Preventing and Responding to Corporate Crime: New Focus for Compliance and Ethics Programs “Direct Reporting,” “Responding Appropriately,” and Dealing with Whistleblowers
Article Date: Tuesday, May 03, 2011
Written By: Steven Carr
A crime has been committed. An anonymous tip has come in on the company’s internal reporting “alert line” system, but before the company has an opportunity to conduct an internal investigation, it has become clear that a whistleblower also has reported the matter to State and Federal law enforcement authorities. The U.S. Attorney’s office is investigating, and an Assistant United States Attorney is calling to ask questions and to schedule interviews. What happens next?
Unfortunately, these days, this scenario is not so hypothetical. A small number of company employees (and often, executives) find it profitable to lie, cheat, steal and subvert company controls and systems, and their actions can result in big problems and major adverse consequences for the company. A business organization must be prepared to answer the question, and to respond, promptly and appropriately, to crimes and other wrongdoing that may occur in the conduct of the organization’s business. The organization must also be prepared to deal with the aftermath of the crime, including both civil and criminal liability, and adverse publicity. What happens next also means learning how this happened, and finding ways to prevent such misconduct from happening again.
To prepare for scenarios like this one, business leaders and their lawyers should focus on some important new developments and regulatory changes affecting the way their organizations operate their corporate compliance and ethics programs. New requirements and guidance instruct corporations and other business organizations to focus on operational effectiveness, in order to prevent violations, and clarify how they must “respond appropriately” when criminal conduct is discovered within their ranks. These new requirements are part of a 2010 amendment to the Federal Sentencing Guidelines for Organizations (the “Guidelines”), effective November 1, 2010. The 2010 amendment also provides guidance on steps the organization must take to improve its ethics and compliance program, when a crime or other wrongdoing has been committed and detected.
And, for publicly traded companies subject to Securities Exchange Act regulations, Congress has mandated significant new protections for corporate whistleblowers that will impact the way organizations design and implement their internal reporting systems. These changes also impact how a company will respond to regulators when a whistleblower has bypassed the compliance program and reported directly to a regulator or other law enforcement agency.
In light of these recent changes, and other developments affecting corporate ethics and compliance programs, business leaders and their lawyers should ask: Does our ethics program need a tune-up?
A Cultural Imperative for Ethical Conduct
A 2004 amendment to the Guidelines (first adopted in 1991) imposed tougher requirements for ethics programs and mandated a cultural imperative for ethical behavior and compliance with law by all corporations and business organizations, large and small – including non-profit organizations, limited liability companies and other forms of business entities. All business organizations, particularly those dealing with federal agencies, and exposed to risk of non-compliance with federal law requirements, must now devote high-level attention, leadership, and sufficient resources to their ethics and compliance programs. These programs should establish an effective, ongoing process that makes ethical conduct an essential element of a successful business plan and successful operations of the organization.
The 2004 Amendment to 1991 Minimum Requirements
The criteria a corporation and other business organizations must follow in order to create “an effective compliance and ethics program” were made more rigorous in 2004. The 2004 amendment revised the seven minimum requirements that an organization must meet in order to demonstrate that its compliance and ethics program is “effective.” Establishing and maintaining an effective program is essential for an organization seeking to mitigate its punishment (including fines and terms of probation), and to reduce its “culpability score” under the Guidelines, for a criminal offense.
The Guidelines for the sentencing of organizations may be viewed and downloaded at the U.S. Sentencing Commission website, www.ussc.gov. The Guidelines for Organizations are at Chapter 8 of the Sentencing Commission’s 2010 Guidelines Manual (“Guidelines Manual”).
This article summarizes the provisions of Section 8B2.1 of the Guidelines Manual and highlights the changes in the original 1991 version of the Guidelines effected by both the 2004 amendment and the 2010 amendment.
The key change in the 2004 amendment to the Guidelines was a simple mandate: the organization’s leaders must instill and promote a culture of ethical behavior and knowledgeable compliance with the law. The fundamental purposes of the 2004 amendment were to sharpen the focus on ethical conduct, to improve corporate compliance programs, and to prevent and detect criminal conduct within organizations. The 2004 amendment also fulfilled the Sentencing Commission’s duty to review and amend the Guidelines, as directed by Congress under the Sarbanes-Oxley Act of 2002, to ensure that the Guidelines that apply to organizations “are sufficient to deter and punish organizational criminal misconduct.” Guidelines Manual, §8B2.1, Background.
