The United States Sentencing Commission[1] has recently submitted to Congress extensive amendments to the Federal Sentencing Guidelines applicable to organizations, expanding what is meant by an "effective compliance program" to prevent and detect violations of law (the "Guidelines").[2] Demonstrated adherence to the Guidelines is one of two factors that can mitigate the potential fine range for an organization's violation of federal law (in some instances up to 95%).[3]
While the Guidelines address criminal enforcement penalties, we believe that they provide a meaningful blueprint for the kind of effective compliance program that is likely to result in mitigation of fines and penalties in civil actions brought by the Securities and Exchange Commission and other regulators.[4]
The following summarizes the key elements of the Guidelines as they apply to a public company. (The Guidelines also apply to other forms of organization, including private companies and not-for-profit institutions.) The Sentencing Commission's proposals will become effective on November 1, 2004 if Congress does not take affirmative action prior to that date. No such action is anticipated.
Elements of an Effective Compliance Program
The Guidelines expand definitions and identify minimum requirements for concluding that an organization has an effective compliance and ethics program ("CEP") sufficient to reduce the "culpability score" applied in determining sentencing guideline penalties. Much of the new material is intended to reinforce the intent of other federal legislation and rules adopted in recent times that address the conduct of organizations.
Broadly, the Guidelines state that to be "effective" the CEP must require the organization to:
- exercise due diligence to prevent and detect criminal conduct, and
- promote an organizational culture that encourages ethical conduct and a commitment to compliance with law.
More specifically, the Guidelines require that the organization take the following actions, which, for convenience, we have grouped in four categories:
Creation and Oversight
Standards and procedures. Establish standards and procedures to prevent and detect criminal conduct and communicate those standards and procedures in a practical, periodic manner to all employees, directors and, as appropriate, agents of the corporation.
Board oversight. Require a "governing authority" (i.e., the board of directors) to be knowledgeable about the content and operation of the CEP and to exercise reasonable oversight of its implementation and effectiveness.
Executive management responsibility. Charge all "high-level personnel"[5]with responsibility to ensure effectiveness of the CEP, and assign specific individuals among them with overall responsibility for the CEP.
Delegated operational responsibility standards. Delegate day-to-day operational responsibility to specific individuals provided with (i) adequate resources, (ii) appropriate authority and (iii) direct access to the board (or a subcommittee thereof). In addition, persons with day-to-day operational responsibility are required to report periodically to executive management and, as appropriate, the board (or a subcommittee), at least annually, on the effectiveness of the CEP.
Operation
Meaningful training. Conduct effective training programs for and otherwise disseminate information to members of the board, high-level personnel, "substantial authority personnel"[6] and employees appropriate to the respective roles of the individuals, and, as applicable, to the corporation's agents.
Facilitate reporting of criminal conduct. Operate and publicize a system for employees to report and seek guidance regarding actual or potential criminal conduct without fear of retaliation, which can include anonymous and confidential reporting mechanisms as permitted by law. [7]
Incentives and disciplinary action. Promote and enforce the CEP consistently throughout the corporation through appropriate incentives as well as appropriate disciplinary measures for engaging in or failing to detect or prevent criminal conduct.
Ongoing Evaluation
Monitor, audit and evaluate. Take reasonable steps to ensure that the CEP is followed, specifically including monitoring and auditing to detect criminal conduct, and periodic evaluation of the CEP's effectiveness.
Ongoing risk assessment and adjustments. Periodically engage in assessment of the risk of criminal conduct and take steps to design, implement, and modify each of the foregoing elements of the CEP to reduce the risk of criminal conduct identified in the assessment process.[8]
Collateral Action
Due diligence in hiring and promotion. Make reasonable efforts, based on due diligence, to exclude from its "substantial authority personnel" individuals who have engaged in illegal activities or conduct inconsistent with an effective CEP.[9]
Criminal conduct response mechanics. When criminal conduct is detected, take reasonable steps to respond appropriately and to prevent similar conduct, including making necessary modifications to the CEP to address any systemic shortcomings.
Export CEP norms. Promote the adoption of compliance and ethics programs by smaller organizations, including those with which the organization conducts or seeks to conduct business.
The Guidelines do not offer precise details for implementation of a CEP. Instead, they are designed to encourage flexibility and independence by the organization to adopt programs and practices that fit the particular circumstances of the organization. Based on these principles, the Guidelines contemplate that "best practices" and industry-specific practices have and will continue to develop over time.
[1] The United States Sentencing Commission is an ongoing independent agency in the judicial branch created by the Sentencing Reform Act provisions of the Comprehensive Crime Control Act of 1984.
[2] Seven key criteria of an effective compliance program are identified in the commentary to the Guidelines but upon amendment will be codified in the text of the Guidelines themselves.
[3] Fine ranges are based on the seriousness of the offense and culpability. Seriousness is reflected by the greatest of pecuniary gain, pecuniary loss or the guideline offense fine table. Four factors increase culpability: (i) involvement in or tolerance of criminal activity, (ii) prior violations, (iii) violation of an earlier order and (iv) obstruction of justice. Two factors mitigate culpability: (i) an effective compliance and ethics program and (ii) self-reporting, cooperation or acceptance of responsibility.
[4] The Sentencing Commission makes it clear that an effective compliance and ethics program not only will prevent and detect criminal conduct, but also should facilitate compliance with all applicable civil and criminal laws.
[5] High-level personnel are individuals with substantial control or a substantial role in making policy within an organization (e.g., a person in charge of a major business or functional unit).
[6] Substantial authority personnel are individuals (not necessarily a part of management) who exercise a substantial measure of discretion within an organization (e.g., a person who exercises substantial supervisory authority).
[7] The Guidelines recognize the inherent value and limitations of such arrangements and therefore leave substantial flexibility to conform and implement a system that is best suited to the culture of the organization and conforms to applicable law.
[8] Organizations must periodically assess the nature, severity and likelihood of occurrence of criminal conduct to more effectively allocate compliance and ethics resources to areas of greatest need.
[9] The relatedness of any illegal activities to the responsibilities assigned to the individual need to be considered, which permits looking at how recently the illegal conduct took place.