- The Sarbanes-Oxley Act of 2002 strongly encourages training on the Code, and requires education about reporting systems.
- The Federal Sentencing Guidelines mandate training on ethics and legal compliance.
What are the Relevant Components of The Sarbanes-Oxley Act of 2002 (SOX)?
- Section 406 of SOX requires disclosure of whether a code of ethics has been adopted.
Section 406 of SOX directed the Securities and Exchange Commission (SEC) to issue rules requiring each public company to disclose whether or not it has adopted a code of ethics that applies to the organization's key officers. The SEC adopted final rules implementing Section 406 of SOX in January 2003.
The final SEC rules define the term "code of ethics" as written standards that are reasonably designed to deter wrongdoing and to promote:
- Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships.
- Full, fair, accurate, timely and understandable disclosure in reports and documents that a company files with or submits to the SEC and in other public communications made by the company.
- Compliance with applicable governmental laws, rules and regulations.
- The prompt internal reporting of any violations of the code of ethics to an appropriate person or persons identified in the code of ethics.
- Accountability for adherence to the code of ethics.
SOX does not actually mandate adopting a Code of Ethics / Code of Conduct, but it requires that a company disclose whether or not it has adopted a Code that satisfies the definition above. If the company has not adopted such a Code, it must disclose why. This approach is often described as a "law of shame."
- NYSE and NASDAQ Governance Standards require a Code.
Expanding upon the Section 406 concept, the SEC approved new NYSE and NASDAQ Governance Standards. Both exchanges require a "Code of Business Conduct and Ethics" covering all employees, officers and directors. Each listed company must make its Code available to the public.
The NYSE requires CEO's to certify compliance with these listing standards on an annual basis. (Final NYSE Corporate Governance Rules, Section 10.) The NYSE requires more than a Code. It mandates "compliance standards and procedures that will facilitate effective operation of the Code." These "procedures" are largely interpreted to include training and education.
- Section 301 of SOX requires clear communication of reporting channels and protocols.
It's important to consider the importance of training when addressing general compliance with SOX. SOX requires each Audit Committee to establish a procedure for the confidential, anonymous reporting of complaints about audit and financial matters. (Section 301(4)). Such "procedures" naturally involve training and education about reporting channels and protocols.
What are the Federal Sentencing Guidelines?
The Federal Sentencing Guidelines (FSG's) are rules that set out a uniform sentencing policy for convicted defendants. They were amended in November of 2004 to include critical training requirements.
The FSG's now require employers to adopt comprehensive ethics and compliance programs, and to train everyone on the fundamental components of those programs. Practically speaking, this means having a Code of Conduct or Code of Ethics and training on that Code.
How Do the Federal Sentencing Guidelines Work?
The FSG's make clear that employers can be held liable for their employees' illegal conduct. If employers take proactive steps to prevent unethical and illegal conduct through an effective ethics and compliance program (which includes training), employers can substantially mitigate potential fines and punishment for criminal violations:
The potential fine range for a criminal conviction can be significantly reduced -- in some cases up to 95 percent -- if an organization can demonstrate that it had put in place an effective compliance and ethics program and that the criminal violation represented an aberration within an otherwise law-abiding community.1
The opposite side of this equation is that an absence of effective ethics and compliance programs can be used to increase fines and punishment.
Do Ethics & Code of Conduct Training Requirements Apply to All Employers – Both Public and Private?
Yes. Unlike SOX, the FSG's apply to both public and private employers.
The Federal Sentencing Guidelines apply to "all organizations, whether publicly or privately held, and of whatever nature, such as corporations, partnerships, labor unions, pension funds, trusts, nonprofit entities, and government units." 2
While the Sarbanes-Oxley Act applies to publicly traded companies, the rules and guidelines that it established are being widely adopted by privately held companies for two reasons: (1) Sarbanes-Oxley standards make for good business practice, adding value beyond simple "check the box" compliance. Many of the Sarbanes-Oxley requirements, like training, can help to substantially mitigate risk and liability for privately held organizations; and (2) Sarbanes-Oxley type legislation is expected in the near future for privately held organizations. Leading employers are recognizing the opportunity to stay ahead of the compliance curve.
Why Are the FSG's Relevant to Civil Proceedings?
There is a long and extensive history of courts and regulatory agencies using the Federal Sentencing Guidelines to establish expected standards of conduct for employers, and to determine associated fines and penalties for not meeting those standards. The Commentary to the FSG's emphasizes that effective ethics and compliance programs go beyond the deterrence of criminal conduct to "facilitate compliance with all applicable laws."3
Who Needs to Be Trained?
Everyone.
Sections 8B2.1(b)(4)(A) & (B) of the Federal Sentencing Guidelines reference the need to train the entire workforce with a sweeping definition of "individuals" who must be trained:
The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to [members of the governing authority, high-level personnel, substantial authority personnel, the organization's employees, and, as appropriate, the organization's agents] by conducting effective training programs and otherwise disseminating information appropriate to such individuals' respective roles and responsibilities.
This requirement is further underscored in the Commentary to the Amendments:
Section 8B2.1(b)(4) makes compliance and ethics training a requirement, and specifically extends the training requirement to the upper levels of an organization, including the governing authority and high-level personnel, in addition to all the organization's employees.
How Often Does Training Have to Occur?
"Periodically."
As detailed above, Section 8B2.1(b)(4)(A) of the Federal Sentencing Guidelines refers to a periodic training requirement.
While "periodic" is not defined officially by the FSG's, employers can be guided by how that term has been interpreted in the employment law arena. The US Supreme Court and the EEOC require "periodic" harassment and discrimination prevention training for all employees and managers. A thorough review of employment law training case law shows that "periodic" is generally interpreted as every 12 – 24 months.4
California's recently passed harassment training law (AB 1825; new Government Code section 12950.1 )5 also references periodic training, and officially sets the time frame at every two years.
Based on this legislative context and a thorough review of state and federal case law from the past 5 years, ELT recommends training every year, and at least every other year.
Also, it is essential that new employees be trained as soon as possible. Under California's new harassment training statute, mandated training must occur within six months after a new manager is hired.
Can Distributing a Code of Conduct Meet the Training Requirements?
No.
The Federal Sentencing Guidelines specifically reference the need to proactively communicate the organization's ethics and compliance program by "conducting effective training programs." Clearly, distributing a Code of Conduct, whether electronically or in hard copy, does not amount to an effective education program.
Once again, given the relative infancy of the FSG requirements, employers can be informed and guided by the historical data and information regarding employment law training requirements. Following landmark decisions by the US Supreme Court in 19986, and specific training guidelines from the EEOC in 19997, there is a mountain of case law showing that distribution and even tracking of policies is not enough to meet a training requirement.
Employers with more than 200 employees should be particularly aware of the formality of the FSG's training requirement. While small employers (<200 employees) may provide training through more informal means ( i.e. staff meetings) as long as the training is effective and comprehensive, larger employers (200 employees or more) must provide more formally planned and implemented training programs.8
Does the Quality of Training Really Matter?
Yes!
The FSG's make continual reference to an "effective" training program. The new California training statute uses the same term, "effective."
Most importantly, quality training means that more is accomplished than just "checking the box."
Finally, the introduction of the organization's Code of Conduct is a message of high importance transmitted from the Board of Directors through the CEO. The more powerful the delivery of this message, the better its acceptance and durability. Without qualification, "quality" matters when the integrity and future of your organization is being presented!