Key Elements of a Top-Notch Compliance Program


  • Top leadership commitment. In some industries, such as consumer finance, top leadership commitment includes approval of entity-wide policies from boards of directors.
  • Compliance coordinator. Companies should identify the team of individuals that will be responsible for regulatory compliance.
  • Transparency. Through various social media platforms, consumers have an immediate voice that can be heard globally, so it is important to build trusting relationships with them.
  • Record-keeping. Keep complete and accurate records about the products you sell and compliance with regulations, including internal policies and procedures.

In this era of increased regulation and transparency, companies must be proactive to ensure regulatory compliance and to protect their brand. To that end, it is important for companies to ensure that they have an effective compliance program. Having a compliance program designed to establish, monitor and maintain protocols for identifying product hazards or noncompliance and regulatory reporting will help improve the ability to identify risks, enhance the ability to defend corporate decisions and minimize the risk of adverse regulatory action.

In today’s global economy, in-house counsel are called on daily to advise clients on regulatory compliance requirements and risks. In this era of heightened regulatory scrutiny and enforcement, in-house counsel are called on to integrate risk management considerations into their business processes. As strategic advisors, in-house counsel play important roles in helping companies assess current practices and think ahead.


Companies should examine their internal product safety and regulatory compliance processes to help ensure that they position the company to identify risks and comply with any reporting obligations in a timely manner. This article will map out key elements of a product safety and regulatory compliance program and will suggest means to proactively design an effective internal program through a list of steps and checklists to equip in-house counsel with the best practices for improving their company’s state of compliance.

Regulatory climate

The number of companies facing regulatory proceedings has been on the rise in recent years. Many observers attribute the upward trend to a stricter regulatory environment and increased scrutiny from a broad range of state and federal agencies. In particular, companies are under increasing scrutiny and government regulation by the US Consumer Product Safety Commission (CPSC) and similar federal regulatory agencies, including the National Highway Traffic Safety Administration (NHTSA) and the Food and Drug Administration. These measures are having a greater financial impact on companies as well.

The past three years have seen an increased amount of rule-making from various federal regulatory agencies. Businesses can expect that the increase in governmental actions will continue in 2015. As we enter a period of continued scrutiny from regulators, we can expect company shareholders and investors to keep a more watchful eye on company activities.

Along with new rules often come new penalties for failure to comply with those rules. Regulatory agencies have increasingly adopted a holistic approach to supervision and focus not only on the outcome, such as a data-security breach or strict compliance with a regulatory requirement, but also on an entity’s internal controls for complying with legal requirements.

Signals from regulatory agencies

Federal regulators have grown increasingly active in recent years in two distinct areas: the ever-larger penalties that agencies seek through civil enforcement, and a greater emphasis on mandatory compliance programs.

In 2014 we saw some of the highest civil penalty assessments in history. For example, as of May 30, the Consumer Financial Protection Bureau (CFPB) had collected more than $139 million in civil penalties in enforcement actions. In FY2013, the Environmental Protection Agency obtained a total of $1.1 billion in federal administrative and civil judicial penalties, primarily due to a record settlement of $1 billion reached with Transocean for the Deepwater Horizon oil spill in the Gulf of Mexico.


The US Department of Transportation’s NHTSA announced in May that General Motors would pay a record $35 million civil penalty and take part in unprecedented oversight requirements as a result of findings from NHTSA’s investigation regarding the Chevrolet Cobalt and the automaker’s failure to report a safety defect in the vehicle to the federal government in a timely manner. This action represents the single highest civil penalty ever paid as a result of an NHTSA investigation of violations stemming from a recall.

As part of the automotive manufacturer’s settlement with NHTSA, it agreed to make significant and wide-ranging internal changes to its process for review of safety-related issues in the United States and to improve its ability to take into account the possible consequences of potential safety-related defects. The manufacturer was assessed additional civil penalties for failing to respond on time to the agency’s document demands during NHTSA’s investigation.

