Taking the Heat… the 2022 Monaco Memo [part 2]
I wrote about the Monaco memo last week, and we covered a lot. You can find that here.
Now that you’ve steeled your spine, let’s get into how your program is going to be picked apart. ⛏️
The DOJ has made it clear that having an effective compliance program doesn’t provide a defense for misconduct. But that doesn’t mean that your program isn't important!
Harkening back to knowing your company’s history, compliance programs will also be assessed at two points in time: the time of misconduct, and the time when charges were filed. This means you need to understand how your program has evolved over time, the improvements you’ve made, and what you’re doing now to address risks.
Make sure there are no gaps in your timeline. While having a short memory might help with mitigating stress or moving forward from past mistakes, it’s only going to create headaches when it comes to the DOJ. You need an elephant-like recording of compliance initiatives and issues at your company, so you can match up compliance program history with the timing of the misconduct that's being investigated.
Turning to what the DOJ is going to focus on, once again this memo gets straight to the point. They want to see that your program is:
✅ Adequately resourced
✅ Working in practice
And they still expect to see aspects from their previous guidance, like:
✅ Measurement and identification of risk
✅ Monitoring of payment and vendor systems
✅ Disciplinary decisions in the HR process
✅ Senior leader’s actions match their words
If that isn’t enough, they do in fact care that all of this is followed in practice (see, I told you effective compliance programs are still important!).
So what's new?
Some new things in this memo include having data on compensation structures, having policies on clawback provisions or retroactive discipline, incentivizing compliance-promoting behaviors, and the use of non-disclosure or non-disparagement provisions.
Additionally, the DOJ joined the digital age and are explicit that they want to see your policy on Personal Devices and Third-Party Applications. They even get further into the weeds and tell you exactly what needs to be in your policy (like preserving business-related electronic data and communications), and they’ll assess whether you’ve issued clear training on this policy and can demonstrate enforcement. 😥
So, what should you take away from this part of the memo?
Just because “having an effective program” is not a defense, doesn’t mean that what you do isn't vital. It's just one more reason to make your business case that your program reduces risk in a way that saves more money than it costs (because, sadly, no one is going to do it for you).
Even though your past is going to be a factor, it doesn’t define you (just as in life!). These “moments in time” are critical. This is a marathon, not a sprint. Keep improving your program even after a misstep. No program is perfect, so showcase what you’re doing to make it better each day. Will it be enough? Maybe. Either way, doing nothing is terrible and—worst case—you’ll get feedback on what to improve directly from the regulators.
Again, the program factors are outlined in the memo 💰 with all the things you need to think about. But, did anyone else notice...IT’S (mostly) NOT NEW!? This is the same stuff the Feds have been saying for years.
The new-ish part is the compensation structure stuff. I don’t think we’ve seen this so eloquently explained in previous guidance, at least not to this depth of specificity. Bottom line: tie your leaders’ comp plans to compliance outcomes. Which ones and how? Well, that’s up to your company, but your risk assessment is a great place to start looking for points of emphasis.
The part about personal devices and third-party apps is interesting. And honestly, I love it. It shows that the Feds are getting with it tech-wise, and you need to be, too. If you don’t already have a policy on this, guess what you get to do next!? Then you gotta train on it (hey, we know some folks that can help with that! *wink*). And then you need to start enforcing it, so make sure your policy has an owner who has the resources to do that. If it’s not you, take them out to lunch and talk to them about how you can support them. It’s a big job!
Source: Jason Sudeikis | Golden Globes
And now for the wrap-up portion of the memo.
Here’s a peek behind the curtain (albeit a teeny, tiny little sliver, but a peek nonetheless). The DOJ is asking you to be accountable, and they are taking their own medicine. 💊
First, we get some insight on how monitorships will be applied. “Fact-specific” is the term used, but we can infer that a lot of those facts will be dependent on what's discovered during the accountability and assessment phases of their investigation (see everything in Part 1 and above). But here’s where you can leverage your documentation. If you’re being open and transparent (i.e., you followed the “spirit” of the request, not just the letter), it’s fair to ask about cooperation credit when prosecutors consider the resolution.
It goes on to say the process of determining monitorships will be transparent and free of any conflicts (on the prosecutor side). Ok, yeah, but hasn’t that always been the case? If not, yikes! Additionally, prosecutors will regularly communicate with the monitor, and continuously review the status of the resolution. This feels a little big brother, but is in line with their consideration of past bad behavior.
Also, all agreements will include agreed-upon facts describing the misconduct and considerations by the DOJ for entering into the agreement. This next part I love: “agreements will describe the reasoning for a monitor.” While I don’t relish the idea of folks getting in trouble, all this data will be tremendously helpful in providing insight and potential guidance on the direction the DOJ is heading with their prosecutions and resolutions.
So, what's the takeaway from this section of the memo?
Right now, not much.1 This is really more for the DOJ units. Over the next few years we’ll get a good picture on how this works (generally, these processes move at a glacial pace, so it'll take a couple beats). Does that mean an end to curveballs? Ha, we wish! But it does mean that we’ll have more direct guidance to work with. Which is always a good thing, so… #job security
One thing’s for sure, there will be lots more to come! Never a dull moment for us compliance folks!
Phew! That was a lot. Props for making it this far! Let’s keep the conversation going. Drop me a line and let me know what you think.
And if you have not already done so, click here to download our free visual breakdown of the Monaco Memo.
1 Things are moving fast! Just a few days ago, Assistant Attorney General Polite outlined the Criminal Division's updated policies on voluntary self-disclosure. You can check out his comments here, but I particularly like this little nugget:
A path that incentivizes even more robust compliance on the front-end, to prevent misconduct, and requires even more robust cooperation and remediation on the back-end, if a crime occurs.