Archive for the ‘Compliance’ Category

Lessons Learned As A Foreign Corrupt Practices Act Monitor

Thursday, July 23rd, 2015

Today’s post is from Scott Fredericksen (Partner, Foley & Lardner) and originally appeared in International Trade Law & Regulation, Vol. 21, Issue 3, 2015 (Thomson Reuters).

*****

Not long ago, Foley & Lardner was selected as a monitor for a medical devices company that had been found to have engaged in activities alleged to have violated the FCPA. As the leader of the investigatory team, I did not have the normal advantage of working with a known client with a known business.

Rather, I needed to quickly develop a multi-faceted team that had to quickly get up to speed on the company’s business model, how it conducts business abroad, its distributor arrangements, its compliance program, its internal controls, and its training. In short, I had to set up a compliance review with the kind of probing that one would find in an in-depth financial audit.

The important compliance lessons learned from Foley’s experience as a corporate monitor are provided below.

General Lessons

As most people who are involved in the compliance area know, establishing the right corporate culture is paramount. The key requirements include ensuring that the company has a culture of respect for compliance, that senior management is firmly behind all compliance efforts, and that there is a strong and well-funded compliance infrastructure that can catch compliance missteps from a variety of angles.

Establishing the appropriate corporate compliance culture requires constant reiteration of the compliance message. Compliance standards must be public and promulgated throughout the company, including through regular placement in company newsletters and on corporate intranets. Compliance policies should be readily accessible to employees and integrated into all aspects of employment, starting with discussions of compliance during the hiring process and references to the policy in employment contracts. Even employee performance reviews can help serve this purpose, by ensuring that employee adherence to compliance standards is part of the evaluation process.

The involvement of senior management is also essential for the development of a corporate culture focused on compliance. Placing a member of senior management in charge of compliance acts as a vital link between the executives and board members responsible for running a company and the employees on the ground who must deal with potential regulatory violation issues on a regular basis. A high-level member of management who is intimately involved in the compliance process also lends legitimacy to the company’s compliance policy and helps firmly establish the tone from the top.

This is not to say that every company needs to have a dedicated chief compliance officer. The establishment of the compliance infrastructure, like all compliance efforts, needs to be a risk-based endeavor, which means that the compliance needs of a smaller company that only operates in a handful of foreign countries may not be the same as those of a large multinational corporation that operates in a number of high-risk environments. It is common in smaller companies for compliance duties to be handled by an employee who has multiple responsibilities, such as the head of the human resources or audit departments. But at all companies, there should be a single person who is responsible for monitoring potential violations, managing due diligence, developing and providing compliance training, answering questions and resolving red flags, and testing the compliance program. This type of compliance ownership, by a person who is free from business pressures to achieve particular outcomes, is essential to ensure that compliance responsibilities are taken seriously.

A final issue is the adequacy of funding. Effective compliance requires hiring appropriate compliance personnel, taking time from busy employees for training, the establishment of internal controls and processes to monitor the effectiveness of the program and procedures in place, and periodic revisions to the policies and training materials. Companies should put in place programs that will be supported by commensurate resources. If, for example, a company states that it will perform due diligence on every agent it hires, then it should ensure that it has set aside sufficient resources to carry through on this commitment. Although compliance can be expensive, it pales in comparison to the multimillion dollar fines and high investigatory costs that now accompany even routine violations of U.S. regulations.

Compliance Program Improvements

A thorough and proper risk assessment forms the core of any good compliance program. No compliance program has the luxury of drawing on unlimited resources. Therefore, it is necessary to begin with a sober assessment of the regulatory risks facing the business, including those posed by its corporate profile, business model, types of products sold, areas of operation, use of third parties, degree of government interaction, and other business-profile issues that impact the degree of regulatory risk.

The ways in which to conduct a proper risk assessment vary, but certain principles are universal. Involvement from senior management and employees that understand the company, its business model, and its specific regulatory risk points is essential. The risk assessment must be conducted free of business pressures, without clouded judgment regarding where the highest risks arise. The risk assessment also should take into account all the ways in which outside actors can implicate the company or create regulatory liability, such as agents, distributors, joint venture partners, and other third parties.

