DOJ Sends a Message to Chief Compliance Officers
In its recent settlement with Johnson & Johnson, the Justice Department sent an important message to the compliance community by outlining “enhanced” compliance requirements. This was the first time that the Justice Department identified compliance program elements beyond “minimum” requirements.
What is DOJ’s purpose in outlining these “enhanced” requirements? Should companies implement these elements as part of an overall compliance program? It depends. DOJ is not suggesting that these requirements are the new “minimum” standard but it is clear that adopting them will increase protection for companies. Many of the enhanced requirements build on the minimum requirements and some come from compliance programs implemented under the supervision of a corporate monitor. Chief Compliance Officers should carefully review and consider which elements make sense.
1. Compliance Department – A senior executive will serve as the Chief Compliance Officer (CCO) and shall report to the Audit Committee of the Board. There shall be heads of compliance within each business sector and corporate function. There shall be a Global Compliance Leadership Team which reports to the CCO.
2. Gifts, Hospitality and Travel – Gifts are limited to those in “modest” value and appropriate under the circumstances. Hospitality and travel is limited to reasonably priced meals, accommodations and incidental expenses and should be a part of education programs, training, business meetings or conferences. Hospitality and travel are limited to the officials not others.
3. Complaints and Reports – In addition to maintaining a mechanism for making reports, the company shall create a “Sensitive Issue Triage Committee” to review and respond to any such FCPA issues as may arise.
4. Risk Assessments and Audits – The company will conduct risk assessment in markets where it has customers who are foreign governments. The company will annually conduct FCPA audits for a minimum of five operating companies who are in high risk markets and after the initial audit every three years for any such operating entity. These audits shall include, at a minimum: (1) on site visits by auditors and where appropriate legal and compliance personnel; (2) review of payments to health care providers; (3) creation of action plans from these audits; and (4) review of the books and records of distributors and agents.
5. Acquisitions – To the extent possible, conduct a pre-acquisition FCPA audit of any acquisition target and after acquisition a full FCPA audit within 18 months and training of all relevant personnel and business representatives within one year of acquisition.
6. Relationships with Third Parties – The company shall conduct a thorough due diligence of all third party representatives including: (1) a review of the qualifications and business reputation of the third party; (2) written rationale for the use of the third party; and (3) a review of the FCPA risk areas. Due diligence is to be conducted by a local business and compliance representative and elevated for review if Red Flags appear or as appropriate. Contracts with such third parties are to include appropriate FCPA compliance terms and conditions including; (i) representatives and undertakings of the third party to compliance; (ii) right to audit; and (iii) right to terminate.
7. Training – Annual training to all directors, officers and employees who could “present corruption risk” to the company. The company shall provide enhanced and more in-depth training to those involved in company sponsored FCPA audits or those on the company acquisition team. Last, the company shall provide training to “relevant third parties acting on the companies behalf” at least every three years.
8. Annual Certifications – The company shall implement a system of certifications from each of the company’s corporate-level functions, divisions, and business units in each foreign country confirming that their local standard operating procedures adequately implement the company’s anticorruption policies and procedures, including training requirements, and that they are not aware of any FCPA or other corruption issues that have not already been reported to corporate compliance.”