By: Linda L. Goodman
For the past 10 years, I have been developing, writing and speaking about creating a “culture of compliance” in online marketing companies. I have spoken, written and developed policies and procedures for my own clients who have come to believe that compliance is the key to their survival. In fact, creating a culture of compliance is the most important step your company will ever take to keep its reputation enhanced, as well as the money its sales team is so readily able to bring to the table. In addition, it often pays for itself by reducing potential fines from $1,000.00 per violation to $100.00 per violation and it keeps everyone in your company looking over each other’s back – ensuring that the profits of the company stay with the company. You create it by taking the following seven steps:
Step 1: Get Senior Management Involved.
In large or small online businesses, senior management should play an active and visible role in fostering a culture of compliance within their organization. Rules and policies by themselves mean nothing – they are unread pieces of paper or discarded e-mails. But when Senior Management holds the meeting, hands out the policy or gives the speech that the policy must be understood and violations are not acceptable and will not be tolerated, the policy takes life. In addition, a member of senior management should be named as the chief compliance officer, responsible and accountable for the development, management, and execution of the corporate compliance program.
Step 2: Risk Assessment.
The chief compliance officer, with the assistance of legal counsel, needs to conduct a risk assessment to determine which activities are at risk for the commission of a violation resulting in government investigation or private litigation. This assessment is largely based upon the types of marketing undertaken by the company, the type of consumer data used or stored by the company and the type of third party independent partners the company uses.
For example, if the company is an ad agency and buys media for third parties to sell their products and services – the risk is clear. The officer knows that the company has potential liability for its advertisers’ marketing and the third parties’ promotional tactics. Thus, the chief compliance officer should develop and apply policies and procedures to mitigate those risks, including a trained compliance team to vet the marketing of its advertisers and a program to monitor its third party media buys.
If the company is an advertiser, then the chief compliance officer knows that it has an inherent risk within its own advertising and an additional risk for the marketing of third parties driving consumers to its website.
If the company is a data broker, then the officer knows that how it collects, stores and uses the data creates the risk of liability, and implements policies accordingly.
Step 3: Written compliance policies.
After conducting a risk assessment, the chief compliance officer needs to develop a written compliance policy or policies. The policy should address and resolve each risk identified in Step 2. This policy should be easily understood and accessible to all employees, including managers and leads. It should be updated as often as necessary to keep pace with changes in litigation, legislation, non-compliance issues, or new services or products. The policy should also establish internal procedures for compliance including:
- Educational training for all employees that covers the policy and what constitutes compliance and non-compliance.
- Training on the internal procedures for reporting violations, investigation and resolution.
- Creation of an auditing and monitoring mechanism tailored to the corporate compliance program.
- Creation and establishment of procedures for notification to third party partners and independent subcontractors to ensure that they comply with the applicable laws, rules and regulations.
- Creation of a procedure to establish a record which not only documents the violation, but also the investigation and resolution when a violation has occurred.
- Creation of a mechanism that allows employees and partners to provide feedback and recommendations to the chief compliance officer.
Step 4: Training program.
Once the chief compliance officer has identified the risks associated with your business, and written procedures and policies designed to identify and limit compliance violations, the company must design and undertake an effective training program for its staff at all levels. The training should take into consideration: (i) the legal requirements and liabilities related to the company’s marketing in order to provide an understanding of what is required by statute, rules, regulations or best practices including the penalties for not meeting those requirements; (ii) the policies and procedures the company has developed to avoid such costly penalties; (iii) practical examples from your company as to what constitutes prohibited practices; and (iv) what should be done if the employee witnesses prohibited practices. Combined, the policies and this training are integral to the implementation of a credible compliance program that can be used as a defense if needed. Effective training helps employees determine roles and responsibilities, and when to seek advice from senior management. For the training to be effective, links should be made between the business’s policies and procedures, and the situations that employees may face in their daily activities.
Finally, the company should consider developing and implementing a recurring training program, including refresher training, regarding the compliance policies for current and new employees, including managers and leads. After training, employees should document their attendance with a written acknowledgment that they understand the corporate compliance policy, and these written acknowledgments should be recorded and maintained. The business could also monitor employee comprehension of the corporate compliance policy, and the training program could be revised and re-administered – if the employees are not getting it, there is a problem with the training program. In addition, the training program should be adjusted, modified and reissued to the employees after significant cases or changes to the law which affect the corporate compliance policies and procedures. The chief compliance officer should evaluate the effectiveness of this training at regular intervals but not less than twice a year.
Step 5: Auditing and monitoring.
Auditing and monitoring mechanisms help: (i) detect misconduct; (ii) avoid costly continued misconduct; and (iii) assess the effectiveness of the corporate compliance program. In addition, these types of mechanisms serve as a reminder to employees and managers that they are subject to oversight. The chief compliance officer should schedule monitoring and audits at regular intervals. As to third parties, external monitoring systems should be put into place with regular reporting to the chief compliance officer or his or her designee. Monitoring and auditing, more often than not, results in a quality assurance program. The results of all audits should be recorded, maintained, and communicated to senior management. Following an audit, the business can and should address recommendations and modifications or updates to the corporate compliance policies and procedures.
Step 6: Take corrective action.
Finding and acknowledging a violation is important because it means your team is actively scouting for misconduct. More important is that once the corporation is made aware of a violation, it takes immediate action to resolve and prevent further violations of your policies. This procedure is necessary in that it: (i) demonstrates the corporation’s credibility regarding its compliance policies; and (ii) deters future violations of the compliance policy. Businesses should consider taking corrective or disciplinary action, or providing refresher training, as appropriate, to address the violation. In taking these steps it is imperative that the corporation maintain a record of the notification, investigation and action taken in response to the contravention of the policy.
The chief compliance officer should put in place a complaint resolution procedure and system to document actions taken once a compliance issue has been brought to the corporation’s attention. More importantly, the resolution must be created to address the compliance violation notification and the resulting action steps taken, and then be documented and retained for future use. Most importantly, compliance violations should be responded to and resolved within a reasonable or predetermined period of time.
Step 7: Record Retention.
Good record retention practices can improve compliance and provide a defense in the event of a government claim or private civil suit by: (i) identifying potential non-compliance within the company and by its third party partners; (ii) documenting the investigation of and response to the violation; (iii) documenting adjustments in the corporation’s practices, procedures and monitoring; (iv) documenting the compliance program and its effectiveness; (v) demonstrating that corrective actions were implemented when non-compliance was identified; thereby (vi) establishing a defense in the event of complaints against the corporation.
The following records should be kept at a minimum:
Relating to the Company’s compliance programs:
- Compliance policies and procedures.
- Training material and documentation of attendance.
Relating to the Company’s enforcement of its compliance policy and procedures:
- Copies of any and all violations.
- Company’s response to such violations.
- Corrective action taken by the offender or termination of the offender.
- Any changes to any corporate policy or procedures as a result of notification of the offense.
That is it! You create it, teach it, enforce it, and document it. That is creating a culture of compliance.
______________________________________________________________________
This article is a publication of The Goodman Law Firm and is intended to provide information on recent legal developments. This article does not create an attorney-client relationship, nor should it be construed as legal advice or an opinion on specific situations. This may constitute “Attorney Advertising” under the Rules of Professional Conduct and under the law of other jurisdictions.
© 2014 TGLF, A.P.C.