Although the U.S. Government maintains a (somewhat) integrated approach to sanctions and export controls, the other laws governing international conduct are administered in a piecemeal fashion. Enforcement is divided between the Departments of Justice,
Commerce, State, and Treasury, the SEC, the Federal Reserve, other federal agencies, and even state banking authorities. This is not the structure that would be imposed if these laws were being implemented for the first time today. The U.S. Government is trying to break down inter-agency barriers through enforcement actions that bridge these barriers, including through the adoption of inter-agency coordination mechanisms.
With the U.S. Government taking a more unified approach to enforcement, multinational corporations should take the same view, only from a compliance perspective.
Unfortunately, many multinational corporations instead operate Balkanized compliance programs—programs that feature little coordination across divisions or countries or that are narrowly directed at only a subset of the laws the U.S. Government has issued regulating exports or international conduct.
The reasons companies take this Balkanized approach varies. Sometimes, it is because the company has been built over time through merger activity and organic growth, with more focus being given to business opportunities than to the risks of legal violations. In others it is because a general decentralization of business activities has produced decentralized compliance structures. Regardless of the reason, many foreign subsidiaries that operate independently of the United States have only a tenuous appreciation for the extra-territorial application of U.S. regulations, resulting in further incentive for global compliance
standards to vary and for cross-coordination of compliance efforts to lag.
A compliance approach that has grown without conscious thought given to the overall implementation plan would benefit from a holistic reexamination of the overall compliance structure. Taking this kind of integrated approach to regulatory risk management does not mean that the same compliance standards should govern dealings in each country, much less each division. While this kind of lockstep compliance approach may be acceptable sometimes (such as in dealing with the increasingly global anti-bribery rules), it does not make sense where the regulations themselves distinguish between the activities of U.S. and non-U.S. persons (such as for sanctions and export controls). It means, however, that companies must consider how U.S. regulations could impact foreign behavior, including through application to U.S. citizens tangentially involved, and by applying novel theories
45 The topics covered in this Section are covered in much greater detail in Gregory Husisian, “U.S. Export Controls and Sanctions: Risk Management and Compliance” (chapter 18) at 18-17 to 18-20. This work is published in Gregory Husisian, “U.S. Regulation of Exports and International Conduct,” which is a treatise found within a multi-volume work “International Trade Laws of the United States: Statutes and Strategies” (2013) (Mark Neville, ed.).
Readers wishing additional information should consult that work.
of extra-territoriality, agency principles, aiding and abetting, and facilitating charges, and using the threat of debarment to force settlements on entities that might not otherwise appear to be directly covered by U.S. law.
Whether because of poor coordination between different divisions and subsidiaries or because of uneven application of compliance standards that emphasizes some U.S.
obligations more than others for reasons other than the risk profile of the company, the end result of this piecemeal approach is fragmented compliance. Companies that may have model compliance approaches in some areas or for some divisions or subsidiaries simultaneously can feature poor compliance strategies in other areas.
Whatever the reason for this type of fragmentation, companies should not maintain this result in the current enforcement environment. The U.S. Government is taking a more global view of the laws that cover companies that operate internationally. As illustrated by the enforcement actions outlined in the introduction, this view is now being carried over into some of the settlements with the highest penalties.
With the U.S. Government looking at the laws regulating international conduct of U.S.
persons as a common mosaic, companies at risk also need an integrated approach.
Handling all international areas together from a compliance perspective has several advantages, including:
Common Procedures. Employees are busy, and compliance usually is not their primary focus. Creating one set of procedures is advantageous from implementation, training, and operational standpoints.
Cross-Fertilization. Integrating compliance reveals cross-trends. FCPA controls for government officials can reveal illicit contracts, know-your-customer guidelines can reveal FCPA risk areas, and sanctions scanning can reveal AML concerns.
Implementing Best Practices. An integrated approach allows an organization to implement best practices quickly across the entire organization.
Dealing with Workforce Mobility. In many multinational corporations, people frequently move from division to division and from country to country. Differing compliance standards multiply confusion as the rules change with every stop.
Centralization. Since many of the most stringent regulations originate in the United States, their nuances often are best understood by U.S. counsel or compliance staffs.
Having consistent, well thought out standards facilitates oversight by these compliance personnel.
Standards Convergence. In some areas, such as for the FCPA and anti-money
laundering, U.S.-style prohibitions are being adopted by other countries. This increases the value of taking a coordinated approach across jurisdictions, divisions, and
subsidiaries.
Facilitation Standards and U.S. Citizens. Even where the U.S. Government does not impose U.S. standards on foreign subsidiaries, it often imposes liability on U.S.
persons involved in certain transactions, including through applying agency principles, prohibitions on U.S. person involvement in the transaction, and application of rules forbidding facilitation or aiding and abetting regulated conduct. Maintaining different standards across divisions and countries multiplies the compliance burden of screening covered U.S. nationals from these types of transactions.
Ease of Auditing. While many multinational corporations perform various types of compliance audits (especially banks, for AML and BSA purposes), many trust their compliance programs are working where they do not seem to be unearthing any problems. The growing trend, however, is for companies to perform periodic audits to confirm that well-conceived programs are being followed on the ground and to identify small problems before they become systemic. An integrated approach leverages audit capabilities across compliance areas and different areas of the world.
Increased Visibility for Compliance. The traditional challenge of encouraging
companies and employees to take compliance seriously, rather than viewing it as a cost and distraction from making sales, is naturally promoted by creating a centralized and higher-visibility compliance function.
Ease of Board-Level Monitoring. Compliance needs necessarily jostle with strategic concerns for board-level attention. Integrated compliance allows for the systematic presentation of compliance-related information to the board of directors. This is a strong consideration with Sarbanes-Oxley increasing the requirements of board-level monitoring.
For all these reasons, an integrated compliance approach is most likely to yield dividends for companies looking to best spend their scarce compliance resources. Looking at all international compliance measures together—both across legal regimes and across international borders—is most likely to reveal ways that organizations can reallocate compliance resources to best minimize risk. Guidance regarding concrete steps that multinational organizations can take to implement this approach is found in Section VIII.
VII. ATWELVE-STEP PROGRAM FOR INTERNATIONAL COMPLIANCE46
Many companies concerned about compliance find themselves in a quandary regarding how best to implement their international regulatory risk management. They may well know they face heightened risk but are not clear regarding the best way to proceed. This Section summarizes the typical steps that most multinational companies should consider when evaluating their international regulatory risk management procedures and internal controls. Through careful implementation of these measures, most multinational organizations should be able to implement the kinds of compliance that U.S. regulators would consider to be industry best practices.