Ethics & Compliance Update

On April 7, 2010 the U.S. Sentencing Commission approved amendments to its Sentencing Guidelines. The Amendments, are effective November 1, 2010.

Directive commentary has been added to emphasize what organizations should do once they discover potentially criminal conduct.

• The organization should respond appropriately to the criminal conduct. The Amendments provide that the “organization should take reasonable steps, as warranted under the circumstances, to remedy the harm resulting from the criminal conduct. These steps may include, where appropriate, providing restitution to identifiable victims, as well as other forms of remediation. Other reasonable steps to respond appropriately to the criminal conduct may include self-reporting and cooperation with authorities.”
• The organization should act appropriately to prevent further similar criminal conduct, including “assessing the compliance and ethics program and making modifications necessary to ensure the program is effective.” The Amendments provide that “steps taken should be consistent with subsections (b)(5) and (c) and may include the use of an outside professional advisor to ensure adequate assessment and implementation of any modifications.”

The Amendments also address the kinds of reporting structures organizations must adopt. They provide:

• The Chief Compliance Officer (CCO) should report to the Board or appropriate subcommittee of the Board such as compliance or audit.
• Organizations are also encouraged to have a hotline and other mechanisms to detect any compliance and ethics violations internally

The Federal Sentencing Commission’s summary of amendments can be found at http://www.ussc.gov/2010guid/finalamend10.pdf

On July 21, 2010, President Obama signed into law the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) and its sweeping financial regulatory reforms.

• Included among the provisions is a new whistleblower program which provides substantial cash rewards for whistleblowers who voluntarily provide information to the Securities and Exchange Commission (SEC) leading to the successful prosecution of securities law violations.
• Whistleblowers who report securities violations, including violations of the Foreign Corrupt Practices Act (FCPA), that result in monetary sanctions greater than $1 million, may receive between 10 and 30 percent of the total recovery.
• The whistleblower provision also provides anti-retaliation protections, which permit civil causes of action for wrongful termination, suspension, harassment, or other discrimination because of the whistleblower’s reporting to the SEC.
• If successful, an anti-retaliation claim can result in reinstatement of seniority, two times the amount of back pay otherwise owed with interest, and compensation for litigation costs, expert witness fees and reasonable attorneys' fees.
• The Dodd-Frank act also amends the Sarbanes-Oxley and the False Claims Act to provide broader protection for whistleblowers.

SOX does not actually mandate business ethics training or adopting a Code of Ethics / Code of Conduct, but it requires that a company disclose whether or not it has adopted a Code that satisfies the definition above. If the company has not adopted such a Code, it must disclose why. This approach is often described as a "law of shame."

Section 406 of SOX requires disclosure of whether a Code of Ethics has been adopted.

Section 406 of SOX directed the Securities and Exchange Commission (SEC) to issue rules requiring each public company to disclose whether or not it has adopted a Code of Ethics (business Code of Conduct or employee Code of Conduct) that applies to the organization's key officers. The SEC adopted final rules implementing Section 406 of SOX in January 2003.

The final SEC rules define "Code of Ethics" as written standards that are reasonably designed to deter wrongdoing and to promote:

• Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships.
• Full, fair, accurate, timely and understandable disclosure in reports and documents that a company files with or submits to the SEC and in other public communications made by the company.
• Compliance with applicable governmental laws, rules and regulations.
• The prompt internal reporting of any violations of the Code of Ethics to an appropriate person or persons identified in the Code of Ethics.
• Accountability for adherence to the Code of Ethics.

Section 301 of SOX requires clear communication of reporting channels and protocols.

It's important to consider the importance of training when addressing general compliance with SOX. SOX requires each Audit Committee to establish a procedure for the confidential, anonymous reporting of complaints about audit and financial matters. (Section 301(4)). Such "procedures" naturally involve training and education about reporting channels and protocols.

