Last week, in yet another very soft release, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) released the updated A RESOURCE GUIDE TO THE U.S. FOREIGN CORRUPT PRACTICES ACT SECOND EDITION (2020 Resource Guide). The reason for this update was stated in the forward which read in full:
We are pleased to announce the publication of the Second Edition of A Resource Guide to the U.S. Foreign Corrupt Practices Act. The Guide was originally published by the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) in November 2012 to provide companies, practitioners, and the public with detailed information about the statutory requirements of the Foreign Corrupt Practices Act (FCPA) while also providing insight into DOJ and SEC enforcement practices through hypotheticals, examples of enforcement actions and anonymized declinations, and summaries of applicable case law and DOJ opinion releases. Then and now, the Guide represents one of the most thorough compilations of information about any criminal statute, and remains relevant to this day.
Although many aspects of the Guide continue to hold true today, the last eight years have also brought new cases, new law, and new policies. The Second Edition of the Guide reflects these updates, including new case law on the definition of the term “foreign official” under the FCPA, the jurisdictional reach of the FCPA, and the FCPA’s foreign written laws affirmative defense. It addresses certain legal standards, including the mens rea requirement and statute of limitations for criminal violations of the accounting provisions. It reflects updated data, statistics, and case examples. And it summarizes new policies applicable to the FCPA that have been announced in the DOJ’s and SEC’s continuing efforts to provide increased transparency, including the DOJ’s FCPA Corporate Enforcement Policy, Selection of Monitors in Criminal Division Matters, Coordination of Corporate Resolution Penalties (or Anti-Piling On Policy), and the Criminal Division’s Evaluation of Corporate Compliance Programs.
Foreign bribery is a scourge that must be eradicated. It undermines the rule of law, empowers authoritarian rulers, distorts free and fair markets, disadvantages honest and ethical companies, and threatens national security and sustainable development. This updated Guide is meant not only to summarize the product of the dedicated and hardworking individuals who combat foreign bribery as part of their work for the U.S. government, but also to help companies, practitioners, and the public—many of whom find themselves on the front lines of this fight—prevent corruption in the first instance. We hope that the Guide will continue to be an invaluable resource in those efforts.
Obviously this 2020 Resource Guide has been sometime in coming and represents the work of many dedicated professionals in the DOJ and SEC. It is a welcomed resource for every compliance practitioner. Today, I want to focus on the primary changes and additions to the Hallmarks of an Effective Compliance Program. The first change to note is the expanded definition to the questions “Is it [a corporate compliance program] being applied in good faith” with the addition of the queries, “In other words, is the program adequately resourced and empowered to function effectively?” This language comes from the 2020 Update to the Evaluation of Corporate Compliance Programs (2020 Update). This change clearly reflects the need for a company to do far more than have a paper compliance program in place which presaged many of the changes brought forward in the 2020 Update.
However, the biggest change is the addition of a new Hallmark, entitled “Investigation, Analysis, and Remediation of Misconduct”, which reads in full:
The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigations structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.
In addition to having a mechanism for responding to the specific incident of misconduct, the company’s program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.
There are many interesting aspects to this new Hallmark, not the least that it begins with “The truest measure of an effective compliance program is how it responds to misconduct.” This builds upon the language found in the “Confidential Reporting and Internal Investigations Hallmark, which stated, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response,”. Now beyond being properly funded, you must have a “well-functioning mechanism” for the “timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents.”
This clearly mandates that once an allegation or even suspicion comes to the attention of compliance, it must be properly triaged, your investigation protocol should kick in with a detailed and effective investigation that is completed in a reasonable time and provide a response to the investigative findings. Moreover, an investigation is not the ending point and should be followed with a robust root cause analysis. This builds upon several sources.
Initially, the FCPA Corporate Enforcement Policy brought forward this requirement for a root cause analysis with the following language:
Demonstration of thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes.
The 2020 Evaluation also raised the following questions under “Root Cause Analysis – What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?”
Well known fraud investigator Jonathan Marks, defined a root cause analysis as “a research based approach to identifying the bottom line reason of a problem or an issue; with the root cause, not the proximate cause the root cause representing the source of the problem.” He contrasted this definition with that of a risk assessment which he said “is something performed on a proactive basis based on various facts. A root cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.” He went on to note, “Root cause analysis is a tool to help identify not only what and how an event occurred, but also why it happened. When we are able to determine why an event or failure occurred, we can then recommend workable corrective measures that deter future events of the type observed.”
The 2020 Resource Guide is a most welcomed document from the DOJ and SEC. It brings forward the top FCPA and compliance resource from the past decade into this decade. I will be exploring other aspects of the 2020 Resource Guide in subsequent blog posts.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2020