The U.S. Department of Justice’s Criminal Division recently released an update to the guidance document “Evaluation of Corporate Compliance Programs.”
Immediately thereafter, the Department of the Treasury’s Office of Foreign Assets Control published “A Framework for OFAC Compliance Commitments,” which provides guidance on effective sanctions compliance programs. The OFAC is the primary federal agency that enforces economic and trade sanctions.
Updated DOJ Guidance
The updated DOJ guidance covers various compliance program expectations and threshold questions that prosecutors ask while evaluating whether to initiate criminal charges against an offending corporation. In many respects, the new guidance mirrors factors considered by many a Federal Trade Commission (FTC) attorney when investigating violation of consumer protection laws and considering enforcement against Internet marketers and data-driven businesses.
First, whether the corporations compliance program is well designed.
The “critical factors in evaluating any program are whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct.”
Accordingly, prosecutors examine “the comprehensiveness of the compliance program,” ensuring that there is not only a clear message that misconduct is not tolerated, but also policies and procedures – from appropriate assignments of responsibility, to training programs, to systems of incentives and discipline – that ensure the compliance program is well-integrated into the company’s operations and workforce.
The starting point for a prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.
Prosecutors consider whether the program is appropriately “designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business” and “complex regulatory environment.” For example, prosecutors consider whether the company has analyzed and addressed the varying risks presented by, among other factors, the location of its operations, the industry sector, the competitiveness of the market, the regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, gifts, travel, and entertainment expenses, and charitable and political donations.
Prosecutors also consider “the effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment” and whether its criteria are “periodically updated.”
Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area. Prosecutors therefore consider, as an indicator of risk-tailoring, “revisions to corporate compliance programs in light of lessons learned.”
Organizations should address risks in written compliance policies and procedures with an experienced FTC attorney, ensuring clearly communication to employees and relevant third parties. Periodic compliance training and an investigation process are crucial to mitigate exposure.
Second, whether the compliance program is implemented effectively.
It is the DOJ’s perspective that effective compliance begins with a culture of compliance established by management. DOJ tends to review efforts taken by company leaders to encourage legal compliance, punish wrongdoing and document corporate compliance.
Third, whether the compliance program works in practice.
Prosecutors evaluate how a corporate compliance program works while deciding whether criminal charges are warranted. Companies are expected to employ compliance audits and update risk assessments. Investigations and remedial structures should be effective and the results well documented.
OFAC Compliance Framework
The OFAC’s framework encourages companies to implement tailored risk-based sanctions compliance programs. At OFAC’s discretion, those with such programs may be eligible for reduced monetary penalties.
The framework identifies five key components, including management commitment, risk assessment, internal controls, testing and auditing, training.
Takeaway: Both the updated DOJ guidance and the OFAC framework provide meaningful insight into how companies should design and implement compliance programs. The DOJ and OFAC also recognize that compliance will vary from company to company, and industry-to-industry. Performance marketers should take notes as the considerations outlined by the DOJ and OFAC are strikingly similar to issues considered by the FTC and state attorneys general when evaluating wrongdoing and potential civil liability..
Contact the author at email@example.com in order to discuss recent trends in advertising compliance enforcement policy, or if you are the subject of an FTC investigation (CID) or enforcement action. You can also follow FTC lawyer on National Law Review.
Richard B. Newman is an FTC compliance lawyer and Internet marketing attorney at Hinch Newman LLP.
Attorney advertising. Informational purposes only. Not legal advice.