Director of Regulatory Compliance Studies at Loyola University Chicago School of Law
Yesterday I gave a webinar on compliance program hotlines and an interesting question came in after the broadcast: “Internally staffed compliance hotlines seem like a bad idea. Doesn’t an internal hotline increase the company’s regulatory risk?” Internal hotlines could increase legal exposure if the hotline reports are ignored. Thinly staffed internal hotlines risk information being missed if the communication box isn’t checked very often or the information is buried in a mountain of other work the compliance office has on its plate. There is nothing about internally staffed hotlines that inherently increases liability; the liability turns on what a compliance program does with the information (or doesn’t do with the information). The legal exposure be that as it may, if a compliance office can’t properly manage an internal hotline in order to get the information into a good triage pipeline, then the effectiveness of the entire compliance program is threatened.
The Federal Sentencing Guidelines do not explicitly reference a “hotline,” but hotlines are the most common way to demonstrate a company is living up to §8B2.1(b)(5)’s admonishment to have a workforce reporting mechanism:
“The organization shall take reasonable steps…(C) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.”
There are many ways to manage this expectation, anonymous electronic reporting platforms and old-fashioned drop boxes fastened to a wall are some of the approaches even as hotlines remain the most popular solution. Hotlines are typically phone numbers (usually toll free) that are publicized for the workforce to report suspected non-compliance and sometimes are even promoted to the public or consumers. It is important that the company not put restrictions on the purpose of the hotline so that callers are in no way deterred from calling and are not burdened with thinking through which hotline to call for which problems. Since the best hotlines are all things to all people, there’s a risk the hotline morphs into a gripe-line, but that’s the price to make sure someone doesn’t think twice about calling the hotline.
Amidst the debates on how best to afford workforce members an opportunity to report issues, we can lose track of making sure there is someone on the other end of a phone line when a caller calls. There is nothing in the Federal Sentencing Guidelines that remotely implies that a live human needs to be on the other end of a hotline phone number, but it is common sense to have someone there. Some companies that manage hotlines internally use voicemail for callers to leave a message when the office is closed or the person staffing the phone is otherwise busy. It would be a natural response for a person to shy away from leaving a message if the caller thought their voice would be analyzed in the recording or that the recording would be forever captured. Companies are increasingly linking voicemail to email, rendering the voicemail message easily recoverable after being deleted. Having a live human on the other end around the clock seems a good way to encourage people to provide the compliance program with information. If a live person staffs the hotline 24/7, then it would be good to mention that in training or other hotline promotions.
This gets us back to managing the hotline internally. Is the company able to staff a compliance program 24/7? If so, then having an internal hotline seems just as good as having a vendor-staffed hotline. If the organization cannot staff the hotline at all hours, then it needs to seriously think about whether its program is doing all it can to make it easy for workforce to report suspected non-compliance. And this brings us full circle to the webinar question, whether an internally staffed hotline increases a company’s risk. It seems to me this splits off into two streams: (a) Could the company have had a better compliance program by outsourcing the hotline? (b) Is an over-worked compliance office prone to dropping the ball on information reported to an internal hotline?
With respect to the first question on risk, I would say the larger the organization and the more complex the regulatory environment the more the company has a burden to make sure the hotline is staffed with a human at all hours. Once a company sets up a voicemail box for after-hours calls, it’s a fairly easy slippery step to increase reliance on the voicemail box during business hours – all sorts of excuses creep up; breaks, sick days, vacations for the person staffing the line all default to a voicemail box. What the company doesn’t know in these situations is whether the voicemail box has become a deterrent to reporting. All could appear to seem well managed. It might not be long before the company wonders why a human should staff the hotline live at any hour. If that is the road a company takes, then the effectiveness of the compliance program will grow weak. It will never know what it’s missing.
With respect to the second question on risk, an over-worked compliance office may just as easily drop the ball on an issue reported to an internal hotline as it may for an issue reported to a vendor-staffed hotline. Over-worked is over-worked. But there is a greater likelihood that a vendor-run hotline will have a tracking mechanism to log the hotline calls for reference. Having the vendor maintain a tidy call log frees up the compliance staff to manage the calls when they are lobbed over the fence from the vendor.
All in all, vendor-run hotlines seem to make sense, assuming a company can afford the price tag. Then again, the price is likely to catch up with the company one way or another, whether through vendor fees (for externally managed hotlines), increased internal staff (for internally managed hotlines), or a failed compliance program (for hotline breakdowns). So, does an internal hotline increase a company’s risk? Not necessarily, but it’s better never to find out the answer to that question.