The principal method for reducing FCPA-related risks is an anti-corruption compliance program, i.e., a corporate system of internal controls, prohibitions and procedures designed to ensure that a company complies with anti-corruption laws. Such programs are designed to prevent, detect, and address any deviations or compliance failures that may occur.
A robust anti-corruption compliance program is an essential step to address compliance risk within a company. A modest investment in an effective program up front can prevent or mitigate expensive and burdensome issues on the back end.
The DOJ considers a company’s compliance program in deciding whether to conduct an investigation, bring charges, or negotiate a settlement agreement with a corporate target. Such decisions are made according to the Principles of Federal Prosecution of Business Organizations, under which the DOJ will consider, among other things:
- “the existence and effectiveness of the corporation’s pre-existing compliance program”; and
- “the corporation’s remedial actions, including any efforts to implement an effective corporate compliance program or to improve an existing one, to replace responsible management, to discipline or terminate wrongdoers, to pay restitution, and to cooperate with the relevant government agencies.”
In addition, according to U.S. sentencing policy for criminally convicted organizations, U.S. courts also consider the existence of an effective compliance program and give credit for companies that have such programs in place.
Like the DOJ, the SEC considers the existence of compliance programs when deciding whether to open an investigation or bring charges, and when determining the size of sanctions.
Recent enforcement actions highlight the importance of compliance programs. Such programs have allowed companies to substantially reduce corporate entities’ sanctions or even avoid them altogether, especially when other factors like cooperation are at play. For example, FCPAméricas discusses Morgan Stanley’s avoidance of penalties here.
Effective compliance programs must be tailored to the size, nature, and particularities of the company’s business, as well as the local risks and legal requirements pertaining to its operations. They need to be dynamic and evolve as the business and the markets change. Enforcement officials consistently emphasize that there is no “one size fits all” model for compliance programs and that “check the box” programs are inadequate.
Elements of an Effective Compliance Program
To implement an effective compliance program, companies should, at a minimum, incorporate the following:
- Leadership: An effective compliance program must have real substance and “top down” commitment from senior management. Senior company officers should oversee the compliance function and should be provided with sufficient resources to do so. They should have direct access to the company’s board of directors or equivalent for compliance matters.
- Risk assessment: Compliance programs should be based on an initial risk assessment that considers the specific risks confronted by the company in its operations. Such assessments should consider, among other things, sector and geographic risks, and risks resulting from customers and the company’s sales process. Companies should regularly re-evaluate their programs to ensure their effectiveness and identify areas where enhancements might be needed (FCPAméricas discusses general Latin America risks here, here, and here, and specific risks in Brazil here, in Mexico here, and in Colombia here).
- Written code of conduct and compliance policies: Codes, policies, and procedures should be clear, concise, and accessible to all employees and to those conducting business on the company’s behalf. Depending on the risks faced by the company, such policies and procedures may cover a broad spectrum of areas, for example, prohibition of bribery; use of consultants, agents, and representatives (FCPAméricas discusses third party risk here); M&A due diligence (discussed here); gifts; hospitality, entertainment and expenses (discussed here); travel; political contributions; charitable donations, and sponsorships.
- Communication and training: The company should take steps to periodically communicate the company’s policies and procedures to employees and, where necessary, third parties. They should receive training (described here). Such training should be documented, repeated periodically, and have a comprehensive curriculum designed to convey the right compliance lessons and knowledge, providing examples of practical cases and common red flags.
- Anonymous reporting: Companies should incorporate into their compliance programs a mechanism whereby employees and others can report suspected or actual misconduct or violations of the company’s internal policies or anti-bribery laws on a confidential basis and without fear of retaliation (FCPAméricas has discussed strategies for encouraging reporting here).
- Incentives and discipline: Companies must respond quickly to allegations of violations of anti-bribery laws and the company’s internal policies. Companies should investigate the facts and discipline the employees involved in the wrongdoing regardless of their position (FCPAméricas discusses investigations into allegations of wrongdoing here, here, and here). At the same time, companies should incentivize employees to perform in accordance with compliance programs.
- Internal controls: Compliance programs should include internal controls reasonably designed to ensure the maintenance of accurate books and records, as well as to ensure that the company’s funds are not used for bribery or other illegal purposes. The types of policies and procedures that need to be implemented will depend on the size, nature, and particularities of the business and its geographic location.
- Monitoring: Companies should regularly evaluate their compliance programs to identify areas needing modification or strengthening. Monitoring allows companies to determine where to direct compliance efforts. (FCPAméricas discusses monitoring here.)
The information in the FCPAméricas blog is intended for public discussion and educational purposes only. It is not intended to provide legal advice to its readers and does not create an attorney-client relationship. It does not seek to describe or convey the quality of legal services. FCPAméricas encourages readers to seek qualified legal counsel regarding anti-corruption laws or any other legal issue. FCPAméricas gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to FCPAméricas LLC.