Every compliance program plays to two audiences. One is your people: is it effective in reaching them and preventing violations. The second is the government: is your program credible and will it convince enforcers to give you credit for your compliance work. There is quite a bit of guidance about compliance programs out there, from governments and from the private sector. Drawing from parts of these that have not received enough attention among companies, and adding points that are essential yet not fully recognized even in the government standards, this article offers ten questions to ask yourself, to see if you have caught important points that can determine the success of your compliance efforts in the antitrust/competition law area.
By Joseph E. Murphy [1]
Every compliance program plays to two audiences. One is your people: is it effective in reaching them and preventing violations. The second is the government: is your program credible and will it convince enforcers to give you credit for your compliance work.
There is abundant guidance about compliance programs available, both from governments and the private sector. Drawing from parts of these that have not received enough attention among companies, and adding points that are essential yet not fully recognized even in the government standards, this article offers ten questions to ask yourself, to see if you have caught important points that can determine the success of your compliance efforts in the antitrust/competition law area.
- Will your employees be your advocates?
- Are your program steps up to industry practice?
- Do you use screening and data analysis?
- Have you ignored incentives in your program?
- Do you have an empowered, independent, connected CECO?
- Do you communicate, or only train?
- Does your CEO actually care or just talk?
- Do you really do nothing to prevent retaliation?
- Does your program exist outside of headquarters?
- Have you isolated yourself in an antitrust silo?
I. WILL YOUR EMPLOYEES BE YOUR ADVOCATES?
Are you sure all your employees can and will present your case? When someone talks with your people, will they come away with the impression that your compliance program is deeply ingrained in the company? Why does this matter?
When it comes to convincing the antitrust enforcers that you have a program that deserves their respect (and credit), there is still an assumption that the enforcers will wait for you to put on a formal presentation before making any decisions. But this is because too many people do not read carefully what the government has said.
The Antitrust Division, in its compliance program evaluation questions, spells out very clearly that the Division is not just sitting back waiting for your presentation:
“Division prosecutors should evaluate compliance programs throughout the course of their investigation, including asking relevant compliance-related questions of witnesses, and should not wait for companies to offer a compliance presentation before beginning their evaluation of a company’s antitrust compliance program.”[2]
The Canadian Competition Bureau also takes this logical approach: “[I]nformation gathered during the investigative process that pertains to the credibility and effectiveness of a compliance program will be shared with the C[compliance] U[nit.”[3]
The important message here is that you need to assess your program by talking with your employees. What would they say about your program if asked in a grand jury? Yes, you should be able to put on a convincing presentation and show what you have done. But you need to be sure it has reached your people, all throughout the business.
II. ARE YOU UP TO INDUSTRY PRACTICE?
How does your program compare to programs in other companies, and does that matter? The Antitrust Division addresses this in language that is usually ignored by commentators:“Is the company’s antitrust compliance program . . . consistent with industry best practice?”
What does the Division mean by this, and where does this language come from? The Division here is drawing on the Federal Sentencing Guidelines standards, in the notes which include these two references:
“2. Factors to Consider in Meeting Requirements of this Guideline.—
(A) In General.—Each of the requirements set forth in this guideline shall be
met by an organization; however, in determining what specific actions are
necessary to meet those requirements, factors that shall be considered
include: (i) applicable industry practice or the standards called for by any
applicable governmental regulation; (ii) the size of the organization; and
(iii) similar misconduct.
(B) Applicable Governmental Regulation and Industry Practice.—An organization’s failure to incorporate and follow applicable industry
practice or the standards called for by any applicable governmental
regulation weighs against a finding of an effective compliance and ethics
program.[4]
Note that the literal language here reflects a drafting error in the Sentencing Guidelines. It is not that a program must only be what others do. Rather, this just represents a minimum standard.
Finally, the idea of comparing industry or best practices goes back to the 1980s and an organized attempt to develop industry-wide best compliance practices, the Defense Industry Initiative, which included conferences among member companies to discuss and demonstrate best practices. See Defense Industry Initiative (Best Practices Forum) https://connect.dii.org/events/event-description?CalendarEventKey=812e6c09-a188-410c-ad7c-680e42ad2186&Home=%2fhome Here members convene to compare notes on best compliance practices among the defense contractors.
