Corporate compliance & internal controls: how much is enough?

Enforcement of anti-corruption and anti-bribery regulations, including the Foreign Corrupt Practices Act (“FCPA”) and the UK Bribery Act, remains a priority for government investigators in both the U.S. and abroad. The U.S. Department of Justice (“DOJ”) continues to prosecute companies and, increasingly, individuals for violations of the FCPA, and foreign governments have placed an increased focus on anti-corruption initiatives.

In this environment of heightened enforcement, companies face the difficult task of implementing adequate and effective compliance programs in a rapidly changing global business world. Indeed, U.S. public companies are required to have effective internal controls,¹ including processes and procedures to curtail bribery and corruption. The difficult question faced by many companies, then, is not whether to have a compliance program, but what that program should entail. In other words, how much is enough?

A recent FCPA enforcement action provides some insight into how much compliance DOJ may consider to be enough. This article provides an overview of that action and the compliance program at issue in that case, then offers practical suggestions for companies attempting to balance the need for compliance with the practicalities of today’s cost-conscious business environment.

The Peterson Case

In April 2012, the Securities and Exchange Commission (“SEC”) and DOJ simultaneously filed a civil enforcement action and an indictment against Garth Peterson, a former Morgan Stanley executive. Both the SEC and DOJ alleged that Peterson, a senior executive in Morgan Stanley’s Shanghai office, evaded Morgan Stanley’s internal controls and made improper payments to a Chinese government official.²

Unlike many cases involving alleged payments by an employee to a foreign government official, the company—here, Morgan Stanley—did not face criminal charges. Pointing to Morgan Stanley’s internal controls, “which provided reasonable assurances that its employees were not bribing government officials,” DOJ “declined to bring any enforcement action against Morgan Stanley related to Peterson’s conduct.”³

At first blush, DOJ’s decision not to prosecute Morgan Stanley for the self-enriching conduct of a single employee seems reassuring for companies with stringent codes of conduct and internal controls that might still fear being forced to bear the consequences of an employee’s conduct—even where that conduct violates the company’s own policies. DOJ’s decision in the Peterson case not to prosecute the company seems to acknowledge that, at least in some instances, the company should not suffer for the actions of an employee. Upon closer inspection, however, the Peterson case does raise questions as to the extent of the efforts that are required to show that a company’s compliance program “provided reasonable assurances that its employees were not bribing government officials.”

Morgan Stanley’s policies and procedures were, in a word, robust. The Complaint and Information describe a compliance program with “over 500 dedicated compliance officers,” including “anti-corruption specialists who were responsible for drafting and maintaining policies and procedures,” “regularly surveilled and monitored client and employee transactions,” conducted random audits of key personnel, business units, and transactions, and reviewed employee expense reports to detect potentially improper payments.⁴ In addition, Morgan Stanley required annual certifications for its Code of Conduct, maintained a toll-free compliance hotline, and regularly conducted anti-corruption and anti-bribery training both in-person and online.⁵ More specifically, over a six-year period Morgan Stanley:

• Trained Asia-based personnel (where Peterson was located) on its anti-corruption policies at least 54 times, or roughly nine times a year;
• Trained Peterson on the FCPA at least seven times;
• Provided Peterson with at least 35 “compliance reminders” regarding the FCPA; and
• Required Peterson to certify his compliance with the FCPA on a regular basis.⁶

Though lengthy, this list represents only some of Morgan Stanley’s anti-corruption processes and procedures. Given Peterson’s alleged conduct and Morgan Stanley’s efforts to educate, audit, and detect, it is not surprising that DOJ elected not to pursue a case against the company in this instance. DOJ seems to have considered Morgan Stanley’s compliance program to be an outstanding example, and it wanted to reward the company for its efforts. That a company was not prosecuted based on strong compliance procedures is a significant development in the world of FCPA compliance, and it is also a reflection of a principle that more and more commentators think should be a global norm.⁷ An interesting question for attorneys and compliance professionals, however, is whether—in future cases—the government will view Morgan Stanley’s processes and procedures as the new standard for industry best practices or whether other less robust programs will achieve the same result.

For many companies, implementing policies and procedures as extensive as Morgan Stanley’s may not only be unaffordable, but also unworkable and unnecessary. Morgan Stanley operates in a heavily regulated industry with extensive operations throughout the world. What about smaller companies, or those with less of a global footprint? Recognizing that it is impossible to know precisely how DOJ will respond in these situations, it seems unreasonable to view Peterson as setting the minimum standard for an effective compliance program. Rather, Peterson highlights the urgency of having an appropriate anti-bribery compliance program today, and indeed suggests a number of positive steps that even small companies can take on a cost-effective basis.

Compliance after Peterson

There are several cost-effective, simple steps that all companies, however small, can take now to improve or “check” existing compliance efforts in the wake of Peterson:

• Train Often. It sounds simple, but training employees—early, often, and in different mediums—is an effective way of communicating the importance of a company’s anti-corruption initiatives. If necessary later, such training also illustrates to enforcement authorities a company’s substantial efforts in communicating that message. “Training often” does not necessarily mean a company has to initiate numerous trainings exclusively on anti-corruption issues. Use training sessions on other topics as opportunities to remind employees about the FCPA or other anti-corruption issues. Short discussions of recent cases or new developments not only keeps anti-corruption a “front of mind” issue, but can also invite discussion on real-world situations and how to deal with complicated issues.
• Document Your Efforts. Training, certifications, audits, and even hotline responses are meaningless without the proper documentation. Creating and maintaining a central repository of compliance-related information allows companies to explain their compliance efforts easily if the need ever arises. In the Peterson case, Morgan Stanley was able to identify the number of times it had provided training in Asia generally and to Peterson specifically. In fact, Morgan Stanley was able to show that it had informed Peterson that employees of the state-owned entity at issue were government officials for purposes of the FCPA.⁸ Recording that level of detail allows companies to plan proactively to address any issues that may arise later.
• Assess Efficacy of Existing Processes. Implementing compliance processes is an essential first step to an effective compliance program. It is equally important to review those processes on a regular basis once they are in place to confirm that they do, in fact, address the company’s needs. For example, many companies have a compliance “hotline” in the form of online reporting, an actual telephone number for employees to call, or both. But is the hotline available in multiple languages? Is there a defined process for addressing tips and questions from the hotline? And is that process—along with its results—well documented and communicated to relevant senior management? Even if the hotline, or any other process or policy, is working well, conducting periodic assessments provides greater insight into the overall effectiveness of the company’s compliance efforts.
• Target Compliance Efforts. In a changing business world and an ever-evolving regulatory landscape, an effective compliance program should evolve to mirror business realities. Corporate growth into high-risk areas may require new or revised compliance initiatives. Hotline reports regarding entertainment issues may lead to increased training on gifts and entertainment across the company or to specific offices or regions. Targeting compliance efforts to address specific business needs allows a company to show that its compliance program is both dynamic and responsive—not merely a “plan on paper.”

Each of these steps—training, documentation, assessment, targeting—is a simple way to refine and improve existing policies in a meaningful, but cost-effective way. While not every company needs (or can afford) 500 compliance professionals, every company can takes steps to increase its education efforts, improve its record-keeping, and audit the effectiveness of its own policies and procedures.