Our post last week about the lack of clear standards for a “reasonably designed” compliance program drew lots of comment from compliance professionals — enough that the issue deserves continued exploration, since there’s plenty more to say on the subject.
First let’s consider a concrete example of the confusion that could arise here.
Imagine your company has had FCPA violations, and you’re hoping to resolve the case with the Justice Department. Let’s also imagine that the violations happened when employees collaborated with your company’s resellers in the EMEA region, to offer “discounts” to end-use customers — except, of course, those discounts never reached the customer. They became the slush fund that funneled bribes to foreign government officials.
So your company settles. As part of the agreement, it has a three-year deferred-prosecution agreement and the chief compliance officer must make annual certifications that the program is — using assistant attorney general Kenneth Polite’s own words — “reasonably designed and implemented to detect and prevent violations of the law.”
Two years later, you discover a second wave of FCPA violations. This time, the Far East team used sham contracts with overseas intermediaries; the intermediaries just passed along those funds to foreign government officials.
This is a very plausible scenario. The compliance community has seen both schemes many times over the years. For example, Microsoft suffered the first scheme with product discounts; WPP suffered the second scheme with sham vendor agreements. I just paired the two of them together. Heck, I’m sure if we sifted through the archives we could find other instances where the two schemes did happen at the same company.
So how would the Justice Department treat this recidivist behavior? What happens to the compliance officer at our hypothetical company, who has been certifying for years that the company had a reasonably designed program?
Reasonably Designed to Do What?
I still keep coming back to the only statutory definition of “reasonable” that I could find: language from the Securities Exchange Act. It says companies should maintain a system of internal controls that provides reasonable assurance over transactions, and “reasonable” is “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.”
Now go back to our hypothetical company. The CCO had been certifying that the compliance program was reasonably designed to detect and prevent FCPA violations — but do we mean the method of FCPA violation, or the mere fact of an FCPA violation?
Because clearly the company had fair warning that one type of internal control failure (poor policies and procedures to document the need for pricing discounts) was a real risk. I’d have little sympathy for the CCO certifying assurance on that issue, and then suffering a repeat failure.
But in our hypothetical above, the company suffers a different type of internal control failure: poor third-party due diligence. Should the CCO be held liable for that failure too, because it led to the same bad result? Or is that unreasonable?
In my previous post about this issue, I gave the example of my young son escaping outside one morning because he figured out how to unlock the front door. So I installed a second deadbolt too high for him to reach. Now imagine he did run away again, because this time he opened the window and climbed down a fire escape. It would be the same bad outcome (child running away) via two very different control failures (door locks versus open windows).
That’s the same concept as our hypothetical. Should we hold the CCO to a strict liability standard, where any repeat FCPA violation invalidates the certification he or she signed? Or should it depend on the circumstances of how the second violation happened?
Right now, we in the compliance community don’t know. Some people say that’s how the Justice Department wants matters, so prosecutors have more discretion in how they handle individual enforcement cases.
That’s not fair to compliance officers. The Justice Department has the luxury of evaluating a compliance program after specific facts and violations arise. Compliance officers need to run a compliance program that must anticipate any possible violations before they arise. Asking them to shoulder potentially significant personal liability amid such vagueness is asking too much.
Other Reasonable Ideas
Other thoughtful voices in the compliance community offered their own suggestions, many of which are well worth considering.
Eric Young, for example, stressed that the actual Justice Department idea is to have the CCO and the CEO both certify about the effectiveness of the compliance program, “thus requiring more attention and accountability of the CEO and his or her other C-suite executives to sub-certify.”
That’s a good point, and it drives at another concern I have: that regardless of the specific accounting control failures that might allow an FCPA violation, the Justice Department could wave those aside and say, “You had multiple violations, so clearly your control environment is bad. Please hold out your arms while we get our hammer and nails.” Sub-certifications pushed by the CEO would drive awareness of anti-corruption compliance throughout the organization.
Adam Balfour, general counsel for corporate compliance at Bridgestone Americas, suggested that companies should disclose a description of their compliance program in the Form 10-K annual report. That could include details such as the number of dedicated employees (and the reason for that number), to whom the compliance function reports, how often compliance presents to the board, and so forth.
This is an excellent idea — and one that’s not new, since the SEC is already poised to adopt such a disclosure rule for companies’ cybersecurity functions. Except this plan would require formal rulemaking from the Commission; and I wonder how the Justice Department would respond to the SEC taking the lead on this issue.
Gwen Lee Hassan raised very valid questions about what a CCO would do when he or she didn’t want to certify the compliance program. Does refusing to sign itself equal an admission that the compliance program isn’t reasonably designed? “How do compliance officers maintain the kind of trust needed to accomplish real cultural change if they are forced into the role of whistleblower on an annual basis?” she asked. “Will this drive a race to mediocrity if ‘reasonable’ is our only goal? What happened to effectiveness?”
Preach, sister! I can add nothing to her points.
And as one compliance professional tartly said: “The DoJ must issue timely guidance to clarify their revised expectations of CCOs. Otherwise we are all just postulating in the wilderness.”
Exactly so. The Justice Department proposed this idea; the Justice Department needs to explain it.