FCPA Resource Guide Action Items, Issue 2 – Elements of Compliance Programs
As we discussed in a previous alert on November 16, the Department of Justice ("DOJ") and Securities and Exchange Commission ("SEC") jointly published a Resource Guide to the U.S. Foreign Corrupt Practices Act (available here). The Guide provides a convenient roadmap of DOJ and SEC’s expectations regarding corporate compliance programs in one place. For in-house counsel and compliance officers, the release of the Resource Guide also provides an excellent opportunity to marshal internal support for a fresh assessment of existing compliance programs.
Though the 120-page Resource Guide covers a wide range of topics, this alert provides a concise summary of seven DOJ and SEC expectations for corporate anti-corruption compliance programs generally, what these expectations mean for companies and specific actions companies can take to help address each one.
- Tone at the Top
Enforcers often stress the need for a culture of compliance, regardless of the strength of a company’s program on paper. The Resource Guide reiterates this position. However, the Resource Guide indicates that enforcers will evaluate the culture among middle managers and line-level employees—not just the commitment from senior managers.
Action Item: In addition to training employees on anti-corruption policies, assess employees’ perceptions of the company’s commitment to compliance. This kind of assessment can help leadership identify compliance weaknesses and better determine the best way to allocate anti-corruption resources.
- Risk Assessment
In the words of the Resource Guide, "[a]ssessment of risk is fundamental to developing a strong compliance program." DOJ and SEC expressly acknowledge that one-size-fits-all compliance programs rarely work and that compliance programs should be risk-based: "DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area."
Action Item: Conduct regular, meaningful risk assessments and use them to guide the rest of the company’s compliance efforts. As the Resource Guide notes later, "Effective policies and procedures require an in-depth understanding of the company’s business model, including its products and services, third-party agents, customers, government interactions, and industry and geographic risks."
- Code of Conduct, and Compliance Policies and Procedures
Unlike some previous guidance, the Resource Guide specifically identifies risks that many companies should address with policies and procedures: - Payments to foreign officials - Use of third parties - Gifts, travel and entertainment expenses - Charitable and political donations; and - Facilitating and expediting payments.
Most companies already have these policies in place (with the possible exception of facilitating and expediting payments – a recent survey found that 64 percent of companies simply ban these outright).
Action Items: (1) Ensure your program addresses each of the risk areas above; (2) translate all policies and procedures into local languages; and (3) consider using web-based approval programs for gifts, travel and entertainment expenses. These recommendations (and the Resource Guide in general) indicate a preference for a centralized compliance function with communications tailored for local business units.
- Training and Continuing Advice
As the Resource Guide notes, "[c]ompliance policies cannot work unless effectively communicated throughout a company." DOJ and SEC do not offer specific recommendations on the content of the training, except to note that companies should consider tailoring their training programs to the audience – sales personnel and accounting personnel may need different training based on the scenarios they are likely to face.
Action Items: (1) Develop means to give specific advice when it is needed urgently. For larger companies, this typically means well-publicized ways to communicate with on-call in-house compliance or legal personnel. For smaller companies, this may mean retaining outside FCPA counsel ahead of time, so that they can provide timely advice when it is needed. (2) Customize anti-corruption training to the jobs, functions and specific risks faced by specific audiences.
- Incentives and Disciplinary Measures
DOJ and SEC also note the need for compliance policies to be linked with meaningful consequences. In addition to disciplinary measures for non-compliance, however, DOJ and SEC explicitly note that some companies have "made adherence to compliance a significant metric for management’s bonuses." As we explained here, under the Dodd-Frank Act, it is also critical for public companies to bring FCPA investigations under the direction of counsel as swiftly as possible to protect investigative information from disclosure.
Action Item: Develop positive incentives for ethics and compliance leadership. Require employees to report suspected violations of the FCPA internally and foster a corporate culture where internal reports are expected and clearly appreciated. For example, consider taking such reports (or lack thereof) into account when evaluating employee job performance and consider taking compliance climate metrics into account when evaluating managers and other leaders.
- Oversight, Autonomy, and Resources
The Resource Guide echoes the U.S. Sentencing Guidelines in emphasizing that companies should assign responsibility for their compliance functions to senior executives who have autonomy from management. The Resource Guide also acknowledges that another individual can be delegated day-to-day responsibility for the compliance program.
Notably, the U.S. Sentencing Guidelines require that, for maximum credit, the individual to whom day-to-day responsibility is delegated should have "direct access to the governing authority [e.g., the Board of Directors] or an appropriate subgroup of the governing authority [e.g., the Audit Committee]."
Action Item: Assign operational responsibility for the company's compliance program to a senior executive and give that individual "express authority to communicate personally" to the Board of Directors or Audit Committee.
- Continuous Improvement: Periodic Testing and Review
The Resource Guide emphasizes that no compliance program should be static. Rather, DOJ and SEC recommend that companies "regularly review and improve their compliance programs."
For companies that undertake ad hoc reviews of their compliance programs, however, the release of the Resource Guide presents a clear opportunity to update policies and procedures in light of the guidance from DOJ and SEC.
Action Item: Schedule routine testing and review processes (including those that are unannounced).
In sum, though the Resource Guide does not answer every question, it brings clarity and specificity to many of the compliance expectations that guide the DOJ and SEC’s FCPA enforcement decisions. Similarly, though the action items listed above are not required or all-inclusive, if taken they can help companies prevent, detect and mitigate FCPA and other compliance problems.
Next in The Series:
We will examine the government’s specific compliance expectations regarding third parties, M&A and confidential reporting/internal investigations in the next installments of this client alert series.