Jay and I return for a wide-ranging discussion on some of the top compliance and ethics related stories of the week, with a focus on the release of the latest Star Wars movie, The Last Jedi:

  1. There are several FCPA 40th anniversary pieces going up these days. The FCPA Blog is looking at the top FCPA cases and enforcement actions over the past 40 years. Dick Cassin started the series, Jessica Tillipman nominated Siemens as her top case, with a nod towards Walmart.
  2. New revenue recognition rules are here. Tammy Whitehouse provides comments from top accounting practitioners in Compliance Week. Tom Fox and Matt Kelly do a special 5-part podcast series in Compliance into the Weeds. Part I-Introduction, Part II-Transaction Price, Part III-In re: software, Part IV-Auditor issues and Part V-What does it all mean?
  3. In honor of the premiere of the latest edition in the Star Wars oeuvre, The Last Jedi, both Tom Fox and Doug Cornelius have run week-long series on compliance lessons from the Star Wars series. See Doug’s post on Compliance Building and Tom’s posts on the FCPA Compliance Report. Tom and Jay will have a five-part podcast series, May the Podcast Be With You, running the week of December 11 on the intersection of Star Wars and compliance.
  4. Mike Volkov asks if the new FCPA Corporate Enforcement Policy has altered the balance between disclosure and non-disclosure of FCPA violations. See his post in Corruption Crime and Compliance.
  5. Does the US sanctions policy work? Sam Rubenfeld explores this question through an interview with Richard Nephew, author of The Art of Sanctions, on the WSJ Risk and Compliance Journal.
  6. Law-360 runs an Expert Analysis Series of reflections from key players in FCPA enforcement over the past 40 years. The articles come from current and former DOJ prosecutors, a monitor and defense lawyers. One of our favorites was Kara Brockmeyer and Chuck Duross reflecting on their work to help create the 2012 FCPA Resource Guide. Unfortunately, the entire series sits behind a paywall and subscription is required.
  7. HSBC successfully exits its five-year DPA. Sam Rubenfeld reports in the WSJ Risk and Compliance Journal.
  8. Former VW compliance professional Oliver Schmidt sentenced to seven years for his role in the VW emissions-testing scandal. Matt Kelly writes about it in Radical Compliance. Tom and Matt take a deep dive into it on their podcast, Compliance into the Weeds-Episode 62.
  9. Join Tom’s monthly podcast series on One Month to a More Effective Compliance Program. In December, I discuss the use of written standards in a best practices compliance program. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  10. Check out May the Podcast Be With You-the intersection of Star Wars and Compliance. The five-part series premieres on December 11 and a new episode will be released each day at noon CST. The series is sponsored by Affiliated Monitors.

Today we continue our celebration and exploration of the original trilogy of Star Wars movies (plus-one) with a look at Episode VI, Return of the Jedi. In this final movie from the original three, the good guys win in the end after overcoming incredible odds, which was certainly a good result. Many fans and critics panned it for including the incredibly cute and furry Ewoks on the moon named Endor as a part of the storyline. Many thought one very tall Wookiee was enough cuteness for the series. Yet the Ewoks did provide the setup to one of the movie’s best lines. The Ewoks thought one of Luke’s robots, C-3PO, was a god. Solo asked him to demonstrate some ‘god-like’ powers to which C-3PO replied, “It is against my programming to impersonate a deity.”

This movie’s big reveal was that Luke and Princess Leia were twins and that she was now free to unabashedly pursue bad boy Han Solo. While Episode VI was the lowest grossing film of the original three, coming in at only $572MM worldwide, it was still a great ride and visually stunning. George Lucas’ in-house organ, Industrial Light & Magic (ILM), certainly earned their title for their special effects in the movie. The Sarlacc battle sequence was great, the speeder bike chase on the Endor moon was way cool and the space battle between Rebel and Imperial pilots was a great ride. At the Academy Awards ceremony for movies of that year, Richard Edlund, Dennis Muren, Ken Ralston, and Phil Tippett, all from ILM, received the Special Achievement Award for Visual Effects Oscar award.

I thought about this entry in the Star Wars oeuvre when I read that HSBC and the Department of Justice (DOJ) had petitioned the US District Court for the Eastern District of New York for the bank to be released from its five-year Deferred Prosecution Agreement (DPA) which was entered into in December 2012. Samuel Rubenfeld, writing in the Wall Street Journal (WSJ) Risk and Compliance Journal, said, “The expiration of HSBC Holdings PLC’s deferred-prosecution agreement releases the bank from its sword of Damocles, but the legacy of the agreement taught the industry some tough lessons about anti-money laundering compliance”.

