Ethics and Compliance— Policy or Program?

The U.S. Department of Justice (DOJ) has served notice to the securities and finance industry that it is no longer sufficient or acceptable to create nice-sounding compliance policies. Such policies must be part of active, robust, effective programs.

“A surprising number of companies,” says Leslie Caldwell, head of the DOJ’s Criminal Division, “still lack rigorous compliance programs. And even more companies have what appear to be good structures on paper, but fail in practice to devote adequate resources and management attention to compliance.”

The prosecutors in the DOJ’s Criminal Division will be asking the following questions and considering the answers as they assess corporate compliance programs.

  • Does the institution ensure that its directors and senior managers provide strong, explicit, and visible support for its corporate compliance policies?
  • Do the people who are responsible for compliance have stature within the company? Do compliance teams get adequate funding and access to necessary resources?
  • Are the institution’s compliance policies clear and in writing? Are they easily understood by employees? Are the policies translated into languages spoken by the company’s employees?
  • Does the institution ensure that its compliance policies are effectively communicated to all employees? Are its written policies easy for employees to find? Do employees have repeated training, which should include direction regarding what to do or with whom to consult when issues arise?
  • Does the institution review its policies and practices to keep them up to date with evolving risks and circumstances, to include mergers and acquisitions?
  • Are there mechanisms to enforce compliance policies? Those include both incentivizing good compliance and disciplining violations. Is discipline even-handed?
  • Does the institution sensitize third parties like vendors, agents, or consultants to the company’s expectation that its partners are also serious about compliance? This means taking action – including termination of a business relationship – if a partner demonstrates a lack of respect for laws and policies.

Further, says Caldwell, in anti-money laundering and sanctions contexts, prosecutors will also ask:

  • What does the institution’s “know your customer” policy look like?
  • If a financial institution operates in the U.S., whether it is a U.S.-based bank or a U.S. branch or component of a foreign bank, is it complying with U.S. laws?

It seems clear that the DOJ and the SEC, in their FCPA and other investigations, are looking for effective actions, not just well written policies. A recent LAW360 analysis piece by attorney Matt Herrington summed up that conclusion nicely. Referring to a December 2014 Securities and Exchange Commission settlement with Bruker Corporation, Herrington said:

It was the lack of activity [even with no evidence of headquarters involvement or knowledge] that created the basis for the settlement—the failure to take any steps to ensure that a nifty set of policies which had been promulgated down to the subsidiary had actually been implemented. In other words, they had a policy, but no program.

Although Assistant Attorney General Caldwell was speaking about compliance programs, the conclusion holds just as true for ethics efforts. Ethics policies must be part of active, robust, effective ethics programs.

Ethical Advocate provides comprehensive ethics and compliance solutions, including ethics and compliance training and confidential and anonymous hotlines. Contact us for more information.


Herrington, Matt. “From Anti-Corruption Policy to Anti-Corruption Program,” LAW360 Corporate news page, November 6, 2015.

For more information on the Bruker Corporation settlement, see Peter Viksnins’ “After Bruker: How Much Compliance is Enough?” The FCPA Blog, February 18, 2015,

U.S. Department of Justice. “Assistant Attorney General Leslie R. Caldwell Speaks at SIFMA Compliance and Legal Society New York Regional Seminar,” copy of prepared remarks, November 2, 2015.