Project: Corporate Counsel Part I (Unintended Consequences) - Law Firms The Best Defense Against Regulatory Action Is An Effective Working Compliance Program

Friday, July 1, 2005 - 01:00
David F. Axelrod

Editor: Please tell our readers about your practice.

Axelrod: A partner in our white collar defense group, much of my practice entails advising companies conducting internal investigations and helping them to determine what to do with the results. As well as assessing whether regulatory or law enforcement agencies will take administrative or other action, I help them determine what internal remedial measures to take.

I am a member of the Practitioners Advisory Group of the U.S. Sentencing Commission and a past-chair of the Criminal and Civil Tax Penalties Committee of the American Bar Association Tax Section. I am currently a sub-committee chair of the Document Retention and E-policy Sub-committee of the ABA Business Law Section's Corporate Compliance Committee. Before joining my law firm, I was a federal prosecutor for approximately seven years.

Farrar: My practice focuses primarily on securities work with mergers and acquisitions as a sub specialty. Following the enactment of the Sarbanes-Oxley Act in 2002, I have taken the lead with a few of our firm's other experts in putting together educational programs for our clients and assisting them in developing their compliance policies, programs and procedures to deal with all of the new requirements.

Our clients include a number of financial services institutions ranging from savings and loans to insurance companies to banking institutions. We also work with retailers, manufacturers, restaurants, home builders and companies in a variety of other industries. The depth and diversity of our practice gives us a wide breadth of expertise on the full range of legal issues that corporate America faces today.

Editor: How would you characterize the legal issues that challenge U.S. corporations today?

Farrar: The legal landscape in the corporate governance realm is very different from two years ago. One of my partners is fond of saying that Sarbanes-Oxley created a sharper learning curve than any other watershed event in her 30-plus years of practice.

The barrage of laws, regulations and commentary often overwhelm in-house counsel. The big items include the Sarbanes-Oxley Act itself, regulations adopted by the SEC and the new Public Company Accounting Oversight Board and the rules of the stock exchanges and NASDAQ. In addition, many agencies have posted interpretations and FAQs related to the rules in various media. Adding to the plethora, many practitioners are raising questions and answering each other's questions on blogs and websites adding an overlay as to what current best practices may be. Most in-house counsel find the legal landscape hard to negotiate since the answers are not always in the rules but need to be flushed out in subsequent interpretative guidance. It is this uncertainty which can be extremely difficult to deal with in day-to-day operations.

Axelrod: Prosecutors' actions around the country contribute to making the legal environment much more treacherous for everyone. In the past, legal requirements were fairly easy to discern, but now corporations face a panoply of mandates from an ever-increasing number of sources.

The complexity is exponential. For example, before compliance programs became the norm, unless a problem arose, a company that does business overseas did not ordinarily need to be concerned in the past with the Bureau of Export Administration or the Office of Foreign Assets Control. Now, such a company must predict areas where problems might occur, and proactively address each area.

The best defense is often a good offense. That is, corporations today must put themselves in a position to say that they did all that was reasonably possible to prevent misconduct.

Editor: What sources of authority can help corporate counsel through the quagmire of compliance requirements?

Axelrod: The foremost source is the Federal Sentencing Guidelines. In U.S. v. Booker and U.S. v. Fanfan, the Supreme Court recently ruled that the Guidelines are unconstitutional to the extent that they require judges to enhance sentences based on facts not found by a jury. Rather than abrogating the Guidelines, the Court has authorized judges to deviate from them more freely. In the past, this would have been an academic discussion insofar as corporations were concerned because they were rarely prosecuted. That is no longer true.

Another significant source is the formal statements of the DOJ and SEC about how they decide whether to take enforcement action against errant companies. The DOJ policy is contained in the so-called "Thompson Memorandum," named for then-Deputy Attorney General (now PepsiCo General Counsel) Larry Thompson. The eight or nine considerations include whether a company has an effective compliance program, whether disciplinary action was taken against those who violated it, and any other remedial measures implemented by the company.

In every complex organization, a few employees inevitably are going to violate the law. A company can be prosecuted for acts within the scope of an employee's responsibility that were intended in any way to benefit the company. For example, if a department head decides to stay under budget for the year by improperly disposing of environmental waste, the company benefits from the reduction of disposal costs. Under those circumstances, the company may be prosecuted even if it has an explicit policy requiring proper disposal of the waste. The company's best defense may be to demonstrate that it did all it reasonably could to prevent the violation. The existence of an effective compliance program would be a powerful disincentive for the government to prosecute the company.

The SEC takes a similar approach. In 2001, the SEC issued a release explaining why it had decided against bringing an enforcement action against a company called Seaboard, despite its controller's misconduct in causing the company's books to be inaccurate, and its periodic reports misstated, and in covering up his misconduct. The SEC listed a number of considerations similar to those in the Thompson Memorandum as the basis for its determination.

Farrar: Similarly, if an employee commits an insider trading violation, an action may also be brought against the corporation if the corporation has not taken appropriate steps to ensure that its employees do not trade on "inside" information.

Axelrod: Further, the stock exchanges require listed companies to have compliance programs, and the SEC requires companies that do not have codes of ethics for senior executives to say why. The Investment Advisers Act also has its own separate compliance requirements.

These are just a few examples of the sources of compliance requirements. They are everywhere today, and there is no reason to believe this trend toward more regulatory oversight will not continue.

Editor: What are the key components of an effective compliance program?

Axelrod: Under Guidelines section 8B2.1, companies must exercise due diligence to prevent and detect criminal conduct. Specific individuals within the organization's high-level personnel must have overall responsibility for ensuring that the company has an effective compliance program. The company's governing authority, which would include the board of directors, must be knowledgeable about the content and operation of the program and must exercise reasonable oversight with respect to its implementation and effectiveness.

Someone has to "own" the compliance process day-to-day. Companies take different approaches. In some companies, the function resides with the general counsel. In others, it may reside elsewhere with "dotted line" reporting to the general counsel. Weighing the different theories about what works best, I often prefer keeping it out of the general counsel's office. If a lawyer who is also a compliance officer talks to someone, a determination must be made as to which function is involved. If the lawyer is acting as the compliance officer, the conversation may not be privileged.

Companies must use reasonable effort to ensure that management does not include those who have engaged in criminal activities or other conduct that would be inconsistent with a compliance and ethics program. Criminal record and credit checks may be required before giving someone in a corporation substantial authority.

Training is a critical component of any compliance program. Reasonable steps must be taken to communicate compliance requirements. Formal classroom settings are not required, but the Guidelines do indicate that the more sophisticated the corporation, the more formalized communication and training must be. Small companies may use more informal systems. Compliance does not have to be so burdensome that it keeps small companies from doing business because of the costs.

The company must take reasonable steps to ensure that employees follow the program, including auditing and monitoring to detect criminal and unethical conduct. Periodic risk assessment is also a necessary component.

The company must periodically assess the effectiveness of the program. The company has to have a hotline which allows for anonymous or confidential complaints, where the employees and agents can report or seek guidance on their responsibilities without giving their names.

Incentives are required to encourage conduct that is consistent with the compliance program, as are disciplinary measures to punish people who fail to follow the program. I recommend making the adherence to the company's compliance program part of employees' annual evaluations.

Finally, the company must figure out whether and how it needs to change its program if criminal conduct occurs.

Please email the interviewees at and with questions about this interview.