FCPA Guide
Corporate Compliance Program
In a global marketplace, an effective compliance program is a critical component of a company’s internal controls and is essential to detecting and preventing
FCPA violations. Effective compliance programs are tailored to the company’s specific business and to the risks associated with that business. They are
dynamic and evolve as the business and the markets change. An effective compliance program promotes “an organizational culture that encourages ethical conduct and a commitment to compliance with
the law.” Such a program protects a company’s reputation, ensures investor value and confidence, reduces uncertainty in business transactions, and secures a company’s assets. A
well-constructed, thoughtfully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations. In addition
to considering whether a company has self-reported, cooperated, and taken appropriate remedial actions, DOJ and SEC also consider the adequacy of a company’s compliance program when deciding
what, if any, action to take. The program may influence whether or not charges should be resolved through a deferred prosecution agreement (DPA) or non-prosecution agreement (NPA), as well as the
appropriate length of any DPA or NPA, or the term of corporate probation. It will often affect the penalty amount and the need for a monitor or self-reporting. As discussed above, SEC’s Seaboard
Report focuses, among other things, on a company’s self-policing prior to the discovery of the misconduct, including whether it had established effective compliance procedures. Likewise, three of
the nine factors set forth in DOJ’s Principles of Federal Prosecution of Business Organizations relate, either directly or indirectly, to a compliance program’s design and implementation,
including the pervasiveness of wrongdoing within the company, the existence and effectiveness of the company’s pre-existing compliance program, and the company’s remedial actions. DOJ also considers the U.S. Sentencing Guidelines’ elements of an effective compliance program, as set forth in § 8B2.1 of the Guidelines. These considerations reflect
the recognition that a company’s failure to prevent every single violation does not necessarily mean that a particular company’s compliance program was not generally effective. DOJ and SEC
understand that “no compliance program can ever prevent all criminal activity by a corporation’s employees,” and they do not hold companies to a standard of perfection. An assessment of a
company’s compliance program, including its design and good faith implementation and enforcement, is an important part of the government’s assessment of whether a violation occurred, and if so,
what action should be taken. In appropriate circumstances, DOJ and SEC may decline to pursue charges against a company based on the company’s effective compliance program, or may otherwise seek
to reward a company for its program, even when that program did not prevent the particular underlying FCPA violation that gave rise to the investigation. DOJ and SEC have no formulaic
requirements regarding compliance programs. Rather, they employ a common-sense and pragmatic approach to evaluating compliance programs, making inquiries related to three basic questions:
• Is the company’s compliance program well designed?
• Is it being applied in good faith?
• Does it work?
This guide contains information regarding some of the basic elements DOJ and SEC consider when
evaluating compliance programs. Although the focus is on compliance with the FCPA, given the existence of anti-corruption laws in many other countries, businesses should consider designing
programs focused on anti-corruption compliance more broadly.
Hallmarks of Effective Compliance Programs
Individual companies may have different compliance needs depending on their size and the particular risks associated with their businesses, among other
factors. When it comes to compliance, there is no one-size-fits-all program. Thus, the discussion below is meant to provide insight into the aspects of compliance programs that DOJ and SEC
assess, recognizing that companies may consider a variety of factors when making their own determination of what is appropriate for their specific business needs. Indeed, small- and
medium-size enterprises likely will have different compliance programs from large multi-national corporations, a fact DOJ and SEC take into account when evaluating companies’ compliance programs.
Compliance programs that employ a “check-the-box” approach may be inefficient and, more importantly, ineffective. Because each compliance program should be tailored to an organization’s specific
needs, risks, and challenges, the information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that
particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will
allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.
Commitment from Senior Management and a Clearly Articulated Policy Against Corruption
Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.
