The change of one word in the Department of Justice’s (DOJ) new version of the Evaluation of Corporate Compliance Programs is a potential bombshell in the eyes of Kim Danehower, corporate compliance officer at Baptist Memorial Health Care Corp. in Nashville, Tennessee.[1] Although there are also significant additions about “compensation structures” and messaging platforms in the document, which was revised in early March, she took note of DOJ’s language switcheroo in the section on whether a compliance program is well-designed.
The 2020 version stated that “The critical factors in evaluating any program are whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct.”
The updated version replaces “pressuring” with “permitting” and in the process holds managers and supervisors accountable for misconduct that happens on their watch. “That one slapped me in the face,” Danehower said. She thinks this single word will reshape training and prompt adjustment in policies at the health system, including its disciplinary policies. “Compliance officers need to stop and take note.”
DOJ’s Evaluation of Corporate Compliance Programs is guidance for white-collar fraud prosecutors who assess the effectiveness of compliance programs when deciding whether to file charges against a corporation and what the charges should be. The document, first published in 2017 and updated initially in 2020, also is used by compliance officers to benchmark their organization’s compliance program. It modifies the Principles of Federal Prosecution of Business Organizations in the Justice Manual.
In this update, DOJ for the first time said prosecutors may consider whether organizations use compensation to encourage compliance or punish noncompliance, including “recoupment or reduction of compensation due to compliance violations.” Prosecutors also are instructed to review “a corporation’s policies and procedures governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications.”
The landmark changes on compensation and messaging platforms fulfill a pledge Deputy Attorney General (DAG) Lisa Monaco made in a September 2022 memo to link them to cooperation credit in criminal cases, said Matthew Krueger, former U.S. Attorney for the Eastern District of Wisconsin.[2] “Both of these things are now squarely called out as areas to inquire about in effectiveness reviews but they’re relatively new areas.”
Hitting people in their wallets for noncompliance is another expression of DOJ’s recommitment to holding allegedly culpable individuals accountable in corporate criminal cases, said attorney John Lawrence, with K&L Gates in Research Triangle Park, North Carolina. “On the criminal side often this type of guidance informs the civil side, particularly in health care,” he noted. “DOJ has clearly put out that this is an expectation.” Before organizations use compensation as a corporate-culture lever, however, they should consider the potential for lawsuits and other unintended consequences, the attorneys said.
DOJ also is attempting to keep up with changing technologies, Lawrence explained. The updated guidance reflects DOJ’s realization that it’s “having challenges accessing communications that might be key to investigations because they’re happening outside email,” he said. “It’s a critical preservation piece.”
Compensation Structures ‘Can Deter Risky Behavior’
According to the revised guidance, DOJ draws a straight line between compensation schemes and compliance culture. “Compensation structures that clearly and effectively impose financial penalties for misconduct can deter risky behavior and foster a culture of compliance. At the same time, providing positive incentives, such as promotions, rewards, and bonuses for improving and developing a compliance program or demonstrating ethical leadership, can drive compliance,” DOJ stated. “Prosecutors should examine whether a company has made working on compliance a means of career advancement, offered opportunities for managers and employees to serve as a compliance ‘champion’, or made compliance a significant metric for management bonuses.” Prosecutors are instructed to consider five factors when assessing whether compensation and consequence management indicate a positive compliance culture.
In tandem with the updated Evaluation of Corporate Compliance Programs, Monaco announced in a March 2 speech the first pilot program on compensation incentives and clawbacks.[3] It has two parts: (1) every corporate resolution with the DOJ criminal division will require the corporation to have “compliance-promoting criteria within its compensation and bonus system” and (2) the criminal division will reduce fines on corporations in a criminal resolution if they try to claw back compensation from culpable executives and employees. The corporation is then allowed to keep the money it clawed back.
Krueger noted the update is “high-level guidance” and doesn’t dictate specific ways for companies to claw back compensation. “It’s uncharted territory for DOJ,” he added. In fact, “one would question whether DOJ has the experience to do this.” In deference to that experience gap, DOJ has left companies space to experiment with ways to slap hands for noncompliance, said Krueger, with Foley & Lardner LLP in Milwaukee, Wisconsin.
He cautions organizations to tread carefully with compensation consequences for misconduct. “Clawing back executive compensation is a big deal,” Krueger said. “People need to go slowly here and work with an executive compensation expert before they add clawback provisions in their agreements.”
In fact, Lawrence suggested a leadership sit-down that includes compliance, legal, human resources and other stakeholders to consider the feasibility of clawbacks for noncompliance. Would they violate laws or regulations? What’s the risk of inviting litigation with the managers and supervisors who would be penalized? “All of that has to be weighed against the likelihood of enforcement actions,” Lawrence said.
Wading Into ‘Ephemeral’ Messaging Apps
As expected, the Evaluation of Corporate Compliance Programs addresses messaging apps. “In evaluating a corporation’s policies and mechanisms for identifying, reporting, investigating, and remediating potential misconduct and violations of law, prosecutors should consider a corporation’s policies and procedures governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications. Policies governing such applications should be tailored to the corporation’s risk profile and specific business needs and ensure that, as appropriate and to the greatest extent possible, business-related electronic data and communications are accessible and amenable to preservation by the company,” DOJ said in its update. “Prosecutors should consider how the policies and procedures have been communicated to employees, and whether the corporation has enforced the policies and procedures on a regular and consistent basis in practice.”
This is a sea change. “DOJ is saying loud and clear it’s not going to accept at face value that a company can’t account for these types of messages,” such as texts and WhatsApp, Krueger said. Organizations that allow people to bring their own devices to work now are staring at a compliance and IT problem, he noted. Do they have a way to preserve business-related communications on devices that don’t go through company servers? “This creates pressure on people to review policies on how employees communicate,” Krueger noted. Even with policies requiring employees to communicate on certain channels, employees may text on others. Unless organizations audit and monitor this area and discipline employees accordingly, they risk DOJ consequences in the event of an investigation, he said.
Baptist Memorial Health Care Corp. is analyzing the clawback provisions and working toward formalizing compliance metrics as part of its executive metrics, Danehower said. “We try to bake compliance into everything we do.” But she was a little stunned at the details of the updated DOJ document. “They have put a lot of specific information in it they didn’t have before.”
Contact Krueger at mkrueger@foley.com, Lawrence at john.lawrence@klgates.com, and Danehower at kim.danehower@bmhcc.org.