No one needs to remind an antitrust lawyer about the risks of industry participants agreeing not to compete on something, even compliance standards. But here we are talking about what the government can expect in a good program. For example, if most others in the industry are doing screening and you claim it is not possible, you are very likely to lose that argument. If you have been lazy and lagged behind industry peers you will have this used against you.
III. DO YOU USE SCREENING AND DATA ANALYSIS?
The Antitrust Division expects companies to use data analysis to detect misconduct. As its guidance asks:
“Does the company use any type of screen, communications monitoring tool, or statistical testing designed to identify potential antitrust violations?”[5]
Perhaps the first reference to “screening” in a government standard was in the Chilean competition law enforcer’s standards for competition law compliance programs, which stated:
“Both monitoring and auditing can even incorporate techniques referred to as “screening,” which consists of the use of econometric tools that detect the existence of possible harmful practices that threaten competition. It is advisable, in principle, to hire specialized outside personnel for its implementation.”[6]
Screening involves the structured analysis of business data to detect unusual patterns in the business’ numbers and possible markers for collusive conduct. Thus, business numbers such as changes in market share and trends in margins may indicate patterns inconsistent with a competitive market and more indicative of collusion.[7]
The Antitrust Division Guidance provides options to satisfy this standard, and the effort should be commensurate with the size of the company. A small company should be looking for abnormal patterns in its data, but would not be expected to have a sophisticated artificial intelligence program. On the other hand a big company with significant risk is expected to use more sophisticated tools to analyze its data.
While companies should be following this guidance and reviewing their numbers for signs of improper conduct, it remains the case that there is no substitute for being with your people and really listening to them. You should also listen to customers; they may detect patterns you won’t see, because they are the victims of cartel conduct. Data can be a helpful tool, but we also need to avoid data hubris by thinking that data is a cure-all. The human element is always needed as well.
IV. HAVE YOU IGNORED INCENTIVES IN YOUR PROGRAM?
Why do businesses use incentives to drive behavior? Because they work. Why does the Antitrust Division expect incentives to be part of your compliance program? Because they work.
Among the Division’s evaluation questions are:
“What incentives does the company provide to promote performance in accordance with the compliance program. See U.S.S.G. § 8B2.1(b)(6)(A)
Has the company considered the implications on antitrust compliance of its incentives, compensation structure, and rewards? Does the company incentivize antitrust compliance?” Antitrust Division Guidance 12.
Nor is this focus in incentives unusual in program standards. The Spanish Competition Commission, in its guidance asked: “Does your company have an incentive system that promotes and fosters compliance with competition law and policies?”[8]
The Competition Commission in Singapore also observed that “Adherence to compliance policy could also be used as one of the criteria against which an individual’s and department’s performance is appraised.”[9]
In the same vein, the Canadian Competition Bureau has observed that: “Incentives work as effective tools for a business that wishes to promote compliance by employing concrete actions.”
In other words, incentives belong in any program.[10] Failure to address incentives is one of the biggest recurring weaknesses in compliance programs, and a prime reason they fall short.[11]
V. DO YOU HAVE AN EMPOWERED, INDEPENDENT, CONNECTED CECO?
The head of your compliance program, your Chief Ethics and Compliance Officer (“CECO”), needs to be empowered, independent, and connected to those with power in the organization, and must have line of sight into all parts of the business.
This is an essential point that enforcers have recognized. The Antitrust Division observes that those responsible for the program must have “sufficient autonomy, authority, and seniority . . . as well as adequate resources . . . .” The Division also asks “How often does the compliance officer or executive meet with the Board, audit committee, or other governing body?” “How does the company ensure the independence of its compliance personnel?” Antitrust Division Guidance 6.
The Spanish Competition Commission also reflects this focus in its questions: “Does the compliance officer have full autonomy and independence in performing their duties?” “Is the compliance officer in direct communication with the governing body and top executives?” Spanish Guidance 18.
The Canadian Competition Bureau addresses this important point in detail: The compliance officer should have “high visibility” and “independence, professionalism, and the authority to implement and enforce a credible and effective program across the company;” and “the opportunity to participate in senior management decision making”. “The company’s board of directors should appoint the Compliance Officer . . . .” “The Compliance Officer should only be removable by the board of directors on terms set in advance by the board.” Canadian Bulletin 11.
