PROGRAM
Some companies only grudgingly implement anticorruption compliance programs, viewing them as an impediment to conducting business. But in many ways, the FCPA’s goals are consistent with the goals of properly functioning corporations. Any organization needs a firm grip on how its funds are being disbursed, and assurances that its corporate interests—
including its interest in avoiding crimes that can cause adverse publicity and huge fines—
are being implemented. This is particularly true for companies that have employees or intermediaries operating far from corporate headquarters. Knowing how corporate funds are being used, and why, are essential management tasks. Viewed in this way, an anticorruption compliance program is an extension of the kind of risk and asset
management that multinational corporations should adopt of their own volition as part of their internal control procedures.
67 The information presented in this Section is a general discussion of compliance principles and is provided for informational purposes only. It does not constitute legal advice and should not be relied upon for that purpose. The topics covered in this Section are covered in much greater detail in Gregory Husisian, “The Foreign Corrupt Practices Act: Risk Management and Compliance” (chapter 20). This work is published in Gregory Husisian, “U.S.
Regulation of Exports and International Conduct,” which is a treatise found within a multi-volume work
“International Trade Laws of the United States: Statutes and Strategies” (2013) (Mark Neville, ed.). Readers wishing additional information should consult that work.
68 Mark Mendelsohn, former Deputy Chief, Fraud Section, U.S. Dep’t of Justice.
1. ESTABLISHING AN ANTICORRUPTION PROGRAM:GENERAL PRINCIPLES AND THE DOJ/SECGUIDANCE
A good anticorruption compliance program serves four complementary purposes:
(1) educating employees about anti-bribery and recordkeeping requirements;
(2) effectively communicating that the company is serious about its anti-bribery initiatives, and that they are not just window dressing for employees to discard when they hinder an important sale; (3) providing a means by which employees can distinguish between clear-cut areas where few corruption-related concerns are present and those where involvement of experts is necessary; and (4) providing a means of monitoring adherence to policies and encouraging the early reporting of problems so the company can take ameliorative action.
The DOJ and the SEC have provided their views of anticorruption best practices in their FCPA Guidance. Although the FCPA Guidance states that the agencies “have no formulaic requirements regarding compliance programs,”69 it does describe the U.S. Government’s view of the elements that constitute an effective compliance program. According to the DOJ and SEC, the hallmarks of an effective FCPA compliance program include:
Commitment from Senior Management. The FCPA Guidance emphasizes the need for senior management anticorruption compliance support.70 The goal is to
communicate that the U.S. Government agencies have little patience with “paper programs” that look good as written but are not supported by senior management or otherwise taken seriously at the company.71
Oversight and Autonomy. Although the structure, size, and complexity of a
compliance program will vary by company, compliance personnel (whether found in the legal department, the audit department, or as a separate compliance department) must be separate from business operations to insulate them from profit
69 FCPA Guidance at 56.
70 FCPA Guidance at 57 (“Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company. Managers and employees take their cues from these corporate leaders. Thus, DOJ and SEC consider the commitment of corporate leaders to a “culture of compliance”
and look to see if this high-level commitment is also reinforced and implemented by middle managers and employees at all levels of a business.”).
71 FCPA Guidance at 57 (“DOJ and SEC have often encountered companies with compliance programs that are strong on paper but that nevertheless have significant FCPA violations because management has failed to effectively implement the program even in the face of obvious signs of corruption. This may be the result of aggressive sales staff preventing compliance personnel from doing their jobs effectively and of senior management, more concerned with securing a valuable business opportunity than enforcing a culture of compliance, siding with the sales team.”).
considerations.72 The FCPA Guidance also identifies a preference for giving a designated person oversight of the company’s anticorruption compliance program.73
Resources. Personnel in charge of anticorruption compliance require sufficient resources to implement the compliance program.74 For example, a company stating it will implement across-the-board due diligence on all agents should set aside sufficient funds to ensure the company can carry out that mandate.
Strong Risk Assessment. The FCPA Guidance consistently underscores the importance of using risk assessments to determine how companies should allocate their compliance resources. This means that companies should set aside and allocate resources based upon a thorough and thoughtful assessment of risk areas identified based upon the company’s scope of operations, business model, geographic locations, degree of interactions with foreign officials and state-owned entities, use of third-party agents, gifts, travel expenses, entertainment expenses, and so forth.75
Written Procedures. Whether found in the code of conduct or in separate anticorruption policies, compliance policies should be clear, concise, and easily accessible.76 Where appropriate, companies should also distribute the materials to third parties conducting business on the company’s behalf.
Training. Companies should conduct frequent training tailored to the company’s own compliance procedures. Compliance personnel should communicate policies and procedures through all levels of the company, with specialized, in-depth training reserved for directors, officers, and employees who have frequent interactions with foreign officials or state-owned entities (or who supervise individuals who do). Where
72 FCPA Guidance at 57-58.
73 FCPA Guidance at 58 (“In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.”).
74 FCPA Guidance at 58 (“Moreover, the amount of resources devoted to compliance will depend on the company’s size, complexity, industry, geographical reach, and risks associated with the business. In assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”).
