With expanded regulations going into effect in many industries, including insurance, organizations must not only show that they have compliance and ethics programs in place, but also be able to demonstrate that their programs are working. The regulatory scrutiny of such programs is shifting from a focus on policies, procedures, and retrospective audits to proactive measures of effectiveness and desired results. Many insurance companies now seek to implement measurements that will help them prove that employees understand the importance of compliance and ethics in the workplace.
With heightened expectations of governance and transparency, financial services and insurance are at the forefront of this regulatory compliance evolution. Regulators are working hard to prevent organizations from just going through the motions of compliance and are instead requiring them to exhibit the substance behind their programs.
In late May, the final ruling implemented the securities whistle-blower incentives and protection provisions of the Dodd-Frank Act. As a result, insurers are increasingly concerned about new whistle-blower provisions and their potential impact. Whistle-blower allegations, motivated by bounty hunter payments from enforcement agencies, are likely to grow significantly as a result of pending regulations. For example, if a whistle-blower claims that an insurance company has violated privacy laws, then the investigators will examine the claim. If they determine that the violation is valid, then the whistle-blower will receive a percentage of the fine levied upon the company. A concern in the industry is that because of the allure of these financial rewards, whistle-blowers will call a regulator rather than an internal company hot line to report a suspected issue. The regulator may then demand evidence of an effective, established compliance program from the company.
Building a Program
The U.S. Securities and Exchange Commission (SEC) has established a framework for evaluating cooperation in determining non-compliance and how to charge violations of the federal securities laws. This framework includes the potential for reduced sanctions for organizations that have established “effective compliance procedures.” There are several resources available for insurers as they strive to assess their compliance programs and demonstrate that they are indeed working. The most commonly cited resource is the list of seven elements of effective compliance and ethics programs that was revised in 2010 by the United States Sentencing Commission (USSC) at the same time the U.S. Federal Sentencing Guidelines were modified. These provisions set forth the attributes of savvy compliance and ethics programs. (Refer to “A Blueprint for Compliance” on pg. 38 for more information about the sentencing guidelines.)
For any compliance self-assessment, the depth and timeliness of evidence of compliance is critical to success. For instance, consider a common process such as managing the code of conduct for an organization. In this example, we will examine various techniques, from the most basic to the systematic and potentially high-risk, up through masterful approaches offering increased protections and the potential of reducing sanctions and fines resulting from poor audits and reviews.
Taking the Right Steps
At the most basic level, an insurer should publish a code of conduct and revise it periodically. However, if this is the extent of the company’s management of the code of conduct, then an audit or review can likely identify consequential deficiencies, leaving the company exposed to the possibility of maximum fines and sanctions.
Next, the company should distribute the code of conduct directly to all employees and collect attestations that the code has been read and understood. Any compliance gaps identified should be remediated, possibly through enhanced training. Going to this level is certainly an improvement, but it may still leave an auditor curious as to how the company knows its employees are aware of rules and guidelines.
Going a step further, the employee attestations could also include subject matter questions with scored results, allowing compliance officers to make an objective assessment of each employee’s understanding of the code of conduct. As sub-par scores are recorded, remediation tasks can be initiated, completed, and logged. This approach provides a more compelling body of evidence that the company is proactive in assessing and documenting the effectiveness of its code of conduct.
Having the ability to log, investigate, and track incidents related to the code of conduct—and monitor for recurring issues or trends that might require corrective actions—can also affirm commitment to compliance. Additionally, it is important to make this evidentiary information available to auditors in a well-organized, easily accessible manner. Maintaining time-based snapshots of this data can allow companies to demonstrate the optimization of their compliance programs for any point in time.
Preparing for an Audit
Producing proper evidence is typically the greatest challenge for any company looking to demonstrate the effectiveness of its compliance program. This requires a determination of what the evidence needs to be, how the company will monitor it, and how often to update it so the compliance officer can say at any point, “Here is the evidence of what we have in place now, and here is evidence of the system that we had in place during the time period in question.”