Summary of the 2004 Amendment
The major features of the 2004 amendment included the following changes to the Guidelines:
• Organizations must promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
• The 2004 amendment required boards of directors (the “governing authority”) and executives to assume specific responsibility (formerly assigned to “high-level personnel”) for the oversight and management of compliance and ethics programs.
• Effective oversight and management presumes active leadership in defining the content and operation of the compliance and ethics program (“the Program”).
• At a minimum, the 2004 amendment explicitly required organizations:
• To identify areas of risk where criminal violations may occur;
• To train high-level officers and employees in relevant legal standards and obligations; and
• To give compliance and ethics officers sufficient authority and resources to carry out their responsibilities.
The 2010 Amendment: “Direct Reporting” and “Responding Appropriately”
The 2010 amendment makes some truly important changes to the Guidelines regarding the sentencing of organizations. Notably, the recent amendment provides encouragement and incentives (by means of potential sentence mitigation) for an organization to adopt a structure that assigns compliance and ethics officers “direct reporting obligations” and direct personal access to the governing authority of the organization (e.g., the board of directors).
The new amendment also describes and further clarifies the reasonable steps an organization should take to “respond appropriately” after criminal conduct is detected, and steps that should be taken to prevent further similar criminal conduct, including making appropriate changes to its ethics program to address the risk and to prevent the conduct from happening again.
These recent changes in federal law mean that organizations should assess whether their current compliance and ethics program meets the new and tougher requirements for such programs. Making sure that the program meets the standards to be considered “effective” should help to prevent violations of law before they occur, and will help the organization to mitigate or reduce the punishment for a criminal offense, if the organization is accused or found guilty of a criminal offense.
The Seven Minimum Requirements, and Two New Emphases of the 2010 Amendment
The 2004 amendment updated and made more rigorous the seven minimum requirements originally contained in the 1991 version of the Guidelines that an organization must follow to exercise its “due diligence” in the design and implementation of an effective corporate compliance program. These seven requirements served as the framework for the creation of an “effective program to prevent and detect violations of law” that many corporations followed when the 1991 Guidelines were adopted. In addition to industry benchmarks (“applicable industry practice”) and standards called for by applicable government regulations, the 2004 amendment’s elaboration on these criteria served as guidance by which a corporation’s Program could be re-designed or improved.
In the 2010 amendment, the Sentencing Commission gives greater emphasis to Program leadership. The current guidance requires organizations to provide their compliance officers with sufficient resources to conduct and to improve the Program. These officers now also must have “direct reporting obligations” and direct access to the organization’s governing body, the decision-makers at the highest level of the organization.
In response to comments and requests from businesses and industries, the Sentencing Commission also provides more guidance and some clarifying changes to the Guidelines in the 2010 amendment to address what it means to “respond appropriately” to regulators and prosecutors when criminal conduct has been discovered and investigated internally.
In abbreviated form, the seven minimum requirements, as revised, are as follows:
1. Standards and Procedures. The organization shall establish standards and procedures to prevent and detect criminal conduct. These standards and procedures are standards of conduct and internal controls “reasonably capable of reducing the likelihood of criminal conduct.” Each organization’s standards should be tailored to fit its own business. The standards should be based on a risk analysis of potential criminal activity and non-compliance, and the organization should implement procedures designed to enforce the standards and reduce the identified risks.1
2. Board of Directors Oversight/Operational Effectiveness. The organization’s governing authority shall be knowledgeable about the content and operation of the Program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the Program.
• Specific individual(s) within high-level personnel (individuals who exercise substantial supervisory authority and substantial discretion) shall be assigned overall responsibility for the Program.
• Specific individual(s) shall be delegated day-to-day operational responsibility and shall report periodically (not less than annually) to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the Program.
• This Step 2, and greater emphasis on Program leadership and their direct access to the highest level decision-makers, was one of two of the seven due diligence steps that the Sentencing Commission focuses on in the 2010 amendment.2
• “Direct reporting obligations” is clarified in the 2010 amendment to mean “express authority to communicate personally” to the governing body “promptly on any matter involving criminal conduct or potential criminal conduct” and at least annually for review of Program implementation and effectiveness.
