Corporate Anticorruption Compliance Programs: Ten Questions Every Board Director Should Ask

WHITE PAPER January 2018 Corporate Anticorruption Compliance Programs: Ten Questions Every Board Director Should Ask The United States Department of Justice, the U.S. Securities and Exchange Commission, and non-U.S. governments and agencies have recently emphasized their continued commitments to pursuing both corporate and individual violators of the Foreign Corrupt Practices Act. Given this ongoing emphasis, corporate board members have particularly important roles to play in overseeing compliance and anticorruption programs in place at the companies they serve. This Jones Day White Paper addresses some of the most prominent FCPA-related compliance priorities requiring the attention of board members, including ensuring that corporate management is completely committed to compliance efforts, risk assessment, training relative to processes and policies, third-party due diligence, and similar concerns. ii Jones Day White Paper TABLE OF CONTENTS The Board’s Role in Overseeing Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1 1. Does the Board and Senior Management Set and Communicate the Proper “Tone at the Top?” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 2. Do We Effectively Assess Our Risk? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 3. Do We Have Effective Standards, Policies, and Procedures to Address Our Risks? . . . . . . . . . . . . . . . 2 4. Do We Adequately Communicate and Train on Anticorruption Standards, Policies, and Processes? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 5. Do We Conduct Adequate Due Diligence on Third Parties? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 6. What Incentives Do We Provide for Compliance and Disincentives for Noncompliance? . . . . . . . . . . 4 7. How Do We Monitor and Audit to Detect Improper Conduct? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 8. Does the Compliance Officer Have Adequate “Clout,” Resources, and Independence? . . . . . . . . . . . 5 9. When We Discover a Problem, Do We Ensure that an Independent, Thorough, and Timely Investigation is Done? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 10. How Do We Review the Effectiveness of Our Compliance Program? . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Lawyer Contacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 1 Jones Day White Paper In late November 2017, U.S. Deputy Attorney General Rod Rosenstein announced some incremental changes to how the Department of Justice (“DOJ”) will prosecute companies that violate the Foreign Corrupt Practices Act (“FCPA”). More specifically, he announced that companies will earn a presumption of declination, or in some circumstances a 50 percent mitigation of penalties, if they appropriately self-disclose, cooperate, remediate, and disgorge profits. Rosenstein also reaffirmed DOJ’s commitment to prosecuting FCPA violations not just by companies, but also by the individuals involved in the misconduct. Similarly, Chair Clayton of the Securities and Exchange Commission (“SEC”) also recently emphasized the SEC’s ongoing commitment to holding individuals accountable. And, internationally, other non-U.S. governments are increasingly both cooperating with U.S. investigators and also implementing and enforcing their own local anticorruption laws against corporations and individuals alike. Indeed, the ever-increasing FCPA risk to individuals has led to at least one “noisy resignation” by a company director who believed that the company was not taking adequate steps to ensure compliance with the FCPA and other laws. The good news for companies and their directors, however, is that the enormous risks associated with corporate misconduct can be mitigated by the company’s implementation of an effective corporate compliance program. An effective corporate compliance program serves two important purposes: First, an effective compliance program decreases the opportunities for misconduct and increases a company’s ability to detect misconduct when it occurs. Second, the existence of an effective compliance program is a factor that U.S. prosecutors consider in determining whether to bring charges and in negotiating plea agreements, and it is also a mitigating factor for purposes of criminal sentencing under the U.S. government’s Federal Sentencing Guidelines. Indeed, some countries’ antibribery laws, such as those of the United Kingdom, create an affirmative defense for companies that implement an effective compliance program. THE BOARD’S ROLE IN OVERSEEING COMPLIANCE The board of directors has an important role to play in overseeing a company’s anticorruption compliance program. The Sentencing Guidelines provide that an effective compliance program requires, among other things, that the board be knowledgeable about the content and operation of the company’s compliance program and must “exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.” In the jointly written Resource Guide to the U.S. Foreign Corrupt Practices Act (“FCPA Resource Guide”), DOJ and SEC make clear that “compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” Likewise, DOJ’s Principles of Federal Prosecution of Business Organizations provide that in making charging decisions and assessing cooperation credit, prosecutors must consider whether the board of directors exercises independent review of the company’s compliance program and whether directors are provided with information sufficient to enable the exercise of independent judgment. Similarly, the DOJ’s February 2017 Evaluation of Corporate Compliance Programs states that in evaluating a compliance program, prosecutors should ask what compliance expertise and information has been available to the board, and whether the board has held executive or private sessions with compliance personnel. In addition to the substantial financial penalties, reputational damage, and corporate and individual criminal liability often attendant to corruption investigations, an inadequate or ineffective anticorruption compliance program increases directors’ exposure to shareholder derivative litigation. Notably, the FCPA prohibits companies from indemnifying directors for any fines that might be assessed for individual violations of the statute by directors, officers, and employees. For all these reasons, directors are well-advised to diligently oversee anticorruption compliance programs at the companies on whose boards they serve. To assist boards in the exercise of their oversight duties, below are 10 essential questions that every director should ask and be able to answer about his or her company’s anticorruption compliance program. 