Several years ago, Tom Fox was kind enough to post the “FCPA Compliance Overview and Action Plan” that I cobbled together based on my experiences. Since that time I have received many calls and e-mails for more information, so I decided to post it for others to consider using in practice. My goal is to continuously tweak the plan. Your suggestions and comments are always welcome.
Note: The draft guidance referred to throughout (the UK Ministry of Justice's consultative guidance under the UK Bribery Act) is not prescriptive and does not detail specific anti-bribery measures. Instead it adopts a principles-based approach, intended to serve as a guide for the board in its oversight role and for management when implementing an anti-bribery compliance program.
For any company with foreign operations, “FCPA” is a dirty acronym. It should not come as a surprise that compliance with the Foreign Corrupt Practices Act has become a key area of focus for boards and senior management. FCPA enforcement continues apace, and the SEC and DOJ continue to prosecute companies and individuals for bribery, fraud and other corporate misconduct. Overseeing FCPA compliance should not be taken lightly: good governance dictates that boards create and follow procedures designed to ensure compliance with applicable laws and regulations.
Directors succeed in this task by fostering a culture of high ethical standards, by prioritizing compliance oversight, and often by personally investing time and effort in the company outside the boardroom. Ethics and compliance should be near the top of the agenda at every board meeting, just as safety, environmental, and cyber hygiene often are. It is all too common for compliance review to be considered a “routine” item on the board agenda, associated with annual reviews of codes of conduct and other corporate governance staples.
The entire board of directors is responsible for compliance oversight, whether or not a compliance or risk committee exists. It is essential for directors to stay current on developments that affect compliance. Shifts in the regulatory environment, updated best practices, issues that have recently arisen in the company or the industry, changes in laws, the hiring or firing of key personnel abroad, the company’s merger and acquisition activity: all of these are potentially significant to compliance oversight.
While the entire board of directors is responsible for compliance oversight, the audit committee is often tasked with assessing whether management has developed and is maintaining an effective compliance program to address corruption risk. Specifically, the audit committee is often asked to assess the overall compliance structure, including the roles, resources, and responsibilities of the compliance, legal, and internal audit functions, which can be problematic if they are not harmonized (what I refer to as the “Bermuda Triangle”); the quality, thoroughness, and age of the risk assessment; and the other elements of the compliance program.
The audit committee is also responsible for overseeing the financial reporting process and controls, the internal audit function, and the external auditors, including the appointment of the company’s external auditor. It oversees management’s implementation of policies that are intended to foster an ethical environment and mitigate financial reporting risks. In this process, the audit committee has the responsibility to see that management designs, documents, and operates effective controls to reduce the risk of financial reporting fraud to an acceptable level. The Sarbanes-Oxley Act also makes the audit committee responsible for establishing mechanisms for the receipt, retention, and treatment of complaints received by the company regarding accounting, internal accounting controls, or audit matters, and confidential, anonymous submissions by employees of concerns regarding questionable accounting and auditing matters (generally referred to as the ethics or whistleblower program).
In addition, it is increasingly common for the audit committee to have a link with the compensation committee through overlapping members, joint meetings, or attendance of the audit committee chair at certain compensation committee meetings. The objective of this process is to satisfy both committees that the executive compensation structure provides sound incentives for achieving corporate strategies without unintentionally providing motivations for fraud or other unethical behavior. The focus on compensation structures will likely increase as a result of legislation and regulatory rules regarding corporate compensation policies and practices.
Sources: Harvard Law Forum and the Center for Audit Quality Anti-Fraud Report: Deterring and Detecting Financial Reporting Fraud: A Platform for Action
FCPA Compliance Action Plan
Top level commitment – “Tone and Conduct from The Top”
▪ Top-level management (usually the board of directors and senior executives) must establish a culture within their company in which bribery is unacceptable. They also should ensure that the company’s policy to operate without bribery is effectively communicated throughout the company. The draft guidance provides examples of what top-level commitment should include:
▪ A “zero tolerance policy” toward bribery in all parts of the company’s operation;
▪ Clear explanation of the consequences that employees and business partners will suffer if they violate the corporate policy;
▪ Personal involvement in the development of a code of conduct, or ensuring the publication and communication of anti-bribery measures to all employees, subsidiaries and business partners; and,
▪ Appointing a senior manager to oversee the development of an effective anti-bribery program.
“Top level commitment” is another commonly identified element of an effective compliance program. This principle, as articulated in the draft guidance, appears to combine the requirement of a strong “tone at the top,” noted by almost every respected guide on compliance programs from the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) to the US Department of Justice, and the need for a clear, firm anti-bribery policy—a principle also widely endorsed in the compliance literature and by governmental organizations.
