Emory Corporate Governance and Accountability Review

Do Corporate Compliance Programs Really Prevent Corporate Wrongdoing? Of Course They Do!
John T. Boese John T. Boese is now Of Counsel in the DC Office of Fried Frank Harris Shriver & Jacobson, LLP, where he was a partner for over 30 years. Since leaving the Justice Department in 1977, Mr. Boese has represented defendants in civil and criminal fraud investigations and lawsuits in various industries, and in related suspension, debarment, and exclusion proceedings arising from those investigations and settlements. This has included developing corporate compliance programs and advising compliance officials, primarily in the defense and healthcare industries. He is the author of the treatise, Civil False Claims and Qui Tam Actions, initially published in 1993 and updated semi-annually by Wolters Kluwer Law & Business, and he teaches courses on the False Claims Act at various law schools. He is an Advisor to the American Law Institute’s current project entitled “Principles of Law, Compliance, Enforcement, and Risk Management for Corporations, Nonprofits, and Other Organizations.” The author is grateful to the Reporter and Associate Reporters of that project for their contributions on this subject.

Introduction

The editors posed three key questions with regard to effective corporate compliance programs. These questions were intriguing, and the answers set forth below are based on the perspective of a defense attorney who, for almost forty years, has represented corporate and individual defendants, predominantly in civil False Claims Act cases. Hopefully, these answers will stimulate thought about effective corporate compliance programs, the advantages of having them, and perhaps dampen the enthusiasm by some for forcing compliance through punitive lawsuits. The three questions are: (1) Do corporate compliance programs actually suppress information from regulatory oversight? (2) Do corporate compliance programs create an environment where employees are led to believe that wrongdoing in the corporate environment is implausible because a compliance program exists? (3) From a practical viewpoint, what kind of corporate compliance programs work better than others? Following some background to put corporate wrongdoing in context, the responses to these questions are presented in the question-and-answer format.

Corporate Wrongdoing in Context

In an era when the daily news brings one example after another of corporate and institutional wrongdoing, asking whether corporate compliance programs really prevent corporate wrongdoing seems like a legitimate question. After all, if these compliance programs are so useful, why does it seem that instances of corporate and institutional wrongdoing never end?

The answer to that question is pretty simple: blame Adam and Eve and “original sin.” Corporations and other major institutions are nothing more than groups of human beings, managed by other humans, who bring to their daily working lives all the failures that infect every other aspect of human life. We are, after all, human. Each of us is plagued by one or more of the deadly sins—greed, sloth, anger, envy, pride 1Since we are addressing chiefly institutional wrongdoing designed (at least in part) to benefit the corporation, and not individual wrongdoing without benefit to the corporation, I left out the other two deadly sins, gluttony and lust. I almost included lust, since sexual harassment remains a major source of individual wrongdoing in the workplace and a major source of institutional concern. See Lisa Rein, New Sexual-Misconduct Claims Hit Yosemite, Yellowstone in Widening Park Service Scandal, Wash. Post (Sept. 22, 2016), https://www.washingtonpost.com/news/powerpost/wp/2016/09/22/top-park-service-official-acknowledges-no-one-has-been-fired-for-sexual-misconduct/. Every complete corporate compliance program, however, must not only emphasize the impropriety of such conduct, but the need for a strong institutional response when such conduct is discovered. I know of no examples for gluttony, but I am sure there are some. —that are inherent in being human and cause much of the corporate wrongdoing we read about daily. Humans are not all perfect, not all knowing, not all good. Unfortunately, we all sometimes act stupidly, sometimes badly.

As a result, asking a corporate or non-profit institution created and populated by humans to be innocent of these human vices is impossible. No institution, corporation, or government entity is without its vices. They are populated by people who are greedy, lazy, envious, hateful, and proud. So every institution, every corporation, will eventually do something wrong, and the bigger the institution, and the more regulated the entity, the greater the possibility of corporate wrongdoing. The real question—and this is where corporate compliance programs are so critical—is not whether corporate wrongdoing occurs, but what the corporation, as an entity separate from the individuals who populate it, does in response when it discovers the wrongdoing, the steps it takes to make sure the wrongdoing does not recur, and the messages it sends to other employees and officials in the organization when such wrongdoing is discovered.

The most effective response always begins with having an effective corporate compliance program in place, which involves first putting in place (and regularly updating) the institutional structure. This structure chiefly includes: (1) the compliance office, including a chief compliance officer, assistants, and delegates in each major corporate division or entity; (2) a compliance oversight committee, usually made up of the senior compliance official, the general counsel, and senior management; and (3) a written set of compliance standards and procedures, drafted specifically to address the compliance risks the institution is expected to face. But setting up the structure is the easy part.

