Tuesday, May 5, 2020

Ateneo Law Entrance Exam Reviewer free essay sample

Corporate Compliance Answer Book. book Page 29 Thursday, June 17, 2010 4:20 PM

2 Implementation of Effective Compliance and Ethics Programs and the Federal Sentencing Guidelines

Steven D. Gordon*

How should a company go about designing and implementing a compliance program? While other chapters address the specifics of compliance programs in particular industries, this chapter considers issues relating to designing and implementing compliance and ethics programs generally.

The biggest influence on the design and implementation of a compliance program is guidance from the U.S. Sentencing Commission contained in the Federal Sentencing Guidelines that apply to companies convicted of federal criminal offenses. The Sentencing Guidelines set standards that have become the norm for virtually all companies, even though relatively few will ever be prosecuted or convicted. In fact, the most useful benefit from using the Guidelines to design and implement a compliance and ethics program is that it can help companies avoid investigations and convictions in the first place.

In addition to complying with the Sentencing Guidelines, if the company is publicly held, it must comply with the Sarbanes-Oxley Act of 2002. And if the company is a federal government contractor or subcontractor, the Federal Acquisition Regulation (FAR) comes into play. Other compliance requirements apply to other industries. Fortunately, these various guidelines and requirements do not conflict and, instead, tend to complement each other.

* The author wishes to acknowledge Jennifer Dure, Michael Manthei, Christopher A. Myers, and Jonathan Strouse for their contributions to this chapter.

Sentencing Guidelines Basics
Components of an Effective Compliance Program
Designing and Implementing a Compliance Program
Relevant Factors and Considerations
Requirements; Risk Areas
Code of Conduct
Compliance Program Administration
Training
Audits
Reporting Systems/Whistleblowing/Non-Retaliation
Rewards/Discipline

Sentencing Guidelines Basics

Q 2.1 What are the Federal Sentencing Guidelines?

Since 1991, the sentencing of corporations and other business entities convicted of federal criminal offenses has been governed by the Federal Sentencing Guidelines (“Sentencing Guidelines”), established by the U.S. Sentencing Commission. These Sentencing Guidelines were mandatory, but in 2005, the Supreme Court ruled that it is unconstitutional to apply them in mandatory form. The Court left them intact as voluntary guideposts that federal courts should consult but are not bound to follow.1

In addition to providing guidance on how convicted companies should be sentenced, the Sentencing Guidelines also contain detailed guidance from the Sentencing Commission on what it means to have an “effective” compliance and ethics program. This guidance, contained in chapter eight of the Guidelines Manual,2 is used by hundreds of companies to design and implement their compliance programs and is also the standard used by many government agencies to evaluate company compliance and ethics programs.

Q 2.2 How do the Sentencing Guidelines relate to an effective compliance program?

A company convicted of a federal offense is eligible for a reduced sentence under the Sentencing Guidelines if it has an effective compliance and ethics program and the offense occurred despite the program.3 The Sentencing Guidelines spell out the basic elements of an effective compliance program.4 Additionally, a prosecutor might exercise his or her discretion not to bring criminal charges if the company has a compliance program that meets the Sentencing Guidelines’ requirements.

Q 2.2.1 Why should my company care about the Sentencing Guidelines if it conducts business honestly and is unlikely ever to face criminal prosecution?

If the business is a corporation, its management probably has a duty to ensure that the business has an adequate compliance program. The Delaware Chancery Court, in the leading Caremark decision,5 held that corporate management has such a duty under Delaware law in light of the Sentencing Guidelines. Also, having an effective compliance program can show that the corporation was not at fault if an employee does engage in criminal or unethical conduct.

Even ethical companies get investigated. In the event of an investigation, enforcement authorities will look at a variety of factors to determine whether there has been wrongdoing, who is at fault, and whether to bring criminal, civil, administrative, or no claims against the company. Among the most significant factors influencing these decisions is whether the company has a compliance program that meets the Sentencing Guidelines’ requirements.

Components of an Effective Compliance Program

Q 2.3 What policies and procedures should my company implement to meet the Sentencing Guidelines’ requirements?

You are required to have written standards and procedures. After performing a thorough assessment of your company’s legal, compliance, and reputational risks, you should create policies addressing those risk areas. The number and types of standards and procedures a company requires depend on a number of factors, including the industry in which the company operates.

