In March of this year, Assistant Attorney General Kenneth Polite, from the Criminal Division of the United States Justice Department, made a speech for his colleagues. The contents of this speech are still unknown to many executives and professionals in the legal and compliance areas, but has brought a very interesting new obligation:
1.2. DIRECTOR AND CHIEF COMPLIANCE OFFICERS WILL HENCEFORTH CERTIFY THAT (I) THE COMPANY'S COMPLIANCE PROGRAM IS REASONABLY DESIGNED AND IMPLEMENTED SO AS TO DETECT AND PREVENT BREACHES OF LAW, AND IS FUNCTIONING EFFECTIVELY, AND (II) ALL COMPLIANCE REPORTS SUBMITTED DURING THE TERM OF THE RULE ARE TRUE, ACCURATE, AND COMPLETE (IN THIS CASE, WHEN MONITORS ARE NOT ENFORCED).
Kenneth Polite's career, by the way, is very prolific: he has been a prosecutor, defense attorney and even worked as Chief Compliance Officer at Entergy Corporation, one of the 500 largest companies ranked by the Fortune magazine. Kenneth graduated in Arts at Harvard University, in 1997, and in Law at Georgetown University, in 2000.
Polite is actually the successor to Brian Benczkowski, which distinguished himself with the guidelines sent to US Justice Department prosecutors establishing key performance indicators (KPIs) that should be considered when examining compliance programs of companies under investigation.
Due to his close contact with compliance in the past, Polite demonstrated the relevance of corporate cultures supported by a solid compliance program, making it clear that his goal is not to increase the number of companies assessed or sued, but rather to work fostering strong controls to detect and prevent misconduct, through solid Compliance programs; after all, among the main attributions of a compliance program is to prevent crimes.
Polite has also made it clear that he expects companies to implement compliance programs that: (i) are well designed, (ii) are adequately resourced and empowered to function effectively, and (iii) work in practice.
With respect to the design of compliance programs, Polite stressed that the company's process for assessing risks and building a program tailored to manage its specific risk profile should be closely examined. It should be verified whether the company has implemented policies and procedures designed to address key risk areas identified in its risk assessments, and that these policies and procedures are easily accessible and understandable to the company's employees and business partners. Equally, it should also be verified whether the company is training employees, managers, and third parties on the risk areas and responsibilities applicable to these individuals.
Policies, training, and other processes must address relevant high-risk elements of the company's business model, such as third-party relationships or mergers and acquisitions. Also, whether a process has been established for reporting breacher of law or company policy that encourages employees to speak up without fear of retaliation, and that such reports are taken seriously, properly documented, investigated, and remedied.
With respect to resources, budget, headcount, and reports should not be the only concern, but also the qualifications of those who occupy the main compliance functions in the companies. Furthermore, whether these professionals have access and are able to establish adequate engagement with the business, management, and the board of directors. In addition, the culture of compliance must permeate everyone, especially upper and middle management.
As for the evidence that compliance programs work in practice, this can be seen in effectiveness tests and continuous improvement to ensure sustainability and adaptation to changing risks. An effective manner to prove this effectiveness is to see if the company can identify gaps in its compliance program and work to address them.
Another important point in Polite's speech was the role of monitors appointed by the US Justice Department, considered effective tools to strengthen corporate compliance programs in companies with weaknesses that resulted in criminal conduct. Companies have the right to appoint three monitors to the Criminal Division, which defines the choice.
Polite also drew attention to the renovation of the former Strategy, Policy, and Training Unit of the Fraud Section in the Corporate Enforcement, Compliance, and Policy (CECP) Unit, which now has the participation of prosecutors and former compliance and defense attorneys with deep experience in compliance, monitorships, and corporate enforcement matters. CECP establishes questions and polls to investigate compliance programs, offers training on compliance issues and enforcement for prosecutors within and outside the Fraud Section, in addition to working on policy issues.
As for the innovation with regard to certification, as mentioned above, Polite makes it clear that compliance functions must have true independence, authority and stature within the company, and that this step will ensure that Compliance Officers receive all relevant information and can express any concerns they may have prior to certification.
Polite ends with a sentence for reflection: “Support your compliance team now or pay later.”