Jay and I return for a wide-ranging discussion on some of the top compliance and ethics related stories of the week, in this week’s fire and ice edition:

  1. Former VW Engineer Oliver Schmidt sentenced to 7 years in jail for his role in the VW emssions-testing scandal. See article by Dick Cassin in the FCPA Blog.
  2. U.K.’s Financial Regulatory Council is proposing changes to the governance code in the areas of corporate culture, diversity and sustainable long-term growth. Mara Lamos Stein reports in the WSJ Risk and Compliance Journal.
  3. Transparency International criticizes uses of it Corruption Perceptions Index. Henry Cutter reports in the WSJ Risk and Compliance Journal.
  4. Caterpillar Unit Cheated Customers, Tossed Evidence Into Ocean to Hide It. See article by James Hagerty and James Tita in the WSJ.
  5. Matthew Stephenson asks if it is time to amend US domestic bribery statutes, in light of the US Supreme Court decision in McDonnell in the Global Anti-corruption Blog.
  6. Adam Turteltaub visits with Andy Hinton the CCO at Google on the SCCE podcast, Compliance Perspectives.
  7. Roy Snell and Kristy Grant-Hart share 10 ways to get involved with the SCCE, on the SCCE blog.
  8. The SEC’s Whistleblower’s program is alive and well with three awards in the past week. See articles in the Anti-Corruption Digest and the FCPA Blog.
  9. Join Tom’s monthly podcast series on One Month to a More Effective Compliance Program. In December, I consider discuss the use of written standards in a best practices compliance program. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.

The top compliance roundtable podcast is back with a wealth of new topics, including the current regulatory climate in Washington and beyond.

  1. Matt Kelly opens with a discussion the ongoing comments by Deputy Attorney General Rod Rosenstein on compliance, the FCPA, the Yates Memo and asks: Has he really said anything? 

For Matt Kelly’s posts on speeches of Rosenstein, see the following: 

DOJ Penalty Policy Under Review

Rosenstein Talks Yates Memo, Says Diddly 

  1. Jonathan Armstrong considers the Paradise Paper and what it means for the compliance practitioner. He contrasts this data dump with that of the Panama Papers and asks if companies should be called out for engaging in legal tax avoidance as opposed to illegal tax evasion.
  1. Jay Rosen considers the number of recent comments about corporate monitors. He reviews statements by Rod Rosenstein, Dan Khan and Hui Chen. He explains the role of corporate monitors and how they can assist the compliance practitioner after an incident occurs or in a pro-active manner.

To see the DOJ statements on monitors, see the Morford Memo, the Breuer Memo and Grindler Memo.

  1. Mike Volkov returns to his DOJ roots as an anti-trust specialist in discussing the DOJ position in the ATT merger with Time Warner. He explains how both vertical and horizontal integration work in the context of an anti-trust matter; how the proposed sale of CNN would (or not) remedy anything and whether the President’s statements come into play.

The gang is back with rants which follow the discussions. 

The members of the Everything Compliance panel include:

  • Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com

Jay and I return for a wide-ranging discussion on some of the top compliance and ethics related stories of the week, in our special holiday edition.

  1. The DOJ/SEC FCPA Guidance turned 5 years old this week. For the compliance practitioner, it is the seminal document on how to do compliance. See Tom’s article in the FCPA Compliance Report.
  2. Wal-Mart reserves $283MM to settle its outstanding FCPA matter. See article by Dick Cassin in the FCPA Blog. Henry Cutter reports in the WSJ Risk and Compliance Journal.
  3. Tom Fox and Matt Kelly explore the intersection of shareholder activism and the structure of a compliance program. See Matt’s blog posts on Radical Compliance Part I and Part II. See Tom’s blog post here. Finally Tom and Matt took a deep dive into the issue in Episode 60 of Compliance into the Weeds.
  4. The FIFA trial is ongoing in NYC. It has featured anonymous jurors, threat against witness and claims that Fox Sports paid bribes. See stories in the WSJ Risk and Compliance Report, The Daily Mail, and Reuters.
  5. Mike Volkov has a four-part series on putting ethics back into corporate culture. Part I; Part II; Part III and Part IV.
  6. Tom visited with Marc Havener and Bryan Belknap about using movie clips to expand your compliance training classroom. See Tom’s blog post here.
  7. Will there ever be another corruption conviction of a politician in the US? Sam Rubenfeld explores this question in light of the hung jury in the Menedez mistrial in WSJ Risk and Compliance Journal.
  8. SEC report indicates hundreds of millions in whistleblower bounty awards coming. See article in National Law Review.
  9. Join Tom’s monthly podcast series on One Month to a More Effective Compliance Program. In November, I consider how a 360-degree view of communications can enhance your compliance program. This month’s sponsor is the Dun & Bradstreet. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  10. The Everything Compliance gang put together an eBook of their reflections from the recent SCCE 2017 Compliance and Ethics Institute. It is available for download free on JDSupra. It is also available on the Affiliated Monitors site by clicking here.

