Posted on March 4, 2016
The United States Environmental Protection Agency recently modernized its implementation of its two primary self-disclosure incentive policies – the Audit Policy and the Small Business Compliance Policy – by creating a centralized, web-based “eDisclosure” portal to receive and automatically process regulated entities’ self-disclosed civil violations of environmental law. The Audit Policy and Small Business Compliance Policy provide penalty mitigation and other incentives for large and small businesses that discover, promptly disclose and expeditiously correct environmental violations and take steps to prevent future violations. According to EPA, the automated eDisclosure system will make the processing of more routine voluntary disclosures faster and more efficient, and save time and resources for both regulated entities and EPA. Nonetheless, while efficiency is desirable for both public and private parties, potential users of the new system should bear in mind that self-disclosure of a violation to EPA should be undertaken with the assistance of experienced environmental consultants and legal counsel.
In the future, all self-disclosed civil violations (except for disclosures under EPA’s New Owner Policy) must be made through the eDisclosure portal. Entities that disclose potential violations through the portal may qualify for one of two types of automated treatment, Category 1 or Category 2. Category 1 disclosure is available only for minor violations of the Emergency Planning and Community Right-to-Know Act (“EPCRA”). For Category 1 disclosures, the eDisclosure system automatically issues an electronic Notice of Determination (“eNOD”) confirming that the violations have been resolved with no assessment of civil penalties, on the condition that the certified eDisclosure is accurate and complete.
Category 2 Disclosures include all non-EPCRA violations, EPCRA violations where the entity can certify compliance with all of the Audit Policy’s nine conditions except that the method of violation discovery was systematic, violations of CERCLA § 103/EPCRA § 304’s chemical release reporting requirements, and EPCRA violations with ”significant economic benefit” (as defined by EPA). For these disclosures, the eDisclosure system automatically issues an electronic Acknowledgement Letter confirming EPA’s receipt of the disclosure and promising that EPA will make a determination regarding eligibility for penalty mitigation if and when it considers taking an enforcement action for environmental violations.
EPA stated in its December 9, 2015 Federal Register notice announcing the launch of the eDisclosure portal that it “is not modifying the substantive conditions in its Audit Policy or Small Business Compliance Policy.” However, anyone considering using the eDisclosure portal to self-report a civil violation of environmental law needs to be aware that EPA has significantly changed its longstanding approach to responding to Freedom of Information Act (“FOIA”) requests for such disclosures.
Since 1997, EPA has deemed resolved voluntary disclosures under the Audit Policy and Small Business Compliance Policy publicly releasable under FOIA. The agency will continue to take this approach to Category 1 disclosures submitted through the eDisclosure portal. Specifically, it will grant FOIA requests for eNODs issued for Category 1 disclosures in most cases.
However, EPA’s handling of unresolved voluntary disclosures will shift 180 degrees going forward. Until now, EPA has generally withheld unresolved disclosures pursuant to FOIA’s “law enforcement proceeding” exemption, Exemption 7(A). This exemption protects from disclosure “records or information compiled for law enforcement purposes, but only to the extent that the production of such law enforcement records or information (A) could reasonably be expected to interfere with enforcement proceedings ….” Now, simultaneous with its implementation of the eDisclosure portal, EPA has eliminated its practice of withholding unresolved disclosures and replaced it with a presumption in favor of releasing regulated entities’ voluntary disclosure information to the public. In responding to FOIA requests for individual unresolved disclosures, EPA now will determine on a case-by-case basis whether it “reasonably foresees that release would harm an interest protected by a FOIA exemption.” In doing so, it will aim “to be as accommodating as possible in responding to such requests,” with the result that it “generally expects to make Category 1 and Category 2 disclosures publicly available within a relatively short period of time after their receipt.”
