Article: "Corporate Compliance Programs: No Longer a Luxury"

Corporate Compliance Programs:
No Longer a Luxury*

By Bruce E. Yannett^**
Leigh R. Schachter

Many companies view having a formal compliance program as an expensive luxury that the company neither needs nor can afford. This is especially true for startup or smaller businesses that have limited resources and often feel that they can more efficiently prevent or control improper activities by their employees on an informal basis. Recent developments in a number of legal areas, however, highlight the importance of having and implementing a formal, written compliance program.

The primary purpose of a compliance program is, of course, to prevent the company from running into legal or regulatory trouble in the first place. The most effective compliance program is the one that instills in a company's employees a culture of respect for the law, ethical conduct and company policy and which ferrets out any wrongdoers before they can do serious harm to the company or its reputation. However, in the current legal environment, having an effective compliance program is perhaps even more important if the program turns out to have been unsuccessful at preventing some unlawful or inappropriate conduct, since it may provide one of the few tools to prevent the company and possibly its individual directors from being held civilly or even criminally liable for the acts of a rogue employee.

Corporate Criminal Liability And The
Federal Organizational Sentencing Guidelines

Corporations can generally be held criminally liable for any crimes committed by their employees -- even low-level and menial employees -- if the criminal acts are committed within the scope of their employment and the company knew or should have known of the criminal conduct or the employee who committed the crime intended, at least in part, that his or her criminal conduct benefit the corporation. Thus, company management need not encourage or even know about the criminal activity for the

corporation to be held criminally liable; indeed, companies can be held liable for criminal acts of their employees that are contrary to written company policies. For example, in one of the recent cases brought by Independent Counsel Donald Smaltz as part of his investigation of Secretary of Agriculture Mike Espy, the Sun Diamond Growers Cooperative was held criminally liable for a bribery scheme undertaken by one of its vice presidents even though the scheme was against company policy and the vice president hid the illegal conduct from other company officials. U.S. v. Sun Diamond Growers of CA, 964 F. Supp. 486, 490-91 (D.D.C. 1997).

The breadth of potential corporate criminal liability means as a practical matter that whenever an employee has committed a crime in the course of his or her employment, prosecutors will have a tremendous amount of discretion as to whether to charge the corporation itself with having committed a crime. The fact that the company in question had in place a compliance program to prevent criminal conduct by its employees will often provide a strong argument for a prosecutor not to bring charges against the corporation itself. Such a program can demonstrate to a prosecutor (in ways that an informal program may not be able to) the company's commitment to compliance and the aberrant nature of the employee's conduct. The existence of the program may also allow the company to discover the conduct more quickly and possibly self-report it to the government, which may weigh against the government’s bringing charges against the company. In several recent high profile cases in which the government decided not to bring criminal charges against companies under investigation, including Salomon Brothers, Prudential Securities and Aetna Capital Management, the government cited the companies’ extensive cooperation with the government’s investigation, institution of their own internal investigations and adoption of compliance changes as substantial factors in the decision not to prosecute.

Even if a corporation is ultimately held criminally liable for the action of an employee, the federal organizational sentencing guidelines provide another powerful impetus for corporations to self-police their activities by virtue of an effective compliance program. One of the few ways that a corporation that has been convicted of a crime can reduce the potentially huge fines prescribed by the guidelines is by showing that it had at least tried, by virtue of an effective compliance program, to prevent such criminal conduct.

The organizational sentencing guidelines calculate the fine that will be imposed on a corporation convicted of a crime through a complex analysis designed to evaluate and balance the severity of the crime, the pecuniary gain the corporation stood to make by the criminal conduct, and the relative culpability of the corporation. First, a "base fine" will be assigned based on the type of offense and pecuniary gain involved. This base fine will then be adjusted by use of a multiplier that will be determined by the company's "culpability score." The multiplier can result in an actual fine of anywhere from .05-.20 of the base fine (for a culpability score of 0) to 2-4 times the base fine (for a culpability score of 10 or higher). Given that base fines can range into the tens of millions of dollars, it is imperative for corporations to have as low a culpability score as possible.

The culpability score of a convicted corporation is determined by application of a number of possible aggravating or mitigating factors. Aggravating factors include the involvement of high level corporate personnel in the commission of the offense, tolerance of the offense by substantial authority personnel, previous misconduct by the corporation, violation of previous judicial orders and obstruction of justice. The two major possible mitigating factors for a corporation are 1) self-reporting, cooperating with authorities and acceptance of responsibility, and 2) having had in place an effective compliance program. Having had a compliance program will result in the subtraction of 3 points in the culpability score (as long as the company does not unreasonably delay reporting the offense to the government and the offense is not committed or tolerated by the compliance officer or other high level personnel). This can reduce the range of potential fines by as much as 80%. Furthermore, having in place a compliance program may also allow a company to obtain early knowledge of criminal activities by its employees which, even if it does not stop the crime before it occurs, may allow the company to self-report the activity to prosecutors and thus take advantage of the five-point culpability score reduction for self-reporting.