Article 8 of SOX:

• Protects the employee who provides information about acts he/she reasonably believes to be a violation of securities laws, rules of the SEC, or laws relating to fraud against shareholders.
• Protected employees cannot be discharged, demoted, suspended, harassed, or otherwise discriminated against.

The Federal Sentencing Guidelines set out a uniform sentencing policy for convicted defendants. Judges use these guidelines to determine how severely to punish individuals and corporations that violate federal law.

Sanctions awarded against employers have grown dramatically. The average sanction was just $1.9 million shortly after the Guidelines were passed in 2002. The average sanction is now $49 million.

The Federal Sentencing Guidelines provide that public and privately held organizations can avoid up to 95% of fines and penalties imposed for violation of federal law if they provide periodic, comprehensive ethics and Code of Conduct training.

The Guidelines were amended in 2004 to apply to corporations. Under the 2004 amendments, all employers are required to:

• Adopt comprehensive ethics and compliance programs, and
• Train on the fundamentals of those programs.

The Federal Sentencing Guidelines specifically reference the need to proactively communicate the organization's ethics and compliance program by "conducting effective training programs." §8B2.1(b)(4). Clearly, distributing a Code of Conduct, whether electronically or in hard copy, does not amount to an effective education program.

Given the relative infancy of the FSG requirements, employers can be informed and guided by the historical data and information regarding employment law training requirements. Following landmark decisions by the US Supreme Court in 1998, and specific training guidelines from the EEOC in 1999, there is a mountain of case law showing that distribution and even tracking of policies is not enough to meet a training requirement. See Faragher v City of Boca Raton, 118 S Ct 2275 (1998); Burlington Industries, Inc. v Ellerth, 118 S Ct 2257 (1998); Equal Employment Opportunity Commission, Enforcement Guidance: Vicarious Employer Liability for Unlawful Harassment by Supervisors (6/18/99).

Employers with more than 200 employees should be particularly aware of the formality of the FSG's training requirement. While small employers (<200 employees) may provide training through more informal means ( i.e. staff meetings) as long as the training is effective and comprehensive, larger employers (200 employees or more) must provide more formally planned and implemented training programs. U.S. SENTENCING GUIDELINES, §8B2.1(b) cmt. Background (November 1, 2004).

The employers impacted? Everyone.

The Federal Sentencing Guidelines apply to “all organizations, whether publicly or privately held, and of whatever nature, such as corporations, partnerships, labor unions, pension funds, trusts, nonprofit entities and government units. UNITED STATES SENTENCING COMMISSION, AN OVERVIEW OF THE ORGANIZATIONAL GUIDELINES (2004).

The training audience? Everyone.

Sections 8B2.1(b)(4)(A) & (B) of the Federal Sentencing Guidelines reference the need to train the entire workforce with a sweeping definition of "individuals" who must be trained:

“The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to [members of the governing authority, high-level personnel, substantial authority personnel, the organization's employees, and, as appropriate, the organization's agents] by conducting effective training programs and otherwise disseminating information appropriate to such individuals' respective roles and responsibilities.”

This requirement is further underscored in the Commentary to the Amendments:

“Section 8B2.1(b)(4) makes compliance and ethics training a requirement, and specifically extends the training requirement to the upper levels of an organization, including the governing authority and high-level personnel, in addition to all the organization's employees.”

The Federal Sentencing Guidelines provide that training must be provided "periodically." §8B2.1(b)(4).

While "periodic" is not defined officially by the FSG's, employers can be guided by how that term has been interpreted in the employment law arena. The US Supreme Court and the EEOC require "periodic" harassment and discrimination prevention training for all employees and managers. A thorough review of employment law training case law shows that "periodic" is generally interpreted as every 12 - 24 months. See http://www.elt-inc.com/2004_national_law_of_training.pdf.

California's sexual harassment training law (AB 1825; new Government Code section 12950.1 ) (4) also references periodic training, and officially sets the time frame at every two years. See http://www.elt-inc.com/AB1825_ELT.doc.

Based on this legislative context and a thorough review of state and federal case law from the past 5 years, ELT recommends training every year, and at least every other year.