Managers and employees take their cues from these corporate leaders. Thus, DOJ and SEC consider the commitment of corporate leaders to a “culture of compliance” and look to see if this high-level
commitment is also reinforced and implemented by middle managers and employees at all levels of a business. A well-designed compliance program that is not enforced in good faith, such as when
corporate management explicitly or implicitly encourages employees to engage in misconduct to achieve business objectives, will be ineffective. DOJ and SEC have often encountered companies with
compliance programs that are strong on paper but that nevertheless have significant FCPA violations because management has failed to effectively implement the program even in the face of obvious
signs of corruption. This may be the result of aggressive sales staff preventing compliance personnel from doing their jobs effectively and of senior management, more concerned with securing a
valuable business opportunity than enforcing a culture of compliance, siding with the sales team. The higher the financial stakes of the transaction, the greater the temptation for management to
choose profit over compliance. A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce
those standards. Compliant middle managers, in turn, will encourage employees to strive to attain those standards throughout the organizational structure. In short, compliance with the FCPA and
ethical rules must start at the top. DOJ and SEC thus evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them
scrupulously, and disseminated them throughout the organization.
Code of Conduct and Compliance Policies and Procedures
A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents,
the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf. Indeed, it would be difficult to effectively implement a
compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will
review whether the company has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code. Whether a
company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth
disciplinary procedures will also be considered by DOJ and SEC. These types of policies and procedures will depend on the size and nature of the business and the risks associated with the
business. Effective policies and procedures require an in-depth understanding of the company’s business model, including its products and services, third-party agents, customers, government
interactions, and industry and geographic risks. Among the risks that a company may need to address are the nature and extent of transactions with foreign governments, including payments to
foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments. For example, some companies with
global operations have created web-based approval processes to review and approve routine gifts, travel, and entertainment involving foreign officials and private customers with clear monetary
limits and annual limitations. Many of these systems have built-in flexibility so that senior management, or in-house legal counsel, can be apprised of and, in appropriate circumstances, approve
unique requests. These types of systems can be a good way to conserve corporate resources while, if properly implemented, preventing and detecting potential FCPA violations. Regardless of the
specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.
Oversight, Autonomy, and Resources
In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s
compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization, adequate autonomy from management,
and sufficient resources to ensure that the company’s compliance program is implemented effectively. Adequate autonomy generally includes direct access to an organization’s governing authority,
such as the board of directors and committees of the board of directors (e.g., the audit committee). Depending on the size and structure of an organization, it may be appropriate for day-to-day
operational responsibility to be delegated to other specific individuals within a company. DOJ and SEC recognize that the reporting structure will depend on the size and complexity of an
organization. Moreover, the amount of resources devoted to compliance will depend on the company’s size, complexity, industry, geographical reach, and risks associated with the business. In
assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size,
structure, and risk profile of the business.
Risk Assessment
Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance
program. One-size-fits-all compliance programs are generally ill-conceived and ineffective because resources inevitably are spread too thin, with too much focus on low risk markets and
transactions to the detriment of high-risk areas. Devoting a disproportionate amount of time policing modest entertainment and gift-giving instead of focusing on large government bids,
questionable payments to third-party consultants, or excessive discounts to resellers and distributors may indicate that a company’s compliance program is ineffective. A $50 million contract with
a government agency in a high-risk country warrants greater scrutiny than modest and routine gifts and entertainment. Similarly, performing identical due diligence on all third party agents,
irrespective of risk factors, is often counterproductive, diverting attention and resources away from those third parties that pose the most significant risks. DOJ and SEC will give meaningful
credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention
and resources had been devoted to a higher risk area. Conversely, a company that fails to prevent an FCPA violation on an economically significant, high-risk transaction because it failed to
perform a level of due diligence commensurate with the size and risk of the transaction is likely to receive reduced credit based on the quality and effectiveness of its compliance program. As a
company’s risk for FCPA violations increases, that business should consider increasing its compliance procedures, including due diligence and periodic internal audits. The degree of appropriate
due diligence is fact-specific and should vary based on industry, country, size, and nature of the transaction, and the method and amount of third-party compensation. Factors to consider, for
instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government
regulation and oversight, and exposure to customs and immigration in conducting business affairs. When assessing a company’s compliance program, DOJ and SEC take into account whether and to what
degree a company analyzes and addresses the particular risks it faces.
Training and Continuing Advice
Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, DOJ and SEC will evaluate whether a company has taken steps
to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant
employees, and, where appropriate, agents and business partners. For example, many larger companies have implemented a mix of web-based and in-person training conducted at varying intervals. Such
training typically covers company policies and procedures, instruction on applicable laws, practical advice to address real-life scenarios, and case studies. Regardless of how a company chooses
to conduct its training, however, the information should be presented in a manner appropriate for the targeted audience, including providing training and training materials in the local language.
