Corporate Compliance Programs: US and UK Perspectives

by Dechert LLP
Contact

Dechert LLP

In today’s regulatory environment, companies face mounting pressure from law enforcement agencies to maintain robust compliance programs to deter and detect misconduct by employees, third-party vendors and business partners. In the United States, prosecutors have long considered the effectiveness of an entity’s compliance policy to be an important factor informing charging decisions and the negotiation of deferred and non-prosecution agreements. Prosecutors’ focus on compliance measures has only increased. An emphasis on corporate compliance policies is also observed in the United Kingdom.

The U.S. Department of Justice (“DOJ”), Fraud Section recently published a list of topics and questions that it has “frequently found relevant in evaluating a corporate compliance program” in the context of a criminal investigation. In addition, the Fraud Section has announced plans to extend its Foreign Corrupt Practices Act (“FCPA”) Pilot Program, which incentivizes companies to voluntarily self-disclose FCPA-related misconduct and remediate shortcomings in their corporate controls and compliance programs.

An emphasis on corporate compliance policies is also observed in the United Kingdom. For instance, “corporate failure to prevent bribery” is a strict liability offense under section 7 of the Bribery Act of 2010 (the “Bribery Act”). The only complete defense available to a company under investigation for such an offense is proof that it had adopted “adequate procedures” to prevent bribery and corruption. Like the DOJ Fraud Section, the U.K. Ministry of Justice has developed a rubric for evaluating whether a company has adopted “adequate procedures” sufficient to avoid criminal liability under the Bribery Act.

This memorandum briefly discusses recent developments highlighting the importance of adopting rigorous compliance procedures under U.S. and U.K. law.

DOJ Compliance Program Guidance

In 2015, the DOJ Fraud Section hired a full-time compliance expert, Hui Chen, to consult on the prosecution of business entities and to help prosecutors “develop appropriate benchmarks for evaluating corporate compliance and remediation measures.”1 Under Ms. Chen’s leadership, the Fraud Section published a guidance document entitled “Evaluation of Corporate Compliance Programs” (the “DOJ Guidance”) on February 8, 2017. Drawing on a number of existing resources—including the United States Attorney’s Manual, the United States Sentencing Guidelines (the “Sentencing Guidelines”), Fraud Section corporate resolution agreements, the November 2012 Resource Guide to the FCPA published by the DOJ and the Securities and Exchange Commission—the DOJ Guidance consists of a list of topics and questions the Fraud Section may consider when making a determination with respect to a company under criminal investigation. While the DOJ Guidance is prefaced with a warning that compliance programs “must be evaluated in the specific context of a criminal investigation that triggers” prosecutorial scrutiny, the topics and sample questions provide a valuable roadmap for companies to assess the soundness of existing corporate compliance policies and to determine what steps to take in the event the company discovers misconduct.

The DOJ Guidance is divided into 11 topics:

  1. Analysis and Remediation of Underlying Conduct
  2. Senior and Middle Management
  3. Autonomy and Resources
  4. Policies and Procedures
  5. Risk Assessment
  6. Training and Communications
  7. Confidential Reporting and Investigation
  8. Incentives and Disciplinary Measures
  9. Continuous Improvement, Periodic Testing and Review
  10. Third-Party Management
  11. Mergers and Acquisitions

The DOJ Guidance makes clear that a company’s oversight duties do not end once it drafts and circulates compliance policies and procedures to employees. Rather, the guidance contemplates a continuing commitment to, and investment in, compliance principles at all levels of the organization. For instance, prosecutors will consider whether senior officers and the board of directors have demonstrated a commitment to compliance and remediation efforts, and whether that commitment has been communicated to mid-level managers and other employees. Another relevant consideration is whether the compliance department has been empowered to act with the degree of authority and autonomy necessary to deter and detect misconduct. This factor takes into account practical considerations such as how the compliance function “compare[s] to other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources and access to key decision-makers.”

The DOJ Guidance also highlights the importance of revisiting compliance policies and procedures in light of changing risks. For instance, the guidance notes that the frequency with which the company “update[s] its risk assessments and reviewed its compliance policies, procedures, and practices” is a factor that prosecutors often consider. Other relevant factors are whether and how often the company has audited its compliance policies and controls, particularly with respect to high-risk business units such as those responsible for processing payments or managing third-party vendors.

Although the DOJ Guidance provides a series of general questions that prosecutors may consider in assessing the strength of any compliance program, it is critical that every company tailor its compliance program to “the particular risks it faces.” Thus, companies will generally receive favorable consideration for taking a bespoke approach when determining what types of information and metrics to track and how to draw reporting lines up through the organization.

Pilot Program Extension

In a March 10, 2017 speech at the American Bar Association’s National Institute on White Collar Crime, Acting Assistant Attorney General Kenneth Blanco announced that the DOJ Fraud Section’s guidance for the investigation and prosecution of FCPA offenses, commonly known as the “Pilot Program,” will “continue in full force” after April 5, 2017, when it was originally scheduled to expire.2 Under the Pilot Program, companies that meet certain criteria may earn sentencing credit in FCPA matters handled by the Fraud Section, including favorable consideration regarding the type of disposition prosecutors will pursue and reductions in fines below the minimum level recommended under the Sentencing Guidelines.3 Mr. Blanco stated that the Pilot Program would remain in place while the DOJ evaluates the “utility and efficacy” of the program, whether to extend it and what revisions, if any, to make to the program.

