DOJ CCO Certification Requirements and DOJ Compliance Mandates (Part II of III)
The new DOJ Certification requirements certainly raise a number of new issues and risks for senior management and chief compliance officers. In Part I of this series, I outlined the specific language and the Plea Agreement standards imposed on companies that enter into a Plea Agreement with DOJ for FCPA violations.
DOJ has reiterated its support for this new Certification requirement. Indeed, a DOJ official recently stated that DOJ expects to include these same requirements in future FCPA resolutions. While companies should be focused on the design and implementation of an effective ethics and compliance program that includes a specific anti-corruption compliance program, they should also be mindful of DOJ’s expectations as to ethics and compliance programs.
In a global marketplace, an effective compliance program is essential to detect and prevent violations in key risk areas – such as anti-corruption, trade sanctions, export control and anti-money laundering – and to ensure a culture of ethics and compliance. The Department of Justice (“DOJ”) has issued three significant compliance guidance documents. These documents include: (1) DOJ Evaluation of Corporate Compliance Programs (April 2019 and revised June 2020); (2) DOJ Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (July 2019); and (3) A Resource Guide to the U.S. Foreign Corrupt Practices Act (Nov. 2012 and revised July 2020).
In the last twenty years, DOJ has revised its form Attachment C on several occasions to incorporate new and innovative compliance program expectations. With DOJ’s new Certification requirement, Attachment C is specifically incorporated into the applicable standard for CEO and CCO certification.
Attachment C requires a Company to implement a compliance program consisting of the following key elements:
- High-Level Commitment: requires directors and senior management to provide “strong, explicit and visible support and commitment to its [compliance program].”
- Policies and Procedures: adoption of written anti-corruption compliance policy and procedures, “appropriate measures” to encourage and support observance of policy and procedures by directors, officers, employees and “outside parties” acting on behalf of the Company, and specific adoption of policies and procedures addressing: (a) gifts; (b) hospitality, entertainment and expenses; (c) customer travel; (d) political contributions; (e) charitable donations and sponsorships; (f) facilitation payments; and (g) extortion and solicitation. Under this heading, companies are required to maintain a system of financial and accounting procedures, including internal controls, “reasonably designed” to ensure the maintenance of fair and accurate books, records and accounts in accordance with the standards set forth in the FCPA itself.
- Periodic Risk-Based Review: The Company will conduct periodic risk assessments, including interactions with government officials, industrial sectors of operation, existence of joint ventures, importance of licenses and permits in the Company’s operations, degree of government oversight and inspection, and volume and importance of goods and personnel clearing through customs and immigration. The Company will review and, if necessary, update its compliance policies and procedures.
- Proper Oversight and Independence: Responsibility for implementation and oversight of the Company’s anti-corruption compliance program should be assigned to one or more senior corporate executives. The corporate official (CCO) shall report directly to independent monitoring bodies, and shall have an adequate level of autonomy from management as well as sufficient resources and authority to maintain such autonomy.
- Training and Guidance: The Company shall implement: (a) periodic training for persons (directors, officers, employees, and where appropriate, third parties) in positions of leadership or trust, persons who are required to undergo training, and employees in positions exposed to corruption risks; (b) certifications and attestations by all such directors, officers, employees, agents and business partners; and (c) an effective system for providing guidance to ensure compliance with policies and procedures.
- Internal Reporting and Investigation: The Company shall maintain an effective system for internal confidential reporting concerning violations of anti-corruption laws and/or Code of Conduct, and for responding to, investigating and documenting such violations.
- Enforcement and Discipline: The Company will implement mechanisms to enforce its Code of Conduct and compliance policies, including incentivizing and disciplining relevant conduct or misconduct. In addition, the Company shall implement fair and consistent disciplinary procedures, and remediate any harm to prevent recurrence of any such violations.
- Third-Party Relationships: The Company will institute risk-based due diligence and compliance requirements pertaining to the retention and oversight of all agents and business partners.
- Mergers and Acquisitions: The Company will develop policies and procedures for mergers and acquisitions requiring that the Company conduct appropriate risk-based due diligence on potential new business entities.
- Monitoring and Testing: The Company will conduct periodic reviews and testing of its Code of Conduct and anti-corruption compliance policies and procedures to evaluate and improve their effectiveness in preventing and detecting violations.
While the specific requirements set forth in Attachment C are straightforward, the overall weight of the elements has to be considered when a CCO is presented with a requirement for certification.