Introduction

Earlier this year, the Fraud Section of the Department of Justice’s (DOJ) Criminal Division surprised compliance officers with guidance on how regulators measure the effectiveness of third-party compliance programs. The release of the Evaluation of Corporate Compliance Programs guidance aims to clear up confusion regarding what regulators look for when assessing corporate compliance programs during investigations.

The guidance does not serve as a definitive roadmap, and authorities stress that the document provides neither a “checklist nor a formula”. Instead, it provides compliance officers with an understanding of law enforcement’s mindset and areas of focus during an investigation of misconduct.

Relating the Guidance to Your Compliance Program

While we recommend that compliance officers review the document in its entirety, we’ve identified the themes we believe unmask several of the government’s overarching priorities when assessing a company’s compliance efforts.

Due Diligence is Only One Element of a Broader ABAC Program

Effective third-party due diligence requires that a program subject all third parties to the appropriate scrutiny. A risk-based approach helps standardize the vetting process and determine the appropriate level of diligence. However, performing due diligence by itself does not serve as a comprehensive FCPA program for multinational organizations. The day-to-day management and workflow of a compliance program, including the process of data collection, housing documents, and creating an auditable trail, is every bit as important.

Adjudication is a Process, Not Simply a Task

Investigators seek to understand to what extent a compliance program achieves its anti-bribery and anti-corruption purpose. When due diligence uncovers red flags, companies should have mechanisms in place to resolve them, such as discussions with stakeholders or a legal review. Adjudication is not simply the approval or denial of a third-party relationship; rather, it should encompass a systematized process whereby further vetting is required to understand the severity of a red flag, the scope of the intended business relationship, and the relationship between the two.

Continuous Program Improvement

Government investigators aim to discover if a company has a reactive or proactive mindset as it relates to compliance. Once a company uncovers a violation, regulators want to see evidence that the company has committed time, effort, and resources to prevent similar incidents.

One of the primary goals of a government investigation is to determine whether the company had suitable mechanisms in place to detect the misconduct, and, if so, whether it acted appropriately on the information it uncovered. In self-defense, it is crucial that organizations have an ABAC program in place before alleged misconduct occurs.

Beyond the third-party specifics, regulators seek to understand that the compliance program is operating well on a strategic level and that processes are continually evaluated for overall program effectiveness. The absence of this element could expose a broader issue of a defunct compliance program that could fail to identify potential risks. The expectation is that multinationals are actively managing their compliance program and auditing the process for gaps that require remediation.

Organizational Structure and Leadership Oversight

DOJ and SEC enforcement actions, particularly those that result in stiff penalties and fines, often describe how much the company’s executives knew about the misconduct and how little they did with that information. To that end, the government’s investigators routinely dedicate part of their investigative efforts to establishing the level of “institutional knowledge” regarding violations of the FCPA. How much did the company’s senior leadership know about the violation, and what did they do with that information? If they didn’t have visibility into the area where the misconduct happened, why not? Further, if executives knew the company had contravened the FCPA, did they act with the appropriate sense of urgency to halt the activity?

While many companies place their compliance departments at or near the top of their organization charts, does that positioning give them the power to influence broader operational activities to ensure compliance with the FCPA? Regulators want to know if the compliance department plays an active role in the company’s strategic and operational decisions. If not, enforcement agencies might believe compliance is an “afterthought” and the resulting misconduct an eventuality the company was ill-prepared to stop.

Conclusion

To determine a company’s level of sophistication as it relates to FCPA compliance, the DOJ asks the company to link its understanding of risk with its third-party management process and, in turn, with how it manages such exposure. A company that is unable to make the connection between risk and its compliance program calls into question its ability to create a credible and defensible compliance program.

The questions provided in the guidance can help companies conduct a very quick assessment of a new or existing third-party compliance program. Yet, we see a great deal of merit in taking the time to answer all the questions included in the guidance. The lessons learned from the exercise can help companies identify weaknesses and make long-lasting changes to shore up their efforts to tackle bribery and corruption.

While the guidance helps illuminate the inner workings of DOJ prosecutors’ mindset, companies can expect the government’s investigators to weigh the facts of each case to arrive at an “individualized determination”. Despite its limitations, the guidance provides another example of the DOJ’s efforts to educate companies on what it deems acceptable, and by extension, raise expectations regarding the company’s responsibilities in complying with the FCPA.