The Fraud Section considers three key factors to determine whether, and to what extent, companies will receive credit under the Pilot Program: (1) voluntary self-disclosure; (2) full cooperation; and (3) remediation. Key considerations related to each of these factors include the following:

1. Voluntary Self-Disclosure

  • Disclosure occurs “prior to an imminent threat of disclosure or government investigation.”
  • The company discloses “within a reasonably prompt time after becoming aware of the offense.”
  • The company discloses “all relevant facts known to it, including all relevant facts about the individuals involved in any FCPA violation.”

2. Full Cooperation

  • Proactive cooperation, including disclosure of facts relevant to the investigation, “even when not specifically asked to do so.”
  • When requested, “de-confliction of an internal investigation with the government investigation.”
  • Upon request, making company officers and employees (including those located overseas) available for interview by the DOJ.
  • Disclosure of overseas documents (except where such disclosure is impossible due to foreign law).

3. Remediation

  • Implementation of an effective compliance and ethics program.
  • Appropriate discipline of employees, including those identified by the company as responsible for the FCPA-related misconduct and those with oversight responsibility.
  • Adoption of measures to reduce the risk that detected misconduct will be repeated.

Companies that voluntarily self-disclose FCPA-related misconduct, cooperate fully in the government’s investigation, and timely and appropriately remediate misconduct in accordance with the Pilot Program guidance will qualify for significant mitigation credit, including up to a 50% reduction off of the lower end of the fine range under the Sentencing Guidelines and a presumption that a monitor will not be appointed. In addition, where all three conditions are met, the Fraud Section may consider a declination of prosecution. If a company does not voluntarily disclose its FCPA-related misconduct, but later fully cooperates with the investigation and takes timely and appropriate remedial measures, the company will qualify for at most a 25% reduction off of the low end of the Sentencing Guidelines fine range.

U.K. Guidance

A company will run afoul of section 7 of the Bribery Act if it fails to prevent its employees or agents from engaging in bribery. The only defense available to a section 7 charge is to prove that the company had “adequate procedures” in place to prevent bribery.

In March 2011, the U.K. Ministry of Justice (“MOJ”) published its Adequate Procedures Guidance containing six high-level (non-prescriptive) principles that a company should consider when implementing or reviewing its compliance program. While these principles are articulated in the context of preventing bribery offenses, they also reflect generally accepted international good compliance practices.

1. Proportionate Procedures

  • Company procedures should be proportionate to the bribery risks it faces and to the scale of its business activities. The procedures should account for the full spectrum of individuals and corporate entities over which the company has control.

2. Top-Level Commitment

  • Management should foster a culture in which bribery is never acceptable and show effective leadership in bribery prevention.

3. Risk Assessment

  • A risk assessment should be the starting point for any corporate compliance program. The risk assessment should be: (i) tailored to the particular company; (ii) periodic; (iii) informed; and (iv) documented. Compliance involves more than just a ‘box-ticking’ exercise.
  • Following the completion of the risk assessment, company policies and procedures should be adapted to address the identified risks.

4. Due Diligence

  • To mitigate bribery risks, the company should implement thorough due diligence procedures, taking a proportionate and risk-based approach, with a keen focus on individuals or corporate entities who perform or will perform services for the company.

5. Communication, Including Training

  • The company should seek to ensure that its bribery prevention policies and procedures are embedded and understood by all employees, supported by internal and external communication, which includes proportionate training tailored to the risks faced by the company.

6. Monitoring and Review

  • Monitoring includes internal audits and third-party audits of business partners and joint ventures. Effective monitoring should include the consideration of an external review and verification of company procedures and remediation measures where necessary.

Comparison of the U.S. and U.K. Guidance

The published guidance from both the U.K. MOJ and U.S. DOJ is broadly aligned. There are, however, some notable differences between the U.K. and U.S. approach to compliance programs. In particular in the U.K., if a company can prove that it had “adequate procedures” in place to prevent bribery, a complete defense is available to a charge under section 7 of the Bribery Act. Conversely in the U.S., the adoption of a compliance program is not a defense to FCPA liability, although prosecutors consider the adoption of effective compliance procedures to be an important factor in determining whether to prosecute and will consider this in the terms of any settlement.

Conclusion

The clear and consistent message from both U.K. and U.S. regulators and enforcement agencies is that the consequences of failing to maintain an effective compliance program can be severe. As a result, companies should broadly adhere to the published guidance of the U.K and U.S. regulators. At a minimum, companies should consider adopting the following good practices:

  • Following a detailed risk assessment, the company must tailor its compliance program to the specific risks faced by the company and, where appropriate, third-party vendors.
  • Senior management must communicate its commitment to compliance to the entire company and be actively involved in the continued monitoring of the compliance program.

Staff must receive periodic risk-based training.

Footnotes

1) Dept. of Justice, New Compliance Counsel Expert Retained by the DOJ Fraud Section (Nov. 3, 2015).

2) Kenneth Blanco, Acting Assistant Attorney General, Address at the American Bar Association National Institute on White Collar Crime (Mar. 10, 2017).

3) U.S. Dep’t of Justice, The Fraud Section’s Foreign Corrupt Practices Act Enforcement Plan and Guidance (Apr. 5, 2016).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising

Written by:

Dechert LLP
Contact
more
less

Dechert LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.