’re interested.)