This article was republished with permission from Tom Fox’s FCPA Compliance and Ethics Blog.
I continue my exploration of the implications from the Department of Justice (DOJ) announcement last week of a new program around Foreign Corrupt Practices Act (FPCA) enforcement (“Pilot Program”). Contemporaneously, the Fraud Section of the Criminal Division of the DOJ released a written document, entitled “The Fraud Section’s Foreign Corrupt Practices Act Enforcement Plan and Guidance“ (herein “the Guidance”), more fully laying out the specifics of this Pilot Program and providing more background and information for the compliance practitioner. I visited with Arnold & Porter LLP partner Stephen Martin on this issue recently, so today I want to consider the ongoing remediation you engage in during the pendency of your FCPA investigation.
It has been no great secret for several years that the better practice has been to remediate your compliance program while you are in the middle of the investigation. However, in the Guidance, the DOJ has laid out some very specific details on what they expect to see. Coupled with the new compliance counsel metrics introduced last fall, a Chief Compliance Officer (CCO) or compliance practitioner now has a very detailed set of expectations going forward. (For a review of the compliance counsel, see my prior blog posts here, here, here and here.)
Initially you must note that to receive credit under the remediation prong, you must fully cooperate during the investigation phase. While you can receive credit for cooperation and remediation without self-disclosure, you cannot receive remediation credit without also cooperating. This, of course, leaves open the question of whether you can make a comeback in mid-stream as we saw with Total and Weatherford, where both companies did not cooperate until some time after the investigation began. Yet both companies did receive partial credit for cooperation under the U.S. Sentencing Guidelines. Moreover, the Guidance states in its detailed list that credit can be given to reduce fines and penalties in addition to credits available under the Sentencing Guidelines. Further, this Guidance states that “an effective compliance program… may vary based on the size and resources of an organization,” but should include the following:
- Whether the company has established a culture of compliance, including an awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated;
- Whether the company dedicates sufficient resources to the compliance function;
- The quality and experience of the compliance personnel such that they can understand and identify the transactions identified as posing a potential risk;
- The independence of the compliance function;
- Whether the company’s compliance program has performed an effective risk assessment and tailored the compliance program based on that assessment;
- How a company’s compliance personnel are compensated and promoted compared to other employees;
- The auditing of the compliance program to assure its effectiveness; and
- The reporting structure of compliance personnel within the company.
While there are some items that have been a part of the discussion of what constitutes an effective compliance program for a long period of time — such as culture of compliance, performing a risk assessment and using that risk assessment to tailor your compliance program, reporting structure of the compliance function and auditing of your compliance program — there are also some new points to consider. If not new, then certainly more detailed and focused consideration of prior points.
This Guidance requires “sufficient resources to the compliance function,” independence of that function, the experience and quality of your compliance personnel, and not just the compensation paid to your compliance personnel, but how it compares to other employees, together with their promotion within your organization. These are all new areas of focus on the CCO and compliance team. If your compliance team is run on a shoestring, you will likely be downgraded for your overall commitment to doing business in compliance with the FCPA. The same is true for promotions and other opportunities for advancement within an organization. Not many organizations have such a mature compliance function that a CCO is appointed to another senior-level position within an organization.
Finally, as noted, the DOJ may now be looking at the quality of your CCO and compliance function. Laying this out is new, even if the DOJ may have informally frowned on sending an untrained or unqualified lawyer or other in to run the compliance regime. (I was once appointed head of my company’s global export control function. To say I was under-qualified is putting it mildly, so it does happen.) I think the clear implication is that the DOJ will even look at salaries. Once again, if a company tries to get by on the cheap, it may certainly come back to bite them in the end.
When I asked Stephen Martin his thoughts on this part of remediation, he said, “what does it really mean to have sufficient effort at least under this power program about a well resourced, effective and audited compliance program? They talk about the culture of compliance and what that means. That the companies are required to dedicate sufficient resources in the program, that you really have to invest in qualified experience and appropriately compensated compliance personnel.” Moreover, it is “the level and the quality of people making sure that they are C-level and that they are compensated appropriately and have the right access. They are certainly trying to take on that issue as well.”
There were two other points in the remediation sections that bear notation. The first is that there must be not only be discipline for those who violate your FCPA compliance program, but it must go further. There must be discipline for those “with oversight of the responsible individuals” for their “failure to supervise adequately.” So much for the defense of the rogue employee. Companies are now on notice that they are responsible to adequately supervise and provide oversight of front-line employees who may be in position to or incentivized by your compensation model to engage in bribery and corruption.
The second point ties acceptance for responsibility to taking steps to identify and prevent future risk from turning into a violation. On this point Martin said, “One of the things that I spent a lot of time on [was] tailoring the compliance effort based on an effective risk assessment, and that point is made clear in the Guidance as well … and really trying to think about how do you do an effective risk assessment or whether it’s in the FCPA area or much broader on a number of compliance topics… You really look at the risk of the company and you build your compliance program around it and continue to enhance the program.”
There is quite a bit in this area. Every CCO or compliance practitioner needs to read through and thoroughly understand this section. You should map out these requirements to your existing program. If you see a gap, fill it and think about how you would demonstrate effectiveness under this standard going forward if the DOJ comes knocking.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business advice, legal advice or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The author gives his permission to link, post, distribute or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at email@example.com.