DOJ’s FCPA Enforcement Plan Highlights the Need for Robust Anti-Corruption Compliance Programs
By Nathaniel Edmonds, Morgan Heavener & Ian Herbert
On April 5, 2016, the Fraud Section of the Department of Justice (“DOJ”) issued a new Foreign Corrupt Practices Act (“FCPA”) Enforcement Plan and Guidance (“Enforcement Plan”) that includes a one-year pilot program to formally incentivize corporations to self-disclose potential FCPA issues, fully cooperate with DOJ in the investigation of those issues, and remediate any corruption issues identified in an internal investigation. In particular, the Enforcement Plan details newly articulated benefits available to companies who fulfill specific obligations imposed in the categories of self-disclosure, cooperation, and remediation. The pilot program, which will be reevaluated in one year, is the most significant component of the three-part Enforcement Plan, which also includes previously announced efforts to significantly enhance prosecutorial and law enforcement resources and increase coordination with foreign prosecutors and law enforcement.
In light of these new pronouncements, companies should evaluate whether their compliance programs can meet DOJ’s newly established compliance standards to prevent misconduct in the first instance. In addition, companies should be prepared to evaluate the potential advantages of the pilot program if DOJ initiates an FCPA investigation into potential misconduct by their employees.
Newly Articulated Benefits
The pilot program articulates specific benefits that a company can receive if it meets certain criteria detailed in the Enforcement Plan.
Reduction of penalties: The Enforcement Plan specifically quantifies the potential reductions in penalties that companies can receive if they meet all the requirements under the pilot program.Companies can receive up to a 50 percent reduction off the low end of the recommended penalty range calculated under the U.S. Sentencing Guidelinesif they meet all the requirements of voluntary disclosure, full cooperation, and timely and appropriate remediation. The program, however, also places a ceiling on the cooperation credit for companies that do not voluntarily self-disclose—but otherwise meet all other requirements of cooperation and remediation—by noting that such companies will receive at most a 25 percent reduction off the bottom of the U.S. Sentencing Guidelines fine range.
Increased likelihood of declination: The Enforcement Plan notes that companies that meet all the requirements of the program will also be considered for a declination of prosecution for all the disclosed criminal offenses. Prosecutors, however, must still take into account the factors outlined in other relevant guidance, including the U.S. Attorneys’ Manual’s Principles of Federal Prosecution of Business Organization, which include the seriousness of the offense, involvement by executive management, significant profit to the company, a history of non-compliance, and prior misconduct.
Avoidance of compliance monitor: An additional benefit that a company could receive is avoidance of a DOJ-imposed a compliance monitor as part of any negotiated resolution. A compliance monitor is often required by DOJ as part of a criminal resolution to examine the anti-corruption compliance program and internal financial controls of a company to determine whether such controls are sufficient to appropriately prevent and detect improper payments that could be in violation of the FCPA. The monitor, which is paid for by the company but selected by DOJ, will often spend up to three years examining issues within the company and reporting those results to DOJ, before determining whether the company has established sufficient anti-corruption controls.
While DOJ has long touted the benefits of self-disclosure, cooperation, and remediation in published FCPA enforcement actions against companies and in its public speeches, the Enforcement Plan for the first time attempts to quantify the potential benefits for engaging in the corporate behavior that DOJ wants. Some of these past statements include the principles initially articulated in the November 2012 FCPA Resource Guide
Requirements for Credit Under the Pilot Program
In order to qualify for the benefits described above, a company must demonstrate to the FCPA Unit of the Fraud Section that it has fulfilled DOJ’s stated requirements in three categories: (1) voluntary disclosure, (2) full cooperation, and (3) timely and appropriate remediation. As the Enforcement Plan outlining the pilot program makes clear, DOJ has previously provided guidance over whether and what type of resolution is appropriate based on those three factors.
However, the scope of any potential reduction of the monetary penalty had not previously been set forth in a publicly available framework. Consequently, companies had been faced with uncertainty about what specific steps they could take to obtain such credit and the concrete benefits corporations would receive for self-disclosure and cooperation in FCPA matters. The pilot program takes significant strides towards increasing transparency on the critical issues of how companies qualify for voluntary disclosure, cooperation, and timely and appropriate remediation.
Definition of Voluntary Disclosure
While DOJ has long lauded the potential benefits of voluntary disclosure, the Enforcement Plan provides some clarity about the steps companies must take to qualify as having made a “voluntary disclosure.” In evaluating whether a company qualifies for self-disclosure credit under the pilot program, the Fraud Section will make a careful assessment of the circumstances of disclosure, including determining whether the disclosure is truly “voluntary” or whether it was required by law, agreement, or contract.
The Enforcement Plan notes that the self-disclosure must meet the requirements described in the U.S. Sentencing Guidelines, including self-reporting “prior to an imminent threat of disclosure or government investigation.”
