Tone at the Top, Culture of Compliance, and the Yates Memo

CHEAT SHEET

  • Underneath it all. The Yates memo is the latest in a series of efforts by the US Department of Justice (DOJ) to establish individual accountability for corporate wrongdoing.
  • Trickle-down compliance. Compliance begins at the top, and senior management is responsible for conveying it to their employees.
  • Start talking. The new agenda from the DOJ requires full and earnest cooperation and disclosure from a company under investigation if criminal charges are to be avoided.
  • Root out bad apples. The DOJ and their counterparts in many countries exempt companies from liability if they can demonstrate adequate procedures to avoid malfeasance.

Several years ago, while visiting the offices of a US company operating in West Africa, we saw firsthand how a consistent tone from the top can translate into a culture of compliance that extends to even the furthest reaches of an organization. The company had a well-established reputation for safety, the importance of which was regularly emphasized by the company’s senior management. The company’s website and other public materials trumpeted the same message.

However, what impressed us most was seeing the commitment to safety in action. When you got into a company vehicle, the local country driver would not begin driving until you fastened your seatbelt. Later, while we were sitting in a conference room in the company’s offices, a member of the cleaning crew leaned far out of a window to clean the outside of the glass, and the office manager demanded that he stop.

Here was a commitment to safety and a culture of promoting safety in every aspect of the company’s operations that had permeated the entire organization. Moreover, the company’s employees had embraced that culture as a feature of the company’s operations.

Much is written these days about how critical it is for organizations to have a strong tone at the top (assuming that tone is directed at some positive outcome). But the idea is not new. For example, in the seminal Nunn-Wolfowitz Task Force Report on Industry Best Practices Regarding Export Compliance Programs (Nunn-Wolfowitz), the concept of “Management Commitment” is heralded as critical to an effective compliance program. As stated in Nunn-Wolfowitz:

“Virtually all industry representatives and government personnel interviewed … agreed that senior management commitment to export compliance is the single most important aspect of an effective export compliance program.” (emphasis added)

Nunn-Wolfowitz Task Force Report, Page 8

Nunn-Wolfowitz was published in July 2000. And while the genesis of Nunn-Wolfowitz — and the work done by the Task Force that generated it — was to identify best practices for export compliance, the recommendations of the report are useful across disciplines. Said another way, the CEO’s tone from the top message, whether about safety, export compliance or another necessary function of the business, cannot simply be a pro forma statement. The CEO and company management must own the statement and drive its effective performance. How the CEO and company management “live” that statement, and hold their respective subordinate teams accountable for upholding it, determines whether the company accomplishes what the CEO said was “important.”

While it is well established that a proper tone at the top is central to a good compliance program, it can be very difficult for senior managers to maintain that tone. And even if the tone at the top is consistent, it can be challenging to create an overall culture of compliance that adheres to the message being delivered by senior management.

This article provides some suggestions on how leaders can establish an effective tone at the top, and leverage that tone to instill a strong culture of compliance. Robust compliance is essential in the context of the current, vigorous enforcement environment, not least because many governments recognize that an effective compliance culture and program can be a mitigating factor if penalties are to be imposed. Moreover, senior corporate officials have an added incentive to develop and maintain an effective tone at the top in light of the Yates Memorandum, which was released by the US Department of Justice (DOJ) in September 2015, and emphasizes the DOJ’s intention to pursue individuals for corporate wrongdoing.

Government enforcement

Effective compliance has increased in importance because governments all over the world are enforcing their laws so aggressively. Penalties have been enormous and, in some respects, have become the measure of regulatory effectiveness. Just in trade compliance, the headlines have regularly touted fines in the hundreds of millions of US dollars (for example, in the case of Alstom, Kellogg Brown & Root, and Siemens for violations of the Foreign Corrupt Practices Act (FCPA)) and even in the billions (BNP Paribas and HSBC for violations of economic sanctions and anti-money laundering laws).

As these settlements demonstrate, companies must beware: Four of the five settlements mentioned above were between the US government and non-US companies. In fact, most of the major FCPA and sanctions settlements in recent years have involved the US government taking action against a non-US party, though often with cooperation from the government of the country in which the non-US defendant resides. It therefore seems safe to conclude that, regardless of where you are doing business, the requirement for effective compliance as a function of a successful business is not going to change.