As the agency explains it, this policy shift is consistent with the 2009 memoranda from President Barack Obama and Attorney General Eric Holder in favor of federal government transparency. Nonetheless, it could reduce the perceived benefits of the Audit Policy and Small Business Compliance Policy for some in the regulated community and provide a disincentive to self-report. Moreover, at least one commentator has suggested that EPA’s new willingness to release information in response to FOIA requests may “fuel… private attorney general litigations.” This could be particularly problematic where EPA releases disclosure information through a FOIA request before it has determined whether in fact the business in question is eligible for penalty mitigation or will not be a target of enforcement action. Although EPA is trying to reassure the regulated community that this policy change will not result in more citizen suits, potential eDisclosure portal users are legitimately concerned about such arguably premature releases of disclosure information, and should carefully evaluate their circumstances before making any disclosure, especially under Category 2.
The potential for the release of unresolved disclosures to cause harm to eDisclosure users could be further exacerbated as an unintended result of the expansion of intergovernmental data exchanges such as the Environmental Information Exchange Network, a partnership of states, territories, tribes and EPA working to provide increased access to high-quality environmental data.
In sum, by introducing the eDisclosure system, EPA has streamlined the self-disclosure process for certain environmental violations, which likely will reduce the time and expense involved in making such disclosures. However, EPA has not provided any additional detail or direction for businesses to use in determining whether a specific violation meets the substantive criteria of the Audit Policy or Small Business Compliance Policy. This determination – and the ultimate decision of whether disclosure will be beneficial – should be made with careful consideration of the relevant facts and applicable law, under the guidance of knowledgeable environmental consultants and legal counsel..
Posted on January 21, 2014
The EPA Audit Policy, “Incentives for Self-Policing: Discovery, Disclosure, Correction and Prevention of Violations,” adopted in 1995, 60 Fed. Reg. 66,706 (Dec. 22, 1995), amended at 65 Fed. Reg. 19,618 (Apr. 11, 2000), was targeted by EPA for abandonment in 2012. Perhaps in response to resounding objections by industry and outside counsel, EPA has not yet dismantled this cherished avenue toward forgiveness.
For counsel productively utilizing the EPA’s Audit Policy, EPA’s announcement that it intended to abandon the Audit Policy, particularly in the context of Next Generation Enforcement and budgetary cutbacks in “boots on the ground” inspections, created significant concern that industry would be caught in a communication and policy void that would lead to more punitive yet unnecessary enforcement proceedings. While EPA has removed the possibility of e-reporting per its Audit policy electronic disclosure website, EPA has maintained regulated entities’ ability to utilize the Audit Policy by directly reporting to regional Audit Policy staff. See EPA’s Audit Policy website here. Hopefully, EPA will continue to recognize the many benefits resulting from continued support of the Audit Policy, particularly in the context of more remote enforcement strategies, fewer “boots on the ground” and heavier reliance on state enforcement resources.
Audit policy – History
In response to developing state audit privilege legislation, EPA developed an interim policy addressing the scope of “privilege” allowed for voluntary environmental audits and their findings. 60 Fed. Reg. 66,709 (March 31, 1995). Seeking to avoid litigation regarding the scope of privileged environmental audit findings, EPA’s interim policy offered incentives to conduct voluntary audits where the findings were disclosed and promptly corrected. EPA issued its final Audit Policy in 1995, with the specific purpose of enhancing protection of public health and the environment by encouraging regulated entities to voluntarily discover, disclose, correct and prevent violations of Federal enforcement law. The benefits offered by EPA’s 1995 final Audit Policy included reductions in the amount of civil penalties, possible elimination of gravity-based penalties, and a determination not to recommend criminal prosecution of disclosing entities. EPA’s adoption of the 1995 Audit Policy followed five days of dialogue, hosted by ABA’s SEER (then SONREEL) with representatives from regulated industry, states and public interest organizations which identified options for strengthening the former interim policy and included changes reflecting insight gained through this ABA dialogue, over 300 comments received and EPA’s practical experience in implementing the interim policy. Since its adoption, EPA has issued several guidance documents, including EPA’s Audit Policy Interpretive Guidance (January 1997), Audit Policy; Frequently Asked Questions (2007); and EPA’s Audit Policy: Tailored Incentives for New Owners, 73 Fed. Reg. 44, 991 (Aug. 1, 2008), all available here.