For example, companies may want to consider providing different types of training to their sales personnel and accounting personnel with hypotheticals or sample situations that are similar to the
situations they might encounter. In addition to the existence and scope of a company’s training program, a company should develop appropriate measures, depending on the size and sophistication of
the particular company, to provide guidance and advice on complying with the company’s ethics and compliance program, including when such advice is needed urgently. Such measures will help ensure
that the compliance program is understood and followed appropriately at all levels of the company.
Incentives and Disciplinary Measures
In addition to evaluating the design and implementation of a compliance program throughout an organization, enforcement of that program is fundamental to its
effectiveness. A compliance program should apply from the board room to the supply room—no one should be beyond its reach. DOJ and SEC will thus consider whether, when enforcing a compliance
program, a company has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly, and whether they are commensurate with the violation. Many
companies have found that publicizing disciplinary actions internally, where appropriate under local law, can have an important deterrent effect, demonstrating that unethical and unlawful actions
have swift and sure consequences. DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and
promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership. Some organizations, for example, have made adherence to
compliance a significant metric for management’s bonuses so that compliance becomes an integral part of management’s everyday concern. Beyond financial incentives, some companies have highlighted
compliance within their organizations by recognizing compliance professionals and internal audit staff. Others have made working in the company’s compliance organization a way to advance an
employee’s career. SEC, for instance, has encouraged companies to embrace methods to incentivize ethical and lawful behavior:
[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way
to communicate that “doing the right thing” is a priority, is to reward it. Conversely, if employees are led to believe that, when it comes to compensation and career advancement, all that counts
is short-term profitability, and that cutting ethical corners is an acceptable way of getting there, they’ll perform to that measure. To cite an example from a different walk of life: a college
football coach can be told that the graduation rates of his players are what matters, but he’ll know differently if the sole focus of his contract extension talks or the decision to fire him is
his win-loss record.
No matter what the disciplinary scheme or potential incentives a company decides to adopt, DOJ and SEC will consider whether they are fairly and consistently
applied across the organization. No executive should be above compliance, no employee below compliance, and no person within an organization deemed too valuable to be disciplined, if warranted.
Rewarding good behavior and sanctioning bad behavior reinforces a culture of compliance and ethics throughout an organization.
Third-Party Due Diligence and Payments
DOJ’s and SEC’s FCPA enforcement actions demonstrate that third parties, including agents, consultants, and distributors, are commonly used to conceal the
payment of bribes to foreign officials in international business transactions. Risk-based due diligence is particularly important with third parties and will also be considered by DOJ and SEC in
assessing the effectiveness of a company’s compliance program. Although the degree of appropriate due diligence may vary based on industry, country, size and nature of the transaction, and
historical relationship with the third party, some guiding principles always apply. First, as part of risk-based due diligence, companies should understand the qualifications and associations of
their third-party partners, including their business reputation and relationship, if any, with foreign officials. The degree of scrutiny should increase as red flags surface. Second, companies
should have an understanding of the business rationale for including the third party in the transaction. Among other things, the company should understand the role of and need for the third party
and ensure that the contract terms specifically describe the services to be performed. Additional considerations include payment terms and how those payment terms compare to typical terms in that
industry and country, as well as the timing of the third party’s introduction to the business. Moreover, companies may want to confirm and document that the third party is actually performing the
work for which it is being paid and that its compensation is commensurate with the work being provided. Third, companies should undertake some form of ongoing monitoring of third-party
relationships. Where appropriate, this may include updating due diligence periodically, exercising audit rights, providing periodic training, and requesting annual compliance certifications by
the third party. In addition to considering a company’s due diligence on third parties, DOJ and SEC also assess whether the company has informed third parties of the company’s compliance program
and commitment to ethical and lawful business practices and, where appropriate, whether it has sought assurances from third parties, through certifications and otherwise, of reciprocal
commitments. These can be meaningful ways to mitigate third-party risk.
