The early months of the Trump administration have brought about the resignations of the two most prominent lawyers behind the U.S. Department of Justice's recent campaign against corporate wrongdoing. The departures of Deputy Attorney General and Acting Attorney General Sally Yates, and DOJ Compliance Counsel Hui Chen, coupled with the administration's business-friendly rhetoric, might tempt corporate compliance officers to conclude that the DOJ is shifting its emphasis away from corporate prosecutions.
They shouldn't. In fact, neither those high-profile defections nor the change in administration is likely to alter the mindsets of the working lawyers in the DOJ's 94 U.S. Attorney offices. Those prosecutors will not only continue pursuing the same types of cases they were pursuing before the inauguration, they'll also keep getting better at it.
Here's the reality: An effective compliance program is just as vital under President Trump as it was under President Obama. Failure to implement and maintain an effective compliance program exposes executives to as much reputational, financial and personal risk under Attorney General Jeff Sessions as it did under Attorney General Eric Holder.
There's no universal model for a compliance program—every company has to implement the policies, processes and structure that suit its organization. But every effective compliance program contains these four things:
Start at the Top
An effective compliance program requires total, authentic, conspicuous buy-in from leadership. Without it the program will fail, pure and simple. CEO and board support are required to ensure that compliance has adequate resources and are crucial to communicating that the organization takes compliance seriously. It's also a prominent factor in both the DOJ's published guidelines for evaluating corporate compliance and in the federal sentencing guidelines.
Combined with the continuing focus on personal liability in corporate wrongdoing cases, those official statements ought to be more than enough to convince leadership—assuming they'd prefer to stay out of jail and hang on to their wealth—to take compliance seriously.
And yet we consistently encounter executives and directors who treat compliance as an afterthought, or who make it clear that compliance shouldn't get in the way of growth. They might view compliance as a cost center, to be fed only enough resources to allow them to "check the box" and claim they have a compliance program.
This puzzling behavior is reminiscent of the way many executives treated diversity and inclusion in the 1990s—as an imposition with vague consequences that might be worth doing, but only for the optics and so long as it didn't interfere with sales activities. Executives and directors who take that view of compliance need to be scared straight. They need to understand that their jobs, their wealth and their freedom are on the line.
If the DOJ's explicit statements somehow fail to convince them, we find it helps to invite former federal prosecutors to regale them with first-hand accounts of investigations that led to charges and convictions. We have plenty of those stories. They're very real and they've proven highly effective in enlightening the most skeptical or cavalier business leaders.
Training, Training, Training
Training is the heart of an effective compliance program. It's the way policies are implemented and the primary vehicle for apprising employees of their obligations, their avenues for reporting wrongdoing, the organization's code of conduct and leadership's commitment to ethical, legal behavior. It's also a prominent factor in the DOJ's guidelines.
When government investigators show up—as they will at some point for most large organizations—one of the first questions they ask will go something like: When was the last time you trained?
Effective training should describe relevant laws and policies, and it should provide frequent updates as those laws and policies change, as they regularly should (more on that below). How often to train varies, but it's safe to say that no employee should go more than a year without some type of compliance training. That includes the CEO and the board. Sure, they're the busiest people in the organization. But they're also the ones most at risk for taking the fall if compliance fails at scale.
When we do compliance training for clients, we like to have the CEO in the room with whatever group we're addressing. It's a powerful way to communicate the organization's top-down commitment to ethics and compliance.
Evidence of the government's focus on encouraging and protecting employees who report corporate malfeasance is all around us. The DOJ's guidelines dedicate an entire section to how companies under investigation treat reports of wrongdoing. Since its creation in 2010, the SEC's Office of the Whistleblower has doled out more than $150 million in rewards to insiders who dropped a dime on securities violators.
Corporate compliance programs have to match that focus or, better yet, exceed it. Employees should know how to report wrongdoing (and be educated about what it looks like), feel confident that it will be appropriately addressed and feel safe that neither the organization nor anyone in it will retaliate against them if they do blow the whistle.
To achieve all of that in their reporting program, compliance officers have to create clear reporting channels and communicate how they work. Every employee should know exactly what to do when they see suspicious behavior. And they should be rewarded when those reports lead to the discovery of malfeasance.
It's also crucial to follow up on every report. Your hotline is bound to attract some odd and perhaps outlandish reports. You have to look into every single one. If employees—or government investigators—perceive that you're selectively or rarely investigating hotline reports, they'll lose confidence in the system, stop using it and, in all likelihood, report to the government instead.
Stay Current, Stay Fluid
An effective compliance program has to be as dynamic and fluid as the business itself. Advances in technology, changes in the law, even the news cycle—federal prosecutors consider headlines a powerful deterrence mechanism—can all change your risk. Your compliance program has to change with it.
So it's crucial to review and test the program on a regular basis—and to train your staff on any and all updates to policies, procedures and risks. Again, the DOJ's guidelines explicitly state that investigators will want to know how often the program was updated.
They'll also be impressed by updates based on industry best practices. That's why we encourage compliance officers to educate themselves on what other similar organizations are doing. In our experience, the compliance profession is rarely protective or proprietary as a whole. Sharing ideas and adopting measures that fit your goals helps keep you ahead of the curve.
We understand that every company's primary purpose, and every corporate officer's legal duty, is to make money. And for that reason the compliance program hasn't historically risen to the top of the CEO's or the board's priorities. But as former U.S. Attorneys who made careers out of prosecuting executives who violated the law, we understand what's at stake—and we've seen, time and again, that taking compliance seriously before there's trouble is the surest way to stay out of it.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.