Without much fanfare, the United States Department of Justice (DOJ) has recently brought forward revisions to its guidance for the "Evaluation of Corporate Compliance Programs" (ECCP). US companies, companies listed on US exchanges, and companies that regularly interact with these companies or in the US should take notice of these revisions as they signal important updates to the government’s view of what a compliance program should be, and industry standards are certain to follow. US federal prosecutors use this guidance to evaluate compliance programs at corporations under criminal investigation, most importantly, when making a charging decision, settlement decision, culpability and fine determination, or decision about whether to request the imposition of a corporate monitor following a resolution. This includes assessing a corporation’s compliance program for those facing an investigation into an alleged violation of the Foreign Corrupt Practices Act (FCPA), which provides for the criminal and civil prosecution of individuals and corporations who bribe non-US government officials with the intent to obtain a business advantage. The revisions came into effect June 1, 2020.
A broad overview of the revisions reveals the majority of the changes focus on the continuous improvement of compliance programs and data availability to the compliance team for trend analysis and incorporation of lessons learned into the program. The revisions also aim at ensuring corporate compliance is equally successful across all regions and that discipline is equally applied. Finally, the revisions speak to having more monitoring and testing of corporate controls over time and ensuring adequate investment in the program to meet its needs.
As with US companies, awareness of the revised ECCP guidance is critical for Canadian companies that are listed on a US exchange or that have touch points with the US, as both may face exposure to enforcement risk under the FCPA. In particular, compliance reviews and risk assessments undertaken by these companies should take full account of the DOJ’s expectations as expressed in the ECCP guidance. For companies that have benchmarked their programs to the prior version of the ECCP guidance, internal compliance review/risk assessment criteria should be refreshed to include these expanded considerations.
The ECCP guidance may also be of value to Canadian corporations in evaluating their exposure to enforcement risks under the FCPA’s Canadian counterpart, the Corruption of Foreign Public Officials Act (CFPOA). The well-developed and robust guidance from the US has made it a leader in anti-corruption enforcement actions. Given the absence of any substantive guidance issued by Canadian authorities as it stands, Canadian corporations will be well served by taking close notice of the ECCP as a benchmark that Canadian authorities and their international equivalents may use to determine industry compliance standards. Indeed, it may prove a valuable resource for companies hoping to earn eligibility for a Remediation Agreement (Canada’s version of a Deferred Prosecution Agreement) in respect of any potential violations of the CFPOA.
Overall, the guidance should be recognized as critical to how the corporation is perceived by enforcement authorities, business partners, and the public at large should an investigation or law violation occur. Consequently, compliance programs are still expected to prevent misconduct, but programs will also be assessed as to the corporation’s compliance efforts and self-learning, regardless of whether the program failed to prevent the actions under investigation.
Highlights from the Revised ECCP Guidance
Many parts of the ECCP have remained untouched from previous versions. As always, fundamental points of the program must address:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
- Does the corporation’s compliance program work in practice?
The above points are the overriding factors, or the “lens” through which the effectiveness of any company’s compliance program will be assessed. Specific revisions to the guidance focus upon considerations such as:
- Continuous improvement and agility of compliance programs, including efforts to audit program effectiveness and to ensure programs are dynamic. The DOJ highlighted these points by including questions like:
  - Why and how has the corporation’s compliance program evolved over time?
  - Is the risk assessment current and subject to periodic review and update?
  - Does the corporation have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the corporation’s own prior issues or from those of other companies operating in the same industry and/or geographical region?
  - What is the corporation’s process for designing and implementing new policies and procedures and updating existing policies and procedures, and has that process changed over time?
  - Have the policies and procedures been published in a searchable format for easy reference? Does the corporation track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?
  - Whether online or in-person, is there a process by which employees can ask questions arising out of the trainings?
  - Has the corporation evaluated the extent to which the training has an impact on employee behavior or operations?
  - Does the corporation take measures to test whether employees are aware of the corporation’s method to report wrongdoing and feel comfortable using it?
  - Does the corporation have a business rationale for needing a third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials?
  - Does the corporation engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?
  - Does the program include not only comprehensive due diligence of any acquisition targets, but also a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls?
  - Does the compliance function monitor its investigations and resulting discipline to ensure consistency?
  - Does the corporation review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?
- Funding of and support for the program, by adding questions like:
  - Is the corporation’s compliance program adequately resourced and empowered to function effectively?
  - What are the reasons for the structural choices the corporation has made? Do those decisions show senior and middle management support of the program, and evidence that the program is tailored to the company and specific internal and external factors that impact the company?
  - How does the corporation invest in further training and development of the compliance and other control personnel?
  - Has the company provided compliance and control personnel sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?
  - Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?
- Global program consistency and disciplinary results, by including the question: Is the corporate compliance program equally successful across all regions, and is discipline equally applied?
The revisions to the ECCP are new and their implications going forward are yet to be established. As noted above, Canadian jurisprudence and the available law enforcement publications provide little guidance on how the task of evaluating corporate compliance programs will be approached by the Royal Canadian Mounted Police and Crown Prosecutors under the nascent Remediation Agreement regime. However, the revisions to the ECCP guidance provide valuable signposts as to how compliance programs and their effectiveness may be measured at a practical level, for both content and currency. Corporations that choose to ignore these pragmatic and logical guidelines may have less negotiation room to mitigate the potentially very severe impacts of an enforcement action under the FCPA or, in Canada, under the CFPOA.