Also, it is essential that new employees be trained as soon as possible. Under California's sexual harassment training statute, mandated training must occur within six months after a new manager is hired.

The FSG's make clear that employers can be held liable for their employees' illegal conduct. If employers take proactive steps to prevent unethical and illegal conduct through an effective ethics and compliance program (which includes training), employers can substantially mitigate potential fines and punishment for criminal violations:

“The potential fine range for a criminal conviction can be significantly reduced -- in some cases up to 95 percent -- if an organization can demonstrate that it had put in place an effective compliance and ethics program and that the criminal violation represented an aberration within an otherwise law-abiding community.” UNITED STATES SENTENCING COMMISSION, AN OVERVIEW OF THE ORGANIZATIONAL GUIDELINES (2004).

The opposite side of this equation is that an absence of effective ethics and compliance programs can be used to increase fines and punishment.

Affected organizations must:

• Adopt a written Code of Business Ethics and Conduct;
• Provide a copy of the Code to employees;
• Promote compliance with the adopted Code;
• Establish an "ongoing business ethics and business conduct awareness program" for employees; and
• Establish an internal control program aimed at:
  • The "timely discovery" of improper conduct; and
  • Ensuring "corrective measures" are "promptly instituted and carried out."

Effective December 24, 2007, clarified December 12, 2008.

The complete text of the new FAR requirements can be found at the following links:

http://acquisition.gov/far/current/html/Subpart%203_10.html
http://acquisition.gov/far/current/html/52_200_206.html
http://www.regulations.gov/fdmspublic/component/main?main=DocumentDetail&o=09000064807a4de3

The FAR requirements generally apply to any government contract worth at least $5,000,000 and which requires at least 120 days to perform, regardless of which government contracting agency is involved in the contract. §3.1004.

The Amendments also apply with minor exceptions to subcontractors providing services under the affected contracts. Id.

• Adopt a written Code of Business Ethics and Conduct;
• Provide a copy of the Code to employees; and
• Promote compliance with the adopted Code.

§52.203-13(b).

• Establish an "ongoing business ethics and business Conduct awareness program" for employees; and
• Establish an internal control program aimed at:
  • The "timely discovery" of improper Conduct; and
  • Ensuring "corrective measures" are "promptly instituted and carried out."

§52.203-13(c) et. seq.

*These periods may be extended by the contracting officer and the requirement does not apply to existing contracts that were awarded before December 24, 2007, or to task orders awarded under those contracts.

On December 12, 2008, FAR was amended to specifically define elements of the mandated compliance programs, and require contractors to disclose suspected criminal conduct in connection with government contracts. They supplement the December 2007 regulations, and provide contractors with more detailed guidance on how to meet their training and compliance obligations.

With respect to Code of Conduct training, the new amendments seek to bring the FAR requirements into closer alignment with the requirements of the Federal Sentencing Guidelines. Training must:

• Be periodic, and appropriate to each individual's duties. §52.203-13(c)(1).
• Be effective. §52.203-13(c)(1).
• Go to all "principals and employees" and where appropriate, to all "agents and subcontractors."  §52.203-13(c)(1)(ii).

The December 2008 Amendments do not specifically define how often training must be provided. However, case law in the context of harassment training and widely accepted training practices under the Federal Sentencing Guidelines strongly suggest that training must be provided every 12 to 24 months.

The training must also be provided “as appropriate” to the contractor's agents and subcontractors.  §52.203-13(c)(1)(ii). This confirms that contractors may not skirt their training obligations by limiting training to those employees specifically tasked with performance of the government contract.

Contractors that fail to comply with these new requirements could face withheld payments, loss of fee award, or even debarment, suspension or other disciplinary action. §3.1003(a)(1)-(3).

The regulations require affected contractors to institute internal controls, including suggested "periodic reviews of company business practices, procedures, policies and internal controls."  §52.203-13(c)(2)(ii)(c). This makes a robust ethics and code of conduct program an absolute essential for employers doing even modest business with the federal government.

