Hopefully, one area that many compliance practitioners will not have much experience in is dealing with prosecutors, at least in the in-house, corporate context. Further it may be the case that most in-house lawyers come from a civil law background, as opposed to the criminal law side of the legal profession. Therefore, if an in-house compliance practitioner is required to disclose to, and work with, a federal prosecutor, the in-house practitioner usually does not have experience to draw upon in connection with the types of inquiries a Department of Justice (DOJ) prosecutor might ask during a Foreign Corrupt Practices Act (FCPA) investigation.
Over the past 9 months, and continuing for the next several months, I have been privileged to tour the US with World Check discussing various aspects of the FCPA. Another member of the team is Stephen Martin, the General Counsel of Corpedia. Stephen worked as a prosecutor in the DOJ during the Clinton administration before moving into the corporate world and has a wealth of knowledge on the types of inquiries that a prosecutor might ask during the pendency of a FCPA investigation. In his presentation Stephen suggests that, during a FCPA inquiry, your company might be asked some of the following questions:
- What resources were apportioned for compliance? If you plead that you did your best given the resources your company allocated to the compliance department, a simple question that a prosecutor might ask is along the lines of “How much did your company spend last year on yellow sticky notepads, or pencils or paper clips, you get the picture, $1MM or more? Is, or are, those items business critical but compliance is not?
- How do I know your risk assessment was objective? Did your company bring in an outside profession to perform the risk assessment under which your compliance program is based? Under the US Sentencing Guidelines, in implementing [the elements of an effective compliance and ethics program] the “organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement [as set forth in the elements] to reduce the risk of criminal conduct identified in this process”. Can you demonstrate that you periodically assessed your risk and if so how was it done?
- Were compliance risks in the C-Suite and Boardroom addressed? Even if your compliance policy is thorough in the ranks of the organization, were those at the highest level also a part of your overall compliance strategy. Not only was there an appropriate “Tone at the Top” but was this communicated throughout your organization? Was your Board active and engaged? Was there thorough reporting to the Board. Where are the records to document both?
- How was risk examined at the vendor/agent level? Did your risk assessment look at both your sales distribution model and the individuals or entities involved and has your company assessed its compliance risk with vendors in the supply chain? If yes, what methodology did your company use? How is both the methodology and results documented? If your raw work product was not retained, does your final report provide sufficient detail on the methodology that your company utilized?
- Was culture and attitude measured? This begins with the tone at the middle and lower ranks of your organization. Did the measure come down from on high ( i.e.: the Top) and if so did it percolate throughout the ranks of this organization? Has your company surveyed its employee’s attitudes regarding compliance? As with your risk assessment(s), what was the methodology and how valid is it and the results?
- How was knowledge assessed? Although this is related to the above inquiry, the focus is somewhat different. If you had live training, did you interview employees to determine the results? If there was computer training, did you require any type of test after the completion of the course and did you require some form of passing grade? How did you document the results?
- Was anyone terminated or disciplined as a result of the risk assessment? Most companies understand the need to discipline or terminate employees as a result of a FCPA investigation which finds a violation. However if your company has never terminated or even disciplined any employees as a result of a compliance assessment, this may bode poorly for you in the eyes of a prosecutor. Has your company ever looked at its top sales persons or agents outside the US in a detailed, systematic way to determine if they are within your compliance guidelines? If so what was the methodology, what was the result and how is all of this documented?
- Who among the governing authority of your company received the final report or was briefed on the outcome? While this is related to the 2nd question above, it goes further. If the very highest level was not so engaged, it speaks poorly on your company’s commitment to compliance. The Board needs to demonstrate commitment to full engagement in both the successes and the non-successes and be involved in using lessons learned to resolve any problems which may have arisen.
- How was the risk assessment outcome used? While it certainly is a positive step to follow the sentencing guidelines and perform a risk assessment, such assessment should be utilized. The UK Ministry of Justice says that your risk assessment should “inform” your compliance program. A prosecutor might conclude that your program lacks strength and vitality if your company does not use what it may have learned in a risk assessment to make any necessary or even changes suggested by a risk assessment.
This list is not exhaustive and there will be many, many more queries, both large and small from any prosecutor. However, this sample makes clear that your ability to respond, and respond with documentation, will be critical in establishing your company’s credibility in the compliance area.
Stephen and I will be continuing our FCPA presentations, hosted by World Check this spring. All of the events are free and CLE is provided. Our upcoming schedule is as follows and if you are in one of these areas I hope you can join us.
Tuesday, April 5-Portland. For details, click here.
Wednesday, April 6, Seattle. For details, click here.
Thursday, April 7, Denver. For details, click here.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2011