Corruption and Bribery Risk Assessment
The OECD Good Practice Guidance states that a compliance program should be developed on the basis of a risk assessment, as does A Resource Guide to the U.S. Foreign Corrupt Practices Act, issued by the Criminal Division of the U.S. Department of Justice and the Enforcement Division of the U.S. Securities and Exchange Commission, which says that the assessment of risk is fundamental to developing a strong compliance program and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.
▪ Conduct a comprehensive review of the company and assess the potential bribery and corruption risks associated with its products and services, customers, third-party business partners and geographic locations where it operates.
▪ The risk assessment can serve as the documented rationale for the compliance program.
▪ Businesses must be aware of the current bribery risks they face in the sectors and markets in which they operate. The appropriate form of any risk assessment procedure will depend on the size of the company, as well as its activities, customers and markets. But companies are generally advised to consider the following:
▪ Whether those performing the risk assessment are “adequately skilled“; and,
▪ What data sources should inform the risk assessment. The draft guidance suggests the use of internal data (annual audit reports, internal investigation reports, focus groups and staff, client or customer complaints) and external data (analyzing publicly available information on bribery issues in particular sectors or jurisdictions).
For multinational corporations already subject to the US Foreign Corrupt Practices Act (“FCPA”) and other anti-bribery enforcement regimes, this requirement should be no surprise. Section 8B2.1 of the US Sentencing Guidelines for Organizations already lists periodic risk assessments as a component of an effective compliance program. And the OECD’s Working Group on Bribery in International Business Transactions issued guidance in November 2009 that similarly advised risk assessments as a good practice for companies. Regardless of official guidance, no company can properly design a compliance program without identifying and understanding the risks it wishes to guard against.
▪ Most companies struggle with implementing internal controls to mitigate risk and support their internal anti-bribery and anti-corruption policies.
▪ Develop, document and maintain a system of internal financial controls to ensure that all payments are accurately recorded in the company’s books and records in accordance with applicable regulatory requirements.
▪ Special attention should be paid to those areas that may directly affect the anti-bribery and corruption compliance program such as procurement, on-boarding of vendors, agents, consultants, and other third-party business payees.
▪ Gifts and entertainment controls. Managing the offering and receiving of corporate gifts, entertainment and travel has become increasingly important in today’s environment of increasing regulatory oversight. Gifts given with the best of intention can be incorrectly perceived and lead to millions of dollars in government fines, as well as loss of potential business.
▪ A policy of conducting “root cause analysis” whenever there is a failure or breakdown, so that any remediation treats the actual cause rather than the proximate cause or the symptom(s).
Structuring and Defining Roles & Responsibilities
▪ Anti-corruption director (See Daimler)
▪ Chief Compliance Officer or Other Senior Corporate Official
▪ The assignment to one or more senior corporate officials of responsibility for implementing (see discussion within) and overseeing compliance with the policies, standards and procedures regarding the FCPA and other applicable anti-corruption laws, with the authority to report matters directly to the Board.
▪ Understanding the amendments to the US Sentencing Guidelines that became effective on November 1, 2010, which included a change related to direct reporting. The amendment affects the reporting structure in companies where the Chief Compliance Officer (CCO) reports to the General Counsel (GC) rather than to a committee of the Board of Directors. The change reads: “the individual…with operational responsibility for the compliance and ethics program…[should] have direct reporting obligations to the governing authority or any appropriate subgroup… (e.g. an audit committee or the board of directors)”. If a company has the CCO reporting to the GC, who in turn reports to the Board, that structure may not qualify as an effective compliance and ethics program under the amended Sentencing Guidelines. The better practice now appears to be that the CCO should report directly to the Board or to an appropriate subcommittee of the Board, such as the compliance or audit committee.
Risk-based Third Party Due Diligence
The fact that a bribe is paid by a third-party does not eliminate the potential for criminal or civil FCPA liability.
▪ Develop and document an investigative due diligence protocol that will assess the potential bribery and corruption risks associated with third parties such as vendors, consultants, suppliers, agents and joint venture partners.
▪ The nature and extent of the investigative due diligence should be based on the third party’s risk profile.
▪ The protocol should set forth the remedial steps that may be taken for those parties that represent an elevated risk of bribery and corruption, including, but not limited to escalated due diligence or the termination of the relationship.
▪ Types or Levels of Due diligence
▪ Basic: simple database checks
▪ Medium: more in-depth review
▪ High: reputation checks, site visits, forensic review of financial statements, and investigative procedures outside the US
Third-Party Due Diligence Committee, with responsibility for reviewing:
- New third party relationships;
- The specific contract with the third-party;
- A program to monitor third-party activities;
- A training program for the specific third-party;
- A determination of the comparability of a third-party ethics and compliance program; and
- A plan to audit the company’s high-risk third parties by sampling transactions on a regular basis and then scheduling of an on-site visit and audit.
