A Corporate Monitor’s Guide to International Regulatory Compliance

Scott L. Fredericksen
Foley & Lardner LLP
3000 K Street, NW, Suite 600
Washington, DC 20007-5109
202.295.4799
email@example.com

First published in INTERNATIONAL TRADE LAW & REGULATION, Volume 21, Issue 3, 2015 (Thomson Reuters)
April 2015

I. INTRODUCTION

Recent headlines confirm what white collar attorneys have known for years: U.S. enforcement of laws controlling international conduct is at an historic high. Although enforcement of these laws has always been a theoretical possibility, until a few years ago the largest enforcement actions and penalties were generally confined to international antitrust and the Foreign Corrupt Practices Act (FCPA). Today, the battleground has grown much larger. While FCPA and antitrust enforcement continue to be areas of priority, large-scale investigations and penalties now also include anti-money laundering (AML), economic sanctions administered by the Treasury Department’s Office of Foreign Assets Control (OFAC), and export controls administered by the State and Commerce Departments (the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR), respectively). All five of these areas have seen significant penalties (in excess of $100,000,000) assessed against individual companies, culminating in the $8.9 billion penalty levied last year against BNP Paribas for AML, economic sanctions, and related alleged violations.
Further, with the widely publicized investigation into Wal-Mart likely to draw to a close in the next year or two, it is possible that we may see the first billion-dollar penalty in the FCPA realm as well, showing that the increase in enforcement attention to AML, export controls, and economic sanctions has augmented, rather than replaced, attention to the FCPA.

In many of these high-profile settlements, the U.S. Government insists on the appointment of a corporate monitor: an independent institution (generally either a law firm or an accounting firm) that can review the ongoing compliance obligations generally imposed by these settlements. The U.S. Government expects that a monitor will conduct a thorough and probing review of the compliance program, internal controls, training, culture, and general knowledge about compliance in the area that was the subject of the Deferred- or Non-Prosecution Agreement (DPA or NPA). Generally the monitor issues a series of reports that index the company against the detailed compliance expectations contained in the DPA or NPA.

Not long ago, Foley & Lardner was selected as a monitor for a medical devices company that had been found to have engaged in activities alleged to have violated the FCPA. As the leader of the investigatory team, I did not have the normal advantage of working with a known client with a known business. Rather, I needed to quickly develop a multi-faceted team that had to get up to speed on the company’s business model, how it conducts business abroad, its distributor arrangements, its compliance program, its internal controls, and its training. In short, I had to set up a compliance review with the kind of probing that one would find in an in-depth financial audit.

Most companies will never find themselves with the need to deal with an independent monitor.
Many companies, however, are worried about the aggressive enforcement of U.S. laws governing international conduct, and are looking for guideposts to help benchmark their compliance. Seeing how these issues are handled in a corporate monitor situation should be helpful for any multinational company looking to manage its international regulatory risk.

For any company that is in this situation, the areas that require close examination and improvement generally fall into five areas: (1) general compliance; (2) compliance program improvements; (3) training enhancements; (4) the use of audits and compliance check-ups to ensure that compliance is actually working as envisioned; and (5) enhanced controls for the perennial problem of third parties, including agents, distributors, and subdistributors. Appropriate compliance improvements in each of these areas would be helpful to any company that is at high risk of confronting potential violations of such high-risk legal regimes as the FCPA, export controls, anti-money laundering, economic sanctions, or antitrust laws, including those in industries that have seen frequent enforcement activity, such as the automotive, defense, energy, financial services, or pharmaceuticals/medical devices industries.