Q 2.3.1 What are the elements of an effective compliance program that will satisfy the Sentencing Guidelines?
The Sentencing Guidelines state that the two fundamental elements of an effective compliance and ethics program are:

(1) exercising due diligence to prevent and detect criminal conduct; and
(2) otherwise promoting an organizational culture that encourages ethical conduct and a commitment to compliance with the law.6

Q 2.3.2 What specific steps must our company take to create an effective compliance program?

The Sentencing Guidelines provide that, at a minimum, a company must do the following in order to have an effective compliance and ethics program:

(1) Establish standards and procedures to prevent and detect criminal conduct.
(2) Ensure that the company’s governing authority (board of directors, etc.) understands the content and operation of the program and exercises reasonable oversight with respect to its implementation and effectiveness. Specific senior manager(s) shall have overall responsibility to ensure the implementation and effectiveness of the program. Specific individuals shall be delegated day-to-day operational responsibility for the program and shall be given adequate resources and authority. They shall report periodically to senior management and shall have direct access to the board of directors or a subgroup thereof.
(3) Keep bad actors out of managerial ranks (or other key positions). Reasonable steps should be taken to screen out persons whom the company knows, or should know through the exercise of due diligence, to have a history of engaging in illegal activity or other misconduct.
(4) Take reasonable steps to communicate periodically and in a practical manner its standards and procedures to its officers, employees, and, as appropriate, its agents, by conducting effective training programs and otherwise disseminating information.
(5) Take reasonable steps to (a) ensure that the program is followed, including using monitoring and auditing to detect criminal conduct; (b) evaluate periodically the program’s effectiveness; and (c) have a system whereby employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation (although a mechanism for anonymous reporting is not required).
(6) Promote and enforce the program through appropriate incentives and disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.
(7) Take reasonable steps to respond appropriately to criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the compliance and ethics program.7

Q 2.3.3 Is there a standard compliance program that most companies can use?

No. There is no “one-size-fits-all” solution. The Sentencing Guidelines recognize that an effective program must be tailored to the particular company. The Sentencing Guidelines require a company to engage in periodic risk assessments in designing, implementing, and modifying its compliance and ethics program.8 Each company must examine the nature of its business and its own prior history to determine what sorts of criminal conduct pose the greatest risk, and then take steps designed to prevent and detect such misconduct.

For example, if your company employs sales personnel who have flexibility in setting prices, you must have established standards and procedures designed to prevent and detect price-fixing. If you employ sales personnel who have flexibility to represent the material characteristics of a product, you must have established standards and procedures designed to prevent fraud.
Your company should prioritize the risks that you face in terms of the severity of the criminal conduct and its likelihood of occurring, and tailor your compliance and ethics program accordingly.9

Designing and Implementing a Compliance Program

Relevant Factors and Considerations

Q 2.4 Are industry practice and standards considered in assessing the effectiveness of a compliance program?

Yes. The Sentencing Guidelines recognize that the particulars of an effective compliance and ethics program are likely to be affected by applicable industry practice or the standards called for by any applicable governmental regulation. For publicly traded corporations, applicable governmental regulations would include the requirements of the Sarbanes-Oxley Act of 2002. A company’s failure to incorporate and follow applicable industry practice or to comply with applicable government regulations will weigh against a finding that its compliance program is an effective one.10 For healthcare companies the Department of Health and Human Services, through its Office of Inspector General, has issued a number of very specific compliance program guidances targeting specific business sectors such as hospitals and pharmaceutical manufacturers.

Q 2.4.1 Does the company size matter?

Size is a relevant factor in structuring a compliance and ethics program. A large company generally should devote more formal operations and greater resources to its program than a small company.

Q 2.4.2 What are the differences between compliance programs for large companies and small companies?

• The governing authority in a small company may directly manage the compliance and ethics efforts.
• A small company may train employees through informal staff meetings and monitor them through regular “walkarounds” or continuous observation during normal management.
• A small company may use available personnel, rather than separate staff, to carry out the compliance and ethics program.11

Requirements; Risk Areas

Q 2.5 When it comes to putting a compliance program together, where do we start?

A first step is to determine whether the compliance program must satisfy the mandates of the Sarbanes-Oxley Act12 in addition to the Sentencing Guidelines. Sarbanes-Oxley, if applicable, imposes fairly detailed requirements that focus on the company’s internal control over financial reporting and its disclosure controls and procedures. A good compliance program should also address the prevention of other employee misconduct that may impose civil liability on the company or that may victimize the company itself.

