The Department of Justice (DOJ) and Securities and Exchange Commission (SEC) issued a long-awaited Resource Guide (the Guide) on their interpretation of and enforcement strategy for the US Foreign Corrupt Practices Act (FCPA) on November 14, almost a year after Lanny Breuer, head of DOJ’s Criminal Division, announced its prospective issuance. At 103 pages of text and 418 endnotes, the Guide goes well beyond a version 2.0 of the 6-page “Layperson’s Guide to the FCPA” it replaces. The Guide responds to recommendations from the OECD Working Group on Bribery, and reflects inputs DOJ and SEC received from business groups, non-governmental organizations, and others in a series of stakeholder consultations as the Guide was being developed.[1]

Rather than signaling any major shift in DOJ or SEC’s FCPA enforcement policies, the Guide primarily serves to consolidate in one document their interpretation of the FCPA and the factors influencing their exercise of prosecutorial discretion. New features include hypotheticals on common and recurring issues, questions and answers, checklists of factors to consider when analyzing FCPA issues, the enforcement authorities’ interpretation of a number of FCPA cases and settled enforcement actions, and anonymized examples of matters in which they have declined to take enforcement action. While the Guide is non-binding[2] and offers little of substance that is new for close followers of FCPA enforcement, it is detailed and thoughtful in its approach and provides greater transparency into the analytical framework applied by enforcement authorities in FCPA matters. For these reasons, it is likely to become a well-worn reference guide on the shelves of in-house and outside FCPA practitioners alike, although – given the pace of developments in this area – it may require periodic updates to remain current.

Below we highlight a few of the Guide’s more noteworthy points with respect to DOJ and SEC’s interpretation of the FCPA’s antibribery and accounting provisions; current FCPA enforcement policy; and compliance program expectations.

FCPA Antibribery Elements

The Guide’s treatment of the elements of the FCPA’s antibribery provisions generally resists calls for bright-line guidance regarding definitions of foreign officials and instrumentalities or the size or amount of payments that will be considered “anything of value.” It nonetheless offers useful insights regarding DOJ and SEC’s interpretation of, and enforcement policy with respect to, these and other elements of the antibribery provisions.

