The Year 2016 in Compliance

by Thomas Fox

Greetings from Venice where my wife and I are spending the next few days so this blog post is my first Travel Edition of 2016. Last week I wrote about my thoughts on some of the significant Foreign Corrupt Practices Act (FCPA) criminal and civil enforcement actions from 2015 and some of the larger corruption stories across the globe. Today I want to peer into the not-to-distant veiled future of 2016 to see where enforcement and compliance may be headed going forward.

Regarding FCPA enforcement first and foremost on everyone’s mind is Wal-Mart. There are currently two versions of the Wal-Mart FCPA investigation. The first was articulated by the Pulitzer Prize winning New York Times (NYT) and its 2012 stories about massive corruption in its Mexican subsidiary, all leading to the subsidiary contributing 20% profit to the company’s bottom line for over five years. The converse version was articulated by the Wall Street Journal (WSJ) in an article from 2015 that basically said there was little evidence of bribery by the company in Mexico, although the company’s internal investigation did turn up some instances of very small bribes being paid in India. At this point it is unclear which version, if either, is correct.

What is clear is that Wal-Mart has spent massively to upgrade its compliance function, with some reports that the costs are north of $600MM. Moreover, Wal-Mart has taken its rightful place as an industry leader in talking about not only compliance but also ethics as part of its overall business strategy going forward. For those who have claimed the Wal-Mart scandal has always been much ado about nothing, they seemingly miss this key point that it is the doing of compliance that leads to more robust compliance. It was only after the NYT broke its story that Wal-Mart brought its compliance program forward into the 21st Century through this massive spending. I somehow doubt the company would be the industry leader in compliance it is today, if the NYT had not broken its story. Whatever the final fine and penalty may be, the creation of a best in class compliance program may well be the final legacy of the Wal-Mart FCPA scandal.

The Yates Memo caused quite a stir when it was announced and in subsequent Department of Justice (DOJ) public commentary throughout the fall and winter. The parameters of its mechanics are still being worked out. However the commentaries have raised some serious questions about how it will all work out in practice. One school of thought says that companies will now rush to throw lower level employees under the bus as soon as possible to protect senior level employees. Another school says that the implication is to demean the importance of an effective compliance program because you do not even get to that issue until you have identified culpable individuals and turned over that information to the DOJ. Yet another school of thought suggests that the focus of internal investigations may change from a root cause analysis to determine what happened so that remedial actions could be brought to bear; to naming names first and foremost, with the issues of underlying cause and attendant remedy to make sure the conduct does not continue or happen again moved to the back burner.

The one thing I am confident of at this point is that the Yates Memo will put even more pressure on internal investigations. Companies which may have assigned investigations to internal functionaries, whether in-house lawyers or other investigators, may now have to go to outside counsel much sooner rather than later, if they want cooperation credit going forward. Coupled with the expansion of whistleblower protections and whistleblower complaints to Securities and Exchange Commission (SEC) and other regulators, a company must focus significant resources on putting together a robust investigation protocol and following it.

The announcement of the new DOJ Compliance Counsel was something that had been reported back in the summer. The position was filled by Hui Chen, an ex-DOJer and corporate compliance practitioner, who will evaluate compliance programs for companies under FCPA investigation. She will use articulated metrics to evaluate the state of a company’s compliance program, at the time the incident occurred. The difficulty for any company is that you are always measured at the time of disclosure and review, not the three to five years back when the incident arose so a company is held to a standard which did not exist at the time.

This means there will be even more pressure on Chief Compliance Officers (CCOs) and compliance practitioners to institute a best practices compliance program sooner rather than later. It also means that your program must evolve and you must be able to show evolution and change (i.e. Document, Document, and Document). Further one of the specific metrics is resources so any corporate claim that ‘we spent all we could’ will be very closely scrutinized and if your program does not meet minimum standards, securing any credit for having a compliance program in place will be very difficult to achieve.

I think the first British Deferred Prosecution Agreement (DPA) by the Serious Fraud Office (SFO) under the UK Bribery Act will help the SFO move forward in its enforcement of the world’s most robust anti-corruption law. Not only should the SFO be able to turn back the annual attacks on it and calls to weaken the law but companies clearly now see value in self-disclosure. It could well portend a greater and more aggressive prosecutorial stance by the SFO particularly if SFO Director David Green has his term extended in 2016.

Finally, I think the compliance function will move to become much more integrated into and a more important corporate discipline within every organization of significant size going forward into 2016 and beyond. The 30 day period beginning with the Yates Memo to the Schrems decision by the European Court of Justice invalidating the safe harbor provision for the transfer of certain data from Europe to the US, to the Volkswagen (VW) scandal all make clear the need for not only robust compliance functions but also the elevation of the CCO to the ranks of any Chief Executive Officer’s (CEO’s) key and most trusted advisor.

Donna Boehme and others led the fight make the structural move and to get the CCO function out of the shadow and realm of the General Counsel’s (GC’s) office and the legal department. This debate should be fully closed now after these portentous events. Simply put, the legal function in a corporation is designed to protect the company. The compliance function’s role, as laid out by Roy Snell, is to “prevent, find and fix problems.” Put another way, the role of legal is to tell the truth. The role of compliance is to tell the whole story. VW is never going to pull out of the spiral its is currently in by playing legal games with regulators, states attorneys general or John Q. Public by hiding behind the law. It is only through transparency that VW will regain its prominence. That is one of the reasons that I believe the Wal-Mart FCPA enforcement action is so significant. It demonstrates that as bad as the facts are, may be or were even reported, a company can make a comeback with all three groups by putting in place a robust compliance function.

It is this new importance on the compliance function, the CCO and compliance practitioners that I see as the biggest happening going forward into 2016.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomas Fox, Compliance Evangelist | Attorney Advertising

Written by:

Thomas Fox

Compliance Evangelist on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.