Martin Arnold, writing in the Financial Times (FT), noted, “The ending of the DPA is a vindication for the outgoing management team of Douglas Flint, who retired as chairman this year, and Stuart Gulliver, who is due to hand over as chief executive to John Flint, his retail banking head, in February. Mr Flint and Mr Gulliver made it one of their priorities to clean up the bank’s anti-money laundering and sanction controls, investing more than $1bn in compliance technology and creating a financial crime risk unit that has more than 7,000 staff.” But there were more tangible effects as “the move is expected to allow HSBC to return more of the $8bn of trapped capital that regulators have forced it to keep in the US”.

HSBC obtained this result through extensive remediation in fulfilling the requirements of the DPA. Arnold cited Stuart Levey, a former DOJ and US Treasury official, whom HSBC hired as its chief legal officer in 2012: “We took the decision to apply US level standards across the entire bank, which we didn’t have to do, but it is clearly one of the reasons why the DOJ agreed to do a DPA rather than prosecute us. Of course we still have improvements to make and we always will.”

In a press release, chief executive Gulliver noted “HSBC is able to combat financial crime much more effectively today as the result of the significant reforms we have implemented over the last five years. We are committed to doing our part to protect the integrity of the global financial system, and further improvements to our own capability and contributions toward the partnerships we have established with governments in this area will remain a top priority for the bank into 2018 and beyond.”

Chad Bray, reporting in the New York Times (NYT) Dealbook column, said, “As part of the agreement, the bank bolstered its financial crime controls and added staff members in a broad reshaping of its compliance structure. An outside corporate monitor was appointed in 2013 as part of the agreement and was expected to continue to examine the effectiveness of the bank’s anti-money laundering and sanctions compliance systems.”

Rubenfeld spoke with Dan Wager, vice president of financial crime compliance at LexisNexis Risk Solutions, who “said the expiry indicates the bank addressed its systemic issues, “a task many thought was not possible.” He added that “Large financial institutions could no longer expect to spend their way out of the situation. They had to alter the systemic issues within their walls, and really truly address them.” He further added that government regulators would also learn from the HSBC enforcement action and DPA settlement resolution and that it might well become the template moving forward for remediation, concluding “Such an agreement has benefits that a criminal conviction doesn’t, he said, because it provides a roadmap for other banks to follow to enhance their compliance programs: “Some might say the entire financial system benefits from the pain of the target institution.””

At the end of the final episode of the first trilogy, Luke sees the specters of Anakin Skywalker, Yoda and Obi-Wan Kenobi in front of him. As the latest Death Star is destroyed, planets in the Rebel Alliance all celebrate. While I am not sure how much celebrating HSBC might be doing this week, they should have pride in making it through the five-year DPA. The bank worked very hard to overcome its missteps and hopefully it will continue to do so ethically and in compliance.

May the Force be with you.

My good friend Doug Cornelius is also running a week of Star Wars/compliance themed blog posts on his site Compliance Building. Check them out for his take on a more well-rounded Star Wars oeuvre.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

There are numerous reasons to put some serious work into your policies and procedures. They are certainly a first line of defense when the government comes knocking. The 2012 FCPA Guidance made clear that “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” And by using the word “considered”, it is clear that this means the regulators will take a strong view against a company that does not have well thought out and articulated policies and procedures, all of which are systematically reviewed and updated. Moreover, having policies written out and signed by employees provides what some consider the most vital layer of communication and acts as an internal control. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the ‘Document, Document and Document’ mantra applies just as strongly to this area of anti-corruption compliance.

The specific written policies and procedures required for a best practices compliance program are well known and long established. The 2012 FCPA Guidance stated, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company. Procedures are the documents that implement these standards of conduct.

The role of compliance policies is to protect companies, their stakeholders, including employees, third-parties and others, despite an occasional lapse. A company’s compliance policies provide a basic set of guidelines for employees and others to follow. Compliance policies should give general prescriptions and should be supplemented by more specific procedures. By establishing what is and what is not acceptable ethical and compliant behavior, a company helps mitigate the risks posed by employees who might not always make the right ethical choices.

The Evaluation of Corporate Compliance Programs builds upon the requirements articulated in the 2012 FCPA Guidance. Under Prong 4, Policies and Procedures, it states, Applicable Policies and Procedures – Has the company had policies and procedures that prohibited the misconduct? How has the company assessed whether these policies and procedures have been effectively implemented? How have the functions that had ownership of these policies and procedures been held accountable for supervisory oversight? The Evaluation then goes on to ask about both accessibility and effectiveness of the compliance policies and procedures by stating, Accessibility – How has the company communicated the policies and procedures relevant to the misconduct to relevant employees and third parties? How has the company evaluated the usefulness of these policies and procedures?