Companies also need to update their risk assessments on a regular basis. Corporate expansions, mergers and acquisitions, establishment of new joint ventures, expansions into new countries or product lines, and new distributor arrangements are all activities that can alter the risk profile of a company. Even regulatory developments, such as enactment of broad anticorruption laws such as the UK Bribery Act or the recent ramping up of OFAC sanctions and related enforcement activity, can impact compliance requirements. Not all of these changes, or their impact on compliance efforts, are obvious, which makes a regular reassessment of risk an important compliance function.

After conducting a risk assessment, a company must decide how to allocate its compliance resources. Allocating most resources to identified high-risk areas is important. So, however, is recognizing that the risk even in low-risk areas seldom is zero, and that these areas thus deserve some compliance attention as well. A well-structured risk assessment can help balance the distribution of compliance resources.

It also is important to regularly update compliance measures. Compliance standards regularly change, driven not only by changes in the regulatory framework but also by the expectations of the regulators. As a result, it is important for a company to remain educated about compliance issues, including through regularly sending compliance personnel to specialized conferences, and following developments that bear on the ever-evolving standards for an acceptable compliance program.

When changes are made, the changes to the compliance program must be appropriately promulgated throughout the company. Depending on the change, this could require anything from company-wide training to a simple email from the company’s chief compliance officer. Regular communications regarding the company’s compliance message serve the dual purposes of keeping the compliance message top-of-mind while also communicating the company’s evolving compliance efforts and its commitment to compliance.

Training Enhancements

Training is an integral part of every compliance program, and serves a function that is much greater than merely communicating information. Done properly, it is an important part of the compliance-related dialogue that helps minimize the risk of violations while helping to discover violations that already have occurred. It also is a key cog in the central goal of communicating the importance of compliance to the organization.

Although many companies conduct training electronically, including through the use of innovative compliance presentations and on-line quizzes, in-person training remains the gold standard. Company personnel tend to pay more attention to a live presentation, and the presentation can be tailored to the requirements of the audience. Allowing time for discussion not only allows employees the opportunity to ask questions about areas that are unclear, but often reveals areas where further inquiry may be appropriate. Properly presented, in-person training can result in compliance feedback that can be incorporated to improve the overall compliance program.

No matter how training is provided, it cannot be a one-time event. Although all employees should receive initial training upon their hiring, reinforcement of the training on a periodic basis is essential. Annually is a good benchmark that works for most companies.

Finally, companies should make training relevant to the evidence. The training should use as many real-world examples as possible, such as case studies drawn from actual problems confronted by the company in the past, as well as those that are more likely to occur based on the industry and where and how the company does business.

Audits and Compliance Checkups

Compliance as envisioned by the compliance program, and compliance as it actually occurs in the field, often are two very different things. A company that implements rigorous procedures, but then fails to live up to them, often enjoys the worst of two worlds, since its failure to meet its compliance goals would be held against it in any enforcement proceeding. To avoid this possibility, compliance implementation should be monitored by direct observation, by supervision of the program, and by testing the controls.

Some of this testing can be done in the company’s normal internal audit process, and it is important that internal audit employees receive specific compliance training so they understand what to do and why they are doing it. One increasingly common way of ensuring the testing of the controls is to conduct compliance audits. These audits are intended to stress-test compliance procedures by picking high-risk transactions at random to see whether the compliance program is functioning as envisioned. Beyond this, regime-specific audit items can be created, which generally will focus on whether the company is adhering to its internal controls in a given area. They can be conducted by properly trained internal or external auditors.

The tendency at many companies is to conduct audits based upon the ease of conducting them, rather than their utility. This shows up, for example, when companies target their own foreign operations for compliance-related audits, but do not exercise their rights to audit agents or joint venture partners. It also arises when companies do not return to the lessons of their risk assessments to determine the high-risk areas that merit follow-up checks. Unlike financial audits, which tend to concentrate on areas with the highest revenue impact, compliance-based audits often need to focus on areas that may have a small revenue impact but a large compliance risk footprint. Operations in a developing country, for example, may be new and have still-small revenue, yet present an outsized compliance risk.

Agent and Distributor Controls

No compliance program, no matter how well conceived, can perform its job unless the risks posed by third parties are adequately addressed. This is because many enforcement settlements are premised on agency principles, i.e., a determination that parties outside the company were acting on behalf of the principal, thus creating legal liability for the principal.