Enforcement budgetary constraints
In the face of fierce political opposition and severe budgetary cutbacks, EPA issued public statements regarding areas where resources would be cut back or eliminated. Specifically, on April 30, 2012, EPA’s OECA issued its “National Program Manager (NPM) Guidance” to EPA’s regional offices proposing to spend no resources processing self-disclosures under the Audit Policy beginning with EPA’s 2013 Fiscal Year. In the NPM Guidance, EPA stated its position that internal compliance reviews had become more widely adopted by the regulated community as part of good management, that most violations disclosed under the Policy were not in the highest priority enforcement areas for protecting human health and the environment, and that EPA could reduce its investment in the program to a limited national presence without undermining the incentives for regulated entities to do internal compliance reviews to find and correct violations with potentially a modified Audit Policy that is self-implementing. See the FY2013 OECA NPM Guidance (Publication Number – Final: 305R12001) available here.
With the issuance of the April 2012 NPM Guidance came a strong response by regulated entities. Members of the national environmental bar, including individual practitioners, the American College of Environmental Lawyers and the Corporate Environmental Enforcement Council, reached out to the EPA and requested discussion, urging EPA to retain the Audit Policy. See e.g., related ACOEL blog postings available here, and CEEC letter to Cynthia Giles, Assistant Administrative, EPA OECA (Feb. 8, 2013), available here.
Common arguments defending the continued implementation of the Audit Policy include the fact that the Audit Policy serves as the basis for a continued culture of compliance even in landscape of dynamic changes to industry and regulation, quantifiable benefits in achieving compliance, as well as serving as a consistent baseline for states adopting their own audit policies.
EPA’s Promotion of Next Generation Enforcement
In 2012, EPA began promoting its Next Generation Compliance initiative. See Next Generation Compliance article from Environmental Forum, republished here. With EPA’s NGC, EPA is seeking to streamline federal enforcement oversight with regulations adopting “built-in” compliance, advanced pollution monitoring, electronic reporting, increased transparency and innovative enforcement strategies. EPA’s examples of “built-in” compliance include standards for manufacturers of mobile sources and air pollution control equipment, where compliance with standards are certified initially by the manufacturer, rather than relying initially on post-installation field testing. Following installation of air pollution control equipment, EPA’s approach would utilize advanced pollution monitoring to evaluate compliance of operating air pollution control equipment. Advanced pollution monitoring would also include fence-line monitoring and remote sensing techniques including infrared cameras. Examples of electronic reporting include NPDES Electronic Reporting, see 78 Fed. Reg. 46006 (July 30, 2013) (proposed rule), and EPA’s Toxic Release Inventory electronic reporting data based, TRI-MEweb, available here. With electronic reporting, greater electronic availability of data allows greater transparency of reported data. Finally, innovative enforcement strategies build on advanced monitoring, electronic reporting and third-party verification, coupled with industry sector approaches, including industry wide recognition and notification of noncompliance, followed by set compliance deadlines and, if necessary, enforcement.
EPA’s Reduced Enforcement Goals for 2014-2018
On November 19, 2013, EPA published its Draft 2014-2018 Strategic Plan, with public comment ending on January 3, 2014. 78 Fed. Reg. 69412 (Nov. 19, 2013). Comparing EPA’s proposed 2014-2018 enforcement goals to its 2011-2015 enforcement goals shows that EPA intends to significantly cut back on the number of inspections as well as many other enforcement goals. Specifically, EPA is reducing its 5-year cumulative inspection and evaluation goal from 105,000 inspections to 70,000 inspections. EPA expects to initiate fewer civil judicial and administrative enforcement cases, setting its initiation goal at 11,600 compared to an earlier 19,500, and conclude fewer cases, 10,000 compared to an earlier 19,000. Compare Draft FY 2014-2018 EPA Strategic Plan, available here, to FY 2011-2015 EPA Strategic Plan, available here.
