This is Part II in our two-part series (part one here) of how the Department of Justice (DOJ) looks at compliance programs during the pendency of an enforcement action.
Today we will review how a prosecutor may review the existence and effectiveness of a Foreign Corrupt Practices Act (FCPA) compliance program based upon the Principles of Federal Prosecution of Business Organizations (“the Principles”) and an analysis of what is an effective compliance program under the US Sentencing Guidelines (“the Guidelines”).
Both posts are based upon the tract “Complying with the Foreign Corrupt Practices Act: A Practical Primer” (herein “the Primer”), published by the ABA Criminal Justice Section, Global Anti-Corruption Task Force.
Independent Evaluation of Compliance Programs
The Primer reports that under this analysis, prosecutors look into three broad categories to make a determination if a compliance program was in existence and effective “at the time of the FCPA violation.” These categories and their specific inquiries are as follows:
1. The Existence and Design of the Compliance Program
(a) Whether a compliance program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees;
(b) Whether the compliance program is designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business;
(c) The comprehensiveness of a compliance program; and
(d) Whether the compliance program has established corporate governance mechanisms that can effectively detect and prevent misconduct.
2. The Administration of the Program
(a) Whether the company’s management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct to achieve business objectives;
(b) Whether a compliance program is being applied earnestly and in good faith;
(c) Whether a compliance program ‘works’;
(d) Whether a compliance program is merely a ‘paper program’ or whether it was designed, implemented, reviewed and revised, as appropriate, in an effective manner;
(e) Whether the company has provided for a staff sufficient to audit, document, analyze, and utilize the results of the company’s compliance efforts; and
(f) Whether the company’s employees are adequately informed about the compliance program and are convinced of the corporation’s commitment to it.
3. The Misconduct in Question
(a) The extent and pervasiveness of the misconduct in question;
(b) The nature and level of the corporate employees involved in the misconduct;
(c) The seriousness, duration and frequency of the misconduct;
(d) Whether a corporation has taken remedial actions including discipline against past violators and revisions to the company’s compliance program in light of lessons learned; and
(e) The promptness of any disclosure of wrongdoing to the government.
As the Primer points out, these factors are “not exhaustive and are often overlapping but they do provide insight into how DOJ prosecutors conduct investigations and determine whether to bring charges under the FCPA.”
I find this final section on how the DOJ analyzes compliance programs the most helpful for the compliance practitioner, particularly when they must explain to management what is required and why the resources need to be expended. Remember, this analysis is performed based upon your company’s compliance program at the time the FCPA violation arose, not after program remediation.
So just think about some of the questions posed above:
- Have we trained the appropriate employees?
- If so, how do we prove it?
- Has anyone ever been disciplined for a Code of Conduct violation or more appropriately a compliance program violation?
- If so, is it documented?
- Prior to our FCPA violation, had the company ever audited or even reviewed the state of its compliance policy?
- If so, were any changes made to the compliance program? What changes were made and why?
- Our Chief Executive Officer (CEO) signed a cover letter, written by the Legal/Compliance Department, which introduced our compliance program when we rolled it out (fill in the blank) years ago. What evidence is there of the CEO’s continued commitment to the company’s compliance program since roll-out that can be documented?
- Have we opened any new business lines or gone into any new geographic areas since the compliance program roll-out? Did we assess these new business initiatives?
- When was the last time we did a comprehensive compliance risk assessment?
- Do we have effective internal controls?
- If we believe so, how do we know?
- When was the last time a compliance audit was conducted?
- What were the results or lessons learned?
- Did the company incorporate any of these lessons learned into an enhanced or modified compliance program?
- What criteria is the sales team evaluated upon?
- Is there a compliance component to their annual review/evaluation?
- What is the budget for the Compliance Department?
- Is a senior person assigned to lead the company’s compliance efforts or is it everyone’s responsibility? (i.e., if everyone is in charge, then no one is in charge.)
These are just some of the questions that come to my mind in looking at how a prosecutor might review a compliance program. There are obviously many, many others. I highly recommend that you consider some of these questions plus any that you can develop. I would also urge you to download, read and then keep handy the Primer. It is free and one of the best FCPA compliance resources around.
US Sentencing Guidelines
The Primer notes that the Principles are not the only source of authority which a prosecutor might refer to in evaluating a company’s compliance program during an enforcement action. The US Sentencing Guidelines note that one of the two factors which can mitigate downwards in determining the amount of a fine and penalty is “the existence of an effective compliance and ethics program”.
Further, under the Amended November 2010 Guidelines, the Primer says that the “government may now significantly reduce fines and other sanctions if an organization takes reasonable steps to achieve compliance with its standards, e.g., by utilizing monitoring and auditing systems reasonably designed to detect criminal conduct by its employees and other agents.”
The Guidelines provide in broad parameters how a prosecutor will evaluate compliance programs during the pendency of an FCPA enforcement action. As such, they also provide guidance to the compliance practitioner on DOJ thinking. While there is not a specific program listed, the Guidelines place “an emphasis on the results of a program—that is, whether it is reasonably designed, implemented and enforced so that [it] is generally effective in preventing and deterring criminal conduct.”
The Primer goes on to note that an effective compliance program consists of documentation that an organization “exercise[s] due diligence to prevent and detect criminal conduct; and otherwise promote[s] an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”
One of the key factors is that the Guidelines do rely on the existence of a written compliance program. This means that a prosecutor’s primary focus is on the effectiveness of a company’s compliance program. The Primer lists out the following parameters, which the Guidelines suggest that a compliance program should minimally include and I cite from the Primer in its entirety:
- The organization to “establish standards and procedures to prevent and detect criminal conduct.”
- The “organization’s governing authority . . . be knowledgeable about the content and operation of the compliance and ethics program and . . . exercise reasonable oversight . . .”
- High-level personnel of the organization . . . ensure that the organization has an effective . . . program . . . .
- Specific individual(s) within the organization . . . be delegated day-to-day operational responsibility for the . . . program . . . [and] shall report periodically . . . on the effectiveness of the . . . program.
- To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority.
- The “organization . . . use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known . . . has engaged in illegal activities or other conduct inconsistent with an effective . . . program.”
- The “organization . . . take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the . . . program . . . by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities, to “members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.
- The organization . . . take reasonable steps . . . to ensure that the organization’s . . . program is followed, including monitoring and auditing to detect criminal conduct.
- The organization . . . take reasonable steps . . . to evaluate periodically the effectiveness of the organization’s . . . program.
- The organization shall take reasonable steps . . . to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
- The organization’s . . . program . . . be promoted and enforced consistently throughout the organization through appropriate incentives to perform in accordance with the . . . program; and appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.
- After criminal conduct has been detected, the organization . . . take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s . . . program.
- And in doing all of the above, “the organization . . . periodically assess the risk of criminal conduct and . . . take appropriate steps to design, implement, or modify each [above] requirement . . . to reduce the risk of criminal conduct identified through this process.”
I believe that the DOJ has presented significant information to the compliance practitioner, not only about its most current thinking on what may constitute a minimum best practices compliance program in recent Deferred Prosecution Agreements (DPAs) and Non-Prosecution Agreements (NPAs), but also, through the Principles and the Guidelines, guidance on how a prosecutor will look at and analyze a company’s compliance program.
Cross-posted from Tom Fox Law