Designing Compliance: What US Justice Department Guidance Tells Banks
16 Jul 2019

A recent update to the US Justice Department’s guidance on assessing corporate compliance programmes is intended to help federal prosecutors determine when to pursue criminal indictments or prosecution agreements with companies, but that shouldn’t deter compliance professionals from reviewing the document. There are lessons within for heads of compliance and financial crime teams too. 

Most importantly, the guidance can serve as a self-assessment tool for anti-money laundering specialists and others seeking to resolve weaknesses in their firms’ policies and procedures. Such an analysis may help any organisation that transacts with US dollars, given that the DOJ claims criminal jurisdiction over foreign entities that use the world’s strongest currency. What follows is an overview of what the update means for compliance professionals based on three fundamental questions prosecutors are instructed to ask.

Is the programme effectively designed?

This is the first fundamental question a US prosecutor must answer, and in doing so officials must determine whether a corporation’s compliance controls have been properly implemented to prevent and detect regulatory breaches and whether managers at all levels enforce the programme. Few will be surprised to learn that prosecutors must consider whether the programme is designed in such a way that it will probably detect the most likely types of misconduct that may occur given the organisation’s business sector and its regulatory environment. 

Whether policies and procedures effectively demonstrate the organisation’s commitment to comply with all relevant laws and regulations will also be considered. Prosecutors must also evaluate how a company periodically reviews its compliance risks in light of changes in its business sector and legal obligations, including those that pertain to travel and entertainment expenses, gifts, payments to foreign officials, use of agents and political and charitable donations. Naturally, the Justice Department expects that such changes are reflected in corporate compliance programmes. 

US prosecutors must separately assess a corporation’s efforts to communicate regulatory obligations to staff and relevant third parties, including through proper training. This entails not only engaging agents and suppliers when necessary, but also determining whether staff and others have fully understood key compliance requirements. The DOJ expects that all training is “specific” to the role that each person undertakes. It is noteworthy that, when addressing the need for specific training, the department cites “relevant compliance functions”, “high risk and control employees” and “supervisory employees”, thus underlining the importance of these functions and staff. When an organisation operates overseas, the DOJ expects, in appropriate cases, that native languages will be used in training fora and materials. Interestingly, the guidance tasks prosecutors with assessing “whether the corporation’s employees are adequately informed about the compliance programme and are convinced of the corporation’s commitment to it.”  

Whistleblowing procedures and their ability to provide anonymity to staff and others, and independent investigation of such disclosures, are recognised as key elements in an effective programme. Once again, relevant training and communication of whistleblowing procedures are deemed to be crucial to an effective programme.

How corporations manage their risks when dealing with vendors, agents, distributors and other third parties is another consideration for US attorneys. The DOJ expects that an effective programme will address the size and the nature of the transaction as well as the qualifications and associates of third-party agents, including their reputation and relationships with government officials. There must also be a business rationale for using a particular agent.

Prosecutors are asked to examine the contract terms involving agents, including whether there is a specific description of the services to be provided and confirmation that the third party is actually doing the work. DOJ officials may also examine relevant fees to see if they are in line with industry practice. Once the contract has been signed, the DOJ will expect the organisation to conduct ongoing monitoring and risk assessment of its agents, including monitoring compliance with contractual terms. It also expects that an effective programme will include regular exercise of the contractual right of audit. Where “red flags” or issues are detected, their resolution will be assessed, as will any “read across” reviews of agents providing similar services.

In cases when a corporation seeks to acquire or merge with a peer organisation, the prosecutor must review whether the compliance policies require a comprehensive pre-acquisition due diligence examination of the peer organisation to be undertaken in order to determine adherence to relevant legal and regulatory obligations. The resolution of any identified issues will be tracked by prosecutors as will the level of involvement of the compliance function in any due diligence exercise.

Is the programme effectively implemented?

This is the second fundamental question prosecutors are obligated to answer, and it seeks to determine whether the programme is simply a set of policies and procedures that are merely maintained in a compliance manual or whether those policies and procedures are consistently implemented and enforced at all levels throughout the organisation. Once again, the “tone at the top” of the board of directors and the senior executives, both in terms of their words and actions, is recognised as critical to the success of any compliance programme. Middle management plays an equal role in implementation, as recognised by the guidance.

