“Push to create a culture of compliance,” Assistant Attorney General Kenneth A. Polite advised in a keynote highlighting amendments to the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (ECCP) in March 2023.
Over the past few years, there has been a significant shift in focus on compliant cultures within financial services, but the DOJ’s amended ECCP extends the reach of focus across all corporations.
In a move that aligns the expectations of corporations with those of financial services, the ECCP amendments focused on organizations’ corporate compliance programs surrounding communication policies, specifically with messaging applications (including ephemeral ones, such as Snapchat) and personal devices. The amendments were initiated to support criminal investigations, and they concern the effectiveness of company policies, data preservation and access guidelines, and compensation-related criteria to ensure compliance.
While some organizations – especially financial organizations – have taken this direction to heart (such as in the instance of Goldman Sachs terminating employees who violated communications compliance policies), there is no greater proponent of corporate compliance than financial regulators. The Securities and Exchange Commission (SEC) has brought a range of enforcement actions signaling that lacking a comprehensive compliance program can mean danger ahead.
A recap on ECCP
Changes to the ECCP focused on the relation between risk and compliance when it comes to communications, specifically with personal devices and messaging applications.
Since “each company’s risk profile and solutions to reduce its risks warrant particularized evaluation,” there is no specific set of guidelines to follow relating to the effectiveness of an organization’s compliance policies. Instead, policies should be tailored to a company’s individual needs.
The Department’s Criminal Division had already begun shaping guidelines around these points. The ECCP amendments go hand in hand with Deputy Attorney General Lisa Monaco’s guidance on Corporate Criminal Enforcement Policies, which discussed themes of voluntary self-disclosure, compensation and clawbacks, and individual accountability.
The ECCP amendments also provide transparency about actions prosecutors will take in criminal investigations when assessing compliance, including an evaluation of the effectiveness of policies around messaging apps and personal devices to confirm proper record preservation. In addition, prosecutors will investigate the distribution of these policies, including “how companies communicate the policies to employees, and whether they enforce them on a consistent basis.”
Investigations “won’t stop there.” In addition to an investigation of the communication channels organizations use and their preservation and accessibility policies (including those related to “bring your own device” programs), prosecutors will commence a further line of questioning to assess their adherence to compliance and record maintenance. Polite said:
“A company’s answers – or lack of answers – may very well affect the offer it receives to resolve criminal liability. So, when crisis hits, let this be top of mind.”
Additionally, the Department launched a pilot program for corporate compliance. This program highlighted two main objectives: the inclusion of compensation-related criteria within programs, and the introduction of reduced fines when organizations demonstrate a clawback on compensation in appropriate circumstances.
The idea behind this pilot program is to support effective compliance, as “compensation structures that clearly and effectively impose financial penalties for misconduct can deter risky behavior and foster a culture of compliance.”
Timely cooperation will prompt additional fine reductions if organizations prove they are combatting misbehavior by enforcing a “program to recoup compensation.” The Department expects these clawback rules to apply not only to the individual who engaged in misbehavior, but also to any supervisors who had authority over associated employees.
The concentration on compliance continues
The ECCP amendments certainly aren’t the first updates to existing regulatory rules, and they very likely won’t be the last. Prior changes to guidelines like the Marketing Rule signify the push to keep pace with technological innovation as it redefines business approaches, and subsequent changes to regulations like SEC Rule 17a-4 and 18a-6 continue the discussion on electronic recordkeeping as it relates to critical data like communications.
Industry regulators like the Commodity Futures Trading Commission (CFTC) have continued to promote the link between culture and credibility. Recent speeches on the “zero-tolerance” view towards non-compliant culture go to show that it is only the beginning of enhanced regulatory scrutiny – and non-compliance means strict consequences.
Further, a focus on culture outside of financial conduct demonstrates that bolstering “ethical leadership” and deterring misconduct in all forms cultivates an inclusive workplace culture, which boosts productivity. Polite encouraged organizations to be “engaged more at the root causes” of criminality. The Financial Conduct Authority and Prudential Regulation Authority’s recent Consultation reflects this idea by encouraging closer monitoring of business activity and more focused strategies to thwart even the first signs of suspicious behavior.
As outlined in the ECCP amendments, it’s become essential to monitor business communications through all avenues, such as with personal devices. Perhaps controversially, this requires that employees make clear distinctions between professional and private conversations, and is an element that policies must reflect.
The focus on personal devices also begs the question – are application bans sufficient? In our 2023 industry insights report, we found that though 59% of respondents said they have banned applications like WhatsApp and WeChat, only 2.6% agreed that banning is an effective solution to withstand regulatory scrutiny. Therefore, it becomes necessary to confirm that any messaging applications your organization uses are compliant, and that all communications are captured and stored.
Regulators continue to underline that lost communications directly impact the credibility of organizations and the market as a whole by impeding investigations, while also raising questions around operational effectiveness and trust. Especially in the case of investigations, communication data can be the key determinant to prove criminal activity took place. CFTC Director of Enforcement Ian McGinley said:
“Adhering to the Commission’s recordkeeping and supervision requirements is not optional. This matter is another in a series of cases that reflects the Commission’s commitment to ensuring the Division of Enforcement can effectively investigate potential misconduct and, where needed, hold wrongdoers operating in our markets to account.”
A wider range of firms have begun to take remedial action where noncompliance is concerned by self-reporting and improving policies. True to the word of ECCP guidelines and SEC commentary, cooperation can keep organizations out of the line of fire. Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, stressed this matter:
“Self-report, cooperate and remediate. If you adopt that playbook, you’ll have a better outcome than if you wait for us to come calling.”
The pace of regulation isn’t slowing down
Enforcements and guidance are coming from every direction, which could leave organizations wondering – “what steps should I take next?” The bottom line of the ECCP amendments is that creating and monitoring compliance policies, communicating these policies to employees, and emphasizing accountability will mark the difference between smooth sailing and rough waters.
In his speech, Polite expressed that there is “no better time” to amend these compliance evaluations, and indeed, as technological advancements increasingly dictate modern life and business practice, it is pivotal that as the industry keeps up, organizations follow suit – or risk being next on the noncompliance list.