Legal and regulatory framework
What legal role does corporate risk and compliance management play in your jurisdiction?
Compliance programmes that prevent, detect and respond to potential wrongdoing or misconduct are part of the expectations of the US government for organisations regardless of whether they operate in the US or in other countries around the world. While there is generally no legal requirement that organisations establish and maintain an effective compliance programme, having an effective compliance programme in place may serve to reduce fines, penalties and other terms of the settlement of any government investigation, whether brought on the basis of civil or criminal law. In addition, having a compliance programme that is effective is recognised as assisting in protecting the reputation of the organisation.
Laws and regulations
Which laws and regulations specifically address corporate risk and compliance management?
The primary source addressing compliance expectations is the US Federal Sentencing Guidelines (www.ussc.gov/sites/default/files/pdf/guidelines-manual/2016/GLMFull.pdf), as set forth in Chapter 8, Part B, Subpart 2.1 of those Guidelines. The Guidelines have been modified over time to reflect the ongoing evolution of compliance expectations. These Guidelines are established by the US Department of Justice (DOJ) and address how to calculate fines, penalties and prison sentences for a wide variety of offences committed by corporations and individuals. The Guidelines provide a formula for each offence that is then adjusted based on the underlying facts surrounding the conduct in question for aggravating and mitigating factors. One of the mitigating factors recognised for organisations is the existence of a compliance programme. The Guidelines set out the elements needed for a compliance programme to receive credit for reducing fines and penalties that would otherwise be due. These Guidelines are used by a variety of government agencies to guide their own regulatory and enforcement efforts.
Types of undertaking
Which are the primary types of undertakings targeted by the rules related to risk and compliance management?
All organisations, companies, corporations or other entities regardless of form are covered.
Regulatory and enforcement bodies
Identify the principal regulatory and enforcement bodies with responsibility for corporate compliance. What are their main powers?
The primary agency that considers the impact of compliance issues is the DOJ, which may bring criminal or civil enforcement actions under the laws of the United States. In general, the DOJ has wide authority to enforce the laws of the United States. Typically, this means that the DOJ uses a variety of laws to address misconduct. While there is no direct action that can be brought for failure to maintain a compliance programme on its own, the presence or absence of a compliance programme is an important factor that the DOJ considers in the resolution of many matters. The DOJ has authority to impose, as part of the resolution of any action, requirements to implement and maintain a compliance programme and often does so. The DOJ also may enforce the terms of any settlement, and therefore has ongoing oversight of how well a compliance programme is being implemented and maintained.
In addition, many other agencies may also impose compliance expectations or requirements on organisations, and often work in conjunction with the DOJ. The agencies include, among others, the Securities and Exchange Commission (SEC), the Environmental Protection Agency, the Department of Health and Human Services, the Federal Trade Commission, the Financial Industry Regulatory Authority and the Office of Foreign Assets Control (OFAC). All of the agencies may impose requirements relating to industry-specific compliance standards on organisations as part of the resolution of an investigation.
Finally, state governments and state agencies may also be involved in enforcement matters and may also require organisations to make compliance commitments as part of a settlement of an enforcement action.
Are ‘risk management’ and ‘compliance management’ defined by laws and regulations?
The elements of a compliance programme are set out in the Guidelines. In addition, these elements are widely recognised in guidelines or settlements entered into by organisations with the US government through various enforcement agencies. In general, risk management principles are recognised as part of an effective compliance programme, and are described as part of the process to control risks, and to prevent, detect and respond to wrongdoing.
Are risk and compliance management processes set out in laws and regulations?
