Conduct risk management: Empowering financial institutions through the DOJ’s guidance for compliance programs

The FSGO framework not only offers guidelines but also incentivizes institutions to “to maintain internal mechanisms for preventing, detecting, and reporting criminal conduct.” Encouraging organizations to prevent and detect misconduct, as facilitated by an effective compliance and ethics program, ultimately encourages ethical conduct and compliance with all applicable laws.

Influenced by the FSGO, the Department of Justice (DOJ) has developed and released guidance, Evaluation of Corporate Compliance Programs (ECCP), to primarily assist prosecutors in making decisions regarding the effectiveness of compliance programs. However, the ECCP outlines key principles that effectively inform the development of compliance and ethics programs. Released in 2017, revised and updated most recently in 2023, the ECCP clearly signals that DOJ’s Criminal Division is committed to providing timely guidance that financial institutions can leverage to inform conduct risk management frameworks.

The ECCP organizes and groups key topics into three fundamental questions that should be asked relative to a financial institution’s compliance program around conduct risk:

• Is the compliance program well designed?
• Is the compliance program adequately resourced and empowered to function effectively?
• Does the compliance program work in practice?

The DOJ recognizes that the fundamental questions and associated topics “form neither a checklist nor a formula” and that while some may not be relevant, others “may be more salient given the particular facts at issue.” Refer to the table, Fundamental Questions and Program Assessment Topics for details. (See www.justice.gov/criminal-fraud/page/file/937501/download.)

What is critical to consider is whether your risk-based compliance program focuses appropriate resources on higher-risk areas of the company and activities where misconduct or ethical breaches are most likely to occur. As you consider the DOJ’s fundamental questions as they relate to conduct risk, you will note that the twelve topical areas may align to your institution’s Compliance Management System (CMS) and risk framework. 

1. Is the institution’s conduct risk compliance program well designed?

In applying the DOJ principles to the risk management of conduct risk, the first fundamental question to consider is whether the compliance program is designed “for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or permitting employees to engage in misconduct.”

Based on these efforts, does the institution devote appropriate resources to managing risks?  Ultimately, it is critical to evaluate the degree to which the compliance program detects and prevents particular types of misconduct.

This fundamental question largely explores the core framework elements generally comprising a CMS.  Following is a more granular view of some of these important considerations as applied to the risk management of conduct risk. 

Conduct risk—Risk assessment 

The ECCP considers effectiveness of the financial institution’s risk assessment methodology for identifying, analyzing, and managing particular risks, and how it informs the design of the financial institution’s compliance program and investment of risk management resources. The risk assessment process is also not one and done—it requires periodic updates to mitigate the risk of misconduct as the financial institution expands and changes its products and services.

Conduct risk—Policies and procedures

The ECCP assesses processes for the:

•  Design, implementation, and updating of policies and procedures;
• Efforts to monitor and implement policies and procedures across a spectrum of risks;
• Accessibility of policies and procedures by all employees and relevant third parties;
• Responsibility for the integration of policies and procedures; and
• Guidance and training provided to key gatekeepers in control processes.

The guidance states that, as a “threshold matter,” a code of conduct setting forth an institution’s commitment to full compliance with relevant federal laws should be applicable to and accessible by all employees.

Conduct risk—Training and communications 

The ECCP accounts for the steps taken by the financial institution to ensure that policies and procedures have been integrated into and fully communicated throughout the organization. This includes periodic training and certification of the board of directors, executive management, middle management, and, where appropriate, agents and business partners. Information should be tailored to the audience, and clearly understood by all employees. Also consider training that is risk-based, such that employees in relevant control functions receive appropriate training. Importantly, there should be full support and communication from the top down concerning the institution’s position on preventing, identifying and managing conduct risk at every level.

Conduct risk–Confidential reporting and investigation of potential misconduct

The ECCP emphasizes that a well-designed compliance program provides for an efficient and trusted mechanism for employees to anonymously report allegations of a breach of the institution’s code of conduct, policies, and suspected or actual misconduct. This assessment considers whether the reporting process includes proactive measures to prevent retaliation. The analysis should take into consideration the financial institution's processes related to handling investigations of complaints, escalation and routing of complaints, substance and timeliness of investigations, and appropriateness of follow-up and disciplinary actions.

 Additionally, it is important to assess the following factors:

• Awareness of anonymous reporting mechanisms and their utilization.
• Identification of responsible personnel.
• Sufficient resources and funding to support reporting, investigative mechanisms, and issue tracking.

