Compliance training: what does the DOJ look for?

Compliance training: what does the DOJ look for?An interview with Hui Chen, the U.S. Department of Justice’s Compliance Counsel Expert, 2015-2017.

Compliance training: what does the DOJ look for?

An interview with Hui Chen | Broadcat2

Hui Chen was the first-ever Compliance Counsel Expert at the United States Department of Justice, where she was the exclusive consultant to federal prosecutors in the Fraud Section, evaluating corporate ethics & compliance programs.

She is the author of the Fraud Section’s well known “Evaluation of Corporate Compliance” – predecessor document to Criminal Division’s Guidance on the same – which has been widely praised by compliance practitioners and recognized by government regulators and standard setters around the world.

She also consulted on all Fraud Section corporate monitorships, including hosting training for monitors on best practices and lessons learned.

Prior to being retained by the Department of Justice, Hui served as a senior compliance leader in industries such as technology (Microsoft), pharmaceutical (Pfizer), and financial services (Standard Chartered Bank).

Compliance training: what does the DOJ look for?

An interview with Hui Chen | Broadcat3

BROADCAT: Thanks for doing this interview.

We’d like to talk about what you looked for in compliance training when you were at the Department of Justice, and with the standard former-government-person disclaimer that you are speaking on behalf of yourself and not any current or past employer.

HUI CHEN: OK, sounds good. And yes, standard disclaimer applies.

1. At a high level, what is the Department of Justice looking for when they look at a company’s compliance training?

The Fraud Section has been pretty clear over the past few years that they want to see that the compliance team has been thoughtful in using training as a tool to prevent corporate crime.

That is, there is no magic method or amount that they are looking for, because no one is requiring people to do compliance training for the sake of doing compliance training. It’s a tool to prevent corporate crime, just like the other elements of a compliance program.

So whatever tool or method you choose, they want to see that you have thought through why that tool or method would stop people from making the kind of mistakes that landed in front of a prosecutor in the first place.

That said, it’s important to acknowledge that there are people who would commit crimes no matter how you trained them: if a driver intentionally runs down a pedestrian, it’s not the fault of driver’s ed. It’s important that companies recognize that compliance training is primarily intended to guide employees who try to do their jobs in good faith. It is very much like driver’s ed: the proof of effectiveness is how well do people who have taken the course drive—or do their jobs.

2. How would you know if a company took that sort of thoughtful approach?

You can get a sense by how the company describes what they did. A company that has taken a thoughtful approach will focus on behavior and processes: why and how employees do what they do, and how the training is designed to address those why’s and how’s. By contrast, a company that has taken a check-the-box approach will focus on how many times they trained, how much money they spent, and how many records of training activity they created.

Compliance training: what does the DOJ look for?

An interview with Hui Chen | Broadcat4

3. So basically, a focus on prevention first?

Correct. Remember, when you are sitting in front of Fraud Section prosecutors, they want to know two things:

(1) what could and should you have done to prevent the crime that landed you there, and

(2) how can they be sure you won’t do it again.

The goal is not to break the law in the first place, not generate a lot of compliance records on the assumption that the compliance program will fail.

A thoughtful company will focus on prevention and then document what they do for “defensibility,” not the other way around. It’s not that hard to tell when a company has gone straight to “defensibility.”

"The goal is not to break the law in the first place, not generate a lot of compliance records on the assumption that the compliance program will fail."

Compliance training: what does the DOJ look for?

An interview with Hui Chen | Broadcat5

4. When we think of focusing only on “defensibility,” we think of being focused on arbitrary parameters like amount, length, recordkeeping, etc.

These things can cause teams a lot of anxiety, so let’s address them directly—for example, is there a minimum amount of compliance training the Department of Justice requires per employee?

No.

5. Is there a minimum length the Department of Justice requires for a “training” for it to count?

No.

6. Is there a specific “completion rate” that the Department of Justice requires for a training or communication to count?

No.

7. Is it true that the Department of Justice only gives credit for training “courses”?

No.

8. Is there a specific way of tracking training that the Department of Justice requires for a training or communication to count?

No, not a specific way. What they want is when they are prosecuting individuals who claim they didn’t know what they did was wrong, the company can provide proof to refute that claim. That proof can be records of trainings or reminders or emails or pop-ups in the system or anything else that shows they were told what they shouldn’t or should do.

9. Is there any format that the Department of Justice categorically says won’t “count” for purposes of compliance training?

No. Again, it’s not the format that matters: it’s the thought behind format and the behavior outcome it produces.

10. Is there any format that the Department of Justice says it prefers over another?

No.

11. Does the Department of Justice require that every employee receive compliance training?

No. The Department of Justice has consistently advocated that you focus on risky employees, control function gate-keepers, and leaders.

Compliance training: what does the DOJ look for?

An interview with Hui Chen | Broadcat6

12. OK, so again: no magic format or amount, but a focus on prevention. What does that focus on prevention look like in practice?

It looks like working backwards from the things the businesspeople do that are most likely to get the company in trouble: what would be the root cause of an investigation or prosecution? It’s going to be something a businessperson did, and that’s what to focus on—train those people to do those things the right way.

My sense is that most companies work forward from abstract risk concepts instead of backwards from what is most likely to get them in trouble, and that is a problem.

