Before Jim Crane came along to purchase the Houston Astros and provide us all with some of the best lessons learned for the compliance practitioner, they had a long and storied history, even if part of that history included not achieving much in the way of success. After all, it took the Astros 50 years to reach the World Series (reach – not win). Before they had that inglorious run, they were known as the Houston Colt 45s and they were even more sad sack than after they re-monikered themselves as the Astros.

In the Pantheon of baseball achievements one Houston Colt 45 stands above all. It is Ken Johnson, who died earlier this week. Johnson’s achievement – he is the only pitcher in the long and storied history of baseball, who pitched a complete game no-hitter and lost. In a game against the Cincinnati Reds, on April 23, 1964, with one out in the 9th inning, Johnson fielded a bunt by Pete Rose and threw wildly to first, allowing Rose to reach second. Rose scored two batters later on an error by second baseman Nellie Fox. The Reds won the game 1-0.

I thought about hard luck Ken Johnson in the context of the continued difficulty companies face around liability for third parties under the Foreign Corrupt Practices Act (FCPA). There are two areas that do not get as much attention that I wanted to focus on today. The first is the Questionnaire you utilize to help in the evaluation of any third party and the second is the compliance terms and conditions you should include in any commercial agreement with third parties.

Below are some of the areas that I think you should inquire into through your Questionnaire to a proposed third party:

  • Ownership Structure: Describe whether the proposed third party is a government or state-owned entity, and the nature of its relationship(s) with local, regional and governmental bodies. Are there any members of the business partner related, by blood, to governmental officials?
  • Financial Qualifications: Describe the financial stability of, and all capital to be provided by, the proposed third party. You should obtain financial records, audited for 3 to 5 years, if available. Obtain the name and contact information for their banking relationship.
  • Personnel: Determine whether the proposed agent will be providing personnel, particularly whether any of the employees are government officials. Make sure that you obtain the names and titles of those who will provide services to your company.
  • Physical Facilities: Describe what physical facilities will be used by the third party for your work. Be sure to obtain their physical address.
  • References: Obtain names and contact information for at least three business references that can provide information on the business ethics and commercial reliability of the proposed third party.
  • PEPs: Are any of the owners, beneficial owners, officers or directors politically exposed persons (PEPs)?
  • UBO: It is imperative that you obtain the identity of the Ultimate Beneficial Owner (UBO).
  • Compliance Regime: Does the proposed third party have an anti-corruption/anti-bribery program in place? Do they have a Code of Conduct? Obtain copies of all relevant documents and training materials.
  • FCPA Training and Awareness: Has the proposed third party received FCPA training, are they TRACE certified or certified by some other recognizable entity?

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, my experience is that most proposed agents that have done business with US or UK companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to US businesses.

The questionnaire fills several key roles in your overall management of third parties. Obviously it provides key information that you need to know about who you are doing business with and whether they have the capabilities to fulfill your commercial needs. Just as important is what is communicated if the questionnaire is not completed or is only partially completed, such as a lack of awareness of the FCPA, UK Bribery Act or anti-corruption/anti-bribery programs generally. Lastly, the information provided (or not provided) in the questionnaire will assist you in determining what level of due diligence to perform.

Similarly, compliance terms and conditions should be in every contract, whether such document is a simple agency or consulting agreement or a joint venture (JV) with several formation documents. The compliance terms and conditions should include representations that in all undertakings the third party will make no payments of money, or anything of value, nor will such be offered, promised or paid, directly or indirectly, to any foreign officials, political parties, party officials, candidates for public or political party office, to influence the acts of such officials, political parties, party officials, or candidates in their official capacity, to induce them to use their influence with a government to obtain or retain business or gain an improper advantage in connection with any business venture or contract in which the company is a participant.

