International Regulatory Enforcement (PHIRE)
Proposed DOJ Certification Requirements Signal Increased Post-Resolution Compliance Program Scrutiny
Assistant U.S. Attorney General Kenneth A. Polite Jr., speaking at the recent NYU Law Program on Corporate Compliance and Enforcement, discussed the Department of Justice’s approach to reviewing corporate compliance programs and provided a preview of where the Department may be headed with new post-resolution certification requirements.
Polite explained how DOJ’s analysis of a company’s compliance program is grounded in the Department’s Evaluation of Corporate Compliance Programs guidance and its three key questions, asking whether the program (1) is well designed, (2) is adequately resourced and empowered to function effectively, and (3) works in practice. For companies under investigation and making compliance presentations to DOJ, Polite stressed that “it is important to demonstrate how a compliance program has been upgraded to address the root cause of the misconduct, and how it is being tested and updated to ensure that it is sustainable and adaptable to changing risk.” These presentations should come from the company’s Chief Compliance Officer and other senior management, as opposed to outside counsel, to demonstrate the company’s ownership of the compliance program and commitment to compliance.
Reiterating Deputy Attorney General Lisa Monaco’s pronouncement from last October, Polite stated that the Department will impose “independent corporate monitors whenever it is appropriate in order to satisfy [DOJ] prosecutors that a company is living up to its compliance and disclosure obligations under a non-trial resolution.” To help select these monitors and manage post-resolution compliance obligations, DOJ has “prioritized building a wealth of compliance expertise among [its] prosecutors and dedicating resources,” including in the Fraud Section’s revamped Corporate Enforcement, Compliance, and Policy (CECP) Unit. DOJ plans to add further capabilities to the CECP Unit in the future.
Polite also referenced another policy addressed by Monaco and the subject of our recent PHIRE Blog post—that DOJ is “holding companies accountable for failing to comply with their obligations under [DOJ’s] corporate resolutions—including obligations to implement an effective compliance program, cooperate, or report allegations of misconduct.” Consequences can and have included extensions of settlement agreements and self-reporting obligations, extensions of monitorships, and corporate guilty pleas for subsequent misconduct.
Polite then described two potential developments, meant to ensure Chief Compliance Officers and their functions have “true independence, authority, and stature within the company.”
- First, Polite has asked his team to consider “requiring both the Chief Executive Officer and the Chief Compliance Officer to certify at the end of the term of the agreement that the company’s compliance program is reasonably designed and implemented to detect and prevent violations of the law (based on the nature of the legal violation that gave rise to the resolution, as relevant), and is functioning effectively.”
- Second, for companies with self-reporting obligations, DOJ is also considering requiring the CEO and CCO “to certify that all compliance reports submitted during the term of the resolution are true, accurate, and complete.”
If implemented, these two new certifications presumably would be added to existing certification requirements commonly included by DOJ in FCPA settlement agreements:
- First, the company’s CEO and CFO must typically certify, under penalty of perjury, that the company has complied with its disclosure obligations under the settlement. These obligations usually include a requirement to disclose to DOJ during the term of the settlement all evidence or allegations of violations of the FCPA (and other laws that were the subject of the misconduct).
- Second, in “hybrid” monitorships (i.e., where a company is required to retain an independent monitor for a specific period followed by a period of self-reporting), the company is typically required to certify at the end of the independent monitorship that it has adopted and implemented all of the monitor’s recommendations. Settlement documents typically do not specify who within the company must make this certification.
- Separately, to complete an independent monitorship, the monitor must certify that the company’s compliance program is reasonably designed to detect and prevent violations of the anti-corruption laws.
Looking back at Polite’s announcements, the first new certification, regarding the design and implementation of the compliance program, mirrors the certification made by independent compliance monitors described above. A monitor’s certification follows two to three years of intense review and testing, and in such cases, monitor sign-off would likely provide assurances to the CEO and CCO signing their individual certifications. However, for companies with only self-reporting obligations, CEOs and CCOs may find it necessary to seek other assurances, such as formalized KPIs and additional internal testing, prior to self-certification.
The second new certification, regarding the accuracy of submitted reports, has parallels to the existing disclosure-obligation certification, as it relates to the completeness and truthfulness of information provided to DOJ. Though Polite did not specify, it is possible that this certification could similarly be made under penalty of perjury, creating potential personal liability for CEOs and CCOs.
Polite explained that these announcements are not punitive in nature, but are “intended to empower our compliance professionals to have the data, access, and voice within the organization to ensure you, and [DOJ], that your company has an ethical and compliance focused environment.” Polite’s messaging was clear, however, on the consequences of failing to do so: “[C]ompanies that make a serious investment in improving their compliance programs and internal controls will be viewed in a better light by the Department. Support your compliance team now or pay later.”