In November, the Department of Justice confirmed the rumors that had circulated all fall about an appointment it was making in its Fraud Section: Hui Chen was selected to occupy the new role of in-house compliance counsel.
Chen most recently served as Global Head for Anti-Bribery and Corruption at Standard Chartered Bank, and prior to that worked in general counsel and compliance roles at Pfizer, Inc. and Microsoft Corporation.
The precise contours of her role have not been spelled out, although they have been said to be fluid and will “evolve over time.” Leslie Caldwell, Assistant Attorney General at the DOJ’s Criminal Division, offered a glimpse into her remit in a speech on November 17.
I welcome this appointment. I love the attention being paid to the compliance function, the listening ear DOJ promises, and the reminder to firm executives and officers that compliance departments need money and sufficient staffing to be effective.
But I have questions, and I pitched a few of them to Palmina Fava, a partner in the litigation practice of Paul Hastings in New York, and someone who conducts internal investigations, plus drafts and implements global compliance programs for global firms.
* * *
First, is the DOJ basically admitting it did not have any such expertise before this point? What was the impetus behind the new role’s creation?
Andrew Weissmann, chief of the Criminal Division Fraud Section, was candid in acknowledging that while the Fraud Section has experts in a number of areas, compliance program assessment wasn’t one of them. In creating the Compliance Counsel position and hiring someone with Hui Chen’s expertise, the DOJ not only has a resource for Fraud Section attorneys when assessing the merits of a company’s compliance program, but companies are on notice that their compliance programs need to be robust and tailored to their risks in order to pass the smell test.
Hiring Ms. Chen – who has a lot of experience working in Asia and mitigating compliance risks in the region — is also a signal that companies operating in Asia should ensure that their compliance programs address the risks posed by the various customs and practices of the market. Saying to Ms. Chen, “this is how business is done in China or Korea,” is not going to get a company credit for a compliance program that fails to prevent significant, non-transparent cash gifts to government officials, for example.
Can one person handle this weighty role? The DOJ expects the companies they investigate to put significant resources into the compliance department — but they hire just one person to oversee the function at these many firms.
Ms. Chen handled significant responsibility and weighty issues in her prior roles in-house. Just as she did in-house, within the Fraud Section, she will likely be working cooperatively with her colleagues who have been evaluating compliance programs and gaps in those programs as part of their pending and prior investigations. But, as you point out, a robust and successful corporate compliance program requires the investment of significant resources and, for most companies, that means many more than one person overseeing the program.
To be more than a paper policy, companies need to monitor compliance with their policies and procedures, ensure that they are practical and tailored to the business realities their employees face in different markets around the world, and identify and fill gaps when necessary.
* * *
While we were on the topic, Palmina and I came up with our short list of strong compliance program indicators:
Ongoing training. Regulators have discussed the importance of firms offering ongoing training for their staff that keeps pace with ever-increasing regulatory obligations and with the evolving nature of the firm’s business. Regulators leave it to firms to decide how to provide the training and when — but the firms that tend to get it right offer it from the on-boarding stage and don’t drop the ball there. They carefully attempt to calculate the return on the training investment.
An eye on intermediaries. Regulators are also consistently warning firms to keep close tabs on any outside consultants they hire to oversee parts of their compliance program. The Securities and Exchange Commission issued a risk alert in November citing a 2011 survey finding 38 percent of investment advisers outsource at least some of their compliance functions. The watchdog went on to warn that adviser firms must be fully aware of how such third parties operate, hire and train their staff, securely store data and deeply understand the business they are assisting.
Keeping tabs on third parties means doing diligence on them before they are retained and exercising audit rights throughout the contract term.
Aiming at what could happen. Compliance programs should be proactively designed to address issues that may arise, tailored to the company’s strategic plans. Ms. Chen has commented on this point. For example, if a company intends to expand its business into Syria or North Korea within the next 12 to 24 months, its compliance program should explain sanctions risks and rules.
Casting a wide net. Compliance professionals should engage with all stakeholders when gauging the effectiveness of a compliance program. Ms. Chen has spoken of this issue, noting that some of her most “fascinating and helpful conversations have come from someone who processes payments in the back room.” It is these employees who sometimes have the greatest insight into accounting or payment irregularities or questionable practices happening on the shop floor.
Julie DiMauro is a contributing editor of the FCPA Blog. She works in the Regulatory Intelligence group at Thomson Reuters in New York. Follow Julie on Twitter @Julie_DiMauro and email her at [email protected].