Watching the River Flow: The Evolution and Future of Compliance (Part I of III)
People disagreeing on all just about
Makes you stop and all wonder why
Why only yesterday I saw somebody on the street
Who just couldn’t help but cry
Oh, this ol’ river keeps on rollin’, though
No matter what gets in the way and which way the wind does blow
And as long as it does I’ll just sit here
And watch the river flow
Bob Dylan, Watch the River FlowI have to admit it – I still love to listen to Bob Dylan. With age, his lyrics resonate more and more. HERE is a nice version of Watch the River Flow in case you want to listen while reading this posting. Dylan’s words are particularly apt as we watch the latest developments in compliance guidance.
DOJ and OFAC issued new and important guidance. As I sit here, watching the river flow, my perspective on the impact and importance of this guidance to the compliance professional compliance programs flows like the river. Like much of life, there is good and bad.
Let’s take a step back. In looking over corporate governance for the last thirty years, there is no question that ethics and compliance is one of the most significant — if not the most significant — change. Further, in looking to the future, ethics and compliance has the real potential to reduce corporate malfeasance. And that is a big point.
Over the last thirty years, our economy has suffered from serious corporate scandals, including the savings and loan crisis in the 1980s, the Internet meltdown in the 1990s, coupled with the financial reporting scandals of the early 2000s and enactment of Sarbanes-Oxley, and finally the financial meltdown in 2008. Ethics and compliance is at the point where it can make significant contributions to reducing corporate misconduct.
White collar criminal enforcement has expanded as well. Over the last thirty years, we have seen what was typically a civil enforcement matter transformed into criminal prosecutions. At the same time, we have witnessed a major change in the role and responsibilities of federal prosecutors who have outsourced criminal investigations to defense counsel investigations and embraced deferred prosecutions and regulatory-type settlements aimed at improving corporate compliance and governance controls.
From the government’s perspective, corporate compliance program were formally recognized when the United States Sentencing Commission adopted its Organizational Guidelines included a potential reduction in a company’s base offense level for an effective corporate compliance program. The factors listed under Section 8C2.5 provided an important framework that helped companies to design and implement compliance programs, notwithstanding the fact that few companies (in the universe) actually fell under the scrutiny of the guidelines (i.e. because they were not prosecuted for cirminal offenses). Even more odd is the fact that few companies among the sentenced population ever earned the credit for having an effective compliance program.
Despite the lack of any direct application, the compliance profession and industry took to the guideline factors. Why? Because the guidelines provided the first real meaningful guidance on compliance programs. It made little sense for companies to invest in compliance programs, given the infancy of the industry, until government prosecutors acknowledged consideration of such programs in any criminal resolution. Notwithstanding their age, the sentencing guidelines provide a useful reference, and I would urge everyone to revisit the factors again and they will seem remarkably familiar. (Here)
Compliance guidance has a rich history. In the healthcare industry, the 1990s was a robust period for development of the compliance profession. HHS pushed for accountability of corporate boards and senior managers, and the separation of the compliance function from the legal department. Healthcare compliance guidance during the 1990s reflected the influence of the US Sentencing Guidelines with the establishment of seven mandated elements.
At the same time, DOJ continued to advance corporate compliance expectations and requirements with the release of formulaic Deputy Attorney General memoranda (e.g. Holder) on corporate charging policies, eventually resulting in the Filip Memo, and the un-named (Rosenstein) FCPA Corporate Enforcement Policy in 2017.
DOJ’s 2012 FCPA Guidance (with the SEC) was a watershed document — it was the first time that prosecutors explained DOJ’s prosecution strategy, corporate compliance expectations, and provided various hypothetical “safe harbors” for corporate actors who could apply the guidance to engage in conduct that might otherwise be questionable. To this day, the FCPA Guidance stands as the most important corporate compliance guidance for corporations.
Against this backdrop, DOJ and now OFAC have entered the arena again to detail how DOJ evaluates corporate compliance programs and how OFAC evaluates sanctions compliance programs for purposes of the enforcement of sanctions laws and regulations. The question then becomes what is the value of DOJ and OFAC guidance and how should companies approach review of their programs in light of this new information?
Let’s clear the field (as they say on Shark Tank) on this issue.
First, companies would be mistaken if they took the guidance and implemented their programs only in strict accordance to the guidelines.
Second, companies should use the guidelines to inform and learn from as they manage their own corporate compliance programs.
Third, DOJ and OFAC guidance provide important safe harbors for corporations — in other words, DOJ and OFAC guidance provides just what it says — “guidance.” Compliance practitioners can use this guidance to cull out safe harbors and apply them in their day-to-day work.
Fourth, corporate compliance officers have to think beyond DOJ and OFAC guidance and design their programs in reference to the state of the compliance industry, which is fast-moving and robust with innovation and technological capabilities. In other words, think beyond the guidance, think big, and set goals that reflect an industry that has eclipsed the requirements of the DOJ and OFAC guidance.
Compliance programs, like the profession, continue to evolve. Indeed, it is clear that compliance programs with the advent of new thinking, innovative approaches, additional resources and technology are fast eclipsing the basic elements of compliance defined in the guidance.