How the Department of Justice Ruined Compliance

In 2012, the DOJ set a precedent with Morgan Stanley that would influence compliance programs around the world.

In 2012, the United States Department of Justice (DOJ) and the U.S. Securities & Exchange Commission declined to prosecute Morgan Stanley for violations of the Foreign Corrupt Practices Act (FCPA).

The case involved Garth Peterson, Morgan Stanley’s Managing Director of Real Estate in China at the time. According to prosecutors, Peterson, “engineered a deal that transferred Morgan Stanley’s interest in a multi-million dollar Shanghai real estate development to a shell company secretly controlled by Peterson and a Chinese government official. The official, who was not identified, made an instant paper profit of $2.5 million.”

The case first became known in 2009, and the eventual decision was met with widespread acclaim. In a statement, the DOJ said, “Morgan Stanley maintained a system of internal controls meant to ensure accountability for its assets and to prevent employees from offering, promising or paying anything of value to foreign government officials.”

Morgan Stanley’s cooperation and eventual declination

During the FCPA investigation, Morgan Stanley cooperated with the DOJ and provided extensive details on the compliance training and guidance Peterson received, including 35 reminders about how the company’s code of conduct prohibited bribery of foreign officials.

As a result of this documentation, it was decided that Peterson was a “rogue actor,” one rotten egg who spoiled an otherwise compliant company, and enforcement was never pursued. Peterson was also permanently barred from the securities industry, faced 9 months of jail time, was ordered to pay more than $250,000 in disgorgement, and had to relinquish the approximately $3.4 million of interest in Shanghai real estate he acquired through the scheme.

This declination forced organizations around the globe to ask themselves an important question:

“What was it about Morgan Stanley’s compliance program that caused the DOJ to offer a declination?”

Unfortunately, the answers to this question didn’t do much to further the proliferation of measurably effective compliance programs. As it turns out, championing a truly effective compliance program takes far more than reminder emails, video trainings, and conference calls.

The beginning of “check the box” compliance

Even though declinations are very rare, they can also have widespread ramifications in the application of compliance and ethics programs. In essence, the DOJ’s decision in the 2012 Morgan Stanley case marked the official government endorsement of something known as “check the box” compliance.

Officially, the DOJ recognizes that this type of compliance program isn’t enough. In practice, however, things are often different. Peterson himself validated this idea in an interview, claiming that the U.S. government was, “lying to the public and saying that they [Morgan Stanley] had this wonderful compliance program, when in fact the government knows that it wasn’t getting into people’s heads, which is what really matters.” 

Peterson elaborated further and explained, “You can have programs and e-mails, but if people just delete them; if people have to do teleconferences but instead of actually listening, all you have to do is say, ‘Garth Peterson’s on the phone,’ and they check the box that says, he’s complied … And then you either quietly hang up, or you just put your phone aside and you do your other work. That was the culture. And you know, that’s not right, but that’s the way it worked.”

Further, a former colleague shared that U.S. anti-bribery laws received “little attention” during the Chinese real estate boom, and that the majority of employees didn’t know much about the FCPA until Peterson’s actions were discovered.

The above sentiments from Peterson and the anonymous colleague were a poignant reminder of the reality regarding “check the box” compliance programs, but the effects of Morgan Stanley’s declination are still being experienced today. The Harvard Business Review article has recently highlighted the repercussions of the DOJ’s decision not to prosecute in the Morgan Stanley case:

“Over and over, prosecutors have recognized that firms with ineffective compliance programs don’t deserve credit for their supposed efforts. However, it was often challenging to distinguish substantive programs from those that were merely window dressing, since evaluating a program required considerable time and expertise. The DOJ’s decision not to prosecute Morgan Stanley in the Peterson case, for example, was seen as validating the firm’s approach to ensuring compliance, which included numerous training sessions in addition to the standard hotline and the usual employee certifications of the firm’s code of conduct.”

Giving credit where it’s due: The DOJ’s emphasis on effective compliance programs

I’d like to note that the DOJ has taken some promising steps in recent years: From November 2015 to her resignation in June 2017, Hui Chen worked as the department’s sole (and first ever) compliance consultant. 

To guide companies toward measurable effectiveness in their compliance programs, Chen drafted a document titled, “Evaluation of Corporate Compliance Programs,” which includes a comprehensive list of questions that prosecutors should consider when determining whether a compliance program is effective.

However, companies need to understand that these questions are not a checklist that leads to full, effective compliance. Having an answer to each question doesn’t constitute an effective compliance program.

The Compliance Guidelines are incredibly useful, and firms should certainly be asking themselves these hard questions, but the fact remains that the DOJ paved the way for more of these “check the box” compliance programs.

After the Morgan Stanley declination, the government signaled that, sometimes, checking enough boxes is satisfactory.

Would Morgan Stanley be prosecuted under the FCPA today?

We know that a compliance program isn’t effective if it doesn’t change human behavior, which is why programs like the one Morgan Stanley used in Garth Peterson’s era are generally viewed as a waste of time, money, and other resources at best.

But, if a similar issue occurred today, would Morgan Stanley be prosecuted? I like to think that they would, because compliance-related regulatory measures are getting stronger and smarter. While “check the box” compliance may have been enough to get them off the hook in 2012, prosecutors are increasingly looking for metrics-based proof of action throughout a company.

 

They want to see a compliance program that’s rooted in a company-wide culture of integrity

Creating such a program isn’t easy, and there are many solutions available that an organization could implement (as you likely know, Convercent has a powerful suite of cloud-based software that makes creating and analyzing compliance programs and associated human behavior much simpler.) But, I’d also like to leave you with some actionable tips and insights that don’t require new software solutions.

Corporate ethics best practices

Even if the DOJ “ruined” compliance with the Morgan Stanley declination, there is a silver lining: This case, like many other high profile cases, brought attention to the importance of proactive compliance. 

You can keep the government from knocking on your door if there is a clear company-wide commitment to acting with integrity, but what does that look like in action? Some best practices include:

  • Respect learning and communication preferences. Individual employees retain information in vastly different ways. The clearest example of this is Millennials, who might welcome things like an interactive code of conduct or technology like SMS for submitting hotline reports.  
  • Use multiple mediums. When communicating and training employees, embrace all the information delivery mechanisms we now have. Live trainings from managers, video, emails, and other traditional techniques can all be used as parts of a comprehensive program, but don’t be afraid to get creative. Try turning training into a game, offer incentives for participating, and make it memorable.
  • Keep it simple. Often, compliance-related obligations are buried in legalese. If you want employees to read and retain a policy, make the information digestible.
  • Become data-driven. You can’t measure something if you aren’t collecting data on it. Properly collecting and analyzing data allows for more informed decision-making, which is good for both companies and their employees.
  • Experiment, test, and measure. At the end of the day, maintaining compliance in an organization is about understanding human behavior. Different elements in an environment will have varying impacts on behavioral outcomes, but you won’t know what those outcomes look like until you begin testing what works and what doesn’t hit the mark. 

That last point is a particularly helpful reminder, because we must test and assess employee understanding of policy long after training events have taken place. Otherwise, there’s no way to confirm that people retained the knowledge they were trained on. In fact, without regular measurement, it’s all-too-easy to send 35 emails stating that bribery of a foreign official is a no-go and call it a success.