Dealing with agents, distributors, and other third parties presents unique and interesting challenges. Often companies work with these third parties in foreign countries because the companies themselves do not understand the business culture or ins-and-outs of doing business in a particular country. Agents help fill this knowledge gap by bringing knowledge of the business environment that the company cannot supply by itself.

But the greater the separation from corporate headquarters, the greater the risk. The dangers of third parties can arise in a host of areas, including for matters handled by customs brokers, distributors, sales agents, political consultants, lobbyists, and other third parties. The consistent use of third parties, even when justified from a business perspective, by itself can be considered a compliance red flag. The oversight of third parties accordingly should be considered in every aspect of the company’s risk assessment, including with regard to the establishment of the relationship (with appropriate contractual protections), training, accounting, ongoing certifications, and even audits.

Due diligence is also a key step when managing third-party risks. Due diligence is a potpourri of tasks that may include interviews, background checks, reviews of databases and publications, consulting third parties to provide reliable local information, using forensic accountants to review books and records to evaluate risk, visiting the office of agents, and other methods of confirming suitability, as the case may be. Once again, the application of risk-based principles will help determine how much due diligence is appropriate for various types of third parties.

At too many companies, third-party compliance oversight begins and ends with due diligence. In other words, the company conducts its third-party due diligence, places the resulting report in its file, and then moves on to conducting the business relationship without much more in the way of oversight. Ongoing review of the relationship, however, is the best way to proceed, including through periodic certifications, ensuring up-to-date training, monitoring any deviations of the relationship from the anticipated course, and the conduct of third-party audits. Due diligence is important, but it is only a limited snapshot of the past. As the relationship evolves, the company’s best source of information about the relationship becomes the data concerning its own relationship with the third party.

 

What’s The Difference?

Tuesday, July 7th, 2015

As readers no doubt are aware, since August 2013 JP Morgan has been under FCPA scrutiny for its alleged hiring of so-called Chinese princelings (family members of alleged Chinese officials) to curry favor with Chinese officials in a position of influence over its business.

JP Morgan’s FCPA scrutiny soon led to an industry sweep of the financial services industry concerning hiring practices in China and other Asian countries. Among the other banks under scrutiny are: Bank of New York Mellon Corp., Citigroup Inc., Credit Suisse Group AG, Deutsche Bank AG, Goldman Sachs Group Inc., Morgan Stanley, and UBS AG.

Given the industry, the FCPA scrutiny has generated a significant amount of critical commentary.  For instance, in this Wall Street Journal editorial former SEC Commissioner Arthur Levitt called the FCPA scrutiny of the financial industry “scurrilous and hypocritical.”  He wrote:

“If you walk the halls of any institution in the U.S.—Congress, federal courthouses, large corporations, the White House, American embassies and even the offices of the SEC—you are likely to run into friends and family members of powerful and wealthy people.”

Double standard aside, in response to the FCPA scrutiny FCPA Inc. churned out client alerts and other publications regarding best practices for hiring family members of foreign officials.

The following best practices were rightly noted (see here and here).

  • Check the educational and professional qualifications of the individual being considered for employment and ensure that they are appropriate for the position being filled.  Evidence that a relative of a government official was hired into a position for which he or she was not qualified will likely result in a finding that they were hired for improper purposes.
  • Ensure that the salary and treatment given to the relative of the government official is commensurate with the position and consistent with other individuals in a similar position.  Evidence that the relative of the government official is receiving a salary significantly higher than other individuals at a similar level and occupying similar positions suggests the additional funds may be provided to influence the related government official.
  • Confirm that the position was not created specifically for the relative of the government official.  Evidence that the position was created for a specific person will suggest that the company’s sole purpose in hiring the individual was to gain influence with the government official.
  • Make certain that, to the extent possible, the responsibilities of the relative of the government official do not fall in the realm of conduct over which the government official holds regulatory or other decision making authority.  For example, a relative of a government official charged with bank oversight should not be hired as the compliance officer for a bank subject to that authority.  Similarly, the hiring decision-maker should be independent of the business unit that may interact with the government official.
  • “An individual whose sole qualification for a prestigious Wall Street gig is a powerful mother or father in the … government should raise red flags.” If an individual “is not otherwise qualified for the position at [a] financial services company, the DOJ and SEC will ask about the basis for the hiring.”

