In this week’s installment on the ramifications of the Benczkowski Memo and recent DOJ policy changes, Jay Rosen considers how companies can use the information from the Memo to bolster their internal compliance programs.
The DOJ now mandates that companies coming before them have an effective compliance program. The days of wheeling in a large stack of documents are long gone; now, companies must have substantive evidence on not just their program, but also its effectiveness.
In December 2018, Principal Deputy Assistant Attorney General John P. Cronan, in a speech at the Practising Law Institute Event in Washington, said that companies must demonstrate they had an effective compliance program, not a paper compliance program. He stated, in assessing a compliance program, prosecutors are directed “to consider ‘whether a corporation’s compliance program is merely a “paper program” or whether it was designed, implemented, reviewed and revised, as appropriate, in an effective manner.’”
One of the strongest elements I take away from the Memo is that a company needs to demonstrate that it has an effective compliance program. From there, you can move to remediation and strengthening of the program, which the Memo also addresses.
If you begin with the premise that your company has a program, the next step is to assess the program’s strength and effectiveness, as well as its weaknesses.
What does a company do if it uncovers a problem?
Does it have the wherewithal to conduct a thorough investigation and determine whether it is something that has to be self-reported to the government? On the remediation side, has the company gone deep enough to find out the root cause of the problem? Questions such as “how did we get here?” and “what do we do to address it?” can become paramount. One of the key elements the Memo underscores is how seriously the company takes its compliance program obligation and what it does when a problem has been discovered.
This has been a consistent message from the DOJ as far back as the 2012 FCPA Guidance. However, it has become a more “front-end” concern of the strength of the investigation process. The question then becomes, how can a company demonstrate its commitment to solving the problem if one surfaces? Does the organization simply try to cauterize it and use the “one bad apple” defense, or does it conduct a deep dive into learning whether or not it’s real, the merits of it and gathering information around the issue?
This leads to such questions about the strength of the internal investigation process or whether the company has someone internally with investigator skills. For example, if someone in human resources or a transactional attorney are suddenly thrown into an investigation and they just don’t have the experience and the depth of knowledge, this can have negative effects going forward or can lead to even further problems.
The Memo implores companies to both recognize that they may not have a strong investigative process and also move to strengthen it.
Another internal area that a company can focus on is discipline for those who engage in internal controls and policies and procedures violations. But even more critical going forward is maintaining a fair process for discipline and incentives around compliance; this means that discipline is meted out fairly, with process, with consistency and transparency. It also means that a company must promote simply beyond those who may be friends and colleagues of senior management to persons who truly do merit promotion because they have engaged in business ethically and in compliance with laws and regulations.
Internal controls testing also plays a big role what a company can do, if we look at the third-party hiring issues, most generally under the Foreign Corrupt Practices Act (FCPA) or other anti-corruption legislation. A company could pose multiple internal queries, such as some of the following:
- What are the controls around cash?
- Do you have some kind of mechanism for determining where cash is being spent?
- Do you have some control over bank accounts, particularly when you are working in a variety of countries?
- Do you have some kind of control over who is making decisions about where dollars can be spent?
All of those kinds of things require internal controls. First, you must establish internal controls and second, you must test them to make sure they are both appropriate and effective.
Please join me next week for part three, when I explore how companies can externally leverage the information communicated in the Benczkowski memo and the FCPA Corporate Enforcement Policy.
In case you missed the earlier installments of this ongoing series, please see the links below.