Compliance programs, Chief Compliance Officers and liability have been the subject of a great deal of debate in recent months. Members of the Commission, for example, debated charging decisions regarding CCOs last year in comments that must have made those holding compliance positions yearn for another profession despite the intentions of the Commissioners.
At the same time, the SEC has over the years stressed compliance and its potential to minimize liability. Over a decade ago, for example, the Commission issued what is generally known as the Seaboard release, an Exchange Act Section 21(a) report of an investigation discussing cooperation and compliance that might minimize or eliminate liability. In 2012 the SEC, along with the DOJ, issued A Resource Guide to the U.S. Foreign Corrupt Practices Act (here). The Guide, built on Seaboard and concepts taken from the U.S. Sentencing Guidelines, identifies five key points regarding compliance programs: 1) establishing an effective tone at the top of the organization; 2) adopting an appropriate code of conduct; 3) assigning responsibility; 4) training personnel and updating systems; and 5) third-party due diligence.
While the Guide and its basic building blocks focus on the FCPA, the principles articulated regarding compliance programs are fundamental to virtually any corporate program. Indeed, following the issuance of the Guide, Associate Director of Enforcement Stephen Cohen emphasized those principles as the basics of effective compliance (here).
Andrew Donohue, Chief of Staff, in remarks delivered May 20, 2016 titled “New Directions in Corporate Compliance,” (here) also focused on compliance. There Mr. Donohue approached the question from the viewpoint of a CCO. He began by articulating four basic points that should be considered when evaluating a corporate compliance program:
Integrity and personal responsibility: The effectiveness of a corporate compliance program is a function of “the integrity of those people you have in your organization and their ownership of personal responsibility for themselves and the areas for which they are responsible,” according to Mr. Donohue. Without the right people, the chances of having an effective program diminish.
Culture: This is a critical point, Mr. Donohue noted. The culture of the organization must be one of “always doing the right thing, not tolerating bad practices or bad actors is essential. The culture should encourage people to ask questions and to discuss openly what is the proper response . . .” In this regard there should be a correlation between ethical behavior and the reward structure.
Keep it simple and intuitive: The policies and procedures that make up the system should be simple, straightforward, written in plain English and “intuitive to those that have to comply with them.”
Role of technology: Technology provides opportunities for eliminating human error, providing increased testing and monitoring. At the same time it is not a substitute for individual responsibility, Mr. Donohue noted.
Complexity: As firms become more complex it can be more challenging to develop and implement effective compliance programs. For example, the firm may have a number of computer systems which do not effectively communicate with each other. The organization may have a number of complex areas. It is critical that there be not just those with segregated duties but personnel who understand how it all works.
While these principles are the predicates for a compliance system, for the CCO a series of pragmatic points are key. Those, according to Mr. Donohue, include:
- Knowledge of business: The CCO should know the business better than those who run it and have a deep knowledge of the regulatory regimes under which the organization operates;
- Risks: It is essential to identify the key risks faced by the organization;
- People: The CCO must understand and appreciate the people and their focus;
- Systems: It is critical to understand the systems employed, their limitations and the people involved with them; and
- Resolution: When an issue is identified it must be addressed and resolved quickly.
Perhaps the final point is most important. The effective CCO must constantly be asking “What am I missing?” Stated differently, the system must, as the Guide notes, be constantly evaluated and updated. If that is done it can improve the functioning of the business. In addition, if an issue arises which comes to the attention of the SEC or another regulator, the organization will be able to follow the advice of Mr. Cohen: address the issue first by pointing to the effective compliance program of the organization; then discuss the question as an outlier rather than waiting until the remediation stage of the discussion to mention compliance, as do many firms. That approach argues for a much more favorable outcome of the regulatory inquiry since compliance is a key question in any charging decision.