In addition, individuals are increasingly facing meaningful fines and, even more seriously, prison sentences. For instance, Albert “Jack” Stanley, formerly the CEO of Kellogg Brown & Root, received a prison sentence of more than two years for his role in a massive bribery scheme in Nigeria. Stanley also had to pay restitution of more than US$10 million. Kellogg Brown & Root also paid a penalty, as did several of its partners in the scheme. The total amount paid was more than one billion US dollars.

And it is not just in the United States that prison sentences can be — and are being — imposed. In May 2014, Nazir Karigar was sentenced to three years in prison under Canada’s Corruption of Foreign Public Officials Act. Mr. Karigar reportedly offered bribes to officials at Air India and other members of the government of India in an effort to win a contract to provide biometric security systems.

Notably, while the bribery scheme was apparently not successful, the mere effort to make the bribes triggered liability.

Apart from penalties, companies are regularly required to introduce specific compliance measures as part of their settlement commitment. In a number of cases, the settling company has been obligated to engage a compliance monitor or consultant who has a reporting obligation to the government.

For example, in July 2015, international construction and engineering firm Louis Berger entered into a deferred prosecution agreement with the DOJ pursuant to which the firm paid a fine of more than US$17 million for violations of the FCPA. At least as onerous was that the company had to engage a compliance monitor at its own expense for a period of three years. The imposition of a monitor is both extraordinarily expensive — running into millions of US dollars — and extraordinarily disruptive to the conduct of the ongoing business.

The DOJ also required Louis Berger to take a number of specific compliance measures; in fact, one attachment to the deferred prosecution agreement lays out in great detail the particular steps the company must take to bolster its compliance program. Interestingly, the DOJ has taken a stab at helping Louis Berger maintain a strong tone at the top and develop an effective culture of compliance: among other things, the company is required to “ensure that its directors and senior management provide strong, explicit, and visible support and commitment to their corporate [compliance] program.” At least as of July 2015, this appears to be the DOJ’s attempt to articulate what an appropriate tone at the top looks like. But is this enough?

According to publicly available information, Louis Berger paid bribes totaling close to US$4 million to foreign officials in order to obtain lucrative government contracts. For anyone interested in the DOJ’s current thinking about what an effective compliance program should include, we would encourage you to spend some time lining up Attachment C to the Louis Berger deferred prosecution agreement against your organization’s compliance program.

Government guidance

In November 2012, the DOJ and the Securities & Exchange Commission (the SEC) published A Resource Guide to the U.S. Foreign Corrupt Practices Act (the FCPA Guide). The FCPA Guide provides extensive detail about the statute and how it has been interpreted, as well as information about past enforcement actions. It also includes guidance on compliance best practices.

With respect to developing and maintaining an effective tone at the top, the FCPA Guide states the following:

“Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company. Managers and employees take their cues from these corporate leaders. Thus, DOJ and SEC consider the commitment of corporate leaders to a “culture of compliance” and look to see if this high-level commitment is also reinforced and implemented by middle managers and employees at all levels of a business …”.

In short, compliance with the FCPA and ethical rules must start at the top. The DOJ and SEC thus evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.

The US Department of Commerce Bureau of Industry & Security (BIS), which administers controls on exports of US commercial items, takes a similar position. In its guidance on maintaining an effective compliance program, BIS indicates that “Management Commitment” to compliance is the first priority.

Further, the UK Bribery Act specifically exempts organizations from liability based on actions by the organization’s employees if the organization maintains “adequate procedures designed to prevent [employees]” from engaging in bribery. Establishing a culture of compliance is of course going to be an essential part of implementing and maintaining such “adequate procedures.”

Where the rubber really hits the road is the US Sentencing Commission Guidelines (the Guidelines). Under the Guidelines, the fact that an organization maintained an effective compliance program is a mitigating factor when a monetary penalty is imposed against that organization. (DOJ operates under the Guidelines; although BIS and OFAC do not, they also generally view the existence of an effective compliance program as a mitigating factor in penalty determinations.)

The US Sentencing Commission is an independent agency in the judicial branch of government. Among other things, the Commission establishes sentencing policies and practices for the federal courts, including guidelines to be consulted regarding the appropriate form and severity of punishment for offenders convicted of federal crimes.