II. LEARNING FROM SETTLEMENT AGREEMENTS

Any company looking to enhance its compliance for these high-risk regimes would be well advised to consider the typical requirements of a DPA or NPA. Often, these settlements contain detailed compliance requirements. As laid out in these settlement documents, the typical requirements are that the company:

(1) Establish a clearly articulated corporate policy against violations of the law.
(2) Establish a system of internal controls designed to ensure compliance.
(3) Promulgate compliance standards and procedures designed to reduce the prospect of violations of the law.
(4) Assign responsibility to a senior corporate official for the implementation and oversight of compliance with policies, standards, and procedures.
(5) Create mechanisms to ensure that policies, standards, and procedures are effectively communicated to directors, officers, employees, and third parties.
(6) Establish an effective system for reporting suspected violations of the compliance policies, standards, and procedures.
(7) Establish disciplinary procedures to address violations by directors, officers, employees, agents, and business partners.
(8) Create appropriate due diligence requirements pertaining to the retention and oversight of agents and business partners.
(9) Implement standard provisions in agreements with all agents and business partners designed to prevent violations of the applicable laws, including compliance representations, rights to conduct audits, and rights to terminate an agent or business partner as a result of any violations.

These requirements dovetail with the requirements set forth in both the Federal Sentencing Guidelines and the Sarbanes-Oxley requirements for financial compliance applicable to publicly traded companies in the United States. As set forth in the Sentencing Guidelines, an effective compliance program is one where the organization “exercise[s] due diligence to prevent and detect criminal conduct,”[1] by implementing a compliance program that is “reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct.”[2] Sarbanes-Oxley requires that companies establish procedures designed to ensure the reporting of potential violations to a company’s senior management,[3] with personal responsibility by senior executives to maintain adequate procedures so that they can certify the accuracy of the company’s books and records.[4]

[1] Sentencing Guidelines § 8B2.1(a).
[2] Id.
[3] 17 C.F.R. Part 205.
[4] Id.
Maintaining corporate adherence to these goals would take a corporation a long way towards mitigating its regulatory risk.

III. COMPLIANCE LESSONS LEARNED AS A MONITOR

DPAs and NPAs are, of course, not the only source of guidance regarding the Government’s compliance expectations. Other sources include the U.S. Sentencing Guidelines, the Department of Justice’s and the Securities & Exchange Commission’s “A Resource Guide to the U.S. Foreign Corrupt Practices Act,” and other, regime-specific guidance provided by regulators. All of these sources are valuable compliance benchmarks which, if analyzed together, yield generally consistent advice regarding the importance of a company’s compliance culture, its internal controls, its training, and other compliance-related signposts. In each case, however, the most useful learning is provided by seeing how organizations actually implement compliance: in other words, the exact type of learning that comes from an in-depth, monitor-type evaluation of a company’s compliance structure. The important compliance lessons learned from Foley’s experience as a corporate monitor are provided below.

A. General Lessons

As most people who are involved in the compliance area know, establishing the right corporate culture is paramount. The key requirements include ensuring that the company has a culture of respect for compliance, that senior management is firmly behind all compliance efforts, and that there is a strong and well-funded compliance infrastructure that can catch compliance missteps from a variety of angles.

Establishing the appropriate corporate compliance culture requires constant reiteration of the compliance message. Compliance standards must be public and promulgated throughout the company, including through regular placement in company newsletters and on corporate intranets.
Compliance policies should be readily accessible to employees and integrated into all aspects of employment, starting with discussions of compliance during the hiring process and references to the policy in employment contracts. Even employee performance reviews can help serve this purpose, by ensuring that employee adherence to compliance standards is part of the evaluation process.

The involvement of senior management is also essential for the development of a corporate culture focused on compliance. Placing a member of senior management in charge of compliance creates a vital link between the executives and board members responsible for running a company and the employees on the ground who must deal with potential regulatory violation issues on a regular basis. A high-level member of management who is intimately involved in the compliance process also lends legitimacy to the company’s compliance policy and helps firmly establish the tone from the top.

This is not to say that every company needs to have a dedicated chief compliance officer. The establishment of the compliance infrastructure, like all compliance efforts, needs to be a risk-based endeavor, which means that the compliance needs of a smaller company that only operates in a handful of foreign countries may not be the same as those of a large multinational corporation that operates in a number of high-risk environments. It is common in smaller companies for compliance duties to be handled by an employee who has multiple responsibilities, such as the head of the human resources or audit departments. But at all companies, there should be a single person who is responsible for monitoring potential violations, managing due diligence, developing and providing compliance training, answering questions and resolving red flags, and testing the compliance program.
This type of compliance ownership, by a person who is free from business pressures to achieve particular outcomes, is essential to ensure that compliance responsibilities are taken seriously.

