Thank you, for that kind introduction. And thank you to the Ethics and Compliance Officers Association for inviting me to speak with you today about the important topic of corporate compliance. I understand that you have been hosting these conferences for more than 20 years, and I commend you for that!
As the Assistant Attorney General for the Justice Department’s Criminal Division, I have the privileged of leading a team of 600 talented and dedicated lawyers who work on the cutting edge of federal criminal law enforcement, as well as promoting the rule of law overseas.
While the Justice Department is often the last line of defense against fraud and corruption, all of you are the first. Criminal prosecutions can and do deter future bad behavior, but they most often serve as an after-the fact sanction for misconduct.
Your collective work is designed to ensure corporate compliance and ethical practices from the outset. The importance of your work cannot be overstated: it serves to protect the integrity of our public markets, the country’s financial systems, our intellectual property, the retirement accounts of our hardworking citizens, and our taxpayer dollars used to fund healthcare programs and government and military contracts.
A very large part of the mission of the Criminal Division is fighting major corporate fraud and corruption. Our Fraud Section employs approximately 100 prosecutors who are experienced in investigating health care fraud, defense procurement fraud, securities and financial fraud, and violations of the Foreign Corrupt Practices Act.
Our Asset Forfeiture and Money Laundering Section investigates and prosecutes international money laundering and violations of U.S. sanctions laws, and it recovers the proceeds of foreign official corruption by kleptocrats.
Unfortunately, in our fraud, corruption, money laundering, and sanctions cases, we have seen too many failures of corporate compliance.
In this day and age – more than a decade after the Sarbanes-Oxley Act – we come across very few companies that do not have any compliance program. In fact, we have seen a marked improvement in compliance programs over the years. In years past, it was not uncommon to see companies with only rudimentary compliance programs.
That situation is illustrated by a case resolved just last year, involving Weatherford International, a Swiss oil services company that trades on the New York Stock Exchange. Three subsidiaries of Weatherford International pleaded guilty to violating the anti-bribery provisions of the Foreign Corrupt Practices Act and export controls violations.
Before 2008, the company had little more than a weak paper compliance program. The subsidiaries admitted that the company did not have a dedicated compliance officer or compliance personnel, did not conduct anti-corruption training, and did not have an effective system for investigating employee reporting of ethics and compliance violations. Weatherford companies paid $252 million in penalties and fines.
It is increasingly rare that we encounter circumstances in which a company has such a feeble compliance program. And I doubt that anyone in this audience works for a company like that, or you probably would not be here.
More often, we encounter companies with compliance programs that are strong on paper, but much weaker in practice.
That concept is illustrated by our recent, landmark criminal resolution with BNP Paribas, which is the largest bank in France and the one of the largest banks in the world.
BNPP admitted to helping individuals and entities associated with Sudan, Iran, and Cuba – all of whom are prohibited by law from accessing the U.S. financial system – to clear U.S. dollar transactions through U.S. banks.
The majority of the illegal payments were made on behalf of entities in Sudan, which was subject to a U.S. embargo based on the Sudanese government’s role in facilitating terrorism and committing human rights abuses.
Between 2004 and 2012, BNPP knowingly moved more than $8.8 billion through the U.S. financial system on behalf of Sudanese, Iranian and Cuban sanctioned entities. In the case of Sudan, BNPP’s conduct gave Sudan its only significant access to world financial markets, essentially helping to prop up a corrupt and repressive regime.
BNPP’s conduct represented a massive disregard for compliance, both with the law and with its own internal policies. And these egregious violations of law occurred despite concerns expressed on more than one occasion by compliance officers, and even in written opinions by outside counsel.
Some compliance people at BNPP did raise objections to the conduct. For example, one senior compliance officer at BNPP wrote to other high-level compliance and legal employees reminding them that certain Sudanese banks with which BNPP dealt “play a pivotal part in the support of the Sudanese government which . . . has hosted Osama Bin Laden and refuses the United Nations intervention in Darfur.”
Another senior compliance officer further warned that a satellite bank system was being used to evade U.S. sanctions and stated, “As I understand it, we have a number of Arab Banks (nine identified) on our books that only carry out clearing transactions for Sudanese banks in dollars. . . . This practice effectively means that we are circumventing the US embargo on transactions in USD by Sudan.”
In response to another e-mail voicing the same concern, a high-level employee explained that these transactions had the “full support” of management at BNPP Paris.
And in a meeting of BNPP’s top management, senior compliance personnel expressed concern about the bank’s role in working with Sudanese sanctioned entities. At that meeting, the compliance team was given a very wrong message: money speaks louder than compliance with the law.
And unfortunately, rather than push back, the compliance personnel backed down, and continued to allow the illegal transactions. An email summarizing that meeting explained management’s thinking: “[t]he relationship with this body of counterparties (meaning the nine Arab banks) is a historical one and the commercial stakes are significant. For these reasons, Compliance does not want to stand in the way of maintaining this activity . . . .”