The December 2008 Amendments also provide much greater detail regarding what Internal Control Systems should include, how they should aid in the discovery of improper conduct, and the kinds of corrective measures that should be taken. See  §52.203-13(c).

Among other things, the December 2008 Amendments provide that Internal Control Systems should include standards and procedures to facilitate the timely discovery of improper conduct and ensure that corrective measures are promptly instituted and carried out. Id.

They also provide that Internal Control Systems should provide for the following:

• Assignment responsibility at a sufficiently high level in the organization to ensure adequate resources are provided for both the training and internal control system.
• Reasonable efforts to ensure that a contractor's leaders including officers, directors, owners and others with primary management responsibility have not engaged in illegal conduct or conduct which violates the contractor's Code of Conduct.

See  §52.203-13(c) et. seq.

Periodic reviews of company practices, procedures, policies and internal compliance controls, including:

• Monitoring and auditing activities to detect criminal conduct.
• Periodic reviews of the effectiveness of the company's training and internal control programs.
• Periodic assessments of risk with appropriate steps to design, implement or modify the compliance training program and internal control system to reduce the identified risk.
• A confidential / anonymous internal "hotline" or other reporting mechanism. 
Disciplinary action for improper conduct or for failing to take reasonable steps to prevent or detect improper conduct. Id.

FAR requires affected companies to "timely disclose in writing" to the agency Office of the Inspector General whenever they have reasonable grounds to believe that there has been a violation of the False Claims Act or other provisions of federal law relating to the award or performance of a government contract. §52.203-13(b)(3).

The self-disclosure requirements are very broad under the December 2008 Amendments. The Rules provide that affected companies must disclose whenever they have reasonable grounds to believe there has been a violation of the False Claims Act or other federal law relating to the award or performance of a federal contract. Id.

Additionally, FAR provides that ethical violations will be considered in the past performance evaluations of bidding companies. They also provide that contractors can be suspended and/or debarred for a "knowing failure" to timely disclose:

• A violation of "Federal criminal law involving fraud, conflict of interest, bribery or gratuity" rules; or
• A violation of the False Claims Act.

§3.1003(a)(2).

Most organizations will not likely need to display posters on their ethics Hotline numbers.

Under §52.203-14, if a contractor has implemented a Business Ethics and Conduct awareness program, including a reporting mechanism (such as a hotline), then the contractor does not need to display any agency fraud hotline posters, other than any required DHS posters.

If a contractor has not implemented a Business Ethics and Conduct awareness program, it must display a government agency or Department of Homeland Security-approved fraud hotline poster (available from the official Contracting Officer). See §52.203-14. This requirement will most likely apply to small businesses that are not required to follow the training and internal control rules. Id.

Contractors that have represented themselves as small business concerns during the contracting process are excluded from the formal training program and internal control requirements. §52.203(c).

Additional exceptions were originally available under the December 2007 amendments for contracts are awarded under the FAR Part 12 commercial item contracts clause and for contracts to be performed outside of the United States.

However, Congress expressly revoked these exceptions in the December 2008 amendments. This has greatly extended the reach of the Amendments - making it imperative for virtually all government contractors to implement effective employee awareness and internal audit programs.

The Federal Sentencing Guidelines were amended, effective November 1, 2010. The nature of the amendments are discussed above.

Expanding upon the Section 406 concept, the SEC approved new NYSE and NASDAQ Governance Standards. Both exchanges require a "Code of Business Conduct and Ethics" covering all employees, officers and directors. Each listed company must make its Code available to the public.

NYSE Listed Company Manual:

“303A.10 Code of Business Conduct and Ethics

Listed companies must adopt and disclose a Code of Business Conduct and Ethics for directors, officers and employees, and promptly disclose any waivers of the Code for directors or executive officers.

