The FCPA Resource Guide Digest: A Skinnied Down Version of the Essential Compliance Desk Reference
Scott Moritz
Complex Investigations Governance | Insurance Claims Recovery | Controls Remediation | Expert Testimony | Host of the Fraud Eats Strategy Podcast
C-Suite executives need to understand what the DOJ and the SEC consider when determining whether an organization’s compliance program meets their definition of “effective.” The DOJ and SEC have published hundreds of pages of material on the subject. Unfortunately, most occupants of the C-Suite don’t have time to digest hundreds of pages of material on effective compliance programs, and creating an effective compliance program is a complex undertaking that can’t be covered in a paragraph or two.
The best resource to explain what it means to have an effective compliance program is something published by the DOJ and the SEC: “A Resource Guide to the U.S. Foreign Corrupt Practices Act, Second Edition” (“the Guide”). I took this 133-page document and tried to distill it down to its essence to provide organizational leaders with a primer on effective compliance programs.
If you’re unfamiliar with it, the Guide is the primary desk reference used by U.S. prosecutors and compliance officers alike to assist them in evaluating the efficacy of compliance programs. It has also been widely applied and imitated across a broad spectrum of compliance risk domains, not just corruption. The most important part of the Guide is a section entitled the “Hallmarks of Effective Compliance Programs,” of which there are 10. Every C-Suite executive should be able to readily articulate the risks that are specific to their organization, its products or services and its geographic footprint. Equally important is the ability to explain the state of the company’s compliance program designed to mitigate those risks. The journey begins with a high-level understanding of the Hallmarks of Effective Compliance Programs.
You wouldn’t think of leaving your doors unlocked or driving a car with no insurance. Having an effective compliance program falls into the same category. An effective compliance program protects a company’s reputation and shareholder value, significantly reduces organizational risk and protects the organization’s most valuable assets.
Set forth below is a synopsis of the hallmarks along with some practical advice.
Hallmarks of Effective Compliance Programs
The hallmarks are the program components that regulatory and enforcement agencies expect to see. They are the broad categories of compliance program activities that are the building blocks of the overall compliance program framework. C-Suite executives should be familiar with them, and with the risks identified by the rigorous, ongoing risk assessment process that underpins the organization’s compliance program. In other words, you should be able to readily discuss the critical risks that have informed the design of your compliance program and the key program activities that enable the organization to temper those risks.
Commitment from Senior Management and a Clearly Articulated Policy
“Tone at the top” is a tired expression and a little outdated. While it is an important concept, it doesn’t go nearly far enough to convey senior management’s duties and responsibilities when it comes to overseeing, and being accountable for, an effective compliance program. That is probably why the government has more recently been using the term “conduct at the top.” People don’t go to jail for setting the wrong tone. They do, however, go to jail for significant violations of the compliance program. The term “conduct at the top” is the government’s way of signaling that it will continue to hold individuals accountable for illegal acts and for the compliance failures that enabled them to happen.
Boards and senior executives are expected to demonstrate their commitment to a culture of compliance through their words and their actions. They need to be unambiguous in their conduct and communications when it comes to doing business the right way, and to make clear that business ethics, reputation and integrity are valued over goals of growth and profitability. The DOJ and SEC look to see whether this unwavering commitment to ethical business practices cascades downward to middle managers and employees at all levels of the business.
Saying all the right things isn’t nearly enough, though. The program must be enforced in good faith. It cannot exist on paper only; it must be thoroughly operationalized, embedded across the business, and communicated repeatedly and through various means. Each employee must believe that they are empowered and expected to do what is right even in the face of a loss of revenue, a key customer, or a critically important vendor or supplier. Embedding compliance also means assigning managers and employees specific compliance-related responsibilities that can then be measured. That is all part of creating a culture of compliance, which must radiate from above.
A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards. Compliant middle managers, in turn, will encourage employees to strive to attain those standards throughout the organizational structure. Compliance and adherence to ethical rules must start at the top. DOJ and SEC evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.
Code of Conduct and Compliance Policies and Procedures
The code of conduct is the foundation upon which an effective compliance program is built. It should be written in plain language, concise and accessible to all employees. Accessible doesn’t just mean it is available on the intranet. It also means that it has been translated into every language spoken by company employees, and that everyone is aware of its existence and knows how to access it. The code should be reviewed periodically and updated to account for changes in the risk environment, the laws of the countries in which the company operates and other new developments.
