In today’s regulatory environment, companies face mounting pressure from law enforcement agencies to maintain robust compliance programs to deter and detect misconduct by employees, third-party vendors and business partners. In the United States, prosecutors have long considered the effectiveness of an entity’s compliance policy to be an important factor informing charging decisions and the negotiation of deferred and non-prosecution agreements. Prosecutors’ focus on compliance measures has only increased.
The U.S. Department of Justice (“DOJ”) Fraud Section recently published a list of topics and questions that it has “frequently found relevant in evaluating a corporate compliance program” in the context of a criminal investigation. In addition, the Fraud Section has announced plans to extend its Foreign Corrupt Practices Act (“FCPA”) Pilot Program, which incentivizes companies to voluntarily self-disclose FCPA-related misconduct and remediate shortcomings in their corporate controls and compliance programs.
An emphasis on corporate compliance policies is also observed in the United Kingdom. For instance, “corporate failure to prevent bribery” is a strict liability offense under section 7 of the Bribery Act of 2010 (the “Bribery Act”). The only complete defense available to a company under investigation for such an offense is proof that it had adopted “adequate procedures” to prevent bribery and corruption. Like the DOJ Fraud Section, the U.K. Ministry of Justice has developed a rubric for evaluating whether a company has adopted “adequate procedures” sufficient to avoid criminal liability under the Bribery Act.
This memorandum briefly discusses recent developments highlighting the importance of adopting rigorous compliance procedures under U.S. and U.K. law.
DOJ Compliance Program Guidance
In 2015, the DOJ Fraud Section hired a full-time compliance expert, Hui Chen, to consult on the prosecution of business entities and to help prosecutors “develop appropriate benchmarks for evaluating corporate compliance and remediation measures.”1 Under Ms. Chen’s leadership, the Fraud Section published a guidance document entitled “Evaluation of Corporate Compliance Programs” (the “DOJ Guidance”) on February 8, 2017. Drawing on a number of existing resources—including the United States Attorney’s Manual, the United States Sentencing Guidelines (the “Sentencing Guidelines”), Fraud Section corporate resolution agreements, and the November 2012 Resource Guide to the FCPA published by the DOJ and the Securities and Exchange Commission—the DOJ Guidance consists of a list of topics and questions the Fraud Section may consider when making a determination with respect to a company under criminal investigation. While the DOJ Guidance is prefaced with a warning that compliance programs “must be evaluated in the specific context of a criminal investigation that triggers” prosecutorial scrutiny, the topics and sample questions provide a valuable roadmap for companies to assess the soundness of existing corporate compliance policies and to determine what steps to take in the event the company discovers misconduct.
The DOJ Guidance is divided into 11 topics:
- Analysis and Remediation of Underlying Conduct
- Senior and Middle Management
- Autonomy and Resources
- Policies and Procedures
- Risk Assessment
- Training and Communications
- Confidential Reporting and Investigation
- Incentives and Disciplinary Measures
- Continuous Improvement, Periodic Testing and Review
- Third-Party Management
- Mergers and Acquisitions
The DOJ Guidance makes clear that a company’s oversight duties do not end once it drafts and circulates compliance policies and procedures to employees. Rather, the guidance contemplates a continuing commitment to, and investment in, compliance principles at all levels of the organization. For instance, prosecutors will consider whether senior officers and the board of directors have demonstrated a commitment to compliance and remediation efforts, and whether that commitment has been communicated to mid-level managers and other employees. Another relevant consideration is whether the compliance department has been empowered to act with the degree of authority and autonomy necessary to deter and detect misconduct. This factor takes into account practical considerations such as how the compliance function “compare[s] to other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources and access to key decision-makers.”
The DOJ Guidance also highlights the importance of revisiting compliance policies and procedures in light of changing risks. For instance, the guidance notes that the frequency with which the company “update[s] its risk assessments and reviewed its compliance policies, procedures, and practices” is a factor that prosecutors often consider. Other relevant factors are whether and how often the company has audited its compliance policies and controls, particularly with respect to high-risk business units such as those responsible for processing payments or managing third-party vendors.
Although the DOJ Guidance provides a series of general questions that prosecutors may consider in assessing the strength of any compliance program, it is critical that every company tailor its compliance program to “the particular risks it faces.” Thus, companies will generally receive favorable consideration for taking a bespoke approach when determining what types of information and metrics to track and how to draw reporting lines up through the organization.
Pilot Program Extension
In a March 10, 2017 speech at the American Bar Association’s National Institute on White Collar Crime, Acting Assistant Attorney General Kenneth Blanco announced that the DOJ Fraud Section’s guidance for the investigation and prosecution of FCPA offenses, commonly known as the “Pilot Program,” will “continue in full force” after April 5, 2017, when it was originally scheduled to expire.2 Under the Pilot Program, companies that meet certain criteria may earn sentencing credit in FCPA matters handled by the Fraud Section, including favorable consideration regarding the type of disposition prosecutors will pursue and reductions in fines below the minimum level recommended under the Sentencing Guidelines.3 Mr. Blanco stated that the Pilot Program would remain in place while the DOJ evaluates the “utility and efficacy” of the program, whether to extend it and what revisions, if any, to make to the program.
