Earlier this month, the U.S. Department of Justice (“DOJ”) and the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) both issued guidance regarding their expectations for corporate compliance programs. Both documents are geared towards establishing more rigid frameworks for assessing compliance programs. A common theme across both pieces of guidance appears to be the identification and allocation of responsibility to individuals, especially management. Additionally, the fact that the agencies released their guidance within days of each other could be read as a clear signal from federal authorities that they are serious about increasing their focus on individual accountability for corporate wrongdoing.
On April 30, 2019, DOJ’s Criminal Division issued updated guidance for the Evaluation of Corporate Compliance Programs. The guidance is centered around three “fundamental questions” that prosecutors are instructed to consider as they evaluate whether a corporation’s compliance program is effective for purposes of determining an appropriate criminal resolution: (1) Is the corporation’s compliance program well designed? (2) Is the program being applied earnestly, effectively, and in good faith? and (3) Does the corporation’s compliance program work in practice?
The primary thrust of this guidance is to assist prosecutors in evaluating whether a corporation’s compliance program is truly functional or merely a “paper program.” The guidance is conspicuously detailed and oftentimes resembles an examiner’s manual. For example, in connection with the first “fundamental question,” DOJ lists six separate factors for evaluating the design of an effective compliance program, each with multiple subparts and sub-subparts. The first factor instructs that compliance programs should be based on risk assessments that are not only tailored to the company’s specific business model but are also refreshed in light of new developments, both internal and external. This is then followed by three subfactors for evaluating “risk-tailoring,” followed by yet more considerations for each of these subfactors.
This detailed structure is deployed throughout the guidance as a means to allow prosecutors to identify responsible individuals. For instance, policies and procedures should identify the parties responsible not only for executing the policies but also for maintaining and integrating the policies into the company’s control structure; a sufficiently autonomous compliance department should have direct access to the board of directors or the board’s audit committee; the board of directors should be responsible for oversight of the compliance function; management and senior leaders are expected to model ethical behavior and should not tolerate undue compliance risks in pursuit of business objectives.
Two days later, on May 2, 2019, OFAC released A Framework for OFAC Compliance Commitments, outlining its expectations for sanctions compliance programs (“SCP”). The OFAC guidance also includes a list of common “root causes” for SCP failures.
Like DOJ, OFAC emphasized the importance of meaningful board oversight and the identification of parties responsible for ensuring compliance. For example, just like DOJ’s version of an effective compliance program, OFAC also expects that an effective SCP has an autonomous compliance group with a direct reporting line between the SCP function and senior management. Further, senior management should be accountable for the SCP testing and audit functions, and any failures therein to detect misconduct. Like DOJ, OFAC also expects senior managers to promote a culture of compliance through a centralized SCP, which incentivizes reporting of misconduct and penalizes misconduct.
OFAC also identified ten common “root causes” of SCP breakdowns or deficiencies based on an assessment of prior OFAC administrative actions. The list includes a lack of a formal SCP, lack of a centralized SCP, misunderstanding of OFAC regulations, and individual misconduct – particularly by supervisors and managers. Notably, each of these deficiencies points directly to a failure by management to foster a culture of compliance (e.g., failing to adopt a formal SCP; failing to ensure enterprise-wide conformity of SCP application; failing to require comprehensive education and training for employees regarding applicable regulations; and failing to model ethical conduct from the top).
The new guidance from DOJ and OFAC is an unmistakable blueprint for corporate compliance programs. The catch for corporations applying this blueprint is that they are essentially creating a roadmap for individual liability that leads directly to senior management, including the board of directors. The Catch-22 is that corporations that do not apply this blueprint should expect federal law enforcement to aggressively challenge that decision and may find it difficult to claim that any alternative frameworks are acceptable.