In determining whether a company has an effective compliance program, prosecutors assess whether the company has policies and procedures that outline responsibilities for compliance, describe internal controls in sufficient detail, incorporate internal audit into the process, set out how policies and compliance-related activities are to be documented, and establish disciplinary procedures for confirmed violations of the compliance program. The DOJ and the SEC recognize that compliance policies and procedures will vary greatly based on a company’s size, business operations, complexity and identified risks. What matters most is that the program exists, that it has been operationalized, and that people know about it and about the critical risks it has been designed to mitigate. Designing policies and procedures that meet the government’s definition of “effective” requires an in-depth understanding of the company’s business model, its products and services, its third-party agents, its customers, the full universe of its government interactions, and its industry and geographic risks.
Oversight, Autonomy, and Resources
Shortcomings in oversight, autonomy and resources are among the most frequently cited reasons a compliance program is undermined and the government declines to conclude that it is effective. The DOJ and SEC expect the company to have designated one or more senior executives to oversee the design, implementation and operation of the compliance program. Those individuals are further expected to have appropriate authority within the organization, autonomy from management, and sufficient resources to ensure that the compliance program is implemented effectively. The last of these is the most challenging and the most frequently overlooked. Compliance departments run lean, and there’s a fine line between lean and understaffed. If you’re a global organization with 20,000 employees and operations on six continents, a two-person compliance team is probably not going to cut it.
As for autonomy, the government expects compliance leaders to have direct access to organizational leadership, such as committees of the board of directors. Depending on the size and structure of an organization, it may be appropriate for day-to-day operational responsibility to be delegated to other specific individuals within the company. What the DOJ and SEC are looking for in this area is that the company has thoroughly examined its risks, its historical compliance needs and its prior regulatory and investigative activities, and has designed and staffed its compliance team through a thoughtful process.
Risk Assessment
Preconceptions about risk and risk levels are frequently wrong and prone to overlooking entire categories of risk. A compliance program that has been designed and implemented without first performing a comprehensive risk assessment is doomed from the start. If the senior leadership team cannot explain the organization’s critical risks, how they were identified and the key compliance activities that are designed to mitigate those critical risks, no one is going to conclude that your compliance program meets the government’s definition of “effective”.
Assessment of risk is fundamental to developing a strong compliance program, and is another factor the DOJ and SEC evaluate when assessing a company’s compliance program. Many organizations waste thousands of hours on busy work because the processes and systems in place to mitigate risk are not well designed and not tailored to the company’s unique risk profile. The government will give meaningful credit to a company that has implemented in good faith a comprehensive, risk-based compliance program, even if that program does not prevent a violation in a low-risk area because attention and resources were directed at higher-risk areas. On the other hand, failing to prevent a violation on an economically significant, high-risk transaction because the program itself is not risk-based and properly designed will count against the company. As a company’s risk increases, the program should be sufficiently flexible that its compliance activities can be strengthened proportionately, for example through more extensive due diligence investigations and periodic internal audits.
Risk factors include country and industry sector, the nature of a given business opportunity, the background of business partners, the degree of interaction with foreign governments and officials, the amount of government regulation and oversight, and the company’s exposure to customs and immigration processes in conducting its business. The DOJ and SEC take all of these factors into account in determining whether, and to what degree, a company has adequately analyzed its risks and accounted for them in the design and implementation of its compliance program.
Training and Continuing Advice
Most companies do not receive high marks for compliance training and “continuing advice.” Compliance expectations and obligations are sometimes communicated by word of mouth, or not at all. Senior leadership is expected to be on top of this issue as well, and to take ownership of making sure that the compliance program is at the top of the training and communication agenda. Making a significant investment in the design, implementation and oversight of a world-class compliance program and then failing to train on it, or to issue regular communications about its importance to the overall success of the company, is a leadership failure. Compliance policies cannot work unless they have been effectively communicated throughout the company. Compliance training typically covers company policies and procedures, instruction on applicable laws, practical advice for addressing real-life scenarios, and case studies. Training should be tailored to the target audience and presented in the local language. In addition to covering the existence and scope of the company’s compliance program, the training should provide guidance on how to comply with the company’s ethics and compliance program, including how to seek compliance advice and how to raise issues when needed.
