To read more, check out my blog post series on Hallmark 4.

For more information on this Hallmark, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week by clicking here.

This Week in FCPA-Episode 19, the International Edition

Show Notes for Week ending August 26, 2016

  1. John Kerry: Corruption is ‘root cause’ of terrorism, on FCPA Blog.
  2. Eric Ben-Artzi Op-Ed piece on why he turned down his whistleblower award, as featured in the Financial Times.
  3. Lessons from History-the Tudors on compliance, from the FCPA Compliance Report.
  4. FedEx trial debacle for the DOJ, and Paul Pelletier’s recommendation to fix the recent spate of ill-fated and ill-advised DOJ prosecutions, as featured in the FCPA Blog.
  5. Hallmarks 1-5 of the Ten Hallmarks of an Effective Compliance Program, as featured in the FCPA Compliance Report.

I am on assignment in Oxford on a two-week study course, focusing on the Tudors. For the first week we focused on Richard III to the end of Henry VIII’s reign. Although Richard III was not a Tudor, we began with him to study the ‘bad rap’ of negative publicity he received from the Tudor court, specifically Sir Thomas More and most particularly Shakespeare’s play, Richard III.

In the career of Henry VIII, we discussed the role of Thomas Cromwell and the series of steps leading up to the split from Rome to obtain his divorce from Catherine of Aragon and his dissolution of the Catholic Church in England to create the Church of England. One of the questions initially posed by our tutor, Janet Dickinson, was whether there was an overarching plan to take these steps or if they were made more on an ad hoc basis in response to events on the ground.

The consensus of our group was the steps taken were in response to the changing and evolving circumstances not only in England but also on the Continent, both in Rome and in the wider sphere of European politics. Initially it appeared the Pope was inclined to grant Henry his annulment but that solution was foreclosed when greater European politics intervened. This intervention was the invasion of Italy by the Spanish King Charles V, who was the nephew of Catherine of Aragon. Charles was disinclined to allow the Pope to grant Henry an annulment of the marriage of his aunt to Henry.

Making Henry the head of the Church of England was only one part of the break from Rome. The second part was the dissolution of the Catholic monasteries and passing of Catholic Church land to the English crown, as head of the Church of England. We may never know who initially came up with these ideas, whether it was Cromwell, another advisor or even if Henry himself came up with some or all of the plans. It does seem relatively clear that Cromwell developed the legal arguments supporting the legal claim for Henry to head up the church in England.

Yet, even at this point there was no clear plan to dissolve the Catholic Church’s property in England to the English crown. This move appears to have come in response to an attempt to clarify religious doctrine after the break with Rome. These widespread popular and clerical uprisings found support among the gentry and even the nobility; all culminating in the Pilgrimage of Grace.

If you are a loyal reader of this blog, you know that I am in the midst of a two-week series on the Ten Hallmarks of an Effective Compliance Program, as they were first laid out in the 2012 FCPA Guidance. I find that the series of events I outlined above, from our first week of study of the Tudor period of English history, illustrates a key theme of compliance programs: they must be flexible and have the ability to evolve. Simply put, it is not in the business interest of US companies (or others subject to the Foreign Corrupt Practices Act (FCPA)) to have a static compliance program. Compliance programs must have the flexibility to respond to a wide variety of factors, including changing market conditions both inside a corporation and on the ground.

Moreover, companies need to have the flexibility to design, create and implement a compliance program that manages the risks they face. As companies mature in their compliance function, they can begin to manage additional and more sophisticated risks. For instance, audits of third parties should not begin when your compliance program is made operational. They should wait an appropriate period of time so that you have enough information to review and study.

Additionally chronological developments drive more and greater compliance. Transaction monitoring is one clear area that has achieved significant growth in the past few years alone. If a static approach to compliance had been advocated by the Department of Justice (DOJ) this development might have never occurred.

Finally, the times of Henry VIII inform us that companies need to be ready to respond to events on the ground. Not only must companies have a compliance response to new products or services and entry into new markets; they must respond to new and more sophisticated ways to fund bribery and corruption. The sad fact is that the funding of bribery and corruption comes from a company’s internal funds. Whether it is mislabeling marketing expenses or charitable donations, burying commission payments in unauthorized discounts or making subsidiary financial statements so complicated that home office auditors cannot read them, businesses need to respond to the ever-changing landscape. The monies to fund bribes come from the company itself, thus there is always a fraud upon the company by its own employees.