In addition to the above affirmative statements regarding conduct, a commercial contract with a third party should have the following compliance terms and conditions in it:

  • Indemnification: Full indemnification for any FCPA violation, including all costs for the underlying investigation.
  • Cooperation: Require full cooperation with any ethics and compliance investigation, specifically including the review of foreign business partner emails and bank accounts relating to your Company’s use of the foreign business partner.
  • Material Breach of Contract: Any FCPA violation is made a material breach of contract, with no notice and opportunity to cure. Further, such a finding will be the grounds for immediate cessation of all payments.
  • No Sub-Vendors (without approval): The foreign business partner must agree that it will not hire an agent, subcontractor or consultant without the Company’s prior written consent (to be based on adequate due diligence).
  • Audit Rights: An additional key element of a contract between a US Company and a foreign business partner should include the retention of audit rights. These audit rights must exceed the simple audit rights associated with the financial relationship between the parties and must allow a full review of all FCPA related compliance procedures such as those for meeting with foreign governmental officials and compliance related training.
  • Acknowledgment: The foreign business partner should specifically acknowledge the applicability of the FCPA to the business relationship as well as any country or regional anti-corruption or anti-bribery laws, which apply to either the foreign business partner or business relationship.
  • On-going Training: Require that the top management of the foreign business partner and all persons performing services on your behalf shall receive FCPA compliance training.
  • Annual Certification: Require an annual certification stating that the foreign business partner has not engaged in any conduct that violates the FCPA or any applicable laws, nor is it aware of any such conduct.
  • Re-qualification: Require the foreign business partner re-qualify as a business partner at a regular interval of no greater than every three years.

Many will exclaim, “What an order, I can’t go through with it.” By this they mean that they do not believe that they will be able to get the third party to agree to such compliance terms and conditions. I have found that while it may not be easy, it is relatively simple to get a third party to agree to these, or similar, terms and conditions. One approach to take is that they are not negotiable. When faced with such a position on non-commercial terms many third parties will not fight such a position. There is some flexibility but the Department of Justice (DOJ) will require the minimum terms and conditions that it has suggested in the various Attachment Cs to the Deferred Prosecution Agreement (DPA) and in the FCPA Guidance. But the best position I have found is that if a third party agrees with these terms and conditions, they can then use that as a market differentiator from other third parties who have not gone through the life cycle management of a third party.

Two of the under-utilized tools of third party risk management are the third party questionnaire and compliance terms and conditions. By using these relatively simple and straightforward techniques you can help avoid the hard-luck nature of Ken Johnson and losing the game when you pitch a no-hitter.

A Happy Thanksgiving to all.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2015

The attacks in Paris and subsequent events have horrified any right-minded person. The slaughter of innocent civilians sickened the world and the outpouring of support for the city of Paris, the country of France and the French people has been universal. One of the things that I thought about in the aftermath is the intersection of corruption and terrorism. The EU open border policy and its banks’ notoriously lax money laundering regimes and enforcement could certainly have contributed to some of the underlying factors leading to the attack. I am sure there will be aggressive and robust responses from governments across the globe involving new and beefed up anti-money laundering (AML) laws. This is something the anti-corruption compliance practitioner and all US companies need to prepare for in the days and weeks to come, largely in response to the attacks in Paris.

Most anti-corruption compliance practitioners and most US companies do not focus on AML compliance or corporate AML controls. However, the bad guys think about how to move money around from their ill-gotten gains quite a bit, using the most innocuous types of business. In a Los Angeles Times (LAT) article entitled “Cartels use legitimate trade to launder money, US and Mexico say”, reporters Tracy Wilkinson and Ken Ellingwood described a process whereby teams of money launderers working for cartels use dollars to purchase a commodity from the US and then export the commodity to Mexico or Colombia. A key is that “Paperwork is generated that gives a patina of propriety” which means that drug money is given the appearance of legitimate proceeds from a legitimate commercial transaction. An Immigration and Customs official interviewed said, “It’s such a great scheme. You could hide dirty money in so much legitimate business, and they do. You can audit their books all day long and all you see is goods being imported and exported.” Another scheme involved several executives of Angel Toy Company, who conspired with Mexican drug cartels to launder drug money through a scheme to purchase Teddy Bears (of all things), for shipment back to and for resale in Mexico. The plan was straightforward, just under $10K of cash for each shipment of Teddy Bears, which were then resold in Mexico.

