Note: Part 1 of this series, “Selecting a Corporate Monitor,” covered the selection process for monitors and independent consultants and the criteria US companies should use to help identify which monitor would most closely meet their needs.1 Part 2, “How to Drive Success Under a Monitorship,” investigated the monitoring process itself and how to ensure the best possible outcome.2
This article covers the steps companies can take to reduce the risk of a formal enforcement action, which may involve the requirement to use a monitor and/or independent consultant/auditor. In appropriately framing this subject, it assumes that a company’s regulator or an enforcement agency has found potentially illegal conduct or material breaks in its risk management or compliance framework (for example, consumer, anti-money laundering, economic sanctions). It assumes further that there is no dispute about the seriousness of these issues and that there is a high likelihood that unless the company takes serious and perhaps draconian steps, a formal enforcement action is likely that could lead to civil money penalties, the imposition of an independent monitor or worse.
In the current regulatory environment of the United States, the risk of enforcement actions for companies that fail to meet their compliance obligations is ever increasing. When regulators or enforcement agencies find material breaks in a compliance program, particularly involving customer harm, systemic risk or law violations, the federal government is prepared to take severe actions to address these lapses.
Further, a plethora of guidance provided by the U.S. Department of Justice (DOJ) and others serves as the basis for determining whether or not to go forward with prosecution.3 This guidance applies not only to which compliance processes were in effect at the time of the offense but also to the steps that the company has taken in the months after the offense was detected by, or revealed to, the government.
Provided below are steps to consider when facing a potential enforcement action.
Retain qualified counsel.
When confronted with a serious regulatory issue, the first step a company should take is to retain qualified, experienced counsel. Counsel will help the company avoid missteps as it resolves the regulatory challenges it faces. When interviewing counsel, ensure that the individuals who would lead the engagement have extensive experience with the company’s regulator(s), relevant law-enforcement agencies (if applicable) and the industry in which the company competes. Counsel should be experienced corporate litigators, largely because of any follow-on actions that shareholders or other stakeholders may bring. Knowledgeable counsel will help manage and balance claims of attorney-client privilege against the need for full transparency when dealing with regulators and other agencies. Counsel should be brought in early to help direct and manage the matter along with senior leaders of the company.
Immediately start the process of remediation.
Even before the wheels of potential enforcement start to turn, begin the remediation process. Getting a jump on remediation and other corrective actions can only redound to the organization’s benefit. Speed, yet absolute thoroughness, will be the coin of the realm. This should include developing a project plan for corrective action that includes a targeted end-state operating model. There is nothing more powerful than exhibiting that you know what needs to be done. The following steps set the stage:
Engage the board.
Engage and fully inform the board of directors. Have the board establish a compliance committee comprised of a majority of independent directors with relevant backgrounds to oversee the remediation work. Using independent directors will help demonstrate effective challenge (critical analysis by objective parties) to outside stakeholders as the committee reviews the status of remediation. This committee should meet regularly with those who are affecting the remediation and determining the root cause.
Establish a remediation team.
At senior management’s or the compliance committee’s direction, the company should establish a remediation team. Typically, the remediation team would come from internal personnel who have the necessary skills and expertise to fully address the issues at stake. The remediation team should be charged with the responsibility of addressing all of the issues identified by the regulator or enforcement agency. Members of the team must have the stature, knowledge, independence and authority to direct all actions within their scope and must be able to impose and oversee changes to the compliance program.
Specifically, the remediation team must have the authority to cut across all segments of the organization. Further, the team should have direct access to senior management and the compliance committee as it conducts its work. Having the remediation team report to the compliance committee regularly on the program’s status will ensure that the committee is fully engaged and knowledgeable of the issues at hand.
Providing sufficient resources and expertise, both internal and external, will ensure the credibility of the effort. For membership on the remediation team, consider selecting only those individuals who are truly independent of the issues at stake and avoid choosing those with whom there is risk of culpability. For larger, more complex remediations, consider separating teams into “fixing the company” and “running the company” teams. This may help minimize impacts on ongoing business while appropriate focus remains on remediation.