The foundation for designing a good compliance program is to identify the principal risks of misconduct that must be safeguarded against. This is a task that requires input from counsel and senior management. The effectiveness of the compliance program likely will be directly proportional to the time and effort invested in designing it.

Q 2.5.1 What are the most common risk areas that we may need to address in our compliance program?

Consider the following fifteen areas:

1. Accounting practices. Sarbanes-Oxley has made internal control over financial reporting and disclosure controls and procedures the foremost risk area for every public company. It also spells out in detail the procedures that must be used to address this risk area. Private companies must also protect against the risk that an officer or employee may “cook” or alter the books in order to boost performance or hide problems.
Common examples include improper revenue recognition, intentional overstatement of assets, or understatement of liabilities, as well as false entries to cover up employee embezzlement and theft, or expenditures for improper or illegal purposes such as bribes.

2. USA PATRIOT Act. The PATRIOT Act aims to cut off sources of financing for terrorists by strengthening anti-money laundering laws. The PATRIOT Act greatly expanded the definition of “financial institutions” covered by anti-money laundering laws to include not only banks, savings associations, and credit unions, but also securities broker-dealers; investment companies; hedge funds; commodities brokers; mutual funds; issuers or redeemers of travelers checks; operators of credit card systems; insurance companies; telegraph companies; loan or finance companies; automobile, airplane, and boat dealers; real estate brokers; persons or companies involved in real estate closings and settlements; currency exchanges; money transmitters; pawn brokers; travel agencies; dealers in precious metals, stones, or jewels; and casinos.13

The PATRIOT Act requires that “each financial institution shall establish anti-money laundering programs” unless the Treasury Department issues a specific exemption. These programs must include written policies and procedures; a designated compliance officer; employee training; and periodic auditing and monitoring.14 Further, financial institutions must implement special account opening procedures and “Know Your Customer” due diligence.15 In addition, banks, securities broker-dealers, money services businesses, and casinos are required to file reports of suspicious transactions with the Treasury Department’s Financial Crimes Enforcement Network.16 Finally, all persons (not only financial institutions) who receive in excess of $10,000 in cash in one transaction, or two or more related transactions, in the course of their trade or business are required to file a currency transaction report.17

3. Conducting business with suspected terrorists. Following the September 11 attacks, Executive Order 13224 mandated creation of a list of persons, entities, and groups believed to be connected with terrorism. This order bans anyone in the United States from conducting any business with any person, entity, or group on the list, which is maintained by the Treasury Department’s Office of Foreign Assets Control (OFAC).18 The OFAC list is constantly updated and now is quite lengthy, consisting of thousands of names, aliases, and “doing business as” designations. Businesses, particularly those with some international component, must ensure that they are complying with the provisions of the Executive Order. Specifically, before entering into or continuing any financial relationship, businesses should check the identities of existing and potential clients and customers against the latest OFAC List.

4. Conflicts of interest; corporate opportunities. Conflicts of interest are an issue for every company. The code of ethics mandated by Sarbanes-Oxley specifically requires a company to promote the ethical handling of actual or apparent conflicts of interest between personal and professional relationships.19 Common breeding grounds for conflicts of interest include employee relationships with the company’s suppliers and outside employment.

The corporate opportunity doctrine forbids employees, officers, and directors of a company from (i) taking for themselves personally opportunities that are discovered through the use of corporate property, information, or position; (ii) using corporate property, information, or position for personal gain; and (iii) competing with the company. Analytically, this doctrine is a subset of conflicts of interest. The New York Stock Exchange (NYSE), however, has proposed to amend its rules so that each issuer listed on the Exchange would be required to adopt a code of conduct that addresses, under separate headings, both conflicts of interest and corporate opportunities.20 Further, Sarbanes-Oxley, in order to strengthen protections against conflicts of interest, prohibits public companies from making personal loans to any director or executive officer.21

5. Bribes, kickbacks, improper payments, inappropriate gifts. Improper payments to government officials are a potential issue for many companies, especially if the government is a customer or if the business is subject to significant government regulation. Giving bribes or gratuities to U.S. government officials is prohibited by federal law,22 and bribery of foreign government officials is prohibited by the Foreign Corrupt Practices Act.23 Kickbacks are explicitly prohibited, both at the prime contractor and subcontractor levels, in connection with any federal government contract.24 Kickbacks also are prohibited in exchange for the referral of business for which payment is made under federal healthcare programs, such as Medicare and Medicaid.25 In addition, a number of states have criminal commercial bribery statutes that prohibit payments to influence the conduct of an agent or employee with respect to the affairs of the agent’s employer.26