The key is that the commodities being purchased are so mild that large bulk purchases will rarely, if ever, draw any official scrutiny. The goods purchased can be red tomatoes or bolts of cotton fabric. In either case, the commodity itself does not matter, as the simple fact of purchasing in the US, shipping into, and reselling in Mexico allows the drug cartels to “transfer earnings back home to pay bills and buy new drug supplies while converting dollars to pesos in a transaction relatively easy to explain to authorities.”

However, now money launderers use even more sophisticated tactics such as “overvaluing and undervaluing invoices and customs declarations.” There is even a new term “trade-based money-laundering” used to denominate the schemes. It was reported that in another operation, which was estimated to launder over $1MM every three weeks, money launderers were exporting from the US to Mexico polypropylene pellets that are used to make plastic. However, the money launderers inflated the value declared on the high-volume shipments and this eventually attracted suspicion of US bank investigators, “who shut down the export operation by discontinuing letters of credit that the suspected launderers were using.” One official noted, “You generate all this paperwork on both sides of the border showing that the product you’re importing has this much value on it, when in reality you paid less for it. Now you’ve got paper earnings of a million dollar and the million dollars in my bank account – it’s legitimate. It came from this here, see?”

Transaction-based due diligence and internal controls are mandatory components of a Foreign Corrupt Practices Act (FCPA) minimum best practices compliance program. In addition to due diligence on agents, distributors or others in the sales distribution chain, companies need to perform due diligence on those to whom they sell. If someone from Mexico suddenly comes to your business and wants to buy widgets with cash, this needs to send up a huge Red Flag.

Banks and financial institutions have led the way in fighting money laundering through their robust AML controls. Below I have listed some AML Red Flags that you can begin to use now:

  1. Legitimacy of the party and/or assets are undeterminable through due diligence or independent verification;
  2. The party proffers false, misleading or substantially incorrect information and documentation;
  3. The party suggests transactions involving cash or insists on dealing only in cash equivalents;
  4. The party refuses to disclose or to provide documentation concerning identity, nature of business, or nature and source of assets;
  5. The party refuses to identify a principal or beneficial owner;
  6. The party appears to be acting as an agent for an undisclosed principal or beneficial owner, but is reluctant to provide information, or is otherwise evasive, regarding the identity of the principal or beneficial owner;
  7. The party is a shell company and refuses to disclose the identity of the party’s beneficial owner;
  8. The party has assets that are well beyond its known income or resources;
  9. The party requests that funds be transferred to an unrelated third party and is unable to provide sufficient legitimate and independently verifiable justification for such request;
  10. The party requests a wire transfer to a jurisdiction other than the one in which the party is located and is unable to provide sufficient legitimate and independently verifiable justification for such request, particularly if located in an “offshore” bank secrecy or tax haven;
  11. The party engages in transactions that appear to have been structured so as to avoid government reporting requirements, especially if the cash or monetary instruments are in an amount just below reporting or recording thresholds;
  12. The party exhibits unusual concern about compliance with government reporting requirements;
  13. The party exhibits a lack of concern regarding risks or other transaction costs;
  14. The party wishes to engage in a transaction that lacks business sense, economic substance or apparent investment strategy;
  15. The party lacks general knowledge of its industry or lacks adequate facilities or qualified staff to perform the required tasks or work;
  16. The party requests that a transaction be processed in a manner that circumvents procedures or avoids documentation requirements;
  17. The party is included on a list of Specially Designated Nationals, or similar lists maintained by the U.S. Government and the United Nations, or is associated with such individuals and entities;
  18. The party is located or has accounts or financial dealings in countries either identified as being non-cooperative with international efforts against money laundering by the Financial Action Task Force, or against whom the U.S. Treasury Department has issued an advisory;
  19. The party, or any person associated with the party, is or has been the subject of any formal or informal allegations (including in the reputable media) regarding possible criminal, civil or regulatory violations or infractions; and
  20. The independent due diligence conducted uncovers allegations that raise concerns regarding the party’s integrity.