The success of any corporate compliance program is judged on what it does, which can be broken down into four interrelated parts (all important to the discussion below):

1. Training

2. Hotlines, audits, and investigations

3. Discipline

4. Correction and restitution

Corporate compliance programs are now headed by trained, experienced managers who report (or should report) directly to the board of directors or the highest legal authority that governs the corporation. As a result of legal and enforcement developments over the last twenty years, the board and senior management now have a vested interest in making that compliance program work. 2See, e.g., In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996) (suit against Caremark’s board of directors for breach of fiduciary duty to Caremark in connection with alleged healthcare fraud violations); Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 745 (2002) (to protect investors by improving the accuracy and reliability of corporate disclosures pursuant to the securities laws); Patient Protection and Affordable Care Act (“ACA”), Pub. L. No. 111-148, 124 Stat. 119 (2010); Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, 124 Stat. 1376 (2010); Memorandum from Deputy Att’y Gen. Sally Quillian Yates, Individual Accountability for Corporate Wrongdoing U.S. Dep’t Just. (Sept. 9, 2015) (the “Yates Memo), https://www.justice.gov/dag/file/769036/download.

With this background, I can now react to the specific questions asked with regard to the effectiveness of corporate compliance programs.

Question 1: Do corporate compliance programs actually suppress information from regulatory oversight?

Response: I certainly hope so.

Anyone who has manned a corporate compliance hotline can attest (and I have reviewed hotline logs of many corporations) that the vast majority of calls are either worthless or completely off base. Many deal with employment issues (“Why did he get a higher bonus than me?”) or other similar complaints. That is the type of information that should be “suppressed” from regulatory oversight. There are not enough Department of Justice (“DOJ”) lawyers, FBI agents, federal and state auditors, or other investigators and enforcement officials to respond to the thousands of minor complaints that compliance officials and hotline contractors hear every day. That is not to say that such callers or whistleblowers should not be treated with respect and receive a legitimate and timely response. But that type of information should not go to the regulators—they simply don’t have time for it if they want to focus on real wrongdoing.

If this question is directed, however, at serious allegations of corporate wrongdoing, the answer is, in my view and experience, a clear “no.” Most modern corporations keep logs of their hotline calls and complaints to compliance officials. Most corporations require that those logs include all follow-up actions. Any corporation that receives a serious allegation of wrongdoing over its hotline or through a complaint to a compliance official risks major criminal and civil sanctions—to the corporation and to responsible individuals—if those allegations are ignored.

Every government “mandatory disclosure” program allows the corporation a period of time to determine whether the allegation has merit, under either applicable facts or legal standards. 3See, e.g., Contractor Business Ethics Compliance Program and Disclosure Requirements, 48 C.F.R. §§ 2, 3, 9, 42, and 52 (FAR mandatory disclosure rule); Medicare Program: Reporting and Returning of Overpayments, 81 Fed. Reg. 7654–7684 (Feb. 12, 2016) (to be codified at 42 C.F.R. §§ 401, 405) (establishing rules for reporting and returning overpayments); False Claims Act (“FCA”), 31 U.S.C. § 3729(a)(1)(G) (obligation to repay the government liability provision). And that only makes sense. The corporation, unlike outside investigators, auditors or prosecutors, does not have to deal with assertions of attorney-client or Fifth Amendment privilege. The corporation should be able to get to the facts quicker and faster than any outside investigation. After all, the employees owe a duty of cooperation to the corporation that employs them, and that employer holds the ultimate weapon: cooperate or lose your job. Very few employees—even senior management—can afford to not cooperate in an internal investigation.

For this reason, the regulatory and enforcement agencies want and need the corporation to do the first investigation, subject always to the government doing its own investigation. I know of no lawyers, inside or outside of the corporation, willing to risk their future or their license to practice law to cover up real corporate wrongdoing that comes to their attention and which they are asked to investigate and report to the company.

Question 2: Do corporate compliance programs create an environment where employees are led to believe that wrongdoing in the corporate environment is implausible because a compliance program exists?

Response: Absolutely not.

Let’s start with the training element of every compliance program. A good corporate compliance program begins with training. But not just training to “do the right thing.” Modern compliance programs gear their training to the areas where the employees are most likely to face compliance issues. Those in the finance and accounting department are trained on proper government cost accounting rules. Factory workers are trained on proper manufacturing techniques or compliance with government specifications. Marketing personnel are trained on the limits on discussing price or market share with competitors. Overseas personnel are trained on the proper limits on financial dealings with foreign government officials. The list goes on and on, but one thing is true for every area on the list: a modern compliance program directs its compliance training to the compliance risks it faces.