Incentives and Disciplinary Measures
The phrase “the carrot and the stick” is frequently used to describe incentives and disciplinary measures. Most companies have the stick figured out; it’s the carrot they struggle with most often. Disciplining individuals for violations of the compliance program is of course important. It is far less common for companies to reward employees for exceptional behavior that exemplifies the ideals of the compliance program. Rarer still is a situation in which executives’ and managers’ performance evaluations include compliance activities among their goals and measure their compliance performance alongside their other skills. If the company’s goal is to achieve platinum-level compliance, then every member of management should be evaluated in part on the role they played in achieving that goal.
Enforcement of the compliance program is fundamental to its effectiveness. It must be applied evenly across the organization from the board room and C-Suite to the loading dock. Applying disciplinary measures unevenly can have devastating consequences to morale and ethical culture and call the effectiveness of the program into question. The DOJ and SEC will examine whether the company has clearly stated disciplinary procedures, whether those procedures are applied timely and consistently, irrespective of title, and whether the punishment fits the crime.
A leading industry practice is publicizing disciplinary actions internally. It can have a deterrent effect and be an important part of the company’s overall training and continuing advice activities.
Positive incentives can also drive compliance. Performance evaluations, promotions, and on-the-spot awards for improvements to the compliance program or for ethical leadership all serve to promote a strong ethical culture. Recognizing compliance professionals and internal audit staff for accomplishments that furthered the compliance program is also a leading practice. The most effective way to communicate that acting ethically is an organizational priority is to reward it. Incentivizing good behavior and punishing bad behavior provides a strong foundation for a culture of compliance and ethics.
Third-Party Due Diligence and Payments
According to Stanford University Law School’s Foreign Corrupt Practices Act Clearinghouse, between 2001 and 2019 there were 268 FCPA enforcement actions, and in 246 of them (about 92%) the bribes were paid by third parties rather than by officers or employees of the defendant company. Sales agents, distributors, JV partners, resellers, freight forwarders, customs brokers, lawyers and accountants are all categories of third-party intermediary that have been implicated in bribery prosecutions. Global companies, particularly those that ship products internationally or otherwise rely on third parties to bring their products and services to market, depend on virtual armies of third-party intermediaries to operate internationally. They are a necessary evil: they act on an organization’s behalf and represent it in the marketplace, and they can trigger significant liability under the FCPA, sanctions or anti-money laundering laws. Third-party intermediaries are by far the highest risk within the FCPA compliance world. This is where companies go wrong, and this is where problems arise.
Third parties are commonly used to conceal the payment of bribes to foreign officials in international business transactions. When the company performs its risk assessment, it should comprehensively examine every category of third party that can act on the company’s behalf, because these are inherently higher-risk third parties. Other factors to apply to the intermediary population include the economic size of the relationship, whether the intermediary interacts with foreign government officials on the company’s behalf, the payment terms (especially sales commissions, contingency fees or success fees), and whether the intermediary employs former foreign government officials. Intermediaries should be categorized according to these and other risk factors, and the higher-risk entities should be held to a heightened standard of care. That heightened standard of care most often takes the form of escalating levels of investigative due diligence, a type of background investigation that examines compliance risk. Third-party due diligence programs are of critical importance and are often the centerpiece of a compliance program.
Confidential Reporting and Internal Investigation
A company’s approach to confidential reporting and internal investigations is a window into the entire compliance program. If your organization is not receiving a steady volume of reports, you should ask yourself why. It may be because the company has not publicized its confidential reporting channels which is easily remedied. It could however be an indicator that employees, officers and vendors are reluctant to use them because of fear of retaliation or a symptom of an organizational culture that does not penalize bad behavior.
Recent scholarly studies of public companies and their use of confidential reporting channels have found that companies with active, well-publicized hotlines spend on average 20% less on legal expenses than those with less active hotlines. The DOJ and the SEC have stated that for a compliance program to be effective, it should include a mechanism for employees and others to report misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.
