The combination of intense economic pressure on employees across many industry sectors and the adjustment to a new remote work environment amid the COVID-19 pandemic has created an unprecedented opportunity for insiders to exploit new or lightly tested compliance processes. Employee training programs, internal investigations and risk management meetings that were largely in-person are now remote. Amid the hardship and disruption of the pandemic, some insiders may feel more empowered to commit fraud, feeling—rightly or wrongly—that no one is watching.
As the pandemic and remote working arrangements continue, compliance professionals must revisit two fundamental questions: 1) Has the compliance program done enough to prevent, detect and remediate intentional misconduct given the changed landscape? and 2) Are the compliance program’s protocols, goals and initiatives aligned with the expectations of regulators to ensure liability is not imputed to the company for its failure to prevent, detect and remediate fraudulent conduct by employees and vendors?
Regulatory Expectations in the COVID-19 Era
A reasonable first step to address these challenges is to take advantage of the Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP), which was revised on June 1, 2020. Companies responding to government investigations or developing or improving their compliance programs may find the ECCP especially useful. The 2017 edition covered 11 different topics and provided 119 questions for compliance departments to consider. Although largely consistent with the 2017 and 2019 editions, the revised 2020 ECCP provides new guidance on what is expected from compliance programs in the COVID-19 era and beyond. Key points from the update include:
- Compliance programs should be designed to be fluid. Specifically, prosecutors considering a compliance program’s adequacy should assess whether it relies on a static snapshot of one point in time or on periodic risk assessments based on current trending data, and whether those assessments have led to updated policies, procedures or controls. Importantly, in the event of a criminal offense, prosecutors are asked to evaluate a company’s compliance program both at the time of the offense and at the time of the charging decision and resolution.
- Those working in the compliance department should have sufficient access to relevant sources of data “to allow for timely and effective monitoring and/or testing of policies, controls and transactions.” In other words, the compliance function should be structured to allow a company to evaluate its own program in real time so that it can leverage its own data.
- The update emphasizes a compliance program’s efficacy and accessibility. Prosecutors are asked to consider whether the company’s compliance training is working, meaning that employees are given the right training and resources to identify, evaluate and report problems or potential problems through the appropriate higher channels within the organization. Similarly, training materials and compliance resources should be internally publicized and easily accessible for employees. For example, the guidance asks whether employees are aware of and comfortable using the company’s own hotline to report malfeasance or misconduct.
- Prosecutors should evaluate not only whether a compliance program’s implementation is effective, but whether it is “adequately resourced” to function effectively. While not contrary to previous guidance, this is a slightly new gloss. Specifically, the 2020 ECCP asks prosecutors to consider a company’s investment in training and development of the compliance function.
- Prosecutors are encouraged to consider the rationale behind the formation and evolution of a company’s compliance choices. Do they seem sensible and designed to prevent, detect and remediate misconduct? Factors such as size, industry, geographic footprint and regulatory environment may all be considered.
Identifying and Plugging Compliance Gaps
Other insight into current compliance expectations can be gleaned from the Virtual Town Hall held on May 20 by the Department of Justice, Securities and Exchange Commission, and Federal Bureau of Investigation. While acknowledging constraints on revenue and resources, DOJ clearly expressed the continued expectation that companies have the right controls in place to prevent, detect and remediate problems, and that companies are testing those controls. This also includes ensuring adequate training and policies are in place. Simply put, while the COVID-19 pandemic might partially explain why or how an offense occurred, it will not serve as a persuasive defense that precludes corporate liability for a compliance gap.
The question then becomes what companies can do now to align their compliance programs with regulator expectations and to obtain the best possible outcome from those regulators if or when misconduct occurs. Regulators do not expect a compliance program to stop all wrongdoing, but they do want to see tangible efforts and real-time assessments and improvements designed to prevent, detect and remediate fraud and other misconduct.
Targeting certain areas of prevention might include identifying the seniority or experience level of internal accounting personnel, whether external auditors have been changed frequently or recently, or whether there is an important revenue stream that is highly dependent on foreign government approval.
Consistent with the new ECCP guidance, companies can reevaluate past and current policies. For example, they can reexamine current codes of conduct and employee and vendor feedback to evaluate whether to update other policies. In a remote work environment, companies might reconsider whether their information security policies adequately cover issues like employees accessing company servers from home networks, or whether their Bring Your Own Device policy effectively communicates that employee cell phones may be examined during internal investigations.
Useful data for updating a current compliance program can also be found in employee surveys, exit interviews, audit reports, prior internal investigation reports, helpline reporting trends, or any other accessible incident response data. From this data, compliance professionals can identify gaps and figure out reasonably practicable corrections.
Executive leadership can consider semi-regular virtual meetings with personnel from the audit function and/or human resources to address antifraud controls and employee questions or reports.
Compliance Lessons from the Pandemic
Because every compliance program must be uniquely tailored to the individual company that it serves, there is no uniform approach or set of practices for assessing that program’s efficacy in guarding against inside and outside threats, or its alignment with regulator expectations. Companies should consider the following factors to determine if their compliance program is aligned with regulator expectations:
- Even in the current COVID-19 environment, companies are still expected to closely monitor, adapt and test their own compliance programs.
- Regulators will likely look at whether a company is effectively using its internal data to evaluate and improve preexisting compliance programs, policies and training.
- Investment in the compliance function will be assessed as part of a company’s commitment to prevent, detect and remediate fraudulent conduct.
- The efficacy of a company’s compliance program will be scrutinized with particular regard to whether employees are given the right training and resources to identify, evaluate and escalate problems within the organization.
- Regulators will also likely consider a program’s efficacy by examining the factors that went into how the company designed the compliance program to prevent, detect and remediate misconduct.