Obviously there is a large overlap with anti-corruption due diligence and red flags. While most anti-corruption compliance practitioners understand the basic concepts behind Know Your Customer programs, including due diligence and policies and procedures, most of corporate America is quite far behind banks and financial institutions in the sophistication around detecting, investigating and reporting suspicious transactions. I think companies will need to take a look at the steps they place around AML compliance and the sooner the better.


Jonah Lomu died this week. If you have more than a passing interest in sports, you will recognize Lomu as one of the very few game-changers in a sport, his being rugby. I do not pretend to understand the sport very well (except that it involves running, blocking, hitting and tackling – which I do understand), yet I could even tell that he was a true original, a 6 foot 5 inch, 265 lb. behemoth who could run a 4.4 forty. He played for the New Zealand All-Blacks but not in the middle as you might expect for a man his size but as a winger, really just a wide-out for those who want it translated into American football.

If you saw the movie Invictus about South Africa’s 1995 Rugby World Cup championship, you will remember the clips of a 20-year-old Lomu single-handedly destroying England with four tries (read: touchdowns) in the Semi-Finals. Yet South Africa was able to keep him under control to win one of the greatest finals upsets in Rugby World Cup history. Yet even at that youthful age, he had been diagnosed with a rare kidney disease that would eventually lead to his death at the age of 40. Here’s to you Jonah Lomu, to your true greatness and a true original.

I thought about Lomu when reading the comments from the Department of Justice (DOJ) and Assistant Attorney General Leslie R. Caldwell about how the DOJ will consider a company’s actions in any decision on whether or not to prosecute. These comments, changes and clarifications would appear to bookend the process that began with the Yates Memo, released back in September. Earlier this week, Deputy Attorney General Sally Quillian Yates clarified how the DOJ would be evaluating companies going forward.

Stephen Dockery, writing in the Wall Street Journal (WSJ) online publication, Risk and Compliance Report, in an article entitled “U.S. Justice Dept. Changes Corporate Credit Process in Prosecutions”, said that the DOJ explained how the process laid out in the Yates Memo would go into effect. He wrote there “will be two factors prosecutors can use in giving more favorable treatment” when making decisions on whether or not to prosecute. He quoted Yates as saying, “one focused solely on the company’s timely and voluntary disclosure and the second on its cooperation. We made this change to emphasize that while the concepts of voluntary disclosure and cooperation are related, they are distinct factors to be given separate consideration in charging decisions. In recognition of the significant value early reporting holds for us, prompt voluntary disclosure by a company will be treated as an independent factor weighing in the company’s favor.”

Dockery also noted that Yates clarified what might be considered “all relevant facts” from an investigation. Once again he quoted Yates directly, “There is nothing in the new policy that requires companies to waive attorney-client privilege or in any way rolls back the protections that were built into the prior factors. But to earn cooperation credit, the corporation does need to produce all relevant facts – including the facts learned through those interviews.” Dockery also said that Yates noted, “the Justice Department wouldn’t look favorably on companies trying to twist privilege to shield information from investigators.”

Caldwell expanded on these remarks in a speech made on Tuesday of this week, when she said, “In our view, a company that wishes to be eligible for the maximum mitigation credit in an FCPA case must do three things: (1) voluntarily self-disclose, (2) fully cooperate and (3) timely and appropriately remediate.” Regarding point 1, self-disclosure, Caldwell went on to say, “I mean that within a reasonably prompt time after becoming aware of an FCPA violation, the company discloses the relevant facts known to it, including all relevant facts about the individuals involved in the conduct.” Moreover, “To qualify, this disclosure must occur before an investigation—including a regulatory investigation by an agency such as the SEC (U.S. Securities and Exchange Commission)—is underway or imminent. And disclosures that the company is already required to make by law, agreement or contract do not qualify.”

Caldwell also expanded on Yates’ second prong, ongoing cooperation. She said, “Second, in line with the focus on individual accountability for corporate criminal conduct…companies seeking credit must affirmatively work to identify and discover relevant information about the individuals involved through independent, thorough investigations. Companies cannot just disclose facts relating to general corporate misconduct and withhold facts about the individuals involved. And internal investigations cannot end with a conclusion of corporate liability, while stopping short of identifying those who committed the underlying conduct.” But it means more than simply doing an investigation and turning over the results of the investigation. Full cooperation also “includes providing timely updates on the status of the internal investigation, making officers and employees available for interviews—to the extent that is within the company’s control—and proactive document production, especially for evidence located in foreign countries.”