• These high-level individuals shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.
3. Screening and Excluding Unethical Individuals. The organization shall use reasonable efforts not to include within the substantial authority personnel (people who exercise a substantial measure of discretion in acting on behalf of the organization) any individual whom the organization knew or should have known has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program. (The key point here is that the Program should include not only pre-employment background checks but also an emphasis on ethical conduct at all stages of the employment, including performance reviews.)
4. Effective Training Programs. The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures (see Step 1) by conducting effective training programs and otherwise disseminating information appropriate to individuals’ roles and responsibilities at all levels of the organization (including executives and the Board of Directors), and as appropriate, the organization’s agents. This means that the organization’s compliance Program is really an ongoing process, and must be designed to provide legal updates, periodic training and refresher courses.
5. Periodically Evaluate Effectiveness. The organization shall take reasonable steps to ensure the Program is followed, including:
• Monitoring and auditing to detect criminal conduct;
• Evaluating periodically the effectiveness of the Program;
• Providing and publicizing a system and mechanisms for anonymity or confidentiality, whereby employees and agents may report or seek guidance regarding potential or actual criminal conduct, without fear of retaliation.
Notably, a feature included with the 2004 amendment also mandates that the organization “periodically assess the risk of criminal conduct . . . and take appropriate steps to design, implement or modify each requirement [of the Program, following the seven minimum requirements] to reduce the risk of criminal conduct through this [risk assessment] process.”
6. Promote and Enforce the Program. The organization’s Program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent and detect criminal conduct.
The 1991 version of the Guidelines focused on disciplinary measures. The 2004 amendment added the requirement that organizations promote an ethical culture and compliance program with “appropriate incentives.” The Sentencing Commission noted that “this addition articulates both a duty to promote proper conduct in whatever manner an organization deems appropriate, as well as a duty to sanction improper conduct.” (Emphasis added.)
7. Respond Appropriately When Criminal Conduct is Detected. The organization shall respond appropriately to the criminal conduct and prevent further similar conduct, including making any necessary modifications to the Program.
This Step 7 was the second special focus of the 2010 amendment, providing greater clarity on what it means for an organization to “respond appropriately.” The Sentencing Commission stated its rationale for these changes to Step 7 thus:
[T]he organization should take reasonable steps, as warranted under the circumstances, to remedy the harm resulting from the criminal conduct. . . . [S]uch steps may include, where appropriate, providing restitution to identifiable victims, other forms of remediation, and self-reporting and cooperation with
With respect to the second aspect, the application note provides that an organization should assess the compliance and ethics program and make modifications necessary to ensure the program is effective. . . . [S]uch steps . . . may include the use of an outside professional advisor to ensure adequate assessment and implementation of any modifications.
This application note was added in response to public comment and testimony suggesting that further guidance . . . may encourage organizations to take reasonable steps upon discovery of criminal conduct. The steps outlined by the application note are consistent with factors considered by enforcement agencies in evaluating organizational compliance and ethics practices.3 (Emphasis added.)
Timely and Fully Cooperating with Criminal Investigations: The Attorney-Client Privilege, Attorney Work Product, and the Facts
Both the 2004 amendment and the 2010 amendment address concerns about the relationship – often a tense relationship – between the organization’s ability to obtain credit under the Guidelines for timely and thorough cooperation with law enforcement authorities and criminal investigations, and the risks and considerations of waiver of the attorney-client privilege and the work product protection doctrine as a part of the cooperative efforts.
In the recent guidance with the 2010 amendment, the Sentencing Commission states: “The two factors that mitigate the ultimate punishment of an organization are: (i) the existence of an effective compliance and ethics program; and (ii) self-reporting, cooperation or acceptance of responsibility.”4
The Sentencing Commission noted in 2004 that “waiver of the attorney-client privilege and of work product protection ‘is not a prerequisite to a reduction in culpability score ... unless such waiver is necessary in order to provide timely and thorough disclosure of all pertinent information known to the organization.’ The Commission expects that such waivers will be required on a limited basis.” Synopsis of Amendment, submitted to Congress May 1, 2004, at www.ussc.gov/2004guid/RFMay04-Corp.pdf.