Prosecutors are required to consider the compliance department itself, in terms of both quantity and quality of staff and the authority compliance officers wield within the company. Such matters as the independence of the compliance team should be reviewed, including whether there is a direct reporting line to the board of directors or the audit committee. Equally, a judgement will be needed on the resources available to the team in order to allow them to perform their role properly, which the DOJ suggests is to “audit, document, analyse and utilise the results of the corporation’s compliance efforts.” The ability of the compliance team to conduct effective and independent investigations, with outside assistance, must also be evaluated. The guidance invites prosecutors to view the remuneration of compliance team members relative to that of staff in the rest of the organisation as a gauge for how the firm prioritises its regulatory obligations.

Unsurprisingly, the role of incentives within the organisation should be addressed by prosecutors. A company that rewards its employees with bonuses solely based on meeting financial targets may not be one that shields itself best from criminality. Conversely, prosecutors may more positively view companies that factor good compliance into remuneration decisions.

The guidance instructs prosecutors that an effective programme will have a consistent record of clear disciplinary procedures and dissuasive sanctions against those individuals, regardless of seniority, who infringe compliance procedures and policies. Disclosing sanctions against employees, while maintaining the privacy of specific individuals, will be regarded positively by prosecutors.

Does the programme work in practice?

This final fundamental question addresses whether the programme minimises compliance risks both at the time of the breach and in the future. The guidance places great emphasis on an organisation continually improving, testing and reviewing its programme so that it can effectively respond to previously unidentified issues.  Given the current importance of the “compliance culture” within an organisation, the DOJ will assess how the organisation measures this aspect of culture, how staff at all levels perceive the commitment and how the organisation responds to its findings.

Proper funding to investigate allegations of misconduct on a thorough and timely basis is recognised as a critical factor for having an effective compliance programme. Where misconduct is found, root cause analysis is deemed to be important so that similar issues may be detected across the organisation. The incorporation of a “lessons learned” exercise into the organisation’s training media is also deemed to be a key element of the compliance function. Prosecutors must separately consider whether the revised programme and remediation efforts have been adequately tested in order to prevent similar failures in the future.

Preventing prosecutions

The ability of an organisation to effectively prevent and detect legal and regulatory breaches will help it minimise criminal, civil, financial and reputational risks. Like many criminal and regulatory authorities around the world, the DOJ believes, for a variety of reasons, that “prevention is better than cure”. To support its view, it has provided a “roadmap” to organisations to help themselves.

It is important to note that, by necessity, the guidance addresses US laws only. Users of the guidance should consider important differences between their own local laws and those in the United States. One example is the US Foreign Corrupt Practices Act, which addresses bribery of foreign officials and not private-sector entities. In many developed countries, anti-bribery laws address corruption in both the private and public sector.

The guidance does not adopt “a one size fits all” philosophy in that it recognises that organisations will have different businesses, products, risk profiles, size and geographic reach. Hence, the inherent compliance risks each organisation faces will be unique. Nevertheless, each programme should be well designed, effective and practical. Importantly, the guidance instructs US prosecutors that a material compliance breach does not by itself mean that a programme is ineffective. Rather, they should consider the factors outlined in the guidance in their totality before concluding whether they should bring criminal charges.

Likewise, senior compliance and financial crime staff should carefully review the guidance as a whole so that they can reasonably say they’ve done their best to prevent a material breach.

Denis O’Connor is both a Fellow of the Institute of Chartered Accountants in England & Wales and the Chartered Institute of Securities and Investment. He was a member of the British Bankers’ Association Money Laundering Committee from 2003-10, and a member of the JMLSG’s Board and Editorial Panel between 2010 and 2016.

He has been a frequent speaker at industry conferences on financial crime issues, both in the UK and abroad.

This article is expressing personal opinions and is meant for information purposes only. The article does not intend to replace professional or legal advice. It is recommended that readers seek independent professional or legal advice, or speak to authorised persons/organisations.
