Interestingly, the Fraud Section of the United States Department of
Justice (“DOJ”) issued guidance in 2017 entitled Evaluation of Corporate
Compliance Programs. Through issuing this guidance, the DOJ is providing some insight into the types of considerations and questions every
compliance professional should be asking to challenge the efficacy of
their conduct risk management compliance program.
At first blush, the DOJ’s guidance can be somewhat off-putting, as one
encounters terms such as “criminal investigation” and “prosecutors” in
reading it. It is important to keep in mind that this guidance is part of The
Principles of Federal Prosecution of Business Organizations in the United States
Attorney’s Manual, not your garden-variety examination and supervision manual, mind you!
In the context of a criminal investigation, it is not surprising that the corporate
compliance program will be scrutinized. The
DOJ recognizes that each bank’s risk profile
and control environment must be evaluated
on its individual merits. The following 11
topical areas covered by the DOJ may align
to your institution’s CMS framework. You be the judge as you follow the
DOJ’s thought process below.
Analysis and Remediation of Underlying
Root Cause Analysis—In the context of a misconduct investigation, the
DOJ will identify the root cause and the efforts on the part of the bank to analyze
and fully understand whether the underlying gap or weakness contributed
to the failure to detect misconduct, and whether any systemic issues are
associated with the finding.
Prior Indications—The DOJ due diligence will go deeper to determine
whether there were prior opportunities to detect the misconduct in question, such as reviews at the first line of defense of relevant control failures,
or allegations, complaints, or investigations involving similar issues.
Remediation—The DOJ will be interested in changes the bank has
made to reduce the risk that the same or similar issues will occur in
the future. Maintain and continuously update your control inventory.
Senior and Middle Management
Conduct at the Top—The DOJ will closely observe senior leadership.
This will take into account their words and actions and whether corporate leaders encouraged or discouraged
the type of misconduct in question. Has
senior leadership modeled proper behavior
to subordinates, and who is telling this story?
Highlighting and sharing positive behavior
can establish aspirational goals for employees
seeking to make a difference.
Shared Commitment—What specific actions have senior leaders and other stakeholders taken to demonstrate their commitment
to compliance, including remediation efforts?
Best practices for managing the bank in accordance with legal,
regulatory, and ethical guidelines should be regularly showcased and
communicated throughout the enterprise.
Oversight—As is traditionally the case with prudential regulators, the
DOJ likewise is interested in understanding the level of compliance expertise
available to the Board of Directors. The investigative questions consider
whether the Board of Directors and/or external auditors have held executive
or private sessions with the compliance and control functions. In addition,
what type of risk management information are the Board of Directors and
senior management reviewing on a regular basis?