  • Anything of Value – Gifts, Meals, Entertainment, and Travel. The Guide recognizes that small gifts and reasonable meals, entertainment, and promotional expenses can be a legitimate part of conducting business. It suggests that corrupt intent is what causes hospitality to cross a line from proper to improper, noting that past enforcement actions generally have targeted travel and entertainment expenses that “occurred in conjunction with other conduct reflecting systemic bribery or other clear indicia of corrupt intent.”[3] While offering no de minimis exception for gifts and meals, as proposed by some commentators and critics, the Guide goes as far as stating that “it is difficult to envision any scenario in which the provision of cups of coffee, taxi fare, or company promotion items of nominal value would ever evidence corrupt intent.”[4] Additionally, the Guide notes that, while large, extravagant gifts will likely evidence corrupt intent, smaller gifts will not, unless part of a pattern evidencing a corrupt scheme to improperly influence officials. The Guide describes the “hallmarks of appropriate gift-giving” as gifts “given openly and transparently, properly recorded in the giver’s books and records, provided only to reflect esteem or gratitude, and permitted under local law"[5] It notes that effective compliance programs should include “clear and easily accessible guidelines and processes,” with many “larger companies” choosing to automate clearance processes, set monetary thresholds and annual limitations, and permit “limited exceptions” with approval by “appropriate management.”[6] Consistent with a DOJ Opinion Procedure Release (OPR) from earlier this year, the Guide endorses a hypothetical scenario involving provision of business class air travel for foreign officials in appropriate circumstances.[7] While several of the Guide’s hypothetical examples fall fairly clearly on one side or the other of a sometimes blurry line dividing appropriate from inappropriate gifts, entertainment, and travel,[8] they nonetheless may offer useful guideposts when analyzing the many more challenging questions that arise in the course of companies’ day-to-day operations.
  • Anything of Value – Charitable Contributions. The Guide emphasizes that legitimate charitable giving does not violate the FCPA, but that proper risk-based due diligence and controls are essential for ensuring donations are not “used as a vehicle to conceal” corrupt payments.[9] In its discussion of charitable contributions, the Guide sheds new light on the sole FCPA enforcement action arising solely out of charitable giving, Schering-Plough, including that there were internal documents indicating that employees viewed the payments as “dues” required to be paid to gain assistance from a government official, rather than as legitimate charitable donations.[10] Additionally, this is one of several areas in which the Guide uses formally non-binding OPRs to illustrate DOJ’s enforcement policy, citing previous OPRs for examples of what DOJ views as appropriate risk-based due diligence, ongoing monitoring, and other controls on donations.[11] The Guide’s section on charitable contributions is unique in offering an enumerated list of “questions to consider” when evaluating a proposed course of conduct.[12]
  • Foreign Officials and Instrumentalities. One of the most eagerly anticipated areas of guidance relates to the definition of “foreign official” under the FCPA, and in particular how DOJ and SEC evaluate whether an entity is an “instrumentality” such that its employees are “foreign officials.” As a threshold matter, the Guide stresses that the FCPA prohibits payments to foreign officials and not foreign governments, while advising that payments to governments – including contributions or donations – should be made with controls ensuring funds are not used for corrupt purposes, “such as the personal benefit of individual foreign officials.”[13] The Guide also reflects DOJ and SEC’s position that an “actor need not know the identity of the [bribe] recipient” to commit an offense[14] – a position that is currently contested in individual litigation[15]and has been disclaimed in recent court opinions.[16] With respect to guidance on the definition of “instrumentality,” those hoping for a bright-line test were left wanting. The Guide instead reiterates that the analysis is fact-specific – requiring consideration of an entity’s ownership, control, status, and function – and consolidates a list of non-exclusive factors approved by courts in the Esquenazi, Carson, and Aguilar cases.[17] The Guide does helpfully suggest that majority ownership or control is a dominating factor: “an entity is unlikely to qualify as an instrumentality if a government does not own or control a majority of its shares.”[18] In the same breath, however, the Guide cautions that no one factor is dispositive and that an entity with minority government shareholding or control could be deemed an instrumentality, such as where the government controls essential elements of the entity’s operations or political appointees hold important positions. Moreover, the Guide warns that bribes paid to private individuals risk prosecution under the FCPA’s accounting provisions, the Travel Act, anti-money laundering laws, and other laws.[19]
  • Promotional Expense Affirmative Defense. In addition to affirming that, absent corrupt intent, reasonable gifts, meals, and entertainment do not violate the antibribery provisions, the Guide separately addresses the availability of the affirmative defense for reasonable and bona fide travel and lodging expenses that are directly related to the promotion, demonstration, or explanation of products or services or the execution or performance of a contract. Not surprisingly, the Guide emphasizes that “trips that are primarily for personal entertainment purposes” are not bona fide.[20] It also compiles a “non-exhaustive list of safeguards” from its OPRs to guide the fact-specific analysis of whether particular expenses qualify for the affirmative defense.[21]
  • No news is good news? The Guide offers no new, major insights on the interpretation of corrupt intent, willfulness, the business purpose test, treatment of third parties, facilitating payments, or the local law affirmative defense. In each of those sections, the Guide largely restates congressional intent statements, court interpretations, or prior settled actions without adding any appreciably new information.

Accounting Provisions

  • Books and Records. The Guide’s discussion of the FCPA’s antibribery provisions notes that improper recording of expenses may be viewed as evidence of corrupt intent.[22] In its discussion of the accounting provisions, the Guide emphasizes that there is no materiality threshold for books and records violations, while observing that DOJ and SEC’s enforcement has generally has involved “misreporting of either large bribe payments or widespread inaccurate recording of smaller payments made as part of a systematic pattern of bribery.”[23]
  • Internal Controls. While the FCPA refers to systems of “internal accounting controls,” the Guide reiterates a position reflected in many DOJ and SEC enforcement actions that treat “an effective compliance program” as a “critical component of an issuer’s internal controls.”[24] These controls should include, inter alia, a tone of integrity, risk assessments, policies and procedures, communication, and monitoring.[25] The Guide as originally issued incorrectly stated that an issuer must use “best efforts” to cause subsidiaries or affiliates in which it holds “less than 50%” to devise and maintain a system of internal accounting controls.[26]In fact, the statutory requirement is one of “good faith” and “to the extent reasonable under the issuer’s circumstances,” and applies with respect to subsidiaries or affiliates in which the issuer holds “50 percentum or less” of the voting power.[27]The Guide has now been corrected in the version posted by DOJ to its website.