The Guidelines set out the details regarding processes involved for an effective compliance programme. In addition, for bribery and corruption risks, detailed information has been published regarding compliance programme responsibilities. This information can be found in A Resource Guide to the US Foreign Corrupt Practices Act (FCPA), published in 2012 by the DOJ and the SEC (www.justice.gov/criminal-fraud/fcpa-guidance) and in the United States Attorneys Manual (www.justice.gov/usam/united-states-attorneys-manual). In February 2017 the Fraud Section of the DOJ published its Evaluation of Corporate Compliance Programs (www.justice.gov/criminal-fraud/page/file/937501/download). This guidance includes 11 key compliance programme evaluation topics, and includes a number of common questions that the DOJ considers relevant in evaluating compliance programmes as part of a criminal investigation. In addition, in November 2017, the DOJ announced that they would permanently include in the US Attorneys Manual (www.justice.gov/usam/usam-9-47000-foreign-corrupt-practices-act-1977) core principles of its previously announced FCPA Pilot Program, which was launched in April 2016. This permanent enforcement policy strongly incentivises companies to voluntarily disclose potential misconduct, fully cooperate with the government’s investigation and remediate the alleged misconduct through an effective compliance programme and disgorgement of improper gains. If a company satisfies these three criteria, absent aggravating circumstances, it will be entitled to a presumption that the DOJ will decline to prosecute the company. In March 2018, the DOJ announced its intention to apply the principles of this FCPA enforcement policy to other white collar crimes.
In addition, in some sectors like the healthcare and pharmaceutical industries, specific guidelines have been developed that apply the compliance standards set forth in the Guidelines to specific business practices. For example, the application of compliance requirements to the pharmaceutical industry has been set forth in the OIG Compliance Program Guidance for Pharmaceutical Manufacturers (www.gpo.gov/fdsys/granule/FR-2003-05-05/03-10949) issued in 2003, and the document entitled Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors issued jointly by the Office of Inspector General of the US Department of Health and Human Services and the American Health Lawyers Association in 2003 (https://oig.hhs.gov/compliance/compliance-guidance/compliance-resource-material.asp).
Standards and guidelines
Give details of the main standards and guidelines regarding risk and compliance management processes.
The main standards and guidelines are based on the Guidelines and have been further developed through implementation of the Guidelines by various agencies and resolution of enforcement actions. These standards are generally described as follows.
Support and commitment from the top
As a foundational matter, senior management and boards of directors should create a ‘tone at the top’ that promotes a culture of compliance. In evaluating an organisation’s compliance programme, US authorities say they will consider whether senior management has clearly articulated expectations of conducting business in compliance with all laws and organisation standards, communicated these expectations in unambiguous terms, followed these standards themselves, and supported compliance with appropriate resources. While ‘tone at the top’ is necessary, a commitment to compliance must be reinforced by middle management and others throughout the organisation as compliance is the duty of individuals at all levels.
Clearly articulated and visible corporate policies
Organisations should have written policies, procedures and codes of conduct that prohibit improper conduct. The policies should cover key risk areas and provide clear standards of expected behaviour. Typically, a code of conduct is included as a key document that sets forth expectations on acceptable conduct.
Governance and oversight
The governing authority should be knowledgeable about the content and operation of the compliance programme and exercise reasonable oversight with respect to its implementation and effectiveness.
The high-level personnel of an organisation should ensure that an organisation has an effective compliance and ethics programme. Specific individuals within high-level personnel should be assigned overall responsibility for the compliance programme. In addition, specific individuals within an organisation should be delegated day-to-day operational responsibility for the compliance programme. Individuals with operational responsibility should report periodically to high-level personnel and, as appropriate, to the governing authority or an appropriate subgroup, on the effectiveness of the compliance programme. To carry out such operational responsibility, these individuals should be given adequate resources, appropriate authority and direct access to the governing authority, or an appropriate subgroup.
A dedicated compliance infrastructure, with one or more senior corporate officers responsible for compliance, is needed. US enforcement authorities will look at whether an organisation devoted adequate staffing and resources to the compliance programme given the size, structure and risk profile of the business. At a minimum, US authorities expect that lead compliance personnel will have direct access to an organisation’s governing authority, such as the board of directors or an audit committee.