Department of Justice Prosecutions of Organizations – Evolving Guidance on “Cooperation” and
In June 1999, the United States Department of Justice (“DOJ”) issued the original version of the Principles of Federal Prosecution of Business Organizations (“Principles”). Known as the “Holder Memo” (because it was authored by then-Deputy Attorney General Eric Holder, Jr., in the Clinton Administration, now Attorney General in the Obama Administration), the Principles set forth nine key factors to be considered by federal prosecutors in making charging/plea agreement decisions.5
The first revisions were issued by then-Deputy Attorney General Larry Thompson in 2003 following the Enron and WorldCom scandals. While maintaining the Holder Memo’s nine-factor format, the new Principles advocated a more scrutinizing approach, particularly in evaluation of one factor: cooperation. The Thompson Memo demanded that corporations demonstrate the “authenticity” of their cooperation, an undertaking which many sought to accomplish by waiving their attorney-client privilege.6
That practice generated such a negative reaction that in 2006 then-Deputy Attorney General Paul McNulty penned a second revision of the Principles. The 2006 version forbade prosecutors from seeking communications protected by the attorney-client privilege without first establishing a legitimate need for the information. Unfortunately, McNulty’s changes merely created new problems. Thus, in the summer of 2008, Deputy Attorney General Mark Filip wrote to members of the Senate Judiciary Committee to announce his plans to join the tradition with the release of the “Filip Memo.”
Filip issued the new revisions to the Principles as a response to the growing concern among criminal defense attorneys and civil liberties advocates that the DOJ had used the threat of criminal indictment and prosecution (or the threat of withholding cooperation credit) to coerce corporations to waive their attorney-client privilege against their will and to provide information to the government that otherwise would be subject to this protection.7 The Filip Memo was Filip’s attempt to assure the Senate that he had heard the complaints, that he had made the requisite changes to the Principles, and that, accordingly, no congressional “help” would be necessary. The key revisions adopted by the DOJ in 2008 included the following:
Cooperation (still merely one of nine factors considered under the Principles) will be measured by the extent to which a corporation discloses relevant facts and evidence, not by its waiver of privileges.
• The question is: “To what extent has the corporation timely disclosed the relevant facts?”
• The question is NOT: “Has the corporation waived attorney-client privilege or work product protection in making its disclosures?”
• A corporation may voluntarily waive the privilege.
However, Federal prosecutors will no longer demand the disclosure of “Category II” information as a condition for cooperation credit.
To receive credit, a corporation need not disclose (and the government may not demand) “Category II” information, defined in the McNulty Memo as “non-factual attorney work product and core attorney-client privileged communications.” “Category I” information was defined as “purely factual information” relating to the underlying misconduct, including key documents, witness statements, and purely factual interview memoranda.
• But there are two exceptions to the no “Category II” rule under which such information and communications may be demanded:
1. Communications made in furtherance of a crime or fraud;
2. Communications that relate to an advice-of-counsel defense.
• Federal prosecutors will not consider whether the corporation has advanced attorneys’ fees to its employees in evaluating cooperation.
• Prosecutors will not consider whether the corporation has entered into a joint defense agreement in evaluating cooperation.
• Prosecutors will not consider whether the corporation has retained or sanctioned employees in evaluating cooperation.
However, whether and how a corporation disciplines culpable employees may be weighed in the evaluation under another of the nine factors under the Principles: the quality of the corporation’s compliance program and remedial measures.
The Filip revision to the Principles to eliminate the consideration whether the corporation has advanced attorneys’ fees under the Thompson Memo apparently was a response to a district court decision from 2006. In United States v. Stein, 435 F. Supp. 2d 330, 367-73 (S.D.N.Y. 2006), the Southern District of New York held that the U.S. Attorney’s Office violated the Fifth and Sixth Amendment rights of KPMG employees by coercing KPMG, as part of its cooperation to avoid an indictment of the company, to limit payments and to condition payment of the employees’ legal fees on the employees’ willingness to speak to the government.