Conduct risk—Third-party management   

The DOJ guidance reminds us that well-designed compliance programs perform risk-based due diligence of third-party relationships, including any international vendors or partners. Financial institutions should always review the qualifications and associations of prospective and existing third-party partners, especially for any history of misconduct or wrongdoing. In addition, the institution’s business rationale for the relationship with the third party should be clearly understood, including the risks posed by the third-party.  Also, contract terms with third parties should specifically describe the services to be performed, whether the third party or subcontractor is performing the work, and compensation should be commensurate with the work performed. Moreover, there should be adequate, ongoing monitoring of third-party relationships through updated due diligence, training, audits, and/or annual compliance certifications.

Conduct risk–Mergers and acquisitions  

The ECCP assesses processes for conducting comprehensive due diligence of acquisition targets, as well as the acquiring organization’s capability to timely and orderly integrate acquired entities into existing compliance program structures and internal controls. It is crucial to avoid inheriting issues from another institution that may have neglected risk management concerning potential misconduct.

2. Is the financial Institution’s conduct risk compliance program adequately resourced and empowered to function effectively? 

The second fundamental DOJ question relative to an effective management of conduct risk focuses on how well compliance programs are implemented. A well-implemented conduct risk management program is appropriately resourced, subject to qualified, independent review and validation, and revised and updated, as appropriate. Pay close attention to the method used for assessing and addressing applicable risks and whether appropriate controls are established to mitigate known risks. In addition, sufficiency of staffing to audit, document, analyze, and utilize the results of the institution’s compliance efforts should be reviewed. The guidance goes further to determine “whether the corporation’s employees are adequately informed about the compliance program and are convinced of the corporation’s commitment to it.” 

Importance of a culture of compliance in managing conduct risk

The ECCP guides an assessment of the overall environment and the important role of senior and middle management in creating and fostering a culture of compliance throughout the financial institution. The DOJ underscores the importance of “high-level commitment by company leadership” for ensuring the creation of a strong culture of compliance in managing ethics and risks relating to potential misconduct.

The focus also looks to the board of directors and available compliance expertise to provide information and awareness to ensure proper decisions and oversight of the institution’s remediation of misconduct.

Autonomy and resources

The ECCP emphasizes the importance of a compliance program structure and organizational reporting to support autonomy that is sufficient to assure adequate authority to manage conduct risk, wherever it arises within the financial institution.  Backing this up is the sufficiency of personnel and resources with appropriate seniority to perform the day-to-day activities effectively of the compliance function relative to the size, structure, and risk profile of the financial institution.

Compensation structures and consequence management

Implementing an effective compliance program for managing conduct risk includes attention to compensation structures and clarity of process in consequence management. It is critical to assess the effectiveness of established incentives for the purpose of driving compliant behavior as well as disincentives, or real consequences, for non-compliance. Moreover, it is important to communicate to employees that unethical conduct will not be tolerated and that there are consequences, regardless of position or title. With respect to deterring risky behavior, the DOJ emphasizes that compensation structures that impose financial penalties for misconduct can “deter risky behavior and foster a culture of compliance.” There are multiple factors for determining whether compensation and consequence management processes promote a positive compliance culture, including: 

Human resources process. Consideration for determining who participates in disciplinary decisions by type of misconduct starts with Human Resources.  The ECCP questions how transparent institutions are with employees regarding disciplinary processes. For example, in cases where an executive has been removed from the institution because of a compliance violation, how transparent has the institution been with employees about the terms of the separation? Are reasons for discipline consistently communicated to employees? Is the same process followed for each instance of misconduct? Does the institution take steps to restrict disclosure or access to information about the disciplinary actions? Are there actions taken to protect the institution from whistleblowing or outside scrutiny?

Disciplinary measures. The ECCP questions what disciplinary actions are established that management can take to enforce compliance. Is there a policy and process for recovering compensation in cases of misconduct?  What is the process for putting employees on notice for misconduct?  Are there policies and procedures established to recover compensation that would not have been achieved, absent the misconduct? Overall, for any particular type of misconduct, does the financial institution make a good faith effort to follow established policies and processes?

Consistent application. The ECCP guides a determination of whether disciplinary actions and incentives have been fairly applied across the organization. Fair and consistent application of disciplinary actions and incentives, and a compliance function that monitors for conduct risk are keys to ensuring an effective conduct risk program. Also consider whether the institution tracks disciplinary actions, maintains metrics, and ensures consistency across the enterprise, regardless of geography, operating unit, or level of the organization.