Finally, the Enforcement Plan emphasizes the focus on individual prosecutions articulated in the Yates Memo, noting that credit for self-disclosure requires a company to disclose “all relevant facts known to it, including all relevant facts about the individuals involved in any FCPA violation.”
What is “Full Cooperation”
Companies have often struggled to interpret DOJ’s definition of “full cooperation” when determining what they can do to receive credit. The Enforcement Plan details eleven requirements that companies must meet in order to be credited with full cooperation under the pilot program, and thus become eligible for the program’s stated benefits. These requirements do not suggest a marked shift from the factors DOJ has previously relied upon in evaluating cooperation. However, they highlight DOJ’s trend, articulated in the Yates Memo, of gathering evidence in order to prosecute culpable individuals.
disclosure on a timely basis of all relevant facts, including all facts related to involvement in the criminal activity by the corporation’s officers, employees, or agents;
proactive, rather than reactive, disclosure of relevant information;
preservation, collection, and disclosure of relevant documents and their provenance;
provision of timely updates;
where requested, de-confliction of an internal investigation with a government investigation;
provision of all facts relevant to conduct by all third parties;
making available for interviews company officers and employees, including overseas employees and former officers and employees;
disclosure of all facts identified as part of an internal investigation, including the attribution of the facts to specific sources;
disclosure of documents located outside of U.S. jurisdiction, and information about how they were found;
facilitation of third-party production of documents when not legally prohibited; and
provision of translated documents, as appropriate.
The Enforcement Plan describes compliance with the Yates Memo requirements as a prerequisite for receiving cooperation credit, while also preserving prosecutorial discretion for FCPA Unit prosecutors, stating that the Fraud Section will “assess the scope, quantity, quality, and timing of cooperation based on the circumstances of each case when assessing how to evaluate a company’s cooperation.”
Timely and Appropriate Remediation
Finally, the Enforcement Plan provides guidance regarding the Department’s expectations under the pilot program for timely and appropriate remediation, which is essentially an articulation of the principles of an effective compliance program. The plan notes that credit for remediation is conditioned, first, upon a company receiving cooperation credit, as described above.
Second, the company must demonstrate, to DOJ’s satisfaction, that it has met the remediation goals, which appear to focus less on principles and more on ensuring the proper functioning of the mechanics of a company’s compliance program, including:
a culture of compliance;
sufficient resources dedicated to the compliance function;
the quality and experience of compliance personnel;
the independence of the compliance function;
whether a company’s compliance program has adequately assessed its risks and tailored its program accordingly;
the stature of compliance personnel within a company;
the auditing of the compliance program to assure its effectiveness; and
any additional steps that demonstrate recognition of the seriousness of the company’s misconduct, acceptance of responsibility, and the implementation of measures to reduce the risks of repetition.
Third, the Enforcement Plan requires appropriate discipline of employees, including those identified as responsible for the misconduct.
Finally, the Enforcement Plan recognizes that whether an organization is deserving of remediation credit will be “highly case specific,” and that the criteria necessary for an effective compliance program will be periodically updated and may vary based on the size and resources of the organization.
Insights for Companies on How to Respond to the Enforcement Plan and Pilot Program
While the basic elements of the Enforcement Plan’s pilot program are fairly straightforward, companies must consider how this guidance should affect their behavior going forward—both when they have a potential issue arise, but also before they discover a problem. Companies must consider the significant differences between DOJ’s past policy and the current pilot program, including the remaining ambiguities about its implementation, before deciding how best to protect themselves from a potential FCPA prosecution. As described below, the most significant takeaway is that companies must invest more in their compliance programs before a problem arises.
Significant Differences between Prior Practice and New Policy
The one-year pilot program does not fundamentally change the DOJ’s previous efforts
In particular, companies must still examine the potential benefits and drawbacks of this new pilot program, and whether, ultimately, the newly articulated benefits of self-disclosure are sufficient to outweigh the potential additional costs in legal and accounting fees, financial penalties, management resources, and reputational risks associated with an investigation by DOJ that would not arise in a purely internal investigation. On the other hand, companies must understand the heightened risks associated with a potential violation that is ultimately discovered by the government and the potentially greater sanction for having not self-disclosed.
The pilot program does not eliminate the need for such cost-benefit analysis but provides additional transparency regarding DOJ’s mathematical computations. In particular, the 50 percent reduction in penalty could provide an incentive for some companies to attempt to meet all the requirements of the pilot program. However, the fact that companies may still receive a 25 percent reduction in penalty without self-disclosure may cause others to determine that it is not in their best interest to self-disclose. Companies appear likely to receive almost as much credit if they do not self-disclose but undertake a thorough internal investigation, conduct full and timely remediation, and fully cooperate when the DOJ otherwise identifies the misconduct.
