An Open Letter to the US Department of Justice Criminal Division


Dear US Department of Justice Criminal Division,

On behalf of the compliance and ethics community, I write to applaud you for the publication of the Evaluation of Corporate Compliance Programs (ECCP). It sets forth sound criteria by which compliance and ethics programs can and should be evaluated in the context of a criminal investigation into allegations of corporate wrongdoing. And, as I’m sure you’re aware, it serves as a useful guidance document to compliance and ethics officers as well as conscientious business professionals desiring to implement an effective compliance and ethics program.

I also thank you for the very thoughtful update to the ECCP published in June 2020. The expansion of ECCP sections regarding risk assessments, policies and procedures, training and communications, confidential reporting structures and investigations processes, third party management, and other key internal controls is very well done. A fair application of the ECCP in making charging decisions will reward companies that have made responsible investments in their compliance and ethics programs.

From a compliance officer’s point of view, the most important part of the ECCP is Section II. B. Autonomy and Resources. In this section, you rightly observed that a compliance and ethics program’s “[e]ffective implementation ... requires those charged with a compliance program’s day-to-day oversight to act with adequate authority and stature.” The ECCP further instructs prosecutors to evaluate “whether those responsible for compliance have: (1) sufficient seniority within the organization; (2) sufficient resources, namely, staff to effectively undertake the requisite auditing, documentation, and analysis; and (3) sufficient autonomy from management, such as direct access to the board of directors or the board’s audit committee.”

The ECCP’s generalized areas of inquiry regarding a compliance officer’s autonomy and resources are well suited for the purpose of evaluating compliance programs in businesses of varying size and sophistication. But given the seemingly endless parade of companies caught engaging in systemic corporate corruption, I think it would be beneficial to further amend the ECCP to be more prescriptive by describing for prosecutors and the regulated community the attributes of a model compliance program as they relate to the compliance officer’s position and role in the corporate hierarchy. To do so, you need only consult the boilerplate language you routinely include in corporate integrity agreements (CIAs):

[T]he Compliance Officer shall be an employee and a member of senior management of the company; shall report directly to the Chief Executive Officer of the company; and shall not be, or be subordinate to, the General Counsel or Chief Financial Officer or have any responsibilities that involve acting in any capacity as legal counsel or supervising legal counsel functions for the company.

[T]he company shall appoint a Compliance Committee. The Compliance Committee shall, at a minimum, include the Compliance Officer and other members of senior management necessary to meet the requirements of this CIA (e.g., senior executives of relevant departments, such as sales, marketing, legal, medical affairs/medical information, regulatory affairs, research and development, human resources, audit, finance, manufacturing, and operations). The Compliance Officer shall chair the Compliance Committee and the Compliance Committee shall support the Compliance Officer in fulfilling his/her responsibilities (e.g., shall assist in the analysis of the company’s risk areas and shall oversee monitoring of internal and external audits and investigations).

Taking this CIA language into account, in your next ECCP iteration, I ask that you supplement Section II. B with the following language:

In a model compliance and ethics program the company’s CCO should:

  1. Be an independent member of the corporation’s senior management team;
  2. Report directly to the CEO and the board of directors;
  3. Not be legal counsel or supervise legal counsel functions for the company; and
  4. Chair a compliance committee comprising senior management that shall support the compliance officer in fulfilling his/her responsibilities (e.g., shall assist in the analysis of the company’s risk areas) and shall oversee monitoring of internal and external audits and investigations.

Such an amendment to the ECCP would further your goal of encouraging firms to adopt an enterprise risk management model that effectively detects and prevents criminal conduct. It would also serve as another arrow in the quiver of compliance and ethics professionals fighting in the trenches for improved corporate governance. However, it will likely take much more than such an ECCP amendment to induce widespread adoption of such a compliance program architecture. Old habits die hard, and persuading senior corporate management to loosen their grip on power and submit to the continuous and independent scrutiny of a compliance officer is a very hard sell.

Since your next ECCP amendments may be in the distant future, one thing you could do to accelerate the adoption of model compliance and ethics programs in the near term is to begin a dialogue with environmental, social, and governance (ESG) rating agencies. Since a significant fraction of the investment community relies on ESG rating agencies in making investment decisions, directors and corporate executives work hard to get high marks. Currently, the “business ethics” component of ESG rating agency evaluations is fairly superficial and is generally limited to a determination of whether firms have a hotline and a code of conduct. If you could persuade ESG rating agencies to supplement their evaluation criteria to include the four program attributes in the proposed ECCP amendment above, this would likely cause many publicly traded companies to adopt your recommended governance model.

Thank you again for publishing the ECCP and the 2020 amendments. Regardless of whether you implement my recommendations, as a compliance professional, investor, and consumer, I ask that you continue to use your clout to induce firms to improve their capacity to manage their legal and ethical risks and reduce the prevalence of corporate corruption.