Financial incentive system. The ECCP questions whether institutions under review analyze the impact of financial rewards and other incentives on compliance.  Moreover, it asks what role Compliance plays relative to the designing and awarding of financial incentives at senior levels of the organization. Are executives incented to encourage ethical business objectives? Does the institution have a policy for recouping compensation that has been paid where there has been misconduct?

Effectiveness. Overall, the common thread for determining effectiveness of a conduct risk management program includes identifying and tracking metrics that have been collected, as well as the measures taken by the institution to analyze and support the overall effectiveness of compensation structures and consequence management.  Does the institution perform root cause analyses in areas where certain misconduct is reported?

3. Does the institution's conduct risk compliance program work in practice?

The third fundamental question focuses on determining whether a compliance program works in practice. In pursuing this, the DOJ guidance further breaks down the question into three areas of focus:  Continuous improvement, periodic testing, and review; investigation of misconduct; and analysis and remediation of any underlying misconduct.

Continuous improvement, periodic testing, and review

The DOJ guidance reminds us that the existence and detection of misconduct is not indicative of a non-working compliance program. The guidance directs consideration of a variety of factors to determine whether the program was effective at the time of misconduct, and at the time of a charging decision.

The DOJ points out that effective compliance programs should continuously improve and evolve. This is a contextual observation that accounts for changes in a financial institution’s business model over time; changes in the environment in which it operates; the composition of its customer base; the laws, regulations and guidance governing its operations; and the applicable industry standards. It is important to track improvement and sustainability, particularly in cases where previous findings and “lessons learned” are leveraged in making program enhancements, to demonstrate continuous improvement in the program. Conduct risk compliance programs should also encompass taking “reasonable steps” to perform risk-based audits, conduct control testing, and review the alignment of policies, procedures, processes, and actual practices. 

Investigation of misconduct

The ECCP stresses the importance of timeliness and thoroughness of investigations of allegations or suspicions of misconduct by the institution, any of its employees, or agents, and documented details regarding disciplinary or remedial actions.  The ECCP guides a substantive assessment of the process, which considers whether investigations are properly scoped, and measures taken to ensure that the investigation is conducted independently and objectively. Other considerations include assessing whether root causes were identified during investigations. Additionally, it is important to consider whether the investigation identified system vulnerabilities and accountability lapses, as well as the presence of a formal process for responding to investigative findings.

To ensure the independence of the investigative process, consider whether employees responsible for investigating and deciding matters of misconduct are compensated in a manner that empowers them to enforce the institution’s policies and code of ethics.

Importantly, the ECCP recognizes that “messaging applications have become ubiquitous in many markets and offer important platforms for companies to achieve growth and facilitate communication.” Thus, the ECCP guides those policies governing the use of personal devices as well as various communications platforms and messaging applications, including ephemeral messaging. There should be a risk-based approach to preserve business-related electronic data and communications for record retention and retrieval to support investigations. 

Overall, it is important that financial institutions consider how the policies and procedures have been communicated to employees, and whether policies and procedures have been enforced. This evaluation takes into consideration the following factors related to communication channels:

• Purpose: The purpose of each channel is assessed, considering its intended use and functionality within the organization.
• Employee access: The level of employee access to preservation and deletion settings for each channel is examined to determine the control and management of data and communications.
• Data preservation policies: The existence of policies and procedures addressing the preservation of data and communications is evaluated to ensure proper data retention and compliance.
• "Bring your own device" rules: Rules governing the use of personal devices and their impact on the preservation and access to data and communications are considered.
• Personal device access: Policies regarding the access to personal devices by the company, and the implications for data and communication preservation, are examined.
• Consequences for refusal: The consequences for employees who refuse access to company communications are reviewed to ensure appropriate accountability within the organization.

By analyzing these aspects, the evaluation aims to assess the effectiveness and compliance of communication channels and associated policies within the institution.

Analysis and remediation of any underlying misconduct

The ECCP guides that there should also be consideration of “any remedial actions taken by the corporation, including, for example, disciplinary action against past violators uncovered by the prior compliance program.” It is very important to demonstrate good faith in conducting a root cause analysis, and that remediation was implemented to address the root cause. 

Closing thoughts

With the present and future uncertainties and challenges facing financial institutions, having a strong compliance program that includes a robust conduct risk management program is essential. The DOJ’s ECCP provides guidance that serves as a useful and informative framework for financial institutions to apply in building an effective framework for managing conduct and ethics.