Over the past 15 months the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) has made clear through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations and best practices compliance programs. Every compliance professional should study each of these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about the priorities.

The three FCPA enforcement actions are ABB from December 2022; Albemarle from November 2023 and SAP from January 2024. Taken together they point a clear path for the company which finds itself in an investigation, using extensive remediation to avoid a monitor and insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today we continue  with Number 3, Extensive Remediation. The DOJ expects extensive remediation, well documented with data analytics to support everything you have done. Each of the companies engaged in extensive remediation.

ABB

The Plea Agreement reported that ABB “engaged in extensive remedial measures, including hiring experienced compliance personnel and, following a root-cause analysis of the conduct described in the Statement of Facts, investing significant additional resources in compliance testing and monitoring throughout the organization; implementing targeted training programs, as well as on-site supplementary case-study sessions; conducting continuing monitoring and testing to assess engagement with new training measures; restructuring of reporting by internal project teams to ensure compliance oversight; and promptly disciplining employees involved in the misconduct.” This final point was expanded on in the SEC Order which reported that all employees involved in the misconduct were terminated.

At this point, there are not many specific components of the ABB remediation available, but we do know that ABB was given credit for hiring “experienced compliance personnel,” starting with the hiring of Natalia Shehadeh, SVP and Chief Integrity Officer, and then allowing Shehadeh to hire a dream team of compliance professionals to work with her.

Albemarle

The NPA cited several remedial actions by the company which helped Albemarle obtain the superior result in terms of the discounted fine and penalty. These steps were taken during the pendency of the DOJ investigation so that when the parties were ready to resolve the matter, Albemarle had built out an effective compliance program and had tested it. The NPA provided that Albemarle engaged in the following remedial efforts.

• Strengthening its anti-corruption compliance program by investing in compliance resources, expanding its compliance function with experienced and qualified personnel, and taking steps to embed compliance and ethical values at all levels of its business organization;
• Transformed its business model and risk management process to reduce corruption risk in its operation and to embed compliance in the business, including implementing a go-to-market strategy that resulted in eliminating the use of sales agents throughout the Company, terminating hundreds of other third-party sales representatives, such as distributors and resellers, and shifting to a direct sales business model;
• Provided extensive training to its sales team and restructuring compensation and incentives so that compensation is no longer tied to sales amounts;
• Used data analytics to monitor and measure compliance program’s effectiveness; and
• Engaged in continuous testing, monitoring and improvement of all aspects of its compliance program beginning almost immediately following the identification of misconduct.

SAP

SAP also did an excellent job in its remedial efforts. Whether SAP realized that as a recidivist in dire straits it was in after the publicity in South Africa around is corruption or some other reason, the company made major steps to create an effective, operationalized compliance program which met the requirement of the Hallmarks of an Effective Compliance Program as laid out in the 2020 FCPA Resource Guide, 2^nd edition.

The remedial actions by SAP can be grouped as follows.

1. Root Cause, Risk Assessment and Gap Analysis. Here the company conducted a root cause analysis of the underlying conduct then remediating those root causes, conducted a gap analysis of internal controls, remediating those found lacking; and then performed a comprehensive risk assessment focusing on high-risk areas and controls around payment processes, using the information obtained to enhance its compliance risk assessment process;
2. Enhancement of Compliance. Here the company significantly increasing the budget, resources, and expertise devoted to compliance; restructuring its Offices of Ethics and Compliance to ensure adequate stature, independence, autonomy, and access to executive leadership; enhanced its code of conduct and policies and procedures regarding gifts, hospitality, and the use of third parties; enhanced its reporting, investigations and consequence management processes;
3. Change in sales models. On the external sales side, SAP eliminated its third-party sales commission model globally, and prohibiting all sales commissions for public sector contracts in high-risk markets and enhanced compliance monitoring and audit programs, including the creation of a well-resourced team devoted to audits of third-party partners and suppliers. On the internal side, SAP adjusted internal compensation incentives to align with compliance objectives and reduce corruption risk;
4. Data Analytics. Here SAP expanded its data analytics capabilities to cover over 150 countries, including all high-risk countries globally; and comprehensively used data analytics in its risk assessments.

Each of these entities worked quite diligently in rebuilding their compliance programs, literally from the ground up. Whatever the faults of their prior compliance programs, each company was quite diligent in revamping their compliance regimes. While each company built out a program based upon their own risk; there is quite a bit of guidance which you can draw from if your company finds itself in this position.

[View source.]