6. Antitrust issues. Antitrust issues such as price fixing, collusive bidding, and market allocation are a concern in many industries.
7. Confidential information and trade secrets. For many companies, protection of confidential information and trade secrets is a significant issue. In the healthcare industry, protection of individual health information is critical. Often such information may be a key company asset and, under Sarbanes-Oxley, the safeguarding of company assets is one of the elements of internal control over financial reporting.27 In order to protect its proprietary data and trade secrets, a company must take the requisite steps to preserve confidentiality. At a minimum, this includes reminding employees, during the course of their employment and upon their departure, of their continuing duty to safeguard such information. In addition, written confidentiality agreements may be desirable.

Further, companies must ensure that they do not become liable for misappropriating trade secrets belonging to their competitors or third parties. Employees should be warned against acquiring a competitor’s confidential or trade secret information—and against bringing such information with them from a prior employer when they join the company.

8. Product safety. If the company manufactures or processes tangible products, especially consumer goods, then product safety may well be a key risk area. Indeed, in highly regulated industries that implicate public health and safety, such as food and drugs, product safety is likely to be the single most important risk issue. Where public health and safety are implicated, defective products may trigger strict criminal liability for the company as well as its senior managers.28

9. Workplace safety. In industries such as manufacturing, construction, or extraction of natural resources, workplace safety may be a significant issue.

10. Environmental issues. For many businesses, compliance with environmental laws is a significant concern. Some environmental statutes are drafted in such sweeping terms as to create something approaching strict criminal liability in the event of a violation.29

11. Government contracts issues. As detailed in chapter 15 on government contractors, new mandatory compliance and ethics program requirements went into effect on December 12, 2008, for many government contractors and subcontractors. The new requirements amend the Federal Acquisition Regulation (FAR) and are modeled to a large extent on the Federal Sentencing Guidelines criteria for effective compliance and ethics programs.30 In addition to the specific elements of a compliance and ethics program that must be implemented, the new FAR provisions also require mandatory reporting of violations of federal criminal law, violations of the civil False Claims Act, and “significant” overpayments.

Companies engaged in contracting with the federal government are especially vulnerable to liability for business misconduct. A number of statutes impose civil liability upon government contractors for engaging in fraudulent conduct or failing to comply with applicable procurement and contracting rules.31 Further, an array of criminal statutes may be applied to contractors who engage in fraud or other misconduct.32 The most common types of fraud encountered in government contracting include defective pricing, cost mischarging, product substitution, progress payment fraud, antitrust violations, kickbacks, bribery, gratuities, and conflicts of interest.33

12. Insider trading. Another risk for publicly held companies is that directors, officers, or employees may engage in insider trading in the company’s shares.
The NYSE considers this risk so significant that it identifies insider trading as one of the issues to be addressed by the code of conduct it has proposed for listed companies.34

13. International business practices. U.S. laws that may create significant risks for companies engaged in international business include export control laws and the Foreign Corrupt Practices Act (FCPA). Export control laws and regulations prohibit the export of certain commercial products, strategic goods, defense articles and their related technologies, and the furnishing of defense services, unless licensed by the appropriate federal agency—either the Department of Commerce or the Department of State. Note that an “export” can occur anywhere when equipment or technical data is released or made available to a foreign person, whether within the United States or abroad.

The FCPA prohibits bribery in the conduct of business abroad. In general, the FCPA prohibits corrupt payments to foreign officials or political parties (whether made directly or through intermediaries) for the purpose of obtaining or keeping business.35

14. Employee relations. Discrimination and harassment issues are a concern for virtually all employers. Federal statutes and regulations forbid discrimination in the workplace based on race, color, sex, religion, national origin, marital status, age, or disability.36 Discrimination or harassment can subject a company to civil liability for compensatory damages and, in cases involving malice or reckless indifference, to punitive damages as well.37

15. Other issues. There are a number of additional issues that are less common but very significant to particular businesses or industries.
Certain highly regulated industries, such as banking and healthcare, face numerous compliance risks that derive from the specialized laws and regulations that govern their conduct. Other businesses, though not highly regulated, may have particular attributes that create significant compliance risks. For example, marketing organizations are vulnerable to charges of fraudulent sales techniques. Compliance programs must be designed to combat these risks.

Code of Conduct

Q 2.6 Is a code of conduct a required part of a compliance program?

