In two speeches last week Department of Justice (DOJ) Acting Principal Assistant Attorney General Trevor McFadden addressed multiple topics and issues around the Foreign Corrupt Practices Act (FCPA). The first set of remarks were made in Washington DC at the Anti-Corruption, Export Controls & Sanctions (ACES) 10th Compliance Summit (the “DC speech”). The second set were made at the American Conference Institute (ACI) 19th Conference on the FCPA in New York City (the “NYC speech”).

One of the clear exports from McFadden’s speeches is that the DOJ views businesses as leading the fight against bribery and corruption and as partners with the DOJ in this campaign. In the NYC speech he said, “We recognize that business organizations are our partner in the fight against corruption, because they are in the best position to detect risk, to take preventative measures and to educate those who act on its behalf on best practices.” The DOJ clearly expects an evolution from the corporate side on best practices. Also, an area that is important to them is the education on best practices going forward. This would seem to be not only mean internal company training but more broadly to have companies educate those up and down their contracting chain to make sure there is a concerted anti-corruption effort going forward.

McFadden emphasized that through “this cooperative effort, we can reduce corruption with effective compliance programs that prevent nefarious conduct from happening and through effective prosecutions to resolve violations in a way that punishes the conduct and deters similar future misconduct.”

At several points in the DC speech, McFadden brought forward that it is the private sector which leads the fight against bribery and corruption. This is important for several reasons. First, the government’s role should be to enforce the law and encourage compliance with the FCPA. It is up to the companies doing business across the globe to not violate the law. But as McFadden noted, “compliance requires more than good intentions” as businesses must actually do compliance. Put in the language of the Evaluation of Corporate Compliance Programs (Evaluation), released in February, a company must operationalize compliance.

Even today, there are companies which still think they do not need to have a compliance program in place because they would not countenance bribery and corruption. While admittedly they are most probably not readers of this blog, they still exist. McFadden emphasized once again the mandate to have a functioning compliance program in place.

McFadden went on to provide some key elements companies must implement or utilize to do compliance. A compliance program must be a living breathing way of doing business. Companies “must ensure that their compliance policies go beyond ink on paper and actually become a part of a company’s culture.” Once again, operationalization is the key. He touched on “an appropriate system” which should be implemented to “ensure corporate expectations are followed.”

He focused specifically on high-risk environments reflecting the mandate that as your risk increases, the management of that risk has to increase as well. Obviously, there are multiple measures to accomplish this requirement but going through the full risk management process and documenting each step you have taken will aid in that process. McFadden specifically mentioned companies which expand either organically into new markets or through the symbiosis of acquisition. On the latter score, this is one of the reasons the DOJ has continually discussed mergers and acquisitions (M&A) in the context of a best practices compliance program.

It is this final point, which also leads to the well-worn DOJ (and Securities and Exchange Commission) maxim that “no one size fits all”. Not only is each company’s compliance risk unique but that risk can change based on new products or services, new geographic territories, new partners or through M&A. McFadden stated, “a compliance program that worked for a domestic company of 500 employees will rarely be appropriate if that company triples in size or enters foreign markets.” This makes clear that a company must assess each risk as its size increases. Of course, to do so requires compliance to have a seat at the table to know when a business is expanding either organically or symbiotically.

McFadden also touched on responsibility of companies to take actions if they sustain a FCPA violation. Drawing from the four prongs of the FCPA Pilot Program, he stated, “the department regularly takes into consideration voluntary self-disclosures, cooperation and remedial efforts when making charging decisions involving business organizations.” This speaks to need to be ready to move and move quickly if evidence of a potential violation arises so a company can make a determination on self-disclosure.

McFadden’s remarks also re-emphasize the importance of the new areas of query in the Evaluation around root cause analysis. Companies must quickly and accurately determine the cause of a violation and remedy it going forward. If the company’s actions line up with the requirements of the FCPA Pilot Program, an entity could well be in line for declination from the DOJ. When McFadden’s speech is coupled with the Evaluation, it is clear the reason for the operationalization requirement of a corporate compliance program. It is through this operationalization that businesses will actually do compliance and serve up more than simply “good intentions” which usually translates into no active compliance program.

Yesterday, I considered the McFadden’s remarks in the context of the evolution of the rationale for FCPA enforcement. The basics for FCPA compliance were set long ago, yet this has not stopped innovation in compliance programs which continues up to this day. It is both right and appropriate that this innovation continue as business continue to become more efficient in the business process of compliance. Indeed it is through this evolution of corporate compliance programs that US companies have come to lead the world in both Corporate Social Responsibility and compliance standards.

Tomorrow I will consider McFadden’s remarks on DOJ enforcement of the FCPA and what it means for the compliance practitioner.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2017