In recent months, the US Department of Justice (DOJ) has issued important guidance for global companies on corporate compliance programs and the Foreign Corrupt Practices Act (FCPA) self-disclosure program. Taken together, this recent DOJ guidance reinforces that companies will receive significant benefit from the US government when they develop robust compliance programs that will both prevent and detect corruption – and when potential FCPA violations are promptly identified, remediated, and reported to the DOJ. Even in circumstances where misconduct is pervasive or involves upper management, a company’s exemplary actions may nonetheless result in a prosecution declination or cooperation credit.
Compliance Program Guidance
On April 30, 2019, the DOJ issued new guidance to prosecutors, drawn from a number of existing departmental sources offering varying degrees of specificity, on evaluating corporate compliance programs. This guidance updates and answers questions posed in previous guidance issued in February 2017, to reflect DOJ’s evolving view of compliance program effectiveness.
Boards and management should make use of recent expanded guidance from the US Department of Justice to ensure that their compliance programs are considered “effective” if and when an investigation arises. Companies should affirmatively answer three fundamental questions in evaluating a compliance program: 1) Is the compliance program well designed? 2) Is the program being implemented effectively and in good faith? 3) Does the compliance program work in practice?
The DOJ details specific factors that prosecutors should consider when investigating corporations and other organizations in the Justice Manual’s “Principles of Federal Prosecution of Business Organizations.” These factors include “the adequacy and effectiveness of the corporation’s compliance program” at both the time of the offense and the time of the charging decision, and remedial efforts to “implement an adequate and effective corporate-compliance program or to improve an existing one.” DOJ’s 2017 guidance offered some general questions to help prosecutors make such an assessment—although it did not provide prosecutors with corresponding answers on compliance program effectiveness.
The “effectiveness” of compliance programs also currently appears in other DOJ policy memoranda and federal sentencing guidelines, but without substantial guidance as to what prosecutors should deem effective. Specifically, Sections 8B2.1, 8C2.5(f) and 82C.8(11) of the US Sentencing Guidelines provide that consideration should be given to whether a corporation had an effective compliance program in place at the time of misconduct when calculating the appropriate fine. DOJ’s memorandum on the selection of compliance monitors (the Benczkowski Memo) also instructs prosecutors to consider, at the time of resolution, whether the corporation has made “significant investments in, and improvements to, its corporate compliance program and internal controls systems,” and whether “remedial improvements to the compliance program” have been tested to demonstrate that the program would prevent or detect similar misconduct.
DOJ’s new expanded guidance provides more specific factors for federal prosecutors to consider when determining whether a company deserves settlement credit through a demonstrated commitment to compliance. While broadly mirroring information in the Justice Manual, past DOJ memoranda and guidance, the federal sentencing guidelines, and many DOJ Deferred Prosecution Agreements and Non-Prosecution Agreements, the updated guidance provides more detail to assist prosecutors in making informed decisions about whether a corporation’s compliance program was effective at the time of the offense and is effective at the time of a charging decision or resolution. Just as importantly, the updated guidance allows corporate boards and executives to make a similar assessment and to address any shortcomings in their organization’s compliance program.
DOJ acknowledges that there is no “rigid formula” when it comes to assessing compliance programs. A company should tailor its compliance program to its specific risk profile. In doing so, however, compliance officers, board members and corporate executives should keep in mind that prosecutors will ask three “fundamental” questions in making an assessment of a company’s compliance program:
1. Is the corporation’s compliance program well designed?
DOJ takes the position that a well-designed compliance program depends on a risk assessment: has the company “identified, assessed, and defined its risk profile?” In turn, does the program devote appropriate scrutiny and resources to the range of possible risks? Prosecutors will look to whether a compliance program is appropriately designed to detect the particular types of misconduct that are likely to occur in the company’s line of business, regulatory landscape and business environment. Well-designed compliance programs also should be periodically updated, often through additional risk assessments.
Under the DOJ guidance, prosecutors will next look to a company’s compliance policies and procedures, including a code of conduct that sets forth the company’s commitment to compliance with relevant laws. The creation of well-designed policies should involve the right people—including appropriate seniority and relevant business units. Such policies should be drafted to be comprehensive, accessible and reinforced through internal controls systems.
The DOJ guidance also expects appropriately tailored training and communications, with a focus on training employees in control functions and high-risk areas. Training and guidance should be accessible and available in appropriate languages. Employees should know the company’s position concerning misconduct. Similarly, employees should have clear, accessible and confidential reporting channels for reporting misconduct—and there should be appropriate processes for investigating such reporting. Such mechanisms are considered “probative” in assessing whether a company has established mechanisms for detecting and preventing misconduct.
The DOJ guidance specifically calls out third-party management and M&A as risk areas where DOJ expects companies to have well-developed programs to assess and address potential compliance issues.
2. Is the program applied earnestly and in good faith? In other words, is the program implemented effectively?
DOJ next looks to whether a company has demonstrated a commitment to the compliance program by senior and middle management. To the government, this is perhaps one of the most important factors in assessing the effectiveness of a compliance program. Prosecutors will ask whether senior management, including the board, has “clearly articulated the company’s ethical standards, conveyed and disseminated them in clear and unambiguous terms, and demonstrated rigorous adherence by example.” Prosecutors will then evaluate whether middle management has reinforced those standards.