Implications of NGC and Reduction in Inspections
EPA’s Next Generation Compliance approaches, coupled with significantly reduced inspections, may seem like a relief to some. However, EPA’s NGC emphasizes remote monitoring methods and automatic electronic reporting. In other words, data will be reported electronically, potentially without the necessary context required for a full compliance evaluation. However, numbers alone do not allow a conclusive compliance determination. Reliance on mere data without the context achieved with an in-person inspection raises risks that enforcement actions, albeit reduced in number, may be allowed to proceed despite facts that mitigate against taking such action. Of course, this risk varies depending upon the regulatory program and may be less significant where delegated states maintain sufficient budgets for inspections. However, this concern remains magnified where qualitative data, such as, for example, fence-line monitoring and use of remote infrared cameras, may be relied upon in the Clean Air Act enforcement context to create a presumption of noncompliance, potentially collected in a manner that is divorced from actual quantitative point-source emission data and permitted parametric operating conditions which facilities rely on to demonstrate ongoing compliance. While regulated entities maintain documentation demonstrating ongoing compliance, the threat remains that such NGC techniques could mire entities in unnecessary enforcement actions where an in-person inspection could preempt such proceedings.
In this uncertain enforcement environment, regulated entities will likely want to continue to directly rely on the assurance provided by EPA’s Audit Policy, as well as state audit policies adopted pursuant to, and maintained consistent with, EPA’s Audit Policy and the policies and principles therein.
As of January 2014, EPA continues to allow regulated entities to avail themselves of EPA’s Audit Policy by reporting to named regional EPA Audit Policy staff. Hopefully, EPA’s dismantling of its electronic Audit Policy reporting program constitutes sufficient savings to allow EPA’s regional offices to continue accepting Audit Policy disclosures.
Posted on January 7, 2013
Environmental practitioners and their clients have benefitted greatly from the EPA’s historic implementation of the EPA Audit Policy. Thus, the level of concern that has been expressed by environmental practitioners in response to EPA’s statements that the Audit Policy may not live through 2013 is not surprising. For background, see Linda Bochert’s posting, “Dear EPA: please don’t abandon your Audit Policy!”, and FY2013 OECA National Program Manager Guidance.
EPA has discussed the basis for its proposal to abandon the Audit Policy in terms of perceived decreasing utility, which creates difficulty in justifying the expense of implementation. The explanation goes something like this: with the maturity of the environmental programs, regulated industry knows that it needs to comply by now, thus the incentives provided by the Audit Policy are no longer necessary. Also, along with industry outgrowing the original purpose of the Policy, the cost of implementing the policy does not justify its continued implementation in this era of shrinking budgets, particularly given the relatively minor noncompliance events reported pursuant to the Audit Policy.
Has EPA really considered the entire calculus? And, assuming one buys into the external benefits provided by the continued implementation of the Audit Policy, given what’s at stake, isn’t it worth developing options for implementation that don’t impose the same level of staff investment?
Many believe that the Audit Policy has served a purpose far greater than the mere forgiveness of the gravity component of the reported noncompliance events. For many years, the EPA Audit Policy has provided regulated entities with a mechanism to conduct compliance audits with confidence that noncompliance issues can be corrected without fear of punitive enforcement action. The Audit Policy continues to serve this purpose, despite the maturity of the environmental programs, because the nature of regulated entities and industry sectors is so dynamic. Regulated entities are in a constant state of change, as are many EPA programs at any one time. EPA’s assertion that the EPA’s Audit Policy is no longer needed contemplates regulated entities and applicable regulations as static and monolithic bodies and does not recognize the constant state of change across industry sectors and within individual entities, particularly in response to new and modified regulations. Industry sectors also vary in their inherent levels of sophistication and adaptability to changing regulatory requirements, depending in large part upon the degree to which the industry has been pervasively regulated in the past. New regulations across an industry sector upset the equilibrium and demand new management models and compliance approaches, requiring a period of education, acquisition of staff, operational and cultural adaptation to the new requirements. Adaptation within industry sectors can be slowed when immediate demands are placed on sector resources for all entities in that sector simultaneously such as occurs with new industry sector-wide regulation, prioritizing rapid reaction to new regulation over comprehensive proactive compliance. In this regulatory environment, the Audit Policy continues to serve the same purpose as it always has, to encourage a culture of compliance in the dynamic landscape in which regulated entities operate.