Confidential Reporting and Internal Investigation
An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of
the company’s policies on a confidential basis and without fear of retaliation. Companies may employ, for example, anonymous hotlines or ombudsmen. Moreover, once an allegation is made, companies
should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation
measures taken.
Companies will want to consider taking “lessons learned” from any reported violations and the outcome of any resulting investigation to update their internal
controls and compliance program and focus future training on such issues, as appropriate.
Continuous Improvement: Periodic Testing and Review
Finally, a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of
its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably
uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become
stale. According to one survey, 64% of general counsel whose companies are subject to the FCPA say there is room for improvement in their FCPA training and compliance programs. An organization
should take the time to review and test its controls, and it should think critically about its potential weaknesses and risk areas. For example, some companies have undertaken employee surveys to
measure their compliance culture and strength of internal controls, identify best practices, and detect new risk areas. Other companies periodically test their internal controls with targeted
audits to make certain that controls on paper are working in practice. DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is
later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the
frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.
Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration
In the context of the FCPA, mergers and acquisitions present both risks and opportunities. A company that does not perform adequate FCPA due diligence prior to
a merger or acquisition may face both legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue—with all the attendant harms to a
business’s profitability and reputation, as well as potential civil and criminal liability. In contrast, companies that conduct effective FCPA due diligence on their acquisition targets are able
to evaluate more accurately each target’s value and negotiate for the costs of the bribery to be borne by the target. In addition, such actions demonstrate to DOJ and SEC a company’s commitment
to compliance and are taken into account when evaluating any potential enforcement action. For example, DOJ and SEC declined to take enforcement action against an acquiring issuer when the
issuer, among other things, uncovered the corruption at the company being acquired as part of due diligence, ensured that the corruption was voluntarily disclosed to the government, cooperated
with the investigation, and incorporated the acquired company into its compliance program and internal controls. On the other hand, SEC took action against the acquired company, and DOJ took
action against a subsidiary of the acquired company. When pre-acquisition due diligence is not possible, DOJ has described procedures, contained in Opinion Procedure Release No. 08-02, pursuant
to which companies can nevertheless be rewarded if they choose to conduct thorough post-acquisition FCPA due diligence. FCPA due diligence, however, is normally only a portion of the compliance
process for mergers and acquisitions. DOJ and SEC evaluate whether the acquiring company promptly incorporated the acquired company into all of its internal controls, including its compliance
program. Companies should consider training new employees, reevaluating third parties under company standards, and, where appropriate, conducting audits on new business units. For example, as a
result of due diligence conducted by a California-based issuer before acquiring the majority interest in a joint venture, the issuer learned of corrupt payments to obtain business. However, the
issuer only implemented its internal controls “halfway” so as not to “choke the sales engine and cause a distraction for the sales guys.” As a result, the improper payments continued, and the
issuer was held liable for violating the FCPA’s internal controls and books and records provisions.
Other Guidance on Compliance and International Best Practices
In addition to this guide, the U.S. Departments of Commerce and State have both issued publications that contain guidance regarding compliance programs. The
Department of Commerce’s International Trade Administration has published Business Ethics: A Manual for Managing a Responsible Business Enterprise in Emerging Market Economies, and the
Department of State has published Fighting Global Corruption: Business Risk Management. There is also an emerging international consensus on compliance best practices, and a number of
inter-governmental and non-governmental organizations have issued guidance regarding best practices for compliance. Most notably, the OECD’s 2009 Anti-Bribery Recommendation and its Annex II,
Good Practice Guidance on Internal Controls, Ethics, and Compliance, published in February 2010, were drafted based on consultations with the private sector and civil society and set forth
specific good practices for ensuring effective compliance programs and measures for preventing and detecting foreign bribery. In addition, businesses may wish to refer to the following
resources:
• Asia-Pacific Economic Cooperation—Anti-Corruption Code of Conduct for Business;
• International Chamber of Commerce—ICC Rules on Combating Corruption;
• Transparency International—Business Principles for Countering Bribery;
• United Nations Global Compact—The Ten Principles;
• World Bank—Integrity Compliance Guidelines;
• World Economic Forum—Partnering Against Corruption–Principles for Countering Bribery.