The joint Department of Justice (DOJ) and Securities and Exchange Commission (SEC) 2012 FCPA Guidance came out five years ago this month. As a commentator focusing on the doing of compliance, we should pause to once again thank the government regulators and prosecutors who had a part in drafting this most remarkable of documents. I submit it is the best government generated source regarding what constituted at the time (and probably still does) a best practices compliance program. For anyone interested in exploring the lessons learned about Foreign Corrupt Practices Act (FCPA) compliance programs and what the government expects to see, the 2012 FCPA Guidance is the best document you can start with.

As a ‘Nuts and Bolts’ guy I found the DOJ/SEC formulation of their thoughts on what might constitute a best practices compliance program, denominated the “Ten Hallmarks of an Effective Compliance Program”, as the most useful part of the FCPA Guidance. While the Guidance cautions that there is no “one-size-fits-all” compliance program, it recognizes a variety of factors such as size, type of business, industry and risk profile a company should determine for its own needs regarding a FCPA compliance program. But the Guidance made clear that these ten points are “meant to provide insight into the aspects of compliance programs that DOJ and SEC assess”. In other words you should pay attention to these and use this information to assess your own compliance regime.

  1. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption. It all starts with tone at the top. But more than simply ‘talk-the-talk’ company leadership must ‘walk-the-walk’ and lead by example. Both the DOJ and SEC look to see if a company has a “culture of compliance”. More than a paper program is required, it must have real teeth and it must be put into action, all of which is led by senior management. The Guidance states, “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards.” This prong ends by stating that the DOJ and SEC will “evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”
  2. Code of Conduct and Compliance Policies and Procedures. The Code of Conduct has long been seen as the foundation of a company’s overall compliance program and the Guidance acknowledges this fact. But a Code of Conduct and a company’s compliance policies need to be clear and concise. Importantly, the Guidance made clear that if a company has a large employee base that is not fluent in English such documents need to be translated into the native language of those employees. A company also needs to have appropriate internal controls based upon the risks that a company has assessed for its business model.
  3. Oversight, Autonomy, and Resources. This section begins with a discussion on the assignment of a senior level executive to oversee and implement a company’s compliance program. Equally importantly, the compliance function must have “sufficient resources to ensure that the company’s compliance program is implemented effectively.” Finally, the compliance function should report to the company’s Board of Directors or an appropriate committee of the Board such as the Audit Committee. Overall, the DOJ and SEC will “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
  4. Risk Assessment. The Guidance states, “assessment of risk is fundamental to developing a strong compliance program”. Indeed, if there is one over-riding theme in the Guidance it is that a company should assess its risks in all areas of its business. The Guidance is also quite clear that when the DOJ and SEC look at a company’s overall compliance program, they “take into account whether and to what degree a company analyzes and addresses the particular risks it faces.” The Guidance lists factors that a company should consider in any risk assessment. They are “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.”
  5. Training and Continuing Advice. Communication of a compliance program is a cornerstone of any anti-corruption compliance program. The Guidance specifies that both the “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” The training should be risk based so that those high-risk employees and third party business partners receive an appropriate level of training. A company should also devote appropriate resources to providing its employees with guidance and advice on how to comply with their own compliance program on an ongoing basis.
  6. Incentives and Disciplinary Measures. Initially the Guidance notes that a company’s compliance program should apply from “the board room to the supply room – no one should be beyond its reach.” There should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. Additionally, the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.”
  7. Third-Party Due Diligence and Payments. The Guidance says that companies must engage in risk based due diligence to understand the “qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials.” Next a company should articulate a business rationale for the use of the third party. This would include an evaluation of the payment arrangement to ascertain that the compensation is reasonable and will not be used as a basis for corrupt payments. Lastly, there should be ongoing monitoring of third parties.
  8. Confidential Reporting and Internal Investigation. This means more than simply a hotline. The Guidance suggests that anonymous reporting, and perhaps even a company ombudsman, might be appropriate to have in place for employees to report allegations of corruption or violations of the FCPA. Furthermore, it is just as important what a company does after an allegation is made. The Guidance states, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” The final message is what did you learn from the allegation and investigation and did you apply it in your company?
  9. Continuous Improvement: Periodic Testing and Review. As noted in the Guidance, “compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” The DOJ/SEC expects that a company will review and test its compliance controls and “think critically” about its own weaknesses and risk areas. Internal controls should also be periodically tested through targeted audits.
  1. Mergers and Acquisitions.Pre-Acquisition Due Diligence and Post-Acquisition Integration.Here the DOJ and SEC spelled out their expectations in not only the post-acquisition integration phase but also in the pre-acquisition phase. This pre-acquisition information was not something on which most companies had previously focused. A company should attempt to perform as much substantive compliance due diligence that it can do before it purchases a company. After the deal is closed, an acquiring entity needs to perform a FCPA audit, train all senior management and risk employees in the purchased company and integrate the acquired entity into its compliance regime.

