In March 2022, Assistant Attorney General Kenneth Polite announced that the Justice Department’s Criminal Division will “consider requiring both the Chief Executive Officer and the Chief Compliance Officer to certify at the end of the term of [all corporate resolutions] that the company’s compliance program is reasonably designed and implemented to detect and prevent violations of the law … and is functioning effectively.”
As DOJ’s first compliance counsel expert, I worked on scores of corporate resolutions and monitorships. As a compliance professional, I have worked for and with companies under resolution and monitorships. As a researcher, I have examined how corporate compliance is measured.
These experiences have given me reasons for concern regarding this new requirement, as well as words of caution to compliance officers who are expected to make these certifications.
What Is the Standard?
The most fundamental concern is the absence of any objective standards or metrics to measure what “reasonably designed and implemented to prevent and detect violations of law” means.
If we think of corporate criminal conduct as cancer in an organization and the compliance requirements in the resolutions as treatments for that cancer, what the DOJ is asking the CEO and CCO to certify is that the organization is now in remission. When an oncologist pronounces a patient to be in remission, they do so after performing tests and scans and comparing the results against data from empirical studies and the patient’s medical history—blood cell counts, the rate and speed of tumor shrinkage, etc.
In compliance, we have no such evidence-based data. We do not even have uniform tests and scans, nor do we have consistent ways to account for the profiles of different industries and companies.
For example, we have no standards on risk calculation methodologies to perform an audit of high-risk transactions (the compliance equivalent of a scan). Is “high risk” the same for a small architecture firm and a global pharmaceutical giant, or for antitrust and trade compliance? How does a total-population audit compare to a sample-based audit? What exception rate range would indicate a program’s “reasonable” ability to detect violations?
In the absence of these basic standards, how can anyone responsibly pronounce remission?
Opinions Can Differ
The lack of objective standards or metrics means there is no basis for weighing different opinions. If the company’s CEO and CCO are willing to certify their program, but the prosecutors disagree, by what standards are they to “overrule” the certification?
Indeed, I once consulted on a case where the monitor’s reports gave me serious concerns about the company at the end of its monitorship. The monitor, however, was willing to certify the company’s compliance program.
The monitor’s certification made it difficult—if not impossible—for the prosecutors to dispute the adequacy of the company’s compliance program. If and when a company’s CEO, CCO, and its friendly monitor are willing to certify a compliance program that prosecutors find inadequate, how would the difference of opinion be settled? If they litigate, by what standard would a court make the determination?
Conflicted Compliance Officers
Polite hoped the certification requirement would “further empower” CCOs. Having served as a compliance officer in three global companies under resolution agreements, as well as having worked with scores of compliance officers at companies under resolutions, I fear this certification may have unintended adverse effects.
I remember one brave compliance officer who met with DOJ prosecutors and me in the presence of her company’s monitor, and for hours detailed—with written records—how the company leadership railroaded her efforts. She was summarily dismissed by her company as “not the right fit.” In my own in-house experience, I had my superior change my written response to the company’s monitor in order to hide compliance deficiencies.
These are stories compliance officers share around the world. When a compliance officer is the only person standing between the company and its liberation from DOJ supervision, they may find themselves between a rock and a hard place: Sign a certification you don’t believe in and risk prosecution, or lose your job by either walking away or being fired.
What Is a Responsible CCO to Do?
So, what should you do if you are the one between a rock and a hard place, or fear that you might find yourself there one day?
What you need is evidence that your program is accomplishing the goal of preventing and detecting violations of law. Counting pro-compliance messages or training attendance percentages is no longer sufficient: you must evidence how these communications and training have measurably changed attitudes, behavior, and practices to contribute to the prevention and detection of violations of law.
Start with one small test project. Pick one activity, define its objectives, and measure against them.
For example, if you are promoting your internal reporting hotline with the goal of improving both the volume and quality of reports, take your baseline measure of these data before your promotion, then measure the same data three, six, and 12 months later. Step by step, take this approach to every element of your program.
Slowly but surely, you will begin to build evidence of what works and what does not. You will then have empirical evidence to support your decision to certify or not to certify. What the company, prosecutor, or court does after that is up to them.
This article does not necessarily reflect the opinion of The Bureau of National Affairs, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Hui Chen is a senior advisor at R&G Insights Lab and the Justice Department’s first-ever compliance counsel expert. She has served in global senior compliance lead positions at Microsoft, Pfizer, and Standard Chartered Bank.