The Fraud Section considers three key factors to determine whether, and to what extent, companies will receive credit under the Pilot Program: (1) voluntary self-disclosure; (2) full cooperation; and (3) remediation. Key considerations related to each of these factors include the following:
1. Voluntary Self-Disclosure
- Disclosure occurs “prior to an imminent threat of disclosure or government investigation.”
- The company discloses “within a reasonably prompt time after becoming aware of the offense.”
- The company discloses “all relevant facts known to it, including all relevant facts about the individuals involved in any FCPA violation.”
2. Full Cooperation
- Proactive cooperation, including disclosure of facts relevant to the investigation, “even when not specifically asked to do so.”
- When requested, “de-confliction of an internal investigation with the government investigation.”
- Upon request, making company officers and employees (including those located overseas) available for interview by the DOJ.
- Disclosure of overseas documents (except where such disclosure is impossible due to foreign law).
3. Remediation
- Implementation of an effective compliance and ethics program.
- Appropriate discipline of employees, including those identified by the company as responsible for the FCPA-related misconduct and those with oversight responsibility.
- Adoption of measures to reduce the risk that detected misconduct will be repeated.
Companies that voluntarily self-disclose FCPA-related misconduct, cooperate fully in the government’s investigation, and timely and appropriately remediate misconduct in accordance with the Pilot Program guidance will qualify for significant mitigation credit, including up to a 50% reduction off of the lower end of the fine range under the Sentencing Guidelines and a presumption that a monitor will not be appointed. In addition, where all three conditions are met, the Fraud Section may consider a declination of prosecution. If a company does not voluntarily disclose its FCPA-related misconduct, but later fully cooperates with the investigation and takes timely and appropriate remedial measures, the company will qualify for at most a 25% reduction off of the low end of the Sentencing Guidelines fine range.
A company will run afoul of section 7 of the Bribery Act if it fails to prevent its employees or agents from engaging in bribery. The only defense available to a section 7 charge is to prove that the company had “adequate procedures” in place to prevent bribery.
In March 2011, the U.K. Ministry of Justice (“MOJ”) published its Adequate Procedures Guidance containing six high-level (non-prescriptive) principles that a company should consider when implementing or reviewing its compliance program. While these principles are articulated in the context of preventing bribery offenses, they also reflect generally accepted international good compliance practices.
1. Proportionate Procedures
- A company’s procedures should be proportionate to the bribery risks it faces and to the scale of its business activities. The procedures should account for the full spectrum of individuals and corporate entities over which the company has control.
2. Top-Level Commitment
- Management should foster a culture in which bribery is never acceptable and show effective leadership in bribery prevention.
3. Risk Assessment
- A risk assessment should be the starting point for any corporate compliance program. The risk assessment should be: (i) tailored to the particular company; (ii) periodic; (iii) informed; and (iv) documented. Compliance involves more than just a ‘box-ticking’ exercise.
- Following the completion of the risk assessment, company policies and procedures should be adapted to address the identified risks.
4. Due Diligence
- To mitigate bribery risks, the company should implement thorough due diligence procedures, taking a proportionate and risk-based approach, with a keen focus on individuals or corporate entities who perform or will perform services for the company.
5. Communication, Including Training
- The company should seek to ensure that its bribery prevention policies and procedures are embedded and understood by all employees, supported by internal and external communication, which includes proportionate training tailored to the risks faced by the company.
6. Monitoring and Review
- Monitoring includes internal audits and third-party audits of business partners and joint ventures. Effective monitoring should include the consideration of an external review and verification of company procedures and remediation measures where necessary.
Comparison of the U.S. and U.K. Guidance
The published guidance from the U.K. MOJ and the U.S. DOJ is broadly aligned. There are, however, some notable differences between the U.K. and U.S. approaches to compliance programs. In particular, in the U.K., if a company can prove that it had “adequate procedures” in place to prevent bribery, a complete defense is available to a charge under section 7 of the Bribery Act. Conversely, in the U.S., the adoption of a compliance program is not a defense to FCPA liability, although prosecutors consider the adoption of effective compliance procedures to be an important factor in determining whether to prosecute and will consider this in the terms of any settlement.
The clear and consistent message from both U.K. and U.S. regulators and enforcement agencies is that the consequences of failing to maintain an effective compliance program can be severe. As a result, companies should broadly adhere to the published guidance of the U.K. and U.S. regulators. At a minimum, companies should consider adopting the following good practices:
- Following a detailed risk assessment, the company must tailor its compliance program to the specific risks faced by the company and, where appropriate, third-party vendors.
- Senior management must communicate its commitment to compliance to the entire company and be actively involved in the continued monitoring of the compliance program.
- Staff must receive periodic risk-based training.