Compliance is a profession that requires multi-tasking – another profound grasp of the obvious. But in the multi-tasking world, some principles and strategies are more important than others.
My colleague and compliance guru Tom Fox has coined the mantra: “document, document and then make sure you document.” My own contribution runs along the same lines: “If you do not document, then in the eyes of the DOJ and the SEC, it did not happen.”
Putting aside these pithy mantras, it is important to take a moment and consider the real implications of compliance documentation. A good place to start is the Hitachi enforcement action from last year.
In September of 2015, Hitachi settled an FCPA enforcement action for $19 million for bribery in South Africa. At the heart of the violation was Hitachi’s relationship with an entity that was a front for the African National Congress, or South Africa’s ruling party.
In its discussions with the SEC, Hitachi represented that it had conducted due diligence on this entity to ensure compliance with the FCPA. The SEC asked Hitachi to produce the documentation of that due diligence review. After searching for it, Hitachi returned to the SEC empty-handed. No due diligence report meant, in the SEC’s eyes, that the review did not happen (quite apart from the overall credibility gap this opened in Hitachi’s representations to the SEC).
The Hitachi case is a poster child for the importance of documentation. A compliance program has to incorporate documentation as a critical means by which to guide and protect the company’s overall compliance effort.
The questions underlying a documentation system are twofold: (1) When do you document a compliance decision? and (2) How do you document a compliance decision?
My answer to the first question usually rests on the following principle: if a compliance decision involves the exercise of discretion requiring a good faith weighing of competing considerations, it should be documented. For example, once you have collected due diligence information on a prospective third party intermediary, identified red flags, and resolved those red flags, you should document your decision to move forward with that third party, including the red flags found and how each was resolved.
Another good example is the application of a risk-ranking formula to third party representatives. In designing the formula and assigning weights, a CCO and an Internal Auditor are exercising discretion that should be documented: which risk factors were considered, why each weighting factor was selected, and how the factors were applied. That record is what later demonstrates that the CCO and the Internal Auditor applied their good faith judgment to produce an effective risk ranking, rather than an arbitrary one.
The second question is how to document your compliance program. Here my recommendation is to follow simple guidelines designed to make the process as easy as possible. Formal memos to the file are fine, but these days emails can be just as effective in demonstrating how a compliance program operated in the real world, provided they are preserved and retrievable.
When documenting a compliance program, the form of documentation can differ depending on the importance of the issue. An annual compliance audit program should be documented in a memorandum, since it may be reviewed by a number of people. Day-to-day compliance matters, and the actions or inactions taken on them, can be documented in an email. These are two extremes, but they make the point: some documents are more important than others, and the format should match the weight of the decision.
A documentation program, however, depends on a compliance staff that applies consistent practices with the support of closely related functions (HR, Internal Audit, Finance, Security). I am no fan of form for form’s sake. Instead, a documentation program has to ensure preservation and accurate recordkeeping, so that a record can actually be produced when a regulator asks for it. Carried out effectively, documentation is the insurance needed to protect the company and to ensure consistent operation of a compliance program.