1. DOES THE BOARD AND SENIOR MANAGEMENT SET AND COMMUNICATE THE PROPER “TONE AT THE TOP?” The bedrock of an effective compliance program is the proper “tone at the top” set by the board and senior management. The 2 Jones Day White Paper proper “tone at the top” means that the board of directors and senior executives of the company should clearly demonstrate a commitment to compliance that is in turn reinforced and implemented by middle managers and employees at all levels of the company. “[A]n effective compliance program requires the commitment of the whole company to compliance, especially its leadership and key stakeholders.” In general terms, a company’s compliance culture will be judged by the following characteristics: (i) whether the organization explicitly encourages ethical conduct and compliance with the law; (ii) whether management “buys in” to the requirement of ethical conduct and adheres scrupulously to ethical standards thus creating an appropriate corporate culture; and (iii) whether management reinforces the company’s culture of compliance by clearly and regularly communicating and enforcing compliance with appropriate standards of ethical behavior. The board cannot, and should not, attempt to manage the corporation or directly supervise management in its implementation of a compliance program. The board must, however, set the proper “tone at the top” by, among other things, selecting ethical leaders and developing a supportive relationship with the chief compliance officer (“CCO”), who should be empowered with appropriate resources, independence, and board access. The board also has a role to play in modeling ethical behavior by appropriately addressing and remedying potential misconduct when it learns of it. On a more practical level, the board should encourage management to express its commitment to a culture of compliance by requiring management to develop and communicate clearly written codes of ethics and robust anticorruption policies, by requiring regular training and retraining on applicable policies, and by regularly reinforcing expectations of ethical behavior by all employees, in clear and understandable ways. In addition, management must be held responsible for developing procedures to ensure timely and thorough investigation of deviations from alleged misconduct by any employee, regardless of level, as well as imposition of appropriate consequences where warranted by the facts. Finally, directors can incentivize management to prioritize the creation of a culture of compliance by establishing it as a key metric by which management will be evaluated and compensated. 2. DO WE EFFECTIVELY ASSESS OUR RISK? The DOJ and SEC have repeatedly made clear that “[o]nesize-fits-all compliance programs are generally ill-conceived and ineffective.” Consequently, the government has no formulaic requirements regarding what a compliance program should look like. As a former DOJ compliance counsel recently observed, “[p]rosecutors have a common sense approach. In contrast, many compliance people tend to have a checklist approach to compliance, doing what they think the DOJ wants, not what makes the most sense.” Stated differently, an effective compliance program will be tailored to address the unique risks that the company faces in its operations. Accordingly, a sound risk assessment will consider a number of factors, including the company’s size, nature, and structure of its business; type and location of operations; whether it relies on third parties; the extent of interaction with government officials; the company’s history in the market; and many other considerations. Directors should have an understanding of the company’s primary corruption risk areas and satisfy themselves that management has accounted for those risks in creating and implementing the compliance program. And directors should require that management periodically revisit the issue, particularly after any substantial change in business model, geographic market, or acquisition. 3. DO WE HAVE EFFECTIVE STANDARDS, POLICIES, AND PROCEDURES TO ADDRESS OUR RISKS? The fundamental building blocks of an effective anticorruption compliance program are a code of conduct along with written anticorruption policies and procedures to guide management, employees, and third parties. According to the United Kingdom Ministry of Justice’s Bribery Act Guidance, a company’s code of conduct and anticorruption policies “articulate a commercial organization’s anti-bribery stance, show how it will be maintained and help to create an anti-bribery culture.” Equally important as the existence of those written documents, according to the FCPA Resource Guide, is whether they are “clear, concise and accessible to all employees and to those conducting business on the company’s behalf.” 