According to the Guidelines, an effective compliance program is “reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct.” Such a program, the Guidelines suggest, would typically include the following elements:

  • Standards and procedures to prevent and detect criminal conduct.
  • A governing authority that (1) is knowledgeable about the content and operation of the compliance and ethics program and (2) exercises reasonable oversight with respect to the implementation and effectiveness of the program.
  • High-level personnel within the organization have overall responsibility for the compliance and ethics program.
  • Specific personnel have day-to-day operational responsibility for the program, including adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

In addition to these specifics, the Guidelines’ recipe for an effective compliance program includes the organization promoting “a culture that encourages ethical conduct and a commitment to compliance with the law.” As to developing this culture, the Guidelines suggest that the organization should “communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program … by conducting effective training programs and otherwise disseminating information.” And, the Guidelines emphasize, the organization needs to “have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.”

The flip side of these requirements is what the Guidelines say an organization should not do: The organization “shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.”

This is strong stuff. In fact, for purposes of developing the appropriate tone at the top, this is arguably the most important takeaway from the Guidelines. The suggestions the Guidelines make about characteristics that a successful compliance program should have are all valuable — but they are steps that many organizations already take. It is frankly rare at this point to encounter an international company that does not have a code of conduct or a code of ethics, often buttressed by specific policies or procedures that address particular operational areas.

What is notable about this instruction is that the Guidelines seem to recognize that a single bad actor — or even potentially bad actor — can undermine all the good that an otherwise strong program does. If personnel see, in the senior ranks of the company, an employee who is known or perceived to be ethically challenged, it will be difficult to convince them that the company really is committed to compliance.

Government enforcement authorities certainly take the same view. Which leads to the Yates Memorandum.

The Yates Memorandum

On September 9, 2015, Deputy US Attorney General Sally Yates issued a memorandum to all US attorneys regarding individual accountability for corporate wrongdoing (the “Yates Memo”).

The point of the Yates Memo is clear: While the DOJ will continue to pursue companies for corporate wrongdoing, it will simultaneously pursue charges against individual employees. According to the Yates Memo, “[b]ecause a corporation only acts through individuals, investigating the conduct of individuals is the most efficient and effective way to determine the facts and extent of any corporate misconduct.”

And who is the ultimate target of these efforts? Corporate executives. The DOJ understands that lower-level employees facing individual civil or criminal liability are likely to cooperate against their superiors, thereby facilitating DOJ’s ability to obtain information necessary to prosecute individuals further up the corporate ladder.

The Yates Memo outlines six key principles intended to strengthen the DOJ’s pursuit of individual corporate wrongdoing:

  1. To be eligible for any cooperation credit in a criminal or civil matter, a corporation must identify all individuals involved in or responsible for the misconduct at issue, regardless of their position, status, or seniority, and provide the DOJ all facts relating to that misconduct.
  2. Criminal and civil corporate investigations should focus on individuals from the inception of the investigation.
  3. The DOJ’s criminal and civil attorneys handling corporate investigations should be in routine communication with one another.
  4. Absent extraordinary circumstances or approved DOJ policy, the DOJ will not release culpable individuals from civil or criminal liability when resolving a matter with a corporation.
  5. DOJ attorneys should not resolve matters with a corporation without a clear plan to resolve related individual cases, and should memorialize any declinations as to individuals in such cases.
  6. Civil attorneys should consistently focus on individuals as well as the company and evaluate whether to bring suit against an individual based on considerations beyond that individual’s ability to pay (e.g., the seriousness of the conduct, past misconduct, whether it is actionable, the burden of proof, and federal resources and priorities).

Regarding the first principle, importantly, companies are required only to cooperate “within the bounds of the law and legal privileges.” This means that, among other things, companies are not required to waive the attorney-client and work-product privileges; indeed, under current DOJ policy, DOJ attorneys cannot even ask a company to waive privilege in criminal investigations.

The fifth principle may represent a significant change in overall DOJ practice (although the principle was doubtlessly already being applied in many cases). Among other things, this fifth principle may force prosecutors to bring more criminal cases against individuals than they otherwise would, resulting in an increase in both indictments and trials.

The extent to which the Yates Memo represents a substantial policy change for the DOJ, as opposed to a confirmation of existing practices, remains to be seen. It also remains to be seen how meaningfully the memo will impact enforcement efforts going forward.

Recommendations

In light of the Yates Memo, and governments more generally focusing on penalizing individual wrongdoers, organization leaders should be ever more engaged in promoting compliance.

