The best primary source material for creating and maintaining an anti-corruption compliance program is still Chapter 8 of the U.S. Federal Sentencing Guidelines.
It describes the elements of an “effective compliance program” — a legal term of art with the specific meaning assigned to it by the Sentencing Guidelines.
Here are three of the reasons why an “effective compliance program” can be important.
First, a company needs one to enjoy all the benefits from the DOJ’s FCPA corporate enforcement policy (pdf) set out in the U.S. Attorney’s Manual. Defendants with an effective compliance program (among other things) are eligible for full cooperation credit, and won’t need to retain an independent monitor.
Second, corporate FCPA violators that have effective compliance programs can enjoy penalty reductions by up to 95 percent (if they’re charged at all), according to the Sentencing Guidelines.
And third, an effective compliance program is the best way to blunt the impact of the doctrine of respondeat superior.
Here’s how the the United States Sentencing Commission explained respondeat superior in its overview (pdf) of the organizational guidelines: “Criminal liability can attach to an organization whenever an employee of the organization commits an act within the apparent scope of his or her employment, even if the employee acted directly contrary to company policy and instructions.”
Respondeat superior means companies probably have no legal defense if an FCPA violation happens. But their best practical way to deal with the enforcement aftermath will be an effective compliance program.
The elements of an effective compliance program described in the Federal Sentencing Guidelines at §8B2.1 of Chapter 8 are:
1. A Written Program. The organization must have standards and procedures to prevent and detect criminal conduct.
2. Board Oversight. The organization’s board of directors or equivalent must be knowledgeable about the content and operation of the compliance and ethics program and must exercise reasonable oversight of its implementation and effectiveness.
3. Responsible Persons. One or more individuals among the organization’s high-level personnel must be assigned overall responsibility for the compliance and ethics program.
4. Operating and Reporting. One or more individuals must be delegated day-to-day operational responsibility for the compliance and ethics program. They must report periodically to high-level personnel and, as appropriate, to the board of directors or its audit committee or equivalent on the effectiveness of the program. The individuals must have adequate resources, appropriate authority, and direct access to the board or audit committee.
5. Management’s Record of Compliance. The organization must use reasonable efforts not to hire or retain personnel who have substantial authority and whom the organization knows or should know through the exercise of due diligence have engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.
6. Communicating and Training. The organization must take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to directors, officers, executives, managers, employees and agents — by conducting effective training programs and otherwise disseminating information appropriate to the individuals’ respective roles and responsibilities.
7. Monitoring and Evaluating; Anonymous Reporting. The organization must take reasonable steps (a) to ensure that its compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct, (b) to evaluate periodically the effectiveness of the compliance and ethics program and (c) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
8. Consistent Enforcement — Incentives and Discipline. The organization’s compliance and ethics program must be promoted and enforced consistently throughout the organization through appropriate (a) incentives to perform in accordance with the compliance and ethics program and (b) disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.
9. The Right Response. After criminal conduct has been detected, the organization must take reasonable steps to respond appropriately and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance and ethics program.
10. Assessing the Risk. The organization must periodically assess the risk of criminal conduct and take appropriate steps to design, implement, or modify its compliance program to reduce the risk of criminal conduct identified through this process.
Chapter 8 also says failing to prevent or detect an FCPA offense “does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.”
That means the potential benefits of an effective compliance program will be available when needed most — after a violation happens.
Richard L. Cassin is the publisher and editor of the FCPA Blog.