To read more and provide your own input on how you believe EPA should approach the future of the EPA Audit Policy, click here.
Posted on June 22, 2012
If you have ever helped a client gain the enforcement protections available under the EPA Audit Policy, be concerned: EPA is reducing its Audit Policy work effort to a “minimal national presence”.
Why? Resources, of course. EPA has too much to do and too few people to do it. As part of the FY 2013 Office of Environmental Compliance Assurance National Program Manager Guidance (OECA NPM), EPA evaluated what it does in light of tightening budgets and overall agency priorities. The EPA Audit Policy came up short: it has resulted in a significant number of annual disclosures, but they are not in the areas of highest priority, and the agency believes traditional enforcement yields greater benefits.
EPA adopted the Audit Policy in 1995 and updated it in 2000. It incentivizes regulated entities to conduct audits, timely self-disclose violations, promptly correct, and put in place systems to avoid repeats. If you do that, any penalty EPA might otherwise apply – for the “gravity” of the violation, or to recover any “economic benefit” gained from noncompliance – can be forgiven. Everyone wins – EPA gets compliance and compliance evaluation systems that protect against future violations; the business gets the certainty and comfort of knowing that if it looks for and finds noncompliance, it won’t be harmed financially; and the public gets the benefit of the environmental improvements.
EPA solicited comments on draft OECA NPM Guidance through March 19, 2012. On April 30, 2012 EPA adopted the final FY 2013 OECA NPM, which included the following at page 15:
Audit Policy/Self-Disclosures: Since implementation of the Audit Policy began in 1995, EPA‘s enforcement program has increased its understanding of environmental compliance auditing, and believes that internal reviews of compliance have become more widely adopted by the regulated community, as part of good management. In addition, EPA has found that most violations disclosed under the Policy are not in the highest priority enforcement areas for protecting human health and the environment. EPA believes it can reduce investment in the program to a limited national presence without undermining the incentives for regulated entities to do internal compliance reviews to find and correct violations. As we reduce investment in this program, EPA is considering several options, including a modified Audit Policy program that is self-implementing.4(emphasis added)
4 Note: To meet the agency wide schedule, the final OECA NPM Guidance is being issued now, although we have not completed discussions on the content and schedule for the budget adjustments portion of the Guidance. Some of the budget adjustments outlined in this final guidance may be revised as we continue work on implementation plans.
I choose to read this to mean it’s not too late to let EPA know what we think. If the planned cutbacks are enacted, they will go into effect for FY 2013, i.e., on October 1, 2012. Creative ideas for ways EPA can address its resource issues and keep the Policy active and vibrant are needed now.
We all recognize the challenges of diminishing resources, changing priorities, and committed constituencies. Regardless, if you agree with me that the Audit Policy has been and should continue to be a valuable tool in the compliance toolbox – for industry, EPA and the public -- and want to let EPA know that, please contact me. Let’s see how ACOEL members can constructively contribute to this discussion.
Posted on February 6, 2009
In December, 2008, the Board of Environmental, Health and Safety Auditor Certifications (BEAC) issued its Performance and Program Standards for the Professional Practice of Environmental, Health and Safety Auditing. BEAC is the largest organization which certifies the competence of EHS auditors based on a written test and experience. These standards codify existing “best practices” in the EH&S auditing profession and the design and implementation of auditing programs. They should be particularly helpful to those of us who work with companies to develop compliance assurance programs.
Ever since Congress passed Sarbanes-Oxley in 2002, business entities requesting environmental, health and safety (EHS) compliance audits have had a stronger need for confidence that the audit reports are complete, accurate and reliable. Recall that SOXA Section 302(a) requires that the “Principal executive officer or officers and the principal financial officer or officers . . . certify in each annual or quarterly report” that, based on the officers’ knowledge, the report does not contain any untrue statement of material fact or omit any material facts and that the officers have designed and maintained internal controls to ensure that material information relating to the company is provided to them.