Do those employees and company officials occasionally violate those laws and regulations? Of course they do, because (as discussed above) they are human and they make mistakes. But the training is intended to eliminate one key employee response: that they did not know any better. Rather than convincing the employees that corporate wrongdoing is “implausible,” this compliance training educates the employees and management that such wrongdoing is distinctly possible, that there are severe repercussions—both institutionally and personally—for a compliance failure, and that there are proper ways to avoid such a failure.

Let’s turn to the second component of any modern compliance program, the reporting (hotline) and investigation/auditing aspect. Every employee knows how to report wrongdoing. In most corporations, the hotline posters are prominently displayed in employee areas and on the company’s website. Those employees also know about the internal auditors and how they can show up at any time. Moreover, almost everyone in every major government contractor, hospital system, or pharmaceutical company (as well as many other industries) knows that one of his or her fellow employees can file a qui tam action seeking up to 30% of any losses suffered by the government. 4See The False Claims Act, 31 U.S.C. § 3730(d)(2). And, the “whistleblower” programs at the Internal Revenue Service and the SEC are getting more and more exposure. 5See 26 I.R.C. § 7623 (West 2006); 17 C.F.R. §§ 240, 249. There is simply no way an employee or manager at a corporation could be misled and conclude that a compliance program makes corporate wrongdoing “impossible.”

Finally, there are the practical effects felt by those who do commit wrongdoing. Every effective corporate compliance program contains a strong element of discipline, up to and including dismissal, for anyone who violates the compliance program. Any corporation or institution that does not effectively discipline those responsible for corporate wrongdoing does not have an effective corporate compliance program. That said, such discipline must be dispensed with fairness and understanding. Many recent government initiatives are based on “new” government interpretations of applicable laws. 6See Caring Hearts Pers. Home Servs., Inc. v. Burwell, 824 F.3d 968, 976 (10th Cir. 2016) (“This case has taken us to a strange world where the government itself—the very ‘expert’ agency responsible for promulgating the ‘law’ no less—seems unable to keep pace with its own frenetic lawmaking. A world Madison worried about long ago, a world in which the laws are ‘so voluminous they cannot be read’ and constitutional norms of due process, fair notice, and even the separation of powers seem very much at stake.”). No employee or manager can be expected to see into the future and know how a new administration or a new attorney general will enforce the law.

Correcting and mitigating the harm done (and preventing violations from continuing) is a necessary final step in an effective compliance program. If the corporation does not act to correct the compliance violation, or if the response is inadequate, dire consequences—both financial and reputational—could—indeed, in this era, almost certainly will—follow. These consequences potentially include criminal charges, a civil False Claims Act lawsuit, a Sarbanes-Oxley enforcement action, a mandatory disclosure action, and suspension, debarment or exclusion from federal government programs. Executing a settlement agreement with the government has become more difficult now that DOJ attorneys are required to focus on individuals as well as corporations in investigating and resolving violations under a formal policy that incorporates the so-called Yates Memo. 7See Dep’t of Justice, U.S. Attorneys’ Manual 4-4.000 et seq., https://www.justice.gov/usam/usam-4-4000-commercial-litigation; Dep’t of Justice, U.S. Attorneys’ Manual 9-28.000 et seq., https://www.justice.gov/usam/usam-9-28000-principles-federal-prosecution-business-organizations; Memorandum from Deputy Att’y Gen. Sally Quillian Yates, Individual Accountability for Corporate Wrongdoing, at 1 (Sept. 9, 2015), https://www.justice.gov/dag/file/769036/download. Identifying compliance violations does little good if correction and restitution do not follow.

Question 3: From a practical viewpoint, what kind of corporate compliance programs work better than others?

Response: Depends—but it all begins at the top.

There is no one answer to this question, because corporate compliance programs do not fit neatly into “one size fits all” buckets. One would not design a compliance program for a financial institution the same way one would design a program for a manufacturing company or for a healthcare company. Each type of company, and each company within the same industry, may have different compliance programs and each may be successful in deterring (as much as possible) and responding appropriately (when deterrence does not work) to compliance failures.

In my experience, here are the key factors that make one company’s compliance program better than others:

1. Real leadership and support from the top of the organization. Nothing is more important.

2. Independence of the compliance officials. Those who are responsible for assuring and enforcing the compliance program—compliance officers, auditors, general counsel—must feel independent from the management they are investigating. That includes the ability and willingness to walk away if the corporation or institution will not do the right thing.

3. Prior wrongdoing. Ironically, some of the best corporate compliance programs are in companies that have had a “near death experience.” Nothing gets the attention of employees, senior management, the board, and the shareholders better than seeing their corporate name and reputation destroyed by a criminal plea or civil fraud settlement. Nothing gets their attention like the real threat of losing business because of suspension, debarment, or exclusion from government programs.