In 2008, following the Filip Memo revisions, Siemens AG, Europe’s largest electronics and engineering company, entered into a landmark plea agreement following a bribery investigation conducted simultaneously by the DOJ and German authorities. Siemens agreed to pay a record combined fine and penalty of $800 million to U.S. authorities. Although acknowledging that Siemens provided “extraordinary” cooperation during the investigation, the DOJ required Siemens to plead guilty to felony violations of the Foreign Corrupt Practices Act and imposed an independent monitor to oversee the company’s corporate compliance system for four years as part of the plea agreement.8
Whether or not the Siemens case signals the diminishing value of cooperation, it certainly bears out an increasing focus by the DOJ on the adequacy of corporate compliance systems. Maintaining a program that meets DOJ standards will be vital for companies in the future, not only for detecting wrongdoing in advance, but also for gaining favor in plea negotiations in the event of an investigation.
Internal Investigations and Disclosures
Business lawyers also need to consider other important questions in their conduct of internal investigations and in giving advice to their client’s executives.
First, how easy will it be for the organizations to separate privileged Category II information from the factual Category I information which they must disclose?
This is an important question, given the manner in which corporations often discover some of this information through internal investigations and attorney interviews. The investigative reports and notes are likely to include a mixture of Category I and Category II information.
And second, how clear is the line between voluntary waiver and coercion? And can officers or directors who may be individual defendants affected by a company’s waiver assert a claim that the company was coerced and that such coercion infringed on their constitutional rights?
In United States v. Balsiger, 07-CR-57 (WIEDC) (Aug. 16, 2010, available at Casemaker, Federal Libraries), 2010 U.S. Dist. LEXIS 93063, the federal district judge of the Eastern District of Wisconsin was presented with this question. The case centered on a fraud investigation of multiple parties, during which one company received word from government prosecutors that it could avoid charges only by waiving the attorney-client privilege and entering into a cooperation agreement.
When the company obliged, thus releasing a wealth of otherwise privileged communications, other individual defendants, including at least one officer or director of the company who was involved in the waiver decision, cried foul. The individual defendants sought to compare their situation and the company’s cooperation and pressure from the government to cooperate with the situation faced by the KPMG employees in the Stein case. These individual defendants, implicated by the information provided to the government by virtue of the waiver, argued to the court that the government’s action constituted unlawful coercion of the company that resulted in an infringement of their constitutional rights. The court rejected all of their arguments, questioned their standing to bring a claim of coercion, and rejected their comparison to the Stein case.
Sarbanes-Oxley and SEC Regulations Affecting Lawyer Reporting Obligations and How Lawyers Must “Respond Appropriately”
The changes in the securities laws affecting publicly-traded companies under the Sarbanes-Oxley Act also imposed new rules of conduct for lawyers who provide legal advice relating to securities law matters and who appear and practice before the SEC. See 15 U.S.C.A. §7245, titled “Rules of professional responsibility for attorneys.” The SEC has imposed rules prescribing minimum standards of conduct, including the so-called “up-the-ladder” reporting mechanism for securities law violations, to report evidence of a “material violation of securities law or breach of fiduciary duty or similar violation by the company or any agent thereof, to the chief legal officer or the chief executive officer.”
If the CLO or the CEO does not “respond appropriately” to the evidence “(adopting, as necessary, appropriate remedial measures or sanctions with respect to the violation)” then the statute and the SEC’s rules require that the lawyer report the evidence up the ladder to the audit committee of the board of directors, or to another committee of the board comprised of directors not employed by the company, directly or indirectly, or to report directly to the board of directors itself. See 17 CFR Part 205 and Section 205.3 (17 CFR §205.3).
Rule 1.13, titled Organization as Client, of the North Carolina Rules of Professional Conduct, adopted by the North Carolina State Bar, imposes similar duties on the lawyer representing an organizational client. Rule 1.13(b) states that if the lawyer for an organization “knows that an officer, employee or other person associated with the organization is engaged in action, intends to act or refuses to act in a matter related to the representation that is a violation of a legal obligation to the organization, or a violation of law which reasonably might be imputed to the organization, and is likely to result in substantial injury to the organization, the lawyer shall proceed as is reasonably necessary in the best interest of the organization.” The lawyer’s next steps may include “referring the matter to higher authority in the organization, including, if warranted by the seriousness of the matter, referral to the highest authority that can act on behalf of the organization as determined by applicable law.”
