The U.S. Department of Justice (DOJ) has made another update to its Evaluation of Corporate Compliance Programs (ECCP) guidance announced by Assistant Attorney General Kenneth A. Polite on March 3, 2023. The updates expand upon Deputy Attorney General Lisa Monaco Memorandum released in September of 2022 (discussed in a prior Ankura post available here).
The ECCP guidance (issued in 2017 and revised in 2020) outlines the many factors that prosecutors will consider when evaluating the effectiveness of a corporate compliance program. It is a crucial guidance document that all compliance programs can use to evaluate their own program to ensure it is working to meet the standards and expectations set out in the ECCP guidance. An effective compliance program, as described in the ECCP, can have a direct impact on decisions related to the form of any resolution, monetary penalty, and required compliance obligations following cases of wrongdoing. While the ECCP is built to address criminal misconduct, many of the same concepts apply to cases of civil misconduct as well. The March 2023 updates focus on two areas of the guidance: compensation structure and consequence management, and the use of personal devices and communications.
First, major updates and revisions were made in the ECCP section on compensation structures and consequence management. The updates expand upon the prior version of the guidance which already stated that the “establishment of incentives for compliance and disincentives for non-compliance” is a hallmark of an effective compliance program. The updated ECCP goes into more detail on some of the aspects that prosecutors will consider when assessing the effectiveness of a compliance program.
These include the following, among others:
- Whether data is being tracked relating to disciplinary actions in order to evaluate the effectiveness of the actions taken;
- Whether compliance is incentivized by using compensation systems that defer or escrow compensation tied to compliance-related conduct;
- Whether the recoupment or reduction of compensation due to compliance violations is actually enforced; and
- Whether “compliance” is a factor used in career advancement considerations or as a significant metric for bonuses.
In addition to the listed considerations, the DOJ has added details and emphasis on the human resource process and disciplinary measures following instances of compliance violations or misconduct.
Second, the DOJ added that it would now review a company’s policies and procedures related to the “use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications.” The updates to the ECCP include that these policies need to be tailored to the company’s risk profile and specific business needs. Some of the factors prosecutors will consider are the types of communication channels used and what controls are placed on them, the policy environment including how any “bring your own device” program is structured, and the company’s risk management of such devices and communications.
While the seven elements of an effective compliance program, and the federal sentencing guidelines on which they are based, have long included discipline, enforcement, and incentives as hallmarks of effectiveness, many compliance programs may have under-focused on these elements. And many compliance programs may not have considered business communications on personal devices outside of the HIPAA risk. When reviewing compliance program effectiveness, discipline and enforcement almost appear to be ‘the forgotten element,’ as there is so little time or focus dedicated to this element. Dashboards and reports to leadership and the board of directors frequently do not include data regarding discipline and enforcement of compliance violations. Risk assessments frequently do not include accountability for compliance and fairness and consistency of discipline, resulting in compliance work plans devoid of initiatives to evaluate risk and effectiveness of the same. Perhaps since discipline and enforcement are driven by human resources (HR) and management, compliance programs have not always understood how to prioritize or develop this element to maturation. However, without accountability for compliance, the compliance program becomes hollow and lacks the ‘teeth’ needed to truly impact the prevention and detection of fraud, waste, and abuse.
Incentives tend to be rarely utilized or underdeveloped in compliance programs. This may be because of a lack of understanding regarding the importance of incentives to a culture of compliance or possibly because of the multidisciplinary approach that is necessary to develop a robust approach to compliance incentives. It may be that the compliance program is so reactive that it never takes the time to prioritize developing a proactive approach to incentives. Regardless of the reasons, compliance programs need to make plans to develop or further evolve these essential elements. The updated guidance in the ECCP gives concrete parameters of how incentives for compliance should be structured, granting an organization’s compliance officer and leadership better tools for implementing these important incentives.
Key Takeaways and Steps for Compliance Programs:
- Communicate with leadership and the board the updates from the ECCP, including areas of operations that may need review and update as well as necessary updates to the compliance program to ensure effectiveness.
- Work with leadership and HR to plan, build, incorporate, and communicate clear compliance-related goals and metrics into job descriptions, career advancement criteria, and bonus considerations.
- Work with operations to update or implement policies and procedures to align with the ECCP changes.
- Consider how your compliance program manages the discipline, enforcement, and incentives element, and further evolve toward effectiveness:
- Include organizational perceptions on accountability and fairness and consistency of discipline in compliance or employee engagement surveys
- Audit disciplinary records for compliance violations for fairness and consistency
- Determine what to report to leadership and the board regarding accountability, discipline, and enforcement for compliance violations
- Prioritize development of incentives for compliance from both the compliance program (i.e., small rewards, accolades, and announcements) and the organization (i.e., aligning compensation and bonus structures with compliance priorities)
- Ensure compliance risk assessments and work plans consider compensation structures and personal devices.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.