The U.S. Sentencing Commission is not the sole government agency interested in encouraging or requiring compliance efforts. The approaches (incentives vs. requirements) and details vary widely. Following publication of the Federal Sentencing Guidelines for Organizations criteria, other efforts, some referencing the "seven elements" model and some not, have included:


Federal Requirements

In 1995, the Environmental Protection Agency (EPA) announced its "final policy" on incentives to encourage its regulated entities to "self-police" and report violations. Substantial penalty reductions await those who can demonstrate they found a violation because of "an objective, documented, systematic procedure or practice reflecting the regulated entity's due diligence in preventing, detecting, and correcting violations". Here's how the policy works today. The agency also provides "compliance assistance" in the form of tools and training.


In 1996, the Federal Deposit Insurance Corporation (FDIC) issued revised "Guidelines" on what it expected to see when examining a bank with an "effective compliance program" against money laundering. The current "minimum requirements" for Anti-Money Laundering (AML) programs are at 31 CFR 103.140(c). The FDIC's manual provisions for examinations of bank compliance programs are also available.

In 2003, as required by the Sarbanes-Oxley Act, the Securities and Exchange Commission (SEC) issued a final rule mandating that public companies publicly disclose whether or not they had adopted a "Code of Ethics" for their chief financial officer and chief executive officer and, if not, "why not". The rule contains broad descriptions of actions that such a "Code" should promote (e.g., honesty, compliance with the law), but the agency declined to require specific provisions. However, the SEC has been pretty clear about what it thinks makes a "culture of compliance".

Since 2004, the SEC has required that investment companies and advisers have "Compliance Programs" consisting of (1) a chief compliance officer; (2) policies and procedures; and (3) an annual review of those policies and procedures for "adequacy and effectiveness of their implementation". The final rule imposing these requirements has an extensive discussion of the types of policies and procedures expected and the role of a compliance officer.

In 2008, the General Services Administration (GSA) published a final rule requiring most government contractors to "establish and maintain" (a) a "written code of business ethics and conduct", (b) an "ongoing business ethics awareness and compliance program", (c) training about the program, and (d) an "internal control system" with specified features, including an anonymous reporting mechanism.

In 2010, the Federal Energy Regulatory Commission explicitly adopted the Sentencing Guidelines model into its "Guidelines" for setting penalties for violations of the laws and regulations under its authority. Notably, it adopted a suggestion that companies with "effective, yet imperfect compliance programs" should receive partial credit if their efforts included only four elements: (1) active engagement and leadership by senior management, (2) effective measures to prevent violations, (3) measures supporting prompt detection, cessation and reporting of violations, and (4) measures supporting remediation.

Also in 2010, with passage of the Affordable Care Act, having a compliance program became a requirement for enrolling as a provider in the Medicare program (see Healthcare Compliance 101). Related regulations are still pending, but will probably look much like those governing health plans that administer the Part D drug benefit program and the "Medicare Advantage" plans.


Also in 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act was passed. Among its many provisions is a whistleblower incentive program administered by the SEC that allows those providing the agency with tips that lead to successful enforcement actions to share part of any monetary sanctions over $1M. This isn't the first such program, but it generated more than a little concern that the prospect of a reward would undermine internal reporting mechanisms and compliance structures. The related final rule incentivizes initial reporting to internal compliance programs while still permitting the whistleblower to choose which route he or she takes. Chairman Schapiro explained the Commission's thinking when the final rule was announced (video).


Beginning October 1, 2012, the Commodity Futures Trading Commission (CFTC) requires certain firms to have a Chief Compliance Officer, who has to be a listed member of the firm.


The US State Department has also published Compliance Program Guidelines for evaluating company efforts to comply with the Arms Export Control Act (AECA) and the International Traffic in Arms Regulations (ITAR). The details will look familiar (organizational structure, commitment, policies, training, monitoring of controls, responses to violations), although the FSGO model is not explicitly referenced. The University of Texas has a manual and procedures tailored to meet these requirements.


The Federal Energy Regulatory Commission has also established policy statements about what it is looking for in the compliance efforts of regulated entities in order to grant credit for them during negotiations on civil penalties. One key, according to this agency, is "the role of senior management in fostering compliance".

State Requirements

July 1, 2005: California's requirement that drug and device manufacturers establish "Comprehensive Compliance Programs" regarding their interactions with "medical or health professionals" went into effect. The state chose to incorporate the 2003 voluntary Program Guidance for Pharma Manufacturers from the DHHS OIG (see Healthcare Compliance 101) and the voluntary code of the Pharmaceutical Research and Manufacturers Association of America as required elements of such programs. In addition, companies are required to annually "declare" their compliance, make their programs publicly available via their websites, and establish an annual dollar limit for their gifts to those prescribing their products.

July 1, 2009: New York began requiring providers participating in its Medicaid program to establish an "effective" compliance program covering specified areas of their operations and to annually certify certain information about it. The Medicaid Inspector General's office maintains an online certification system, conducts "effectiveness reviews", and publishes best practices, "insufficiencies" and "opportunities for enhancement". The Office also released a Guidance document for General Hospitals and other resources.

Evaluating Performance

If the government requires that an organization have a compliance program, there's always the possibility that an agency will some day come by and, quite publicly perhaps, evaluate whether those requirements are being met. That was happening in the world of Medicare managed care plans in 2010 and 2011 as the Centers for Medicare and Medicaid Services (CMS) conducted a series of audits (33 in all) to determine if its contractors were meeting the requirement to have an "effective" Compliance Program reflecting the regulations linked above. Some contractors didn't survive the audit process.

The overall results were presented by CMS at an AHLA conference in 2011 and the slides from the presentation include both a "Compliance Plan Effectiveness Self Assessment" tool and observations on best practices that anyone in the compliance field should find of interest.