Finally, Caldwell added a third prong, which Yates did not discuss: remediation. She noted that remediation includes a “company’s overall compliance program as well as its disciplinary efforts related to the specific wrongdoing at issue. For example, when examining remediation we consider whether and how the company has disciplined the employees involved in the misconduct. We also examine the company’s culture of compliance including an awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated.”

This is where the new DOJ Compliance Counsel comes into the picture. Caldwell said, “We look forward to her insights on issues such as whether the compliance program truly is thoughtfully designed and sufficiently resourced to address the company’s compliance risks and whether proposed remedial measures are realistic and sufficient.” I was interested to read that Caldwell also said this new person would also “be interacting with the compliance community to seek input about ways we can work together to advance our mutual interest in strong corporate compliance programs.” While her remarks this week did not go into the detail she did in her previous speech outlining the metrics the new Compliance Counsel will use in evaluating corporate compliance programs, Caldwell clearly referenced those standards as well.

The Yates remarks clarifying how “businesses will get an extra shot at favorable treatment based on their disclosure of wrongdoing to the government” and Caldwell’s speech further laying out the parameters and what will be expected in the form of a corporate compliance program should be welcome news to every Chief Compliance Officer (CCO) and compliance practitioner. These two pieces of information, coupled with Caldwell’s earlier remarks on the Compliance Counsel metrics, lay out for you, with the most precision yet, how to move forward towards obtaining the best possible outcome if you are embroiled in a Foreign Corrupt Practices Act (FCPA) investigation. If your management wants to know what credit it will receive and the roadmap of how to get the best possible result, the DOJ has laid it out for you.

I further believe this series of remarks serves as a bookend to the information announced in the Yates Memo in September. That Memo set forth the expectations for prosecutors in white-collar cases, including FCPA matters, to prosecute more individuals. You see what substantive cooperation means and how your compliance program will be evaluated. The DOJ has laid it out for you in plain black and white.



Yesterday the FCPA Professor reminded us that the joint Department of Justice (DOJ) and Securities and Exchange Commission (SEC) FCPA Guidance came out three years ago this month. As a commentator focusing on the doing of compliance, I think it should give us pause to once again thank the government regulators and prosecutors who had a part in drafting this most remarkable of documents. I submit it is the best government generated source regarding what constituted at the time (and probably still does) a best practices compliance program. So for anyone interested in exploring the lessons learned about Foreign Corrupt Practices Act (FCPA) compliance programs and what the government expects to see, the FCPA Guidance is the best document you can review.

As a ‘Nuts and Bolts’ guy I found the DOJ/SEC formulation of their thoughts on what might constitute a best practices compliance program, denominated the “Ten Hallmarks of an Effective Compliance Program”, to be the most useful part of the FCPA Guidance. While the Guidance cautions that there is no “one-size-fits-all” compliance program, it recognizes that a company should weigh a variety of factors, such as size, type of business, industry and risk profile, in determining its own needs regarding an FCPA compliance program. But the Guidance made clear that these ten points are “meant to provide insight into the aspects of compliance programs that DOJ and SEC assess”. In other words, you should pay attention to these and use this information to assess your own compliance regime.