Corporate compliance programs are one of the true success stories of modern corporate governance. These programs, which in many ways are still in their infancy, play a necessary role in an increasingly highly-regulated business environment. These programs are the real front line in the enforcement of the laws and regulations governing American businesses and non-profit institutions.

Footnotes

John T. Boese is now Of Counsel in the DC Office of Fried Frank Harris Shriver & Jacobson, LLP, where he was a partner for over 30 years. Since leaving the Justice Department in 1977, Mr. Boese has represented defendants in civil and criminal fraud investigations and lawsuits in various industries, and in related suspension, debarment, and exclusion proceedings arising from those investigations and settlements. This has included developing corporate compliance programs and advising compliance officials, primarily in the defense and healthcare industries. He is the author of the treatise, Civil False Claims and Qui Tam Actions, initially published in 1993 and updated semi-annually by Wolters Kluwer Law & Business, and he teaches courses on the False Claims Act at various law schools. He is an Advisor to the American Law Institute’s current project entitled “Principles of Law, Compliance, Enforcement, and Risk Management for Corporations, Nonprofits, and Other Organizations.” The author is grateful to the Reporter and Associate Reporters of that project for their contributions on this subject.

1Since we are addressing chiefly institutional wrongdoing designed (at least in part) to benefit the corporation, and not individual wrongdoing without benefit to the corporation, I left out the other two deadly sins, gluttony and lust. I almost included lust, since sexual harassment remains a major source of individual wrongdoing in the workplace and a major source of institutional concern. See Lisa Rein, New Sexual-Misconduct Claims Hit Yosemite, Yellowstone in Widening Park Service Scandal, Wash. Post (Sept. 22, 2016), https://www.washingtonpost.com/news/powerpost/wp/2016/09/22/top-park-service-official-acknowledges-no-one-has-been-fired-for-sexual-misconduct/. Every complete corporate compliance program, however, must not only emphasize the impropriety of such conduct, but the need for a strong institutional response when such conduct is discovered. I know of no examples for gluttony, but I am sure there are some.

2See, e.g., In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996) (suit against Caremark’s board of directors for breach of fiduciary duty to Caremark in connection with alleged healthcare fraud violations); Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 745 (2002) (to protect investors by improving the accuracy and reliability of corporate disclosures pursuant to the securities laws); Patient Protection and Affordable Care Act (“ACA”), Pub. L. No. 111-148, 124 Stat. 119 (2010); Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, 124 Stat. 1376 (2010); Memorandum from Deputy Att’y Gen. Sally Quillian Yates, Individual Accountability for Corporate Wrongdoing U.S. Dep’t Just. (Sept. 9, 2015) (the “Yates Memo), https://www.justice.gov/dag/file/769036/download.

3See, e.g., Contractor Business Ethics Compliance Program and Disclosure Requirements, 48 C.F.R. §§ 2, 3, 9, 42, and 52 (FAR mandatory disclosure rule); Medicare Program: Reporting and Returning of Overpayments, 81 Fed. Reg. 7654–7684 (Feb. 12, 2016) (to be codified at 42 C.F.R. §§ 401, 405) (establishing rules for reporting and returning overpayments); False Claims Act (“FCA”), 31 U.S.C. § 3729(a)(1)(G) (obligation to repay the government liability provision).

4See The False Claims Act, 31 U.S.C. § 3730(d)(2).

5See 26 I.R.C. § 7623 (West 2006); 17 C.F.R. §§ 240, 249.

6See Caring Hearts Pers. Home Servs., Inc. v. Burwell, 824 F.3d 968, 976 (10th Cir. 2016) (“This case has taken us to a strange world where the government itself—the very ‘expert’ agency responsible for promulgating the ‘law’ no less—seems unable to keep pace with its own frenetic lawmaking. A world Madison worried about long ago, a world in which the laws are ‘so voluminous they cannot be read’ and constitutional norms of due process, fair notice, and even the separation of powers seem very much at stake.”).

7See Dep’t of Justice, U.S. Attorneys’ Manual 4-4.000 et seq., https://www.justice.gov/usam/usam-4-4000-commercial-litigation; Dep’t of Justice, U.S. Attorneys’ Manual 9-28.000 et seq., https://www.justice.gov/usam/usam-9-28000-principles-federal-prosecution-business-organizations; Memorandum from Deputy Att’y Gen. Sally Quillian Yates, Individual Accountability for Corporate Wrongdoing, at 1 (Sept. 9, 2015), https://www.justice.gov/dag/file/769036/download.