The combination of intense economic pressure on employees across many industry sectors and the adjustment to a new remote work environment amid the COVID-19 pandemic has created an unprecedented opportunity for insiders to exploit new or lightly tested compliance processes. Employee training programs, internal investigations and risk management meetings that were largely in-person are now remote. Amid the hardship and disruption of the pandemic, some insiders may feel more empowered to commit fraud, feeling—rightly or wrongly—that no one is watching.
As the pandemic and remote working arrangements continue, compliance professionals must revisit two fundamental questions: 1) Has the compliance program done enough to prevent, detect and remediate intentional misconduct given the changed landscape? and 2) Are the compliance program’s protocols, goals and initiatives aligned with the expectations of regulators to ensure liability is not imputed to the company for its failure to prevent, detect and remediate fraudulent conduct by employees and vendors?
Regulatory Expectations in the COVID-19 Era
A reasonable first step to address these challenges is to take advantage of the Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP), which was revised on June 1, 2020. Companies responding to government investigations or developing or improving their compliance programs may find the ECCP especially useful. The 2017 edition covered 11 different topics and provided 119 questions for compliance departments to consider. Although largely consistent with the 2017 and 2019 editions, the revised 2020 ECCP provides new guidance on what is expected from compliance programs in the COVID-19 era and beyond. Key points from the update include:
- Compliance programs should be designed to be fluid. Specifically, prosecutors considering a compliance program’s adequacy should assess whether it relies on a static snapshot of one point in time or periodic risk assessments based on current trending data, and whether this has led to updated policies, procedures or controls. Importantly, in the event of a criminal offense, prosecutors are asked to evaluate a company’s compliance program both at the time of the offense and at the time of charging decision and
- Those working in the compliance department should have sufficient access to relevant sources of data “to allow for timely and effective monitoring and/or testing of policies, controls and transactions.” In other words, the compliance function should be structured to allow a company to evaluate its own program in real time so that it can leverage its own data.
- The update emphasizes a compliance program’s efficacy and accessibility. Prosecutors are asked to consider whether the company’s compliance training is working, meaning that employees are given the right training and resources to identify, evaluate and report problems or potential problems through the appropriate higher channels within the organization. Similarly, training materials and compliance resources should be internally publicized and easily accessible for employees. For example, the guidance asks whether employees are aware of and comfortable using the company’s own hotline to report malfeasance or misconduct.
- Prosecutors should evaluate not only whether a compliance program’s implementation is effective, but whether it is “adequately resourced” to function effectively. While not contrary to previous guidance, this is a slightly new gloss. Specifically, the 2020 ECCP asks prosecutors to consider a company’s investment in training and development of the
- Prosecutors are encouraged to consider the rationale behind the formation and evolution of a company’s compliance choices. Do they seem sensible and designed to prevent, detect and remediate misconduct? Factors such as size, industry, geographic footprint and regulatory environment may all be considered.
Identifying and Plugging Compliance Gaps
Other insight into current compliance expectations can be gleaned from the Virtual Town Hall held on May 20 by the Department of Justice, Securities and Exchange Commission, and Federal Bureau of Investigation. While acknowledging constraints on revenue and resources, DOJ clearly expressed the continued expectation that companies have the right controls in place to prevent, detect and remediate problems, and that companies are testing those controls. This also includes ensuring adequate training and policies are in place. Simply put, while the COVID-19 pandemic might partially explain why or how an offense occurred, it will not serve as a persuasive defense that precludes corporate liability for a compliance gap.
The question then becomes what companies can do now to align their compliance programs with regulator expectations and to obtain the best possible outcome from those regulators if or when misconduct occurs. Regulators do not expect a compliance program to stop all wrongdoing, but they do want to see tangible efforts and real-time assessments and improvements designed to prevent, detect and remediate fraud and other misconduct.
areas of prevention might include identifying the seniority or experience level of internal accounting personnel, whether frequent or recent changes of external auditors keep occurring, or whether there is an important revenue stream that is highly dependent on foreign government approval.
Consistent with the new ECCP guidance, companies can reevaluate past and current policies. For example, they can reexamine current codes of conduct and employee and vendor feedback to evaluate whether to update other policies. In a remote work environment, companies might reconsider whether their information security policies adequately cover issues like employees accessing company servers from home networks, or whether their Bring Your Own Device policy effectively communicates that employee cell phones may be examined during internal
Useful data for updating a current compliance program can also be found in employee surveys, exit interviews, audit reports, prior internal investigation reports, helpline reporting trends, or any other accessible incident response data. From this data, compliance professionals can identify gaps and figure out reasonably
can consider semi-regular virtual meetings with personnel from the audit function and/or human resources to address antifraud controls and employee questions or reports.
Compliance Lessons from the Pandemic
Because every compliance program must be uniquely tailored to the individual company that it serves, there is no uniform approach or set of practices that can be taken when assessing that program’s efficacy in guarding against inside and outside threats or regulator expectations. Companies should consider the following factors to determine if their compliance program is aligned with regulator
- Even in the current COVID-19 environment, companies are still expected to closely monitor, adapt and test their own
- Regulators will likely look at whether a company is effectively using its internal data to evaluate and improve preexisting compliance programs, policies and training.
- Investment in the compliance function will be assessed as part of a company’s commitment to prevent, detect and remediate
- The efficacy of a company’s compliance program will be scrutinized with particular regard to whether employees are given the right training and resources to identify, evaluate and escalate problems within the organization.
- Regulators will also likely consider a program’s efficacy by examining the factors that went into how the company designed the compliance program to prevent, detect and remediate misconduct.