United States: Addressing The Sentencing Guidelines While Maintaining an Effecive Compliance Program

The United States Sentencing Commission has proposed amending the federal Sentencing Guidelines¹ used to sentence business organizations. Unless Congress takes the extraordinary and unlikely step of rejecting the Commission's proposal, the amendments become effective November 1, 2004. ² The most striking feature of the proposal is that it will more extensively define and expand the standards, structures and procedures of an "effective" compliance program. In particular, the proposed amendment makes clear that business organizations must proactively create a "culture of compliance," and that senior management and the highest governing authority must actively and regularly participate in and be briefed on the organization's compliance efforts and status. Not only does this impact the very small number of companies who will directly interact with federal law enforcement in the future, but the proposed change has important implications for the majority of companies who will not. The Sentencing Guideline's new standards for "effective" compliance programs will likely become the generally accepted standard in legal contexts beyond federal sentencing, including Sarbanes- Oxley and the fiduciary duty of good care applicable to officers and directors.

To understand how compliance programs became part of federal sentencing, it is helpful to look briefly at organizational sentencing under the Guidelines. Congress established the United States Sentencing Commission as an independent agency within the federal judiciary charged with creating guidelines for federal sentencing proceedings because Congress believed the judiciary's discretionary sentencing practices had become too arbitrary. The Sentencing Commission's guidelines for sentencing organizations became effective on November 1, 1991. They are found in the Guidelines' Chapter Eight in three principal substantive parts: (1) Part B___ "Remedying the Harm From Criminal Conduct"; (2) Part C___ "Fines"; and (3) Part D___ "Organizational Probation."

Although calculating an organization's sentence under the Guidelines can be complex, the broad mechanics are relatively simple. Under Part B, the court crafts an order intended to remedy harm caused by the criminal violation, requiring such things as victim restitution, remedial steps to prevent or address expected future harm, and community service. Under Part C, the court determines the fine to be paid by the organization. In general, the fine range is the greater of the amount of pecuniary gain to the organization resulting from the offense, the pecuniary loss caused by the offense, or a fine range calculated by adding, subtracting and multiplying "points" prescribed by the Guidelines based on the existence or absence of defined aggravating or mitigating factors.

Probation under Part D is generally required where an organization with 50 or more employees does not have an effective compliance program in place. The Commission's statistics show that for all businesses sentenced between fiscal years 1993 and 2000, courts found that only 0.4% had an "effective" compliance program. Thus, as a condition of probation an organization is almost always required to develop and submit an "effective" compliance plan, to notify its employees and shareholders of its criminal behavior and its new program, and to make periodic reports to the court or probation officer regarding the progress of the compliance program. The court can also order the organization to submit to regular or unannounced examinations of its books and records by probation officers or experts hired by the court (and paid for by the organization), which can include "interrogation of knowledgeable individuals within the organization." One of the issues these experts will certainly review is the company's execution of the compliance program.

Although companies certainly engaged in compliance efforts prior to 1991, the Guidelines' formal articulation of an effective compliance program was the first time the concept appeared in that form under federal law. That standard quickly became the dominant view of what a compliance program should look like. But the standards and procedures defining an effective compliance program under the 1991 (and still current) guidelines were contained in the general definitions section to Chapter Eight (Application Note 3(k) of section 8A1.2), rather than a formal guideline. To underscore the importance of compliance programs, the Commission has proposed a new stand-alone guideline, section 8B2.1, entitled "Effective Program to Prevent and Detect Violations of Law."

The Commission says the intent is to emphasize the importance of an organizational culture that encourages ethical conduct and a commitment to compliance, which must include at a minimum the following components:

1. established standards and procedures to prevent and detect criminal conduct;
2. the organization's governing authority and high-level personnel are knowledgeable regarding the content and operation of the compliance program, and exercise oversight with respect to its implementation and effectiveness;
3. the organization uses reasonable efforts not to include within its "substantial authority personnel" persons who the organization knows, or should know, have engaged in illegal activities or other conduct inconsistent with an effective compliance program;
4. the organization periodically communicates, through training and other reasonable dissemination of information, its standards and procedures to the governing authority, high-level personnel, substantial authority personnel, and, as appropriate, its employees and agents;
5. the organization periodically evaluates the effectiveness of its program's effectiveness, including by monitoring and auditing to detect criminal conduct;
6. offering a means of anonymous reporting to its agents and employees so that criminal conduct can be reported without fear of retaliation;
7. encourage compliance throughout the organization by using appropriate incentives for compliance, and discipline for non-compliance or for failing to take reasonable steps to prevent or detect non-compliance; and
8. once criminal conduct is detected, taking reasonable steps to respond appropriately to prevent further similar criminal conduct, including making necessary modifications to the compliance program; in furtherance of this goal, the organization shall periodically assess the risk of criminal conduct to design, implement or modify the compliance program to reduce the risk identified in the periodic assessment.