  1. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption. It all starts with tone at the top. But more than simply ‘talk-the-talk’, company leadership must ‘walk-the-walk’ and lead by example. Both the DOJ and SEC look to see if a company has a “culture of compliance”. More than a paper program is required; it must have real teeth and it must be put into action, all of which is led by senior management. The Guidance states, “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards.” This prong ends by stating that the DOJ and SEC will “evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”
  2. Code of Conduct and Compliance Policies and Procedures. The Code of Conduct has long been seen as the foundation of a company’s overall compliance program and the Guidance acknowledges this fact. But a Code of Conduct and a company’s compliance policies need to be clear and concise. Importantly, the Guidance made clear that if a company has a large employee base that is not fluent in English such documents need to be translated into the native language of those employees. A company also needs to have appropriate internal controls based upon the risks that a company has assessed for its business model.
  3. Oversight, Autonomy, and Resources. This section begins with a discussion on the assignment of a senior level executive to oversee and implement a company’s compliance program. Equally importantly, the compliance function must have “sufficient resources to ensure that the company’s compliance program is implemented effectively.” Finally, the compliance function should report to the company’s Board of Directors or an appropriate committee of the Board such as the Audit Committee. Overall, the DOJ and SEC will “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
  4. Risk Assessment. The Guidance states, “assessment of risk is fundamental to developing a strong compliance program”. Indeed, if there is one over-riding theme in the Guidance it is that a company should assess its risks in all areas of its business. The Guidance is also quite clear that when the DOJ and SEC look at a company’s overall compliance program, they “take into account whether and to what degree a company analyzes and addresses the particular risks it faces.” The Guidance lists factors that a company should consider in any risk assessment. They are “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.”
  5. Training and Continuing Advice. Communication of a compliance program is a cornerstone of any anti-corruption compliance program. The Guidance specifies that both the “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” The training should be risk based so that those high-risk employees and third party business partners receive an appropriate level of training. A company should also devote appropriate resources to providing its employees with guidance and advice on how to comply with their own compliance program on an ongoing basis.
  6. Incentives and Disciplinary Measures. Initially the Guidance notes that a company’s compliance program should apply from “the board room to the supply room – no one should be beyond its reach.” There should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. Additionally, the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.”
  7. Third-Party Due Diligence and Payments. The Guidance says that companies must engage in risk based due diligence to understand the “qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials.” Next a company should articulate a business rationale for the use of the third party. This would include an evaluation of the payment arrangement to ascertain that the compensation is reasonable and will not be used as a basis for corrupt payments. Lastly, there should be ongoing monitoring of third parties.
  8. Confidential Reporting and Internal Investigation. This means more than simply a hotline. The Guidance suggests that anonymous reporting, and perhaps even a company ombudsman, might be appropriate to have in place for employees to report allegations of corruption or violations of the FCPA. Furthermore, it is just as important what a company does after an allegation is made. The Guidance states, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” The final message is what did you learn from the allegation and investigation and did you apply it in your company?
  9. Continuous Improvement: Periodic Testing and Review. As noted in the Guidance, “compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” The DOJ/SEC expects that a company will review and test its compliance controls and “think critically” about its own weaknesses and risk areas. Internal controls should also be periodically tested through targeted audits.
  10. Mergers and Acquisitions. Pre-Acquisition Due Diligence and Post-Acquisition Integration. Here the DOJ and SEC spell out their expectations in not only the post-acquisition integration phase but also in the pre-acquisition phase. This pre-acquisition information was not something on which most companies had previously focused. A company should attempt to perform as much substantive compliance due diligence as it can before it purchases a company. After the deal is closed, an acquiring entity needs to perform an FCPA audit, train all senior management and risk employees in the purchased company and integrate the acquired entity into its compliance regime.

What is the significance of these Ten Hallmarks today? Last week, Assistant Attorney General Leslie R. Caldwell laid out the metrics under which the DOJ’s new Compliance Counsel would evaluate a company’s compliance program. They are still working off these Ten Hallmarks. Then yesterday, Caldwell laid out the three key factors that a company must sustain to hope for a Declination. (I will explore all three points in full in a further blog post.) Point three was the remediation steps that a company takes during the pendency of the investigation. Obviously, taking disciplinary action against the culpable individuals is a critical component, but I also believe that the part of your compliance regime which may have caused, contributed to or allowed the compliance failure to occur must be upgraded. This is where the Ten Hallmarks can provide you solid advice on what you should do going forward.

While others have leveled a variety of criticisms at the FCPA Guidance, I think they miss the essential point that for the compliance practitioner, it is an excellent resource about doing compliance. So here’s to the Guidance at the ripe age of 3. Thanks for coming into all of our (compliance) lives.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2015