How prosecutors view anti-corruption compliance programs

*This blog is adapted from an article written by my partner Bruce Zagaris and published in the International Enforcement Law Reporter.

If your company does not have an anti-corruption compliance program, then you should read our
blog post on why you should have an anti-corruption compliance program.
Let’s say you have a program in place, but it didn’t work. For example, your company may have violated the Foreign Corrupt Practices Act. Now you have the Department of Justice (DOJ) weighing in on what specific factors prosecutors should consider in conducting an investigation of a company, determining whether to bring charges, and negotiating a plea or other agreement.

The DOJ on June 1, 2020 issued a revision to its guidance on the Evaluation of Corporate Compliance Programs. The new DOJ guidance provides companies general principles and elements to consider when designing, implementing, and updating their compliance policies and procedures.

The DOJ explains that the purpose of the new guidance is to assist prosecutors in making informed decisions whether and to what extent the company’s compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution. Prosecutors can then use the guidance to determine the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).

The revisions to the guidance offer more information to enable companies to reevaluate existing compliance programs. Compliance programs should not remain stagnant. They need to be updated and monitored to maintain their effectiveness. The prior Compliance Program Guidance advised prosecutors to make an “individualized determination” of a compliance program. The current version recognizes that each company’s risk profile and solutions warrant particularized evaluation: “[W]e make a reasonable, individualized determination in each case that considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.”

A prosecutor should probe three “fundamental questions” in making his or her determination: the design of the program; company resources to support the program; and does the program work in practice.

Anti-corruption program design

With respect to the compliance program’s design the “critical issues to evaluate any program are whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct.”

Related article: Anti-Corruption Compliance Programs

Risk Assessment

Prosecutors should try to understand why the company has chosen to establish the compliance program the way that it has, and why and how the company’s compliance program has evolved over time. Prosecutors must consider whether the program is appropriately “designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business” and “complex regulatory environment[].”

For instance, prosecutors should consider whether the company has analyzed and addressed the varying risks presented by, among other factors, the location of its operations, the industry sector, the competitiveness of the market, the regulatory landscape, potential clients, and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, gifts, travel, and entertainment expenses, and charitable, and political donations.

Prosecutors should also determine if the risk assessment is current and subject to periodic review. Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review resulted in updates in policies, procedures, and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance program?

The guidance states the company should have a process to track and incorporate into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region.

Policies and Procedures

Prosecutors should examine whether the company has a code of conduct that relates the company’s commitment to full compliance with relevant federal laws and that is accessible and applicable to all company employees.

The company should communicate its policies and procedures to all employees and relevant third parties. Prosecutors should determine whether the policies and procedures have been published in a searchable format for easy reference. Prosecutors should ascertain whether the company tracks access to various policies and procedures to understand what policies are attracting more attention from relevant employees.

Training and communications

Prosecutors should assess the mechanisms ways the company has used to ensure that policies and procedures are integrated into the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents, and business partners. Prosecutors should also determine whether the company has communicated information in a way tailored to the audience’s size, sophistication, or subject matter expertise.

Some companies furnish employees with practical advice or case studies to address real-life scenarios, and/or guidance on how to obtain ethics advice on a case-by-case basis as needs arise. Other companies use shorter, more targeted training sessions to enable employees to identify and raise issues in a timely manner to appropriate compliance, internal audit, or other risk management functions.

Prosecutors are directed to ascertain whether the training adequately covers prior compliance incidents, and how the company measures the effectiveness of its training curriculum.

Most importantly, prosecutors must determine whether the compliance program is disseminated to, and understood by, employees in practice to determine whether the compliance program is “truly effective.”

Confidential reporting structure and investigation process

Prosecutors should determine whether the compliance program has an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies, or suspected or actual misconduct. For instance, does the company’s compliance process include proactive measures to create a workplace atmosphere without fear of retaliation, appropriate processes for the submission of complaints, and processes to protect whistleblowers.

A new wrinkle in the Guidance is that prosecutors should ascertain whether the reporting and investigating mechanisms are sufficiently funded, and whether the company collected, tracked, analyzed, and used information from its reporting mechanisms. Prosecutors should inquire whether the company periodically analyzes the reports or investigation findings for patterns of misconduct or other red flags for compliance weakness.

Third party management

Prosecutors should assess whether the company knows the business rationale for requiring the third party in the transaction and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials. For instance, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical reason.

Another new requirement is that prosecutors should determine whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits and/or annual compliance certifications by the third party.

Paper tiger anti-corruption compliance programs not given credence

If you have an anti-corruption compliance program that does not expressly take into the current risks of your company due to its geographical exposure, its products and services, any new facts and circumstances, such as the need of key employees to work remotely, it is not going to hold much sway with a prosecutor.

The prosecutor must determine if the company’s compliance program has sufficient resources and empowered to function effectively. Prosecutors should probe whether a compliance program is a “paper program” or one “implemented, reviewed, and revised, as appropriate, in an effective manner.” Prosecutors should also determine “whether the corporation has provided for a staff sufficient to audit, document, analyze, and utilize the results of the corporation’s compliance efforts.”

Commitment by senior and middle management

Prosecutors should ascertain whether senior, including the board of directors and executives, and middle management are proactively involved in the compliance program.

Autonomy and resources

Prosecutors should address the sufficiency of the personnel and resources within the compliance function, particularly, whether those responsible for compliance have: (1) sufficient seniority within the organization; (2) sufficient resources, namely, staff to effectively undertake the requisite auditing, documentation, and analysis; and (3) sufficient autonomy from management, such as direct access to the board of directors or the board’s audit committee.

Incentives and disciplinary measures

Prosecutors must determine whether incentives for compliance and disincentives for non-compliance are established. Prosecutors should assess whether the company has clear disciplinary procedures in place, enforces them consistently across the organization, and ensures that the procedures are commensurate with the violations. To what extent do the company’s communications tell its employees that unethical conduct will not be tolerated and will bring swift consequences, regardless of the position or title of the employee who engages in the conduct.

Does the company’s compliance program work in practice?

One of the key and challenging questions prosecutors must answer in evaluating a compliance program following misconduct is whether the program was working effectively at the time of the offense, especially where the misconduct was not immediately detected.

Continuous improvement, periodic testing, and review

A company’s business changes over time, as do the environments in which it operates (e.g., the coronavirus pandemic,) the nature of its customers, the laws that govern its actions, and the applicable industry standards. Hence, prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure that it is updated and current. Companies survey employees to gauge the compliance culture and evaluate the strength of controls, and/or conduct periodic audits to ensure that controls are operating well, through the nature and frequency of evaluations may depend on the company’s size and complexity.

Investigation of misconduct

An effective compliance program has a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigations structure will also document the company’s response, including any disciplinary or remediation measures taken.

Analysis and remediation of any underlying misconduct

An effective compliance program can be tested by the extent to which a company can conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.

What companies should do

Companies should take the opportunity of the DOJ’s revisions to the guidance to update their compliance plans, especially in the context of assessment of specific risks, such as new contracts, new products, new third party agents, and changed environment, including the pandemic and remote work. They should re-evaluate the accessibility and use of policies and procedures as well as their training programs.

Data driven efforts assessing the effectiveness of a compliance program are increasingly required. Depending on the size of the company, a third party review carries more weight than an internal review. Companies may want to engage an anti-corruption compliance lawyer to assist in creating, revising or assessing an anti-corruption compliance program.