Leslie Caldwell, chief of the DOJ’s criminal division, spoke at the Compliance Week Conference in Washington, D.C. Tuesday. After talking about some defenses that don’t work, she described the ten hallmarks of an effective compliance program, and she warned companies to obey all the laws they’re subject to.
Here’s part of what she said:
* * *
Too often we have heard companies say that a particular course of criminal conduct took them by surprise, when a hard look at the business practices would have identified the risk. And, far too often, we have heard companies exclaim in defense that everyone else is doing it — that others in the industry are engaged in the same misconduct.
But as you all know, an industry-wide compliance failure is not a defense to knowing and willful criminal activity.
With this principle that compliance programs should be proactive, and not merely reactive in mind, there are some general hallmarks of effective compliance programs that I’d like to share with you today.
- A company must ensure that its senior leaders provide strong, explicit and visible support for its corporate compliance policies. Corporate management must enforce compliance policies, not tacitly encourage or pressure employees to engage in misconduct to achieve business objectives.
- We look not just at the written policies, but to other messages otherwise conveyed to employees, including through in-person meetings, emails, telephone calls, incentives/bonuses, etc.; and will make a determination regarding whether the company meaningfully stressed compliance or, when faced with a conflict between compliance and profits, encouraged employees to choose profits.
- Senior executives should be responsible for the implementation and oversight of compliance. Those executives should have authority to report directly to independent monitoring bodies — for example, internal auditors or the board of directors.
- A company’s policies should be clear and in writing and should easily be understood by employees. But having written policies — even those that appear specific and comprehensive “on paper” — is not enough.
- Compliance teams need adequate funding and access to necessary resources. And they must have an appropriate stature within the company.
- A company should have an effective process — with sufficient resources — for investigating and documenting allegations of violations.
- A company periodically should review its compliance policies and practices to keep it up to date with evolving risks and circumstances, including when the company merges with or acquires another company. In particular, if a U.S.-based entity merges with, acquires or is acquired by a foreign entity, all compliance policies should be reviewed and revised accordingly.
- A company should have an effective system for confidential, internal reporting of compliance violations.
- A company should implement mechanisms designed to enforce its policies, including incentivizing compliance and disciplining violations.
- A company should sensitize third parties with which it interacts (for example, vendors, agents or consultants) to the company’s expectation that its partners are compliant. This means more than including boilerplate language in a contract. It means taking action — including termination of a business relationship — if a partner demonstrates a lack of respect for laws and policies.
Corporations also must ensure compliance with the laws of all the countries in which they operate. We appreciate that this may present a major compliance challenge, as international corporations often must bridge cultural, as well as geographic, divides. But such challenges do not justify non-compliance.
Likewise, if a foreign-based corporation or institution operates in the United States or transacts business in the United States, it must ensure compliance with U.S. laws.
For example, if a foreign bank that operates in the United States identifies suspicious activity related to a foreign account held by a customer that also maintains an account in the United States, compliance personnel in the United States should be alerted to the suspicious activity.
Overall, our message is simple: we expect corporate entities to take compliance risk as seriously as they take other business-related risks.
* * *
Assistant Attorney General Leslie R. Caldwell’s full remarks at the Compliance Week Conference in Washington, D.C. on May 19, 2015 are here.
Richard L. Cassin is the publisher and editor of the FCPA Blog. He can be contacted here.