A company wishing to show leadership on this important point could also recruit a CECO from another company to have on its board of directors, and could have a strong employment contract for the CECO.
VI. DO YOU COMMUNICATE, OR ONLY TRAIN?
Often it seems compliance work is weakened by a failure of imagination. Given the many innovative communications methods we experience when online, it has to be a deep failure for compliance experts to limit their efforts to conventional training. Here we hit an odd discrepancy. Although the Sentencing Guidelines clearly uses both the words “training” and “communicate,” they are often read as if they only referred to training. But training without other, recurring communication is a weak way to promote compliance.
Compliance professionals need to be up-to-date on the state of the art in communications. If apps and short video clips work for other purposes, why not use them in compliance? People remember stories better than lectures. Why not use any tool that can illustrate antitrust risks in a memorable way? Why not provide short examples of those who broke the rules and were held accountable? Having just been exposed to the addictive characteristics of TikTok, a logical question is whether the short video format could be used to present short but pointed compliance messages. Will employees remember it? That is always the question.
Each day we experience a constant stream of messages. Why not observe which ones work for you, and then see what you can use to develop effective communications tools? Do posters work in your environment? Do your employees still read emails? Will a series of short video compliance dramas reach your people? Consider also just taking one of your marketing and advertising experts out to lunch and hearing from experts about what really works to reach people. Training, if it is a very high priority, may happen once a year. People receive communications messages constantly. If you want to compete effectively for their attention, you should not limit yourself to a one shot approach.
VII. DOES YOUR CEO ACTUALLY CARE OR JUST TALK?
There are powerful sayings about the powerlessness of mere talk. When enforcers call for commitment and leadership by the top executives, it can never mean mere talk. The question is, how do the CEO and other leaders show support for the compliance program. For example, the Antitrust Division Guidance (p. 5) asks “What concrete actions have [senior leaders] taken to demonstrate leadership in the company’s antitrust compliance … efforts?” The International Chamber of Commerce, in its toolkit on compliance (which was referenced in the Antitrust Division’s Guidance as a useful resource), provides a helpful list of things senior managers can do. It includes “[a]ttendance of your company’s senior management at training sessions with lower level employees” and “Senior managers … consistently asking about compliance in meetings/business briefings.”[12]
VIII. DO YOU REALLY DO NOTHING TO PREVENT RETALIATION?
There are many areas the various government guidance materials cover well. But there is one that they, and most compliance programs, almost completely fail to address in any useful way: retaliation. There are few things more toxic to effective compliance programs than retaliation, yet it is one of the most prevalent occurrences and one of the least addressed in practical terms.
Generally, every governmental guidance, and every company’s policy says the same thing: Don’t retaliate. Don’t tolerate retaliation. That’s it, not a word more. But if you are a compliance person you can count on one thing in this area: you are underestimating this risk. Retaliation is not some exotic category of risk rarely seen in the real world. To the contrary, absent serious intervention it will happen. Those who speak up will be knocked down.
Some standards do talk about allowing people to report “anonymously or confidentially” and “without fear of retaliation.” And when it comes to reporting, these standards will call for allowing “anonymous and confidential” reporting. But these concepts are very limited in their effectiveness, given how devoutly people try to figure out who called, and probably in most work units can figure this out fairly quickly. (Note, too, that the enormously broad language of privacy laws like GDPR will invite those who are targets of whistleblower reports to use this broad law to undercut investigations and smoke out those who file reports.) Merely calling for confidential treatment will not prevent bosses and colleagues from figuring out who blew the whistle and finding ways to get even.
Yet despite this ostensible concern about retaliation, these guidance materials typically provide no details on how to prevent retaliation. The Canadian Bulletin does use strong words on this point, calling for programs to: “ensure that staff can report contraventions . . . confidentially and without the threat of retaliation.” (p. 18) “Anyone reporting a concern or cooperating in an investigation should be guaranteed the strongest of protections from retaliation by others in the business, including management.” (p. 19) The Bulletin offers this guidance: Companies, in assessing their program, should check whether, for a reporting system, “are employees willing to use it, or whether there is a fear of retaliation.” (p. 22).
