2017 was a very significant year for every compliance practitioner and compliance program. The year brought two important documents on compliance programs. It began with the Evaluation of Corporate Compliance Programs (Evaluation) released in February 2017 and ended with the Department of Justice (DOJ) announcing a new Policy regarding Foreign Corrupt Practices Act (FCPA) enforcement in November 2017. Building upon the Ten Hallmarks of an Effective Compliance Program, as first articulated in the 2012 FCPA Guidance, there are now specific points, issues and questions a compliance professional can use to more fully operationalize your compliance program. You now have a full set of information to create a more effective compliance program.
In November 2017, Deputy Attorney General Rod Rosenstein announced the new FCPA Corporate Enforcement Policy. This new Policy incorporated the Ten Hallmarks of an Effective Compliance Program through reference to the 2012 FCPA Resource Guide as continued best practices and added new information on the DOJ’s expectations for more fully operationalizing compliance. The DOJ further incorporated language and concepts from a variety of sources, including the 2016 FCPA Pilot Program and the 2017 Evaluation.
The new Policy had the following language regarding the implementation of an effective compliance and ethics program.
- The company’s culture of compliance, including awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated;
- The resources the company has dedicated to compliance;
- The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
- The authority and independence of the compliance function and the availability of compliance expertise to the board;
- The effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment;
- The compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors;
- The auditing of the compliance program to assure its effectiveness; and
- The reporting structure of any compliance personnel employed or contracted by the company.
I would reorganize these into three general categories: (1) Quality and resources dedicated to the compliance function; (2) ongoing evaluation of a compliance program; and (3) company culture.
In February 2017, the DOJ released its Evaluation of Corporate Compliance Programs. The Evaluation is an 11-part list of questions which encapsulated the DOJ’s thinking on what constitutes a best practices compliance program. Within the list are some 46 different questions that a Chief Compliance Officer (CCO) or compliance practitioner can use to benchmark a compliance program. In short, it is an incredibly valuable and most significantly useful resource for every compliance practitioner.
The Evaluation follows the seminal Ten Hallmarks of an Effective Compliance Program. If there is one over-riding theme in the Evaluation, it is the DOJ’s emphasis on doing compliance as the questions posed are designed to test how far down your compliance program is incorporated into the fabric of your organization. The Evaluation is not simply a restatement of the Ten Hallmarks, as it clearly incorporates the DOJ’s evolution in what constitutes a best practices compliance program, and it certainly builds upon the information put forward in the 2016 FCPA Pilot Program regarding effective compliance programs, most particularly found in Prong 3, entitled “Remediation”.
The Evaluation arose from two separate observations made by Hui Chen when she joined the Fraud Section as Compliance Counsel. The first came from her initial training to Fraud Section “prosecutors in December 2015, shortly after I started there. I walked through the components of compliance programs and talked about how I would be probing companies on these topics.” It was decided that a list of questions would be helpful for the prosecutorial staff to assist in assessing compliance programs for companies in a FCPA investigation.
The second observation by Chen came from her initial meetings with companies regarding their compliance programs. She felt that many of the compliance program presentations and responses to questions during these sessions did not provide any substantive information on what made these company’s remediated compliance programs effective. She said, “We wanted people to see that we put a lot of emphasis on evidence and data. Don’t just tell us that you have a hotline. Show us how you know it’s working and how you’re using the information that you gain from these hotlines.”
Chen said companies needed to do more than come before the DOJ and say that they had a great compliance portal and “show us screenshots of it.” Companies needed to demonstrate compliance program effectiveness through such information as “hit rates and how you use that data to help you refine how you communicate with your audience.” The same was true for the requirement of strong leadership by senior management and tone from the top. Chen related, “If you tell us you have a strong, talented top, show us what concrete actions your leaders have taken personally to demonstrate that. It’s not just some words that they say” but show the evidence. (Here please note the three most important things in compliance still matter: Document, Document, and Document).
Chen emphasized the Evaluation is not simply to be used or even considered as a checklist. It is designed to have CCOs and compliance professionals think about their compliance programs by asking questions. She explained, “Questions invite people to think. I like to call them evaluation questions. My goal is really to get people to really think about what they’re doing, what is the goal they’re trying to accomplish, how are they going to measure the results, how do they know it’s working. I’m a big fan of asking questions. The result of that, I’m hoping is that people really get to think about what they’re doing and why they’re doing it and how do they know that they’re successful at it.”
The Evaluation added a new component of root cause analysis because Chen believed it is “important that companies begin by looking at what happened. That really drives everything in terms of their presentation to the Justice Department.” Chen went on to explain it is not simply performing a root cause analysis after a FCPA violation comes to light, “I think that set of questions needs to be asked of any type of manifest at risk that the compliance officer sees. If you can’t pay attention to small failures that might have resulted in no harm at all then you are going to end up missing the failures that do result in harm.” The Evaluation also required compliance practitioners to consider the structure of their compliance program and how it inter-related to their company’s risk profile. In other words, how well is compliance operationalized?
I began 2017 with a 31-day podcast series on how to create a more effective compliance program. However, with the addition of the Evaluation and new Policy, I wanted to provide the most up-to-date information on what goes into a best practices compliance program. Therefore, beginning on January 1, 2018, I will provide a new podcast series of 31-days to a More Effective Compliance Program, incorporating information from both the Evaluation and new Policy. It will provide the compliance practitioner with a thorough grounding in the key aspects of a best practices compliance program based on the latest information from the regulators.
The Evaluation and Policy have laid out what compliance practitioners need to put into their compliance programs. Over the next 31 days, I will be exploring the best way to more fully operationalize a compliance program using the DOJ resources. I hope you will join me as we engage in 31 days to a more effective compliance program. It will be available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2017