As published in ABA Risk & Compliance Journal
How much could your bank pay in fines, restitution, or other penalties for unknowingly hiring a bad actor who violates the law? Perhaps less than you think—if your compliance team diligently considers the recently updated Federal Sentencing Guidelines for Organizations. This article explores the U.S. Department of Justice’s Criminal Division Evaluation of Corporate Compliance Program update of June 1, and includes practical considerations to help banking organizations better align their corporate compliance and ethics programs to the guidelines.
What is the FSGO?
Not familiar with the guidelines? Here are the salient points, courtesy of the U.S. Sentencing Commission:
Organizations, like individuals, can be found guilty of criminal conduct, and the measure of their punishment for felonies and Class A misdemeanors is governed by chapter eight of the sentencing guidelines.
These guidelines are designed to further two key purposes of sentencing: “just punishment” and “deterrence.” Under the “just punishment” model, the punishment corresponds to the degree of blameworthiness of the offender, while under the “deterrence” model, incentives are offered for organizations to detect and prevent crime.
Criminal liability can attach to an organization whenever an employee of the organization commits an act within the apparent scope of his or her employment, even if the employee acted directly contrary to company policy and instructions. An entire organization, despite its best efforts to prevent wrongdoing in its ranks, can still be held criminally liable for any of its employees’ illegal actions. Consequently, when the Commission promulgated the organizational guidelines, it attempted to alleviate the harshest aspects of this institutional vulnerability by incorporating into the sentencing structure the preventive and deterrent aspects of systematic compliance programs. The Commission did this by mitigating the potential fine range—in some cases up to 95 percent—if an organization can demonstrate that it had put in place an effective compliance program. This mitigating credit under the guidelines is contingent upon prompt reporting to the authorities and the non-involvement of high-level personnel in the actual offense conduct.
The organizational guidelines criteria embody broad principles that, taken together, describe a corporate “good citizenship” model, but do not offer precise details for implementation. This approach was deliberately selected in order to encourage flexibility and independence by organizations in designing programs that are best suited to their particular circumstances.
FSGO factors and criteria update
Chapter eight of the FSGO outlines seven key criteria—written policies and procedures; compliance and ethics program oversight; due care in delegating authority; training and communication; monitoring for effectiveness; enforcement and internal investigations; and remediation to prevent similar offenses upon detection of a violation—for establishing an “effective compliance program” that should be familiar territory for anyone working in compliance. In the update, DOJ states that while it makes “individualized determinations” for each institution based on factors such as size, location and regulatory schemes, there are three fundamental questions a prosecutor should ask in their evaluation of a program.
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
- Does the corporation’s compliance program work in practice?
The DOJ update takes these three questions, breaks them down by relevant topics and subtopics and asks a series of questions that institutions should duly consider related to that topic.
Broadly, the DOJ update focuses on the design and comprehensiveness of an institution’s processes for assessing risk; creating and maintaining policies and procedures; risk-based training and communications; confidential reporting; managing third-party risk; M&A due diligence; program resources and degree of empowerment (including in incentives and disciplinary decisions); and how the institution knows and can evidence that the program is working.
The above elements are the areas that the DOJ’s Criminal Division has frequently found relevant in evaluating an institution’s program—both at the time of the offense and at the time of the charging decision and resolution.
Remember that in addition to an effective program to prevent and detect violations of law, adjustments in sentencing for organizations also consider self-reporting, cooperation and acceptance of responsibility. Senior leadership and boards of banking institutions should know and understand the factors and criteria of the FSGO to help ensure their program has the necessary resources and more importantly, the empowerment to function effectively. Let us now explore what that may mean in practical terms for your bank.
Practical considerations from recent cases
Risk and compliance professionals are encouraged to review the entire DOJ update to help identify any potential areas of concern in your institution’s program. Consider them as we explore some of the compliance and ethical failures that led to recent criminal actions against banking institutions.
Certain trends emerge in reviewing the statements of facts for federal criminal cases against U.S. banks over the last several years. Fraud, anti-money laundering deficiencies and sanctions violations were the leading offenses, but also included were Foreign Corrupt Practices Act violations, foreign exchange market manipulation, interest rate benchmark manipulation, price-fixing or anti-competitive practices, tax violations and toxic securities abuses.
So, while the cases ran the gamut, there was some commonality to the actions and conditions that led to the criminal behavior. Not surprisingly, financial gain was the driving force and, in some cases, included complicity by senior leadership, compliance and risk personnel from the highest levels of the institution to the lowest.
Common conditions that led to violations of law included:
- Lack of compliance function oversight of incentive programs and sales strategies
- Acquiescence to executive or managerial approval of unlawful behavior
- Rewarding the risky behavior of violators
- Absence of compliance function authority to question activities or discipline violators
- No direct and regular reporting to senior leadership and boards by compliance function
- No practical process for all personnel to confidentially escalate issues and concerns
- Trusting but not regularly verifying controls through documented proof
- Not following bank policies and procedures and/or no consequences for violations
- Explaining away inconvenient red flags
- Insufficient initial (at hire) and ongoing due diligence of decisionmakers
Consider these conditions and what effect they may have on your institution. Ensure all personnel and third parties are equally educated to the consequences of acting unethically or contrary to policies and apply discipline equitably regardless of the offender’s position.
And finally, while the hope is that your bank never has to answer questions from federal prosecutors, understanding what those questions will be and ensuring your bank has an appropriate response will help protect your customers, shareholders and employees, and it will strengthen your overall program for years to come.