Infotech and the Law: Stricter corporate compliance standards are likely
- By Devon Hewitt
- Jul 06, 2004
An organization convicted of a criminal offense is sentenced according to Federal Sentencing Guidelines drafted by the U.S. Sentencing Commission, and a key mitigating factor in sentencing is whether the organization has an effective compliance and ethics program.
When Congress passed the Sarbanes-Oxley Act, it had the commission review the guidelines to ensure they would be effective in deterring and punishing organizational misconduct. As a result, the commission has proposed amending the guidelines to toughen compliance standards.
Unless Congress disapproves the amendment, it will go into effect Nov. 1.
The sentencing guidelines require an organization to exercise due diligence to prevent and detect criminal conduct and promote "an organizational culture" that encourages ethical conduct and compliance with law.
Commentary to the guidelines suggests that an organization has fulfilled these requirements if it follows seven steps:
-- Establish internal standards and procedures to prevent and detect criminal conduct
-- Assign a senior official to take responsibility for the organization's compliance
-- Screen personnel of substantial authority to determine if they "have the propensity to engage in illegal activities"
-- Take reasonable steps to communicate the organization's compliance program internally and to agents
-- Monitor and audit the organization's compliance activities
-- Establish disciplinary measures for noncompliance
-- If necessary, modify the compliance program after violations have been found.
The newly proposed amendment incorporates these steps, and includes additional detail and clarification of an organization's responsibility under some of the steps.
Specifically, the amendment increases accountability of an organization's senior managers, officials and governing bodies. Under the amendment, an organization's governing authority, such as the board of directors, as well as its senior personnel must know the organization's compliance program, exercise its oversight and ensure its effectiveness.
Responsibility for the organization's compliance program may be assigned to one senior person or group, who must keep the organization's governing body updated on the implementation and effectiveness of the program.
Those in charge must have direct access to the governing authority and adequate resources. The amendment also requires that training programs extend to the upper levels of management.
The amendment states that just screening high-level personnel for possible propensity for illegal activity isn't enough. An organization should not retain or hire senior employees whom it knows, or should have known, to have engaged in criminal activity or conduct that would violate an organization's compliance objectives.
The amendment mandates that an organization periodically evaluate the effectiveness of its corporate compliance program. The amendment adds a requirement that organizations institute and publicize an internal system that lets personnel report violations or seek guidance confidentially and without fear of retaliation.
Finally, the amendment creates a rebuttable presumption that a corporate compliance program is not effective if personnel with substantial authority in the organization participated in, condoned or were willfully ignorant of any criminal violation.
Although the guidelines only apply in the context of a criminal sentencing procedure, the seven steps are a benchmark for both industry and the government in assessing the effectiveness of a corporate compliance program.
The specific and generally stricter requirements imposed by the proposed amendment, therefore, should be considered applicable to all organizations.
Devon Hewitt is a partner of Government Practices at ShawPittman in McLean, Va. She can be reached at email@example.com.