New DOJ metrics for an ‘effective’ compliance program can aid in defining infractions

The unveiling of key metrics that would make up what US federal prosecutors consider an “effective” corporate and financial crime compliance program can help banking and other sectors firm up the ill-defined boundaries between civil and criminal program failures.

But companies may find the tenets, released last week by US Assistant Attorney General Leslie Caldwell at a Securities Industry and Financial Markets Association (SIFMA) seminar, tricky to implement and harmonize with current practices. At least in one instance, the guidance may also put them at odds with regulators, with a request to be less prone to close accounts engaging in suspicious activity. To read a text of Caldwell’s speech, please click here.

The delineation of the compliance metrics comes on the heels of record penalties in recent years for compliance failures, but also addresses a perceived lack of transparency, clarity and consistency by the Justice Department in why some banks paid millions and others billions of dollars for ostensibly similar illicit actions. To see a detailed analysis of the metrics by experts, please click here.

The focus on the effectiveness of compliance practices is not just happening at the US government level, but is also occurring on an international level as well. The Paris-based Financial Action Task Force (FATF), which sets global anti-money laundering (AML) standards, also in recent years has changed its assessment procedures to focus more on “effectiveness,” of country counter-financial crime programs, such as the amount of funds and assets seized, criminals convicted and number of penalties handed down against recalcitrant entities.

The metrics are a move by the Justice Department to bring more bright line boundaries to what can be at-times amorphous compliance concepts, and provide a sharper framework for when these missteps cross from the regulatory realm to the criminal context.

The metrics provide opportunities for improvement before regulators and prosecutors arrive, but also could bring new challenges in ensuring programs are deemed nimble and current, said Ryan Rohlfsen, a partner in the Chicago office of Ropes & Gray and a former federal prosecutor in the Justice Department’s criminal fraud section.

“DOJ is continuing on a pathway of really focusing on more of the nuances and taking a detailed approach and review of the issues,” in creating a truly effective compliance program to detect and deter criminal activity, he said.

“The big takeaway is that DOJ is checking to see if companies are really paying attention to this. It can’t be a paper tiger program. Compliance must be a living, breathing entity that companies have to stay on top of,” to ensure programs are addressing current risks and vulnerabilities and being implemented effectively, Rohlfsen said.

The common thread throughout the various metrics is ensuring companies embrace the notion of vigilance, and dedicate ongoing resources to a compliance program in a bid to prevent stagnation, he said.

“A company can’t just have a great policy and leave it at that or have training and just let that stand,” Rohlfsen said.  “There is really a theme of companies needing to stay vigilant, to benchmark their programs, keep them up to date and see what their peers are doing, in terms of training, testing and the appropriate procedures for someone violating the policies.”

New compliance counsel may bring bring ‘laser beam’ approach to investigations

As well, the metrics should be viewed as a continuation of Justice Department initiatives to give more attention and a higher priority to compliance and ferret out individual liability in large scale programmatic failures.

The department recently created and staffed a new position, the corporate compliance counsel, and sent out a missive to federal prosecutors, dubbed the “Yates memo,” to look for individuals responsible for compliance collapses, particularly those in higher positions of authority, when investigating more egregious cases potentially warranting hefty penalties.

The new compliance counsel, Hui Chen, most recently served as Global Head for Anti-Bribery and Corruption at Standard Chartered Bank, which itself has paid hundreds of millions of dollars to state and federal regulators for financial crime compliance failures.

The deep knowledge of compliance by Chen could mean a different tack than in past investigations, for good or ill.

The likely “approach is more of a laser beam than a sledge hammer” to determine if alleged criminal actions at an institution are a corporate criminal issue or a corporate crime by an individual that doesn’t call into question the overall effectiveness of the compliance program, which could be harder to counter for a bank, Rohlfsen said.

‘Delicate dance,’ between regulators, investigators

The stated metrics and related details could prod more formalized procedures for keeping accounts open to aid law enforcement, a move that could put the institution at odds with regulators for allowing potentially obvious criminal activity, in direct opposition to a program that is designed to deter money laundering.

On that point, the department acknowledges that the “vast majority of financial institutions file Suspicious Activity Reports (SARs) when they suspect that an account is connected to nefarious activity,” Caldwell said.

