In the ever-evolving landscape of compliance, the U.S. Department of Justice (DOJ) has intensified its scrutiny of corporate and executive liability, underscoring the critical role of effective compliance programs in preventing, detecting, and remediating misconduct. Lisa Monaco, the deputy attorney general, and other senior DOJ officials have emphasized the significance of robust compliance measures in mitigating legal risks and fostering ethical business practices.
Monaco, acknowledging DOJ’s commitment to accountability, stated, “With a combination of carrots and sticks—with a mix of incentives and deterrence—we’re giving general counsels and chief compliance officers the tools they need to make a business case for responsible corporate behavior.”[1] She elaborated that “companies should feel empowered to do the right thing—to invest in compliance and culture, and to step up and own up when misconduct occurs.” Kenneth Polite, former assistant attorney general for the Criminal Division, echoed this sentiment: “We closely evaluate corporate compliance programs during our corporate investigations and after our corporate resolutions, and give significant credit to companies that build strong controls to detect and prevent misconduct.”[2]
This article delves into the latest guidance—updated in March 2023—provided in the DOJ Criminal Division’s Evaluation of Corporate Compliance Programs, offering valuable insights for compliance employees at colleges and universities.[3] Although the guidance comes from DOJ’s Criminal Division, it is equally relevant to civil matters; compliance programs aligned with these guidelines will be recognized as the gold standard by many federal regulators in addition to DOJ.
Overview of DOJ’s Evaluation of Corporate Compliance Program
The updated guidance from DOJ builds on prior updates to the original guidance released in 2017. It provides a comprehensive framework for evaluating the effectiveness of corporate compliance programs. It emphasizes the need for a proactive approach, stressing that compliance should not be a mere check-the-box exercise but an integral part of an organization’s DNA while recognizing that a one-size compliance program does not fit all. This section outlines key considerations that DOJ evaluates when assessing the adequacy of a company’s compliance program.
DOJ’s guidance is structured around three “fundamental questions” a regulator should ask when evaluating a corporate compliance program:
-
Is the corporation’s compliance program well-designed?
-
Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
-
Does the corporation’s compliance program work in practice?
Monaco explained in a September 2022 DOJ memo that these factors should be assessed at two points in time: (1) the time the conduct occurred and (2) the time that DOJ (or another regulator) is evaluating the compliance program.[4] This means it is never too late to improve and adjust your compliance program. DOJ is likely to look more favorably upon an organization—including a college or university—that took immediate steps to remedy any identified gaps in its compliance program once misconduct was detected.
Is the corporation’s compliance program well-designed?
In the first core component, DOJ focuses on the design of the corporate compliance program. According to the guidance, a well-designed compliance program should be comprehensive and tailored to the specific risks and characteristics of the organization. The following are some key considerations.
Risk assessment
DOJ emphasizes the importance of a robust and dynamic risk assessment process. It encourages organizations to reassess risks periodically to ensure that the compliance program effectively addresses evolving challenges. It encourages organizations to tailor their risk assessments to their specific industry, size, and operations. Colleges and universities must be vigilant in identifying potential risks related to admissions, research, financial aid, and other areas unique to the academic environment.
Policies and procedures
The guidance underscores the need for clear and accessible policies and procedures. A well-designed program should provide guidance on a wide range of compliance-related matters, ensuring that employees are aware of the rules governing their conduct. For colleges and universities, this involves clear guidelines on academic integrity, research ethics, financial management, and other areas relevant to the institution’s mission.
Training and communication
Effective communication and training are crucial components of a well-designed compliance program. Organizations should implement regular training sessions tailored to the needs of different employee groups, promoting awareness and understanding of compliance expectations. Colleges and universities should ensure that faculty, staff, and students receive regular training on compliance matters, promoting a culture of awareness and responsibility.
Confidential reporting structure and investigation process
Another hallmark of a well-designed compliance program is a sound mechanism for employees to confidentially report misconduct allegations without fear of retaliation. The institution’s complaint-handling process must be proactive and must promote a workplace atmosphere that encourages employees to report misconduct or concerns of unethical behavior. The investigation of these complaints should be timely and thorough and include appropriate remediation and discipline where appropriate.
Third-party management
DOJ highlights the significance of effectively managing relationships with third parties. This includes partnerships with vendors, research collaborators, and contractors for colleges and universities. Implementing due diligence and monitoring mechanisms for third parties is crucial.