Against this backdrop, as highlighted in this recent New York Times article:

“As [former Florida Governor and Republican Presidential Candidate Jeb] Bush sought to create a personal fortune for himself and his family after eight years in public office, he found a ready source of income: speeches sponsored by corporations and industry trade groups, including some that benefited from his administration’s policies.

Since 2007, Mr. Bush has delivered about 260 paid speeches, earning around $10 million in the process, according to records provided this week by his presidential campaign. The speeches, combined with his consulting and investment businesses, rapidly transformed his finances: His and his wife’s net worth soared to at least $19 million from $1.3 million over the past eight years.

The wealth he amassed from the speaking circuit pales in comparison to that collected by Hillary Rodham Clinton, a Democratic candidate. But it underscores the ease with which political figures can turn their public prominence into private riches.”

As relevant to the FCPA scrutiny of the financial services industry, as recently highlighted here by the Wall Street Journal, a release of Mr. Bush’s tax returns reveals that “over about six years as an adviser for the defunct Wall Street bank Lehman Bros. and later Barclays PLC, Mr. Bush earned, on average, between $1.3 million and $2 million.”

If the above bullet-point best practices were asked in connection with Mr. Bush’s adviser positions with Wall Street Banks, what would the answer be?

If the answers turned out to be the same as the answers regarding Wall Street’s FCPA scrutiny for allegedly hiring Chinese princelings, what’s the difference?

Let’s call a spade a spade.

We have princelings in this country too as well as individuals who bounce in and out of politics and “private” life so often that they are effectively part of the political class regardless of the precise moment in time in which the question is posed.

Is Incentive-Based Compensation A Scapegoat?

Tuesday, June 30th, 2015

Every day, real business people interact with real foreign officials in the context of real business conditions.

The vast majority of these interactions do not result in Foreign Corrupt Practices Act violations.

It is only when these real people are ethically compromised that FCPA violations occur.

Examining how and why these real people were ethically compromised is interesting to ponder.

In recent months Richard Bistrong (an individual who pleaded guilty to one count of conspiracy to violate the FCPA and spent fourteen months in federal prison) has suggested that incentive-based compensation for international sales, marketing, and business development teams “create[] incentives that foster corruption.”  

Bistrong further wrote:

“There will be no shortage of sales, marketing and business development employees, with lucrative incentive compensation packages, who are going to want to push the envelope on finding a way to deliver sales success over compliance to a sales manager.  In an unstable procurement environment, where purchases are sporadic, unpredictable, yet financially significant, a sales person knows that if he or she misses a major procurement, it may or may not come back in the sales and bonus cycle.

Thus, when confronted with a corrupt transaction, the sales person may think, “I have a lot on the line here personally, this purchase won’t happen again for another year, at least, so what does my sales manager want, compliance or sales?”

Bistrong has a perspective on FCPA violations that many people do not have.

However, I find the suggestion that incentive-based compensation is to blame, at least in part, for FCPA violations to be a scapegoat.

Such a suggestion fails to recognize that millions of individuals are working today subject to incentive-based compensation structures yet will not be ethically compromised to violate their employers’ compliance policies or engage in criminal activity.

That a few will does not mean that the incentive-based compensation in which they work is to blame.

*****

As a courtesy, I reached out to Bistrong to comment on the above post.

He writes:

“Compensation should never be used as a scapegoat, attempt to blame, or in any way to deflect the responsibility for unethical and illegal conduct onto other individuals or business components.  The question I ask, is if compliance professionals are focusing upon incentive structures as an “unspoken” organizational message and to insure that they do not conflict with the promotion of anti-bribery compliance programs.  If perhaps they do, especially where they are indexed to personal performance in low integrity regions, then perhaps a realignment  provides an opportunity to demonstrate to front-line teams that compensation and compliance all point to the promotion and fostering of ethical conduct. Incentive compensation is a proven positive driver for business development. In the context of anti-bribery compliance, from my perspective, it requires an additional level of scrutiny to insure that it does not send a conflicting message (as opposed to a scapegoat) to front-line teams.”

A Training Solution To A Training Problem

Wednesday, June 10th, 2015

The vast majority of corporate Foreign Corrupt Practices Act enforcement actions are based, in whole or in part, on the conduct of third parties (whether agents, representatives, distributors, or joint venture partners).