Having a confidential reporting channel alone is not enough. Once an allegation is received, companies are expected to have a formalized process in place to investigate the allegation, document the results along with any disciplinary actions or compliance remediation steps that were taken. Some investigations reveal weaknesses in internal controls or other problems. The company’s investigative policy should include a process to take “lessons learned” from the investigation and make appropriate changes to internal controls, the compliance program and compliance training.
Continuous Improvement: Periodic Testing and Review
Risks are constantly changing and evolving. Because risks are dynamic, compliance programs should include processes for self-assessment and for periodically updating the program and the internal controls underlying it. Are they working properly and addressing the organization’s most critical risks? Most often, continuous-improvement activities such as periodic testing and review are performed by the company’s internal audit function. Businesses change over time, and so do business conditions, customers, the legal landscape and industry standards. Effective compliance programs that are actually being followed will periodically uncover compliance weaknesses that require enhancements. Because of this, the DOJ and SEC expect companies to regularly review and improve their compliance programs, and will give credit for a compliance program that has been reviewed and improved over time.
Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration
If your company is involved in acquisitions, the evaluation of potential acquisition targets must be aligned with your compliance program. When a company acquires another, it generally acquires that entity’s liabilities as well, including liability for illegal acts that took place before the acquisition. This is known as “successor liability.” Failing to integrate an acquisition into the compliance program, and so allowing undiscovered bribery activity to continue, can give rise to devastating financial consequences.
By not performing adequate FCPA due diligence prior to a merger or acquisition, you may face both legal and business risks. If inadequate due diligence allowed a bribery scheme to continue after the deal closed, it will harm profitability and reputation and will likely result in civil and criminal liability. That is why it is important that companies conduct effective FCPA due diligence on their acquisition targets. It enables the company to properly evaluate the target’s value by factoring the cost of remediating any compliance problems identified during due diligence into the purchase price. Doing this on the front end demonstrates the company’s commitment to compliance and will be viewed favorably by the DOJ and SEC when evaluating any potential enforcement action.
Pre-acquisition due diligence may not always be possible, or may not provide enough access to data, business records or personnel. This very common scenario should be factored into how the acquiring entity goes about post-merger integration. It has been a reality of the marketplace for several years now, given that auction-style transactions have become increasingly popular.
Broadly, there must be a commitment by the acquirer to perform post-closing diligence as quickly as is practicable. The acquirer’s anticorruption compliance program must be implemented at the newly acquired company, along with whatever other compliance programs and internal controls are appropriate to ensure continued compliance with the law. Any issues discovered during that post-close diligence should be disclosed within a reasonable period if the acquirer expects to avoid successor liability. The government has not published a fixed grace period, so the following is practical guidance rather than a rule: if you disclose within the first six months, you are almost certainly within the window the government will accept. If it takes 12 months, you are probably still within that window, but you should certainly not exceed 18 months.
Post-close due diligence is an opportunity to examine the business, accounting, banking, audit and legal files that were not made available pre-close. The expectation is that post-close diligence will go a level deeper than what could be done before the deal closed. Pre-acquisition, you may get access to general ledger information, accounts and supporting documentation, but you almost certainly will not get access to employee emails, management interviews, internal investigation reports, confrontational interviews of employees, or other information of a highly sensitive nature.
Investigation, Analysis, and Remediation of Misconduct
If you’ve been paying attention, you have no doubt realized that we are now on hallmark number 11 out of 10. Compliance guidance issued by the DOJ has unofficially introduced an 11th hallmark: “root cause analysis.” The truest measure of an effective compliance program is how it responds to misconduct. For a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigation of any allegations or suspicions of misconduct by the company, its employees or its agents. An effective investigations structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.
In addition to having a mechanism for responding to the specific incident of misconduct, the company’s program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.
Now that you’ve familiarized yourself with the hallmarks, you’re in a much better position to answer the 3 primary questions that the DOJ asks in evaluating corporate compliance programs:
- Is the company’s compliance program well designed?
- Is it being applied in good faith? In other words, is the program adequately resourced and empowered to function effectively?
- Does it work in practice?
As an organizational leader, you must understand that a major fraud, corruption or misconduct matter could have devastating financial, reputational and legal consequences for the company. Understanding what these risks are, and ensuring that your compliance program is robust, well funded and empowered to act, will significantly lower the company’s susceptibility to such harm and significantly increase your chances of achieving the company’s strategic objectives.