Dodd-Frank Reforms and New SEC Regulation Protecting and Rewarding Whistleblowers
Counsel for organizations that are publicly traded and subject to regulation by the Securities and Exchange Commission (“SEC” or “Commission”) under the Securities Exchange Act of 1934, as amended, also should be aware of recent changes made by Congress in the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”), signed into law last summer. The Dodd-Frank Act included a new Section 21F, by which Congress mandated new whistleblower protections and payments of awards to whistleblowers who report securities law violations. The SEC has proposed Regulation 21F, to adopt new rules and to implement new Section 21F of the Exchange Act, and invited comments on the proposed rules and the whistleblower protection provisions. (See File No. S7-33-10, SEC Release No. 34-63237).
The Committee on Federal Regulation of Securities of the American Bar Association’s Section of Business Law, with support from the Committee on Corporate Laws (also a committee of the Business Law section, collectively, the “ABA Committees”) provided thoughtful and detailed comments to the SEC in a 32-page letter published Jan. 4, 2011 (“ABA Committees Letter”). The ABA Committees’ comments encouraged the SEC to adopt a final version of Regulation 21F that will “operate in tandem with, and support and strengthen, the existing matrix of laws, regulations and policies designed to encourage the reporting of serious violations of laws, require the investigation of allegations of wrongdoing, and provide meaningful and effective responses to such allegations.”
The ABA Committees also caution the SEC to be “mindful of the potential for harm that an unbalanced whistleblower program may present” including the risks of “rewarding and even encouraging wrongdoers, creating incentives (by reason of over-broad anti-retaliation provisions and substantial monetary awards) to bypass or upend effective company programs for the investigation of and response to wrongdoing, and eroding significant attorney-client protections. An unbalanced program could lead to a flood of frivolous and ill-informed whistleblower claims that would require the devotion, at considerable expense, of significant investigative resources by the Commission and the companies implicated. None of these undesirable results would benefit companies, their shareholders or the investing public generally.” (ABA Committees Letter, at page 3; emphasis added.)
Among the ABA Committees’ recommendations and rationale to the SEC were these points:
(1) Require whistleblowers to “exhaust all reasonably available internal processes a company has established for reporting compliance concerns” absent extraordinary circumstances;
(2) A whistleblower’s allegations regarding improprieties may relate to violations of securities laws, but “they may also involve state laws and other federal laws, the fiduciary duties of officers and directors; employee policies; commercial, competitive and strategic matters; and reputational considerations”;
(3) An SEC whistleblower program that does not require exhaustion of internal compliance procedures may “both cut off the information that is required for the system to operate effectively, and also delay (and in some cases, completely prevent) the company’s ability to investigate and address the range of issues that may be implicated by the allegations”;
(4) Internal compliance programs and mechanisms are “critically important” to a company and its shareholders;
(5) “Were the Commission’s whistleblower rules to interfere in any material respect with the operation of the company’s internal compliance program or undermine its ability to self-report violations of law, the consequence may be to deprive the company (and indirectly, its security holders) of significant benefits afforded under the sentencing guidelines [for organizations].” (ABA Committees Letter, pp. 16-18, and note 24.)
Be alert for more developments on Regulation 21F and for how the SEC will respond to these and other comments about the new rules. Take into account these new whistleblower provisions and protections and how they will affect your organization’s ethics and corporate compliance program, including those features of your program that encourage allegation reporting and other internal reporting and compliance systems.
Practical Implications for the Client Organization’s Ethics Program
Many organizations improved and strengthened their ethics codes and compliance programs after the 1991 Guidelines were adopted, and many have addressed and made a number of the changes in the due diligence requirements effected by the 2004 amendment. For example, the designation of a Chief Compliance Officer (“CCO”) and the creation of a compliance specialist staff position to assist the CCO in fulfilling the day-to-day operations of the Program would be positive steps toward achieving what the 2004 amendment, the 2010 amendment and the new Guidelines criteria now require.
To assure that your client organization’s Program is meeting all of the due diligence requirements, the CCO and the compliance specialist, with appropriate assistance from the organization’s lawyers, should focus their attention on potential Program design changes and other operational changes, including:
• Providing regular and appropriately detailed reports about the Program to the Board of Directors or the Board’s Audit or Governance Committees, and making recommendations for the Board or the appropriate subgroup of the Board to assure operational effectiveness and periodic assessments of risks and effectiveness measures.