The field of environmental auditing—more broadly EHS auditing—began informally in the late 1970s in response to the wave of complex environmental legislation and regulations which carried up to $25,000 per day for violations. Environmental engineering firms and some law firms offered to assist companies in carrying out compliance audits. Once familiarity with the relevant regulations was demonstrated by the auditors, companies did not bother to require any third-party verification of their qualifications, or ask if there were any “standards” they followed. This has also been true for the related field of environmental site assessments performed as part of the due diligence in a commercial acquisition. However, perhaps as a sign of the times, when EPA codified its “All Appropriate Inquiry” rule providing protection against Superfund liability for innocent landowners, bona fide purchasers and contiguous landowners in 2005 (40 C.F.R. Part 312), it included minimum qualifications requirements for an “environmental professional” in terms of education and experience.
Three years ago the Board of Environmental, Health & Safety Auditor Certifications (BEAC) asked its four-person Standards Board, on which I serve, to review its very slender 1999 standards for auditors and audit programs and design a new set of standards consistent with the current needs and state of the art. The rewrite was completed in December following more than a year of public and peer review and comments on drafts. The new standards are currently being printed and information on them will soon be available at the BEAC web site: www.beac.org.
The New BEAC Standards
The purpose of the BEAC auditing standards is to provide auditors and audit program designers with minimum and broadly worded “standards”. These can be relied on by any auditor or business entity who wants to represent that their audit was conducted, or program designed, consistent with BEAC standards. Our purpose was to codify “best practices” which have been widely in use for a number of years, not to try to push the envelope. Furthermore, the standards are flexible and broadly worded, recognizing that audit assignments come in many sizes and shapes. Similarly, entities designing an internal auditing program come in different sizes and shapes and vary widely in their needs.
The standards are organized into four main sections addressing (1) independence, (2) due professional care (qualifications), (3) performance of audit work, and (4) audit program design. Following the text of the standards themselves in each section there is “guidance” designed to provide practical tips on how to get the job done. The following paragraphs summarize briefly the key elements of each section.
Section 1 requires that auditors must be objective and independent of the activities they audit, free of any conflict of interest. Similarly, an audit program should be designed to ensure that the auditors are independent, that they are not pressured or influenced by entities which they audit, and that they report their results directly to senior management.
Section 2 requires that auditors must have adequate qualifications, skills and experience appropriate to the nature of the task they will be performing. The standards spell out the specifics. An anticipated benefit to an auditor is that if he or she carries out an audit in compliance with the standards, that should be a presumptive defense to a malpractice claim in the event that an apparent violation was allegedly missed during the audit. The auditing program requirements include responsibility to ensure auditor competence and proper supervision.
With respect to Performance of Audit Work, the standards address the planning and scoping phase, preparation, field work and reporting. This includes general requirements for document review, personnel interviews, site inspections and “any other appropriate procedure for the gathering, evaluation and recording of information relevant to the scope and objective of the audit.” An audit report is then normally prepared which sets forth each finding of noncompliance. Reporting procedures should ensure that the reports are accurate and complete. Experienced environmental auditors should find all of this familiar and reassuring.
With respect to the Audit Program design, the standards require that program goals, objectives and scope be defined in a written charter adopted and published by senior management. Subjects such as the scope of the audit program, frequency of audits and procedures to ensure auditor competency are included. Periodic management review is required to be sure that the audit program is carrying out the company’s objectives and has adequate resources in terms of personnel and funding.
The content of the program standards draws on EPA’s “Elements of Effective Environmental Auditing Programs” (published initially in 1986 and reaffirmed in 1994), Justice Department policies describing effective environmental compliance programs, and elements of the ISO-14001 standards, among other sources.
This has necessarily been the briefest of overviews—hardly a comprehensive discussion. No one is required to adopt or follow these new standards. However, hopefully they will provide guidance and reassurance both to EHS auditors and those who design and operate compliance assurance programs and want to “get it right.”
© Ridgway M. Hall, Jr. 2009