Compliance Programs Still Matter
Critical comments of the FCPA by President Trump, coupled with a general policy position of lessening regulatory oversight of U.S. companies, have caused speculation as to whether the new administration will curtail FCPA enforcement. Against this backdrop, the Department of Justice (“DOJ”) Fraud Section quietly released this administration’s first guidance setting out its position on the contours of an effective corporate compliance program. The guidance does not signal any easing of enforcement—rather, the Fraud Section is signaling an incisive review of companies and their compliance programs’ functions, resources, and effectiveness.
U.S. prosecutors consider a number of factors (known as the “Filip Factors”) when determining whether to bring charges or negotiate a plea or other agreement in relation to a potential violation. These factors include “the existence and effectiveness of the corporation’s pre-existing compliance program and the corporation’s remedial efforts to implement an effective corporate compliance program or to improve an existing one.” As the new guidance document reiterates, the DOJ does not apply “any rigid formula to assess the effectiveness of corporate compliance programs.”
To assist companies with better understanding the DOJ’s approach to an effective compliance program, the DOJ articulates eleven topic areas, in familiar risk areas, and posits a series of questions relevant to its evaluation of a compliance program. The core take-away, consistent with statements by Hui Chen, DOJ Compliance Counsel, is that companies must operationalize compliance by embedding it in core functions, such as finance, audit, HR, supply chain, and more. This guidance amplifies that position.
The guidance reveals several key themes for companies and practitioners to consider when assessing and developing compliance programs:
Emphasis on Senior Management and the Board of Directors – The DOJ is likely to maintain its focus on the role of senior management and the board in overseeing compliance and in providing accountability within the company. Senior managers and the board should have enough insight into, and communication with, compliance and other key control functions to hold those functions accountable, and to be held accountable themselves, for compliance lapses. The guidance specifically notes that the DOJ will expect companies to have independent directors with compliance expertise who have visibility into the compliance function within the company. Also, the DOJ will look unfavorably on compliance structures that isolate senior management or the board from accountability by limiting the flow of information between senior management, compliance, the board, and other key functions.
Role of Compliance – The DOJ will want to know how the compliance program functions in practice and not just on paper. Companies structure compliance programs in a variety of ways, but the DOJ will examine the involvement of senior leadership in supporting and prioritizing compliance, and whether compliance is embedded in the company’s strategic and operational decision-making. More specifically, expect the government to focus attention on the seniority and compensation of compliance personnel, the allocation of resources and budgets to the compliance function, and the stature and reporting lines of compliance roles within the company. The government will inquire into actions taken by compliance personnel related to specific allegations, including the review steps undertaken, stakeholders informed, and remedial steps recommended and implemented. This requires that the appropriate escalation and reporting policies and processes be in place and operational.
Root Cause Analysis and Risk Assessment – Regular root cause analysis and risk assessments are key to an effective compliance program. The DOJ guidance highlights these features in the context of M&A due diligence and third-party management and oversight. Furthermore, the guidance suggests that the DOJ will consider the performance of risk assessment processes in addressing potential risks and accounting for future “manifested risks.” This will require companies to establish more sophisticated risk assessments to anticipate not only general risk areas, but also how those risks may manifest themselves in the future. Companies also should consider quantitative measures, such as Key Performance Indicators (KPIs), that will help business functions identify and address risks on an on-going basis and monitor the performance of the compliance program.
Importance of Related Business Functions and Controls – The DOJ will look beyond the compliance function when assessing the compliance environment at a company. Non-compliance control functions, such as HR and finance, and non-compliance related structures, such as compensation and incentive payment schemes, play a significant role in supporting the compliance environment and permitting or incentivizing non-compliant behavior. An adequate compliance function should consider the role these other functions play in incentivizing conduct by employees and supporting the formal compliance structures and program.
Rigorous, but appropriately calibrated, compliance programs and a strong control environment remain the standard. As reflected in the guidance, the DOJ is focused on assessing effectiveness – and it has developed, and is applying, a sophisticated understanding of the elements of an effective program. Of equal importance, strong controls are good for business because they allow the early detection of risks and deter conduct that exposes companies to potential liability both in the U.S. and in foreign jurisdictions.
Companies and practitioners are already familiar with many of the aspects of an effective compliance program that feature in the new guidance, but the release confirms that the DOJ is unlikely to substantively ease enforcement. The guidance also indicates that the DOJ places significant weight on the effectiveness of a compliance program when confronting a company that has identified potential improper conduct. Companies are well advised to constantly assess their compliance programs and the evolving risks facing their businesses, to ensure that compliance programs are appropriately calibrated to address those risks.
Although quietly issued, this guidance is but the latest signal that FCPA enforcement will continue against companies and individuals. FCPA enforcement imposes relatively modest costs on the U.S. government, as investigations are conducted, and associated expenses borne, by companies, and often result in significant financial settlements. Moreover, corruption has been increasingly connected to terrorism, and easing of enforcement could be seen as contrary to President Trump’s stated commitment to fighting terrorism. In addition, during his confirmation hearings, Attorney General Jeff Sessions expressly assured Congress in his submissions to the Judiciary Committee that he would continue to enforce the FCPA.
Regardless of what happens in the U.S., however, many other countries are stepping up enforcement of their own anti-corruption laws, making compliance programs even more important. Increased enforcement by foreign governments, such as the U.K. Serious Fraud Office and Brazil’s public prosecutors, as well as collaboration and coordination across jurisdictions, will remain the norm in the foreseeable future. Importantly, a robust compliance program serves as an affirmative defense in certain non-U.S. laws, including the U.K. Bribery Act, and contributes to a company’s ability to mitigate its exposure under others, including both the FCPA and Brazil’s Clean Companies Act.
For all of these reasons, companies are well advised to continue vigorous oversight of their control environments, conduct sophisticated and thorough assessments of the evolving risks facing their business and operations, and assure that their compliance programs are adequately designed to address those risks.