75 FCPA Guidance at 58. The FCPA Guidance summarizes the relevant factors as follows: “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs. When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.” FCPA Guidance at 59.
76 FCPA Guidance at 57.
appropriate, companies should also give training to third-party agents and business partners.
Confidential Reporting and Internal Investigation. Mechanisms that enable
confidential reporting of suspected or actual misconduct without fear of retaliation are essential.77 Maintaining multiple lines of reporting, such as through a third-party whistleblower hotline or internally through compliance channels, is preferable. The company should also maintain procedures that help compliance personnel quickly determine which allegations require further action. If an investigation is necessary, the company should provide sufficient resources, document the company’s response, and memorialize implementing any necessary disciplinary or remedial measures.78
Accessibility. The FCPA Guidance stresses the importance of accessibility in an effective anticorruption compliance program. This includes trying to ensure both that the program is readily available and that personnel in foreign locations have access to translated versions of the compliance materials.79
Incentives and Disciplinary Measures. The FCPA Guidance highlights the value of consistently implementing positive incentives and publicizing disciplinary measures.
An effective compliance program rewards good behavior and sanctions the bad, fairly and consistently, regardless of the individual’s position.80
Third-Party Due Diligence and Oversight. The U.S. Government endorses using a risk-based compliance approach. Risk-based due diligence entails identifying third parties that are most likely to come into contact with foreign officials and to deal with state-owned entities, and the frequency of such interactions and the likelihood of the third party confronting bribery requests (as evaluated by perceived corruption indices, such as those prepared by Transparency International). The company should assess the third party’s qualifications, associations, and business reputation, and then follow up
77 FCPA Guidance at 61.
78 FCPA Guidance at 61 (“Moreover, once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.”).
79 FCPA Guidance at 57 (“As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf. Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it.”).
80 FCPA Guidance at 59 (“A compliance program should apply from the board room to the supply room—no one should be beyond its reach. DOJ and SEC will thus consider whether, when enforcing a compliance program, a company has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly, and whether they are commensurate with the violation. Many companies have found that publicizing disciplinary actions internally, where appropriate under local law, can have an important deterrent effect, demonstrating that unethical and unlawful actions have swift and sure consequences.”).
on any identified red flags. Companies also need to monitor third-party relationships through audits, training, and other methods.
Continuous Improvement. Companies should be alert to opportunities to update compliance programs and procedures based on their experience. Companies should frequently commission updated risk assessments (i.e., annually, or following
significant changes in business operations) and periodically review all aspects of the compliance program based on its operation. The goal should be a viable, responsive compliance program that is constantly evolving to address changes in business operations, shifts in the industry, and developments in regulatory environment.81 2. IMPLEMENTING AN ANTICORRUPTION PROGRAM
A company cannot design a proper anticorruption compliance program in a vacuum. The program should reflect the individual company’s requirements, including its own
procedures for tracking payments, its specific corporate organization, and its business interests.
In implementing an anticorruption program, the organization should consider the twelve-step guide to international compliance provide in Section VII. Each of these twelve-steps is important in the anticorruption context. Organizations operating internationally should carefully follow these considerations:
Risk Identification. An important step is to consider the risks posed by the company’s business activities. This includes evaluating where the company does business, its particular product line, the degree of interaction with foreign officials (from both a regulatory and a procurement perspective), and the company’s history of compliance issues. Companies should consider not just the company’s corruption-related risk profile, but also whether it has encountered trouble in other areas (including export control, sanctions, or import violations), which could indicate a careless corporate attitude toward compliance issues. Companies also should carefully consider
interactions with state-owned entities, since the view of the U.S. Government is that all employees at these companies are foreign officials.
Survey Current Controls. Another key step is to determine what controls already exist and to evaluate their adequacy and defects. Companies should consider auditor letters and warnings from accountants as one clue as to the adequacy of internal controls;
81 FCPA Guidance at 61-62 (“Finally, a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”).
another important guidepost is to examine recent corruption-related problems that have arisen at the firm and whether they are adequately addressed by existing compliance procedures.
Identify Available Resources. The company should implement controls and
compliance procedures commensurate with the resources available. A company should not, for example, put in place a program that demands substantial due diligence of every foreign agent hired if it has not decided to fund such activities. Otherwise, it risks setting itself up to look like it has failed to meet its own compliance standards.
Once the company has identified the risk and the controls necessary to moderate it, the company can develop a realistic sense of the cost of a program and the resources necessary to run it.
Scope and Objectives Identification. The next step is to evaluate the scope and
objective of the program: who must be covered, what level of training is required, what monitoring must occur, and so forth. Many companies vary the level of training and oversight based upon the person at issue and his or her responsibilities.