Establish the scope of work for the remediation team.
The remediation team should be charged with first identifying and fixing the problems noted by the regulator. Making sure that those issues are fully remediated is imperative, but there is more. It is also critical to look beyond those immediate issues and explore whether there are similar issues in other lines of business, products or areas of operation. Narrowly focusing on only the issues identified will not provide sufficient comfort to a regulator after it has identified serious issues of non-compliance. Understanding the reasons for the break—examining the whole compliance and risk-management program—may be necessary. Acting to address potential parallel weaknesses will strengthen the company’s position with its regulator.
Evaluate and adjust the company’s investment in compliance.
Many failures in corporate compliance are the result of inadequate investment. An essential step in the remediation program is to evaluate the overall strength of the program and the resources dedicated to it. Putting in place new or supplemental resources and personnel, controls, monitoring and policies that might have prevented the lapses or failures from ever occurring will help the company demonstrate its renewed commitments to prevention and cultivating a culture of compliance.4
Independently validate the remediation work.
It is not sufficient to simply remediate the issues identified. Independent validation of the work is required to ensure that it is complete, thorough and operating as designed.
There are two ways in which independent validation can occur. Validation by an internal audit may be appropriate if the internal audit organization is not in any way implicated by the failures identified by regulators and has the expertise and capability to validate the remediation. Often, however, an internal audit may find itself the subject of criticism by the regulator for its failure to identify the issues in the first instance. In those cases, the company will need to retain a qualified, independent consultant with expertise and credibility to validate the remediation. Further, as part of that engagement, consider having the independent consultant assess the strength of the organization’s overall compliance program. By doing this, the company will be positioned to provide assurances to all stakeholders that the issues have been fully addressed and the program, going forward, will operate to meet regulatory expectations.
Frequent and consistent contact with your regulator
Once the remediation process is organized and in flight, it is important to fully communicate with your regulator about the company’s actions. Providing a detailed plan—with a full explanation of governance, personnel and resources—will help demonstrate that the company takes these issues seriously and is undertaking appropriate actions. Not only should senior management engage with regulators, but the compliance committee should interact directly as well. The compliance committee should meet independently with regulators, taking the time to listen to their perspectives about the sources of the problem and areas of concern. If appropriate, set a cadence for future meetings and convey an “open door policy” whereby the committee is available to meet with regulators whenever needed.
Full transparency is also necessary. Consider sharing with regulators the regular committee reporting received from internal and external resources as well as other management information and reporting that discusses the steps being taken by the company to address the problems identified. Consistent and regular interaction will ensure that the regulator remains fully informed and that the committee and company fully understand and appreciate the regulator’s concerns.
Get to the root cause of the issue.
When addressing regulatory concerns, it is essential to dig into the root causes of the problems that arose and ensure that they are appropriately addressed.
Areas of inquiry should include:
- Were the issues that caused the regulatory problems due to shortcomings in culture, training, systems, technical expertise, organizational design, oversight effectiveness, adequacy of resources, incentive and compensation structures, role clarity and/or leadership? Is there appropriate commitment to compliance and regulatory expectations?
- Have the fixes put in place addressed not only the identified issues but also underlying root causes? Has the organization looked beyond the issues identified in defined areas and extended that inquiry across the organization? Does the organization now have a well-designed and effectively operating compliance program?
- Will the fixes that have been put in place be sustainable over a period of time? What evidence can be provided to support that conclusion?
Many of these questions are sensitive and may cut into the core of how a company is run and managed. Thinking through whether to use internal or external resources to conduct this work and whether it should be conducted under attorney-client privilege are issues that ought to be discussed with counsel before this essential inquiry is undertaken.