Clear, Practical, Current, And Accessible Policies And Procedures
▪ There should be a clearly articulated policy against bribery and corruption that reinforces the tone of compliance set by the board and management.
▪ Procedures and processes that clearly set forth permitted and prohibited conduct, supervisory and compliance approvals for certain conduct and documentation of such approvals.
Documenting a Detailed Multi-year Compliance Plan
▪ Companies must embed anti-bribery policies and procedures throughout the business. “Paper compliance” is insufficient. Companies should consider establishing an implementation strategy detailing the rollout of these policies and procedures:
▪ Who bears responsibility for program implementation;
▪ How to communicate the policies and procedures internally and externally;
▪ The content and nature of anti-bribery training and how to roll it out effectively;
▪ How senior management will monitor the program’s implementation;
▪ Whether and how the company will use external assurance processes;
▪ The processes for monitoring compliance;
▪ The implementation timetable;
▪ An explicit statement of penalties for violating relevant anti-bribery policies and procedures;
▪ The date of the program’s next review; and
▪ A decision on whether to require or suggest that business partners take part in anti-corruption training courses.
Warning! The statement that “paper compliance” is insufficient echoes warnings issued numerous times by US enforcement officials. Indeed, US Deputy Attorney General Mark Filip’s well-known 2008 memorandum on prosecuting business organizations explicitly cautions that a mere “paper program,” lacking the necessary design, implementation, and review, will not protect a company from prosecution.
Appropriate Disciplinary Procedures To Address Violations
▪ Appropriate disciplinary procedures to address, among other things, violations of the FCPA, the UK Bribery Act, and other applicable anti-corruption laws or of the compliance code by directors, agents and business partners.
Ensuring Robust Monitoring and Review (Utilizing Internal Audit)
▪ Develop and document processes and/or controls to periodically assess the effectiveness of the compliance program and potential vulnerabilities and monitor for employee compliance.
▪ Such processes may include periodic testing and validation, review of available metrics and design of self-assessment forms and exercises.
▪ Develop training materials that clearly and concisely interpret applicable legal, regulatory, policy and procedural requirements as well as the possible ramifications associated with non-compliance. The training materials should be reviewed periodically to ensure their continued adequacy.
▪ Training should be a process and provided regularly to senior management and key compliance and business personnel. Blended training is a leading practice and requires follow-up of key points.
An Effective System for Reporting Suspected Criminal Conduct and/or Violations of the Applicable Anticorruption Laws for Directors, Employees, Agents and Business Partners.
▪ Develop and maintain a system for receiving complaints containing allegations of bribery and corruption as well as a system to investigate such allegations and document the actions taken with respect to such complaints and investigations. Ensure that all allegations are captured in the system.
Other Risk Mitigation Procedures
▪ Standard provisions in contracts and agreements that include at a minimum:
▪ Anti-corruption representations and undertakings relating to compliance with FCPA, UK Bribery Act and other applicable anti-corruption laws;
▪ Rights to conduct audits of the books and records; and
▪ Rights to terminate as a result of any violation of anti-corruption laws, and regulations or representations and undertakings related to such matters.
Annual Testing of The Compliance Program
▪ The US Sentencing Guidelines state that there should be periodic reviews of a company’s compliance program, utilizing internal resources, such as a company’s Internal Audit function, and outside professional consultants.
▪ A compliance program should be developed on the basis of a risk assessment addressing the individual circumstances of a company, in particular the foreign bribery risks facing the company (such as its geographical and industrial sector of operation). Such circumstances and risks should be regularly monitored, re-assessed, and adapted as necessary to ensure the continued effectiveness of the company’s internal controls, ethics, and compliance program or measures.
▪ The UK Bribery Act Consultative Guidance, recently released by the UK Ministry of Justice, calls for ongoing risk review and monitoring, noting that a compliance program and its procedures should be reviewed regularly, and it encourages senior management of higher-risk and larger companies to consider external verification or assurance of the effectiveness of anti-bribery policies.
In a speech, Lanny Breuer, Assistant Attorney General for the Criminal Division of the US Department of Justice, indicated that such external verification or assurance of the effectiveness of a compliance program is a key component in helping a company maintain a “best practices” FCPA compliance program. He noted that it is through a mechanism such as an ongoing assessment that a company can continue to evaluate its own compliance program against compliance standards, which are evolving. Breuer has advocated an annual compliance program assessment by each company, and I do as well.
Higher risk and larger companies should consider external verification or assurance of the effectiveness of anti-bribery policies.
I welcome your comments and suggestions.
Jonathan T. Marks, CPA, CFF, CFE