Mergers and acquisitions
DOJ’s guidance does not discourage mergers or acquisitions but stresses the value of robust due diligence in the process. That diligence should include both pre- and post-acquisition diligence to reduce the risk that may be associated with the institution that is being merged or acquired. Under DOJ’s newly announced “safe harbor” policy, an organization that discloses misconduct detected through the due diligence process within six months of closing the acquisition will presumptively not be prosecuted for that misconduct if they remediate the problem within a year, disgorge any ill-gotten gains, and implement an appropriate compliance program going forward. For colleges and universities, this guidance is particularly important in the current environment of increasing merger activity among universities struggling financially.
Is the program being applied earnestly and in good faith?
This component considers the implementation of the compliance program. DOJ emphasizes that having a well-designed program is not sufficient; it must also be applied earnestly and in good faith throughout the organization. The following are some key considerations.
Commitment from senior leadership and middle management
The guidance highlights the importance of a strong commitment from senior leadership. Senior leaders should actively support and participate in the compliance program, fostering a culture where compliance is viewed as integral to the organization’s success. Effective implementation of a strong compliance program also requires middle management’s involvement and commitment, ensuring that compliance policies are integrated into daily operations. As Monaco put it in her September 2022 memo, there should be a “commitment to fostering a strong culture of compliance at all levels of the corporation—not just within [the organization’s] compliance department.”
Autonomy and resources
An effective compliance program must have the autonomy and resources it needs to accomplish its compliance objectives. Compliance officers must have the authority and position within the institution to implement the compliance program. DOJ looks to see if the compliance officers have: (1) sufficient seniority within the organization, (2) sufficient resources and staff to effectively undertake auditing and analysis, and (3) sufficient autonomy from management— such as direct access to the board of directors or the board’s audit committee. For colleges and universities with varying structures and decentralized models or highly complex reporting structures, satisfying these objectives can be particularly tricky. In addition, shrinking student enrollments and state support have made resource allocation more difficult.
Notably, DOJ recently made headlines when the Criminal Division indicated it would ask chief compliance officers to certify that their organization’s compliance program meets certain fundamental requirements and is “reasonably designed” to detect and prevent legal violations. This caused some consternation in the compliance community, which DOJ attempted to ease by emphasizing that its goal was to empower compliance professionals, not hold them individually responsible for their organization’s failures. To date, this requirement has only appeared in certain DOJ resolutions as a condition of a deferred or non-prosecution agreement with the company. When such an agreement is in effect, a chief compliance officer leading an institution should be aware of their obligations regarding these certifications.
Compensation structures and consequence management
An effective compliance program should include a compensation structure that incentivizes compliance and disincentivizes noncompliance. This creates a balanced approach, rewarding adherence to ethical standards and addressing instances of misconduct. The company should have policies that provide clear consequences for misconduct and procedures to identify, investigate, discipline, and remediate misconduct or violations of the company’s policies, as well as clear rewards or incentives for compliant conduct. Colleges and universities should clearly communicate that unethical conduct will not be tolerated and that swift consequences, regardless of the position or title, will result if misconduct occurs. As Polite noted, DOJ is “going to be closely examining how companies discipline bad actors and reward the good ones.”[5] This means that DOJ expects organizations to “claw back” compensation from the bad actors, where possible, as well as implement deferred compensation models that allow the organizations to evaluate whether compliance goals have been achieved before compensation is paid.
Does the corporation’s compliance program work in practice?
The third core component shifts the focus to the practical effectiveness of the compliance program. It assesses whether the program is achieving its intended outcomes and preventing misconduct. Key considerations under this component are as follows.
Continuous improvement, periodic testing, and review
The guidance encourages organizations to conduct regular tests and reviews of their compliance programs. This involves using data analytics, periodic audits, and other monitoring mechanisms to evaluate the program’s effectiveness in identifying and addressing potential issues. An effective compliance program should evolve based on lessons learned from investigations and external developments. Colleges and universities should regularly review and update their compliance programs to address emerging risks and the ever-changing regulatory landscape.
Investigations of misconduct
A robust compliance program should include a well-defined process for conducting investigations into alleged misconduct. DOJ emphasizes the significance of thorough and timely investigations, allowing organizations to learn from incidents and enhance their compliance measures. That requires a robust reporting mechanism in addition to a prompt and thorough investigative process. Educational institutions should establish clear channels for reporting misconduct and ensure that investigations are conducted impartially and transparently.
Analysis and remediation of any underlying misconduct
Following the identification of misconduct, the compliance program should conduct a thoughtful root cause analysis of misconduct and implement timely and appropriate remedial actions to address the root causes. For colleges and universities, those remedial actions may include revisions to current policies or increased auditing and monitoring of high-risk areas, such as the administration of Title IV and investigation of Title IX complaints.