In a press release following announcement of the penalty, US Transportation Secretary Anthony Foxx said, “[s]afety is our top priority, and today’s announcement puts all manufacturers on notice that they will be held accountable if they fail to quickly report and address safety-related defects.” Sending an even stronger message, Secretary Foxx urged Congress to support the GROW AMERICA Act, which would increase the penalties NHTSA could levy in cases like this from $35 million to $300 million.

This action is historic because the provisions of the consent order will be immediately enforceable in federal court if the manufacturer does not fully comply. The consent order’s stated purpose is to hold the manufacturer accountable, push the automaker to make institutional change and ensure that replacement parts are produced quickly and recalled vehicles are repaired promptly.


CPSC penalties continue to increase in amount and frequency. For example, this year, a consumer product manufacturer agreed to pay a $3.1 million civil penalty to the CPSC to resolve CPSC staff’s charges that the firm knowingly failed to report to CPSC immediately, as required by federal law, a defect involving foldaway two- and three-step ladders designed for use in walk-in closets. CPSC staff charged that “the steps could break unexpectedly, posing a fall hazard to consumers.”

The manufacturer filed its report with CPSC on July 29, 2010. At that time, more than 1,200 consumers had returned their ladders to the company, and it had received notice of at least two dozen injuries. On January 20, 2011, the manufacturer and CPSC announced the recall of 38,000 ladders.

Mandatory internal compliance programs

In addition to increasing monetary penalties, some regulatory agencies are requiring companies from various industries to implement and maintain procedures designed to ensure compliance with the statutes and regulations enforced by the particular agency.

In both civil-penalty examples discussed above, the governing agency incorporated internal compliance program requirements into its settlement agreements with the auto manufacturer and consumer-product manufacturer, respectively. As part of its consent order with NHTSA, the auto manufacturer was required to establish a process for employees to report concerns regarding actual or potential safety defects or noncompliance with federal motor vehicle safety standards and provide NHTSA with written documentation describing the process and policy adopted.

The consent order also included provisions for improving employee training and reporting of safety-related defects:

  • [The manufacturer] has initiated efforts to improve employee training regarding proper documentation practices and to encourage discussion of safety issues, including discussion of defects and safety consequences of defects.
  • [The manufacturer] shall improve and implement company processes for the purpose of identifying and reporting safety-related defects more quickly. Such process improvements shall include but not be limited to changes for the purpose of:
    • a. improving ability to analyze data to identify potential safety-related defects;
    • b. encouraging and improving information-sharing across functional areas and disciplines;
    • c. increasing the speed with which recall decisions are made (including by clarifying the recall decision-making process to decrease the number of steps prior to making the final decision of whether to conduct a recall); and
    • d. improving communication with NHTSA regarding actual or potential safety-related defects.

Similarly, as part of its agreement with the CPSC, the ladder manufacturer agreed to maintain and enforce a system of internal controls and procedures designed to ensure that:

  • information required to be disclosed by the firm to the Commission is recorded, processed and reported, in accordance with applicable law;
  • all reporting made to the Commission is timely, truthful, complete and accurate; and
  • prompt disclosure is made to firm management of any significant deficiencies or material weaknesses in the design or operation of such internal controls that are reasonably likely to adversely affect, in any material respect, the company’s ability to record, process and report to the Commission.

Like the auto manufacturer, this company agreed to provide written documentation of such improvements, processes and controls to CPSC staff and to make available all information, materials and personnel deemed necessary by staff to evaluate the company’s compliance with the terms of the agreement.

Mitigating penalties and brand damage

In today’s global marketplace, in response to the increased attention from regulators, companies are reviewing their compliance procedures to ensure that they are prepared for possible regulatory scrutiny. Companies can reduce the risk of noncompliance with reporting obligations and incurring penalties by developing systems for ensuring compliance with agency regulations. A compliance program should be designed to establish, monitor and maintain protocols for identifying noncompliance and reporting to the proper regulatory authority accordingly.