An organisation should use reasonable efforts not to include within its substantial authority personnel any individual whom an organisation knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics programme. Practically, this means that an organisation should routinely check whether employees are debarred from doing business with the US government, usually through checking online exclusions databases.
Training and communication
Organisations should take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance programme, by conducting effective training programmes and otherwise disseminating information appropriate to the respective roles and responsibilities of those required to be trained. The individuals included for this training are the members of the governing authority, high-level personnel, substantial authority personnel, organisation employees, and, as appropriate, an organisation’s agents. A compliance programme cannot be effective without adequate communication and training. While the nature and type of training given depends on the circumstances of the organisation and how it conducts business, the ultimate goal of training and communication is to make sure that individuals understand what is expected of them and are able to incorporate compliance guidelines in their everyday activities.
Moreover, it is expected that communication regarding compliance issues should not take place only in formal settings. While the nature of communication may vary based on the organisation and its business, in general it is expected that communication efforts could include such elements as internal newsletters for employees, a separate space on the intranet devoted to ethics, dissemination of examples of good practices of ethical conduct, posting of pamphlets and announcements on bulletin boards, presentation of positive results obtained from the implementation of the code of conduct and incorporation of the ethical and integrity principles and values in the organisation’s mission and vision statements. An effective compliance programme must provide resources for an organisation’s employees and relevant third parties to obtain compliance information. Specific organisation personnel should be designated to help answer questions.
Monitoring and auditing
Organisations are expected to take reasonable steps to ensure that the compliance programme is followed, including monitoring and auditing to detect criminal conduct, to evaluate periodically the effectiveness of the compliance programme and to have and publicise a system, which should include mechanisms that allow for anonymity or confidentiality, whereby organisation employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation. These mechanisms for reporting potential or actual misconduct typically include the institution of hotlines, ombudsmen or other anonymous reporting systems. Monitoring and auditing serve as the basis for determining if the policies and procedures are being implemented effectively. What activities to monitor and audit are a function of the nature of the business and the way in which an organisation operates. Accordingly, there is no set rule as to what activities should be reviewed, but it is essential for an organisation to be able to justify the efforts it undertakes in that regard.
Incentives and discipline
The compliance programme should be promoted and enforced consistently throughout an organisation through appropriate incentives to perform in accordance with the compliance programme and appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct. Organisations should reward their employees for good behaviour, and consider including the review of business ethics competencies in the appraisal and promotion of management and measuring the achievement of targets not only against financial indicators, but also against the way the targets have been met and specifically against compliance with the organisation’s policies. Incorporating adherence to compliance as a significant metric for management’s bonuses, recognising compliance professionals and internal audit staff, and making working in the compliance organisation a way to advance an employee’s career are all ways to promote compliance. While incentives are important, so are disciplinary procedures to address violations. To evaluate the credibility of a compliance programme, US authorities will assess whether an organisation has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly and, when applied, whether they are commensurate with the violation and used consistently.
Response to incidents
An organisation’s response to a report of potential misconduct is also critical. Organisations must have an infrastructure in place to respond to the report, conduct appropriate investigations and document the response process, in a consistent manner. After criminal conduct has been detected, an organisation should take reasonable steps to respond appropriately to the criminal conduct, to determine the root cause of the misconduct, and to prevent further similar criminal conduct, including making any necessary modifications to the compliance programme.
Risk assessment and periodic reviews
In implementing the requirements listed above, an organisation should periodically assess the risk of criminal conduct and should take appropriate steps to design, implement or modify each requirement set forth above to reduce the risk of criminal conduct identified through those processes. Periodic reviews and assessments of a compliance programme are viewed as essential, as a programme that remains static is likely to become ineffective as risks shift. For example, organisations may use employee surveys to measure their compliance culture and strength of internal controls, identify best practices and detect new risk areas, or may conduct audits to assess whether controls have been implemented effectively.
Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?
Any organisation, regardless of the form of the entity that operates in the United States or is subject to US law, is expected to meet these compliance obligations.
What are the key risk and compliance management obligations of undertakings?
Organisations are expected to implement and maintain an effective compliance programme as described above.
Liability of undertakings
What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?
Members of governing bodies and senior management have several responsibilities regarding risk and compliance. First, governing board members have responsibility for compliance programme oversight. This means that board members must ensure that the compliance programme is effective, that it is designed to mitigate compliance risks, and that it has sufficient resources to prevent, detect and respond to potential misconduct. Second, board members must hold senior management and those responsible for the compliance programme accountable to implement the programme. Board members also must establish a ‘tone at the top’ that demonstrates to employees and external parties that the organisation expects all who are associated with it to act properly and in accordance with applicable laws and regulations as well as organisation policies.
With regard to senior management, the expectation is similar to that of members of the governing body. Senior management should ensure that the compliance programme has the resources and capabilities to implement a programme that prevents, detects and responds to potential misconduct. Senior management also has an obligation to demonstrate support for compliance through ‘tone at the top.’ This requires management to show by verbal communication and their actions that they require all employees to act in a compliant way and that misconduct will not be tolerated. This tone can be demonstrated through written and verbal communication to employees by email, in other written communication, through presentations at meetings, and through one-on-one interactions where employees are encouraged to only conduct business ethically and in accordance with applicable laws and organisation policies.
Do undertakings face civil liability for risk and compliance management deficiencies?
Those organisations that engage in misconduct involving compliance obligations under law face potential civil liability, which could include fines, disgorgement of gains, restitution and debarment from participating in government programmes. Liability occurs from a violation of applicable law or regulation, as opposed to a violation of a compliance programme requirement. For example, civil liability could occur if an organisation fails to obtain a required permit, but civil liability would not occur if an organisation’s employee failed to follow a policy requiring a permit to be obtained.
In addition, organisations may face the risk of civil liability from private litigants who may claim that the organisation failed to fulfil its obligation to manage risk through a compliance programme, resulting in loss of value to an investor who would not have experienced a loss if the programme had been managed effectively. These private legal actions may result in added defence costs as well as judgments or settlements, depending on the facts of the underlying matter.
Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?
Administrative or regulatory action may result in being debarred from conducting business with government entities, restrictions or suspension of a licence, or fines associated with the underlying conduct. The nature of the action that could be taken is a function of the requirements of the underlying administrative provisions or regulations that specify the consequences of the violation. In instances where an organisation has settled an enforcement action, compliance obligations may be required to be undertaken as part of the settlement agreements. Failure to meet those settlement obligations relating to compliance may result in fines or penalties. For example, an organisation may have committed as part of a settlement to conduct annual training on compliance topics. Failure to complete that training obligation may result in administrative or regulatory action, including fines or penalties.
Do undertakings face criminal liability for risk and compliance management deficiencies?
Criminal liability may occur for violations of applicable law. This liability may occur, for example, if the conduct violates a law such as the FCPA, which prohibits the payment of bribes to non-US government officials to obtain an improper advantage. Payment of the bribe would result in criminal liability for the bribe payer. Organisations that face criminal liability, however, do so based on the underlying law, rather than the failure to maintain an effective compliance programme.
Liability of governing bodies and senior management
Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?
Those who participate in the underlying misconduct run the risk of civil liability. Generally, however, without the active involvement of governing body members or management in the misconduct, the risk of personal liability is low. Liability could occur, however, if private litigants establish that management failed in its oversight duties in a securities law action, or if as part of a government-negotiated settlement, management makes representations about the compliance programme that are later determined to be incorrect.
Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?
In general, members do not face the risk of administrative or regulatory consequences for compliance programme management issues. Risk could occur, however, if members participate in the underlying misconduct or undertake specific obligations regarding compliance as part of a government settlement and fail to fulfil those obligations.
Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?
If members of governing bodies and senior management participate in the underlying criminal misconduct, there may be liability. Without active involvement in the criminal misconduct, the risk of criminal liability to board members and senior management is low for failing to implement compliance programme obligations.
Corporate compliance defence
Is there a corporate compliance defence? What are the requirements?
There is no corporate compliance defence. Having an effective compliance programme, however, may result in the reduction of fines, penalties and other adverse actions in the settlement of the enforcement action.
Discuss the most recent leading cases regarding corporate risk and compliance management failures?
In 2017 and 2018, there were a number of settlements involving the failure of organisations to manage compliance risks. Notable settlements included:
- In September 2017, Telia Company AB agreed to pay US$965 million to resolve FCPA violations in Uzbekistan, with some of those payments being allocated to Dutch and Swedish authorities. Its Uzbek subsidiary, Coscom LLC, agreed to plead guilty to FCPA violations.
- In November 2017, SBM Offshore NV agreed to pay US$238 million to resolve FCPA offences in Brazil, Angola, Equatorial Guinea, Kazakhstan, and Iraq. SBM entered into a deferred prosecution agreement with the DOJ. One of its subsidiaries pleaded guilty to conspiracy to violate the anti-bribery provisions of the FCPA.
- In December 2017, Keppel Offshore & Marine Ltd and its subsidiaries agreed to pay penalties totalling more than US$422 million to authorities in the United States, Brazil and Singapore, of which US$105 million will paid to the US. The US company, Keppel Offshore & Marine USA Inc, pleaded guilty to conspiracy to violate the anti-bribery provisions of the FCPA.
- In February 2018, US Bancorp agreed to pay penalties, both civil and criminal, of US$613 million after being charged with having a defective anti-money laundering compliance programme and seeking to hide the weaknesses from federal regulators. The company, among other actions, had restricted its transaction monitoring systems to levels based upon staffing levels and available resources, rather than based on the risks present in the transactions.
- In February 2018, Rabobank National Association, a subsidiary of Dutch-based Rabobank, forfeited more than US$368 million, pleading guilty to defrauding the US and to obstructing an examination by the US Office of the Comptroller of the Currency. Prior to the plea, the former anti-money laundering investigations manager for the bank had pleaded guilty to aiding and abetting anti-money laundering violations.
In addition, several individuals were sentenced to prison for FCPA violations, and a number of individuals were charged or had pleaded guilty and are awaiting sentencing. For example:
- In July 2017, Dmitrij Harder, a Russian national living in Pennsylvania, was sentenced in federal court in Philadelphia to 60 months in prison for bribing an officer at the European Bank for Reconstruction and Development and ordered to forfeit US$1.9 million. He had previously pleaded guilty in 2016 to violating the FCPA.
- In September 2017, Amadeus Richers, a German citizen living in Brazil, was sentenced to time served plus three years of supervised release. He had previously pleaded guilty to conspiracy to violate the FCPA and admitted that from 2001 until 2004 he and his co-conspirators paid US$3 million in bribes to officials at Telecommunications D’Haiti.
- In September 2017, Frederic Pierucci, a French citizen, was sentenced to 30 months in prison for bribing officials in Indonesia. Pierucci was vice president of global sales for an Alstom SA subsidiary in Connecticut. He was also fined US$20,000 by the federal court in New Haven, Connecticut. He had previously pleaded guilty in 2013 to an FCPA conspiracy and a substantive FCPA offence.
Are there risk and compliance management obligations for government, government agencies and state-owned enterprises?
There are no specific obligations for government entities or agencies regarding implementing or maintaining compliance programmes. Government employees, like private sector employees who engage in misconduct, may be charged under applicable law.
Framework covering digital transformation
What are the key statutory and regulatory differences between public sector and private sector risk and compliance management obligations?
There are no specific compliance obligations of governments or government agencies.