On April 30, 2004, the United States Sentencing Commission forwarded to Congress its recommendations for amendments to the Sentencing Guidelines for Organizations it first promulgated in 1991. The proposed amendments take effect November 1, 2004, unless Congress disapproves them during the upcoming six-month review period. While most of the proposed amendments deal with serious criminal procedure issues such as "Child Pornography," "Public Corruption," and "Drugs," the Commission also has chosen to impose more stringent guidelines governing compliance and ethics programs. While technically speaking the Guidelines relate exclusively to criminal actions, the Commission's prior compliance guidelines were widely followed and utilized as a model in the civil and administrative contexts as well. Simply put, any entity with a current compliance plan, which should be most everyone given the Sarbanes-Oxley Act of 2002, is directly impacted by these new Guidelines.
In this article, we briefly explain the role of the Sentencing Commission. We also reiterate once again the importance of compliance and ethics programs, especially for government healthcare providers, government contractors, and anyone who falls under the Sarbanes-Oxley umbrella. We then examine and contrast the new compliance and ethics Guidelines with the original 1991 version. Fortunately, the Sentencing Commission itself has made conveniently available on its webpage a number of helpful materials explaining the proposed Guidelines. The Commission's web site is located at www.ussc.gov. Pertinent materials have already, or will, also be published in the Federal Register.
What Is The U.S. Sentencing Commission?
The Commission is an independent agency situated within the judicial branch of the federal government. According to the Commission's self-description in "An Overview of the United States Sentencing Commission," available on its web site, it has three principal functions, only two of which are pertinent to compliance plans. First, the Commission establishes "sentencing policies and practices for the federal courts, including guidelines prescribing the appropriate form and severity of punishment for offenders convicted of federal crimes." In addition, the Commission has as its second responsibility to "advise and assist Congress and the executive branch in the development of effective and efficient crime policy."
The amended Guidelines, if adopted by Congress (which seems highly likely), will direct federal judges as they make sentencing decisions. While there has been some substantial debate as to whether such guidelines are too restrictive and overly limit the sentencing judge's discretion and expertise, nobody has disputed that compliance plans are extremely desirable and that those with "effective" compliance plans in operation should be accorded a degree of leniency if they should fall into the snare of the federal criminal justice system.
The 1991 Guidelines
The original Guidelines specified the now-familiar elements comprising an effective compliance plan. The guidelines enumerated such components as codes of conduct, compliance officers, effective compliance training, internal reporting systems (such as a hotline system), disciplinary sanctions and limitations on the delegation of discretionary authority to employees. The Guidelines also mandated the inclusion of devices (such as audits and internal reviews) to ensure that compliance was, in fact, being implemented. These elements also comprise the proposed amendments as well.
The government in particular hoped that compliance plans would accomplish a number of objectives. First, self-policing would ideally result in companies avoiding breaking the law in the first place. This is why government model plans put such emphasis upon training, training and more training of executives and staff. Second, effective compliance plans would theoretically identify deviations from the law, and promote voluntary disclosures that would correct the problems and reimburse the government for its losses via penalties and multiple damages. Underlying both objectives was the realization that the government simply could not oversee every procurement program or detect every deviation from the law. Self-policing would lift a portion of this routine burden from the shoulders of the government enforcers, enhance the overall operation of government programs, and leave the enforcers free to concentrate on major systemic problems.
The Explosion In Compliance And Ethics Programs
The original 1991 guidelines set off a wave of compliance and ethics plan adoptions in the mid-1990's. Much of the impetus for this development came from government agencies. For example, the Department of Defense long had insisted upon compliance plans being in place before it would enter into procurement contracts. When the Inspector General of Defense, June Gibbs Brown, moved to a similar position in the Department of Health and Human Services ("HHS"), she strongly advocated that participants in federal healthcare programs should likewise demonstrate their good faith by adopting effective compliance plans. As part of its commitment to the compliance philosophy, the OIG issued a number of model compliance plans designed for different types of healthcare providers, such as hospices, physicians, durable medical equipment suppliers, and hospitals. Eventually, the Office of Inspector General at HHS demanded what it termed "Corporate Integrity Agreements" as part of any settlement it and the Department of Justice entered into to resolve allegations of healthcare fraud or abuse. These "CIA's" were really nothing more than severely restrictive, and often terribly expensive and disruptive, compliance plans, subject to periodic monitoring by the government. Healthcare providers soon concluded that it was better to have their own compliance plan in operation, which could serve as the core of a CIA if necessary, than to allow the OIG free rein in proposing its own CIA. The most recent stimulant to compliance and ethics programs has been the Sarbannes-Oxley Act of 2002 which directly addresses requirements for enhanced compliance and ethics programs.1
Philosophy Of The New Guidelines
It is essential to understand what appears to be the motivating philosophy behind the proposed amendments. Simply put, in order to reap the benefits of a compliance plan should an entity be convicted of a federal offense, i.e., mitigation of sentence or reduction in civil penalties, such plans must now pass muster under somewhat more stringent program criteria. In other words, the proposed amendments "get serious" about compliance plans and make it clear that without a significant investment of resources and commitment to the compliance philosophy, the government will not consider plans to be "effective." The era of developing a compliance plan and letting it collect dust on the shelf is over; a new epoch of intense scrutiny of compliance plans has begun. The new criteria are so rigorous that it seems as if there may be a rebuttable presumption that a compliance plan is not "effective" until proven otherwise. A serious and continuing commitment to compliance and ethics is necessary to survive under the new system. Nothing else will satisfy this new burden.