Jurisdiction

  • Antibribery Provisions. The Guide re-affirms the Government’s aggressive stance on FCPA jurisdiction, particularly with respect to non-US persons. For example, in past enforcement actions DOJ has asserted jurisdiction over non-US persons under 15 U.S.C. § 78dd-3 based on isolated meetings in – or telephone calls, emails, or wire transfers to or from – the United States.[28] It also has grounded jurisdiction on the indirect use of “correspondent accounts” that foreign banks maintain at US banks to clear dollar-denominated transactions.[29] Further, the Guide maintains that 15 U.S.C. § 78dd-3 confers jurisdiction whenever a foreign person merely causes an act to be done in the United States by an agent.[30] The Guide also continues to advance expansive theories of agency, conspiracy, and aiding and abetting to reach non-US persons “regardless of whether the foreign national or company itself takes any action in the United States.”[31] The Guide does not address recent judicial challenges by individual defendants to DOJ’s broad assertions of jurisdiction. These have included challenges both to DOJ’s expansive interpretation of the phrase “while in the territory of the United States” under 15 U.S.C. § 78dd-3,[32] as well as arguments that individual defendants had insufficient contacts with the United States to support an assertion of personal jurisdiction.[33] The Guide does not address these potential limitations to jurisdiction, and gives no indication that DOJ or SEC intend to retreat from their prior, aggressive positions in this area.
  • Accounting Provisions. While noting that the FCPA’s accounting provisions only apply directly to issuers, the Guide stresses that individuals, subsidiaries, and private companies may be liable for aiding and abetting, conspiring to commit, or causing violations by an issuer, for falsifying an issuer’s books and records, or for circumventing internal controls.[34] The Guide also highlights liability risks for certain officers or directors as control persons, for false statements to auditors, and for false certifications under the Sarbanes-Oxley Act of 2002, as well as the risk of criminal liability for companies for knowing violations of the accounting provisions and for individuals for knowing and willful violations.[35]

Parent, Successor, and Target Liability

One of the most important parts of the Guide is its section on parent, successor, and target company liability, as it represents the first attempt of DOJ and SEC to articulate explicitly the policies and principles that govern their enforcement actions in this area. As the cases have proliferated, so has confusion about even some basic premises. Groups seeking reform of the FCPA had targeted the M&A area as key for cutting back on successor liability.

  • Parent-Subsidiary Liability. The Guide begins its discussion of liability in the context of corporate transactions with a summary of parent-subsidiary liability generally.[36] It reinforces that traditional principles of parent-subsidiary liability – agency and respondeat superior – apply to FCPA cases just as they do in other areas. As a result, the Guide makes clear the agencies’ view that a parent may be held liable for the acts of its subsidiaries in at least two ways: first, directly, as a result of its own knowledge of and involvement in the acts of its subsidiary; and second, under traditional agency principles. Whether the Government will view a subsidiary as the agent of its parent depends not only on the formal relationship between the parent and subsidiary, but also on the degree of actual control the parent exercises. If an agency relationship exists, the Guide makes clear that DOJ and SEC will apply the respondeat superior doctrine and find the parent liable for the acts of its subsidiary.
  • Successor Liability vs. Liability for Acts of an Acquired Subsidiary. The Guide devotes nearly seven pages to the subject of “successor liability,”[37] beginning with a general discussion of the risks – both legal and commercial – of entering into corporate transactions without conducting sufficiently robust FCPA-focused due diligence. The Guide states clearly that DOJ and SEC view liability of a successor company for the acts of a corporate predecessor as an “integral component of corporate law” and that nothing relating to FCPA enforcement alters that principle. In its discussion of when SEC and DOJ will seek to hold acquiring companies liable for the acts of their acquired entities, however, the Guide appears to conflate two related but analytically distinct scenarios: true successor liability, where a corporate entity has acquired another entity with FCPA liabilities and subsequently merged or amalgamated with it, and liability of a buyer for the acts of an acquired company that remains a separate legal entity.
  • Enforcement Intentions and Hypotheticals. Notwithstanding the conflation of these two distinct scenarios, the Guide provides a useful restatement of DOJ and SEC’s enforcement history in this area, including when they have held acquirers liable as true successors, and when they have brought enforcement actions only against a target company that survives the transaction. A series of six hypothetical factual scenarios divided into two sections – where the acquisition target is subject to the FCPA and where it is not – is provided. The hypotheticals highlight the importance the agencies place on pre-acquisition due diligence, post-closing remediation and training, voluntary disclosure, and cooperation with any Government investigations. Where companies engage in robust efforts, the Guide indicates that the agencies are unlikely to hold them liable directly or as a successor (although the target will remain liable for any prior violations). Where companies do not, however, the Guide states that the agencies are more likely to bring an enforcement action against the acquirer. That said the Guide is clear that – where a target was not subject to the FCPA prior to an acquisition (which typically arises when the acquired company is a non-US entity operating in a local market outside of US jurisdiction) – the mere fact of an acquisition does not create successor liability for the acquiring company for the target’s pre-acquisition conduct.