All of these warnings went unheeded in favor of continued profits. The “tone at the top” in BNPP was, frankly, not just unsupportive of compliance, but against it. And, the company put its profit margins ahead of its business ethics.
BNPP may now realize that elevating illegal profit streams over compliance with the law does not pay. In July of this year, BNPP pleaded guilty in federal court to criminal charges related to its support of the Sudanese regime, as well as others, and was required to pay a record $8.8 billion monetary penalty.
If the warnings of the bank’s compliance staff had been heeded, or if the compliance team had insisted on raising their concerns to a higher level, such as the company’s board, the company may have avoided at least some of these very serious consequences.
Now, we recognize that even with proper support of a compliance program by management, perfect compliance in this increasingly global economy is incredibly difficult. Compliance departments are asked to monitor business units that are spread about the globe.
More than the geographic divide, however, there often are cultural divides from country-to-country that you must bridge. This is again demonstrated by the BNPP case.
During the investigation, we uncovered emails in which foreign bank branch employees expressly directed others to hide the criminal transactions from U.S. branch employees to ensure that the revenue stream could continue.
They directed the removal of references to Cuba, Iran, and Sudan from paperwork relating to these transactions, knowing that these references would have raised flags for diligent compliance employees.
Further emails directed an end run around U.S.-based compliance personnel. One employee wrote: “I only see the solution of going through another bank than BNPP NY for all transactions to these destinations. The other, less gratifying alternatives are to stop working in USD in these zones or to disguise the reality . . .”
There is no doubt that monitoring compliance on a global scale is a difficult, but difficulty cannot be used as an excuse to turn a blind eye to problematic business practices. Compliance programs must be put into place and—more importantly—communicated repeatedly and enforced properly throughout the entire organization.
The emphasis on compliance must be heard not only in the executive suites at headquarters, but wherever the company operates around the globe.
When considering criminal action against a company, one factor that the Justice Department evaluates is the company’s compliance program.
Under the department’s internal guidance, the Principles of Federal Prosecution of Business Organizations, prosecutors must consider “the existence and effectiveness of the corporation’s pre-existing compliance program.”
As all of you know, the United States Sentencing Guidelines also expressly include a company’s corporate compliance program as a factor in corporate sentencing in criminal cases.
There is, of course, no “off the rack” compliance program that can be installed at every company. Effective compliance programs must be tailored to the unique needs and risks faced by each company.
But there are hallmarks of good compliance programs. The department includes many of these in our non-prosecution agreements and deferred prosecution agreements, and I’d like to discuss them with you.
1. High-level commitment. A company must ensure that its directors and senior management provide strong, explicit, and visible commitment to its corporate compliance policy. Stated differently, and again, “tone from the top.”
This means that the importance of compliance should be communicated from the very top of the company. I once heard of a large company whose prominent CEO refused to put his signature on a company-wide communication announcing the company’s new compliance program.
When asked why not, he replied: “Because we don’t hire those kinds of people.” Well, he could not have been more wrong. Every company hires “those kinds of people.”
Every company hires human beings who, when they are in a tough and maybe unfamiliar situation with no clear guidance about what is expected, will sometimes choose the wrong path. And that becomes even harder when they are operating in countries with business cultures very different from our own.
2. Written Policies. A company should have a clearly articulated and visible corporate compliance policy memorialized in a written compliance code. Again, employees need to know what to do--or not do--when faced with a tough judgment call involving business ethics. Companies need to make that as easy as possible for their employees.
3. Periodic Risk-Based Review. A company should periodically evaluate these compliance codes on the basis of a risk assessment addressing the individual circumstances of the company. Companies change over time through natural growth, mergers, and acquisitions.
Compliance policies should be live organisms that also change and grow with the company. You are only as strong as your weakest flank.
I once represented a company that had an A+ compliance program. But then they acquired a Chinese subsidiary and for several years failed to communicate to their new—and then not-so new--Chinese employees the need for FCPA compliance.
The predictable result: the Chinese employees continued doing business in the way that was familiar to them. And the US parent found itself in deep violation of the FCPA.
4. Proper Oversight and Independence. A company should assign responsibility to senior executives for the implementation and oversight of the compliance program.
Those executives should have the authority to report directly to independent monitoring bodies, including internal audit and the Board of Directors, and should have autonomy from management. Compliance programs needed to be funded; they need to have resources.
And they need to have teeth and respect within the company. For years, Wall Street banks housed their compliance programs across the Hudson River, in New Jersey. They were out of sight, out of mind. They were underpaid. And nobody paid much attention to them.
Compliance programs need to have an appropriate stature within the company, or compliance will be the last thing on the mind of an employee tempted to engage in wrongdoing.
