Look around, corporate ethics and compliance officers. We’re suddenly peppered with new signals from the regulatory world about the importance of a strong, empowered compliance function.
We see that most obviously in the Justice Department’s new guidelines about evaluating the effectiveness of a compliance program. That guidance expressly says that when a company is in settlement talks for some infraction, prosecutors will consider whether personnel in the compliance function have sufficient seniority, resources, and autonomy to give an affirmative to one of the department’s fundamental questions: “Does the corporation’s compliance program work in practice?”
Look further, however, and you see even more evidence of how much an empowered compliance function matters. That message goes well beyond those new evaluation guidelines.
For example, just days after the Justice Department published that guidance, the Treasury Department’s Office of Foreign Assets Control released its own “Framework for OFAC Compliance Commitments.”
Yes, OFAC aimed its message at companies facing sanctions risk, while the Justice Department’s guidance dwells on the Foreign Corrupt Practices Act and corporate criminal conduct generally. So what? Their substantive point — that the compliance function should actually work, not simply exist — is identical.
Compliance officers should seize on that point as they bargain with management committees and the board for budget, reporting relationships, and the basic power to carry out strong ethics and compliance programs at their organizations.
What Should an Empowered Function Look Like?
The OFAC guidance provides a few useful answers to that question. First, the guidance says, “Senior management commitment to supporting an organization’s compliance program is a critical factor” — no surprise there. Then it offers three examples.
First, the role of compliance officer should actually exist, complete with title and recognition. In OFAC’s world, that means the organization should appoint a designated sanctions compliance officer, although the person can also be responsible for Bank Secrecy Act compliance or serve as Export Control Officer.
For corporate ethics and compliance broadly, this concept might sweep in other duties like FCPA compliance or ethical sourcing. Regardless, the point still fits: a strong compliance function assigns responsibility for the program to a specific person, in a way the rest of the organization recognizes clearly.
Second, that person must be competent. OFAC’s definition of competence includes two points: “(i) technical knowledge and expertise of these personnel with respect to OFAC’s regulations, processes, and actions; (ii) the ability of these personnel to understand complex financial and commercial activities, apply their knowledge of OFAC to these items.”
Third, that person must have real authority to act. The compliance officer should have oversight “over the actions of the entire organization, including but not limited to senior management, for the purposes of compliance with OFAC sanctions.”
Recognition, competence, authority — those concepts are in the Justice Department guidelines too, although more obliquely. Those guidelines are foremost intended for prosecutors, as questions they might ask companies, with supplemental commentary for corporate compliance officers to follow along.
In contrast, the 12 pages of OFAC guidance include no questions at all. It’s much more a document where OFAC defines its views on what an effective compliance program should do, and the traits it should have.
Compliance officers of any stripe can take both documents, distill them down to their core points about what an empowered compliance function should be able to do, and tell the board: “This is what regulators want to see. Here is how our organization does and doesn’t match up on those points.”
The Bigger Compliance Picture
So what benefits come from having that strong, empowered compliance function? What’s in it for boards, CEOs, and general counsels to do this? Several things.
First, fewer painful consequences from a regulatory enforcement action. For example, the Justice Department’s evaluation guidelines are a precursor to avoiding a corporate compliance monitor, always an expensive proposition. If your compliance program doesn’t meet the expectations embedded in those evaluation guidelines, avoiding a monitor becomes that much harder.
We’ve also seen multiple cases lately where companies suffered stiffer penalties specifically because they lacked a strong compliance function.
In April, federal prosecutors brought charges against the Rochester Drug Cooperative, as well as its former chief executive and chief compliance officers, for failing to prevent indiscriminate opioid sales. The CCO himself (who has pleaded guilty) spent most of his time as an operations manager, instead of tending to compliance.
Or look at FINRA’s recent action against a broker-dealer firm for not investing in a compliance program to govern its business short-selling stock. The firm didn’t have a designated compliance officer, and relied on manual procedures to investigate suspicious transactions even as business boomed.
Still, those are examples from regulatory enforcement. Companies also have many other stakeholders — customers, shareholders, business partners, the public — who want to see companies take a more thoughtful, disciplined approach to ethical conduct.
Even if we accept that regulators now use bigger carrots to encourage compliance, and smaller sticks to punish non-compliance — again, so what? All those other stakeholders still have their own sticks that they might use to pummel your company, if it has a weak ethics & compliance function that doesn’t meet their expectations.
That’s not going to change any time soon.