Pushing Ethics and Compliance Programs in the New FCPA Corporate Enforcement Policy
The Justice Department’s aggressive enforcement program, particularly in the FCPA arena, has been the primary impetus to the growth and empowerment of the corporate compliance function. The Justice Department and SEC’s FCPA Guidance, with its specific Hallmarks of an Effective Compliance and Ethics Program, is the most definitive statement on compliance expectations ever released by US prosecutors. Since 2012, the Justice Department has built on this foundation with its release of the FCPA Pilot Program in April 2016, the Evaluation of Corporate Compliance Programs issued in March 2017, and the recent adoption of a new FCPA Corporate Enforcement Policy.
In sum, the Justice Department has outlined a broad vision for the successful operation of an ethics and compliance program. While many point to the US Sentencing Guidelines as the seminal definitions for a compliance practitioner, I would argue that the Justice Department’s work listed above has defined a new, broad and much more robust set of expectations for an ethics and compliance program. As laid out by the Justice Department, a company that suffers violations, whether in bribery, sanctions, antitrust, safety, anti-money laundering or other areas, will be assessed based on the principles and functions described by the Justice Department, largely in the anti-corruption area.
In this context, it is important to examine the Justice Department’s recent outline of its expectations for timely and appropriate remediation in order to qualify for the benefits under the FCPA Corporate Enforcement Policy.
In order for a company to receive full credit for remediation and avail itself of the benefits of the FCPA Corporate Enforcement Policy, the company must have effectively remediated at the time of the resolution. There are four separate requirements that have to be satisfied under the remediation prong.
First, the company has to demonstrate that it analyzed the causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediated the root causes.
The “root cause” analysis has been added as a separate requirement for remediation. The Justice Department’s intent is to ensure that the company has analyzed its financial and compliance controls to determine any deficiencies that may have caused or contributed to the company’s bribery violations. A company’s task here is much more intensive and detailed than a typical risk and compliance program assessment – instead, the analysis focuses on the violations and analyzes how the culpable individuals were able to carry out the bribery scheme without detection by the company’s internal controls.
Second, the company has to implement at the time of resolution an effective compliance and ethics program. The new FCPA Corporate Enforcement Policy specifically notes that the criteria for an effective program may be updated in the future and will vary depending on the size and resources of the company.
The specific criteria are valuable reminders of how powerful the message of compliance has become and the empowerment of compliance professionals. The criteria include:
1. The company’s culture of compliance, including awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated;
2. The resources the company has dedicated to compliance;
3. The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
This factor and factor 6 below stand as two critical requirements that elevate the stature and role of compliance professionals. The Justice Department’s expectation is clear – compliance professionals have to be competent, subject-matter experts, and given stature, pay and career development opportunities commensurate with those of other comparable executives. These requirements reflect the rise of the compliance profession as a separate, critical element of every corporate management structure.
4. The authority and independence of the compliance function and the availability of compliance expertise to the board;
The new FCPA Corporate Enforcement Policy modifies the original language in the FCPA Pilot Program. The original language states, “The independence of the compliance function.” The new FCPA Corporate Enforcement Policy added the term “authority” and mandated the “availability of compliance expertise to the board.”
I am not trying to make a mountain out of a molehill, but the term “authority” reinforces the overall trend of maintaining an empowered CCO in corporate governance structures. The term “authority” is meant to underscore the importance of a CCO having a defined role in senior management as a member of the C-Suite. With that stature, the CCO can have line-of-sight across the organization and the important seat at the business table to coordinate and collaborate with business representatives in the corporate governance framework. Additionally, the CCO’s access to the board and regular reporting to the board is emphasized with the new language, and reflects increasing concern over the importance of regular reporting by the CCO to the board.
5. The effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment;
6. The compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors;
7. The auditing of the compliance program to assure its effectiveness; and
8. The reporting structure of any compliance personnel employed or contracted by the company.
Third, the company has to demonstrate that it meted out appropriate discipline of employees, including those identified by the company as responsible for the misconduct, either through direct participation or failure in oversight, as well as those with supervisory authority over the area in which the criminal conduct occurred.
Fourth, the FCPA Corporate Enforcement Policy adds a new factor relating to document preservation, requiring companies to maintain appropriate retention of business records and prohibiting the destruction or deletion of business records, including through the use of software that generates communications but does not retain business records (e.g., Snapchat). The Justice Department’s concern about document retention reflects unfortunate experiences when companies fail to retain documents or use technologies that do not retain the record of the communications.
The Justice Department’s FCPA Corporate Enforcement Policy is yet another watershed moment for ethics and compliance programs. I am not so naïve as to think that every company will immediately embrace these principles and develop action plans to make sure they are implemented (although they should). Companies are slow to move unless they are under immediate threats – government enforcement or business threats. Nonetheless, the new policy is an affirmation of a long road for compliance professionals, but it is an important reminder to many about the difficult work and challenges that lie ahead.