A company that has in place a compliance program may also be able to avoid the imposition of mandatory "corporate probation," which can involve intrusive monitoring and oversight of the company’s activities by the government. For example, the probationary sentence included as part of a recent plea agreement that Royal Caribbean entered into after being indicted for illegally discharging oil waste from some of its cruise ships required Royal Caribbean to adopt a strict, detailed Environmental Compliance Program under supervision of the court, to hire an outside consultant to monitor the waste stream from cruise ships, and to file quarterly reports with the Court and the government describing the status of the Program and the results of the audits. The guidelines provide that imposition of probation is mandatory if at the time of sentencing an organization with 50 or more employees does not have in place an effective compliance program. §8D1.1(a)(3).

Individual Director Liability

A recent decision of the Delaware Chancery Court raises the specter that directors of a corporation that does not have in place an effective compliance program can be held personally liable for the increased fine caused by the company’s failure to have a compliance program in place, and possibly for the full extent of the damage to the company caused by the criminal conduct that could have been prevented through a compliance program. In re Caremark Int'l Inc. Derivative Litig., 698 A.2d 959 (Del.Ch. 1996).

The Caremark case was a derivative action brought against the Board of Directors of Caremark International Corp. alleging that the directors breached their fiduciary duties by failing to monitor effectively the conduct of company employees who violated various state and federal laws regarding payments to health care providers, which ultimately led to the company pleading guilty to criminal charges and paying substantial civil and criminal fines. The Delaware Chancery Court's opinion involved the court's approval of a settlement of the derivative action; the Chancellor approved the settlement based upon his conclusion that there was a "very low probability" that the directors would have been personally liable for having breached any duty to monitor and supervise the company's activities. In support of this conclusion, the Chancellor cited, among other things, the compliance programs that the company had instituted prior to being indicted.

The significance of this case, though, lies more in the fact that the Chancellor concluded, contrary to what earlier Delaware cases seemed to imply, that a "director's obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and the failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards." Id. at 970. In reaching this conclusion, the Chancellor explicitly noted the powerful incentives that the sentencing guidelines provide "for corporations today to have in place compliance programs to detect violations of law." Id. at 969.

Corporate Civil Liability

Several recent decisions of the United States Supreme Court make clear that an effective compliance policy might also help a company avoid certain types of civil liability for the wayward actions of its employees — in these cases, for employment discrimination and sexual harassment by corporate managers. Kolstad v. American Dental Ass'n, 67 U.S.L.W. 4552 (June 22, 1999); Burlington Indus., Inc. v. Ellerth, 118 S. Ct. 2257 (1998); Faragher v. City of Boca Raton, 118 S. Ct. 2275 (1998).

In the Burlington Industries and Faragher cases, the Court held last year that a company generally will be vicariously liable for a supervisor's sexual harassment of a company employee, even if senior company officials did not condone or even know about the harassment and the harassment did not result in any tangible employment action against the employee (i.e., vicarious liability extends to so-called "hostile environment" and not just "quid pro quo" sexual harassment). However, the Court held that a company could assert an affirmative defense to such claims if (a) the "employer exercised reasonable care to prevent and correct promptly any sexually harassing behavior" and (b) the employee "unreasonably failed to take advantage of any preventive or corrective opportunities provided by the employer." Burlington Indus., 118 S. Ct. at 2570. The Court also noted that, although not conclusive, a company's having in place as part of a compliance program anti-harassment policies and an effective complaint procedure for reporting harassment which an employee fails to take advantage of will normally suffice to establish this affirmative defense.

In the Kolstad decision, handed down this past June, the Court held that an employer can be held liable for punitive damages based on acts of discrimination by its managerial employees that are undertaken with malice or reckless disregard of another employee's federal rights without any additional showing that the manager's conduct was particularly egregious. Thus, punitive damages will now be available in the great bulk of intentional discrimination cases, which almost by definition involve a disregard of an employee's right to be free of discrimination. The Court held, though, that an employer will not be liable for punitive damages where the manager's discriminatory conduct was "contrary to the employer's good faith efforts to comply with Title VII." A compliance program with an effective equal opportunity anti-harassment component should be strong evidence of such "good faith efforts."

What Should a Compliance Program Look Like?

There is, of course, no single right answer to the question of what constitutes an effective compliance program. Specific answers to questions such as — What topics should the program address? How formal should the program be? What mechanisms are needed to enforce the program? — will all depend on the size, type of business and history of the company. However, the Commentary to the federal Sentencing Guidelines, in describing what will be considered an effective compliance program entitling a company to a reduction in its culpability score, provides a good general outline of what a compliance program might look like. Although the Guidelines focus specifically on a program to prevent criminal activity, the same factors will often apply to developing a program to prevent improper non-criminal activities (e.g., sexual harassment).