Additionally, companies can learn from the recent settlement agreements what the agencies may expect good compliance programs to include. A program designed to ensure compliance with the safety statutes and regulations should contain:

  • written standards and policies, including one on record keeping;
  • a reporting mechanism for confidential employee reporting of compliance-related questions or concerns to either a compliance officer or another senior manager with authority to act as necessary;
  • effective communication of company compliance-related policies and procedures to all employees through training programs or otherwise;
  • management oversight of compliance personnel; and
  • records retention of all compliance-related records for at least five years and availability of such records to the agency on request.

Companies facing regulatory enforcement action can take steps to mitigate the potential adverse impact. Consider the following four measures:

  • Cooperate: Open cooperation with the regulatory authority can be a factor considered in determining the appropriate penalty to impose, and communicating with the regulatory authority at this point is as important as ever. Request to meet with agency staff in person to respond to issues and inquiries; build a line of communication and establish credibility.
  • Present evidence of a robust compliance system: Presenting evidence such as the type discussed above may also be helpful in mitigating a penalty. If the company can show the regulatory authority that it has good systems in place that it adheres to, even if that system failed in a particular instance that is not likely to be repeated, then a pattern of good-faith efforts toward compliance can be established. If the purpose behind penalties is deterring noncompliance, then there is little use in penalizing a company that maintains rigorous compliance standards and proactively operates in a genuine effort to maintain compliance.
  • Demonstrate a good track record for reporting: A good track record of reporting to the regulatory authority and evidence that the company has incurred no prior penalties for violations are also helpful factors to present.
  • Demonstrate commitment to protecting consumers: In addition, good procedures for, and a good history of, informing the public and those in the chain of distribution in order to eliminate any realized product danger will show a commitment to protecting consumers.

Key components of a robust compliance program

Top leadership commitment

A robust and effective compliance program requires commitment from top leadership and senior management personnel. In some industries, like consumer finance, top leadership commitment includes approval of entity-wide policies from boards of directors. Several federal regulatory agencies have mandated involvement of the board in the assessment and management of risk, whether arising out of a statutory requirement or an operational decision to use a vendor.

To that end, board and management oversight is often a required element of an entity’s compliance management system. For example, the Office of the Comptroller of Currency, CFPB and state attorneys general observed that several mortgage servicers lacked adequate policies and procedures, and many of those that existed demonstrated significant weaknesses in risk management, quality control, audit and compliance practices. As a result, the new mortgage servicing rules under the Real Estate Settlement Act require servicers to adopt policies and procedures concerning borrower interaction and loss-mitigation review. Further, recent CFPB consent orders have found that the supervised entity’s board and senior management exercised ineffective oversight and control over the compliance process. A common element of these consent orders is a requirement for the entity to submit periodic reports to the board or a committee of the board.

Assign senior personnel as compliance coordinator

Companies should identify the team of individuals that will be responsible for regulatory compliance. This compliance team should include the persons responsible for monitoring the compliance program and keeping track of incidents involving the company’s products as well as members of relevant departments within the company, such as product safety, legal, public relations and marketing. A compliance coordinator should lead the team and be responsible for ensuring that compliance policies and procedures are followed.

Assign a senior person in your company to learn your respective regulatory agency’s reporting and other compliance requirements. In the typical case, a company learns about a product-safety issue or noncompliance through a variety of customer interactions that may not have been passed on to one central repository. Whether a company is large or small, information — even bad news — can permanently reside in silos when the people receiving the information don’t appreciate its implication or aren’t aware of related incidents. Without specific training and a robust initiative, employees in the field might receive a customer complaint — perhaps over the phone or in passing during an unrelated conversation — and dismiss it as insignificant, not their responsibility or not serious enough to report.

Teach your team that every product complaint or noncompliance is potentially significant. Every complaint, claim or incident report should be relayed to a central repository, logged and followed up on thoroughly. Be sure to have a trained individual call the consumer to discuss what happened and to make sure your incident report is accurate and that no details have been sugarcoated. Ask for the product to be returned so you can see for yourself what went wrong and determine whether the issue constitutes a substantial product hazard.

Be responsive and transparent with consumers

With the evolution of the Internet and social media, the consumer has an immediate voice that can be heard globally. Suggestions to consider include:

  • Build trusting relationships with key customers prior to issues developing.
  • Respond quickly to concerns or complaints received from customers.
  • Be best-in-class in working with retailers on product recalls, retrievals and other product-safety issues.

