This prior post highlighted the recent revisions to the DOJ’s “Evaluation of Corporate Compliance Programs” (ECCP) guidance document. This post provides the big picture.
For starters, there is nothing per se “wrong” with the ECCP or its revisions. In fact, the ECCP is a nicely written and organized document. Substantively, however, the revised ECCP uses the word “effective” or “effectively” 54 times (the original version used the word “effective” or “effectively” 51 times). However, there is no legal requirement that business organizations have “effective” compliance programs. Moreover, the revised ECCP (just like the original ECCP) is little more than a document full of questions. (Precisely, the revised ECCP contains 168 questions whereas the original ECCP contained 151 questions.)
Big picture, the revised ECCP uses the word “effective” or “effectively” 3 more times than the original ECCP and the revised ECCP has 17 more questions than the original ECCP.
While the ECCP uses the word “effective” or “effectively” 54 times, there is no legal requirement that business organizations have “effective” compliance programs. Pursuant to the FCPA’s internal controls provisions, issuers shall have “internal accounting controls sufficient to provide reasonable assurances” that certain limited financial objectives are met. The FCPA then provides the following definition of “reasonable assurances” and “reasonable detail”: “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.”
Non-issuers (a category of business organizations that far exceeds issuers) aren’t even subject to the internal controls provisions.
If a business organization wants to exceed the statutory standards set forth in the FCPA’s internal controls provisions and have a so-called “effective” compliance program, that is great! However, the legal and policy concern with the revised ECCP (like the original) is that in an official U.S. government document the DOJ says it is going to base decisions about prosecutions and form of resolutions, monetary penalties, and compliance obligations in corporate criminal resolutions on specific factors, most of which are not even found in any law passed by Congress.
Another policy issue raised by the revised ECCP (as well as the original version) is what a business organization must actually do to have an “effective” compliance program. Must it have satisfactory answers to all 168 questions? What about 160 of the questions? What about 150 of the questions? What about 85 of the questions (a slight majority)?
Of course, the ECCP doesn’t answer this question, but rather states that the “Criminal Division does not use any rigid formula to assess the effectiveness of corporate compliance programs.”
But real, on-the-ground compliance professionals obviously want to know the answer.
Moreover, the revised ECCP further muddies this salient issue by stating a “reasonable individualized determination” is made in each case that “considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.”
What does this really mean?
More broadly, what does much of the ECCP really mean? The original ECCP was full of vague and ambiguous words or concepts such as: encouraging, pressuring, well-integrated, culture of compliance, appropriately tailored, efficient and trusted mechanism, properly scoped, risk-based, high-level commitment, sufficient (such as sufficient resources, autonomy, staffing, and funds), empowered, honest, meaningful efforts, stale, gap analysis, timely, thorough, properly scoped, and thoughtful.
The revised ECCP adds to this list such words and concepts as a snapshot in time, more attention, more targeted, impact, feel comfortable, timely and orderly, under-resourced, and lessons learned.
A final policy issue raised with the revised ECCP (as well as the original version and other forms of DOJ guidance) is what should happen if a business organization acts consistently with the factors (as discussed above, how many factors?), but an employee nevertheless exposes the entity to legal liability. Consistent with the FCPA-like laws of many peer countries, this should be relevant as a matter of law and not merely in the opaque, inconsistent, and unpredictable world of DOJ decision making. (See here).