The day has arrived. Today we’ll cover our last trend to watch in 2014: DPA and NPA use expanding. Since they were first used in 2000, the U.S. DOJ has disclosed 257 Deferred Prosecution Agreements (DPAs) and Non-Prosecution Agreements (NPAs). These agreements allow prosecutors to require corporate reforms and penalties in exchange for delaying the filing of charges, with the opportunity to avoid charges altogether upon satisfactory completion of the agreed-upon requirements.
In 2012, the DOJ entered into a record 37 agreements. While the pace of such agreements by the DOJ has slowed a bit in 2013, other enforcement bodies have now begun using them. The DOJ’s Antitrust Division entered into its first DPA in February, settling with the Royal Bank of Scotland. The U.S. Attorney’s Office for the District of Puerto Rico also signed its first DPA with LLC Wholesale Supply. In April, the SEC used an NPA for the first time in its settlement with Ralph Lauren in an anti-bribery case centered on illicit payments in Argentina. Also in April, DPAs were created for the first time in the United Kingdom, under the U.K. Crime and Courts Act 2013. The British version will be applicable only to economic offenses, such as fraud, money laundering and bribery, and the government still must finalize guidance on the process before they go into effect, probably in 2014.
And in healthcare, the Corporate Integrity Agreement (CIA) has been a similar enforcement tool used by the Office of the Inspector General of the U.S. Department of Health and Human Services since the late 1990s.
The use of such agreements has had its critics over the years, with some arguing that they are applied inconsistently, that key details included in the agreements have not always been readily available – thus limiting their potential positive impact as “teachable moments” for other organizations – and that they may be sending the wrong message by letting some wrongdoers off the hook.
On the other side, these agreements are typically quite costly to implement, often requiring the use of expensive third-party monitors that can be disruptive to the organization and are viewed as difficult to challenge. Further, these agreements have very tight timelines for actions such as implementing extensive training and ongoing reporting to government agencies, which diverts significant high-level resources into management of the agreement.
But in spite of the criticisms and implementation challenges, the expansion of the use of DPAs and NPAs in 2013 is a clear signal that they are here to stay.
Co-directors of enforcement for the SEC agree: “We recognize that insisting upon admissions in certain cases could delay the resolution of cases, and that many cases will not fit the criteria for admissions,” Andrew Ceresney and George Canellos outlined in a letter to SEC staff. “For these reasons, no-admit-no-deny settlements will continue to serve an important role in our mission and most cases will continue to be resolved on that basis.”
While the chances of being the target of a government investigation and agreement are still relatively low, the fear of it – even as a distant possibility – has focused the attention of many organizations that are preparing for the worst-case scenario. Interestingly enough, it turns out that preparing for the worst may be the wisest course to ensure that the worst will never happen.
Additionally, we have seen from recent DOJ and SEC announcements around DPAs and NPAs that a paper program is no longer acceptable. More components and robustness are expected around specific ethics and compliance program requirements in order to qualify for the benefits that DPAs and/or NPAs allow. In many ways, these agreements provide a blueprint of regulators’ expectations when it comes to effective ethics and compliance programs.
One approach to prepare for the worst is to conduct a “stress test” or an assessment to determine how the program would survive a government or third-party review. Such a test will help to develop a prioritized list of opportunities for improvement and result in a plan to engage leadership and other corporate functions to proactively address gaps.
At a minimum, the stress test should include a review of:
- The existing – or a new – ethics and compliance risk assessment
- Standards, policies and procedures
- Oversight, structure and leadership
- Alignment with HR practices
- Communications and training
- Reporting and response
- Monitoring and assessment
As a bonus, a stress test will also help organizations identify and collect program documentation, which is often scattered throughout the company – not only in the ethics and compliance office but also in HR, audit, security, legal and elsewhere. Without clear and complete documentation, it may be difficult to prove what program elements you have in place and what steps you’ve taken. But if the worst happens, that is precisely what you’ll need to do – so it is always best to be prepared.
Thanks for sticking with us through the coverage of all ten trends we feel are critical for ethics and compliance professionals to be aware of this year.