Kusserow’s Corner: DOJ Criminal Division Assistant Attorney General on Compliance

On October 1, 2014, Leslie R. Caldwell, Assistant Attorney General for the Criminal Division for the Department of Justice (DOJ), addressed the 22nd Annual Ethics and Compliance Conference in Atlanta, Georgia. The Criminal Division has 600 lawyers for federal criminal law enforcement with the Fraud Section, and employs approximately 100 prosecutors who are experienced in investigating health care fraud, defense procurement fraud, securities and financial fraud, and violations of the Foreign Corrupt Practices Act. She made a number of comments concerning the DOJ's recognition of the importance of effective compliance programs. These included the following.

It is increasingly rare for the DOJ to encounter a company with a feeble compliance program. More often, it encounters compliance programs that appear strong on paper but are much weaker in practice. Even with proper support of a compliance program by management, compliance is incredibly difficult, in that Compliance Officers are asked to monitor business units that are often spread across a large universe of programs and locations. As such, compliance must extend beyond the executive suites to all locations where a company operates.

When considering criminal action against a company, the DOJ evaluates the company’s compliance program. Under the DOJ “Principles of Federal Prosecution of Business Organizations,” prosecutors must consider “the existence and effectiveness of the corporation’s pre-existing compliance program.” Caldwell further noted that the United States Sentencing Guidelines expressly include a company’s corporate compliance program as a factor in corporate sentencing in criminal cases.

The DOJ recognizes there is no “off the rack” compliance program that can be installed at every company. Effective compliance programs “must be tailored to the unique needs and risks faced by each company.” There are a number of “hallmarks of good compliance programs” that DOJ considers in making prosecutorial decisions, including:

  1. High-level commitment. Compliance begins with directors and senior management, who must evidence “strong, explicit, and visible commitment to its corporate compliance.”
  2. Written Policies. A company should have a clearly articulated and visible corporate compliance policy memorialized in a written compliance code and policies.
  3. Periodic Risk-Based Review. A company should periodically evaluate these compliance codes on the basis of a risk assessment addressing the individual circumstances of the company.
  4. Proper Oversight and Independence. A company should assign responsibility to senior executives for the implementation and oversight of the compliance program, who are given the authority to report directly to independent monitoring bodies, including internal audit and the Board of Directors. They should have autonomy from management and be properly funded to carry out their responsibilities.
  5. Training and Guidance. There have to be mechanisms designed to ensure that a compliance code is effectively communicated to all directors, officers, and employees. This means repeated communication, frequent and effective training, and an ability to provide guidance when issues arise.
  6. Internal Reporting. There should be an effective system for confidential, internal reporting of compliance violations.
  7. There should be an effective process with sufficient resources for responding to, investigating, and documenting allegations of violations.
  8. Enforcement and Discipline. There need to be mechanisms designed to enforce a company’s compliance code, including appropriately incentivizing compliance and disciplining violations.
  9. Third-Party Relationships. A company should institute compliance requirements pertaining to the oversight of all agents and business partners.
  10. Monitoring and Testing. There should be periodic reviews and testing of the compliance code to improve its effectiveness in preventing and detecting violations.

“If a company is actually encouraging compliance, if its values are to be ethical and within the law, then that message must be conveyed to employees in a meaningful way. Otherwise, the Department of Justice will not view the compliance program as credible. Effective compliance programs must be embedded in a company’s culture, and they need to be applied even in the face of misconduct by other companies in the same industry, even if that might mean a short-term competitive disadvantage.”

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2014 Strategic Management Services, LLC. Published with permission.