The goal of any best practices compliance program is to prevent, detect and remediate. To achieve this the DOJ and Securities and Exchange Commission (SEC) give companies a wide latitude to achieve these goals. The FCPA Guidance says “each compliance program should be tailored to an organization’s specific needs, risks, and challenges, the information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.”

I have long been drawn to the lessons of history and what they teach us in the present day in the field of compliance. The reason the events of the 1520s and 1530s can and do resonate today is that they are based on the actions of people. I find these lessons build into how companies should think about compliance in the 21st century.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

I.     Training

The communication of your anti-corruption compliance program is something that must be done on a regular basis to ensure its effectiveness. The FCPA Guidance explains, “Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.”

“Conducting effective training programs” is listed in the 2011 US Sentencing Guidelines as one of the factors the DOJ will take into account when a company accused of a FCPA violation is being evaluated for a sentence reduction. The US Sentencing Guidelines mandate, “(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.”

While most people tend to overlook the issue of attendance at training, it is an issue that should also be considered. You should determine that all senior management and company Board members have attended FCPA compliance training. You should review the documentation of attendance and confirm this attendance. Make your department, or group leaders, accountable for the attendance of their direct reports and so on down the chain. Evidence of training is important to create an audit trail for any internal or external assessment or audit of your training program.

One of the key goals of any FCPA compliance program is to train company employees in awareness and understanding of the FCPA; your specific company compliance program; and to create and foster a culture of compliance. Until recently, we had not heard anything from the DOJ about testing the effectiveness of compliance training; however, beginning in the fall of 2015 through the announcement of the FCPA enforcement Pilot Program, they began to talk about whether you have determined the effectiveness of your training.

A starting point is a baseline measurement of the employees who participated in your compliance training, through a general assessment of those trained on the FCPA and your company’s compliance program. Some questions to use for the assessment of the effectiveness of your FCPA compliance training could include the following:

  1. What does the FCPA prevent?
  2. Does your company allow facilitation payments?
  3. How do you report compliance violations at your company?
  4. What types of improper compliance conduct should you report?
  5. What is the name of your company’s Chief Compliance Officer?

For high-risk employees, you can have a more focused evaluation. You can give some circumstances an employee might face when traveling or doing business abroad. As always, you need to document the training, attendance at the training and then the post-training testing. 

II.     Communication

Ethical leadership is absolutely mandatory to have a successful compliance program, whether it is based upon the FCPA or the UK Bribery Act. Senior management must not only be committed to doing business in compliance with these laws but they must communicate these commitments down to the organization. But leadership is not limited only to senior management within an organization. Tone at the Top begets Tone in the Middle; which begets Tone at the Bottom. At each rung there is the need for compliance leadership. Yet these communications can come in many forms. Consider the Morgan Stanley declination that specifically mentioned the ongoing compliance reminders as one of the reasons the company received a declination.

All of this leads me to consider the message of compliance inside of a corporation and how it is distributed. In a compliance program, a large portion of your consumers/customers are your employees. Social media presents some excellent mechanisms to communicate the message of compliance going forward. Many of the applications that we use in our personal communication are free or available at very low cost. So why not take advantage of them and use those same communication tools in your internal compliance marketing efforts going forward.

Another key issue seems to be the problem that companies do not write the way they speak, and do not speak the language of their employee base. In many ways, compliance is a brand and that compliance brand needs to make sure that the message of compliance will resonate with your audience, whether that be your employee base, third parties working for your company, even senior management or the Board. This is where social media can help you and the compliance function to hone your message. Part of this is based on experimenting on what message to send and how to send it throughout your organization.

This means that you will need to work to groom your message but also continue to plug away to send that message out. I think the Morgan Stanley declination will always be instructional, as one of the stated reasons the DOJ did not prosecute the company was that it sent out 35 compliance reminders to its workforce over 7 years. Social media can be used in the same cost-effective way, not only to get the message of compliance out but also to receive information and communications back from your customer base, the company employees.