A final issue is the adequacy of funding. Effective compliance requires hiring appropriate compliance personnel, taking time from busy employees for training, establishing internal controls and processes to monitor the effectiveness of the program and procedures in place, and periodically revising the policies and training materials. Companies should put in place programs that will be supported by commensurate resources. If, for example, a company states that it will perform due diligence on every agent it hires, then it should ensure that it has set aside sufficient resources to carry through on this commitment. Although compliance can be expensive, it pales in comparison to the multimillion dollar fines and high investigatory costs that now accompany even routine violations of U.S. regulations.

B. Compliance Program Improvements

A thorough and proper risk assessment forms the core of any good compliance program. No compliance program has the luxury of drawing on unlimited resources. Therefore, it is necessary to begin with a sober assessment of the regulatory risks facing the business, including those posed by its corporate profile, business model, types of products sold, areas of operation, use of third parties, degree of government interaction, and other business-profile issues that affect the degree of regulatory risk.

The ways in which to conduct a proper risk assessment vary, but certain principles are universal. Involvement from senior management and employees who understand the company, its business model, and its specific regulatory risk points is essential. The risk assessment must be conducted free of business pressures, without clouded judgment regarding where the highest risks arise.
The risk assessment also should take into account all the ways in which outside actors can implicate the company or create regulatory liability, such as agents, distributors, joint venture partners, and other third parties.

Companies also need to update their risk assessments on a regular basis. Corporate expansions, mergers and acquisitions, establishment of new joint ventures, expansions into new countries or product lines, and new distributor arrangements are all activities that can alter the risk profile of a company. Even regulatory developments, such as enactment of broad anticorruption laws such as the UK Bribery Act or the recent ramping up of OFAC sanctions and related enforcement activity, can affect compliance requirements. Not all of these changes, or their impact on compliance efforts, are obvious, which makes a regular reassessment of risk an important compliance function.

After conducting a risk assessment, a company must decide how to allocate its compliance resources. Allocating most resources to identified high-risk areas is important. So, however, is recognizing that the risk even in low-risk areas seldom is zero, and that those areas thus deserve some compliance attention as well. A well-structured risk assessment can help balance the distribution of compliance resources.

It also is important to regularly update compliance measures. Compliance standards regularly change, driven not only by changes in the regulatory framework but also by the expectations of the regulators. As a result, it is important for a company to remain educated about compliance issues, including through regularly sending compliance personnel to specialized conferences, and following developments that bear on the ever-evolving standards for an acceptable compliance program. When changes are made, the changes to the compliance program must be appropriately promulgated throughout the company.
Depending on the change, this could require anything from company-wide training to a simple email from the company’s chief compliance officer. Regular communications regarding the company’s compliance message serve the dual purposes of keeping the compliance message top-of-mind while also communicating the company’s evolving compliance efforts and its commitment to compliance.

C. Training Enhancements

Training is an integral part of every compliance program, and serves a function that is much greater than merely communicating information. Done properly, it is an important part of the compliance-related dialogue that helps minimize the risk of violations while also helping to discover violations that already have occurred. It also is a key cog in the central goal of communicating the importance of compliance to the organization.

Although many companies conduct training electronically, including through the use of innovative compliance presentations and on-line quizzes, in-person training remains the gold standard. Company personnel tend to pay more attention to a live presentation, and the presentation can be tailored to the requirements of the audience. Allowing time for discussion not only gives employees the opportunity to ask questions about areas that are unclear, but often reveals areas where further inquiry may be appropriate. Properly presented, in-person training can result in compliance feedback that can be incorporated to improve the overall compliance program.

No matter how training is provided, it cannot be a one-time event. Although all employees should receive initial training upon their hiring, reinforcement of the training on a periodic basis is essential. Annually is a good benchmark that works for most companies.

Finally, companies should make training relevant to the audience.
The training should use as many real-world examples as possible, such as case studies drawn from actual problems confronted by the company in the past, as well as those that are more likely to occur based on the industry and where and how the company does business.

