Nearly five years ago, we talked about the requirements for an effective compliance program. By boiling down relevant parts of the U.S. Federal Sentencing Guidelines, we came up with ten elements that still work.
* * *
Here they are:
1. A Written Program. The organization must have standards and procedures to prevent and detect criminal conduct.
2. Board Oversight. The organization’s board of directors or equivalent must be knowledgeable about the content and operation of the compliance and ethics program and must exercise reasonable oversight of its implementation and effectiveness.
3. Responsible Persons. One or more individuals among the organization’s high-level personnel must be assigned overall responsibility for the compliance program.
4. Operating and Reporting. One or more individuals must be delegated day-to-day operational responsibility for the compliance program. They must report periodically to high-level personnel and, as appropriate, to the board of directors or its audit committee or equivalent on the effectiveness of the program. The individuals must have adequate resources, appropriate authority, and direct access to the board or audit committee.
5. Management’s Record of Compliance. The organization must use reasonable efforts not to hire or retain personnel or intermediaries who have substantial authority and whom the organization knows or should know through the exercise of due diligence have engaged in illegal activities or other conduct inconsistent with an effective compliance program.
6. Communicating and Training. The organization must take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance program, to directors, officers, executives, managers, employees, agents, and other intermediaries — by conducting effective training programs and otherwise disseminating information appropriate to the individuals’ respective roles and responsibilities.
7. Monitoring and Evaluating; Anonymous Reporting. The organization must take reasonable steps (a) to ensure that its compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct, (b) to evaluate periodically the effectiveness of the compliance and ethics program and (c) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
8. Consistent Enforcement — Incentives and Discipline. The organization’s compliance and ethics program must be promoted and enforced consistently throughout the organization through appropriate (a) incentives to perform in accordance with the compliance program and (b) disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.
9. The Right Response. After criminal conduct has been detected, the organization must take reasonable steps to respond appropriately and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance program.
10. Assessing the Risk. The organization must periodically assess the risk of criminal conduct and take appropriate steps to design, implement, or modify its compliance program to reduce the risk of criminal conduct identified through this process.
* * *
Even the best compliance program can’t always stop rogue employees from breaking the rules. The Sentencing Guidelines know that. They stipulate that failure to prevent or detect an FCPA offense ‘does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.’ That’s one reason why some self disclosed FCPA violations don’t become enforcement actions.
And there’s proportionality. Smaller companies aren’t required to have the same compliance structures as big ones.
Conclusion: Effective compliance programs aren’t mysterious or complicated. They don’t have to be expensive or intrusive. And they’re every company’s best protection against prosecution.
The Morgan Stanley declinations would also seem to emphasize the importance to the regulators of fastidious corporate record-keeping and detailed foreign business partner due diligence. The company provided detailed evidence of Peterson's 7 years of training attendance, certifications and receipt of 35 separate compliance "reminders" in various forms. The company also demonstrated that, consistent with its policy, it had conducted detailed due diligence on the foreign business partners involved and had also put payment restrictions in place. In this context, employee Peterson's actions notwithstanding, the DOJ and SEC declined to charge the company. Morgan Stanley avoided significant financial and reputational cost through its investment in its compliance program.
Comments are closed for this article!