Internal Control Procedures. Most multinational companies prefer to implement anticorruption controls on a company-wide basis, particularly regarding controlling payments and disbursements. Companies often create models for typical situations, including hiring agents, setting up joint ventures, hiring distributors, and conducting due diligence. It also is advantageous to have procedures in place for dealing with red flags as they arise, so potential violations can be identified and investigated in a prompt fashion.
Accounting Procedures. When establishing compliance procedures, companies should implement antibribery compliance and internal accounting controls simultaneously.
The two naturally work together, with the accounting controls being a useful tool to keep compliance on track and to ferret out substantive violations of the anticorruption laws. An effective set of accounting controls is the final step in helping to ensure illegal payments are not made (or that they are caught if they have been made). With this goal in mind, controls should incorporate review and approval guidelines designed to detect and deter questionable payments.
Testing Procedures. It is difficult to have a strong compliance program unless it is regularly tested, probed, and analyzed. Many companies now monitor procedures after the fact, including by ensuring that contracts for distribution agreements, joint
ventures, and consultants have anticorruption compliance clauses. The auditor can review a selection of high-risk transactions to determine whether appropriate compliance procedures were applied.
Reporting Procedures. Reporting procedures are a key element of any anticorruption compliance program. Companies should establish and maintain clear procedures regarding when the compliance officer will address problems, when the general counsel’s office will get involved, and when senior management and directors will be informed of potentially serious issues. The Sarbanes-Oxley financial control reporting requirements also indirectly come into play when companies are deciding how
involved senior management should be. This is because apparent compliance failures arouse suspicions that a company’s internal controls are not adequate to meet required corporate standards.
3. TYPICAL COMPLIANCE PROGRAM ELEMENTS
Most companies have a typical format for compliance policies they can adapt for anticorruption. Common elements include:
A Written Policy Statement. A policy statement is a statement that succinctly sets out the company’s commitment to comply with all anti-corruption laws and regulations. It should be more specific than the general code of conduct statements used by many companies that promise broad adherence to the law, even if the code mentions anti-corruption requirements. The policy statement should be written in straightforward, plain language. It also should stress the importance of timely and accurate accounting for all payments, regardless of their underlying purpose.
A Written Program of Compliance Procedures. A compliance program generally will include not only a complete copy of the company’s policies, but also real-world examples of some of the scenarios that can arise, such as payments for travel and lodging, dealing with foreign officials, company policy on facilitating payments, and so forth. The program should present detailed information about reporting, company procedures for approving payments, standards for entertaining government officials, and sample forms for proper expenditure accounting.
Education and Training Programs. A good education and training program has both a written and a presentation component. The program is enhanced by drawing on real-world examples, such as case studies involving actual problems confronted in the past.
Companies should train both new employees and annually for long-time employees.
Many use a mix of on-line training and in-person training, reserving the latter (and more expensive) option for employees who operate in high-risk areas or who have frequent interactions with government officials. The company should maintain an attendance log and have all employees sign acknowledgment forms showing they have reviewed the compliance materials and understand their responsibilities to comply with the company’s program.
Red Flags. Most anticorruption compliance programs contain lists of red flags—fact patterns commonly associated with potential violations. The presence of these red flags does not mean that the proposed transaction cannot go forward. It means, however, there likely is a situation that the organization should investigate. Familiarity with red flags helps sensitize employees to the kinds of issues that merit reporting to
compliance personnel.
A Methodology for Tracking Payments Accurately. A system for submitting all receipts, tracking all disbursements, and monitoring the nature of relevant transactions is part of any anticorruption compliance program. The goal is to allow the timely and accurate recording of all disbursements with sufficient detail to allow for FCPA
compliance. Although the FCPA only imposes this requirement for issuers registered under the 1934 Securities and Exchange Act, all companies operating internationally should implement a similar system given the difficulty of identifying potentially illegal payments without proper disbursement tracking.
Coverage of Common Issues. Organizations can anticipate many common situations and establish procedures in advance to deal with them. Issues typically covered by anticorruption compliance programs include policies on facilitating payments to foreign officials, policies regarding payment of promotional or marketing expenses involving foreign officials (including regarding gifts, meal, travel, and entertainment), and procedures for political contributions. Companies also can develop standardized provisions for common third-party situations, including anticorruption provisions regarding agents, joint ventures, and distributors.
A System of Discipline. Finally, a company should develop procedures to address violations of antibribery laws. Coverage should be both for direct involvement in the scheme and for failure to prevent and detect misconduct by others. Employees must know that violations of anticorruption procedures can have personal ramifications besides consequences for their employer.
4. THE PERENNIAL PROBLEM OF AGENTS AND DISTRIBUTORS
Because agents and distributors are frequently used by many companies, no compliance program can function unless it successfully deals with these intermediaries. Areas where
Because agents and distributors are frequently used by many companies, no compliance program can function unless it successfully deals with these intermediaries. Areas where