Against this backdrop, a recent survey found that approximately 50% of companies NEVER train third parties on anti-bribery and corruption laws and related compliance policies and procedures.

As to this survey finding, it was noted “companies may be reluctant to spend money and time to push training to third parties because they suspect they will not get much enthusiasm from third parties, who may view it as one more compliance exercise.”

That of course depends on what type of training it is.

I myself would not be enthusiastic about much of the FCPA and related training I’ve come across as it is filled with powerpoints and legalese.

FCPA and related training doesn’t have to be this way.

There is another option.

It’s the Global Anti-Bribery and Corruption Training Course I developed with Emtrain (an innovative compliance training company), and numerous companies across industry sectors have already selected it for their on-line anti-bribery training needs.

The approximately 60-minute course features several interactive components such as 20+ video clips that engage learners and illustrate real-world business scenarios that present risk and an enforcement risk spectrum that helps learners “issue spot” bribery and corruption risks. Other features of the course include:

  • Executive and non-executive versions;
  • The ability to configure the course with company-specific messages and videos from corporate leaders, company specific policies, and company employee hotline or reporting information;
  • Availability in the following languages: English, Spanish, Portuguese, Chinese (simplified), Japanese, French, Russian and others upon request;
  • The ability to use video scenes outside the e-Learning experience in live training, discussion groups, or company emails and reminders; and
  • A compliance Learning Management System enabling an administrator to launch and track training efforts and generate audit-ready training reports showing time spent on each video, screen, policy, etc.

To see what others are saying about the Global Anti-Bribery and Corruption Training Course, see here.

Assistant AG Caldwell Regarding Exorbitant Pre-Enforcement Action Professional Fees and Expenses – “That’s Not Us, That’s The Companies” Who Are Responsible, Plus Other DOJ Musings

Thursday, May 28th, 2015

The war of words regarding who is to blame for exorbitant pre-enforcement action professional fees and expenses continued in recent weeks.

By way of background and as highlighted in this prior post, in April Assistant Attorney General Leslie Caldwell stated – “we do not expect companies to aimlessly boil the ocean.”

Certain FCPA lawyers disputed Caldwell’s assertion – see here and here.

Recently, Assistant AG Caldwell again shot back, stating – as noted in this Wall Street Journal Risk & Compliance post – “That’s not us. That’s the companies” who are responsible for the pre-enforcement action professional fees and expenses.

*****

Staying with the same topic, as noted in this recent Morgan Lewis “Lawflash,” here is what DOJ Fraud Section Chief Andrew Weissmann had to say at a recent event:

“When asked about the rising costs of Foreign Corrupt Practices Act (FCPA) investigations, Mr. Weissmann dismissed the suggestion that high investigative and defense expenses—which have cost some companies nearly half a billion dollars—are a predicate to receiving full cooperation credit. Noting some of the staggering legal fees in the hundreds of millions of dollars, Mr. Weissmann advised the audience that companies do not need to “boil the ocean” when investigating corporate misconduct. Although there may be “historical evidence” of DOJ asking companies to engage in “widespread investigations,” he assured the audience that this “is not the current Department of Justice view.”

Mr. Weissmann described a “real life example” of a multinational company that voluntarily disclosed FCPA misconduct in an unnamed foreign country by a team of individuals who also had responsibilities in three other countries. Because “there was very good reason to think that they would have engaged in the same conduct in those other countries,” Mr. Weissmann said, DOJ expected the company to investigate those countries in order to receive full cooperation credit, and the company complied. Mr. Weissmann noted that the company was neither asked nor expected to expand its investigation to the “Antarctic,” for instance, or high-risk countries (as determined by Transparency International’s Corruption Perceptions Index) where the company operated. As explained by Mr. Weissmann, “If there is an issue in one country and just speculation that the same issues could be happening elsewhere, then we should deal with the issue that is before us and come to a very quick resolution.” Investigations should be “appropriately tailored to the facts at issue,” he said, because both DOJ and the companies it investigates share the same interest in “prompt resolutions.”

As noted in this prior post, prior to becoming DOJ Fraud Section Chief, Weissmann was a vocal critic of various aspects of DOJ FCPA enforcement.  Set forth below is what Weissmann wrote in Restoring Balance: Proposed Amendments to the FCPA.