5. Training and Guidance. A company should implement mechanisms designed to ensure that its compliance code is effectively communicated to all directors, officers, employees. This means repeated communication, frequent and effective training, and an ability to provide guidance when issues arise.
And as I said before, employees should see that the importance of compliance is being communicated from the top—whether the CEO, the Board, the General Counsel, or some other very highly respected senior-level figure within the company.
6. Internal Reporting. A company should have an effective system for confidential, internal reporting of compliance violations. I know that many companies have multiple mechanisms, which is good.
7. Investigation. A company should establish an effective process with sufficient resources for responding to, investigating, and documenting allegations of violations. What this means on the ground will depend on the company. A sophisticated multi-national corporation obviously will be expected to have more resources devoted to compliance than a small regional company.
8. Enforcement and Discipline. A company should implement mechanisms designed to enforce its compliance code, including appropriately incentivizing compliance and disciplining violations.
And the response to a violation must be even-handed. Too often, we see situations where low level employees who may have implemented the bad conduct are fired, but their boss, who saw what they were doing and did nothing—and maybe even the directed the conduct—is left in place.
This should not happen. Not only from a department perspective, but from a business perspective. Leaving in place senior managers who sanction bad behavior sends a very wrong message about the company’s true commitment to compliance and ethics.
People watch what people do much more carefully than what they say. When it comes to compliance, you must both say and do.
9. Third-Party Relationships. A company should institute compliance requirements pertaining to the oversight of all agents and business partners.
I cannot emphasize strongly enough the need to sensitize third parties, like vendors, agents, and consultants, to the importance of not compliance.
And these partners need to understand that the company really expects its partners to be compliant. This often means more than just including a boilerplate paragraph in a contract in which the partner promises to comply with the law and company policies. It means warning, and even terminating, relationships with partners who fail to behave in a compliant manner.
10. Monitoring and Testing. A company should conduct periodic reviews and testing of its compliance code to improve its effectiveness in preventing and detecting violations. Kick the tires regularly. As I said, compliance programs must evolve with changes in the law, business practices, technology and culture.
As I said, there is no “one-size fits all” compliance program. But these are guideposts that we consider important to the success of a strong program.
And as important as the compliance program itself is implementation. When we investigate a case, we look at the messages about compliance that are given to employees.
More than just reading the paper program or the code of conduct, we look at what employees are told in their day-to-day work.
We are looking at e-mails, chats, and recorded phone calls. We are talking to witnesses about the messages they received from their supervisors and management – did they receive messages about compliance, or about making money at all costs.
And we examine the incentives that a company provides to encourage compliant behavior – or not. If a company is actually encouraging compliance, if its values are to be ethical and within the law, then that message must be conveyed to employees in a meaningful way. Otherwise, the Department of Justice will not view the compliance program as credible.
And sometimes, effective implementation of a compliance program means standing apart from the other companies in your industry. We have seen significant misconduct taking place throughout an industry.
But the excuse that “everyone else is doing it” didnd’t work in grade school, and it sure won’t work when federal agents come knocking at your door.
Let’s take the LIBOR case as an example. LIBOR – the London Interbank Offered Rate – is the primary benchmark for short-term interest rates around the world. It is used as a reference rate for many interest rate contracts, mortgages, credit cards, student loans and other consumer lending products.
LIBOR necessarily depends on the integrity of the rate setting process and the bankers who provide input into that process. But an investigation by the Criminal Division, the Antitrust Division and the FBI has shown that banks and individual employees were manipulating the banks’ LIBOR submissions to benefit their trading positions, at the expense of counterparties to the trades.
To date, five global financial institutions have resolved the criminal investigation of LIBOR manipulation with the Justice Department, and each of them admitted to their misconduct. We have charged nine individuals, and two of those have pleaded guilty.
In some cases, this manipulation was boldly described in emails, as was the belief that others in the industry were engaged in similar, or worse, manipulation. For example, at the Dutch bank Rabobank, a LIBOR submitter agreed to manipulate the bank’s LIBOR contribution and wrote, “I’ll probably get a few phone calls but no worries mate… there’s bigger crooks in the market than us guys!”
The financial institutions that have resolved the LIBOR investigation so far have paid more than $4 billion to the Department of Justice and regulators. Our investigation continues, and will not stop until we have rooted out those individuals and companies responsible for this corporate financial malfeasance.
Effective compliance programs must be embedded in a company’s culture. And they need to be applied even in the face of misconduct by other companies in the same industry, even if that might mean a short-term competitive disadvantage.
A company’s executives can choose to rise above the rest -- or race to the bottom. I am telling you that the Criminal Division will hold responsible companies and individuals that knowingly violate the law, no matter if the excuse is that “everyone” was doing it.