Some may wonder why insurers would need to maintain this historical information. Keep in mind that when a whistle-blower submits an allegation to the government, it can take regulators months or even years to confront the company with the allegation of a compliance or ethics breach due to bureaucracy or work backlogs. Therefore, the company must have the ability to look back to the time frame in question and produce evidence that regulations were in effect at that specific time and that employees were compliant.
This information must be provided accurately, consistently, and confidently to regulators for it to be effective, even if the whistle-blower’s allegation is upheld. No compliance program can prevent every potential issue. However, if the company can show that it was doing the right things with a true intent of preventing issues, then there could be a reduction in fines and sanctions. If a company is found in violation of regulations and was doing nothing (or perhaps the bare minimum) to stay compliant, then it will likely incur higher fines and sanctions, as well as negative publicity. From the perspective of the board of directors, demonstrating compliance is viewed as a critical component in the protection of the insurer’s brand.
Seven Elements of Effective Programs
For most insurers, showing the effectiveness of a compliance program by manual means is virtually impossible and usually problematic. Because of this, companies in regulated industries should consider automating their processes with a “compliance system of record.” Even if the company is following a pre-existing or company-created checklist, the seven elements of effective compliance and ethics programs, stemming from the Federal Sentencing Guidelines, should be closely examined:
1. Establish policies, procedures, and controls. Organizations must establish standards, procedures, and controls to prevent and detect unethical conduct. These standards, in addition to internal controls, can help reduce misconduct. They should be incorporated into a written code of conduct that enables audit systems and other procedures to have a reasonable chance of preventing and detecting wrongdoing.
2. Exercise effective compliance and ethics oversight. Organizations must involve multiple layers of management in the compliance and ethics process with the goal of ensuring program effectiveness. Designated individuals must be knowledgeable in terms of the program’s requirements. The tone at the top of the organization is important, but if the “tone in the middle” is broken, then the marching orders from the top cannot succeed. Guidelines should impose specific duties on various levels of management, including the board of directors, senior management, and individuals with primary responsibility for the compliance and ethics programs.
3. Exercise due diligence to avoid delegation of authority to unethical individuals. Organizations must use reasonable efforts to avoid delegating substantial authority to individuals with a history of engaging in illegal activities or other behavior that would defy the tenets of a program. Many organizations are increasingly outsourcing a variety of operations to third parties. Outsourcing functions that are beyond an organization’s core strengths makes good business sense. However, organizations must also use proper safeguards to ensure they are dealing with reputable and ethical partners, as they cannot outsource their liability along with operational functions.
4. Communicate and educate employees on compliance and ethics programs. The organization must take reasonable steps to communicate its standards, procedures, and other aspects of its programs periodically and in a practical manner throughout all levels.
5. Monitor and audit compliance and ethics programs for effectiveness. Organizations must ensure that their employees follow the guidelines set forth for compliance and ethical behavior, as well as create mechanisms for auditing and reporting on the effectiveness of the programs.
6. Ensure consistent enforcement and discipline of violations. Organizations should consistently promote the value and importance of such programs. Organizations can reward those actions that demonstrate adherence to an ethical culture and discipline individuals who fail to adhere to the ethical standards in place.
7. Respond appropriately to incidents and take steps to prevent future incidents. The guidelines require that organizations not only take appropriate investigative actions in response to suspected compliance and ethics violations, but also take appropriate measures to preserve the confidentiality of investigations.
Protecting the Corporate Brand
With a “compliance system of record,” policies, assessments, audits, incidents, investigations, and corrective action plans can be linked back to applicable laws and regulations to create a dynamic body of evidence and ensure a continual audit-ready state for the organization.
As a result of the USSC’s modifications to the Federal Sentencing Guidelines, companies should establish compliance and ethics programs rooted in the seven elements and evaluate existing corporate programs to ensure that they conform. In doing so, organizations are eligible to receive benefits such as reduced fines and sentences or deferred prosecution. Aside from gains such as reducing the likelihood and severity of civil enforcement actions, establishing an effective compliance and ethics program just makes good business sense. A sound compliance regimen can enable insurers to better protect the corporate brand and minimize the consequences of any misconduct that occurs.