3 Jones Day White Paper One important feature of an effective anticorruption policy is that it identify the name, title, and personal contact information of the CCO or other personnel who can answer questions about any aspect of the policy or provide guidance as to a proposed transaction or course of action. An effective anticorruption policy will also highlight and explain applicable laws, including the FCPA, the UK Bribery Act, and/or relevant local anticorruption laws in all jurisdictions where the company does business. A comprehensive policy should also provide an explanation of key terms as well as specific guidance as to permissible behavior in the company’s business environment, such as facilitating payments, giving and receiving gifts, travel and entertainment limits, and political and charitable contributions. While a robust anticorruption policy need not and cannot identify every scenario that employees or agents may encounter, the constantly changing enforcement environment mandates that anticorruption policies be reviewed, updated, and supplemented on a regular basis to keep up with the variety of factual scenarios in which bribes have been found to have been paid. An effective anticorruption policy will also account for the fact that even when a bribe cannot be proven, the company can still violate the FCPA by mischaracterizing payments in its financial records or by not maintaining internal controls adequate to provide reasonable assurances regarding the reliability of financial reporting. In short, a company must create and implement policies, processes, and internal controls specifically aimed at preventing and detecting corrupt payments. And because the FCPA does not have a materiality threshold, a company’s existing Sarbanes-Oxley controls may not always be sufficient by themselves. 4. DO WE ADEQUATELY COMMUNICATE AND TRAIN ON ANTICORRUPTION STANDARDS, POLICIES, AND PROCESSES? While written codes of ethics and anticorruption policies are a necessary measure in the prevention of bribery, they will not achieve their objective unless they are properly implemented. DOJ guidelines expressly contemplate that in determining whether to bring charges against a company, prosecutors should “attempt to determine whether a corporation’s compliance program is merely a ‘paper program’ or whether it was implemented in an effective manner.” At the most basic level, this means that companies must ensure that their codes and anticorruption policies are made available and actually read by the employees who are meant to be guided by them. In determining whether a compliance program is “paper” or “real,” the DOJ and SEC will evaluate how the concepts in the anticorruption policies and procedures are actually incorporated into a company’s operations. The only way for a company to achieve that interconnection between policies and practices is through continuous communication, training, and reinforcement. As the former DOJ compliance counsel has observed, “I always asked compliance people to point to employees in the company who have read through the standards or policies they were showing me. I don’t think I’ve ever met anybody who could actually answer that question when I put that to them.” Accordingly, current versions of key compliance program documents should, for example, be readily available on a company intranet or portal and translated into local languages for foreign subsidiaries or business units. All new employees should be required to certify that they have read the key documents upon joining the company and periodically thereafter if the compliance program has changed in a material way. A key component of an effective compliance program is that relevant anticorruption training has occurred throughout the organization, including periodic training and certification for all directors, officers, relevant employees, and where appropriate, agents and business partners based on the company’s assessment of its anticorruption risks. The determination of “relevant” employees who should receive training depends on the unique characteristics of a company’s work force. Effective training materials will typically cover the company’s code of ethics and policies and procedures, as well as applicable laws, and they should give practical advice in the context of the company’s business model. The training should, however, be tailored and focused to the audience. For example, the training of sales personnel may focus on gifts and entertainment, whereas the training of accounting personnel may focus more on spotting red flags on invoices for payment. The training should also be clear in explaining the company compliance personnel who can be contacted in the event an employee encounters a questionable situation. The delivery method of the training, whether web based, in person, written handouts, or some combination thereof, will also depend on the risk assessment done at the outset of designing the compliance program. 4 Jones Day White Paper 5. DO WE CONDUCT ADEQUATE DUE DILIGENCE ON THIRD PARTIES? The use of third parties, including agents, consultants, and distributors, creates a heightened anticorruption risk for companies, as third parties can often act with less transparency than company employees. Thus, companies should consider how they use third parties and conduct an appropriate degree of due diligence based on industry, country of operation, size and nature of the functions, transactions, and historical relationships with the third parties. That due diligence process should begin before the company engages a third-party agent and may consist of one or more steps based on the relevant risk factors: First, the company should understand the corporate profile of the proposed third party, including its ownership structure, key personnel, qualifications and associations, and its relationships with current or former foreign officials. This may be achieved by requiring a potential third-party agent to complete a comprehensive questionnaire before entering into a contractual relationship. Second, the company should consider the precise role that the third party will fill and the contract terms that will govern the relationship. In many cases, such contracts will require representations or certifications of compliance with all relevant anticorruption laws and grant audit and training rights to the company. Third, the company must inform third parties of the company’s compliance program, including its code of ethics and anticorruption policies, provide access to those policies, and make clear its commitment to ethical and lawful business practices. Finally, even after a third party is approved following due diligence, the company should monitor the relationship, including updating the diligence periodically, exercising audit rights where appropriate, requesting compliance certifications, and providing periodic training. 