Commentary: No Code of Business Conduct and Ethics can replace the thoughtful behavior of an ethical director, officer or employee. However, such a Code can focus the board and management on areas of ethical risk, provide guidance to personnel to help them recognize and deal with ethical issues, provide mechanisms to report unethical Conduct, and help to foster a culture of honesty and accountability.

Each Code of Business Conduct and Ethics must require that any waiver of the Code for executive officers or directors may be made only by the board or a board committee.

Each Code of Business Conduct and Ethics must also contain compliance standards and procedures that will facilitate the effective operation of the Code. These standards should ensure the prompt and consistent action against violations of the Code.

Each listed company may determine its own policies, but all listed companies should address the most important topics, including the following:

• Conflicts of interest. A "conflict of interest" occurs when an individual's private interest interferes in any way - or even appears to interfere - with the interests of the corporation as a whole. A conflict situation can arise when an employee, officer or director takes actions or has interests that may make it difficult to perform his or her company work objectively and effectively. Conflicts of interest also arise when an employee, officer or director, or a member of his or her family, receives improper personal benefits as a result of his or her position in the company. Loans to, or guarantees of obligations of, such persons are of special concern. The listed company should have a policy prohibiting such conflicts of interest, and providing a means for employees, officers and directors to communicate potential conflicts to the listed company.
• Corporate opportunities. Employees, officers and directors should be prohibited from (a) taking for themselves personally opportunities that are discovered through the use of corporate property, information or position; (b) using corporate property, information, or position for personal gain; and (c) competing with the company. Employees, officers and directors owe a duty to the company to advance its legitimate interests when the opportunity to do so arises.
• Confidentiality. Employees, officers and directors should maintain the confidentiality of information entrusted to them by the listed company or its customers, except when disclosure is authorized or legally mandated. Confidential information includes all non-public information that might be of use to competitors, or harmful to the company or its customers, if disclosed.
• Fair dealing. Each employee, officer and director should endeavor to deal fairly with the listed company's customers, suppliers, competitors and employees. None should take unfair advantage of anyone through manipulation, concealment, abuse of privileged information, misrepresentation of material facts, or any other unfair-dealing practice. Listed companies may write their codes in a manner that does not alter existing legal rights and obligations of companies and their employees, such as "at will" employment arrangements.
• Protection and proper use of listed company assets. All employees, officers and directors should protect the listed company's assets and ensure their efficient use. Theft, carelessness and waste have a direct impact on the listed company's profitability. All listed company assets should be used for legitimate business purposes.
• Compliance with laws, rules and regulations (including insider trading laws). The listed company should proactively promote compliance with laws, rules and regulations, including insider trading laws. Insider trading is both unethical and illegal, and should be dealt with decisively.
• Encouraging the reporting of any illegal or unethical behavior. The listed company should proactively promote ethical behavior. The listed company should encourage employees to talk to supervisors, managers or other appropriate personnel when in doubt about the best course of action in a particular situation. Additionally, employees should report violations of laws, rules, regulations or the code of business conduct to appropriate personnel. To encourage employees to report such violations, the listed company must ensure that employees know that the listed company will not allow retaliation for reports made in good faith.

Website Posting Requirement: A listed company must make its code of business conduct and ethics available on or through its website.

Disclosure Requirements: A listed company must disclose in its annual proxy statement or, if it does not file an annual proxy statement, in its annual report on Form 10-K filed with the SEC that its code of business conduct and ethics is available on or through its website and provide the website address.

To the extent that a listed company's board or a board committee determines to grant any waiver of the code of business conduct and ethics for an executive officer or director, the waiver must be disclosed to shareholders within four business days of such determination. Disclosure must be made by distributing a press release, providing website disclosure, or by filing a current report on Form 8-K with the SEC. “

Amended: November 25, 2009 (NYSE-2009-89).