A code of ethical conduct is a centerpiece of a compliance program. The Sentencing Guidelines and Sarbanes-Oxley now make a code of ethics virtually mandatory for all companies. Furthermore, both the NYSE and NASDAQ have proposed rules that would mandate that listed companies adopt codes of business conduct and ethics.38 Sarbanes-Oxley effectively requires every publicly traded corporation to adopt a code of ethics that applies to its principal executive officer, principal financial officer, principal accounting officer or controller, or persons performing similar functions.39

Q 2.6.1 What are the legal requirements for a code of conduct?
Sarbanes-Oxley mandates that the code consist of written standards that are reasonably designed to deter wrongdoing and to promote:

(1) honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships;
(2) full, fair, accurate, timely, and understandable disclosure in reports and documents that a registrant files with, or submits to, the SEC and in other public communications made by the registrant;
(3) compliance with applicable governmental laws, rules, and regulations;
(4) the prompt internal reporting of violations of the code to an appropriate person or persons identified in the code; and
(5) accountability for adherence to the code.40

The Sentencing Guidelines impose more general requirements for a code of conduct. They require that the company establish standards and procedures to prevent and detect criminal conduct, and take reasonable steps to communicate periodically and in a practical manner its standards and procedures to all employees and agents by conducting training programs and otherwise disseminating information.

Q 2.6.2 What are the elements of a good code of conduct?

A corporate code of ethical conduct should accomplish several distinct, but related, objectives:

1. Address, in a direct, practical manner, the compliance risk issues that are relevant to the particular company. The code should alert employees to the principal risks and spell out their duty to avoid them. Some of the most effective codes follow up their discussion of the relevant standards with sample questions and answers applying the standard(s) to common situations that employees are likely to encounter.

2. Identify the personnel who administer the company’s compliance program, from the senior executive(s) in charge of the program down through any lower-level contact personnel. In addition, the code should outline the system for reporting suspected misconduct. Employees and agents must be able to report or seek guidance regarding potential or actual criminal conduct without fear of retaliation. Furthermore, it is desirable (and sometimes required) that the system permit confidential, anonymous reporting.41 The code should state unequivocally that any employee may contact compliance personnel to discuss potential violations of the code without fear of retribution and, if applicable, that anonymous reporting is an option. The code should encourage employees to contact compliance personnel whenever an ethical issue arises and they are uncertain about whether or how the code applies.

3. Announce that employees who violate code provisions will be sanctioned for their misconduct, indicating the range of sanctions that may be applied. The sanctions may range from a reprimand for minor or unintentional violations up to termination for cause for serious violations. The Sentencing Guidelines note that disciplinary actions sometimes may need to be taken not only against the actual offender but also against individuals who fail to take reasonable steps to prevent or detect the misconduct.42 Thus, the code should also state that an employee who witnesses a violation and fails to report it may be subject to discipline, as may a supervisor or manager to the extent that the violation reflects inadequate supervision or lack of diligence.

4. Be distributed to all company employees and agents in writing and/or by making it available on the company’s website. Many companies require that employees certify that they have received and read the code of conduct. Some companies make this an annual ritual. Such certifications can provide useful evidence of the company’s good faith and diligence if an issue ever arises. However, the certifications can end up undercutting the company’s position if they are incomplete or out of date. Thus, if a company decides to utilize employee certifications, it must diligently monitor them to ensure that they are complete and up to date.

Q 2.6.3 How many codes of conduct should a company have?

Sarbanes-Oxley mandates a code of ethics only for a select group of senior corporate officials: a company’s principal executive officer, principal financial officer, principal accounting officer or controller, or persons performing similar functions. In contrast, the Sentencing Guidelines and the proposed NYSE and NASDAQ rules require a code that is broadly applicable to a company’s officers, employees, and (as appropriate) agents.

For most companies, it would seem simplest to have only one code of conduct that applies to all officers, employees, and agents, and that either applies the Sarbanes-Oxley standards to all such persons, or else “adds on” the specific Sarbanes-Oxley requirements for the specified senior officers who are subject to them. Multiple codes of conduct applicable to different groups of officers and/or employees are likely to breed problems for the company.

Compliance Program Administration

Q 2.7 How do we administer and enforce a compliance program?

1. Establish comprehensive written policies and procedures that implement the Code of Conduct and that address the specific risk areas you have identified.

2. Conduct effective training programs and otherwise disseminate information about the compliance program to officers and employees.

3. Establish and publicize a system for reporting violations.
