February 21, 2018
US companies that conduct business abroad should still count anti-bribery/anti-corruption (ABC) compliance as a top legal and compliance risk issue, even though Foreign Corrupt Practices Act (FCPA) enforcement under the Trump administration witnessed an overall decline in FCPA enforcement actions in 2017. Indeed, the Department of Justice (DOJ) brought roughly the same number of FCPA enforcement actions in 2016 as it did in 2017 and has already commenced an enforcement action in 2018. And while there were considerably fewer Securities and Exchange Commission (SEC) enforcement actions in 2017 than in 2016, enforcement of the FCPA continues to be a high-priority area for the SEC. Compliance professionals, therefore, should still take routine and periodic stock of their current ABC compliance program to ensure that it aligns with regulator expectations.
Emphasis on Program Effectiveness
A review of your ABC compliance program should focus on three fundamental aspects: design, implementation, and effectiveness:
- The design aspect considers whether your ABC compliance program maintains the compliance program elements required by applicable standards and guidelines, such as Section 8B2 of the U.S. Sentencing Guidelines (“Effective Compliance and Ethics Program”), ISO 37001 (Anti-Bribery Management Systems), and the DOJ/SEC’s “Resource Guide to the U.S. Foreign Corrupt Practices Act.”
- The implementation aspect reviews how the design elements are implemented within your company and tailored to its individual business and operational aspects.
- The effectiveness aspect addresses whether your compliance program as designed and implemented is working to accomplish its objectives, which should be to prevent and detect violations of bribery and corruption laws as well as to promote an organizational culture that encourages compliance with these laws.
While all of these aspects are important, you should make sure to specifically assess your program’s effectiveness. In 2017, the DOJ made it clear that many facets of its evaluation of corporate compliance programs include an assessment of the “effectiveness” of the program. Most recently, on November 29, 2017, the DOJ officially announced its revised FCPA Corporate Enforcement Policy (the Policy), which states that when a company has self reported FCPA violations, has fully cooperated with the DOJ, has appropriately remediated the alleged misconduct in a timely manner, and has implemented an effective compliance program, there will be a presumption of declination (absent aggravating circumstances). For these reasons, a focus on program effectiveness is crucial when conducting a compliance program review and assessment.
Consideration of Foreign Laws and Future ABC Enforcement
An appropriate ABC program also should consider whether it adequately addresses foreign laws dealing with bribery and corruption in those foreign jurisdictions where a company may operate or do business (including through third-party intermediaries and affiliates). As the SEC’s co-director of its enforcement division stated late last year, cooperation and coordination of anti-bribery and anti-corruption enforcement “among regulators and law enforcement worldwide is on a sharply upward trajectory.” Regardless of the Trump administration’s future enforcement of the FCPA, therefore, companies should be mindful that criminal and civil enforcement actions abroad are increasing in number such that an ABC compliance program review should remain a top priority. Additionally, enforcement actions tend to involve facts and issues from several years in the past, so ABC incidents occurring within a company today may result in enforcement under a subsequent administration. As a result, compliance program leadership should not lose focus on their ABC compliance programs, because issues occurring today could be the subject of an enforcement action in a few years.
Conducting an Appropriate ABC Compliance Program Review
Considering the current enforcement environment, companies should take a systematic approach to reviewing their ABC compliance posture to ensure that their programs are designed, implemented, and effective under applicable ABC standards and guidance by doing the following:
1. Assess Yourself — Assuming your company is not already aware of ABC or FCPA-specific violations, the first step your company should undertake is a deliberate, systematic assessment exercise to identify inherent operational ABC risks, implemented compliance program controls, compliance design and implementation gaps, program effectiveness, potentially emerging risk areas, and previously unknown actual violations. Even if company leadership is already aware of some potential ABC violations, undertaking an assessment exercise can give a more complete picture of your company’s compliance posture, enabling better decision-making on how to proceed with law enforcement and regulators.
2. Review and Enhance Your Compliance Program — After completing the gap analysis exercise from the first step, companies should shore up their compliance programs through a combination of fixing the gaps identified, comparing against peer companies and available guidance, and enhancing their compliance programs through an infusion of the latest technology-enabled compliance and risk-monitoring techniques. In addition, as outlined above, companies should ensure that such a compliance program effectively identifies and mitigates noncompliance risks. Companies should also ensure that the compliance program is in tune with how each company currently does business. For example, ABC program areas focus on issues such as customer vetting, gifts and hospitality, facilitation payments, and third- and fourth-party risk issues. Books and records maintenance need to consider all the current company locations, personnel and stakeholders, processes, systems, and tools that may touch upon such issues. For example, if a company relies heavily on communications through ad hoc means (messenger apps) instead of emails, and storage and sharing of important records through cloud services instead of on-premises applications and solutions, that company’s compliance program should recognize such realities and ensure that the company’s ABC program elements address these channels.
Finally, in our experience, an aspect of compliance that companies often overlook at their own peril and to their detriment is ensuring that their compliance culture is healthy and that all personnel and relevant stakeholders are committed to ABC compliance. Accordingly, we recommend that in addition to the policies and procedures side of compliance, companies also proactively review and enhance their culture of compliance.
3. Proactive Investigation and Root Cause Analyses — Companies should promptly investigate and remediate all potential ABC violations that may be uncovered during steps one and two above. Companies also can uncover potential ABC violations by auditing high-risk transactions/activities and actors, and by setting up confidential reporting mechanisms as well as routine auditing and monitoring programs.
Investigations of identified issues should be timely, thorough, and result in identification of specific root causes and implementation of focused, on-point remediation actions to prevent recurrence by shoring up the company’s compliance program. It is also important to reasonably attribute improper and noncompliant behavior to specific individuals when warranted and hold them accountable to demonstrate that your company is serious about compliance.
1. Stanford Law School, Foreign Corrupt Practices Act Clearinghouse, Statistics & Analytics, available at: http://fcpa.stanford.edu/statistics-analytics.html.
2. See SEC Spotlight, SEC Enforcement Actions: FCPA Cases, available at: https://www.sec.gov/spotlight/fcpa/fcpa-cases.shtml; see also Steven R. Peikin, co-director, SEC enforcement division, speech: “Reflections on the Past, Present, and Future of the SEC’s Enforcement of the Foreign Corrupt Practices Act,” New York University School of Law (Nov. 9, 2017), available at: https://www.sec.gov/news/speech/speech-peikin-2017-11-09.
3. U.S. Department of Justice, Criminal Division, Fraud Section, “Evaluation of Corporate Compliance Programs,” available at: https://www.justice. gov/criminal-fraud/page/file/937501/download.
4. Steven R. Peikin, co-director, SEC enforcement division, speech: “Reflections on the Past, Present, and Future of the SEC’s Enforcement of the Foreign Corrupt Practices Act,” New York University School of Law (Nov. 9, 2017), available at: https://www.sec.gov/news/speech/speechpeikin-2017-11-09.