Proponents of corporate compliance programs loudly sing their praises while detractors point to ceaseless prosecutions and a parade of civil suits—often resulting in multi-billion dollar verdicts or settlements—as evidence that they are ineffective. So, are corporate compliance programs a panacea or a pretext? The truth lies somewhere in between.
As a threshold issue, corporations are for-profit institutions. Indeed, most corporations have a mandate to maximize profit for shareholders. This can encourage senior management to operate in grey areas, and regulators may later deem their actions (and board oversight of such actions) to violate a wide array of laws. Second, formalistic compliance programs are not enough to ensure internal reporting of potential fraud and are not enough to inspire companies to take appropriate corrective actions. Instead, as set forth below, companies must take steps to ensure effective implementation of compliance programs and foster a culture of corporate compliance.
The countervailing factors that motivate officers and directors to engage in or acquiesce to fraudulent conduct or, alternatively, devise and implement an effective compliance program warrant in-depth treatment in a standalone piece. Here, I turn to answering the specific questions posed with these general principles in mind.
Question 1: Do corporate compliance programs actually suppress information from regulatory oversight?
Response: Yes, often appropriately. But meritorious—and sometimes non-meritorious—allegations of misconduct tend to get reported externally where internal responses are inadequate or the company has not created a culture of compliance and reporting.
Recent reports, compiled through surveys of hundreds of senior executives from a broad range of industries, indicate that roughly two-thirds of United States companies are affected by fraud. Costs to companies, including reputational damage, can be substantial as can costs associated with remediation and investigation of fraudulent practices.
Internal reporting programs such as corporate compliance hotlines represent a company’s first line of defense against corporate fraud. Internal whistleblower hotlines are a key component of a company’s anti-fraud program: where such hotlines are implemented, tips are typically the most common method of detecting fraud. Moreover, the Sarbanes-Oxley Act (“SOX”), international guidelines from the European Union, and the U.S. Federal Sentencing Guidelines have deemed hotline reporting programs a good and necessary business practice. At the same time, internal compliance hotlines serve to screen out frivolous and baseless claims.
In my experience counseling and defending large corporations on employment matters and corporate compliance, reports to company ombudsman, managers, or human resources and compliance personnel often lack merit or do not implicate fraud. Employees often file malicious or fictitious complaints against fellow employees or the organization to ward off pending termination or to seek revenge for perceived slights. But treating employees with respect, even in these situations, can dissuade employees from unwarranted external reports.
Unfortunately, despite strong incentives to self-report credible evidence of wrongdoing, companies may conceal such evidence. Like companies, whistleblowers have incentives under various statutory regimes to report internally. For example, under the SEC whistleblower program established by the Dodd–Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) in 2010, a whistleblower’s participation in internal compliance systems will generally increase an award and interference with or bypass of those systems can decrease an award. A whistleblower who reports conduct to the SEC within 120 days of reporting internally will also receive credit for any information the company later self-reports to the SEC.
In our experience, external reporting typically follows internal reporting when an employee felt the company response was not adequate. As of 2014, 80% of company insiders who reported potential misconduct to the SEC first raised their concerns internally to compliance personnel or their supervisors. Likewise, Guttman, Buschner & Brooks attorneys have represented countless whistleblowers bringing cases under the False Claims Act and have helped recover billions of dollars on behalf of federal and state governments. In our experience, these whistleblowers typically reported internally first and only sought representation after the company responded inadequately or dismissed concerns as “this is the way we do business.” Thus, while corporate compliance hotlines and related reporting mechanisms serve as the first line of defense against fraud, the False Claims Act, Dodd-Frank and other whistleblower protection statutes effectively incentive employees to report fraud externally when a company’s response has been ineffective or where a company has not created a culture where employees feel comfortable reporting misconduct internally.
Companies are most likely to dissuade external reporting by creating and implementing effective compliance programs as well as self-reporting credible allegations of misconduct. Such self-reporting may also result in cooperation credit. Indeed, on September 9, 2015, Deputy Attorney General Sally Yates issued a memo instructing the DOJ to seek individual accountability from individuals perpetrating wrongdoing in the course of fighting corporate fraud and misconduct. The memo was sent to every United States Attorney, the Assistant Attorney General heading up each DOJ division, the Director of the Executive Office for United States Trustees, and the Director of the FBI.
Consistent with the Yates directives, we have seen renewed focus on individual accountability in the False Claims Act cases we have litigated alongside the government over the past year. This has manifested in the government’s decision to name individual executives as defendants in complaints in intervention, the structure of settlements, and a myriad of other ways.