“The current FCPA enforcement environment has been costly to business. Businesses enmeshed in a full-blown FCPA investigation conducted by the U.S. government have and will continue to spend enormous sums on legal fees, forensic accounting, and other investigative costs before they are even confronted with a fine or penalty, which, as noted, can range into the tens or hundreds of millions. In fact, one noteworthy innovation in FCPA enforcement policy has been the effective outsourcing of investigations by the government to the private sector, by having companies suspected of FCPA violations shoulder the cost of uncovering such violations themselves through extensive internal investigations.

From the government’s standpoint, it is the best of both worlds. The costs of investigating FCPA violations are borne by the company and any resulting fines or penalties accrue entirely to the government. For businesses, this arrangement means having to expend significant sums on an investigation based solely on allegations of wrongdoing and, if violations are found, without any guarantee that the business will receive cooperation credit for conducting an investigation.”

*****

Back to Morgan Lewis’s “Lawflash” – here is what it says about other aspects of Weissmann’s recent remarks.

“Mr. Weissmann confirmed DOJ’s commitment to providing more transparency regarding cooperation credit and declinations by including greater factual details in non-prosecution agreements (NPAs) and deferred prosecution agreements (DPAs) and providing “general statistics” about declinations in a series of “anonymized examples.” Currently, because declinations are rarely, if ever, publicly announced, companies and their counsel have limited insight into how and why such determinations are made. That will change, Mr. Weissmann said, with DOJ providing the public with greater transparency about the declinations process and what companies can do to increase their chances of receiving declinations. Likewise, although DOJ’s website already contains some information about DPAs and NPAs, Mr. Weissmann assured the audience that they can expect to see more detail in the future about what exactly happened that resulted in specific dispositions to help companies assess the benefits of full cooperation.”

*****

Finally, on the DOJ speech “beat,” Assistant AG Caldwell recently delivered this speech to a paying audience at Compliance Week.

The topic?

“[C]orporate accountability.  How corporations should be holding themselves accountable by designing compliance programs that don’t just look good on paper but actually work.  Compliance programs that are designed to protect the company’s reputation, customers, counterparties and the public, as well as ensuring compliance with the law.”

In pertinent part, Caldwell stated:

“A corporation’s internal compliance policies and practices, and its compliance professionals, are the first lines of defense against fraud, abuse and corruption. As all of you know, there is no “one size fits all” compliance program.  Rather, effective compliance programs are those that are tailored to the unique needs, risks and structure of each business or industry. While a corporate compliance program must, by definition, address regulatory risk and the risk of potential violations of law, a strong compliance program will not stop there. A strong program also will aim to deter employee misconduct, whether or not that misconduct poses obvious regulatory risk.

While companies have for years appropriately adopted a “risk-based” approach to compliance, we have seen that corporations all too often misdirect their focus to the wrong type of risk.  We have repeatedly seen corporations target the risk of regulatory or law enforcement exposure of institutional and employee misconduct, rather than the risk of the misconduct itself. The result: compliance programs are too often behind the curve, effectively guarding against yesterday’s corporate problem but failing to identify and prevent tomorrow’s scandals.

In designing compliance programs, companies would be wise to examine all of their lines of business – including those not subject to regulation – and determine where specific risks are and how best to control or mitigate them. It is also critical that compliance programs take into account the operational realities and risks attendant to the particular company’s business, and are designed to prevent and detect particular types of misconduct likely to occur in a particular line of business.

For example, to comply with the Foreign Corrupt Practices Act (FCPA), businesses that tend to be exposed to corruption must employ different internal controls than businesses that have less exposure to corruption.

[...]

Too often we have heard companies say that a particular course of criminal conduct took them by surprise, when a hard look at the business practices would have identified the risk.  And, far too often, we have heard companies exclaim in defense that everyone else is doing it – that others in the industry are engaged in the same misconduct.  But as you all know, an industry-wide compliance failure is not a defense to knowing and willful criminal activity.

With this principle that compliance programs should be proactive, and not merely reactive in mind, there are some general hallmarks of effective compliance programs that I’d like to share with you today.