The Commentary sets out three specific factors that should generally influence the type of compliance program a company needs to have:

(1) Size of the organization. The level of formality required in a compliance program will generally increase with the size of the company. While the Commentary only states that a "larger" organization should generally have written policies governing the standards and procedures to be followed by employees and agents, putting into place a written corporate Code of Conduct is a relatively simple step that almost any company should undertake.

(2) Nature of the business. The type of potential misconduct that a compliance program should address depends to a great extent on the nature of the company's business. Thus, a company that handles hazardous materials should have in place procedures to ensure compliance with environmental laws; a company with substantial government contracts should address issues of procurement law and the giving of illegal bribes or gratuities; a company that has a sales force which has the flexibility to make representations about a product to the public must take steps to prevent possible misrepresentations or fraud.

There are certain types of activities, though, that almost any company's compliance program should address, including: accurate accounting of transactions; safeguarding of company assets; improper payments, gifts or kickbacks; conflicts of interests; and, for public companies, insider trading. Additionally, all companies should address, either as part of their general compliance program or as part of a separate program, labor and human relations issues such as racial, religious or sexual discrimination or harassment, accommodations for individuals with disabilities, and labor-management issues.

(3) Prior history of the organization. A company's prior history of legal trouble indicates that the company must pay particular attention to preventing a recurrence of such activities. The Commentary notes that recurrence of such misconduct will "cast doubt" on whether the company took all reasonable steps to prevent such misconduct.

Within this framework, the Commentary to the Sentencing Guidelines lists a series of seven steps that, at a minimum, should be part of a company's due diligence efforts to establish an effective program to prevent improper conduct by its employees and agents:

(1) Have established compliance standards and procedures. As described above, these usually will be set out in a company's Code of Conduct.

(2) Assign a high-level executive to oversee the compliance program. For larger companies, this will usually entail the appointment of a Chief Compliance Officer who reports directly to the board of directors on compliance issues and, in companies with geographically dispersed and independent divisions, appointment of a compliance officer for each division who in turn reports to the Chief Compliance Officer.

(3) Use diligence to ensure that substantial discretionary authority is not delegated to individuals who have a propensity to engage in illegal conduct. This involves identifying those positions in the company where there is a potential for misuse of authority — e.g., those that involve substantial financial dealings with third parties (such as purchasing agents or sales representatives) — and putting into place procedures to ensure that appropriate background checks are conducted for those individuals.

(4) Take steps to communicate effectively the company's compliance standards and procedures to all employees and agents. This can be accomplished by disseminating the company's Code of Conduct to all current and future employees (and requiring them to sign an acknowledgment that they have read and will abide by it), sending out periodic reminders to employees about the importance of complying with the Code of Conduct and by conducting periodic training programs for employees on compliance issues. It is critical that employees recognize that the company's Code of Conduct is not simply a statement of lofty goals but rather that the company and its senior management are committed to ensuring that employees follow it in practice.

(5) Taking reasonable steps to ensure that compliance standards are being observed. Simply establishing a compliance program on paper is insufficient; the company must take steps to monitor and audit its operations to ensure that employees are actually complying with legal and company standards. The Guidelines Commentary also notes that a company should have in place a well-publicized reporting system whereby employees can report illegal or improper conduct without fear of retribution.

(6) Enforce compliance standards consistently through disciplinary measures, including the disciplining of those who fail to detect inappropriate conduct. Of course, the level of discipline to be applied in any given circumstance must be determined on a case-by-case basis. However, the company should attempt to ensure that similar offenses are punished similarly and that the level of discipline is sufficient to convey the seriousness with which the company views such conduct and to deter others from committing similar violations.

(7) Reassess the compliance program on a regular basis and modify the program as necessary. This reassessment might be effectuated by periodically submitting a questionnaire to some or all employees inquiring into their satisfaction with and recommendations for changes to the compliance program. Reassessment is particularly important where the program has been found to have failed to prevent violations.

It is also important that the company carefully document the compliance program it adopts and the steps that are taken to implement and enforce the program. This will ensure that the company will have clear evidence of the existence of, and its commitment to, the program, should this evidence become necessary in a civil or criminal proceeding.

Conclusions

Adopting an effective compliance program will often involve the expenditure of a significant amount of company resources, including both time and money. Given the potential liabilities that a company — and possibly its senior management and directors — face in the absence of such a program, however, companies simply cannot afford not to make this investment.

* Unpublished manuscript. Copyright 1999. Bruce E. Yannett and Leigh R. Schachter of Debevoise & Plimpton.

** Bruce E. Yannett is a partner and Leigh R. Schachter is an associate with the New York office of Debevoise & Plimpton. They practice in the areas of white collar criminal litigation and internal investigations.

This article appeared in Andrews Publications White Collar Crime Reporter,
October 1999, Volume 13, Number 9.

© 1999 Debevoise & Plimpton