FCPA Compliance Evaluation Guidance – Now That Your Company Has the Questions, Does It Have The Answers?
Last month the Justice Department, with little fanfare, posted guidance on the “Evaluation of Corporate Compliance Programs.” The seven-page document covers eleven topics and poses over a hundred “sample questions that the Fraud Section has frequently found relevant in evaluating a corporate compliance program.” The document acknowledges that the guidance is “neither a checklist nor a formula” and that the evaluation of a company’s compliance program will be “an individualized determination in each case.” Further, the document draws upon current guidance and does not represent a change in course. Nonetheless, it is an additional step by the DOJ to provide much sought-after visibility into the criteria the Fraud Section will use.
Yet despite the value of having the topics and questions that this additional guidance provides, Compliance Officers, General Counsel and Outside Counsel hired to represent a company in an enforcement action are, like any good students, now challenged to determine whether they have the right answers. They need to consider how their company would answer the questions posed and whether those answers would pass muster in clearly establishing that the compliance program is operating effectively. Unfortunately, while the questions are clear, the answers are not.
In order to answer the questions posed in the DOJ guidance, let me suggest several preliminary considerations that are key.
First, any effective compliance effort must begin with strong governance and a laser focus on building and sustaining a culture of integrity. Running throughout the DOJ guidance is the accountability and responsibility of senior and mid-level management. An effective governance structure engages the three lines of defense (i.e. management, compliance and internal audit) as part of the company’s strategic planning and operations in setting the right tone and controls throughout the organization, with a properly resourced and capable compliance function, effective monitoring and testing and appropriate oversight by an engaged board.
Second, a disciplined process for documenting all compliance activities must be in place. Since the development of an effective compliance program is a continuous journey, documentation should include problems identified, improvements made and internal and external benchmarks to demonstrate progress achieved. Lacking the required documentation as proof that the questions asked have good answers will not pass muster with appropriately skeptical regulators, and would carry about the same weight with them as a student offering his teacher the excuse that “the dog ate my homework.”
Third, the compliance function must have strong data and analytic capabilities that allow it to access and leverage data from throughout the organization and use that data to create meaningful metrics and other objective evidence. Whether for purposes of conducting risk assessments, investigations or due diligence, or for continuous improvement, periodic testing and review, the process of gathering information and conducting analysis cannot be considered sufficient without employing data analytics. Yet, in survey after survey, most compliance officials express concern that their company’s use of data analytics to support the compliance function remains an area in need of improvement and enhancement.
Fourth, the guidance emphasizes the importance of effective processes for conducting risk assessments, appropriate policies and procedures, training and communications, incentives and discipline, monitoring and testing, and reporting and investigating. The key here is not merely that organizations have these processes; nearly all do. The focus of all of the questions posed in the DOJ guidance is whether a company can demonstrate how it has effectively operationalized its policies and procedures within its business to guide the right behaviors and address the business risks and regulatory requirements that the company faces. Adequate resources for the compliance function and sufficient stature for the Compliance Officer are key. However, often the best way to demonstrate that the compliance program is operating effectively is to be able to show that the organization was willing to make the hard decisions. This is best accomplished by being able to point to concrete examples: when the company turned down an apparently good economic deal because its due diligence revealed misconduct on the part of the proposed acquiree or partner; when the company declined to hire, or terminated, a vendor who was not complying with the company’s policies; or when executives within the company were terminated or appropriately disciplined after violations of the company’s code of conduct were identified.
The topics and questions posed by the new DOJ guidance are a great starting point for a company to begin a self-evaluation of its compliance program. However, when the rubber hits the road, the answers needed to demonstrate the program’s effectiveness will only be found when there is an adequate foundation, as outlined above.
Girgenti & Hedley, The New Era of Regulatory Enforcement: A Comprehensive Guide for Raising the Bar to Manage Risk (McGraw Hill 2016)