On November 14, 2012, the Department of Justice (“DOJ”) and Securities and Exchange Commission (“SEC”) issued “A Resource Guide to the U.S. Foreign Corrupt Practices Act,” a highly anticipated joint guidance aimed at assisting companies with FCPA compliance. Attorneys at Kelley Drye have reviewed this guidance, and wish to offer a distillation of some of its important highlights to our clients.
The guidance may have fallen short of expectations, in that it offers very little “new” or “prospective” advice. Nonetheless, it is valuable as a centralized compendium of Government policy concerning various aspects of FCPA compliance. Perhaps most notably, the guidance goes into great detail in laying out what the DOJ and SEC see as the “hallmarks” of an effective FCPA compliance program – something that Kelley Drye emphasized the importance of in our FCPA advisory of March 23 2012. Below, we discuss some of the highlights of the SEC and DOJ’s commentary on this subject.
Hallmarks of an Effective FCPA Compliance Program
The guidance stressed that an effective, proactive FCPA compliance program is one of the key tools a company has to protect itself from FCPA liability. The guidance states, “[a] well-constructed, thoughtfully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations.” Perhaps more importantly, the “DOJ and SEC also consider the adequacy of a company’s compliance program when deciding…whether or not charges should be resolved through a deferred prosecution agreement (DPA) or a non-prosecution agreement (NPA) … [and it] will often affect the penalty amount and the need for a monitor or self-reporting.” Whether a company has an effective compliance program can dramatically impact whether and how the Government will pursue action against an FCPA violator.
The DOJ and SEC recognize that one particular compliance model does not exist, and that programs must be specifically tailored to a company’s needs. However, the guidance explains that to be effective, a compliance program needs the following characteristics:
Demonstrated Commitment from Senior Management
The guidance emphasizes the importance of a company creating a “culture of compliance,” and notes that “compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” FCPA compliance must be a top-down endeavor, as upper-level executives set an example for everyone to follow. It is therefore important that the DOJ and SEC see that senior management has clearly articulated and widely disseminated company anti-corruption standards in order to receive credit for its compliance efforts.
Clear, Accessible Code of Conduct and Compliance Policies and Procedures
The SEC and DOJ want to be certain that all employees have a hand in FCPA compliance. To that end, all employees should be aware of, and have access to, company-wide policies and practices. The guidance emphasizes that these policies should be “clear, concise and accessible to all employees,” and that they should “detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures.” A compliance program can only operate effectively if all employees are able to participate, so the SEC and DOJ will look to make sure that proper communication of standards throughout the company has occurred.
Independent and Powerful Oversight Executives
A compliance program cannot have real value if it is beholden to the company’s upper-management. Thus, the guidance stresses the importance of an independent compliance staff with real authority to intervene. “Individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.” The Government will look to see whether a “company devoted adequate staffing and resources to the compliance program given the size, structure and risk profile of the business.” It is of utmost importance that those in charge of compliance have genuine authority to take appropriate remedial action – a toothless compliance program will be unlikely to garner any plaudits from the SEC or DOJ.
Appropriate Risk Assessment
The guidance emphasizes that a one-size-fits-all approach will not suffice in establishing a company’s FCPA risk assessment mechanism. For example, companies should not focus on policing smaller, less significant transactions at the expense of allowing focus on larger bids or risky activities to wane. Further, “performing identical due diligence on all third-party agents, irrespective of risk factors, is often counter-productive, diverting attention and resources away from the third parties that pose the most significant risks.” Each company faces its own unique set of corruption risks, and so the SEC and DOJ will consider the extent to which a company has analyzed company-specific risks in crafting its compliance program. The guidance further advises that, as the company grows and the risk of FCPA violation increases, “compliance procedures, including due diligence and periodic internal audits,” should increase as well.
Regular Training and Continuing Education
Compliance programs can only function when employees are kept up to date with the latest policies and procedures. Companies should demonstrate a proactive interest in this goal by offering, if not requiring, attendance at regular training and continuing education programs. Training should be audience and situation-specific; different types of training are needed for sales staff and accounting staff, with curricula that address real life situations those employees may encounter.
Appropriate Disciplinary Procedures and Incentive Rewards
In evaluating a compliance program’s effectiveness, DOJ and the SEC will determine whether a company appropriately and effectively sanctions those responsible for compliance violations and lapses. The guidance states that “[a] compliance program should apply from the board room to the supply room – no one should be beyond its reach.” A company must apply disciplinary techniques “reliably and promptly” against anyone who warrants them, particularly higher-level executives who are at risk for incurring significant FCPA violations on larger transactions. Likewise, companies should encourage self-policing and reporting of potential FCPA violations, by offering incentive programs that reward those employees who call attention to potential violations, or who otherwise contribute to the company’s compliance culture.
Third Party Due Diligence
Often, payments that are targeted under the FCPA are facilitated by third parties, such as agents, consultants or distributors. This can make corrupt payments more difficult to track. Because of this, it is important to exercise extra care when third parties are involved in significant transactions. The guidance stresses that companies must understand the qualifications and associations of third party partners and should weigh the business necessity for involving the third party in the subject transactions. In addition, companies should frequently monitor their third party relationships to ensure third party compliance.
Confidential Reporting and Internal Investigations
The guidance explains that employees will be far more likely to alert compliance personnel to potentially violative behavior if they can be assured that they have a secure and anonymous channel for doing so. To that end, companies may establish anonymous hotlines or employ ombudsmen to accept reports. Moreover, companies must act on those reports, and conduct thorough internal investigations which will, when necessary, punish those responsible and result in improvements to their compliance programs.
Periodic Testing and Review
Finally, the guidance stresses that “[a] good compliance program should constantly evolve.” As businesses change over time, so do the environments in which they operate, the customers with whom they work, and the laws that are applicable to their operations. Additionally, internal investigations will sometimes expose program weaknesses that require fixes and enhancements. “Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” As stated – compliance programs are not one-size-fits-all, nor should they remain static as a business grows. The DOJ and SEC will be far more likely to credit a company’s compliance program when they see that effort has been invested in periodic testing and updates.
This advisory captures only a portion of the guidance’s overall scope. It is certainly recommended that anyone who plays a role in his or her company’s FCPA compliance operations thoroughly peruse the guidance, as it serves as an effective reference manual that touches upon SEC and DOJ policy with regard to many different aspects of FCPA regulation. As noted, maintenance of a thorough and pro-active compliance program forms the bedrock of an effective FCPA deterrence system. It is therefore strongly encouraged that clients carefully examine their own company’s existing compliance programs to make sure that they touch upon these “highlights” outlined by the joint guidance. Maintenance of an effective program can impact the DOJ and SEC’s charging and punishment decisions regarding FCPA violations. The importance of crafting a compliance program that hits on each of these benchmarks cannot be understated, as doing so may ultimately save a company from incurring significant financial and reputational costs.
DOJ/SEC Publication: “A Resource Guide to the U.S. Foreign Corrupt Practices Act”