Straight Talk on Navigating "Subregulatory" Guidance

Marcia Narine Weldon

In the opening keynote session at the 2019 Compliance Week Annual Conference, we heard from Claire McCusker Murray, the Principal Deputy Associate Attorney General of the U.S. Department of Justice (DOJ). In what seems to be a growing theme – considering the DOJ’s recent updates to its “Evaluation of Corporate Compliance Programs” and the Treasury Department’s Office of Foreign Assets Control’s release of its “Framework for OFAC Compliance Commitments” – enforcement and regulatory agencies are putting particular emphasis on incentivizing effective and measurable corporate compliance programs.

In what was an encouraging distillation of the ROI of compliance, Murray expressed the reason for this growing emphasis with the following:

"Companies with smart compliance programs are more investible and less risky, they make better partners for commercial ventures, and they last longer, creating more jobs along the way. American business is at its best when there is a level playing field, and a culture of compliance and fair dealing is a key component of that."

Speaking to a room full of compliance practitioners, Murray was preaching to the choir. Murray also noted that many of the top brass at the DOJ are part of that choir, with decades of collective corporate compliance experience throughout their ranks. 

While Murray touched on a number of key takeaways for the compliance industry, what I found particularly interesting was not her overview of the guidance compliance officers should be aware of, but her advice on how “guidance” in general should be approached.


Compliance officers and legal professionals who have spent any amount of time in the profession know there is a sea of non-law statutes that organizations must navigate. These are our FAQs, manuals, memos, bulletins, and various forms of guidance issued by regulatory and enforcement agencies. Even Murray acknowledged the criticism that, though well-intentioned, the magnitude of this informal guidance has resulted in an abundance of “regulatory dark matter” that ethics and compliance professionals must identify, interpret and address.


Though the DOJ is working to reduce the amount of what was referred to as “subregulatory guidance,” it is not going away anytime soon, and it would behoove compliance officers to develop a measured approach to addressing these guidance docs because, though not law, in many cases they can have the same effect as law when violated. To this point, Murray provided three key elements to consider when developing an approach to subregulatory guidance.

Considerations for Subregulatory Guidance

First, when developing an approach to implement practices that align to a certain guidance set, we need to determine which elements of the guidance are an extension of the underlying law it is built upon. As Murray stated, “The key is to distinguish between two categories of guidance, the part that mirrors what the law requires and everything else.” Here we can separate de facto legal obligations from contextual clues from the agency.


Second, compliance officers should identify key language that highlights how the particular agency interprets any ambiguities in the law or guidance. Third, we should evaluate what the agency is defining as best practices that indicate compliance.

“For the first category, the response is simple: you’ll want to ensure that your business practices are consistent with the portion of the guidance that mirrors binding law.  For everything else, that’s where you make a good faith risk calculation,” Murray said.

To turn this regulatory dark matter into a bit more of a black-and-white operations guide, we must understand these key elements of guidance, put them into practice, and document how our organizations are going about aligning to interpretations and best practices.

Effectiveness is a soft word that needs to be qualified and quantified. These key, yet simplified, steps to measure how we effectively align with subregulatory guidance are a start to creating programs that are defensible and measurable. 

