The Department’s revised FCPA Corporate Enforcement Policy—which will be incorporated into the United States Attorneys’ Manual—builds on and makes permanent the Department’s 2016 FCPA Pilot Program. While much of the commentary on the revised policy has focused on the potential benefits of voluntary self-disclosure and cooperation after an issue arises, the policy also provides updated guidance to all companies on the hallmarks of an effective compliance and ethics program – an important and practical takeaway for compliance officers, in-house counsel, boards and executives.
DOJ’s Revised FCPA Corporate Enforcement Policy Formalizes the 2016 FCPA Pilot Program
The Pilot Program set out to evaluate if the Department could motivate companies to voluntarily self-disclose FCPA-related misconduct, fully cooperate with the Fraud Section, and, where appropriate, remediate flaws in controls and compliance programs. One of the key components of the Pilot Program was the potential for substantial mitigation—including declination of prosecution in certain cases and, where warranted, a credit of up to a 50 percent reduction below the low end of the applicable U.S. Sentencing Guidelines’ fine range for companies that voluntarily self-disclose misconduct and cooperate and remediate to the Department’s satisfaction. Deputy Attorney General Rod Rosenstein expressed his satisfaction with the program’s results, which he heralded as a step forward in fighting corporate crime. He also noted that during the pilot period, the DOJ saw 30 voluntary disclosures to the FCPA Unit—compared to 18 during the previous 18‑month period.
In announcing the new formalized Policy, Deputy Attorney General Rosenstein emphasized that the Department will continue to strongly encourage voluntary disclosures and set forth what he considers to be the revised Policy’s three key features:
- First, when a company satisfies the standards of voluntary self-disclosure, full cooperation, and timely and appropriate remediation, there will be a presumption that the Department will resolve the company’s case through a declination;
- Second, if a company voluntarily discloses wrongdoing and satisfies all other requirements, but aggravating circumstances compel an enforcement action, the Department will recommend a 50 percent reduction off the low end of the Sentencing Guidelines’ fine range; and
- Third, the Policy sets forth that the Department will evaluate a company compliance program, which will vary depending on the size and resources of a business.
Rosenstein conveyed the importance of these features both to those in the Department as well as to those who may find themselves in the Department’s crosshairs. Yet the key question for the vast majority of companies not currently facing the question of how to address an actual potential FCPA violation is how to put themselves in a position to maximize the potential benefits of the revised policy—and in so doing, prevent themselves from reaching that point.
What Does the Revised Policy Mean for Corporate Compliance Programs?
When read in tandem with existing guidance, and the DOJ’s recent Compliance Guidance in particular, the Revised Policy provides powerful clues to understanding what the government expects in a robust and comprehensive anti-corruption compliance program—which, if appropriately implemented, can put a company in the best position to take maximum advantage of the now-permanent Pilot Program.
In many ways, the new Policy reiterates the traits of an effective compliance and ethics program that the Department and SEC have discussed before, such as fostering a culture of compliance, dedicating sufficient resources to compliance activities and ensuring that experienced compliance personnel have appropriate access to management and to the board. There are some new nuances embedded in the Policy, however. For example, the board of directors should have compliance expertise available to it, and the compliance function should have authority and independence. In addition, the stature and compensation of personnel involved in compliance is relevant to the effectiveness of the program. Because of the limited case law interpreting the Foreign Corrupt Practices Act, companies have long looked to the SEC and DOJ’s Resource Guide to the U.S. Foreign Corrupt Practices Act, industry and NGO guidance such as the Good Practice Guidance on Internal Controls, Ethics, and Compliance, and in the Anti-Corruption Ethics and Compliance Handbook for Business, and more recently, to DOJ Deferred Prosecution Agreements (discussed here) and the Department of Justice’s February 2017 Compliance Guidance (discussed here) for compliance program best practices.
In crafting and maintaining a strong and effective compliance program that can deter and detect potential misconduct, compliance officers, in-house counsel, boards, and corporate executives should use the DOJ’s recent Compliance Guidance as a checklist of questions for every aspect of a new program or in evaluating the efficacy of an existing program. For example, the following questions are among those that a company should ask itself:
- What are the root causes of misconduct in each of a company’s areas of business and the systemic issues that may exacerbate that risk?
- How has the company addressed prior misconduct, and have policies and procedures been adjusted, where necessary, to prevent the same or similar misconduct? Has the company taken appropriate remediation?
- Does the company’s senior leadership promote ethical conduct at the top through their words and actions?
- Is the company’s governance structure such that it can properly provide oversight of compliance and control functions?
- Is adequate training provided at all levels?
- Do compliance and control personnel have the appropriate experience and qualifications for their roles and responsibilities?
- Are policies and procedures designed and implemented with the company’s specific industry, business practices, and geographic region in mind?
Programs designed with these and other questions in mind will no doubt place a company in the best possible position to have the information and tools needed to take advantage of the revised policy by securing a declination or Guidelines Range reduction through voluntary self-disclosure, full cooperation, and timely and appropriate remediation.
In our experience, designing and implementing an effective, risk-based program takes careful planning with input from a variety of stakeholders through an iterative process that constantly reevaluates and revises itself. While the Revised Policy may appear to be geared toward those already facing tough questions with respect to a potential violation—it may prove to be the most valuable for those creating and evaluating compliance programs.