Compliance Alert: US Official Delineates Features of Robust Compliance Programs and Asserts Limitations of Data Privacy Laws
Assistant Attorney General for the Criminal Division Leslie R. Caldwell articulated the “hallmarks” of effective compliance programs in a speech on May 19 that also underscored the value of corporate cooperation with government investigations and the limits of data privacy laws. Caldwell, who heads the USDOJ Criminal Division, spoke at the Compliance Week Conference in Washington, DC. She emphasized that:
- Senior corporate executives must provide strong, explicit, visible support for their compliance programs, take responsibility for implementation and oversight, and be able to report directly to independent bodies such as the board of directors.
- Compliance programs must be conveyed proactively to employees through in-person meetings, emails, and telephone calls rather than just through the distribution of a corporate policy.
- Compliance teams should have adequate funding, resources and institutional stature, and should have an effective process for investigating and documenting alleged violations. Internal investigations should uncover facts, preserve relevant documents, and identify responsible individuals, not whitewash the truth.
- Companies should revise their compliance policies periodically to reflect evolving risks and circumstances, and in particular when they engage in a merger or acquisition involving both a US-based company and a foreign entity.
- Compliance programs should have effective systems for confidential, internal reporting of compliance violations.
- Companies should enforce their compliance policies through employee incentives and disciplinary actions.
Caldwell argued that these features help ensure that compliance programs do not just look good on paper, but “actually work.” She added that in order to prevent future scandals rather than just guard against repetition of past misconduct, a company should design its compliance program around risks in unregulated lines of business, not just risks in areas already subject to regulation. “Too often we have heard companies say that a particular course of criminal conduct took them by surprise, when a hard look at the business practices would have identified the risk,” Caldwell said.
Caldwell also said that if a company does uncover wrongdoing, it can receive significant credit when facing prosecution if it chooses to report the wrongdoing to authorities and cooperate with a government investigation, particularly at the early stages. To receive cooperation credit, a company must do more than comply with compulsory process, such as subpoenas. Caldwell emphasized that a company must provide a full accounting of known facts, identify responsible individuals, and provide evidence of its culpability in a timely manner. Cooperation includes helping to circumvent investigative barriers when documents and witnesses are located abroad.
Caldwell said, “we recognize that some foreign data privacy laws may limit or prohibit the disclosure of certain types of data or information. Over the years, the Criminal Division has developed an understanding of certain oft-cited data privacy laws, and we will challenge what we perceive to be unfounded reliance on these laws to justify withholding requested information.” She warned that companies should not claim that large categories of information are protected from disclosure by data privacy laws. Rather, they should carefully consider the government’s request for information and produce what can be disclosed.