A New Vision And Big Role For Chief Compliance Officers

Since taking office, Assistant Attorney General Kenneth Polite has had a focused message about corporate compliance: Chief Compliance Officers must be empowered with true independence, resources, and stature within a company to do what is required to create and maintain a culture of accountability.

COMPLIANCE IS THE RIGHT CHOICE FINANCIALLY

Few things draw attention better than a promise to increase the bottom line.

Speaking at a Compliance Week event on May 17, Polite remarked that compliance departments are too often "labeled as cost centers not contributing to the bottom line," and as such are frequently not given the tools and resources they need for the job. Polite believes that companies should turn this view on its head, because organizations that do not invest in compliance proactively face a significantly greater risk of prosecution, while companies that do "will be viewed in a better light by the Department of Justice and by [the] Criminal Division."

For example, a company's investments in compliance, under Polite's watch, will pay dividends by reducing the chances of a compliance monitorship being imposed. While monitorships are useful tools for the Department of Justice (DOJ) "to evaluate and test a company's compliance program and internal controls," monitorships are also restrictive and expensive - something few companies welcome.

CCOS SHOULD BE EMPOWERED TO EFFECT CULTURAL CHANGE

Polite has repeatedly sketched out the profile of his ideal CCO: impressive, informed, and empowered with resources and access to drive meaningful change within the company. How closely a company's CCO fits that profile will inform how the company itself will be viewed by Polite's Criminal Division.

Polite knows that the CCO is "called upon to be a resource for information, an enforcer of law and policy, and somehow the primary architect of [a] company's ethical culture." It is therefore Polite's "expectation," as he told the audience at an American Health Law Association conference in Baltimore, that CCOs have "a seat at the table," and "true independence, authority, and stature within their organizations."

Polite believes that prosecutions alone cannot ensure public safety or good corporate governance. Rather, Polite's "ultimate goal is to prevent corporate crime in the first instance," "both by holding individual wrongdoers accountable and by creating an enforcement regime that incentivizes responsible corporate citizenship." CCOs have a "powerful role" in crafting such a culture, and Polite would like to see them be empowered with the tools they need to effect such change.

CCOS SHOULD BE LEADING THE CHARGE IN DOJ PRESENTATIONS

Experienced CCOs who take a front-and-center role during presentations to DOJ, demonstrating knowledge and ownership of a company's compliance program, can play a pivotal role in influencing how Polite's Criminal Division will respond.

Speaking on this point at a Compliance Week event in May 2022, Polite discussed a specific example of a presentation by a company to prosecutors who were considering criminal charges against it. During the presentation, an investigator posed a question directly to the CCO, but general counsel answered instead. "That single act gave me all the information that I needed," Polite said, because it "demonstrated that - literally and figuratively - that chief compliance officer had no voice in that organization."

Instead, Polite wants to "see the Chief Compliance Officer leading the compliance presentation and demonstrating knowledge and ownership of the compliance program." Ideally, "[o]ther senior management should also participate, taking ownership of their role in the compliance program and demonstrating commitment to compliance." Companies that do so, Polite promised, can expect "significant credit" for building "strong controls to detect and prevent misconduct."

DATA COLLECTION IS KEY

Under Polite's watch, compliance programs also should be prepared to generate data to identify troubling markers of misconduct and to prove that companies are responding appropriately.

Since taking office, Polite has frequently mentioned that his tenure as a CCO taught him the important role that compliance programs play in preventing crime "in the first place." He has also complained that prosecutors' biggest challenge is trying to keep up with the ever-evolving schemes perpetrated by bad actors.

Tech- and data-driven investigative activity appears to be Polite's answer to effectively monitoring the modern industrial landscape.

Polite made clear at an American Health Law Association conference that corporate leaders should not only invest in sophisticated data analysis, but also be prepared to show how they use data analysis to improve and enhance compliance. Those comments came on the heels of similar remarks by HHS Inspector-General Christi Grimm, who warned that investigators increasingly use data to focus on outliers and trends that signal potential misconduct. Corporate leaders must therefore "make sure [to] have accurate and timely data" within their own compliance programs, so the government can "fight fire with fire."

Polite echoed Grimm's warning, emphasizing the "importance of data in the compliance function" and asserting that CCOs need data to identify problematic patterns within their own business and to demonstrate to prosecutors that the company appropriately responds to these patterns and other markers of misconduct.

POLITE WANTS TO HEAR ABOUT COMPLIANCE WINS

Who said the AAG's message is all doom and gloom? Polite also wants to learn about "compliance success stories," or how well the company's compliance program is doing overall. Aligning with his emphasis on data-driven compliance programs, Polite expects that companies using analytics to enhance compliance will be able to generate a track record of wins.

Polite's comments imply that "success stories" should come in three forms:

• He expects to see a proven history of transactions "that were rejected due to compliance risk."

• Compliance programs should generate evidence of "positive trends in [] whistleblower reporting," sweetened with "rewards for positive behavior."

• Polite wants to know about the "productive partnerships" that have developed "between compliance officers and [] business functions."

Polite sees a positive track record as "evidence that the compliance program is working in practice." And he wants to hear about it from companies themselves.

CCOS MAY BE REQUIRED TO CERTIFY COMPLIANCE PROGRAMS

As part of his push for increased CCO input, Polite has called attention to a new tool in DOJ's arsenal: requiring CCOs to certify their company's compliance program at the end of the term of an agreement.

This was first announced at ACAMS's 2022 Hollywood Conference in March, where Polite said that, for all "corporate resolutions, including guilty pleas, deferred prosecution agreements, and non-prosecution agreements," prosecutors would be instructed to "consider requiring both the Chief Executive Officer and the Chief Compliance Officer to certify at the end of the term of the agreement that the company's compliance program is reasonably designed and implemented to detect and prevent violations of the law (based on the nature of the legal violation that gave rise to the resolution, as relevant), and is functioning effectively."

Some cases may warrant "additional certification language." For companies that are required to provide annual self-reports on the state of their compliance programs, Polite has instructed his team to "consider requiring the CEO and the CCO to certify that all compliance reports submitted during the term of the resolution are true, accurate, and complete."

Polite has repeatedly framed this new policy as "empowering" and intended to ensure "that Chief Compliance Officers receive all relevant compliance-related information and can voice any concerns they may have prior to certification." It is not "intended to be punitive" to CCOs. As Polite noted, this should "guarantee a seat at the table that all compliance officers should have in an organization with a functioning compliance program."

CONCLUSION

The Assistant Attorney General's remarks since taking office paint a clear picture of what he expects to see: gone are the days when CCOs and compliance programs are overruled by business considerations. Instead, companies should empower CCOs, grant them resources and visibility to lead change, and recognize that putting an impressive, informed CCO in front of DOJ investigators will yield significant mileage. Companies that fail to do so can expect greater scrutiny from the Criminal Division and other possible repercussions.