We have always known that businesses must either operate within the confines of the law or risk prosecution by the government. In the early days, when there were relatively few rules that applied to business conduct, it was much easier to discern the scope of allowable behavior. However, several decades ago, this began to change. Now, the “rules of the game” are more numerous and significantly more complex. Consider the following:
On May 15, 2010, a North Carolina food distributor is approached by Ignacio Gutierrez of Mega Empacodora De Frutas S.A. de C.V., a fruit company based in Mexico. Distributor agrees to buy fruit from Gutierrez and Company. Distributor makes all necessary customs declarations and receives its first delivery on June 15, 2010.
Has Distributor violated the law? Yes.
Although Distributor made all required import declarations, this alone did not fulfill its obligations under U.S. law. Distributor was also required to query all parties to this transaction (including transporters and their vessels) against lists of debarred persons and entities maintained by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) – an office which primarily regulates exports. Had it done so, it would have discovered that six days before it received its first shipment, both Gutierrez and Company were listed as Specially Designated Narcotics Traffickers (SDNT) under the Drug Kingpin Act and barred from doing business with all U.S. persons.
Since 2000, OFAC has designated more than 700 individuals and corporate entities as SDNT (Source: http://treas.gov/press/releases/tg738.htm, 7/2/2010). Penalties for trading with such persons range from civil penalties to criminal fines up to $10 million. Corporate officers may also be sentenced to up to 30 years in prison and fined up to $5 million.
OFAC regulations and the Drug Kingpin Act are not unique. Most laws regulating corporate conduct include similar punishment provisions. However, the example underscores the ease with which a company can run afoul of the law – even when trying to do the right thing.
So, what does this mean for Distributor? Oddly, the answer may depend as much on what happened before the violation as anything else. More and more, both the decision to prosecute violations and the extent of sanctions imposed turn on the presence or absence (and quality) of Distributor’s corporate compliance and ethics program.
Origin of Corporate Compliance Programs
The concept of corporate compliance was first introduced in 1991, through the Federal Sentencing Guidelines for Organizational Defendants. Under the Guidelines, if an organizational defendant was found to have created and maintained an “effective” compliance program prior to the violation, it would earn credits that could, in effect, lessen the penalty assessed against it. For organizations that had taken no steps toward compliance, the opposite was true. Since then, the existence of an effective compliance program has become the touchstone in both the initial decision to prosecute and the extent of liability imposed on corporate officers and directors.
What is an “Effective” Compliance Program?
An “effective” compliance and ethics program requires more than just lip-service to the notion of compliance. An organization must “exercise due diligence to prevent and detect criminal conduct,” and “promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” On the other hand, both prosecutors and the courts realize that no plan – no matter how well designed – will be 100% effective. Therefore, as long as the program is designed, implemented, and enforced so as to be generally effective in preventing and deterring criminal conduct, the failure to detect or prevent any single instance of conduct will not render it ineffective.
Because risks differ among industries and companies, the specifics of each program will vary. However, to be generally effective under the Guidelines, the program must at a minimum require:
- The establishment of standards and procedures to prevent and detect criminal conduct;
- Programmatic oversight by the Board of Directors (or highest level governing body in the organization);
- Designation of one or more high-level employees to be responsible for day-to-day program operation;
- Allocation of sufficient resources to achieve the program’s objectives;
- Training of personnel, employees, and agents on their respective duties under the program;
- Reasonable steps to ensure program compliance/effectiveness;
- Consistent promotion and enforcement of the program throughout the organization;
- Appropriate responses to criminal conduct detected, to prevent future occurrences; and
- Periodic reassessment to identify and mitigate new risks of criminal conduct.
Notes on the Cost of Compliance
As with any new program, there will be costs associated with a compliance program. However, many companies are surprised to learn that much of the required infrastructure is already in place. Most are already engaged in some form of compliance; workplace safety and anti-discrimination/harassment are common examples. Many times, the mechanisms put in place to address these select risks can be modified for use in a broader compliance program.
Companies should also consider the cost of lost opportunity. Arguably, the most widely recognized of all compliance statutes is the Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, which requires publicly traded U.S. companies to develop compliance programs aimed at deterring and detecting financial fraud. While the Act itself only applies to publicly traded companies, it also extends liability for the conduct of companies with which they do business. As a result, there is a growing trend among companies subject to the Act to do business with only those companies that have an effective compliance program already in place.
One added bonus is that the same techniques utilized in an effective compliance program (help lines, investigations, and other internal controls) often lead to the prevention and detection of internal fraud, waste, and abuse. Since this can account for upwards of 6% of a company’s revenue, the savings realized by catching or deterring even some of this conduct can more than cover the cost of the entire program (Source: Frank & Newman-Limata, “A New Audience for COSO – SEC & PCAOB Requirements for Anti-Fraud Programs & Control,” Prevention of Corporate Liability Current Report 36, 32, BNA April 19, 2004).