Today, we continue our exploration of the new Department of Justice (DOJ) Compliance Counsel and the metrics laid out by Assistant Attorney General Leslie R Caldwell who called for her review of compliance programs. Today we review the first criteria and tie it to one specifically made applicable to financial institution but to which I believe both should and will soon apply to non-financial institutions. These metrics are:
- Are the institution’s compliance policies clear and in writing? Are they easily understood by employees? Are the policies translated into languages spoken by the company’s employees?
- Does the institution ensure that its compliance policies are effectively communicated to all employees? Are its written policies easy for employees to find? Do employees have repeated training, which should include direction regarding what to do or with whom to consult when issues arise?
The written policies and procedures required for a best practices compliance program are well known and long established. As stated in the FCPA Guidance, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company and Procedures are the documents that implement these standards of conduct.
Stephen Martin, the head of Baker and McKenzie’s Compliance Consulting Practice, and his former law partner Paul McNulty, developed one of the best formulations that I have seen of these requirements in their Five Elements of an Effective Compliance Program. In this formulation, they posit that your Code of Conduct, policies and procedures should be grouped under the general classification of ‘Standards and Procedure’. They articulate that every company has three levels of standards and controls. First, every company should have a Code of Conduct, which should, most generally, express its ethical principles. But simply having a Code of Conduct is not enough so a second step mandates that every company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. From the base of a Code of Conduct and standards and policies, every company should then ensure that enabling procedures are implemented to confirm those policies are executed, followed and enforced.
Another way to think of policies, procedures and controls was stated by Aaron Murphy, now a partner at Aiken Gump, in his book “Foreign Corrupt Practices Act”, when he said that you should think of all three as “an interrelated set of compliance mechanisms.” Murphy went on to say, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”
John Allen, in an article in the Houston Business Journal (HBJ), entitled “Company policies are source and structure of stability”, said that written policies and procedures “are not a surefire guarantee that things won’t go wrong, they are the first line of defense if things do.” The effective implementation and enforcement of policies demonstrate to regulators and the government that a “company is operating professionally and proactively for the benefit of its stakeholders, its employees and the community it serves.” If it is a company subject to the FCPA, by definition it is an international company so that can be quite a wide community.
Allen identified five key elements to any well-constructed policy. They are:
- identify to whom the policy applies;
- establish the objective of the policy;
- explain why the policy is necessary;
- outline examples of acceptable and unacceptable behavior under the policy; and
- warn of the consequences if an employee fails to comply with the policy.
Allen notes that for polices to be effective there must be communication. He believes that training is only one type of communication. I think that this is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, the logistics alone of such training can appear daunting. Small groups, where detailed questions about policies can be raised and discussed, can be a powerful teaching tool. Allen even suggests posting FAQ’s in common areas as another technique. And do not forget that one of the reasons Morgan Stanley received a declination to prosecute by the DOJ was that it sent out bi-monthly compliance reminder emails to its employee, Garth Peterson, for the seven years he was employed by the company.
The FCPA Guidance ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” This means that policies are applied fairly and consistently across your company. If there is not consistent application, Allen notes, “there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated.” This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.
These metrics also specifically set out that policies and procedures need to be translated into appropriate local language. This follows clear input from the FCPA Guidance, which says “it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it.” This means that training should also be in an appropriate local language so that your employees can understand their obligations under the FCPA and your company’s expectations around ethics and compliance.
Communication of Written Program
The communication of your anti-corruption compliance program is something that must be done on a regular basis to help ensure its effectiveness. The FCPA Guidance explains, “Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.”
“Conducting effective training programs” is listed in the 2011 US Sentencing Guidelines as one of the factors the DOJ will take into account when a company accused of a FCPA violation is being evaluated for a sentence reduction. The US Sentencing Guidelines mandate, “(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.”
One of the key goals of any FCPA compliance program is to train the company. But more than simply training, I believe these new metrics mandate that you demonstrate the effectiveness of your compliance training. The testing and evaluation of your FCPA compliance training program is an important aspect not to overlook. In their book, entitled “Foreign Corrupt Practices Act Compliance Guidebook”, authors Martin and Daniel Biegelman explore some techniques, which can be used evaluate FCPA compliance training. They believe a general assessment of those trained on the FCPA and your company’s compliance program is only a starting point. They list five possible questions as a starting point for the assessment of the effectiveness of your FCPA compliance training:
- What does the FCPA stand for?
- What is a facilitation payment and does the company allow such payments?
- How do you report compliance violations?
- What types of improper compliance conduct would require reporting?
- What is the name of your company’s Chief Compliance Officer?
The authors set out other metrics that can be used in the post-training evaluation phase. They point to any increase in hotline use; are there more calls into the compliance department requesting assistance or even asking questions about compliance. Is there any decrease in compliance violations or other acts of non-compliance?
While many companies have focused on the written components of a best practices compliance program, I believe these new Compliance Counsel metrics require that company’s work to ensure the training is effective. It must be communicated in a manner designed to make an impression. This includes appropriate translations of the written documents and translations of your oral training presentations as well.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2015