Compliance policies do not guarantee employees will always make the right decision. However, the effective implementation and enforcement of compliance policies demonstrate to the government that a company is operating professionally and ethically for the benefit of its stakeholders, its employees and the community it serves.

There are five general elements to a compliance policy. It should stake out the following:

  • identify who the compliance policy applies to;
  • set out what is the objective of the compliance policy;
  • describe why the compliance policy is required;
  • outline examples of both acceptable and unacceptable behavior under the compliance policy; and
  • lay out the specific consequences for failure to comply with the compliance policy.

The Evaluation mandates there must be communication of your compliance policies and procedures throughout the workforce and relevant stakeholders such as third-parties and business venture partners. Compliance training is only one type of communication. I think that this is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, simply the logistics of training can appear daunting. Small groups, where detailed questions about policies can be raised and discussed, can be a powerful teaching tool. Another technique can be the posting of FAQs in common areas and virtually. Also, having written compliance policies signed by employees provides what some consider the most vital layer of communication. A signed acknowledgement can serve as evidentiary support if a future issue arises. Finally, never forget the example of the Morgan Stanley declination where the recalcitrant employee annually signed such certifications. These signed certifications helped Morgan Stanley walk away with a full declination.

The 2012 FCPA Guidance ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” It is important that compliance policies and procedures are applied fairly and consistently across the organization. The Fair Process Doctrine demonstrates that if compliance policies and procedures are not applied consistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated. This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.

Three Key Takeaways

  1. The Code of Conduct, together with written compliance policies and procedures, forms the backbone of your compliance program.
  2. The DOJ and SEC expect a well-thought out and articulated set of compliance policies and procedures.
  3. The Fair Process Doctrine holds for the application of policies and procedures.


This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates for one of the top compliance-related trainings going forward.

How can you work to operationalize the Code of Conduct as articulated in the Department of Justice (DOJ) Evaluation of Corporate Compliance Programs? The Evaluation focuses not on whether a company has a paper compliance program but whether a company is actually doing compliance. A company does compliance by moving it into the functional business units as a part of an overall business process. That is what makes a compliance program effective at the business level. There are several different parts of the Evaluation that touch upon your Code of Conduct.

Prong 2, Senior Leadership and Middle Management, states the following:

Shared Commitment – What specific actions have senior leaders and other stakeholders (e.g., business and operational managers, Finance, Procurement, Legal, Human Resources) taken to demonstrate their commitment to compliance, including their remediation efforts? How is information shared among different components of the company?

The Code of Conduct process should involve these corporate disciplines. Your Code of Conduct should enshrine your company’s values. Those are set by senior management and their input and support for any Code of Conduct project, whether initial draft or update, is critical.

Prong 4, Policies and Procedures states the following:

Designing Compliance Policies and Procedures – What has been the company’s process for designing and implementing new policies and procedures? Who has been involved in the design of policies and procedures? Have business units/divisions been consulted prior to rolling them out?

This question gets to the heart of operationalization and demonstrates how a Code of Conduct can work to meet the DOJ requirements. As an early part of your design and drafting process, you should assemble a cross-functional team. This is important for several reasons. First, diversity in your team will help produce a more well-rounded final product. Second, such team diversity will assist in your benchmarking effort, since these are the people who will help you look at designs and perhaps help forge the design of the Code. Finally, you can use the group to help in the drafting, redrafting and editing process. This diversity will help you to answer all three of the DOJ questions from the Evaluation in a manner that supports operationalization.

This project team diversity will also help to operationalize your Code of Conduct after implementation. You will have various business unit members invested in your new or revised Code of Conduct. This ownership will help not only in your internal marketing but also demonstrate to your entire workforce the commitment to doing business ethically and in compliance.

Prong 6, Training and Communication, states:

Form/Content/Effectiveness of Training – Has the training been offered in the form and language appropriate for the intended audience? How has the company measured the effectiveness of the training?

There are several different types of training, including live, interactive and online training. But in addition to training, your Code of Conduct can form the basis of ongoing communications throughout the organization. Through a Code of Conduct, a company has acknowledged certain risks and it can communicate those risks through effective use of a Code of Conduct. It can also serve as a jumping off point for training and communications about more focused topics and discussions led by employees outside the compliance department.

You can measure the effectiveness of your training through a variety of mechanisms including knowledge assessments, culture surveys, focus groups, tracking your internal intranet training, reporting of trends and even hotline calls. These techniques can help to drive compliance into the very fabric of your company by operationalizing compliance. Another important consideration around effectiveness for training, and the text of the Code of Conduct, is translations, or as the DOJ stated, “Has the training been offered in the form and language appropriate for the intended audience?”

