Earlier this year, we wrote that Illinois-based waste disposal company Stericycle, Inc. (Stericycle) had agreed in principle with the Department of Justice (the DOJ) and the Securities Exchange Commission (the SEC) to settle charges relating to an alleged conspiracy to violate the anti-bribery, books and records, and internal accounting controls provisions of the Foreign Corrupt Practices Act (the FCPA) in connection with Stericycle’s business in Latin America. On April 20, the DOJ and SEC formally announced their resolutions with Stericycle and shared details regarding the underlying conduct. Stericycle agreed to pay over $84 million to resolve these charges, of which a portion will be credited against fines the company will pay to Brazilian authorities in related proceedings.

Specifically, as agreed by Stericycle in its Deferred Prosecution Agreement with the DOJ (the DPA), between 2011 and 2016, Stericycle made approximately $10.5 million in payments—often via intermediaries—to foreign officials in Latin America to obtain business and other advantages. The conduct allegedly involved employees in Stericycle’s offices in Brazil, Mexico, and Argentina.

In light of the reduction in the number of major FCPA resolutions over the last several years, this resolution offers two key insights into the enforcement agencies’ approach.

Key Insight #1: Extensive Remedial Measures May Not be Sufficient to Prevent the Imposition of a Compliance Monitor

In entering into the three-year DPA with Stericycle, the DOJ cited the “extensive remedial measures” that the company had undertaken after discovering the wrongdoing, including, most notably, divesting its subsidiaries in Mexico and Argentina and taking steps to address associated risks in Brazil.

The company also, among other things: replaced members of senior management and directors on its Board; hired additional staff members in its compliance organization; revamped its code of conduct, policies and procedures regarding anti-corruption, management of third-parties, and related compliance training; and disciplined and terminated certain employees involved in the misconduct.

Despite these measures, DOJ required Stericycle to agree to the imposition of an independent compliance monitor for two years and to comply with self-reporting obligations for another year. The DOJ stated in the DPA that a monitorship was required because the company “to date has not fully implemented or tested its enhanced compliance program.”

The DOJ’s requirement of an independent compliance monitor in this case, even after Stericycle had already implemented various remedial measures is in line with Deputy Attorney General Lisa Monaco’s statements last year (which we covered here) and the DOJ’s associated policy shift towards the use of monitorships to ensure that companies have robust compliance programs. The imposition of a monitorship here also highlights the importance of proactively developing a compliance program over time to deter misconduct and establish cultural norms relating to compliance.

Key Insight #2: Compliance Organizations Must Evolve in Tandem with a Company’s Expansion

In its cease-and-desist order, the SEC specifically cited Stericycle’s rapid expansion in Latin America and its failure to ensure that sufficient compliance and internal accounting controls were in place in those jurisdictions.

According to the SEC, Stericycle entered the Latin American market in 1997 and quickly expanded through “the acquisition of many local businesses in Argentina, Brazil, and Mexico [in which] [t]he prior local business owners continued to run the operations.” Yet as it grew, according to the SEC, Stericycle’s accounting processes and controls remained largely decentralized “with neither uniformity nor proper oversight,” the company had no centralized compliance department, and it failed to implement FCPA policies and procedures prior to 2016.

The resolution in this case illustrates the importance of addressing compliance risks in the context of M&A deals. Companies pursuing a growth strategy that involves acquisitions should take reasonable, risk-based measures to mitigate risk, such as by conducting deal diligence to evaluate the bribery and corruption risks associated with proposed acquisitions and implementing reasonable integration measures post-closing to address risk.

Conclusion

In sum, Stericycle’s resolutions with the DOJ and SEC demonstrate the U.S. government’s continued focus on whether companies have taken adequate steps to ensure that their compliance programs can address bribery and corruption risks in their operations, particularly where—as here—companies are expanding across borders. In addition to conducting deal diligence on potential acquisitions and engaging in post-closing integration efforts, companies should evaluate whether they have reasonable risk-based controls to address bribery and corruption risks that may arise in their ongoing business operations.