The 18th week of 2019 very well could have been the highlight of the year for professionals in the compliance space. On Tuesday, April 30, 2019, the Criminal Division of the U.S. Department of Justice (DOJ) released its guidance document for prosecutors of white-collar crime, The Evaluation of Corporate Compliance Programs. The DOJ’s guidelines advise federal prosecutors of certain factors to consider when evaluating the adequacy and effectiveness of corporate compliance programs for purposes of a criminal investigation. The new document is an extension of earlier guidance issued by the Criminal Division’s Fraud Section in February 2017, and represents an effort to better harmonize the prior Fraud Section publication with other Department guidance and legal standards. Later that same week, on Thursday, May 2, 2019, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) published its guidance document, A Framework for OFAC Compliance Commitments, to promote greater understanding of U.S. sanctions laws and requirements.
OFAC’s guidelines on the essential components of OFAC compliance programs and the DOJ’s guidelines for the evaluation of corporate compliance programs share a number of common themes with what have become known as the “five pillars” of Bank Secrecy Act/anti-money laundering (collectively, BSA/AML) compliance under the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) regulations. This article will briefly explore the conceptual overlap of the three compliance regimes, with particular regard to management commitment, risk assessment, internal controls, independent testing, and training in order to distill core components of compliance across the board and help financial institutions get their compliance commitments teed up in the new year.
The DOJ’s Critical Factors
The new DOJ guidelines bring to mind the seven elements of an effective compliance program as laid out in the U.S. Sentencing Guidelines. The 2019 guidance is organized around three main questions that a prosecutor would raise when evaluating corporate compliance programs: (1) whether the program is well-designed; (2) whether the program has been effectively implemented; and (3) whether the program actually works in practice.
The 2019 guidance document discusses how the three main questions can be applied in order to determine whether the compliance program is ultimately effective. First, to determine whether a compliance program is well-designed, prosecutors should consider, inter alia, (i) the quality and effectiveness of the company’s risk assessment process, (ii) whether policies and procedures give content and effect to ethical norms and are aimed at reducing the risks identified during the risk assessment, (iii) the appropriateness of training and internal communications, (iv) mechanisms for internal reporting, and (v) risk-based controls for third-party oversight.
Second, to determine whether the program has been effectively implemented, prosecutors should consider (i) the commitment by senior and middle management and conduct at the top, (ii) autonomy and resources, including the sufficiency of personnel, and (iii) incentives for compliance and disciplinary measures for non-compliance.
Third, to determine whether the program actually works in practice, prosecutors should consider (i) continuous improvement, periodic testing and review of the compliance program, (ii) whether investigations of misconduct are timely and thorough, and (iii) thoughtful analysis and timely remediation of any underlying misconduct. The 2019 guidance carries forward a number of questions from the 2017 guidance, and augments the prior guidance by inserting a number of direct references to the Justice Manual, “Principles of Federal Prosecution of Business Organizations,” bringing an air of formality not found in the earlier guidance.
OFAC’s Essential Components
According to the new OFAC guidance, an institution’s sanctions compliance program, or “SCP,” is strongly encouraged to employ a risk-based approach that is predicated on “at least five essential components of compliance: (1) senior management commitment, (2) risk assessment, (3) internal controls, (4) testing, and (5) training.” The guidance breaks down each essential component into a list of criteria through which an organization’s compliance efforts can be measured. For example, having a dedicated OFAC sanctions compliance officer may evidence senior management’s commitment to ensuring that compliance units are receiving adequate resources. When applying the guidelines to a given situation, OFAC will favorably consider subject persons that had effective SCPs at the time of an alleged sanctions violation. The OFAC guidance contains an appendix that outlines common root causes that have led to apparent violations of sanctions programs, such as the lack of a formal SCP, inconsistent application of an SCP, or improper or incomplete due diligence on the entity’s customers.
FinCEN’s Five Pillars
By statute, Congress required the Treasury Department and each financial institution supervisory agency to require every covered financial institution to establish its own internal BSA/AML compliance program, which must be in writing, must be approved by the financial institution’s board of directors, and must include, at minimum, the following five pillars: (1) internal controls to ensure ongoing compliance with the institution’s BSA and AML requirements, (2) procedures for independent testing of the institution’s BSA and AML requirements, either by in-house personnel or an outside party, (3) designated persons responsible for coordinating and monitoring the compliance program on a day-to-day basis, (4) training for appropriate personnel, and (5) a Customer Identification Program with risk-based procedures that allow the institution to form a reasonable belief that it knows the true identity of its subscribers.
Getting “Teed” Up
Bank examiners will evaluate if and how weaknesses within an institution’s compliance program and internal control environment contributed to a violation or deficiency. In a case in which civil money penalties (CMP) are being considered, the more areas in which the institution’s compliance program or internal control environment show weakness, the higher the CMP Matrix score will generally be, and therefore the greater the risk of larger penalties. With this background in mind, the following themes emerge when considering the effectiveness of corporate compliance programs:
- Tone at the Top. The board of directors, executives and senior management set the tone for the rest of the company, and their commitment to, and support of, an organization’s compliance program is essential for a successful program. FinCEN has previously categorized corporate culture as “critical” to a company’s BSA/AML compliance efforts.
- Tailored Risk Assessment. Risk-based compliance programs will vary depending on a variety of factors – including the company’s size and sophistication, products and services, customers and counterparties, and geographic locations. The starting point for determining whether a compliance program has been well-designed requires an understanding of how the organization has identified, assessed, and defined its risk profile. A prosecutor would consider the effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment.
- Targeted Internal Controls. Internal controls should include policies and procedures targeted towards identifying, interdicting, escalating, monitoring, reporting as appropriate, and keeping records pertaining to the matters covered by the compliance program.
- Talent. An employee, such as a dedicated BSA officer or OFAC compliance officer, should be assigned the responsibility for coordinating and monitoring the compliance program on a day-to-day basis.
- Training. An effective compliance program should provide job-specific knowledge, adequate information and periodic instruction to relevant employees, directors and officers.
- Testing. Comprehensive, independent, and objective testing or auditing will help ensure that organizations are aware of how their compliance programs are performing and whether they should be updated, enhanced, or revised to account for a changing risk assessment.