What is the significance of these Ten Hallmarks today? Earlier this year, the DOJ released the Evaluation of Corporate Compliance Programs (Evaluation), based on these Ten Hallmarks. In April 2016, they released the FCPA Pilot Program, through which it further refined and clarified many of the specific Hallmarks from the 2012 FCPA Guidance. Indeed, in every speech since the release of the 2012 FCPA Guidance, where the DOJ has discussed its views on compliance best practices, it is always in reference to the 10 Hallmarks of an Effective Compliance Program.

While others have leveled a variety of criticism about the 2012 FCPA Guidance, they miss the essential point that for the compliance practitioner, it is an excellent resource about operationalizing compliance by putting into the business process of your organization. Here’s to the Guidance at the ripe of age of 5. Thanks for coming into all of our (compliance) lives.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017


Jay and I return for a wide-ranging discussion on some of the top compliance and ethics related stories of the week, including:

  1. Justice Department announces 4 guilty pleas and one indictment as follow on prosecutions from the Rolls Royce corruption case. See Tom’s article in the FCPA Compliance Report. See Sam Rubenfeld’s article in WSJ Risk and Compliance Report.
  2. Dick Cassin asks if the SEC is targeting foreign companies for FCPA enforcement. See article by Dick Cassin in the FCPA Blog.
  3. Hui Chen suggests there should be more FCPA enforcement of US domestic companies, reviews monitorships and the FCPA Pilot Program. Henry Cutter interviews Chen in the WSJ Risk and Compliance Report.
  4. Saudi Arabia has a corruption crackdown. What does it mean for the compliance practitioner? See Tom’s article in FCPA Compliance Report.
  5. What happens if your General Counsel is also your CCO? Joe Murphy explores this conundrum in the SCCE Blog.
  6. What will become of the DOJ’s Evaluation of Corporate Compliance Programs? Matt Kelly explores in Radical Compliance.
  7. What do the Paradise Papers mean for the compliance practitioner. Sam Rubenfeld considers in the WSJ Risk and Compliance Journal.
  8. Mike Volkov has a two-part series on the intersection of COSO and compliance. Part I on the framework; Part II on using the framework to break down siloes.
  9. AML concerns. Adam Davidson returns to the Compliance Report-International Edition podcast to explain the intersection of money-laundering and the Trump business empire. DAG Rod Rosenstein discusses the intersection of FCPA, AML prosecutions and international investigations in a speech to Clearing House 2017 Annual Conference.
  10. Join Tom’s monthly podcast series on One Month to a More Effective Compliance Program. In November, I consider how a 360-degree view of communications can enhance your compliance program. This month’s sponsor is the Dun & Bradstreet. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  11. FCPA Master Class Training in NYC on November 28 & 29. For information and registration, go here.