Putting Compliance Programs To The Test

How do you know if your company has an effective compliance program? The answer is crucial. If rogue employees violate the Foreign Corrupt Practices Act, having an effective compliance program becomes a factor in whether the company will face a criminal enforcement action and, if it does, whether it will be rewarded with reduced penalties. So what does an effective compliance program look like?

The FCPA doesn’t answer the question, and the Federal Sentencing Guidelines are short on details. That’s because all organizations have a different structure and no two operate the same way. So each one needs its own tailor-made program. The Federal Sentencing Guidelines describe hallmarks of an effective compliance program and what it should accomplish. And some features show up in FCPA Opinion Procedure Releases and deferred prosecution agreements. But the burden is always on each organization to figure out for itself how best to prevent, detect and respond to FCPA offenses.

So who finally decides what an effective compliance program looks like? Well, for better or worse, that’s left to the people at the Justice Department. They decide which organizations will face FCPA criminal enforcement actions, and part of their decision should involve evaluating whether the company has an effective compliance program. And how do prosecutors do that? They look to the U.S. Attorneys’ Criminal Resource Manual.

Relevant sections from the CRM appear between the lines below, with footnotes omitted and a couple of new paragraph breaks inserted, but otherwise unchanged. The provocative narrative is best read without our editorial filter — at least for anyone curious to know how their own compliance program might someday be judged.

The DOJ’s test of effectiveness, by the way, is consistent with the you’ll-know-it-when-you-see-it-approach in the Federal Sentencing Guidelines. And it comes with an even clearer message of encouragement and warning: honest compliance, even if it doesn’t prevent every FCPA violation, will be rewarded, while phony gestures will only multiply everyone’s troubles.

Here’s what the DOJ has to say to its U.S. Attorneys:

While the Department [of Justice] recognizes that no compliance program can ever prevent all criminal activity by a corporation’s employees, the critical factors in evaluating any program are whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct to achieve business objectives.

The Department has no formal guidelines for corporate compliance programs. The fundamental questions any prosecutor should ask are: “Is the corporation’s compliance program well designed?” and “Does the corporation’s compliance program work?” In answering these questions, the prosecutor should consider the comprehensiveness of the compliance program; the extent and pervasiveness of the criminal conduct; the number and level of the corporate employees involved; the seriousness, duration, and frequency of the misconduct; and any remedial actions taken by the corporation, including restitution, disciplinary action, and revisions to corporate compliance programs. Prosecutors should also consider the promptness of any disclosure of wrongdoing to the government and the corporation’s cooperation in the government’s investigation.

In evaluating compliance programs, prosecutors may consider whether the corporation has established corporate governance mechanisms that can effectively detect and prevent misconduct. For example, do the corporation’s directors exercise independent review over proposed corporate actions rather than unquestioningly ratifying officers’ recommendations; are the directors provided with information sufficient to enable the exercise of independent judgment, are internal audit functions conducted at a level sufficient to ensure their independence and accuracy and have the directors established an information and reporting system in the organization reasonably designed to provide management and the board of directors with timely and accurate information sufficient to allow them to reach an informed decision regarding the organization’s compliance with the law. In re: Caremark, 698 A.2d 959 (Del. Ct. Chan. 1996).

Prosecutors should therefore attempt to determine whether a corporation’s compliance program is merely a “paper program” or whether it was designed and implemented in an effective manner. In addition, prosecutors should determine whether the corporation has provided for a staff sufficient to audit, document, analyze, and utilize the results of the corporation’s compliance efforts. In addition, prosecutors should determine whether the corporation’s employees are adequately informed about the compliance program and are convinced of the corporation’s commitment to it. This will enable the prosecutor to make an informed decision as to whether the corporation has adopted and implemented a truly effective compliance program that, when consistent with other federal law enforcement policies, may result in a decision to charge only the corporation’s employees and agents.

Compliance programs should be designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business. Many corporations operate in complex regulatory environments outside the normal experience of criminal prosecutors. Accordingly, prosecutors should consult with relevant federal and state agencies with the expertise to evaluate the adequacy of a program’s design and implementation. . . .