  • A company must ensure that its senior leaders provide strong, explicit and visible support for its corporate compliance policies. Corporate management must enforce compliance policies, not tacitly encourage or pressure employees to engage in misconduct to achieve business objectives.
  • We look not just at the written policies, but to other messages otherwise conveyed to employees, including through in-person meetings, emails, telephone calls, incentives/bonuses, etc.; and will make a determination regarding whether the company meaningfully stressed compliance or, when faced with a conflict between compliance and profits, encouraged employees to choose profits.
  • Senior executives should be responsible for the implementation and oversight of compliance. Those executives should have authority to report directly to independent monitoring bodies – for example, internal auditors or the board of directors.
  • A company’s policies should be clear and in writing and should easily be understood by employees. But having written policies – even those that appear specific and comprehensive “on paper” – is not enough.
  • Compliance teams need adequate funding and access to necessary resources. And they must have an appropriate stature within the company.
  • A company should have an effective process – with sufficient resources – for investigating and documenting allegations of violations.
  • A company periodically should review its compliance policies and practices to keep it up to date with evolving risks and circumstances, including when the company merges with or acquires another company. In particular, if a U.S.-based entity merges with, acquires or is acquired by a foreign entity, all compliance policies should be reviewed and revised accordingly.
  • A company should have an effective system for confidential, internal reporting of compliance violations.
  • A company should implement mechanisms designed to enforce its policies, including incentivizing compliance and disciplining violations.
  • A company should sensitize third parties with which it interacts (for example, vendors, agents or consultants) to the company’s expectation that its partners are compliant. This means more than including boilerplate language in a contract. It means taking action – including termination of a business relationship – if a partner demonstrates a lack of respect for laws and policies.

Corporations also must ensure compliance with the laws of all the countries in which they operate.  We appreciate that this may present a major compliance challenge, as international corporations often must bridge cultural, as well as geographic, divides.  But such challenges do not justify non-compliance.

[...]

Overall, our message is simple: we expect corporate entities to take compliance risk as seriously as they take other business-related risks.

[...]

When a compliance program works and a company suspects or discovers potential criminal wrongdoing, a company would be wise to conduct a thorough internal investigation. While we in the Criminal Division will not tell a company how it should conduct an investigation, we evaluate the quality of a company’s internal investigation, both through our own investigation and in considering what if any charges to bring against a company.  In that regard, we have seen some “best practices” with regard to internal investigations.

Good internal investigations uncover the facts.  They don’t promote corporate talking points or whitewash the truth.  The investigation should be focused on rooting out the relevant facts, identifying and interviewing the knowledgeable actors and capturing and preserving relevant documents and other evidence.  The investigation should seek to identify responsible individuals, even if those individuals hold senior positions at the company.

It is reasonable to take resources – time and money – into account.  If an internal investigation unearths criminal conduct, the inquiry should be thorough enough to identify the relevant facts, players, documents and other evidence, and to get a sense of the pervasiveness of the misconduct. But, we do not believe that it is necessary or productive for a company to employ its internal investigators to look under every rock and pebble – particularly when a company has offices or personnel around the globe that do not appear to be involved in the misconduct at issue. In fact, doing so will cost companies much more in the end, both in fees but also because it ultimately will delay our investigation and delay resolution and closure for the company.

For example, if a multi-national corporation discovers an FCPA violation in one country, and has no basis to suspect that the misconduct is occurring elsewhere, the Criminal Division would not expect that the internal investigation would extend beyond the country in which the violation was discovered.  By contrast, if the known offenders operated in multiple countries, we would expect that the internal investigation would extend into those locations as well.

Once your company learns of potential criminal conduct and confirms it through a reasonable internal investigation, the company then must choose whether to disclose the conduct to the government, and whether to cooperate in the government’s investigation. These are the company’s choices, and very few companies have a legal obligation to disclose criminal misconduct to the department.  Likewise, there is no obligation to cooperate beyond compliance with lawful process. But if a company chooses to cooperate with the government in its investigation – particularly at an early stage – the company likely will receive significant credit for such efforts when the government is contemplating what prosecutorial action to take.

In conducting an investigation, determining whether to bring charges and negotiating plea or other agreements, federal prosecutors take into account, among other factors, the corporation’s timely and voluntary disclosure of wrongdoing and its willingness to cooperate in the investigation of its agents.  Prosecutors also consider the availability of alternative or supplemental remedies such as civil or regulatory enforcement action.