Despite the Enforcement Plan’s effort to create additional transparency around corporate FCPA penalties, DOJ still maintains significant prosecutorial discretion over a number of factors critical for companies to understand when considering the impact of the Enforcement Plan. Negotiations surrounding FCPA matters involve numerous determinations regarding the scope of misconduct (e.g., number of countries involved), appropriate type of resolution,
Recommendations for Companies in Light of the Pilot Program
The Enforcement Plan’s requirements for companies participating in the pilot program can also be viewed as further guidance with respect to the Department’s expectations for the best practices for a company to conduct an internal investigation or create an effective compliance program. In particular, a company that has not identified specific FCPA issues should still consider whether its compliance program and other policies are up to the standards that DOJ has established as a precondition to receive the benefits of the program. We outline below considerations for each of the three categories of requirements under the program.
While the decision of whether to voluntarily disclose known misconduct to DOJ is complicated, companies who want to control that decision must know the information before DOJ does. Consequently, companies must establish a strong compliance program that will identify potential misconduct and give them the opportunity to make the decision of whether to voluntarily disclose. The program must also provide sufficient information about the potential misconduct to thoroughly analyze whether a voluntary disclosure is the best strategy.
Of particular importance, companies must establish a properly functioning monitoring and auditing system to identify and prevent as much misconduct as possible. Given the challenges of some markets, it may be impossible to prevent all misconduct. According, companies must quickly identify any misconduct that has occurred so that it can be stopped. Swiftly zeroing in on small issues before they spiral out of control will allow a company’s anti-corruption procedures and financial controls to be modified to prevent future misconduct.
In addition, the pilot program’s requirement that a company promptly “disclose all relevant facts known to it” requires that the company have the ability to quickly gather information known throughout the organization. Companies often struggle to gather facts that are not centralized in a compliance department and are instead distributed among subsidiaries around the world, often with different reporting lines and accounting systems. For example, FCPA issues identified in financial audits must be quickly brought to the attention of the compliance team to investigate and resolve. Similarly, when an issue is identified in a single region or subsidiary, the compliance team should be informed so that it can determine whether it is an isolated incident or a recurring, widespread problem. Failure to do so could prevent a company from adequately disclosing all relevant facts because they are buried in another part of the organization.
Finally, companies must establish a proper reporting mechanism that quickly responds to employees raising potential FCPA concerns. If a company wants to be able to control the decision over whether to make a voluntary disclosure, the company must have identified and investigated those issues before they become public. Having an effective hotline and an efficient internal investigative protocol allow a company to maintain control of issues before disgruntled employees take those issues outside of the company and perhaps to DOJ.
While the manner in which to handle a voluntary disclosure to government regulators is appropriately outside the scope of any company’s compliance program, the compliance program is critical to determining whether a company is capable of making a voluntary disclosure in the first place. If companies want to be able to take advantage of the pilot program, they must first invest in building an effective compliance program and appropriate whistleblower response system.
While a company may not voluntarily disclose, once discovered, most companies that find themselves before DOJ fully cooperate in order to get the maximum credit.
DOJ has high expectations of what qualifies as cooperation, and many companies may not have a sufficiently effective compliance infrastructure to be able to provide it. Companies should ensure that they have evaluated their internal policies and procedures so that they can quickly respond. For instance, company IT policies relating to data preservation and privacy can greatly facilitate a company’s efforts to preserve and review data, as well as to make disclosures of that data to DOJ in a cost-efficient manner. Additionally, a carefully maintained database of employment agreements, including severance agreements with departing employees, can facilitate efforts to interview current and former employees. Finally, company policies governing agreements with third parties, including, for example, requirements that certain agreements with third parties contain anti-corruption certifications and audit clauses, may impact the company’s ability to facilitate the production of documents or witnesses from third parties.
All of these actions (and many more) can make a review more effective and cost-efficient in identifying relevant facts either for an internal review or when cooperating with DOJ.
The pilot program’s third factor of remediation provides insight into the compliance infrastructure that a company should establish when FCPA problems occur. DOJ considers remediation when determining the nature of the enforcement action (including whether even to bring a charge) and whether a resolution requires additional compliance obligations, including whether to impose a compliance monitor. Consequently, companies wishing to obtain a DOJ declination or avoid a monitor should carefully examine DOJ’s statements regarding compliance both in the Enforcement Plan and in previous guidance, such as the FCPA Resource Guide.
The Enforcement Plan notes that in determining whether a company meets these remediation requirements, DOJ will assess several factors, including the culture of compliance, dedicated compliance resources, their independence and stature—including “how a company’s compliance personnel are compensated and promoted compared to other employees.”
The Enforcement Plan further notes that DOJ will also evaluate: “Any additional steps that demonstrate recognition of the seriousness of the corporation’s misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risks.”
