In a significant development for companies relating to the Foreign Corrupt Practices Act (FCPA), in late November the U.S. Department of Justice (DOJ) announced a new FCPA Corporate Enforcement Policy (the Enforcement Policy).
The Enforcement Policy is designed to encourage companies to voluntarily disclose misconduct by providing greater transparency concerning the amount of credit the DOJ will give to companies that self-report, fully cooperate and appropriately remediate misconduct. Notably, in announcing the Enforcement Policy, the DOJ highlighted the continued critical role that anti-corruption compliance programs play in its evaluation of eligibility under the Enforcement Policy.
Both this Enforcement Policy, as well as new enforcement efforts in other countries, underscore why maintaining an appropriate anti-corruption compliance program has never been more important to companies and their boards.
By way of background, while there were questions early in 2017 whether the Trump administration would continue to prioritize FCPA enforcement, the Enforcement Policy suggests that the Trump administration will maintain the DOJ’s focus on the FCPA and will continue its efforts, first announced in the FCPA Pilot Program (described in our memorandum last year, found here), to encourage self-reporting by providing concrete benefits for companies that identify misconduct. The Enforcement Policy makes provisions of the Pilot Program permanent, and, in particular, the Enforcement Policy enhances the credit that companies will receive for “voluntarily self-disclos[ing] misconduct in an FCPA matter, fully cooperat[ing], and timely and appropriately remediat[ing]”: there is now a presumption that companies that satisfy these criteria, as now defined in the Enforcement Policy, will receive a declination so long as there are no “aggravating circumstances.” The Enforcement Policy also modestly improves the outcome for companies that satisfy the criteria but are ineligible for a declination because of those aggravating circumstances—the Enforcement Policy promises these companies a 50 percent reduction off the low end of the U.S. Sentencing Guidelines fine range, rather than the Pilot Program’s offer of a reduction up to 50 percent.
The Enforcement Policy was announced against the backdrop of increased cooperation between anti-corruption authorities in various countries, which, in turn, has greatly increased the exposure to companies for corruption-related misconduct. To highlight three recent examples:
- Rolls Royce agreed to pay over $800 million to authorities in Brazil, the United States and the United Kingdom for its role in a global bribery scheme.
- Telia agreed to pay over $965 million in criminal and regulatory penalties to U.S., Swedish and Dutch authorities (notably, the DOJ’s press release announcing the settlement thanked over 10 countries for their assistance in the investigation).
- Most recently, Keppel Offshore & Marine agreed to pay over $422 million to authorities in the United States, Brazil and Singapore.
In addition, the recent wave of corruption cases, particularly in Latin America, has led a number of countries to implement or enhance their own anti-corruption legislation targeting misconduct by companies. The trend started with Chile, Brazil and Colombia and has recently accelerated with:
- Peru passing the Corporate Corruption Act, which went into effect on January 1, 2018;
- Mexico’s General Law for Administrative Responsibility, which went into effect in July 2017; and
- Most recently, Argentina passing the Law on Corporate Criminal Liability and Compliance Programs.
These statutes share certain common characteristics, such as allowing local authorities to impose significant penalties on corporations for bribing public officials and include leniency-type programs to encourage self-reporting and provide credit for maintaining an effective anti-corruption compliance program (including as an absolute defense to liability in some instances).
In light of these recent developments, boards should continue to view an effective compliance program as an increasingly important aspect of a firm’s risk management. Among other things, a strong compliance program can both deter wrongdoing and help identify misconduct at an early stage. And, if misconduct is identified earlier, companies will be in a much better position to manage the possible financial and reputational damage, including, to the extent appropriate, by potentially taking advantage of the incentives set forth in the Enforcement Policy or other similar programs.
Given the DOJ’s emphasis on a company’s compliance program in evaluating whether to fully credit a company for timely and appropriate remediation, helpfully, in February 2017, the DOJ published its “Evaluation of Corporate Compliance Programs” (the Guidance), which takes the form of 119 specific questions (organized into 11 topics) that the DOJ may ask in making an “individualized determination” of the effectiveness of a company’s compliance program. Although the Guidance is not limited to anti-corruption compliance, we believe it can serve as a “best practices” standard against which companies can measure their own anti-corruption compliance programs.
While the Guidance is based on several prior well-known resources, including the FCPA Resource Guide, and many of the topics it covers will be familiar, there is a notable emphasis on process and evidence, which are similarly emphasized in the Enforcement Policy. Specifically, the Guidance focuses on how compliance objectives are identified and met by an organization and explicitly asks companies what data they have collected to evaluate their compliance programs.
The following is a summary of some of the key questions raised by the Guidance:
- Has there been appropriate conduct at the top? What concrete actions have members of senior management taken to demonstrate leadership in the company’s compliance efforts? Notably, the Guidance refers to “conduct” and not just tone at the top.
- Is the board exercising oversight over the compliance function? What information have the board and senior management examined in their exercise of oversight? Does the board have direct access to the compliance and control functions? Does the compliance function have a direct reporting line to the board?
- Has the company conducted an appropriate risk assessment to guide the development and execution of the company’s compliance program?
- Is the compliance function sufficiently funded in light of that risk assessment, with appropriate resources, and does it have appropriate stature within the company to ensure its effectiveness?
- How has the company responded when compliance has raised concerns about conduct? Is there an effective internal reporting mechanism, and what is the response to internal reports of misconduct?
- What has been the company’s process for designing and implementing new policies and procedures? Have policies and procedures been implemented in an effective fashion with appropriate training and guidance?
- Has the company appropriately disciplined wrongdoers? Are compliance and ethical conduct incentivized?
- Has the company assessed and attempted to manage the risk from third parties?
- What policies and procedures does the company have in place to track and remediate risks identified during the due diligence process in M&A transactions?
- How has the company tested, audited and updated its program?
- Where misconduct has been identified, what is the company’s analysis of the causes of the underlying conduct and was it remediated? This root cause analysis is highlighted in the Enforcement Policy as a requirement for receiving full remediation credit.
There is obviously no “one-size-fits-all” approach to compliance (something the Enforcement Policy itself recognizes), and each company (and its board) will need to conduct its own assessment of its risk and how best to design its anti-corruption program. However, a board can use the questions contained in the Guidance to benchmark its own compliance efforts and, to the extent it ever becomes necessary, provide some assurance that its compliance program will satisfy the heightened expectations of DOJ and other anti-corruption authorities across the globe.
 The Enforcement Policy, however, does require companies “to pay all disgorgement, forfeiture and/or
restitution resulting from the misconduct at issue” to be eligible for any credit.