Enforcement Guidance

The Guide’s discussion of enforcement principles, penalties, sanctions, remedies, and resolutions largely summarizes existing DOJ and SEC guidance on these topics,[38] but provides some additional information on the application of these principles in the particular context of FCPA matters. It also highlights concrete benefits that may accrue to companies with effective compliance programs, identifies factors for determining whether a monitor is appropriate, and – for the first time – provides (anonymized) examples of matters DOJ and SEC have declined to pursue.

  • Self-Reporting and Cooperation. The Guide, as expected, emphasizes the “high premium” placed on voluntary and timely self-reporting, cooperation, and the implementation of meaningful remedial measures in determining the appropriate resolution of an FCPA matter as to a company.[39] By explaining, with some specificity, that these factors may reduce a company’s culpability score under the US Sentencing Guidelines, and thereby lead to fine reductions under the Guidelines, DOJ – while not guaranteeing a specific outcome or being formulaic – provides some tangible evidence of the benefits that may be afforded to companies who self-report, cooperate, and implement meaningful remedial measures.[40] SEC makes similar statements, which are important, but given the operation of its penalty regime, it is not able to say how these factors, in specific quantitative terms, will affect its penalty determinations.[41]
  • Role of Compliance Programs.The Guide also re-affirms the Government’s long-held position that the adequacy and effectiveness of a company’s compliance program plays a significant role in the resolution of FCPA matters.[42] The adequacy and effectiveness of such programs may influence whether a Deferred Prosecution Agreement (DPA) or Non-Prosecution Agreement (NPA) is used, the length of any DPA or NPA imposed, the penalty amount, and whether a monitor or on-going self-reporting is required.[43] What is new in the Guide, as a result of declining to bring a criminal or civil action against Morgan Stanley in connection with the activities of one of its executives, is the Government’s recognition that it “may decline to pursue charges against a company based on the company’s effective compliance program, or may otherwise seek to reward a company for its program, even when that program did not prevent the particular underlying FCPA violation that gave rise to the investigation.”[44] This is as close as the Guide comes to the compliance defense that a number of commentators have sought. While some have expressed disappointment that DOJ and SEC did not go further in the Guide, this position should be no surprise.
  • Compliance Expectations for Small and Medium Enterprises.While the Government’s public acknowledgement that it may decline to pursue charges against a company based on its effective compliance program is welcome news,[45] many companies’ compliance programs will never replicate the depth and breadth of the program Morgan Stanley implemented. In response to these concerns, DOJ and SEC acknowledge in the Guide that “small- and medium-size enterprises likely will have different compliance programs from large multi-national corporations,” and assure these companies that they take these differences “into account when evaluating companies’ compliance programs.”[46] Similarly, the Guide notes that it will evaluate whether a company “devoted adequate staffing and resources” to its compliance program in light of “the company’s size, complexity, industry, geographic reach, and risks associated with the business.”[47] Despite these statements, the Government’s expectations as to the compliance measures small- and medium-sized companies will adopt and implement are likely to remain high. It will be interesting to see how the Government reacts going forward to any arguments made by these companies that, in light of their organization’s size and risks, their compliance programs were “designed carefully, implemented earnestly, and enforced fairly.”[48]
  • What is “Meaningful Credit” for Risk-Based Compliance?To encourage implementation of risk-based compliance programs, the Guide states that DOJ and SEC will give “meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area.”[49] On its face this statement is quite significant, as all companies have limited resources. How it will be applied in concrete cases remains the key issue. For example, since there is no materiality standard, it cannot be an excuse for a company to minimally monitor low-risk areas that may spawn multiple infractions over time. It also is impossible to know what, and how much, credit DOJ and SEC will give when these infractions occur. Nevertheless, the clear implication here is that whatever level of resources are devoted to lower-risk activities (such as gifts and entertainment) or jurisdictions, a greater level of resources will be expected for higher-risk activities.