D. Audits and Compliance Checkups

Compliance as envisioned by the compliance program, and compliance as it actually occurs in the field, often are two very different things. A company that implements rigorous procedures, but then fails to live up to them, often enjoys the worst of two worlds, since its failure to meet its compliance goals would be held against it in any enforcement proceeding. To avoid this possibility, compliance implementation should be monitored by direct observation, by supervision of the program, and by testing the controls. Some of this testing can be done in the company’s normal internal audit process, and it is important that internal audit employees receive specific compliance training so they understand what to do and why they are doing it.

One increasingly common way of ensuring the testing of the controls is to conduct compliance audits. These audits are intended to stress-test compliance procedures by picking high-risk transactions at random to see whether the compliance program is functioning as envisioned. Beyond this, regime-specific audit items can be created, which generally will focus on whether the company is adhering to its internal controls in a given area. They can be conducted by properly trained internal or external auditors.

The tendency at many companies is to conduct audits based upon the ease of conducting them, rather than their utility. This shows up, for example, when companies target their own foreign operations for compliance-related audits, but do not exercise their rights to audit agents or joint venture partners.
It also arises when companies do not return to the lessons of their risk assessments to determine the high-risk areas that merit follow-up checks. Unlike financial audits, which tend to concentrate on areas with the highest revenue impact, compliance-based audits often need to focus on areas that may have a small revenue impact but a large compliance risk footprint. Operations in a developing country, for example, may be new and have still-small revenue, yet present an outsized compliance risk.

E. Agent and Distributor Controls

No compliance program, no matter how well conceived, can perform its job unless the risks posed by third parties are adequately addressed. This is because many enforcement settlements are premised on agency principles, i.e., a determination that parties outside the company were acting on behalf of the principal, thus creating legal liability for the principal.

Dealing with agents, distributors, and other third parties presents unique and interesting challenges. Often companies work with these third parties in foreign countries because they do not understand the business culture or ins-and-outs of doing business in a particular country. Agents help fill this knowledge gap by bringing knowledge of the business environment that the company cannot supply by itself. But the greater the separation from corporate headquarters, the greater the risk. The dangers of third parties can arise in a host of areas, including for matters handled by customs brokers, distributors, sales agents, political consultants, lobbyists, and other third parties. The consistent use of third parties, even when justified from a business perspective, by itself can be considered a compliance red flag.
The oversight of third parties accordingly should be considered in every aspect of the company’s risk assessment, including with regard to the establishment of the relationship (with appropriate contractual protections), training, accounting, ongoing certifications, and even audits.

Due diligence is also a key step when managing third-party risks. Due diligence is a potpourri of tasks that may include interviews, background checks, reviews of databases and publications, consulting third parties to provide reliable local information, using forensic accountants to review books and records to evaluate risk, visiting the offices of agents, and other methods of confirming suitability, as the case may be. Once again, the application of risk-based principles will help determine how much due diligence is appropriate for various types of third parties.

At too many companies, third-party compliance oversight begins and ends with due diligence. In other words, the company conducts its third-party due diligence, places the resulting report in its file, and then moves on to conducting the business relationship without much more in the way of oversight. Ongoing review of the relationship, however, is the best way to proceed, including through periodic certifications, ensuring up-to-date training, monitoring any deviations of the relationship from the anticipated course, and the conduct of third-party audits. Due diligence is important, but it is only a limited snapshot of the past. As the relationship evolves, the company’s best source of information about the relationship becomes the data concerning its own relationship with the third party.

IV. CONCLUSIONS

Institutionalizing effective compliance is like getting your oil changed: unexciting, and with results that cannot be easily seen.
An internal investigation, however, is the engine seizure that occurs after a lack of routine maintenance: exciting, perhaps, but costly in terms of forensic investigators, legal fees, and perhaps government fines. Every company should strive to be in the category of routine maintenance, not in the business of managing internal investigations. The DPAs and NPAs in high-profile settlements provide a roadmap as to government expectations for such high-risk legal regimes as the FCPA, export controls, economic sanctions, anti-money laundering, and antitrust. Most multinational corporations will find that benchmarking their compliance efforts against these expectations, and implementing the “lessons learned” summarized above, will pay substantial compliance dividends in the increasingly risky task of conducting international business.