Elizabeth Simon (elizabeth.simon@coxinc.com) is the Immediate Past Chair of the Atlanta Compliance & Ethics Roundtable, a Regent Emeritus of the Association of Certified Fraud Examiners, and the Director of Ethics & Compliance at Cox Enterprises Inc. in Atlanta, Georgia, USA.
Looking back on 2019, you can’t help but notice how many major events have happened. From the many different guidance documents issued to the many enforcement actions taken, 2019 was a monumental year for compliance. If you haven’t used some of the guidance to shape your compliance program already, it’s time to do so now. A gap analysis of your program’s elements against the different guidance documents would be highly recommended as you work toward improving your compliance program.
A brief history of compliance
Internal compliance programs are not a new phenomenon. The first in-house compliance programs started emerging in innovative public companies in the mid-1970s. Three big events kick-started the compliance profession during that time: the establishment of the Environmental Protection Agency, the establishment of the Drug Enforcement Administration, and the passage of the Foreign Corrupt Practices Act (FCPA).
Over the past five decades, the compliance industry has evolved based on guidance that has been published by the Department of Justice (DOJ), enforcement actions, and legislation. The first major guidance that helped define a robust compliance program came out in 1991 with the updated Federal Sentencing Guidelines (FSG).[1] Those guidelines spelled out, in the definition section, the elements of a robust compliance program, which became the foundation for the compliance industry of today.
Since then, other major legislation and published guidance memos have expanded compliance programs and mandated certain elements that were previously thought of as simply encouraged, not compulsory. For example, the Sarbanes-Oxley Act of 2002 and the Dodd-Frank Act of 2010 have formed the requirements around whistleblowers and helped establish anonymous whistleblower hotlines at most companies. In 2015, the Yates Memo brought individual liability for corporate actions to the forefront of compliance professionals’ minds. The Benczkowski Memo of 2018 defined the standards for corporate monitors when companies were found to have deficient compliance programs. In 2017, DOJ issued their first corporate compliance guidance that was to apply across all types of cases in which the Criminal Division would get involved. This guidance was updated in 2019.
New compliance guidance in 2019
In 2019, three separate guidance documents were released by various authoritative bodies: DOJ Criminal Division’s Evaluation of Corporate Compliance Programs guidance (Criminal Division guidance),[2] the Department of the Treasury Office of Foreign Assets Control’s guidance on compliance (OFAC guidance),[3] and the DOJ Antitrust Division’s Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (Antitrust guidance).[4] Each is reviewed in detail in Table 1.
An additional guidance document was issued discussing how corporations can obtain cooperation credit during False Claims Act cases.[5] While this document did not specifically spell out what a compliance program should look like, it did state that remediation that occurs after an issue has been identified will be taken into consideration. It states, “Under the policy, the Department of Justice will take into account corrective action that a company has taken in response to a False Claims Act violation. Such remedial measures may include undertaking a thorough analysis of the root cause of the misconduct, appropriately disciplining or replacing those responsible for the misconduct, accepting responsibility for the violation and implementing or improving compliance programs to prevent a recurrence.” This emphasizes the importance of a robust compliance program that can put controls in place to correct issues and prevent them from happening in the future.