Recently, the Department of Justice and financial regulators have stressed the importance of holding individuals accountable for misconduct. This is not limited to individuals in risk or compliance organizations but also covers the first line of defense, such as business line leaders. Understanding fully what happened, finding the reasons for the lapses that occurred and identifying those individuals responsible are important steps in qualifying for any cooperation credit.5 In an October 2021 memorandum to the leadership of the Department of Justice, Deputy Attorney General Lisa O. Monaco stressed:
“One of the most effective ways to combat corporate misconduct is to hold accountable the individuals who perpetrated the wrongdoing. Such accountability is important for several reasons: It deters future illegal activity, it incentivizes changes in corporate behavior, it ensures that the proper parties are held responsible for their actions, and it promotes public confidence in our justice system and economy.”6
In her keynote address at the American Bar Association’s (ABA’s) 36th National Institute on White Collar Crime, Ms. Monaco noted, “Corporate culture matters. A corporate culture that fails to hold individuals accountable, or fails to invest in compliance—or, worse, that thumbs its nose at compliance—leads to bad results.”7
Taking these incremental steps will not guarantee that the government will not move forward with enforcement and the imposition of a monitor. But demonstrating a good-faith effort to improve and make right the company’s compliance program will go a long way toward achieving a more favorable outcome.
A great deal of guidance is available to companies, and it should be considered and adjusted depending on the particular circumstances and facts that are relevant to the company. In general, the approach should be very similar to what a company should do if it were under a monitorship. Although burdensome, it is certainly less burdensome than having an independent corporate monitor imposed on the company by the government.
References and additional notes
1 International Banker: “Selecting a Corporate Monitor,” John P. Carey, June 11, 2021.
2 International Banker: “How to Drive Success Under a Monitorship,” John P. Carey, September 8, 2021.
3 The U.S. Department of Justice Office of the Deputy Attorney General: Memorandum from Mark Filip, Deputy Attorney General, DOJ, to Heads of Department Components, United States Attorneys; subject: Principles of Federal Prosecution of Business Organizations, August 28, 2008. and The U.S. Department of Justice Criminal Division: “Evaluation of Corporate Compliance Programs,” June 2020. and United States Sentencing Commission: “Guidelines Manual 2021,” Charles R. Breyer, Patricia K. Cushwa and Jonathan J. Wroblewski, November 2021.
4 Although some of the previous Department of Justice guidance may now be superseded or replaced by subsequent guidance from the leadership in the Merrick B. Garland Justice Department, previous guidance, where not specifically overruled or changed, may still apply. For example, in a memorandum issued in October 2018 to all Criminal Division personnel, then-Assistant Attorney General Brian A. Benczkowski listed a number of factors to consider when determining whether a monitorship should be mandated, including whether the “misconduct occurred under different corporate leadership or within a compliance environment that no longer exists within a company”, “whether the changes in corporate culture and/or leadership are adequate to safeguard against a recurrence of misconduct” and “whether adequate remedial measures were taken to address problem behavior by employees, management, or third-party agents, including, where appropriate, the termination of business relationships and practices that contributed to the misconduct”. See: The U.S. Department of Justice Criminal Division: Memorandum from Brian A. Benczkowski, Assistant Attorney General, DOJ, to All Criminal Division Personnel; subject: Selection of Monitors in Criminal Division Matters, October 11, 2018.
5 The U.S. Department of Justice Office of the Deputy Attorney General: Memorandum from Lisa O. Monaco, Deputy Attorney General, DOJ, to Assistant Attorney General, Criminal Division, et al.; subject: Corporate Crime Advisory Group and Initial Revisions to Corporate Criminal Enforcement Policies, October 28, 2021. (“Monaco Memorandum”)
6 Ibid. at 3.
7 The U.S. Department of Justice: “Deputy Attorney General Lisa O. Monaco Gives Keynote Address at ABA’s [American Bar Association’s] 36th National Institute on White Collar,” October 28, 2021.