6. WHAT INCENTIVES DO WE PROVIDE FOR COMPLIANCE AND DISINCENTIVES FOR NONCOMPLIANCE? In evaluating a company’s compliance program, prosecutors will determine whether the program is enforced consistently throughout the company. According to the FCPA Resource Guide, a “compliance program should apply from the board room to the supply room—no one should be beyond its reach.” In order to create a culture of compliance, management must therefore take appropriate remedial action whenever it discovers deviations from approved policies and procedures. Among other things, this will include documenting violations of the compliance program as well as any remedial measures taken in response, including counseling, retraining, and other disciplinary action. While local laws may sometimes not permit publicizing disciplinary actions within the company to reinforce compliance, any disciplinary measures that are taken should be clear and commensurate with the violation, and they should be applied reliably and promptly. On the flip side, positive incentives can also drive compliant behavior. Positive incentives can include financial and nonfinancial recognition, including personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership. Since most companies with an effective compliance program include a mechanism for employees or others to report suspected or actual misconduct on an anonymous basis without fear of retaliation, a company may also consider providing financial incentives to employees who report unethical behavior or improper conduct, particularly now that whistleblower laws provide financial incentives to employees who report illegal or improper conduct to the SEC that results in enforcement action. 7. HOW DO WE MONITOR AND AUDIT TO DETECT IMPROPER CONDUCT? Misconduct can occur despite the existence of an otherwise effective compliance program. Therefore, only by regular monitoring and auditing can a company ensure that its program is effective in preventing and detecting misconduct. “Monitoring” refers to compliance-promoting activities or processes that are embedded into the business to create close to real-time prevention and detection of wrongdoing. Some examples of monitoring in its most simple form may include, for example, the attendance of compliance personnel in business strategy meetings or compliance personnel conducting surveys of employees or visiting work sites. Other more 5 Jones Day White Paper complex examples of monitoring may include using data analytics to spot potential red flags in sales or payment data, or surveilling employee email. Compliance “auditing” is different from “monitoring” in that “audits” are typically backward looking and not integrated within regular business processes. In its most robust form, an anticorruption audit will test for adherence to company policies and procedures, as well as test financial transactions for potential corruption red flags. Anticorruption compliance audits are typically conducted by internal audit personnel as part of an annual audit plan. There may be times, however, where circumstances warrant special anticorruption audits outside the normal audit plan. Those cases are often quasi-investigative in nature, and companies would be well advised to consult with lawyers about conducting the audit in a manner that will protect any privilege that may exist for the auditor’s work. Directors should ensure that internal audit includes anticorruption auditing, if appropriate. They should further take steps to satisfy themselves that the CCO or other management raise with the audit committee any material findings stemming from anticorruption audits. 8. DOES THE COMPLIANCE OFFICER HAVE ADEQUATE “CLOUT,” RESOURCES, AND INDEPENDENCE? The Sentencing Guidelines require that a “high-level person” within the organization be assigned responsibility for management oversight and implementation of the compliance program and that such person periodically, and at least annually, report to the board. That person, usually the CCO, must also have “adequate autonomy” from management, as well as sufficient resources to ensure that the compliance program is implemented effectively. Depending on the size and complexity of an organization, the CCO may delegate the day-to-day administration and oversight of the compliance function to others within the company, such as legal or human resources, or to other personnel in specific business units or subsidiaries, or to employees based on geographic location. Whatever the organizational structure devised by a company based on its unique characteristics, the DOJ and SEC will look beyond the organizational charts to satisfy themselves that, in practice, there is a real compliance function headed by a CCO with real clout and resources to perform his job. Directors should develop a supportive relationship with the CCO. That means that in addition to simply providing the CCO with periodic, and at least annual, access to the board, the board should foster an environment where the CCO is encouraged to speak frankly and privately with the board. The CCO should be encouraged to “speak truth to power” in the C-Suite and in the boardroom. The board empowers the CCO with the clout, credibility, and independence needed to do the job when it gives the CCO a “seat at the table” in the boardroom. 