  • When are Monitors Appropriate? One recent trend in FCPA resolutions has been the decreased use of monitors. The Guide reinforces this view by stating that monitors are “not appropriate in all circumstances . . . .”[50] The Guide, nevertheless, identifies six factors DOJ and SEC will consider when determining whether a monitor is appropriate and, in particular, mentions that monitors may be appropriate “where a company does not already have an effective internal compliance program or needs to establish necessary internal controls.”[51]
  • Charging Decisions. The Guide summarizes the available dispositions in FCPA matters, such as Plea Agreements (DOJ), Civil Injunctive and Administrative Remedies (SEC), DPAs (DOJ and SEC), and NPAs (DOJ and SEC), as well as the differences between these resolutions.[52] It is silent, however, on the factors that lead to the use of one of these dispositions over another. It is also silent on the factors influencing enforcement choices when multiple potential targets are presented (for example, individuals versus companies).
  • Declinations Data.Companies and FCPA practitioners have long sought greater transparency from DOJ and SEC regarding declinations to help evaluate whether to self-report a potential FCPA violation and to better understand the credit that may be given should they decide to self-report, cooperate, and remediate in the wake of discovering potential or actual violations. The Guide responds to this request by stating that “in the past two years alone, DOJ has declined several dozen cases against companies where potential FCPA violations were alleged,”[53] identifies seven circumstances present in some or all of its recent declinations,[54] and sets forth details regarding six recent anonymized examples of declinations involving companies.[55] These disclosures are welcomed and generally helpful, though it is unclear whether any of the several dozen declinations referred to involved tips deemed not credible enough to pursue or matters not pursued due to resource issues. Also, it would be informative to companies for DOJ and SEC to continue disclosing the details of their declinations, much as they did with the six matters detailed in the Guide. It would also be helpful for DOJ and SEC to periodically release information about their levels of investigative activity and rates of declinations.
  • Declination Examples.The six declinations set forth in the Guide are instructive as to the factors that must be present for a declination to occur. Each matter appears to have involved a voluntary self-report, an internal investigation, cooperation with the government, and the implementation of remedial measures. Many involved relatively small bribes and some involved potential bribes that were detected and prevented before being paid. However, no information was provided on how long it took for DOJ or SEC to decline these matters once they were brought to the attention of the Government. Moreover, it appears that in connection with obtaining a declination, each company expended significant resources to investigate and remediate these matters, many of which, as previously noted, involved relatively small improper payments or payments that were never made. A reasonable question may be raised as to whether, given the circumstances involved in these cases, DOJ and SEC would decline these cases in the event a company undertook a prompt investigation and implemented all the aforementioned remedial measures but chose not to self-report.

Compliance Programs

The Guide identifies “hallmarks of effective compliance programs” with basic elements mirroring those set forth in prior DOJ charging documents, the OECD’s Good Practice Guidance on Internal Controls, Ethics, and Compliance,[56] and other existing compliance resources. These elements are familiar to compliance professionals, although the Guide provides some additional detail with respect to Government expectations for anti-corruption compliance programs in particular. Below we note a few items that may not be embedded in every company’s compliance program and therefore may merit additional attention.