Impact on Foreign Corporations
DOJ’s new guidance will be relevant to foreign corporations, as well. Those competing with U.S. companies must be mindful that their U.S.-based competitors will adjust their compliance programs to take into account the guidance in the Enforcement Plan, thus setting a new benchmark in terms of international best practices. This may be particularly relevant with regard to, for example, the independence and influence of the company’s compliance function and personnel, which are often not afforded the same attention in African, Asian, Central and Southern European, and Southern American companies as they are in U.S.-based companies.
In addition, the Enforcement Plan exacerbates the ever-present concerns about the application of different legal standards. The incentive to self-disclose in the U.S. may be at odds with the absence of any similar advantage in the company’s home-country. Moreover, some of the articulated requirements of cooperation, such as disclosure of third parties’ conduct or making employees available for interviews, may conflict with local data privacy or employment laws.
Thus, non-U.S. corporations should also reevaluate their compliance infrastructure, and should consider how to best address legal differences that may arise if an investigation uncovers conduct that the company may want to consider disclosing under the pilot program.
The Enforcement Plan provides some welcome guidance for companies navigating decisions of self-disclosure and cooperation in connection with potential FCPA violations. Such companies now have further information to more accurately calculate the potential benefits to such decisions, and the 50 percent reduction in potential penalties provided for by the pilot program creates a significant incentive for disclosure.
However, in practical terms, the effects of the program on changing corporate behavior are far from certain. As noted, DOJ has long touted the benefits to corporations of self-disclosure, cooperation, and remediation, and those benefits have often been reflected in more favorable settlements with companies that meet such requirements. The requirements listed in the pilot program are extensive, and without specific prior instances of companies receiving full credit for meeting those requirements, companies otherwise inclined not to disclose FCPA violations may find a 50 percent reduction in potential penalty insufficient, or insufficiently certain, to justify the risks associated with self-disclosure—especially when they can receive almost as much if they cooperate after DOJ begins its own investigation. Similarly, the parameters of what constitutes “full cooperation” have not changed dramatically since the FCPA Resource Guide and the Yates Memo. Consequently, the Enforcement Plan is unlikely to significantly change the calculus of companies evaluating whether to voluntarily disclose or how to cooperate.
The most valuable part of the Enforcement Plan is the insight it provides into what matters most to the FCPA Unit when considering remediation—a strong, effective compliance department. Consequently, companies should use this announcement to ensure that their compliance function is strong, including taking the following three actions:
Empower the company’s compliance function so that it is well-staffed, appropriately compensated, and has sufficient clout within the organization to accomplish its critical function of preventing misconduct and detecting improper behavior;
Evaluate the effectiveness of the company’s anti-corruption compliance program by conducting a thorough anti-corruption risk assessment, including analyzing the strength of the financial controls and information systems, risks from major government touch-points, and the implementation of FCPA training and awareness among key stakeholders; and
Ensure the proper functioning of the anti-corruption program by closing any remaining gaps in the compliance infrastructure, building off of the 10 Hallmarks of Effective Compliance Programs previously identified in the DOJ FCPA Resource Guide and in published FCPA enforcement actions.
While the Enforcement Plan’s pilot program is unlikely to significantly change the calculus of companies considering self-disclosure or cooperation with DOJ, the continued emphasis on the establishment of strong compliance programs should encourage companies to reevaluate their current compliance infrastructure and ensure that they are doing all they can to prevent a major DOJ FCPA investigation or, at least, be well-prepared to respond when the next FCPA crisis occurs.
the nature and seriousness of the offense, including the risk of harm to the public, and applicable policies and priorities, if any, governing the prosecution of corporations for particular categories of crime (see USAM 9-28.400);
the pervasiveness of wrongdoing within the corporation, including the complicity in, or the condoning of, the wrongdoing by corporate management (see USAM 9-28.500);
the corporation's history of similar misconduct, including prior criminal, civil, and regulatory enforcement actions against it (see USAM 9-28.600);
the corporation's willingness to cooperate in the investigation of its agents (see USAM 9-28.700);
the existence and effectiveness of the corporation's pre-existing compliance program (see USAM 9-28.800);
the corporation’s timely and voluntary disclosure of wrongdoing (see USAM 9-28.900);
the corporation's remedial actions, including any efforts to implement an effective corporate compliance program or to improve an existing one, to replace responsible management, to discipline or terminate wrongdoers, to pay restitution, and to cooperate with the relevant government agencies (see USAM 9-28.1000);
collateral consequences, including whether there is disproportionate harm to shareholders, pension holders, employees, and others not proven personally culpable, as well as impact on the public arising from the prosecution (see USAM 9-28.1100);
the adequacy of remedies such as civil or regulatory enforcement actions (see USAM 9-28.1200); and
the adequacy of the prosecution of individuals responsible for the corporation's malfeasance (see USAM 9-28.1300).
U.S. Attorneys’ Manual, Section 9-28.300