9. WHEN WE DISCOVER A PROBLEM, DO WE ENSURE THAT AN INDEPENDENT, THOROUGH, AND TIMELY INVESTIGATION IS DONE? A company must investigate and remediate misconduct when it learns of it. As a threshold matter, that means that a company must have an effective mechanism for employees to report potential misconduct. Once it learns of potential misconduct, a company must investigate in a timely and thorough fashion. Companies are often well advised to adopt policies surrounding the handling of internal investigations. Whether a formal policy or not, companies should ensure that investigators are both qualified and sufficiently independent from the subjects of the investigation. For the board’s part, directors should satisfy themselves that management will appropriately bring to its attention all potentially material allegations of misconduct. At a minimum, the board should be made aware of alleged misconduct related to accounting, internal accounting controls, or auditing matters. Such allegations, and particularly allegations directed at senior management, may prompt the board to launch its own investigation with the help of outside counsel that is independent from management. Regardless of who investigates, the board should satisfy itself that the company has sufficiently remediated any wrongdoing, as appropriate. There is a wide spectrum of possible remedial steps depending on the nature of the alleged misconduct, but 6 Jones Day White Paper in any case, the board should satisfy itself that appropriate steps are taken to prevent and detect future similar misconduct. In the event of serious wrongdoing, the board may need to consider whether to self-report the misconduct to the authorities—a decision that can have a material financial and reputational impact on the company. On November 29, 2017, DOJ adopted a new FCPA corporate enforcement policy that added new incentives to encourage companies to self-disclose FCPA violations to the DOJ. Of significance, the revised enforcement policy creates a presumption of declination for companies if they self-disclose, fully cooperate with the DOJ’s investigation, remediate, and disgorge any ill-gotten profits. But, to be eligible for such cooperation credit, DOJ and SEC will require a company to completely disclose all relevant facts about all individuals involved or responsible for the misconduct at issue, regardless of their position, status or seniority, and provide to the DOJ all facts relating to that misconduct. The DOJ’s and SEC’s focus on holding individuals accountable for corporate misconduct was reemphasized in a memorandum authored by former Deputy Attorney General Sally Yates. Attorney General Sessions has recently made clear that DOJ will retain that focus in the Trump Administration, and Deputy Attorney General Rod Rosenstein confirmed the government’s “resolve to hold individuals accountable for corporate wrongdoing.” 10. HOW DO WE REVIEW THE EFFECTIVENESS OF OUR COMPLIANCE PROGRAM? The essential question for any anticorruption compliance program is “does it work?” This can be a difficult question to answer, but it can be done by measuring and evaluating quantitative and qualitative data. For example, a company can readily measure how many employees received anticorruption training, how many reports it received through its reporting hotline, how many third-party intermediaries were the subject of diligence, how many potential transactions were scrutinized based on compliance concerns, or how many audits of its compliance program have occurred in a given year. However, an important part of answering the effectiveness question is not susceptible to quantitative analysis. In order to measure whether a company is promoting an organizational culture that encourages ethical conduct and a commitment to compliance with law, a company should consider how it engages with its employees on this issue. Senior management should include references to the company’s commitment to ethics and a culture of compliance in written communications with employees and at “town hall” type meetings with employees or groups of employees. Conducting surveys or focus groups of personnel can reveal important perceptions of the workplace environment and whether a shared culture of compliance and commitment to ethical business conduct exist. Directors should periodically receive analyses measuring the effectiveness of the company’s anticorruption compliance program and ask hard questions about the program’s effectiveness. As a former DOJ compliance officer has noted, a sign that a company has a good compliance program is that it has a “self-critical” approach to compliance. While there is no set checklist for evaluating the effectiveness of an anticorruption compliance program, in the end directors should satisfy themselves that management remains “self-critical” of its anticorruption compliance program, and that processes and procedures evolve with the underlying business. CONCLUSION After a record collection of fines and penalties in FCPA enforcement cases and the largest financial settlement in history to resolve a bribery case in 2016, FCPA enforcement shows no signs of slowing down in 2018 under the new administration. Attorney General Sessions has stated that DOJ “will continue to enforce the FCPA and other anticorruption laws,” and SEC Chair Clayton has confirmed that there will be no shift away from priorities like fighting corruption under the FCPA. Given continued aggressive prosecution of FCPA in the United States and enactment of stringent anticorruption laws in other countries, anticorruption compliance should be a top priority for every global company. By asking these essential 10 questions in the boardroom, directors can ensure that their companies implement an effective anticorruption compliance program that will withstand government scrutiny should a potential violation be discovered. © 2018 Jones Day. All rights reserved. Printed in the U.S.A. Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm. LAWYER CONTACTS For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our “Contact Us” form, which can be found at www.jonesday.com/contactus/. Joshua S. Roseman Dallas +1.214.969.4898 jsroseman@jonesday.com Henry Klehm III New York +1.212.326.3706 hklehm@jonesday.com Roman E. Darmer Irvine +1.949.553.7581 rdarmer@jonesday.com Karen P. Hewitt San Diego +1.858.314.1119 kphewitt@jonesday.com Hank B. Walther Washington +1.202.879.3432 hwalther@jonesday.com Emmanuel E. Ubiñas Dallas +1.214.969.3670 eeubinas@jonesday.com Jacqueline Vallette Houston +1.832.239.3818 jvallette@jonesday.com