Best Practices for Anti-Corruption Compliance Programs – A Moving Target
The Justice Department and the SEC have pushed extraordinary changes in the field of anti-corruption compliance. If one looks back five years ago and compares the so-called best-practices from 2008 and compares them to recent pronouncements on anti-corruption compliance, the differences are stark.
Here is a summary chart on current program elements and some “best practices” cited by DOJ and the SEC in recent enforcement settlements.
If you look down the list, there are some interesting elements, additions and refinements. These include:
Annual Compliance Assessments – The requirement of annual compliance assessments is important. A company can stand still and expect its compliance program to continue working. A compliance assessment is a critical tool for improving a compliance program. A regular assessment routine should be designed with a schedule for in-depth and less intensive assessments. A stated policy for conducting such reviews and the timing and resources committed to each should be set out in advance.
Effective Training for Third Parties – This requirement has become more important in the last few years because of DOJ and SEC concern about the absence of effective control over third parties. A company does not have to conduct the training itself so long as it ensures that the third-party company provides comparable training programs to its employees.
Integration of Acquired Entities into Compliance Program – In response to poor integration practices, DOJ and the SEC have emphasized this element. DOJ and the SEC have dealt with companies that acquired companies without making any effort to integrate the acquired company into the parent company’s internal controls. This phenomena has occurred on numerous occasions in China and other Asian countries.
DOJ and the SEC have imposed this requirement with some flexibility and allowed companies to complete the integration process within eighteen months.
Two aspects of this element raise some concern. DOJ and the SEC expect the acquiring company to conduct forensic audits of the acquired company and to report to the government any violations that are discovered. These are troublesome requirements. They constrain company discretion: (1) to assign audit resources where appropriate; and (2) to require companies to disclose to the government any violations. No one hs tested these requirements but companies have to retain discretion to assign compliance resources where appropriate and disclose when they choose to disclose a violation.
Evolving International and Industry Standards – This factor requires companies to take into account evolving international and industry standards when monitoring, testing and auditing a company’s compliance function. This terminology is somewhat vague but in practice is an attempt to define “best practices” in this area.