NASDAQ Listing Rules

“Section 5610. Code of Conduct

Each Company shall adopt a code of conduct applicable to all directors, officers and employees, which shall be publicly available. A code of conduct satisfying this rule must comply with the definition of a "code of ethics" set out in Section 406(c) of the Sarbanes-Oxley Act of 2002 ("the Sarbanes-Oxley Act") and any regulations promulgated thereunder by the Commission. See 17 C.F.R. 228.406 and 17 C.F.R. 229.406. In addition, the code must provide for an enforcement mechanism. Any waivers of the code for directors or Executive Officers must be approved by the Board. Companies, other than Foreign Private Issuers, shall disclose such waivers within four business days by filing a current report on Form 8-K with the Commission or, in cases where a Form 8-K is not required, by distributing a press release. Foreign Private Issuers shall disclose such waivers either by distributing a press release or including disclosure in a Form 6-K or in the next Form 20-F or 40-F. Alternatively, a Company, including a Foreign Private Issuer, may disclose waivers on the Company's website in a manner that satisfies the requirements of Item 5.05(c) of Form 8-K.

IM-5610. Code of Conduct

Ethical behavior is required and expected of every corporate director, officer and employee whether or not a formal code of conduct exists. The requirement of a publicly available code of conduct applicable to all directors, officers and employees of a Company is intended to demonstrate to investors that the board and management of Nasdaq Companies have carefully considered the requirement of ethical dealing and have put in place a system to ensure that they become aware of and take prompt action against any questionable behavior. For Company personnel, a code of conduct with enforcement provisions provides assurance that reporting of questionable behavior is protected and encouraged, and fosters an atmosphere of self-awareness and prudent conduct.

Rule 5610 requires Companies to adopt a code of conduct complying with the definition of a "code of ethics" under Section 406(c) of the Sarbanes-Oxley Act of 2002 ("the Sarbanes-Oxley Act") and any regulations promulgated thereunder by the Commission. See 17 C.F.R. 228.406 and 17 C.F.R. 229.406. Thus, the code must include such standards as are reasonably necessary to promote the ethical handling of conflicts of interest, full and fair disclosure, and compliance with laws, rules and regulations, as specified by the Sarbanes-Oxley Act. However, the code of conduct required by Rule 5610 must apply to all directors, officers, and employees. Companies can satisfy this obligation by adopting one or more codes of conduct, such that all directors, officers and employees are subject to a code that satisfies the definition of a "code of ethics."

As the Sarbanes-Oxley Act recognizes, investors are harmed when the real or perceived private interest of a director, officer or employee is in conflict with the interests of the Company, as when the individual receives improper personal benefits as a result of his or her position with the Company, or when the individual has other duties, responsibilities or obligations that run counter to his or her duty to the Company. Also, the disclosures a Company makes to the Commission are the essential source of information about the Company for regulators and investors — there can be no question about the duty to make them fairly, accurately and timely. Finally, illegal action must be dealt with swiftly and the violators reported to the appropriate authorities. Each code of conduct must require that any waiver of the code for Executive Officers or directors may be made only by the board and must be disclosed to Shareholders, along with the reasons for the waiver. All Companies, other than Foreign Private Issuers, must disclose such waivers within four business days by filing a current report on Form 8-K with the Commission, providing website disclosure that satisfies the requirements of Item 5.05(c) of Form 8-K, or, in cases where a Form 8-K is not required, by distributing a press release. Foreign Private Issuers must disclose such waivers either by providing website disclosure that satisfies the requirements of Item 5.05(c) of Form 8-K, by including disclosure in a Form 6-K or in the next Form 20-F or 40-F or by distributing a press release. This disclosure requirement provides investors the comfort that waivers are not granted except where they are truly necessary and warranted, and that they are limited and qualified so as to protect the Company and its Shareholders to the greatest extent possible.

Each code of conduct must also contain an enforcement mechanism that ensures prompt and consistent enforcement of the code, protection for persons reporting questionable behavior, clear and objective standards for compliance, and a fair process by which to determine violations.”

Adopted Mar. 12, 2009 (SR-NASDAQ-2009-018); amended July 22, 2010 (SR-NASDAQ-2008-014).