Last week, the Department of Justice (DOJ) premiered a new policy regarding Foreign Corrupt Practices Act (FCPA) enforcement. Deputy Attorney General Rod Rosenstein, in a speech, called it the FCPA Corporate Enforcement Policy and stated that it is now “incorporated into the United States Attorneys’ Manual.” There are several different points to note about compliance programs under the new Corporate Enforcement Policy. Yesterday, I considered the requirement for a root cause analysis. Today I want to consider what the DOJ says specifically about compliance expertise.

The first thing is the incorporation of the 10 Hallmarks of an Effective Compliance Program through reference to the 2012 FCPA Resource Guide. Second is the language that makes clear that credit for a best practices compliance program is available for programs which are beyond simply the bare minimum under the US Sentencing Guidelines. Finally, the language and concepts in this new Policy come from a variety of sources, including the DOJ’s 2016 FCPA Pilot Program and the 2017 Evaluation of Corporate Compliance Programs (Evaluation). This builds upon the 10 Hallmarks of an Effective Compliance Program incorporated through reference into the new Enforcement Policy.

 

Implementation of an effective compliance and ethics program, the criteria for which will be periodically updated and which may vary based on the size and resources of the organization, may include:

  • The company’s culture of compliance, including awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated;
  • The resources the company has dedicated to compliance;
  • The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
  • The authority and independence of the compliance function and the availability of compliance expertise to the board;
  • The effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment;
  • The compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors;
  • The auditing of the compliance program to assure its effectiveness; and
  • The reporting structure of any compliance personnel employed or contracted by the company.

I would reorganize these into three general categories: (1) Quality and resources dedicated to the compliance function; (2) ongoing evaluation of a compliance program; and (3) company culture.

Quality and Resources Dedicated to Compliance

Here the DOJ has laid out the following:

  1. The resources the company has dedicated to compliance;
  2. The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
  3. The authority and independence of the compliance function and the availability of compliance expertise to the board;
  4. The compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and
  5. The reporting structure of any compliance personnel employed or contracted by the company.

Point 1 and the first half of point 3 come from the 10 Hallmarks of an Effective Compliance Program. Points 2, the second half of 3, 4 and 5 come from the DOJ’s FCPA Pilot Program, Part 3, entitled “Timely and Appropriate Remediation in FCPA Matters”. Clearly the DOJ is articulating that it expects true compliance professionals, who understand the way compliance interacts with and supports the business. The days of a law-school-trained Chief Compliance Officer (CCO) who cannot read a spreadsheet are consigned to the dustbin of non-compliance. But more than simply compliance professionalism, companies must compensate and promote compliance professionals within their organization. Simply burying someone in the compliance function of a law department because they cannot cut it will no longer suffice.

While part of the first clause of 3 derives from Hallmark Three of the 10 Hallmarks, which required authority and autonomy for the compliance function, there is a new requirement for compliance professional “independence”. The DOJ has not taken a position on whether a General Counsel (GC) can also be the CCO. However, this new language would seem to signal the death knell for the dual GC/CCO role. It may also signal the larger issue that the CCO should have a separate reporting line to the Board, apart from through the GC.

There is, however, one new part which I am particularly gratified to see, which is “the availability of compliance expertise to the board.” I believe this is more than simply a reporting requirement, or that the CCO has a direct line to the Board. I believe this is a separate requirement for compliance expertise on the Board. I have long argued that there should be a compliance professional on a Board of Directors. You name any of the most recent corporate scandals (Wells Fargo, Uber Technologies, Volkswagen, Equifax) and there was no compliance expertise on the Board. Clearly the better practice is for companies to have a seasoned compliance professional on the Board. I would also add the DOJ may soon expect there to be a Compliance Committee separate and apart from the Audit Committee.

Once again for the compliance professional, the new FCPA Corporate Enforcement Policy makes the importance of a best practices compliance program even more critical. Clearly the DOJ is focusing more on the role, expertise and how the compliance function is treated within an organization. Pay your CCO considerably less than your GC? You may now better be able to justify that discrepancy. A legal department budget of three million dollars and a compliance department budget of $500,000? You may be starting behind the 8-ball. Finally, this document may well portend structural changes required at the Board of Directors level, including appointment of a compliance professional and creation of a Compliance Committee. Tomorrow I will consider the requirements for an ongoing evaluation of a compliance program and issues around company culture.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017
