Stronger focus on board oversight, individual accountability in DOJ fraud section corporate guidance

By Brian Monroe
February 23, 2017

Companies trying to prove to federal prosecutors they have an effective corporate compliance program must first demonstrate that the board level has broad understanding and oversight of compliance issues, ensure compliance staffers are “empowered” and that training is living, leveled and evolving.

Those are just some of the critical tenets released this month by the U.S. Department of Justice’s fraud section in a terse but revealing eight-page missive. The document was crafted to aid companies in creating compliance programs to defend against, uncover and remediate suspected instances of fraud, corruption and other corporate misdeeds.

The 11 sections covered in the guidance – ranging from the autonomy and resources of compliance officers to continuous improvement protocols to keep training honed – mirror many of the prongs of the classic anti-money laundering (AML) program requirements in place at banks, but in some cases go further to make it clear the function should be a top-of-mind issue for boards, senior executives and business line managers.

Some of the key considerations, detailed this time around in the form of questions, include “the existence and effectiveness of the corporation’s pre-existing compliance program” and the corporation’s remedial efforts “to implement an effective corporate compliance program or to improve an existing one,” according to the Justice Department.

But the guidance is only that, and will not be a complete shield for missteps.

The guidance “provides some important topics and sample questions that the Fraud Section has frequently found relevant in evaluating a corporate compliance program,” according to the piece, though the “topics and questions below form neither a checklist nor a formula.”

In any particular case, the “topics and questions set forth below may not all be relevant, and others may be more salient given the particular facts at issue,” the document added, imploring readers to be intuitive, creative and analyze the unique vulnerabilities at their institutions.

The guidance – the first issued by the fraud section since a new president and attorney general have come on board – is an indicator that at least certain areas of compliance are still a priority for the new administration, which is actively weakening some corruption and transparency safeguards put in place by the prior regime.

The questions in the document are an amalgam of several prior pieces of guidance from federal authorities, including U.S. attorneys, prior fraud section settlements and resolutions, U.S. anti-corruption rules and even best practices form international financial watchdog bodies, including the Organization for Economic Cooperation and Development and the United Nations.

What are the 11 sections in the Justice Department fraud section guidance?

  • Analysis and Remediation of Underlying Conduct
  • Senior and Middle Management
  • Autonomy and Resources
  • Policies and Procedures
  • Risk Assessment
  • Training and Communications
  • Confidential Reporting and Investigation
  • Incentives and Disciplinary Measures
  • Continuous Improvement, Periodic Testing and Review
  • Third Party Management
  • Mergers & Acquisitions

The Justice Department fraud section guidance follows prior guidance in November 2015 detailing the metrics of an “effective” corporate and financial crime compliance program, a project spearheaded by the hiring that same month of Hui Chen as compliance counsel, a new position specifically created to parse out previously amorphous concepts into accessible steps.

To read ACFCS coverage of the prior guidance, please click here and a related sidebar of expert analysis, please click here.

The latest guidance also gets into more detail on the risks of third parties, a major focal point in U.S. corruption enforcement cases in what was a record 2016, and touches on a risk area not given much ink in the compliance context: mergers and acquisitions.

The conclusion: corporations must not only create, update, self-asses and remediate their programs – before or after a formal enforcement action – they must also take the reinforced and upgraded compliance program and graft it to companies they are absorbing, paying particular attention to system integration and fixing any due diligence or other problems at the target firm.

What are some examples of the questions from the Justice Department’s Fraud Section tied to compliance program effectiveness and what is some of the context behind why prosecutors are focusing on those areas?

Conduct at the Top – How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question? What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts? How does the company monitor its senior leadership’s behavior? How has senior leadership modeled proper behavior to subordinates?

Context: The phrase “tone at the top” has woven its way into a significant number of AML enforcement actions in recent years, so it’s no surprise those concepts and expectations have become ensconced in precepts meant for corporations beyond banks. The question also forces companies to clearly state how it is watching the watchers.

Shared Commitment – What specific actions have senior leaders and other stakeholders (e.g., business and operational managers, Finance, Procurement, Legal, Human Resources) taken to demonstrate their commitment to compliance, including their remediation efforts? How is information shared among different components of the company?

Context: For many banks caught in enforcement actions, the major problems extended beyond the AML compliance department and were endemic and entrenched in the regions of the bank historically a foil for fincrime staffers: profit-driven business line managers. So this question pushes corporates to tackle that tension, tame it and prove growth and progression of understanding and implementation at those levels.

Oversight – What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?

Context: In fincrime compliance circles in recent years, there has been a growing realization that if the board doesn’t have the requisite expertise to understand the issues coming before them – AML, cybercrime, convergence – they will not be able to realize the risks at play, resources needed or regulatory penalty exposure. That’s why this question address several layers of a problem by requiring an active, informed, engaged and accountable board.

Stature – How has the compliance function compared with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers?

Empowerment – Have there been specific instances where compliance raised concerns or objections in the area in which the wrongdoing occurred? How has the company responded to such compliance concerns? Have there been specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns?

Context: These two questions are part and parcel of the same larger issue to bedevil compliance departments at nearly any size of institution. There are several surefire ways to hamstring a compliance department. But at the top of that list is not giving the department resources to have officers with the requisite experience in line with the risks of the company.

Moreover, if somehow the compliance staffers can fight to get funding, if they are overruled by business line managers – which has happened in dozens of AML enforcement actions in recent memory – then the issues uncovered by analysts in the trenches never get addressed, calls to drop risky clients and ventures get overruled and the team billed as the first line of defense ends up getting the last seat at the board’s table.