Achieving consistent legal compliance in today’s regulatory environment is a challenge severe enough to keep compliance officers awake at night and one at which even well-managed companies regularly fail.
But besides coping with governmental oversight and enforcement, companies now face a growing array of both substantive and process-oriented compliance obligations imposed by trading partners and other private organizations, sometimes but not always instigated by the government.
Embodied in contract clauses and codes of conduct for business partners, these private initiatives often create new compliance obligations, and these obligations that are contagious: increasingly accountable not only for their own compliance but also that of their supply and distribution chains, companies must seek corresponding contractual assurances from multiple third-party-partners.
Compliance is becoming privatized, and privatization is going viral.
There has been an element of privatization in the compliance arena at least since the Federal Sentencing Guidelines for Organizations were established. After all, the point of the Sentencing Guidelines is to leverage the government’s limited regulatory and enforcement resources by offering an incentive for companies to take on more of the state’s prevention, detection and enforcement burden. Corporate compliance programs augment state oversight by performing tasks that governments lack the resources or the line-of-sight to do efficiently.
But that state-incentivized privatization model still reflects the traditional vertical, two-party relationship between government and the governed. The new wave of privatization is horizontal, networked, and qualitatively different. The Sentencing Guidelines model simply mitigates the risk of compliance failure. It does not expose companies to new forms of risk, liabilities or forfeitures or to the possibility of multiple conflicting standards, but private-to-private (P2P) compliance may do so. Program elements and ethical policies become contractual obligations, vulnerable to such contractual remedies as indemnities, damages, audits, default declarations, loan acceleration and termination. P2P compliance is reshaping the compliance task portfolio and raising new questions about who is answerable to whom, internally and across company boundaries.
As major corporations require their business associates to commit to third=aprty codes of conduct (P2P Codes) and related contract clauses, compliance pressures may originate from any point in the value chain: suppliers, customers, capital markets, insurers. Compliance officers may find themselves caught in the middle between demanding customers and reluctant suppliers, or, in the other direction, between manufacturers vitally interested in how their products reach market and resellers seeking the shortest route to revenue. They may be simultaneously pitted against their own colleagues in charge of operations, procurement, sales and contracting. And unlike the Sentencing Guidelines and most other government leniency programs, many of the privatized compliance requirements are truly mandatory — at least if you want to do business with the other party.
This trend signals a growing appreciation that enterprises across the value chain share one another’s reputational and compliance risks, and that compliance processes play an important role in translating legal commands into lawful conduct.
Historically, most P2P Codes have operated at the level of policy rather than of procedure, covering key integrity risks and issues of corporate social responsibility issues in language that reflected broad consensus on compliance best practices and accepted principles of corporate citizenship. They have been easy to accept without fear of adverse side effects, and most still are. But the newer movement toward adding process or “how-to” components, of more granular and prescriptive drafting, and of embedding P2P Codes more firmly in a contractual mesh, raises a note of caution. We can hope that as P2P assurances become more routine, a consensus will emerge around generally accepted practices for demanding and enforcing assurances from one’s counterparty and its value chain.
Anyone curious about the future of privatized compliance should consider the current state of anti-corruption compliance. Encouraged by the OECD anti-bribery convention, national anti-corruption laws continue to proliferate. Several prominent NGOs including the World Economic Forum, Transparency International, the ICC, the World Bank, and the OECD itself have published detailed guidance on third-party compliance management, guidance that universally includes due diligence, flow-down of anti-corruption policies, training and communication, documentation of business associates’ compliance efforts, and imposition of audit rights, ongoing monitoring, and contract remedies such as termination.
These recommendations have been implemented by a growing number of companies. Third-party due diligence is commonplace and anti-bribery provisions appear frequently in international contracts and universally in P2P Codes, quite often with domino-style flow-down requirements. With this pattern firmly established, code and contract language that was originally drafted only for the anti-corruption context is now being extended to cover other high-priority compliance domains such as export sanctions, money laundering, data privacy and conflict minerals.
With this growing adaptation of accepted anti-corruption methodology to other risks, “FCPA” could stand for Future Compliance Paradigm Adopted.
In the next post, we’ll explore how third-party compliance obligations are imposed contractually through commercial contracts, P2P codes, or both.
Scott Killingsworth is a partner at Bryan Cave LLP and serves on the Board of Governors of the Center for Ethics and Corporate Responsibility at Georgia State University. This post is excerpted and adapted from a white paper presented at a RAND Symposium entitled “Transforming Compliance” on May 28, 2014, which will be published in September 2014 as a part of the final symposium report. The full white paper can be found here.