FCPA: A guide to compliance
The analysis covers guidance on implementing an effective compliance programme as defined by the “Resource Guide to the Foreign Corrupt Practices Act“ (FCPA) recently released by the US Department of Justice and Securities and Exchange Commission.
In a global marketplace, an effective compliance programme is a critical component of a company’s internal controls and is essential to detecting and preventing FCPA violations. Effective financial crime compliance programmes are tailored to the company’s specific business and to the risks associated with that business. They are dynamic and evolve as the business and the markets change.
An effective compliance programme promotes an organisational culture that encourages ethical conduct and a commitment to compliance with the law.
Such a programme protects a company’s reputation, ensures investor value and confidence, reduces uncertainty in business transactions, and secures the company’s assets.
A well-constructed, thoughtfully implemented, and consistently enforced compliance and ethics programme helps prevent, detect, re-mediate, and report misconduct, including FCPA violations.
The US Department of Justice (DOJ) and the US Securities and Exchange Commission (SEC) have no formulaic requirements regarding compliance programmes. Rather, they employ a common-sense and pragmatic approach to evaluating compliance programmes, making inquiries related to three basic questions:
- Is the company’s compliance programme well designed?
- Is it being applied in good faith?
- Does it work?
Our 10 point analysis contains information regarding some of the basic elements DOJ and SEC consider when evaluating compliance programmes. Although the focus is on compliance with the FCPA, given the existence of anti-corruption laws in many other countries, businesses should consider designing programmes focused on anti-corruption compliance more broadly.
1. Effective Compliance Programme
An effective compliance programme is a critical component of an issuers internal controls. Fundamentally, the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as:
- the nature of its products or services
- how the products or services get to market
- the nature of its work force
- the degree of regulation
- the extent of its government interaction
- and the degree to which it has operations in countries with a high risk of corruption.
When it comes to compliance, there is no one-size-fits-all programme.
A company’s compliance programme should be tailored to these differences. Businesses whose operations expose them to a high risk of corruption will necessarily devise and employ different internal controls than businesses that have a lesser exposure to corruption, just as a financial services company would be expected to devise and employ different internal controls than a manufacturer.
Compliance programmes that employ a check-the-box approach may be inefficient and, more importantly, ineffective. Because each compliance programme should be tailored to an organisations specific needs, risks, and challenges, the information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance programme most appropriate for that particular business organisation.
2. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption
Within a business organisation, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company. Managers and employees take their cues from these corporate leaders.
A strong ethical culture directly supports a strong compliance programme. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards. Compliant middle managers, in turn, will encourage employees to strive to attain those standards throughout the organisational structure.
3. Code of Conduct and Compliance Policies and Procedures
A company’s code of conduct is often the foundation upon which an effective compliance programme is built. The most effective codes of conduct are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.
Make certain that the code of conduct remains current and effective and periodically review and update the code.
Effective policies and procedures require an in-depth understanding of the company’s business model, including its products and services, third-party agents, customers, government interactions, and industry and geographic risks. Among the risks that a company may need to address include:
- the nature and extent of transactions with foreign governments, including payments to foreign officials
- use of third parties
- gifts, travel, and entertainment expenses
- charitable and political donations, and
- facilitating and expediting payments.
Regardless of the specific policies and procedures implemented, these conduct standards should apply to personnel at all levels of the company.
4. Oversight, Autonomy, and Resources
Companies should assign responsibility for the oversight and implementation of a company’s compliance programme to one or more specific senior executives within an organisation. Those individuals must have appropriate authority within the organisation, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance programme is implemented effectively. Depending on the size and structure of an organisation, it may be appropriate for day-to-day operational responsibility to be delegated to other specific individuals within a company. The amount of resources devoted to compliance will also depend on the company’s size, complexity, industry, geographical reach, and risks associated with the business.
5. Risk Assessment
Assessment of risk is fundamental to developing a strong compliance programme.
One-size-fits-all compliance programmes are generally ill-conceived and ineffective because resources inevitably are spread too thin, with too much focus on low risk markets and transactions to the detriment of high-risk areas. Similarly, performing identical due diligence on all third party agents, irrespective of risk factors, is often counter productive, diverting attention and resources away from those third parties that pose the most significant risks.
