Notwithstanding our overall approval of the FCPA Resource Guide (the Guide) issued by the Department of Justice (DOJ) and Securities & Exchange Commission (SEC) earlier this month, we are certainly not above a bit of criticism.
To that end, those who have investigated and settled FCPA cases after choosing to cooperate with the government will be familiar with the instruction to do “homework” following a meeting. The direction generally requires a deeper dive into specific facts or issues identified by the DOJ and/or SEC. While directed by the government, the homework instruction nonetheless allows the investigation target a lot of leeway about how to get the homework done.
The same approach infuses the Guide.
Nowhere is this approach more evident than in the Guide’s treatment of effective compliance programs. The Guide eschews “formulaic” or “check the box” approaches to compliance policies: according to the government, such approaches are inefficient and may be ineffective. Instead, the Guide indicates that the DOJ and SEC will view favorably those companies that make “thoughtful efforts to create a sustainable compliance program.”
The Guide presents three central tenets that the DOJ and SEC apparently consider when evaluating a company’s compliance program:
Is the company’s compliance program well designed?
Is it being applied in good faith?
Does it work?
Notably, all of these questions are both high-level and subjective. For one, this suggests a very lawyerly way of considering how to run a business – the Guide essentially encourages companies to apply the FCPA to the facts of how the company is run. But this approach also appears to value critical engagement by the company in its compliance processes, instead of merely throwing resources at a problem.
To be sure, the emphasis on identifying a company’s risks and implementing a compliance program accordingly is not new. This strategy is implicit in well-established hallmarks of an effective compliance program, such as commitment from senior management and third-party due diligence, among others. This emphasis also accords with guidance that the DOJ has provided in prior settlement agreements related to compliance programs.
Thankfully, too, the Guide provides some meaningful direction on elements required to construct an effective compliance program. But the DOJ and SEC are equally clear that the mere fact of certain elements in a compliance program does not make the program effective (or adequate to receive mitigation credit in an enforcement action). Certain elements are undoubtedly desirable but are not by themselves sufficient to ensure efficacy.
In this respect, the DOJ and SEC did not use the Guide to create a “safe harbor” of the sort sought by the U.S. Chamber of Commerce or that exists in the U.K. Bribery Act. Although the program must “work” to get meaningful credit should an FCPA issue arise, there is no guarantee that credit will be given for any single facet, or combination of facets, of a compliance policy. There are no objective criteria for functional compliance policies – they depend largely on whether or not they meet the subjective category of “working.”
Of course, it is the DOJ and SEC that get to make the ultimate determination about whether a program works. The need for the program to “work” therefore underscores both the importance of its actual efficacy and, critically, the ability of the company to articulate how it works. The DOJ and SEC will only give credit to companies engaging in thoughtful efforts to create a sustainable compliance policy if the government believes the efforts have indeed been thoughtful.
Companies will therefore be best able to comport with the Guide by starting at the beginning. Companies need to understand their businesses – sometimes easier said than done – and their corresponding risks. A company that primarily conducts business in the United States may miss the fact that exports to other countries require customs brokers and the attendant risks they bring. A local representative who is tight with a senior government official may provide great access to government contracts – and significant risk. Examples of risks abound and thus have to be identified in order for a compliance program to really work.
And as noted above, it is also necessary to articulate the program and the steps taken to develop and administer the program. It will therefore behoove companies to document the risk assessment effort they have undertaken, and the decisions they make as to different levels of risk. In the unhappy event of an FCPA enforcement action, the government may disagree with the decision, but if the basis is well-articulated and reasonable, it will be far more defensible – particularly under the language of the Guide – than if compliance actions are based on more ad hoc steps.
In sum, the Guide is helpful to companies looking for direction in their compliance programs, even if it does not provide clear or final answers. As any student knows, keeping up with homework will in the end help immensely during a test.