Things That Caught My Eye In The DOJ’s Evaluation Of Corporate Compliance Programs Guidance Document


This prior post went in-depth into the DOJ’s recently released “Evaluation of Corporate Compliance Programs” (ECCP) guidance document. This post continues the analysis by highlighting additional issues in the ECCP that caught my eye.

For starters, there is nothing “wrong” with the ECCP per se. In fact, it is a nicely written and organized document. Substantively, however, the ECCP uses the word “effective” 49 times, but there is no legal requirement that business organizations have “effective” compliance programs.

If a business organization wants to exceed the statutory standards set forth in the FCPA’s internal controls provisions (“controls sufficient to provide reasonable assurances” that certain objectives are met) that is great! However, the legal and policy concern with the ECCP is that in an official U.S. government document the DOJ says it is going to base decisions about prosecutions and form of resolutions, monetary penalties, and compliance obligations in corporate criminal resolutions on specific factors, most of which are not even found in any law passed by Congress.

From my perspective (informed by, among other things, interactions with hundreds of compliance professionals from around the world who have attended my FCPA Institute) a major frustration of the business community is that the DOJ writes or says one thing, yet acts another way in the form of actual enforcement actions.

For instance, the ECCP states:

“Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.

Risk-Tailored Resource Allocation – Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors? Does the company give greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than more modest and routine hospitality and entertainment?”

That sounds reasonable, and it sounded just as reasonable when the DOJ and SEC said the same thing in connection with the 2012 FCPA Guidance. For instance, as highlighted in this prior post in reference to the various hypotheticals in the FCPA Guidance concerning travel and entertainment, then SEC Director of Enforcement Robert Khuzami said that he heard from companies that they were spending compliance dollars to guard against these issues, that companies were spending a huge amount of resources on such issues and that such a focus was taking dollars away from compliance efforts as to high risk activity. Khuzami said that this was an argument he and then DOJ Criminal Division Chief Lanny Breuer have heard and that this argument “makes perfect sense.” Khuzami said that he was “interested in companies spending compliance dollars in the most sensible way” and he hoped that the guidance and the hypotheticals provided would help companies as to where they can “minimize investment and where they can maximize it.” Breuer added that the DOJ wants compliance programs “to address real matters of concern.”

Yet, what the DOJ does not seem to understand is that its enforcement actions (which frequently include allegations or findings about “golf in the morning and beer drinking in the evening,” sports tickets, flowers, cigarettes, karaoke bars, etc.) actually induce behavior that the DOJ apparently does not want to see.

As informed by many conversations with compliance professionals about this precise topic, here is what often happens when a compliance professional at a business reads an FCPA enforcement action. The compliance professional will read paragraph 1 and rightly conclude that it does not apply to the company, same thing with paragraphs 2, 3, 4, and 5.

But there in paragraph 6, when the DOJ and/or SEC is talking about golf or sports tickets or wine, there it is – that is what applies to the company. There is the common denominator for the company and this often becomes the take-away point for the compliance professional.

While it is true that FCPA enforcement actions are rarely exclusively based on such things of value offered or provided to foreign officials, the fact that so many enforcement actions contain such allegations or findings can be looked at in one of two ways: (1) did the government include those types of allegations or findings in the resolution document to send a message to the corporate community about the type of conduct that needs to be on the radar screen; or (2) were the enforcement officials merely practicing their typing skills.

In short, risk-tailored resource allocation as stated in the ECCP and prior government guidance sounds great, but I question whether the DOJ truly understands that its actual enforcement actions induce behavior that the DOJ apparently does not want to see.

Under the heading “Autonomy and Resources,” the ECCP states:

“A large organization generally shall devote more formal operations and greater resources . . . than shall a small organization. By contrast, “a small organization may [rely on] less formality and fewer resources.”

Again, there is nothing new with this statement – in fact the ECCP cites the U.S. Sentencing Guidelines – and as highlighted in this prior post the same general statement appeared in the 2012 FCPA Guidance (“small- and medium-size enterprises likely will have different compliance programs from large multi-national corporations, a fact DOJ and SEC take into account when evaluating companies’ compliance programs”) as well as the November 2017 FCPA Corporate Enforcement Policy (“implementation of an effective compliance and ethics program, the criteria for which will be periodically updated and which may vary based on the size and resources of the organization …”).

Yet, as highlighted in this post titled “Size Matters, But To What Extent?” there appears to be no meaningful difference in enforcement agency theories (ranging from third party compliance best practices to internal controls best practices including the finance and audit function and training best practices) in large issuer enforcement actions compared to small issuer enforcement actions.

Finally, under the general heading “does the corporation’s compliance program work in practice?” the ECCP states:

“In answering this question, it is important to note that the existence of misconduct does not, by itself, mean that a compliance program did not work or was ineffective at the time of the offense (“[t]he failure to prevent or detect the instant offense does not mean that the program is not generally effective in preventing and deterring misconduct”). Indeed, “[t]he Department recognizes that no compliance program can ever prevent all criminal activity by a corporation’s employees.” Of course, if a compliance program did effectively identify misconduct, including allowing for timely remediation and self-reporting, a prosecutor should view the occurrence as a strong indicator that the compliance program was working effectively.”

Once again, there is nothing new or novel about this statement. Indeed, as highlighted in this prior post, the SEC’s extensive 1981 FCPA Guidance stated:

“The test of a company’s internal control system is not whether occasional failings can occur. Those will happen in the most ideally managed company. But, an adequate system of internal controls means that, when such breaches do arise, they will be isolated rather than systemic, and they will be subject to a reasonable likelihood of being uncovered in a timely manner and then remedied promptly. Barring, of course, the participation or complicity of senior company officials in the deed, when discovery and correction expeditiously follow, no failing in the company’s internal accounting system would have existed. To the contrary, routine discovery and correction would evidence its effectiveness.”

Notwithstanding this sensible government guidance (then and now), numerous FCPA enforcement actions are based on (and will likely continue to be based on) corporate voluntary disclosures where, almost by definition, the misconduct was identified by a compliance program.

In short, like prior instances of government FCPA or FCPA-related guidance, words on paper are all fine and dandy. However, actions speak louder than words.