As a company’s risk for FCPA violations increases, that business should consider increasing its compliance procedures, including due diligence and periodic internal audits. The degree of appropriate due diligence is fact-specific and should vary based on industry, country, size, and nature of the transaction, and the method and amount of third-party compensation. Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.
6. Training and Continuing Advice
Companies should ensure that relevant policies and procedures have been communicated throughout the organisation, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.
Such training should typically cover company policies and procedures, instruction on applicable laws, practical advice to address real-life scenarios, and case studies. The information should be presented in a manner appropriate for the targeted audience, including providing training and training materials in the local language and providing different types of training with sample situations that are similar to the situations they might encounter.
7. Incentives and Disciplinary Measures
In addition to evaluating the design and implementation of a compliance programme throughout an organisation, enforcement of that programme is fundamental to its effectiveness.
The DOJ and SEC will consider whether, when enforcing a compliance programme, a company has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly, and whether they are commensurate with the violation. Many companies have found that publicising disciplinary actions internally, where appropriate under local law, can have an important deterrent effect, demonstrating that unethical and unlawful actions have swift and sure consequences.
No matter what the disciplinary scheme or potential incentives a company decides to adopt, no executive should be above compliance, no employee below compliance, and no person within an organisation deemed too valuable to be disciplined, if warranted. Rewarding good behaviour and sanctioning bad behaviour reinforces a culture of compliance and ethics throughout an organisation.
An effective compliance programme should include a mechanism for an organisations employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation. Once an allegation is made, companies should have in place an efficient, reliable and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or re-mediation measures taken.
8. Third-Party Due Diligence and Payments
Experience demonstrates that third parties, including agents, consultants, and distributors, are commonly used to conceal the payment of bribes to foreign officials in international business transactions. Risk-based due diligence is particularly important with third parties and will help the effectiveness of a company’s compliance programme.
Although the degree of appropriate due diligence may vary based on industry, country, size and nature of the transaction, and historical relationship with the third-party, some guiding principles always apply. As part of risk-based due diligence companies should:
- understand the qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials. The degree of scrutiny should increase as red flags surface
- have an understanding of the business rationale for including the third party in the transaction. Among other things, the company should understand the role of and need for the third party and ensure that the contract terms specifically describe the services to be performed. Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third party’s introduction to the business. Moreover, companies may want to confirm and document that the third party is actually performing the work for which it is being paid and that its compensation is commensurate with the work being provided
- undertake some form of ongoing monitoring of third-party relationships. Where appropriate, this may include updating due diligence periodically, exercising audit rights, providing periodic training, and requesting annual compliance certifications by the third party
- inform third parties of the company’s compliance programme and commitment to ethical and lawful business practices and, where appropriate, whether it has sought assurances from third parties, through certifications and otherwise, of reciprocal commitments.
9. Continuous Improvement: Periodic Testing and Review
Finally, a good compliance programme should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. Companies should take the time to review and test its controls, and it should think critically about its potential weaknesses and risk areas.
10. Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration
In the context of the FCPA, mergers and acquisitions present both risks and opportunities. A company that does not perform adequate FCPA due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue thus harming a business’ profitability and reputation, as well as potential civil and criminal liability.
In contrast, companies that conduct effective FCPA due diligence on their acquisition targets are able to evaluate more accurately each targets value and negotiate for the costs of the bribery to be borne by the target. In addition, such actions demonstrate a company’s commitment to compliance.
DOJ maintains a website dedicated to the FCPA and its enforcement at www.justice.gov/criminal/fraud/fcpa/
Individuals and companies wishing to disclose information about potential FCPA violations are encouraged to contact the FCPA Unit at the telephone number (202) 514-7023 or email: FCPA.Fraud@usdoj.gov
We deliver concise due diligence on businesses, vendors, agents, individuals, customers and other counter-parties to satisfy financial crime compliance and AML demands, so that our clients can operate with confidence. TenIntelligence assists clients undertake detailed risk assessments and implement tailored programmes in order to overcome their compliance challenges and to deter financial crime.