Applying DOJ’s corporate compliance guidance to colleges and universities
Now, let’s apply DOJ’s guidelines specifically to the context of colleges and universities, recognizing the unique challenges and opportunities within the academic environment.
Tailoring risk assessments to educational settings
Educational institutions should conduct risk assessments considering factors such as student admissions, financial aid, Title IV, Title IX, the Clery Act, and other state and federal regulations. By tailoring risk assessments to the specific challenges of the academic sector, colleges and universities can proactively address potential compliance issues. Risk matrices prepared specifically for the higher education community can be helpful in this effort.
Promoting ethical conduct in research
Given the emphasis on research integrity, colleges and universities should prioritize compliance efforts related to academic research. This involves clear guidelines on data integrity, authorship, and conflicts of interest while fostering a culture of transparency and ethical conduct in research endeavors.
Engaging stakeholders through effective training
Colleges and universities should implement training programs that engage faculty, staff, and students to create a robust compliance culture. These programs should not only cover legal and ethical standards but also emphasize the institution’s commitment to integrity and responsible conduct.
Monitoring academic partnerships and collaborations
Educational institutions often engage in partnerships and collaborations with other entities. Compliance programs should extend to monitor and manage these relationships, ensuring that third parties align with the institution’s values and adhere to ethical and legal standards.
Enhancing student and employee reporting mechanisms
Establishing accessible and confidential reporting mechanisms is crucial for educational institutions. Students and employees should feel empowered to report misconduct without fear of reprisal, promoting a culture of accountability and transparency.
Key points for compliance professionals in higher education
As compliance professionals in colleges and universities navigate the complex regulatory landscape, several key takeaways emerge from DOJ’s guidelines.
Holistic risk assessment
Prioritize a comprehensive risk assessment process that considers the unique challenges and opportunities within the academic setting. This includes academic research, admissions processes, and financial operations. Private, public, nonprofit, and proprietary institutions will each have differing compliance concerns and risks that should be assessed. Risk assessment should be an ongoing process to better respond to changes both inside and outside the institution.
Adaptability and continuous improvement
Embrace a culture of continuous improvement, regularly reviewing and updating compliance programs to address emerging risks and evolving regulatory requirements in the dynamic field of higher education. Colleges and universities are expected to continually adapt their compliance programs based on lessons learned and evolving risks. This involves modifying policies and procedures, enhancing training programs, and making necessary adjustments to address emerging risks and changes in the educational environment.
Stakeholder engagement
Engage stakeholders—including faculty, staff, students, and third parties—through effective communication programs. Foster a shared commitment to ethical conduct and compliance within the academic community.
Transparent reporting and investigation
Establish transparent reporting mechanisms for students and employees, ensuring that investigations are prompt, impartial, and conducted with integrity. This builds trust and reinforces the institution’s commitment to accountability.
Third-party oversight
Implement robust oversight mechanisms for third-party relationships, including vendors, collaborators, and contractors. Conduct due diligence to ensure that external entities align with the institution’s values and comply with ethical and legal standards. Colleges and universities that merge with or acquire other institutions should conduct careful pre- and post-transaction due diligence and consider disclosing any misconduct uncovered to take advantage of DOJ’s safe harbor program.
Conclusion
To conclude, DOJ’s updated guidance on corporate compliance programs provides a valuable roadmap for colleges and universities striving to uphold ethical standards and navigate the complexities of the regulatory landscape. A well-designed program applied earnestly and in good faith, and proven to work in practice, is essential for colleges and universities seeking to successfully navigate the complex regulatory compliance landscape. By aligning their compliance efforts with the principles outlined in DOJ’s guidance, compliance professionals in colleges and universities can foster a culture of integrity, accountability, and continuous improvement and place themselves in a much better position if a regulatory inquiry or investigation does take place.
Takeaways
-
One size does not fit all. Make sure to communicate with your stakeholders to determine a structure that works for your organization, focusing on the three overarching questions provided in the guidance.
-
Consider mapping out your program in a comprehensive compliance plan document, which can be shared across your institution to familiarize people with it.
-
One of the key focus areas of the guidance is assessing whether your program “works” in practice. Monitoring and auditing are key components of testing effectiveness.
-
Focus on the tone in the middle, not just the top. Forge relationships with compliance champions at lower levels of management (e.g., department chairs, not just deans) and work closely with those individuals to achieve compliance goals.
-
Compliance guidance can seem daunting; do not let perfect be the enemy of good as you work to implement and update your plan. Good faith efforts matter.