In keeping with its renewed focus on individual liability, the Yates memo articulated several changes to DOJ policy regarding the definition of “cooperation credit” for corporations. These changes are applicable to criminal as well as civil enforcement matters. Corporations historically have received and continue to receive more favorable settlement terms when the government concludes they provided material cooperation with respect to a government investigation. But companies have struggled to understand what it means to “cooperate” in a post-Yates world.
In a September 27, 2016 speech, Principal Deputy Associate Attorney General Bill Baer provided some insight as to what such cooperation now entails, highlighting the importance of prompt and material assistance. Merely responding to a subpoena or civil investigative demand (“CID”) will not qualify as cooperation. Rather, a company hoping to obtain cooperation credit is expected to provide specific information about any and all employees involved in wrongdoing that is unknown to DOJ and that materially assists in its investigations. Thus, while meritless claims not implicating fraud are properly vetted and disposed of through company screening without ever coming to the attention of government regulators and investigators, an effective compliance program will also develop mechanisms to affirmatively identify and provide material information to regulatory agencies investigating the company.
Question 2: Do corporate compliance programs create an environment where employees are led to believe that wrongdoing in the corporate environment is implausible because a compliance program exists?
Response: No. But implicit or explicit directives from management can lead to false beliefs that particular actions comport with the law.
A corporate compliance program should and generally does sensitize employees to the fact that wrongdoing isplausible. A strong compliance program often identifies the relevant laws applicable to an employees’ day-to-day activities and may include fact patterns the company has identified as violative of relevant laws. For example, compliance training for pharmaceutical sales representatives is likely to and should inform employees that promoting off-label uses of company drugs can be deemed to be a violation of the Federal Food, Drug, and Cosmetic Act and likewise expose the company to liability under the False Claims Act.
Having said that, we have represented relators in False Claims Act cases in which company management has been warned by its own third-party regulatory consultants that certain conduct and types of interactions with physicians is proscribed. These companies have nonetheless directed such conduct in business plans, training documents, and other written directives to sales representatives. Similarly, employee performance reviews may—in writing—encourage conduct that is deemed by the government to be unlawful. Managers may also encourage such conduct when accompanying employees on sales detailing visits.
Thus, the existence of written policies and a compliance program does not itself create an environment where employees believe wrongdoing is implausible. But written directives, communications, and training by management can cause employees to believe that particular conduct is appropriate and in conformity with stated company policies and cause them to ignore other signs or evidence that such conduct is—in fact—unlawful.
Question 3: From a practical viewpoint, what kind of corporate compliance programs work better than others?
Response: Corporate compliance programs that incorporate the principles of communication, responsiveness, and transparency
Above all, compliance programs should be transparent and comprehensible to employees (and management), and the goals of enforcement mechanisms should be clearly communicated. Measures also must be implemented to ensure prompt and efficient responses to allegations of corporate wrongdoing. How this manifests will vary from industry to industry and company to company. It largely depends on the service or product a company offers, specific rules and regulations that govern the company, the size and geographic breadth of a company, and a myriad of other factors.
In addition to general principles of communication, responsiveness, and transparency, certain key factors tend to underlie effective compliance programs:
1. Guidelines: companies should have explicit guidelines that instruct employees how to perform their jobs in a legal and ethical manner, including training programs, codes of conduct, and written performance standards.
2. Surveillance: companies should have official policies and procedures that detail the manner in which they will monitor employees and how (and to whom) employees can report wrongdoing.
3. Sticks and Carrots: companies should identify and implement sanctions for wrongdoing as well as rewards in the form of promotions and positive reviews for demonstrated competence and compliance with company guidelines. A program can be well-drafted on paper but useless in practice if a company does not punish misconduct or reward behavior it wishes to incentivize.
4. Leadership: it is not enough to have formal procedures in place to foster compliance. The “water cooler” conversation and conduct of top-level management are equally important. The “tone at the top” and informal communications as set by leadership behavior is critical, but it is equally critical for top management to monitor and instill the same behavioral norms in middle management.
5. Independence of compliance personnel. Local management are rarely trained as investigators, and may be part of the problem. Likewise, local human resources personnel may appear to employees to be aligned with management and unlikely to take employee concerns seriously, disincentivizing employees from raising concerns about potential misconduct. Accordingly, effective compliance programs often provide mechanisms for employees to report concerns to independent third parties (such as ombudsmen) specifically trained in addressing employee concerns. Depending on the nature of the complaint, legal personnel, compliance officers, or human resources personnel may need to become involved after the initial investigation has begun.
Corporate compliance programs play an important role in modern corporate governance. But they are only as good as management’s commitment to effective resolution of employee concerns and implementation of corrective action when credible misconduct has been identified. Companies have strong incentives to get it right.