DOJ will also ask whether a compliance program has appropriate autonomy and resources, focusing on whether there is sufficient seniority and authority within the organization, sufficient resources and staff to undertake the necessary work of a well-designed compliance program (including internal audit), and sufficient autonomy from management, including access to the board or audit committee.
DOJ will also look to incentives and disciplinary measures taken in response to compliance and non-compliance, respectively. It is critical that appropriate human resources processes are developed and consistently applied.
3. Does the corporation’s compliance program work in practice?
Effective compliance programs cannot exist only “on paper.” They must work in practice. Prosecutors will closely review whether a program was working when misconduct was identified, especially in circumstances where misconduct was not immediately detected. While Section 8B2.1(a) of the US Sentencing Guidelines makes clear that misconduct in and of itself does not mean that a program is ineffective, the DOJ guidance indicates that prosecutors should view identification of misconduct by a compliance program as a “strong indicator that the compliance program was working effectively.” Prosecutors will consider whether and how the company detected potential misconduct, what resources were in place to investigate the potential misconduct, and the “nature and thoroughness of the company’s remedial efforts.”
Prosecutors will evaluate whether a compliance program continued to improve and evolve through ongoing risk assessment, periodic testing and review. Internal audit should conduct periodic compliance audits based on identified risks, compliance controls should be tested, and gap assessments should be undertaken from time to time.
Finally, companies must undertake analysis and remediation of identified underlying misconduct. Root cause analyses are a key component of determining the appropriate scope and extent of remediation when compliance violations are identified.
At the American Bar Association’s Annual National Institute on White Collar Crime on March 8, 2019, Assistant Attorney General Brian Benczkowski clarified the US Department of Justice (DOJ) self-disclosure program under the FCPA Corporate Enforcement Policy. The policy includes a presumption that the government will decline to prosecute business organizations that meet the DOJ’s standards of “voluntary self-disclosure,” “full cooperation,” and “timely and appropriate remediation.” However, the policy explains that this presumption can be negated if “aggravating circumstances” exist involving the nature of the offender or the seriousness of the offense.
In providing insight on how the DOJ is applying this policy, Benczkowski explained that prompt investigation and self-disclosure of FCPA issues may allow companies to overcome aggravating factors that otherwise could prevent the DOJ from declining prosecution. He highlighted that two recent DOJ declinations “make clear that aggravating factors like high-level executive involvement in the misconduct will not necessarily preclude a declination when the company’s actions are otherwise exemplary.”
Companies have wrestled with whether to self-report potential violations of the FCPA when aggravating circumstances are present. The FCPA corporate enforcement policy states that aggravating factors include, but are not limited to, the following:
· Involvement of company executive management in the misconduct
· A significant profit to the company from the misconduct
· Pervasiveness of the misconduct within the company
If the DOJ determines that aggravating circumstances do exist warranting criminal prosecution for a company that nevertheless has voluntarily disclosed the wrongdoing, fully cooperated, and timely and appropriately remediated, the policy (1) requires the government to recommend to the sentencing judge a 50 percent reduction off the low end of the US Sentencing Guidelines fine range (except in the case of a criminal recidivist), and (2) generally will not require the appointment of an independent monitor if the company has implemented an effective compliance program.
Benczkowski’s speech provides important clarity for management and boards. While misconduct in one recent DOJ investigation “reached the highest levels of the company,” the DOJ declined prosecution because that company had voluntarily self-disclosed conduct within two weeks of when the company’s board learned of it. The rationale for the declination, according to Benczkowski, was that the swift disclosure allowed the DOJ to bring charges against the company’s former president and former chief legal officer in connection to their alleged involvement in the conduct.
Benczkowski also clarified the DOJ’s approach to crediting self-disclosures in the M&A context. When companies uncover potential FCPA violations during a corporate merger or acquisition, the DOJ will provide credit in those circumstances. Applying the self-disclosure policy “to the M&A context avoids chilling acquisition activity by law-abiding companies, who might otherwise walk away from worthwhile investments due to the risk of FCPA enforcement,” Benczkowski said. According to Benczkowski, the DOJ does not want “the good corporate actors to cede the field to higher-risk entities that may only perpetuate illegal conduct.”
While the DOJ continues to incentivize companies to identify culpable individuals while moving away from punishing corporate entities and shareholders for those individual actions, companies must affirmatively build effective compliance programs and report misconduct to accrue credit with the government. Time is of the essence in identifying who may be involved in potential FCPA violations. In instances where senior management is implicated, the board should be informed immediately to assess whether self-disclosure is appropriate. Management and boards should not be deterred by potential aggravating circumstances or factors when considering whether to self-report misconduct. The DOJ may still decline prosecution if the company’s actions in responding to the conduct are “exemplary.” When misconduct is identified post-acquisition, acquiring companies should promptly respond, remediate and consider whether to self-report. Self-disclosure credit still may apply in these circumstances.