As tough as it can be to implement, our third hallmark of an effective compliance program, ethical due care and due diligence, just makes good business sense.
Today we continue our seven-week blog series on the seven hallmarks of effective compliance programs. If you haven’t already, be sure to read about the first hallmark on written policies and procedures and the second hallmark on program oversight.
If a compliance offense occurs, a common misunderstanding is to consider the whole program ineffective. However, this is not necessarily the case. There’s a reason the Federal Sentencing Guidelines for Organizations (FSGO) are just that – guidelines: regulators recognize that one size does not fit all, that people are fallible and that no program is perfect.
Chapter eight of the guidelines mentions that compliance programs should be designed, implemented and enforced so they are generally effective at preventing and detecting criminal conduct.
“The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct,” the guidelines state.
In fact, if a violation occurs but an organization can demonstrate that it has an effective compliance program, regulators can reward it with up to a 60% reduction in the potential fine. Putting in the effort to establish and enforce an effective compliance program can literally pay off. What regulators really need companies to demonstrate is due diligence.
Hallmark three involves looking for evidence that adequate controls are in place, even if they do occasionally fail. (Week 7 investigates the remediation of failed controls).
While the FSGO states that the entire program should enforce due care, it also emphasizes a focus on vetting persons of authority within an organization.
“The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program,” the FSGO states.
Regulators look for appropriate due diligence around controls and processes that prevent personnel from being involved in illegal or unethical activities on behalf of an organization. A few measures organizations can adopt to remain vigilant include conflict-of-interest training and surveys, appropriate policies and procedures, and rigorous HR background checks.
The difficulty for many organizations is to identify potential conflicts and violations before they occur. To accomplish this, organizations should implement systems that allow employees to feel safe disclosing any conflicts or information that could result in compliance violations.
There have recently been numerous significant high-profile cases involving record-breaking penalties where organizations were found to have had knowledge of violations but failed to self-report them to regulators. For example, one of the world’s largest mortgage lenders recently paid a $1.2 billion settlement for improper mortgage lending it failed to report. While it’s difficult to say exactly how much the company could have saved through self-reporting, the ability to do so and reduce its culpability score by five points could very well have eliminated any potential fines.
While public scandals concerning compliance breaches cast a shadow on any organization, regulators will often remove potential fines and penalties associated with the breach if an organization self-reports. We saw this recently in the new Foreign Corrupt Practices Act (FCPA) policy, which grew out of a positive self-reporting pilot scheme run by the Department of Justice. The pilot program would remove five points from an organization’s culpability score if the organization self-reported an issue. Effectively, this program rewards companies for their due diligence and transparency by potentially removing any penalties or fines.
Due diligence is a tough hallmark to attain. Organizations must first create and maintain a culture of ethics and compliance in the workplace. This culture grows from the implementation of the first two hallmarks – clear written policies and procedures and program oversight. Afterwards, an organization must follow through with its own ethical values and ensure the right personnel and controls are in place to ensure any unethical and noncompliant behavior is identified, reported and remediated.
This can be a difficult task when you consider the difference between a company’s legal and compliance functions in order to achieve proper due care. At times, compliance may have different interests than legal.
“Legal, by definition, may be more interested in protecting the organization,” industry expert Hui Chen states. “Sometimes that protection may be interpreted as ‘We don’t want to know too much,’ whereas compliance always wants to know more. A good compliance function wants to know what happened, how to fix things based on what you learn about what happened and what are the system weaknesses.”
Join us next week as we explore the fourth hallmark of an effective compliance organization – training and communications.