“But, in appropriate cases, we encourage those institutions to consider whether to take more action: specifically, to alert law enforcement authorities about the problem, who may be able to seize the funds, initiate an investigation, or take other proactive steps.”

Some banks take more action by “closing the suspicious account, but sometimes that may just prompt the criminals to move the illicit funds elsewhere,” Caldwell said.  “So, we encourage you to speak with regulators and law enforcement about particularly suspicious activity.”

Doing that can be a “delicate dance,” Rohlfsen said, if it appears the bank allowed illicit activity to continue even after it had concluded something was amiss. In those cases, the bank may need to prod the federal investigators to allay examiners’ concerns and note formally the bank was working on their behalf. Banks may also have to create more calibrated and defined thresholds for when they keep suspect accounts open to allay regulatory fears.

Banks have been aiding undercover sting operations for years, but more recently have engaged in a broad-based “de-risking” of customers, regions and products that carried too much compliance risk, penalty exposure or simply drew too much regulatory scrutiny and monitoring resources.

One other part of the Caldwell speech that could be particularly difficult is an exhortation to share suspicious activity across borders, say from a foreign country to the US or vice versa.

Part of what the department considers an effective compliance is “sharing information about potentially suspicious activity with other branches or offices.”

“For example, if a foreign branch of a U.S. bank identifies suspicious activity related to an account held by a customer that also maintains an account with the bank in the U.S., compliance personnel in the U.S. should be alerted to the suspicious activity,” Caldwell said.

But that could be violating privacy or other laws in the foreign country, creating a scenario where the bank must choose which jurisdiction to upset, Rohlfsen said, adding that institutions in such cases should contact both privacy and financial regulators and federal investigators to see what they advise.

‘Paper programs’ a problem

The Justice Department will also be giving more attention to the disparities between a program in writing and implementation, Caldwell said.

In this after the fact review, the department looks closely at whether compliance programs were simply “paper programs,” or whether the institution and its culture actually support compliance.

“We look at pre-existing programs, as well as what remedial measures a company took after discovering misconduct – including efforts to implement or improve a compliance program,” Caldwell said, adding that investigators will also look at messages conveyed to employees, including through in-person meetings, emails, telephone calls and compensation.

“We look at whether, as a whole, a company tolerated compliance failures year after year because the alternative would have meant a reduction in revenues or profits.”

To be sure, Caldwell noted, that while it’s important for institutions to be mindful of regulatory priorities and guidance in devising and carrying out a tailored, risk-based compliance program, they should not take a “narrow, cramped view of compliance – that it requires only adherence to specific regulations,” because that would “ultimately will inure to the company’s detriment.”

Caldwell also crushed the idea that a stronger compliance program can be an effective “defense” against criminal penalties from ever occurring, but that the soundness of the compliance program can be a mitigating factor in terms of penalty size and remediation breadth.

Even so, there are some bright spots.

Most banks, according to Caldwell, won’t find themselves in the unenviable position of jousting with the new corporate counsel.

“The vast majority of compliance violations do not result in criminal prosecution,” Caldwell said. “Rather, the Criminal Division pursues charges when the offending conduct is intentional and particularly egregious or pervasive.”

The Justice Department is not interested in prosecuting mistakes or accidents, or bad business judgments.

“And we are not looking to prosecute compliance professionals,” Caldwell said. “To the contrary, we view you as the good guys and as our allies.  And we want to make sure that when we review a pre-existing compliance program, or suggest remedial measures, that we get it right.”

So while the new hire at the Justice Department and the depth and detail in these tenets may cause compliance officers to quake, there is opportunity amidst the trepidation, said David Caruso, chief operating officer of TransparINT, a compliance technology company.

“There is the chance this can be very helpful” to the compliance and corporate communities as a whole, said Caruso, who has been in financial crime compliance for more than 20 years in a range top positions and head of his own consulting firm.

“DOJ is giving companies a framework, telling them this is how you avoid the most serious and severe penalties that we can impose on you,” he said. “It doesn’t mean, however, that if you have all of these you will never face a penalty. But the penalty associated with a compliance failure will not be very significant, and may be barely newsworthy.”