• Working with legal counsel and auditors to design and implement process changes to evaluate Program effectiveness, to conduct periodic risk assessments, and to provide training updates.
• Reviewing the organization’s standards, procedures and controls across the enterprise and business units to address and reduce risks of criminal activity and noncompliance, and to assure consistent and appropriate discipline and a response plan for any misconduct detected within any of the business units.
All business organizations now must devote high-level attention, leadership and sufficient resources to assure that their ethics and compliance programs establish a dynamic, ongoing process that makes ethical conduct an essential element of an effective business plan.
Your Chief Compliance Officer and other leaders of your client organization should consult with legal counsel to assess whether the organization’s ethics and compliance program is effective and meets the requirements mandated by the 2004 amendment and 2010 amendment to the Guidelines, the evolving guidance from the DOJ, and, as applicable, the SEC’s new Regulation 21F requirements and protections for corporate whistleblowers.
Steven Carr is a founding member of Ellinger & Carr, PLLC. Before private law practice, he served as associate general counsel for Progress Energy and in other corporate counsel positions. Steven has counseled corporate and non-profit clients on ethics and corporate governance, drafted and implemented Codes of Ethics and ethics and compliance programs, written extensively and served as a speaker on corporate compliance and ethics programs since the 1991 Guidelines were adopted. The author gratefully acknowledges research assistance provided for this article by Christian Kucab, a 2L law student of the Duke University School of Law.
1. The Sarbanes-Oxley Act of 2002, affecting public companies regulated by the Securities and Exchange Commission under the Securities Exchange Act of 1934, also imposed new requirements for codes of ethics for senior financial officers. See Section 406 of the Act, 15 U.S.C.A. §7264. The statute defines the code of ethics to mean and include “such standards as are reasonably necessary to promote (1) honest and ethical conduct . . . (2) full, fair, accurate, timely and understandable disclosure in the periodic reports required to be filed by the issuer; and (3) compliance with applicable governmental rules and regulations.” The SEC’s implementing rules add the word “laws” to “governmental rules and regulations.” See 17 CFR §229.406(b)(3).
2. Under the 2010 amendment, the organization may be eligible for a decrease in its culpability score for an effective Program but only if (1) the Program leaders have “direct reporting obligations” to the governing board, (2) the Program detected the offense before discovery outside the organization, or before such discovery was reasonably likely, (3) the organization promptly reported the offense to appropriate governmental authorities, and (4) no individual with Program operational responsibility participated in, condoned or was willfully ignorant of the offense.
3. Amendments to the Sentencing Guidelines, May 3, 2010, compilation, pp. 19-20, available at http://www.ussc.gov .
4. Introductory commentary, Chapter 8, Sentencing of Organizations, available at http://www.ussc.gov/Guidelines/2010_guidelines/Manual_PDF/Chapter_8.pdf .
5. Memorandum from Eric Holder, Deputy Attorney Gen., Dep’t. of Justice, on Bringing Criminal Charges Against Corps. to Dep’t Component Heads and U.S. Attorneys (June 16, 1999), available at http://www.justice.gov/criminal/fraud/docs/reports/1999/chargingcorps.html .
6. Memorandum from Larry D. Thompson, Deputy Attorney Gen., Dep’t of Justice, on Principles of Fed. Prosecution of Bus. Orgs. To Heads of Dep’t Components and U.S. Attorneys (Jan. 20, 2003), available at http://www.justice.gov/dag/cftf/corporate_guidelines.htm .
7. Memorandum from Mark R. Filip, Deputy Attorney Gen., Dep’t of Justice, on Principles of Fed. Prosecution of Bus. Orgs. (August 28, 2008), available at http://justice.gov/opa/documents/corp-charging-guidelines.pdf .
8. Press Release, Dep’t of Justice, Siemens AG and Three Subsidiaries Plead Guilty to Foreign Corrupt Practices Act Violations and Agree to Pay $450 Million in Combined Criminal Fines (Dec. 15, 2008), available at http://www.usdoj.gov/opa/pr/2008/December/08-crm-1105.html.
Views and opinions expressed in articles published herein are the authors' only and are not to be attributed to this newsletter, the section, or the NCBA unless expressly stated. Authors are responsible for the accuracy of all citations and quotations.