On June 1, 2020, the Criminal Division of the United States Department of Justice (DOJ) issued a revised version of its Guidelines for the Evaluation of Corporate Compliance Programs (Guidelines). The Guidelines, first issued in 2017 and updated in 2019, serve a critical function in federal law enforcement.
Federal prosecutors are instructed by various internal and external sources to evaluate the adequacy and effectiveness of a company’s compliance program as a part of determining whether to pursue criminal charges against that company and its personnel, as well as what kinds of resolutions of those charges may be appropriate.
The Guidelines instruct prosecutors on how to conduct that evaluation. In doing so, the Guidelines provide insight into what measures the DOJ believes are likely to deter and mitigate violations, and, in turn, may earn the company more positive treatment by prosecutors. In-house counsel and compliance officers undoubtedly will carefully consider these latest revisions and assess whether their companies’ compliance programs are up to date.
Although the Guidelines apply to all forms of compliance programs, one of the most important areas of consideration for companies doing business internationally is the US Foreign Corrupt Practices Act (FCPA).
The FCPA is the federal law that prohibits US companies from paying, offering, or promising anything of value to a foreign government official to obtain or retain business opportunities. The FCPA is a major enforcement priority for the DOJ and the US Securities and Exchange Commission (SEC), as the numbers demonstrate: In both 2018 and 2019, the federal government recovered more than US$2.9 billion through FCPA enforcement.
This is because of the steep penalties available under the statute, which include, per violation, imprisonment of up to five years for individuals, criminal fines of up to US$250,000 for individuals and US$2 million for corporations, civil penalties of up to US$10,000 per violation, as well as disgorgement of profits. Corporations and individuals may also be disqualified from participation in government programs if found liable for FCPA violations.
The federal government is clear in its expectation that every US company doing business internationally (as well as foreign companies doing work on behalf of US companies and other foreign companies with a US nexus) should have a comprehensive and current FCPA compliance program.
But there is a more important reason to have such a program: namely, to effectively deter and mitigate corrupt conduct. An effective program accomplishes three primary goals:
- Articulating the company’s anti-corruption stance;
- Educating the company’s employees on how to avoid, prevent, detect, and internally report possible misconduct; and
- Establishing a set of directives and a practical framework that in fact leads to internal investigations and remediation of problematic conduct.
Many of the revisions to the Guidelines are designed to address those three goals. More specifically, much of the new content focuses on three Rs: resources, results, and revisions.
The DOJ seems to be concerned that some companies are just paying lip service to compliance. “Even a well-designed compliance program may be unsuccessful in practice if implementation is lax, under-resourced, or otherwise ineffective,” states the revised version of the Guidelines.
One of the three “fundamental questions” prosecutors are directed to ask in evaluating a compliance program is whether it is “being applied earnestly and in good faith.” In the prior version of the Guidance, this assessment was based on whether the program was “being implemented effectively” — a rather vague standard.
Now, the assessment turns on the more concrete issues of whether the program is “adequately resourced and empowered to function effectively.” This change raises nuanced questions that should serve as the starting point for any internal reconsideration of a company’s compliance program, such as:
- Why has the company chosen the particular personnel structure for its compliance program?
- Is the company investing in “targeted training” of general employees that adequately train them to “timely identify and raise issues” related to compliance concerns?
- Has the company evaluated the extent to which training has impacted employee conduct?
- Is the company devoting resources to training and developing its compliance personnel?
- Is the compliance program being overseen and executed by employees with the expertise and training to fulfill their functions?
- Are these employees afforded sufficient time to perform their compliance responsibilities alongside whatever other responsibilities they may have?
- Do those employees have sufficient access to relevant sources of data to properly monitor and test for compliance, and, if impediments to that access exist, are they being addressed?
The revised version of the Guidelines also raises new questions — relevant in the context of the FCPA — about the investment in management of third parties, including whether time is spent engaging in risk management of third parties throughout the lifespan of the relationship, as opposed to merely at the outset. Third parties include merger and acquisition targets.
In the updated guidance, the DOJ highlights the importance of a “post-acquisition…process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls,” which becomes particularly relevant to FCPA compliance when acquiring businesses in areas of the world where bribery and corruption are prevalent. It is important to remember that approximately two years ago the DOJ extended its FCPA Corporate Enforcement Policy to acquiring/successor corporations in M&A transactions.
Federal prosecutors evaluate not only how effectively a compliance program prevents illegal conduct, but also how that program responds to apparent violations once detected internally. The Guidelines have always provided that implementing internal incentives to deter violations and imposing appropriate disciplinary action are both important elements of a well-functioning compliance plan.
The revised Guidelines now clarify that compliance programs must further provide for proactive monitoring of the discipline imposed following compliance investigations in order to “ensure consistency.” The DOJ now realizes that even if proper incentives and deterrents are in place on paper, when discipline is unevenly applied, it can undermine the effectiveness of a compliance program by sending the message that compliance is selective, inconsistent, or unlikely to be enforced in a meaningful manner.
Regarding the FCPA, for example, this can occur when non-compliant payments relating to key business lines or relationships are treated more leniently. Per the new guidance, companies should track and periodically review discipline imposed following compliance investigations to ensure that there are comparable results in comparable cases.
It may be worthwhile to generate and maintain a tracking document, ideally protected by the attorney-client privilege, with substantive information about compliance discipline and remediation, which can be used (or possibly produced) in the event of a DOJ or SEC investigation.
Since the original version of the Guidelines, federal authorities have emphasized that compliance programs are not static, but rather should be periodically reviewed and their procedures modified as changes in the company’s operations and risk profile warrant. The revised Guidelines underscore that programs should be updated in response not only to past issues at the company, but also to lessons learned from other companies operating in the same industry or same geographic region.
For example, in the context of the FCPA, certain industries (e.g., energy, pharmaceuticals, and financial services) have been the focus of recent enforcement activities. For companies operating in these higher-risk industries, it is even more important for in-house counsel and compliance personnel to stay abreast of enforcement activity and adjust their policies to prevent similar violations.
Companies expanding into higher risk sectors or geographies may need to expand their program in response to that heightened risk. Regardless of the industry, the ongoing program evolution is expected to be based on a full spectrum of available information, not just a snapshot at a single point in time.
While the latest revisions do not signal a shift in the DOJ’s approach to corporate compliance, they do reflect a more rigorous and pragmatic set of expectations. The nuanced questions directly raised by the revisions warrant meaningful consideration by compliance personnel and in-house lawyers responsible for compliance functions.
Now is a good time for those professionals to ask pointed questions about resourcing, tracking, and the evolution of their companies’ programs, particularly with FCPA compliance.