Three Key Takeaways

  1. What has been the role of senior management in the creation or update of your Code of Conduct?
  2. How have you worked with employees outside the compliance function to lay the groundwork for fully operationalizing your compliance program?
  3. How have you measured the effectiveness of your Code of Conduct training?



Over the past few posts I have been exploring the Department of Justice’s (DOJ) new policy regarding Foreign Corrupt Practices Act (FCPA) enforcement. Deputy Attorney General Rod Rosenstein, in a speech, called it the FCPA Corporate Enforcement Policy and stated that it is now “incorporated into the United States Attorneys’ Manual.” I have considered what it means for the compliance practitioner and compliance profession going forward. Today, I want to conclude this series with some final thoughts.

The first observation is the process the DOJ went through to come up with this new Policy. The impetus would seem to have been the expiration of the one-year FCPA Pilot Program in April 2017. At the conclusion of this one-year experiment, the DOJ announced it would assess the Pilot Program. It not only assessed the Pilot Program but made changes which I think make the new Policy even more effective than the Pilot Program. In addition to the enforcement aspects of increasing the discount available to companies which met the requirements of the Pilot Program to a 100% discount, from a Pilot Program high of a 50% discount, the DOJ made the presumption companies would receive a full declination as the default response to meeting the prescripts of the new Policy. Nowhere else under federal law is there such a presumption when there is a violation of federal criminal law.

Yet beyond the presumption of a full declination, there are additional benefits to companies which fail to disclose or have aggravating factors. Mike Volkov noted these additional benefits consisted of “a guarantee of a 50 percent discount and the probable avoidance of a corporate monitor.” Further, “In the event that a company does not qualify for a voluntary disclosure but cooperates and remediates its compliance program, the company can still earn up to a 25 percent discount from the bottom of the Sentencing Guidelines range.”

As a part of its review of the Pilot Program, the DOJ brought forward language on the expectation of a best practices compliance program, which I previously examined in some depth. There was language brought forward from both the Pilot Program and the 2017 Evaluation of Corporate Compliance Programs (Evaluation). Each of these additions builds upon the 10 Hallmarks of an Effective Compliance Program incorporated through reference into the new Enforcement Policy.

These new additions to a best practices compliance program elevate both the corporate compliance function and the position of the Chief Compliance Officer (CCO) in an organization. Perhaps most importantly, the DOJ made clear there must be compliance expertise on the Board, which signals that companies should now have a compliance program subject matter expert (SME) on their Board of Directors. Hopefully companies like Wells Fargo and Uber will take notice of this new DOJ expectation. Compliance department budgets will also need to be commensurately increased. There is also now the requirement for not only a root cause analysis but the looping of the information obtained during the root cause analysis back into the remediation phase of any corporate compliance program. While others and I have argued these were DOJ requirements based on the Pilot Program and Evaluation, now that they are a part of the US Attorney’s Manual, they will be given the full credence they deserve.

James Koukios, in Episode 360 of the FCPA Compliance Report, characterized these changes as “clarification and consolidation”; another way to consider these changes is as preservation and enhancement. The DOJ preserved the foundational compliance elements found in the 10 Hallmarks of an Effective Compliance Program and enhanced compliance programs through the incorporation of those items from the Pilot Program and Evaluation. Whichever formulation you might prefer, clearly the compliance discipline was moved forward by the DOJ with the new Policy.

All of these new statements, consolidations of prior DOJ publicly released documents and items from other sources are now consolidated in one Policy. Certainly, this is a positive move forward for all parties involved in the process: prosecutors, companies and their counsel. Looking back at the DOJ statements from this year, it is clear how important the compliance function and compliance profession are in FCPA enforcement. In April, Attorney General Sessions said, at the Ethics & Compliance Initiative (ECI) Annual Conference, the following about compliance practitioners, “your work seeks to prevent, by building strong cultures of compliance within your companies to deter illegal and unethical conduct. We applaud those efforts. Our department would much rather have people and companies obey the law and do the right thing, so we don’t have to see them in court. Your good work makes our jobs easier, and it makes your companies and our country better. So far, so good. The E&C community is recognized for doing their job of helping companies follow their moral compass.”

Finally, the DOJ has brought everyone into the fight against bribery and corruption. Someone as thoughtful as former Deputy US Attorney General George J. Terwilliger III, writing in the FCPA Blog, said, “The new policy is grounded in the notion that companies and the government have a shared interest in securing the rule of law, which in this context includes global commercial markets freed from the influence and corrosive effects of corruption.” When you can couple such a policy under the rule of law, it is quite an achievement. It is the final concept which makes this new Policy truly unique. Hats off to the DOJ for it.