The key to training and communication is that they be done effectively. Whether you utilize one of the myriad of compliance training professionals, online training companies or another mechanism, the bottom line is that you need to risk rank your training attendees and follow up by measuring training effectiveness. If you can neither think of anything else nor have the budget for professional consultants, you can always start with the FCPA Guidance and use the hypotheticals as your training materials. I still maintain that in communications you are only limited by your own imagination. By keeping the communications fun, fresh and relevant, you can help keep the eye on compliance in your organization.


To listen to my podcast on this Hallmark, click here.


I.     Autonomy

The DOJ has made clear over the years the importance of this hallmark. In the FCPA Guidance it states, “In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization.” But this person must also have the expertise and resources to adequately fill that role. This last point was made clear when the DOJ announced its Pilot Program in April 2016.

Here we refer to the 2011 Amendments to the US Sentencing Guidelines, §8B2.1 (b)(2)(C), which specified:

Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

There once was an ongoing debate in the compliance world about whether a company can or should combine or separate the role of the Chief Compliance Officer (CCO) from that of the General Counsel (GC). However it would appear that initial debate has ended because of the differences in focus. The GC and legal department are present to protect the company. The CCO and compliance function exist to prevent, detect and remedy issues as they arise.

In the 2015 Deloitte/Compliance Week Compliance Trends Survey, it reported, “Out of 364 respondents, 57 percent now say their CCO reports directly to either the chief executive officer (CEO) or the board. This number has fluctuated over time (from as low as the mid-40s), but is now clearly marching upward. Fifty-one percent say the CCO has a seat on the executive management committee, and 59 percent say the CCO job is a stand-alone position. Fifty-five percent say they regularly brief the board on the company’s overall ethics and culture.” These changes “suggest that most CCOs, especially those at larger corporations, now have an opportunity to participate in high-level discussions about corporate strategy, values, and culture.”

Neither the DOJ nor SEC have taken a formal position on which approach they favor. Whichever structure your company may utilize, it is incumbent that any CCO must have “sufficient authority and independence to oversee the integrity of the compliance program.” Indeed the DOJ Pilot Program specifies this with the following language, “The independence of the compliance function”. Some indicia of independence would include a reporting line to the company’s Board of Directors and Audit/Compliance Committee with, more importantly, “unfiltered” access to the Board. There should also be employment protection including an employment contract with a “nondiscretionary escalation clause” and a requirement for Board approval for any change in the terms and conditions of employment, including termination. There must also be sufficient resources in the form of an independent budget and adequate staff to manage the overall compliance program.

II.     Oversight

A Board’s duty under the FCPA is well known. In the FCPA Guidance there are two specific references to the obligations of a Board. The first in Hallmark No. 1, it states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second here in Hallmark 3, where it discusses that the CCO should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The DOJ’s Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment?

A Board must not only have a corporate compliance program in place but also actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward.

III.    Resources 

Funding your compliance program is always one of the biggest challenges for any CCO. Short of being in the middle of a worldwide FCPA investigation you are never going to receive all the funding you want or even think that you are going to need. But this corporate reality is not going to save you if the government comes knocking. The FCPA Guidance provides the following, “Moreover, the amount of resources devoted to compliance will depend on the company’s size, complexity, industry, geographical reach, and risks associated with the business. In assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.” In the Pilot Program it requires only “the company dedicates sufficient resources to the compliance function.”

But there are some things that a CCO might do to try to obtain the resources needed. One thing you can do is have a list of information prepared and ready to present to the Board or CEO who may provide funding for your compliance function. If you lay out the information in a coherent manner, it will allow the Board or senior management to get some perspective on the compliance function: what you are asking for and why.

Once again recognizing that every compliance function will always be resource constrained, you can look to other areas in your company to assist the compliance function. An obvious starting place is Human Resources (HR). Internal Audit is another function that you may want to look at for assistance as they should have access to your company’s accounting systems, which allows them to pull data for ongoing monitoring. This may allow you to move towards continuous controls monitoring, on an internal basis. A corporate IT department has several functions that can assist compliance. Finally, do not forget your business teams. You can embed a compliance champion in all divisions and functions around the company. You can take this a step further by placing a Facility Compliance Officer at every site or location where you might have a large facility or corporate presence.

You can listen to a podcast on this Hallmark No.3 by clicking here.