Compliance professionals need to thank DOJ and SEC for the FCPA Guidance discussion on corporate compliance. DOJ and SEC provide important suggestions for improving compliance but they do so while reaffirming several important compliance principles.
First, and most importantly, DOJ and SEC reaffirm the requirement that a single senior manager or group of senior managers must be assigned responsibility for the compliance program, have appropriate authority, and adequate autonomy to design, implement and monitor an effective compliance program. As noted in the FCPA Guidance, tone at the top must translate into a “culture of compliance” which filters to the middle and is embraced by the bottom.
Second, DOJ and SEC require that companies devote sufficient resources to a compliance program. The FCPA Guidance notes that “DOJ and SEC have often encountered complianies with compliance programs that are strong on paper but that nevertheless have significant FCPA violations because management has failed to effectively implement the program even in the face of obvious signs of corruption.”
This quoted statement should be cited by every compliance officer seeking additional resources for its compliance program.
As to specific program elements, DOJ and SEC have outlined the factors they examine when determining whether a company’s compliance program “prevent[s] violations, detects those that do occur, and remediates them promptly and appropriately.”
In this framework, DOJ and SEC outlined the following refinements or requirements for an “effective compliance program.”
Here are some of the more important refinements and expectations in the FCPA Guidance:
1. Code of Conduct and Compliance Policies – DOJ and SEC expect a company to maintain an up-to-date code of conduct which is accessible in any relevant foreign language. In addition, company policies have to be up-to-date and accessible in any relevant language.
2. Risk Assessments – The FCPA Guidance identifies a specific “risk assessment” as “fundamental” to developing an effective compliance program. In addition, the FCPA Guidance describes the importance of tailoring compliance procedures to specific risks. For example, due diligence review of third party agents should depend on the amount of risk specific to each third party agent. A blanket rule for all third party agents is not tailored to the specific risk. A compliance program must take into account the specific risk involved in each transaction or with each third party agent or distributor.
The FCPA Guidance emphasizes the importance of assessing risk and prioritizing compliance in response to the identified risks. For example, a company’s compliance program may be found ineffective if the company spends disproportionate time reviewing potential gifts while ignoring or spending inadequate time to compliance involving a major foreign government contract.
3. Training: The FCPA Guidance describes the importance of providing training and training materials tailored to the audience. A training program for senior executives should be different than one for international sales staff.
4. Discipline: The FCPA Guidance identifies the importance of disciplinary procedures which apply to all directors, officers, and employees. In addition, positive incentives should be included such as personnel evaluations and promotions, and rewards for ethics and leadership.
5. Confidential Reporting and Internal Investigation: The FCPA Guidance refers to a possible ombudsman for reporting suspected or actual misconduct. While an ombudsman is occasionally used by some companies, it is an idea which may become more important as compliance programs mature.
6. Periodic Testing and Review: DOJ and SEC will give “meaningful credit” to testing, review and modification efforts through proactive evaluations which reflect a commitment to continuous improvement and sustainability. Employee surveys and proactive audits, including transaction testing, can be important tools to adopt in periodic testing and reviews.