To receive cooperation credit, a company must do more than comply with subpoenas or other compulsory process.  Companies must provide a full accounting of the known facts about the conduct or events under review, and affirmatively must identify responsible individuals (and provide evidence supporting their culpability), including corporate executives and officers – and they must do so in a timely way. A company’s cooperation may be particularly helpful where the criminal conduct continued over an extended period of time, and the knowledgeable or culpable individuals and/or the relevant documents are dispersed or located abroad. Under these circumstances, cooperation includes helping to circumvent barriers to the investigation by making knowledgeable personnel available for interviews or testimony, and by producing documents and other evidence that otherwise may not be readily accessible to the government.

We recognize that some foreign data privacy laws may limit or prohibit the disclosure of certain types of data or information.  Over the years, the Criminal Division has developed an understanding of certain oft-cited data privacy laws, and we will challenge what we perceive to be unfounded reliance on these laws to justify withholding requested information.  Companies should avoid this by giving careful consideration to the government’s requests for information, refraining from making broad “knee jerk” claims that large categories of information are protected from disclosure and producing what can be disclosed.

[...]

Corporate accountability through a strong, tailored compliance program and thorough internal investigations should be the standard for your companies.

[...]

Corporate accountability through compliance, investigations and protections against breaches is a good practice for all of your companies.  And in the Criminal Division, I am emphasizing accountability on our side as well, particularly through our work with regulators and other law enforcement agencies, and through increased transparency about our decision-making where possible.

Many of the cases handled by the Criminal Division also involve parallel investigations or civil or enforcement actions by civil or regulatory authorities.  Even if certain misconduct could be pursued civilly or through regulatory action, criminal investigation and prosecution often is appropriate.

It is department policy that criminal prosecutors and civil attorneys coordinate with one another and with agency attorneys, to the extent permissible, to protect and advance the government’s overall interests.  Early and effective coordination is critical to ensuring the efficient use of resources and the best ultimate outcome.

We have heard concerns expressed about regulatory “piling on.”  We agree that there is the potential for unfairness when a company is asked to pay penalties and fines to different regulators and enforcement authorities based on the same set of facts.

Different law enforcement authorities have distinct and important functions.  Companies know who their regulators are, and they know that they are subjecting themselves to those regulatory schemes and the laws of the countries in which they operate.  But we are trying to address this concern and are mindful of making sure that companies are not punished unfairly.

Since becoming Assistant Attorney General, one of my priorities has been to ensure that the Criminal Division is as transparent as possible about its decision making.  While we are limited in the information we can disclose to the public about matters in which we decline to prosecute, when we file charges, secure a guilty plea or enter into a deferred prosecution or non-prosecution agreement, the Criminal Division will place in the public record detailed information explaining the rationale for the particular resolution whenever possible.

Whether we secure a guilty plea or enter into an NPA or DPA, these resolutions generally have the same key components: admissions, a detailed statement of facts, remediation and/or enhanced compliance requirements and penalties.  Depending on the facts and circumstances of a particular case, the Criminal Division also may require the imposition of a compliance monitor. Companies would be wise to study these publicly-available documents to measure their compliance or to assess their exposure.

In our view, increased transparency benefits everyone.  From the Criminal Division’s perspective, if companies know the benefits that likely will flow from self-reporting or cooperating with the government’s investigation, we are confident that more companies will be willing to voluntarily disclose identified misconduct and cooperate, including against culpable individuals. In addition, transparency takes a significant amount of the guess work out of assessing the likely benefits of cooperation, as well as the costs of refusing to cooperate or offering limited or partial assistance.

Regardless of the form of resolution, the Criminal Division is committed to enforcing compliance with its terms.  In particular, when a company that is subject to the terms of an NPA or a DPA violates the terms of the agreement, if proportional to the breach, the Criminal Division will not hesitate to tear up the agreement and prosecute the offending entity based on the admitted statement of facts. If we do so, as with the other resolutions, the Criminal Division will be transparent and include its rationale in publicly-filed documents. In addition to statements contained in public filings in cases investigated or prosecuted by the Criminal Division, our commitment to transparency also is effectuated by the participation of Criminal Division personnel in conferences such as this one.”