Lawyer Article

Published in the November 30, 2004 issue of Southeast Tech Wire.

Section 805 of the Sarbanes-Oxley Act of 2002 directs the United States Sentencing Commission (the “Sentencing Commission”) to review and amend the United States Sentencing Guidelines (the “Guidelines”) to ensure that they are sufficient to deter and punish criminal misconduct in organizations. As a result of this mandate, in April 2004 the Sentencing Commission proposed an amendment to the Guidelines to provide greater guidance to organizations and the courts regarding the criteria for an effective compliance program (the “Amendment”).¹ The Amendment, which became effective earlier this month, (1) imposes on a company’s board of directors and management the responsibility to oversee compliance programs and (2) heightens the standards for such programs. As a result, corporations and other organizations that have not already done so should review and revise their compliance programs to ensure that they comply with the terms contained in the Amendment.

Background

Organizations, like individuals, can be found guilty of criminal conduct whenever an employee or agent of the organization commits an illegal act within the apparent scope of his or her employment. Organizations are liable even if the employee acts directly contrary to company policies and instructions. The Guidelines, established by the Sentencing Commission in 1991, provide criteria for determining the punishment for an organization convicted of a criminal violation,² including factors that will increase or mitigate the punishment. The Guidelines apply to both public and private organizations. Any type of entity can be considered an organization under the Guidelines, including corporations, partnerships, limited liability companies, labor unions, pension funds, trusts and nonprofit entities.

One of the two mitigating factors for an organization’s punishment under the Guidelines is the existence of an effective compliance and ethics program.³⁴ (In addition, the existence of an effective compliance program may be a factor considered by the SEC or other regulators when determining whether to charge an organization for misconduct.) The Amendment is designed to heighten the standards for such programs and place greater responsibility for the oversight and management of the programs on boards of directors and executive officers. Depending on the circumstances, an effective compliance program can reduce the fine range for a criminal violation by up to 95 percent.

It should be noted that the United States Supreme Court is currently considering challenges to the constitutionality of the Guidelines. However, regardless of the Supreme Court’s ruling, the Guidelines are relevant because they are likely to become “best practices” and could be relied upon in contexts outside of the sentencing process.

Requirements of an Effective Compliance Program

As amended, the Guidelines provide that in order to have an effective compliance and ethics program, an organization must exercise due diligence to prevent and detect criminal conduct and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law. At a minimum, the program must demonstrate the following components:

• Standards and Controls. The organization must adopt standards of conduct and internal control systems that are reasonably capable of reducing the likelihood of violations of the law.
• Responsibility and Oversight. The organization’s board of directors (or other governing authority if the organization is not a corporation) must be knowledgeable about the content and operation of the compliance program and must exercise reasonable oversight with respect to the implementation and effectiveness of the compliance program. Senior management of the organization must ensure the effectiveness of the program, and a member or members of senior management must have overall responsibility for the program. Specific individuals within the organization must be delegated day-to-day operational responsibility for the program and must report to senior management and, at least annually, to the board of directors or a committee thereof. The organization must provide the compliance personnel with adequate resources, appropriate authority and direct access to the board of directors or board committee.
• Selection of Personnel. The organization must use reasonable efforts to exclude from its “substantial authority personnel”⁵ any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with a compliance program.
• Training. The organization must periodically communicate, through training programs and other dissemination of information, its standards and procedures and other aspects of its compliance and ethics program to its board of directors, senior management, substantial authority personnel, employees and, as appropriate, agents.
• Ongoing Monitoring and Evaluation. The organization must use monitoring and auditing systems to ensure that the compliance program is followed and periodically evaluate the effectiveness of the compliance program. In addition, the organization must implement and publicize a system whereby employees and agents may report or seek guidance regarding potential or actual violations without fear of retaliation, and such system may provide for anonymous or confidential reports.⁶
• Incentives and Disciplinary Measures. The compliance program must be promoted and enforced through appropriate incentives for individuals to perform in accordance with the program, as well as disciplinary measures for engaging in criminal conduct or failure to take reasonable steps to prevent or detect criminal conduct.
• Response and Prevention. If criminal conduct is detected, the organization must take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar conduct.

Small organizations are required to demonstrate the same degree of commitment to compliance with the law as larger organizations. The Guidelines, however, recognize that smaller organizations may be able to establish an effective compliance program through more informal procedures.

Practice Pointers

The following are some of the steps your organization may wish to take in order to comply with the revised Guidelines:

• Conduct a top-down review of your compliance program to ensure it will be considered “effective” under the Guidelines.
• Make an organizational commitment to embrace the Guidelines and adopt their goals.
• Ensure management is knowledgeable about the compliance program and can contribute meaningfully to its success. Confirm that a high-level member of management is assigned the ultimate responsibility for the program and that those with day-to-day responsibility report periodically to management and the board (or a board committee).
• Educate your board of directors regarding its oversight role in the compliance program, including the obligation that it periodically review reports submitted by those with operational responsibility for the program.
• Implement a new compliance program if your organization does not currently have one in place or if the current compliance program is inadequate, and take steps to ensure that the effectiveness of the program is regularly evaluated.

Conclusion

The Guidelines serve as a reminder that an effective compliance program is an integral part of an organization’s risk management strategy and its business. Organizations should remember that the purpose of the Guidelines’ definition of an effective compliance program is to determine if the punishment of an organization convicted of a federal crime should be mitigated. The Guidelines, therefore, are just one of the resources an organization should use to develop and evaluate its compliance program. In conducting any review of an organization’s compliance program, organizations should also consider the compliance procedures used by other governmental and self-regulating organizations.

An effective compliance program can do more than reduce the potential punishment an organization may receive if an employee violates the law. It can help an organization avoid violations of the law altogether. The Amendment provides an organization a useful and timely opportunity to evaluate and renew its commitment to having an effective compliance program.

Notes

¹The Guidelines are available at http://www.ussc.gov/2002guid/tabconchapt8.htm, and the Amendment is available at http://www.ussc.gov/2004guid/RFMay04.pdf (at pages 109 - 128). The Amendment became effective November 1, 2004.
²While the guidelines derive their authority from federal criminal law, an effective compliance program will not only prevent an detect criminal conduct but also facilitate compliance with all applicable laws.
³The second mitigating factor is the combination of the organization’s efforts in self-reporting, cooperating with the authorities or accepting responsibility.
⁴See “An Overview of the United States Sentencing Commission and the Federal Sentencing Guidelines” available at http://www.ussc.gov/.
⁵The Guidelines define “substantial authority personnel” as individuals who exercise a substantial measure of discretion in acting on behalf of the organization, such as individuals authorized to negotiate and set price levels and individuals authorized to negotiate and approve significant contracts.
⁶Note that the Sarbanes-Oxley Act also contains provisions regarding anonymous reporting and protection for whistleblowers.