  • Management Commitment.While the Guide continues to emphasize the importance of tone at the top, it also underlines the importance of a message from the middle in sustaining a culture of compliance.[57]The very worthwhile CEO message is important, but cascaded reinforcing messages from middle management also are needed. Companies that have been on a serious compliance “journey” for some time will recognize the importance of this comment, which has not previously been officially stated by the agencies.
  • Policies and Procedures. Consistent with existing guidance, the Guide notes that policies and procedures should address risks related to payments to officials; use of third parties; gifts, travel, and entertainment; charitable and political contributions; and facilitating and expediting payments. The Guide further suggests that policies and procedures should “outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures,” while acknowledging that the types of policies and procedures will depend on the size and business model of the company.[58] Finally, the Guide advises “periodically” updating a Code of Conduct to ensure it remains “current and effective."[59]
  • Risk Assessments. The Guide reiterates the importance of risk assessments in designing compliance programs and that “one-size-fits-all” programs are “generally…ineffective."[60] It also cautions against devoting “a disproportionate amount of time [to] policing modest entertainment and gift-giving instead of focusing on” higher-risk areas like “large government bids, questionable payments to third-party consultants, or excessive discounts to resellers and distributors."[61]While this guidance is welcome, it is unlikely DOJ or SEC will excuse on this basis a pattern of small but improper payments.
  • Communication.In describing “effective” communication of compliance policies, the Guide suggests that periodic training and certifications should be required for “all” officers, directors, and “relevant employees” and, “where appropriate,” for agents and business partners.[62]Further, the Guide recommends providing training and related materials in the local language, tailoring training programs to specific audiences (such as particular functional groups), and implementing measures to provide ethics and compliance advice on an urgent basis. These steps, while representing good practice for larger companies, could impose a significant burden on smaller companies.[63]
  • Incentives and Discipline. The Guide encourages companies to incentivize compliant behavior and suggests rewards for improving and developing the compliance program and for ethics and compliance leadership.[64]Examples include having management bonuses depend at least in part upon a compliance standard of performance in addition to financial and commercial performance targets, and participating in the compliance effort as a way to advance an employee’s career by making ethical and lawful behavior part of the promotion, compensation and evaluation process.[65]
  • Continuous Improvement.The Guide states that compliance programs should “constantly evolve” and that an organization should “regularly review” its compliance program and “periodically” test its controls with the goal of “continuous improvement and sustainability” of the compliance program and internal controls.[66] The call for “regular” reviews and “constant” evolution appears to raise the bar beyond the “periodic” reviews and updates called for in prior DOJ charging documents and OECD guidance.[67]
  • Third Parties.The Guide also discusses the important topic of managing risks related to third-party business partner.[68] While recognizing that due diligence performed can vary based on location, industry, nature of the transaction, and prior relationships with the third party, the Guide also cautions that certain “guiding principles always apply."[69] These include (1) understanding the third party’s qualifications, associations, business reputation, and relationship with officials; (2) understanding the business rationale for using the third party and the proposed payment terms, as well as “confirming and documenting” the third party is “actually performing the work” and that its “compensation is commensurate” with the work provided; and (3) monitoring the relationship on an ongoing basis, including, “where appropriate,” by updating due diligence, exercising audit rights, providing periodic training, and requesting annual compliance certifications.[70]Certain of these steps, particularly in the third category, appear burdensome for low-risk relationships. Further, and although not entirely unexpected, the Guide fails to provide guidance as to how much additional review or diligence should be conducted when red flags arise. For example, a hypothetical offered by DOJ and SEC involving third-party due diligence states that the given facts “warrant[] further inquiry” or “warrant significant scrutiny."[71]However, more helpful to companies would have been a statement as to the standards DOJ and SEC will apply, in hindsight, to judge the sufficiency and reasonableness of the steps taken in such circumstances.
  • Mergers and Acquisitions.The Guide emphasizes the legal and business risks of failing to conduct appropriate due diligence prior to mergers and acquisitions. Conversely, it notes examples in which DOJ and SEC have declined to take enforcement action where companies conducted appropriate pre- and post-merger due diligence, voluntarily disclosed any corruption to the government, and promptly integrated the acquired entity into its compliance programs and controls.[72]

Conclusion

While the Guide does not represent a sea change in DOJ or SEC policy in the realm of FPCA enforcement and compliance, it is a useful primer on many issues that companies and individuals will face when trying to comply with the law and on the approach DOJ and SEC will bring to the table if their conduct comes to be scrutinized. Given the Guide’s heavy reliance on past enforcement actions as “precedent,” combined with the rapid pace at which DOJ and SEC continue to bring enforcement actions, we believe the Guide will remain most useful if it benefits from periodic updates to reflect any evolution in enforcement policy and practice.