There is no one formula for establishing the right tone at the top and ensuring that it filters down to facilitate an effective culture of compliance. Nonetheless, all organizations seeking to strengthen their compliance efforts should consider the following:

A clear statement and demonstration of management commitment. Policy statements and other written communications are of course useful, but it can be particularly valuable to have senior leaders emphasize compliance in personal appearances and meetings. Encourage the CEO to attend a sales meeting and share a vignette about a recent enforcement action, or have the COO do the same at a meeting of the marketing team. And urge senior managers to attend internal compliance training meetings. This is hopefully self-perpetuating in that it gets senior leaders to complete training on time or even early, which helps get other personnel to attend and complete training themselves, and so on.

Empower senior staff to become compliance champions. While it is essential to have executive leaders promote compliance, senior staff also need to be empowered — and required — to take a leading role in the compliance effort. Even the most vigorous chief executive officer can only reach a small portion of an organization; she or he must have dedicated, empowered lieutenants to help spread the message. Both for efficiency and for strengthening compliance, it can make sense to task managers to conduct compliance training for personnel over whom they have responsibility. This further empowers these managers and helps ensure that the personnel who work with and for them see the boss as a compliance advocate.

Embed compliance in business processes. Similar to points one and two above, managers need to address the issue of compliance during business reviews, especially before opportunities are bid, to ensure the appropriate compliance checks have been made. This should be no different than evaluating the other business fundamentals of the opportunity, and it should not add too much time if done right. Many questions that go to the business case for a particular acquisition or transaction also go to the legal and risk assessment of a deal.

More fundamentally, business and compliance personnel need to know and trust each other. Go to lunch or grab a drink together so that, under the time and pressure constraints of a deal, a rapport and sensitivity to each other’s concerns are already in place.

Train personnel. Many companies have effective training programs for many of their employees. (Directors should get educated on a regular basis, too.) Often, however, the fewest training resources are dedicated to the employees — and third party representatives of the company — that create the most risk. Compliance problems often arise furthest from the center of the organization, for instance, in a foreign subsidiary where none of the employees have been to the home office. Frequently these personnel receive training online, often in English, which may not be their first language.

In these cases, in-person training may be more needed. Yes, the cost might be higher, but the risk is higher too. In accordance with point two, it may be possible to reach employees located outside the company’s home office location in person, through having trusted local managers deliver training.

Engage personnel. One way to promote compliance is to bake it into employees’ responsibilities. This can be done in a medley of ways: have personnel conduct training, require business and marketing personnel to take the lead on compliance due diligence, take business or marketing people on compliance audits, and other steps. Again, the goal is to ensure that compliance pervades the organization and its operations. Making more employees a part of the compliance effort helps ensure that compliance remains front of mind while employees engage in their regular day-to-day work.

Reward compliance successes — visibly. The rewards that can be given — an extra vacation day, a gift card, a bottle of wine or a membership in a beer of the month club — are limitless. Anything that is consistent with the organization’s normal practices will work. But here’s the key part: make the reward visible. The goal is not only to reward someone for their commitment to compliance, but also to make sure that other personnel see the extent to which the organization values compliance. At one company, the CEO announces rewards for compliance successes so that both the recipient and the compliance message get maximum visibility.

Penalize compliance mistakes — visibly. Just as in the case of compliance successes, personnel who make compliance mistakes need to be penalized. A rule of reason prevails of course — the details of a minor, inadvertent violation need not be emblazoned across the organization’s intranet. But by the same token, when a mistake is made, the employee who makes the mistake needs to be made aware that such missteps are not acceptable. Remedial training may often be warranted, and in some cases, formal discipline including termination will be advisable. A reasonable interpretation of the Yates Memo is that it will have a tangible impact on personnel decisions within organizations. Take advantage of mistakes to distribute lessons learned, or offer guidance to personnel who may encounter the same situation.

Note that in some states the company may still have a defense obligation to the terminated employee under the state corporation code. And as we are not employment lawyers, we strongly suggest conferring with the Human Resources Department and / or your employment lawyers when contemplating and meting out employee discipline!

Further Reading

See Core Elements of an Effective Export Compliance Management Program; see also OFAC’s Economic Sanctions Enforcement Guidelines.

See UK Bribery Act at Sec. 7(2).

See Guidelines at § 8C2.5, pursuant to which an organization’s culpability score can be reduced significantly if the organization maintained a compliance program in accordance with Guidelines § 8B2.1.


The authors would like to thank the many lawyers in Bass, Berry & Sims’s Compliance & Government Investigations Practice Group for their valuable input, especially with respect to developing and refining our description of the Yates Memorandum (see Section III, infra) and our compliance recommendations (see Section IV, infra).