Consider these specific steps to address this pervasive risk:
- Include retaliation as a separate risk, to be addressed in your risk assessment and risk abatement plans.
- Hire a whistleblower from another company to an important position in your company. That will demonstrate a real commitment.
- Survey employees on how they feel about reporting misconduct in your company. See Canadian Bulletin 19.
- Train managers on how to respond to concerns and how to avoid retaliation.
- Follow up with those who have raised concerns. Compare their treatment over time. If you do this and find no difference you are likely not looking carefully enough.
- Severely discipline those who threaten or engage in retaliation and then publicize this as broadly as possible (while shielding the actual identity of the person).[13]
IX. DOES YOUR PROGRAM EXIST OUTSIDE OF HEADQUARTERS?
In compliance and ethics, we recognize that compliance does not just happen by waving a magic wand or spreading magic compliance dust (credit to Kristy Grant-Hart for this magic compliance dust concept). A program does not happen in a company unless there is a manager or managers with specific responsibility for making this happen. This point is generally recognized when applied to corporate headquarters. But logic and experience compel the next point: If you want your program to reach all departments and all locations there also needs to be managers there to make this happen. In other words, there need to be field compliance people. The titles for these positions may vary, and include: ethics ambassadors, compliance coordinators, compliance liaisons, compliance champions, compliance and ethics leaders, ethics liaisons, facility compliance officers, and business unit compliance officers.
Unfortunately, this is an area where much of the guidance, including that from the Antitrust Division, falls flat. Is there someone in your sales offices, someone in your bidding unit, someone in HR responsible for helping to get the word out about compliance, and also giving feedback to the CECO, so the program is working effectively throughout the business? Of course the local compliance person need not be full time, but this important responsibility should be part of this person’s job description and part of their evaluation. The CECO should play a role in this, having a say on who is selected in each business unit, and distinct input on the person’s assessment. There should also be some training for this role. It is best if this role counts as a positive in issues like promotability.[14]
X. HAVE YOU ISOLATED YOURSELF IN AN ANTITRUST SILO?
Maybe, if you were doing antitrust compliance work in the 1960s you could legitimately focus just on antitrust and not worry about how other compliance risks are handled. But the 60s are long past. It makes no sense to pretend that antitrust is a company’s only risk, or that somehow it is significantly different from all other types of compliance risk. Antitrust compliance efforts should not be isolated in an antitrust silo. Antitrust is just one risk and needs to be integrated into a strong, overall compliance and ethics program.
If, instead, it is treated as standalone then it can lose the independence and access to power that is so necessary for effective compliance program leadership. It is not realistic to think that each compliance area will have full access to the board, sufficient independence to act, and full line of sight into all of the businesses’ operations. Instead, separation breeds duplication, training fatigue, and resentment by employees of what they perceive as wasteful interruptions. It is essential to coordinate compliance efforts for efficiencies of scale, minimal intrusion in the business, and effective use of resources.
This is an important point recognized by the OECD in the context of compliance programs to fight corruption. Referring to the Good Practice Guidance that addresses bribery the OECD’s Working Group on bribery says that:
“It recognises that to be effective, such programmes or measures should be interconnected with a company’s overall compliance framework.”[15]
In the context of competition law compliance, the Canadian Competition Bureau noted that “[to] evaluate the effectiveness of an existing program, the Compliance Officer could … [minotior] developments from areas of corporate compliance outside of competition law and, when appropriate, incorporate their best practices into the program.”
Similarly, the International Chamber of Commerce, in its antitrust compliance toolkit, observes that options may include “Recognizing that antitrust risk is just one of the risks your company may face, and integrating the antitrust programme with other compliance programmes, controls and governance policies.”[16]
Those engaging in antitrust compliance work should recognize that they are operating in a field that is separate from the practice of antitrust law – the field of compliance and ethics. It has its own literature, professional standards, and accumulated learning. No compliance person should be cut off from the experience and wisdom the rest of the field offers.