Now what should you do when your robust compliance program fails? Or, when it works, allowing you to discover criminal misconduct? I encourage you to conduct a thorough investigation and to disclose potentially criminal misconduct to the Justice Department.
When criminal misconduct is discovered, a critical factor in the department’s prosecutorial decision making is the extent and nature of the company’s cooperation.
The department’s Principles of Federal Prosecution of Business Organizations provides that prosecutors should consider “the corporation’s timely and voluntary disclosure of wrongdoing and its willingness to cooperate in the investigation of its agents.”
Now let me flesh out the often discussed, but sometimes poorly understood, concept of cooperation.
Most companies now understand the benefits of voluntarily disclosing the misconduct before we come asking, and the benefits of conducting an internal investigation and providing facts about the misconduct to the government.
But companies all too often tout what they view as strong cooperation, while ignoring that prosecutors specifically consider “the company’s willingness to cooperate in the investigation of its agents.”
Corporations do not act, but for the actions of individuals. In all but a few cases, an individual or group of individuals is responsible for the corporation’s criminal conduct. The prosecution of culpable individuals – including corporate executives – for their criminal wrongdoing continues to be a high priority for the department.
For a company to receive full cooperation credit following a self-report, it must root out the misconduct and identify the individuals responsible, even if they are senior executives.
We are not asking that you become surrogate FBI agents or prosecutors, or that you use law enforcement tactics like body wires. And we do not need to hear you say that executive A violated a particular criminal law. All we are saying is that we expect you to provide us with facts. We will take it from there.
But a company that interviews its employees in an effort to whitewash the facts or spread the company’s narrative spin risks receiving any cooperation credit.
Additionally, for a company to receive full cooperation credit, the company must provide relevant documents and evidence, and should do so in a timely fashion.
We find that global companies are increasingly hasty to invoke foreign data privacy laws to avoid providing evidence to the department. While we recognize that some of these laws pose real challenges to data access and transfer, many do not.
As a result, we are looking closely – with an ever more skeptical eye – to ensure that these claims are honest and not obstructionist. A company that reads foreign data protection laws expansively, to restrict its disclosure of documents, when it could be read more narrowly, is in dangerous territory if it wants to receive full cooperation credit.
Although the department welcomes and encourages corporate cooperation, we do not rely upon it. We conduct our own robust investigations – often alongside that of the company – to build our own criminal cases and to pressure-test corporate claims of cooperation.
Companies claiming to cooperate while conducting lackluster investigations with little results should not be surprised when they do not get credit for their supposed efforts. And they should not be surprised when they face the consequences of our own investigations.
The benefits of corporate cooperation are clear. We often explicitly describe the benefits when we reach resolutions with companies. As just one example, earlier this year, the department announced Alcoa World Alumina’s guilty plea to FCPA charges stemming from its payment of millions of dollars in bribes to officials of the Kingdom of Bahrain.
As part of the plea, Alcoa paid $223 million in criminal fines and forfeiture. The department publicly commended Alcoa for its cooperation, which included conducting an extensive internal investigation, making proffers to the government, voluntarily making current and former employees available for interviews, and providing relevant documents to the department.
Alcoa’s cooperation was mentioned specifically as a factor that lowered the size of the criminal fine. In fact, absent cooperation, Alcoa could have faced a fine of more than $1 billion. Many people, however, want concrete examples of cases where we decided not to pursue charges at all in light of a company’s cooperation. The department is not typically in a position to disclose these declinations, and indeed many companies do not want the world to know that they were under department scrutiny.
Since it is difficult for me to publicly discuss some of the most positive results of cooperation, perhaps I can illustrate the point in reverse. In the plea agreement with BNP Paribas, the department highlighted the bank’s lack of cooperation with the government investigation as a crucial factor in the decision to require a guilty plea and record monetary penalties.
Significantly, BNPP affirmatively hampered the department’s ability to prosecute individual executives and employees for their criminal misconduct. To be sure, the breadth of the pervasive criminal misconduct in that case played a large part in the resolutions.
But, had the bank fully cooperated with the government investigation from the outset and provided the facts about the involvement of its employees, the bank would have been in a much better position on its day of reckoning.
The Criminal Division is more committed than ever to investigating corporate fraud and corruption. We will investigate regardless whether a company choses to cooperate.
But for a company to receive credit for its compliance program, it must have demonstrated effectiveness, with messages about compliance that come from the top and echo throughout the corporate hallways.
And for a company to receive full cooperation credit, it must uncover the misconduct, identify the responsible individuals, and fully disclose the facts to the department.
I want to thank you again for having me today, and I look forward to engaging with you on compliance issues over the coming years. I also want to thank you for your considerable efforts to keep your companies on the right side of the line.
I sincerely hope that you are all successful in that regard, so that we meet only at conferences like this, not across the Criminal Division conference room table discussing our investigation of your company.