This article was republished with permission from FCPAméricas Blog, for which Matteson Ellis is founder, editor and regular contributor.
Over the last four years, at ACI’s winter International Conference on the FCPA, enforcement officials have repeatedly placed special emphasis on two specific compliance areas: risk assessments and monitoring.
To be sure, these officials have discussed many of the essential elements of an effective anti-corruption compliance program, including tone from the top, internal reporting mechanisms, trainings and third-party due diligence (FCPAméricas has posted summaries from 2011, 2012, 2013 and 2014). But this year, as in the past, they spent an inordinate amount of time talking about the “bookends” of compliance; namely, (1) the risk assessments from which companies should design their compliance programs and (2) the monitoring and testing that should occur after implementation to ensure that the programs are implemented effectively.
Enforcement emphasis on these areas makes sense, since they are actions that provide key assurance that corporate compliance systems are more than words on paper. For the same reason, these should be key areas of focus for compliance officers. The following comments made at 2014’s ACI conference offer more detail about what SEC and DOJ officials hope to see.
The Importance of Risk Assessments. Patrick Stokes, the Deputy Chief of the FCPA Unit of the Fraud Section of the DOJ’s Criminal Division, said, “We expect companies to be thoughtful about risk assessments. What we want are companies that are thoughtfully identifying where their real FCPA risks are and focusing on those.”
He said that companies should think critically about how they engage third parties in high-risk jurisdictions, where they contract with the government sector and where they have relationships with foreign officials. He said that the DOJ does not go into a meeting expecting to see specific compliance measures. Instead, the DOJ wants companies to identify for themselves their highest risks and explain how they are addressing those risks: “Just as we don’t want companies to have a check-the-box program, we don’t have one for evaluating them.”
Mr. Stokes added, “We have no expectation that a compliance program will be perfect and is going to catch all bad conduct. We understand that bad actors will try to work around controls and try to evade them. But we expect that programs are well thought-out to prevent this.”
The Chief of the FCPA Unit of the SEC’s Enforcement Division, Kara Brockmeyer, explained further that companies need to “get out into the field” and talk to their people about how they are doing business, where they touch the government and other risks at play. She added that companies’ risk profiles often change over time. For example, a company might have a foreign-based manufacturing facility that only sells back to the United States, but then purchases another facility with significant sales to foreign government officials: “At that point risks change, and [companies] need to be focused on them.” Such changes can be detected through periodic risk assessments.
The Importance of Monitoring. In 2014, enforcement authorities once again stressed the importance of monitoring and testing compliance programs. Mr. Stokes said, “Many times companies have designed a… robust program, but [failed] to test it. What we expect is to not only have on paper a program, but to test it, to make sure it is working.”
Ms. Brockmeyer discussed how a company can leverage its internal audit department to test its compliance program. For example, a heavy reliance on petty cash creates a high risk of off-the-book payments, and internal audit can be leveraged to address this type of risk. It can check if certain third parties are included on approved vendor lists and have been subject to due diligence. It can look at reimbursements related to gifts, travel and entertainment. She said that companies can “tack on” these types of tests to regular audits, and that they do not necessarily require a separate FCPA component.
What if risk assessments and monitoring are missing? From statements made by enforcement officials, it appears that they would consider the lack of a serious risk assessment to suggest a lack of commitment, or a program that is merely paper in nature. If a violation occurs, such a finding makes it less likely that a company will get the full benefit of its compliance program. A lack of monitoring would have a similar effect – it suggests to law enforcement that a company is more interested in saying that it has a compliance program than it is in addressing actual corruption risks.
Risk assessments and monitoring are not the most talked-about elements of FCPA compliance programs, but they are fundamental to getting FCPA compliance right. Enforcement officials have repeatedly made it clear that they think these issues belong in the foreground of corporate compliance efforts. In case that message has not been received, there is an excellent chance that enforcement officials will be saying it again at this year’s conference.
The opinions expressed in this post are those of the author in his or her individual capacity and do not necessarily represent the views of anyone else, including the entities with which the author is affiliated, the author’s employers, other contributors, FCPAméricas or its advertisers. The information in the FCPAméricas blog is intended for public discussion and educational purposes only. It is not intended to provide legal advice to its readers and does not create an attorney-client relationship. It does not seek to describe or convey the quality of legal services. FCPAméricas encourages readers to seek qualified legal counsel regarding anti-corruption laws or any other legal issue. FCPAméricas gives permission to link, post, distribute or reference this article for any lawful purpose, provided attribution is made to the author and to FCPAméricas LLC.