XI. CONCLUSION
These 10 questions are offered as a stimulus to broaden the thinking about antitrust compliance. It does not purport to be comprehensive; government materials like the Antitrust Division Guidance, the Canadian Bulletin and the Sentencing Guidelines are excellent sources of overall guidance. But even with these it is important to keep challenging ourselves and staying up with developments in our field. We should always be challenging ourselves to keep ahead of antitrust violations and be successful in our missions.
1 Joseph E. Murphy has 40 years’ experience in the field of organizational compliance and ethics. He practices law in the compliance and ethics field through Joseph E. Murphy, PC and is co-founder of Integrity Interactive Corporation (now part of SAI Global).
2 U.S. Department of Justice Antitrust Division, Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations 2-3 (July 2019) https://www.justice.gov/atr/page/file/1182001/download (hereinafter “Antitrust Division Guidance”).
3 Competition Bureau Canada, Bulletin – Corporate Compliance Programs 6 (June 3, 2015), http://www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/vwapj/cb-bulletin-corp-compliance-e.pdf/$FILE/cb-bulletin-corp-compliance-e.pdf (hereinafter “Canadian Bulletin”).
4 U.S.S.G. section 8B2.1 Commentary app. note 2 (A) & (B) (emphasis added). https://www.ussc.gov/guidelines/2018-guidelines-manual/annotated-2018-chapter-8 (hereinafter “Sentencing Guidelines”).
5 U.S. Department of Justice, Antitrust Division, Compliance Guidance, Article10.
6 Fiscalía Nacional Económica (FNE), “Competition Compliance Programs: Complying with Competition Law” 14 (June 2012), http://www.fne.gob.cl/wp-content/uploads/2012/06/Programas-de-Cumplimiento.pdf.
7 Abrantes-Metz, Bajari & Murphy, “Antitrust Screening: Making Compliance Programs Robust,” http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1648948.
8 Comision Nacional de los Mercados y la Competencia, Antitrust Compliance Guidelines 16 (June 10, 2020) https://www.cnmc.es/sites/default/files/editor_contenidos/Competencia/Normativas_guias/202006_Guia_Compliance_FINAL_eng.pdf (hereinafter “Spanish Guidance”).
9 “Conducting a Compliance Programme,” Singapore Government, Competition Commission Singapore https://www.cccs.gov.sg/faq/compliance-with-competition-law.
10 The white paper Murphy, “Using Incentives in Your Compliance and Ethics Program” (SCCE; 2012), https://assets.hcca-info.org/Portals/0/PDFs/Resources/library/814_0_IncentivesCEProgram-Murphy.pdf explores the broad variety of ways companies can do this.
11 See Joseph E. Murphy, Policies in conflict: Undermining corporate self-policing, 69 Rutgers U.L. Rev. 421, 473-76 (2017), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3685529.
12 International Chamber of Commerce, The ICC Antitrust Toolkit: Practical antitrust compliance tools for SMEs and larger companies 9 (2013), https://iccwbo.org/publication/icc-antitrust-compliance-toolkit/ (hereinafter “ICC Toolkit”). More examples can be found in Murphy, “Tone at the top: How the CEO can do more than just talk,” Compliance & Ethics Professional 80 (Oct. 2014). For example, instead of just attending a training session, have the CEO be the first to attend (and actually ask questions). The CEO can also personally champion tough discipline for senior people who go against the compliance program.
13 Further steps to address retaliation are available in materials from the US Equal Employment Opportunity Commission, “EEOC Enforcement Guidance on Retaliation and Related Issues” (Aug. 25, 2016)(V. “Promising Practices”) See https://www.eeoc.gov/laws/guidance/enforcement-guidance-retaliation-and-related-issues.
14 See Murphy, “Field & Business Unit Compliance & Ethics Managers – Bibliography,” https://www.linkedin.com/pulse/field-business-unit-compliance-ethics-managers-joe-murphy-ccep-1e/?trackingId=T1eKyM3isF%2Bc1%2F0Q4dKVlg%3D%3D.
15 OECD, Recommendation of the Council for Further Combating Bribery of Foreign Public Officials in International Business Transactions, Appendix II, Introduction, http://www.oecd.org/daf/anti-bribery/44884389.pdf.
16 ICC Antitrust Compliance Toolkit, Article 4. See https://iccwbo.org/publication/icc-antitrust-compliance-toolkit/.