Build open and transparent relationships with government agencies

Increasing public scrutiny of regulatory actions forces regulators to be more proactive, aggressive and media-savvy. Knowing how to work within this environment starts with recognizing that there is no greater opportunity to chart a winning strategy — one that protects business objectives, avoids unwarranted regulatory action and halts runaway litigation — than in the first moments of crisis. Government officials are eager for companies to disclose information. The savviest companies use this opportunity to get their message out first, answer critics and prove themselves to be the most credible voice. Not only can proactive, well-crafted disclosure placate regulators — if not turn them into allies — but the company’s regulatory story will also define its closing argument at trial, if needed, years later.

Take the case of one Fortune 500 company that suffered a data-breach incident and failed to notify regulators proactively. Once the regulators learned of the event months after the fact, they launched investigations and levied steep penalties. One year later, the same company experienced another incident. This time, it assembled a multidisciplinary team to proactively engage with regulators and state attorneys general. While the internal investigation was underway, the company kept regulators updated and focused its work on protecting consumers. The regulators responded with a more lenient penalty than the previous year and issued no press release. With regulatory concerns addressed from the start, the company was in a better position to handle the ensuing litigation. This preventive approach has the potential to add credibility and reduce the company’s exposure in the future.

Keep adequate and accurate records

Keep complete and accurate records about the products you sell and compliance with regulations, both federal and internal policies and procedures. In the case of consumer products, this should include sales and purchasing records, test reports, history of complaints, warranty claims, returns and any other relevant information you may have. The information should be stored in a database and easily searchable by the individual you empower to evaluate compliance and report noncompliance to respective agencies.

Evaluate efficacy of compliance programs

Companies often read about someone else’s misfortune without appreciating that the same misfortune can happen to them. For example, Williams-Sonoma has a long history of managing product recalls — so much so that the CPSC recognized its outstanding systems a decade ago. Yet even with a compliance staff, a sophisticated database tracking system and a history of managing recalls effectively, a serious product defect fell through the cracks and cost the company dearly in 2013. Take the time to evaluate your company’s system for evaluating products, for logging and monitoring complaints, returns and claims, and for determining whether any product-related issue or noncompliance has the potential to warrant reporting or corrective action.


A robust compliance program is a necessity for companies today. Counsel should work to develop a plan, communicate internally and examine existing internal safety and regulatory compliance processes to ensure that they position the company to identify risks and comply with any reporting obligations in a timely manner. As applicable regulations and agency enforcement actions change in the jurisdictions around the world where your company does business, you should also consider the need for appropriate changes to the company’s compliance program. Having an internal compliance program designed to establish, monitor, maintain and evaluate protocols for identifying noncompliance and regulatory reporting will help improve defensibility and minimize the risk of incurring penalties.

Further Reading

CPSC Release No. 14-201, June 6, 2014.

See GM NHTSA Consent Order, ¶ 19.

See GM NHTSA Consent Order, ¶ 20.

See GM NHTSA Consent Order, ¶ 21.

The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency each requires the US branches, agencies and representative offices of the foreign banks they supervise operating in the United States to develop written compliance programs that are approved by their respective banks’ board of directors and noted in the minutes or that are approved by delegates acting under the express authority of their respective banks’ board of directors to approve the compliance programs. 71 Fed. Reg. 13936 (March 20, 2006).

See CFPB Compliance Management Review Manual V. 2 (Oct. 2002), p. 36.

In 2002, then-head of the CPSC Ann Brown proclaimed that San Francisco-based Williams-Sonoma was “leading the way on recall effectiveness” as she honored the company with her prestigious Chairman’s Commendation. “Williams-Sonoma has demonstrated their commitment to consumer safety by ensuring that customers were properly notified of a dangerous recalled product,” she said. See “CPSC Chairman Awards Safety Commendation to Williams-Sonoma,” Oct. 17, 2002, CPSC Release No. 02016.