As compared to the current provisions in the sentencing guidelines addressing corporate compliance programs, the features of the proposed amendment that are new are the Commission's decision expressly to

• Specify the responsibilities of an organization's governing authority and organizational leadership for compliance;

• Emphasize the importance of adequate resources and authority for individuals within organizations with the responsibility for the implementation of the effective program;

• Replace the current terminology of "propensity to engage in violations of law" with language that defines the nature of an organization's efforts to determine when an individual assigned substantial authority has a history of engaging in violations of law;

• Include required training and the dissemination of training materials and information within the definition of an "effective program";

• Add "periodic evaluation of the effectiveness of a program" to the requirement for monitoring and auditing systems;

• Require a mechanism for anonymous reporting; and

• Provide for the conduct of ongoing risk assessments.

Maintaining an "effective" compliance program is important not just for those few organizations who will be sentenced under the Guidelines, but for those many more organizations (particularly in today's post-Enron prosecutions climate) who will become the subjects of a federal criminal investigation. On January 23, 2003, the U.S. Department of Justice, through then- Deputy Attorney General Larry D. Thompson, issued a memorandum entitled "Principles of Federal Prosecution of Business Organizations." These Principles counsel federal prosecutors to examine nine criteria when deciding whether charges should be sought against a business entity. One of these criteria directs prosecutors to decide "[w]hether the corporation has a compliance program in place, which program is adequately designed to prevent wrongdoing by employees and is enforced by management." In particular, the Department advised its prosecutors to examine

The themes focused on by the Department of Justice in January 2003 - review and auditing of compliance matters at the highest organizational levels, dedication of resources, training of employees, and risk assessment - are among the themes emphasized by the Commission in its proposed amendment. The proposed amendment under the Guidelines should bring the Sentencing Guidelines' concept of an "effective" compliance program largely up to date with the Department of Justice's concept of effectiveness, whereas, particularly in the last few years, a gap had started to develop. There remains, however, one noticeable gap between federal prosecutors and the Guidelines in compliance theory in the area of waiver of the attorney- client privilege and work product protections. During the drafting of the proposed amendment there was much disagreement between the law enforcement community and the corporate and defense bars on whether waiver would be mandated before an organization could be credited with cooperation under the Guidelines. Law enforcement took the position that a company must waive if it wanted credit for cooperating, and the defense and corporate bars objected. The final proposed amendment ostensibly straddles the issue by stating that waiver is "not a prerequisite" to receiving credit for cooperation, but that credit may be denied if "waiver is necessary in order to provide timely and thorough disclosure of all pertinent information known to the organization." As a practical matter, this still leaves most of the power with the prosecutors, because the prosecution will tell the sentencing judge whether the prosecution's request for waiver was "necessary, timely and thorough," and a judge would be hard-pressed to disagree with the prosecution's assessment that withheld waiver impeded the investigation. Finally, and more importantly than the few points of cooperation credit at issue at sentencing, the Department of Justice is routinely demanding that companies waive attorney-client privilege and work product protection in exchange for being viewed by the Department as cooperative at the pre-indictment stage under its Principles of Federal Prosecution. Nothing in the Guidelines alters the Department's full discretion to continue doing that.

Compliance practice and theory are also relevant to companies subject to the Sarbanes-Oxley Act. Section 404 of that Act requires a company's management to present an internal control report in the company's annual report containing: (1) a statement of the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) an assessment, as of the end of the company's most recent fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting. In addition, in order to harmonize Sarbanes-Oxley's section 404 requirements with section 302's quarterly certification requirements, the Securities and Exchange Commission adopted regulations requiring companies to perform quarterly evaluations of changes that have materially affected or are reasonably likely to materially affect the company's internal controls over financial reporting. Section 805 of Sarbanes-Oxley directed the Commission to review and amend its organizational guidelines to ensure that they are sufficient to deter and punish organizational misconduct, so that efforts undertaken to comply with the Guidelines must be viewed in conjunction with the overall Sarbanes-Oxley certification process as well.

Even those companies not subject to Sarbanes-Oxley will need to review their compliance efforts in light of the proposed guideline for purposes of ensuring that their compliance program satisfies the fiduciary duty of good care. In re Caremark International Inc. Derivative Litigation, 698 A.2d 959, 967 (Del. Ch. 1996), and McCall v. Scott, 250 F.3d 997 (6th Cir. 2001), are the two most prominent cases prescribing officer and director fiduciary responsibility to ensure a corporation has an effective compliance program. It is likely that the compliance community will adopt the Sentencing Guidelines' standards as the paradigm for an effective compliance program, consistent with the Sentencing Commission's view that it has merely codified existing best practices in compliance. In order to satisfy their fiduciary duty of good care, then, officers and directors will have to adopt compliance programs that satisfy the Sentencing Guidelines' standards.

Because the proposal is likely to be adopted by Congress in its current form, and could be given retroactive effect, business entities must take advantage of the time between now and the November 1, 2004 effective date to examine their existing compliance programs to ensure that they meet the new standard, including the new requirement that they perform appropriate risk assessments to determine what substantive areas of potential criminal liability need to be added to the formal compliance program. Management will also need to ensure that the required resources, structures, standards and procedures are all in place and communicated as appropriate to all personnel. Failure to maintain an "effective" compliance program under the new standard could very likely have meaningful negative consequences far beyond the criminal enforcement arena, including under Sarbanes-Oxley and the fiduciary duty of good care.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.