Elements Of The New Guidelines
This philosophy is reflected in the proposed amendments' explicit definition of an "Effective Compliance and Ethics Program" in §8B2.1.2 In order to satisfy this definition, an organization must "(1) exercise due diligence to prevent and detect criminal conduct; and (2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law." Moreover, "Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct." While the amendment is quick to acknowledge that failure to prevent or detect an offense does not mean the plan is not an effective one, it is clear that the Commission has adopted a "proactive" approach to compliance, reflecting a real commitment and dedication of resources. Theoretically, if an appropriate "organizational culture" is present, adherence to legal standards will follow as a matter of course.
While the traditional compliance plan elements are present in the revised criteria, they are embedded in new and more stringent implementing requirements. The amendments posit seven minimum requirements which demonstrate the presence of an appropriate organizational culture.
Establishment of standards and procedures to prevent and detect criminal conduct [§8B2.1(b) (1) and (2)] It is no longer enough simply to promulgate a code and establish a plan - no matter how well that is done. Now the organization's "governing authority" shall be conversant with the program and exercise reasonable oversight. This is really the most crucial modification the Commission has mandated, and reflects a shift in the center of gravity of compliance and ethics programs from the compliance officer and/or committee to the highest levels of management. It is required that "high-level personnel" be involved in the implementation of the program, and specific responsibility is to be assigned to such individuals. Those to whom responsibility for operating the program is delegated shall report periodically to these high level individuals regarding the effectiveness of the program.
In short, every compliance plan must include on a continuing basis the involvement of the highest level of company management in its design and implementation. As a result, compliance and ethics considerations become an element of upper management's daily responsibilities. Moreover, it is their responsibility to ensure that the organization's plan is effective, including furnishing sufficient resources to compliance officials.
Care in selecting "substantial authority personnel" [§8B2.1(b)(3)] This traditional compliance component also has been upgraded. The guidelines now impose a burden upon organizations to exclude from key positions any person "whom the organization knew or should have known through the exercise of due diligence" has in the past acted contrary to the dictates of compliance and ethics. Formerly, a company was only required to foreclose from key positions someone who has "a propensity to engage in illegal conduct."
Dissemination of compliance standards and procedures [§8B2.1(b)(4)] Once again reflecting the new guidelines' emphasis upon the role of senior management in implementing compliance, the requirements for effective training now extend not only to employees and agents, but also to "members of the governing authority, high level personnel [and] substantial authority personnel." Such training must be "on-going" and capable of providing compliance "updates" when appropriate.
Oversight of compliance plan implementation [§8B2.1(b)(5)] No matter how great a plan appears on paper, it must have actual impact. The new Guidelines impose enhanced obligations for monitoring and auditing in order to ensure the program is being followed. This requires establishing internal reporting systems, including those providing for "anonymity or confidentiality," so that "employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation." The organization should also undertake periodic audits of the compliance plan itself to assess its effectiveness.
Consistent promotion and enforcement of compliance program [§8B2.1(b)(6)] Two concerns are reflected under this category. First, incentives encouraging compliant and ethical behavior should be built into the organization's compensation and recognition systems. Second, a rigorous disciplinary system should be in place to punish violations of the compliance plan or to sanction those who fail to take "reasonable steps to prevent or detect criminal conduct." Presumably this would include an obligation on the part of all organizational employees and managers to report suspected misconduct by their fellow employees, always a difficult task under compliance plans.
Responding to Criminal Conduct that is detected [§8B2.1(b)(7)] If criminal conduct is discovered, the organization must undertake whatever changes in its structure and procedures are necessary to foreclose a recurrence of that misconduct.
Conclusion
If there was ever any doubt that compliance and ethical programs are critical components of effective corporate management, it has been dispelled permanently by the proposed amended Guidelines. Every compliance and ethics program should be reviewed to see if it passes muster under the new guidelines. Most importantly, senior management must become intimately involved on a continuing basis in the design and operation of any compliance plan. Otherwise, an organization runs the risk of its program backfiring rather than yielding the substantial benefits that can accrue if a plan is deemed "effective." 1 Another impetus for corporate boards to adopt effective compliance plans came in In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Ct. Chanc. Del. 1996). There, the Delaware court indicated that failure of a director to implement a compliance plan might be construed as a breach of fiduciary duty.
2 Several Commission publications, which are available on its website, are particularly helpful in reviewing the proposed amendments and assessing their impact. A major source of assistance is Amendments to the Sentencing Guidelines (May 10, 2004), which the Commission has put into a "reader-friendly" format. The amendments as sent to Congress are found in Amendments to the Sentencing Guidelines, Policy Statements and Official Commentary (May 1, 2004). Also helpful is the Commission's May 3, 2004, press release, Sentencing Commission Toughens Requirements for Corporate Compliance and Ethics Programs. The Federal Register May 19, 2004, notice is located at 69 FR 28994-29028.
Published July 1, 2004.