The few—very few—compliance training programs that have impressed the Fraud Section prosecutors have involved a couple of features: trainings that are truly integrated into the day-to-day operations of the company, and training programs that could demonstrate changes in behavior or reduction of violations, etc. What is clearly not going to impress anyone is simply reciting how much time and money you have spent on training people, yet people insist on highlighting hours of training and dollar figures. That makes prosecutors roll their eyes.

13. Can you give an example of this?

Sure, in one of the earliest interviews I gave after taking the position at the Department of Justice, I said I was looking to see if accounts payable clerks knew what to look for in invoices and if salespeople knew the bounds of what they could and could not do; those are examples of what I mean by “things the businesspeople do.”

The goal is to train people to do those things correctly, not try to make them experts on the law. The DOJ does not want to turn businesspeople into experts in FCPA or healthcare or securities laws. They just want businesspeople to do business without violating these laws.

14.But that would be a lot of things, right? How would a company do that?

Yes and no. Of course the businesspeople do a lot of things, but not all of them are risky; most probably aren’t. You do it by prioritizing the riskiest things and then moving on to the next-riskiest and so on.

I don’t think anyone expects that this is an overnight process; it could take years. What you need to do is prioritize, make a plan, and get started; that is how you demonstrate a thoughtful approach.

Compliance training: what does the DOJ look for?

An interview with Hui Chen | Broadcat7

15. So essentially, you’re saying that, instead of training people on abstract legal risks and principles, companies should manage legal risks as part of business processes, then train people on those business processes?

Yes, correct. Prosecutors want to see employees being trained on how to do their jobs compliantly, not educated on legal topics. The purpose of compliance programs is to have employees take or avoid specific actions that would break the law, not to turn all employees into compliance officers.

Risk concept(e.g., “anti-corruption”)

Company trains on concept (e.g., “anti-corruption”)

Employees expected to figure out how concept applies

Employees do their day-to-day work

Risk concept(e.g., “anti-corruption”)

Company applies and manages risk in day-to-day work

Company trains on application (e.g., “how to review an invoice”)

Employees do their day-to-day work

Compliance training: what does the DOJ look for?

An interview with Hui Chen | Broadcat8

16. What about areas that do not tie neatly to something a businessperson does—for example, how should a company talk about aspects of anti-corruption that don’t tie to some type of functional thing a businessperson does (like a course on general anti-corruption concepts)?

Look, a driver’s ed course typically does not include automobile design and mechanics: you are trying to teach people to drive, not build a car. Compliance training is the same: you are trying to teach people how to do business without violating the law, not become legal experts, even a little bit. Compliance is about behavior, so I’m not sure why you would be training on something that doesn’t tie to behavior. The goal is not to make every employee a compliance expert by talking about abstract concepts; the goal is to not break the law, and the law regulates behavior.

17. OK, so just to be clear: if a company said they weren’t doing functional guidance because they felt they needed to do annual Code of Conduct training or e-learning courses on abstract risk topics (like “competition law”) first, how would you respond?

If their rationale was that they think this is what prosecutors care about—that they have to start with this because that’s what the DOJ looks for—then that

is incorrect. Again, there is no requirement for specific formats or topics like this.

If their rationale was that they thought this was the best way to prevent misconduct, on the other hand, I would ask them what I would ask of any training: to demonstrate how their Code of Conduct training or e-learning courses have changed behaviors—that is, the specific things the businesspeople do.

Let me be clear: I am not saying “don’t do Code of Conduct training.” I am saying your Code of Conduct training—just like any other compliance training—needs to be practical and behavior-focused. It’s very easy to say “we believe in integrity”—Enron said that to its employees too. What you need to do is translate that into what an employee needs to do when she is approving an expense, talking to a competitor, dealing with a customer, setting up an account, running a quality control test, or whatever it is that she does.

If they want to try and educate their employees on compliance topics in the abstract, that’s fine, but that’s something you can do after you have your employees trained on doing their specific jobs the right way. And I hope you can justify to your company management why they should waste all the employee time on abstract concepts that have nothing to do with their jobs. And if your justification is “DOJ wants to see it”—that would simply not be true.

Compliance training: what does the DOJ look for?

An interview with Hui Chen | Broadcat9

18. Great, last question: one of the formats we work in heavily at Broadcat is the checklist/flowchart that applies a concept like anti-corruption to a specific business task, like approving an invoice, which seems exactly consistent with what you are describing.

Can you describe how you would have viewed a company who uses tools like this when you were with the DOJ?

Checklists and flowcharts that help people do their jobs right is exactly consistent with what I am describing, so unsurprisingly I would have viewed it favorably.

Simple solutions are better than complicated ones; a checklist that tackles a real-world business duty is more valuable than an elaborate interactive video course on an abstract concept. Pilots rely on checklists to land their planes; surgeons use checklists to keep their patients safe; I use a checklist when I pack my bags for travel; company supervisors, accountants, and salespeople can also use checklists to prevent violations of law in doing their jobs.

Compliance training: what does the DOJ look for?

An interview with Hui Chen | Broadcat10

This interview is courtesy of Broadcat.

At Broadcat, we’ve found that compliance officers are exasperated with chasing complicated training trends that drain their budgets and time—and yet still give them anxiety about what would happen if a prosecutor came knocking. 

That’s why we created simple, practical, and customizable materials that target the high-risk business processes that prosecutors look for.

Just like the one you see on this page. 

CLICK HERE TO GET STARTED