In my practice, I frequently assist clients with risk assessments, program reviews, and developing improvements to their existing anti-bribery and anti-corruption compliance programs, policies and procedures. Based on some recent experience, here is a brief list of key improvements companies can make to their ABAC compliance programs now and the related questions they should be asking as part of that effort.
Of course, any successful review should be based on and incorporate recent agency guidance (including the Second Edition of the FCPA Resource Guide and the DOJ’s guidance on the Evaluation of Corporate Compliance Programs), focus areas in recent enforcement actions, and evolving industry standards.
1. Understand and improve accessibility to your ABAC programs.
In what language(s) is the ABAC policy published? We frequently see ABAC policies that are available in English only. If this is the case for your company’s ABAC policy, consider translating it into additional languages, starting with those where you have the most employees. For example, do you have a large office in Hong Kong? Translate your policies in Cantonese. A major subsidiary in Moscow? Add Russian to the list. While it’s often hard to keep up with expanding operations, we see a lot of lag in translating policies and procedures into relevant languages.
How user-friendly is it? If the ABAC policy is available online, consider making the document searchable so that employees can quickly find the information they seek. Also, ask yourself if it’s easy to read and digest. If the reader requires a law degree to understand what’s required of them, then you’ve likely missed the mark. I usually ask myself whether my parents could understand a particular set of policies and procedures. If I don’t think they could, then it’s time to do some streamlining.
Where can employees find the company’s ABAC policy? Many companies post their compliance policies and procedures on their intranets (and a growing number on their public websites). This is great for office-bound (home or otherwise) employees. But in some cases, this might not reach everyone. For employees working in the field in remote locations without internet or cell service, consider sending them hard copies. It may sound a bit old-fashioned, but it’s better than overlooking them.
2. Address commercial bribery.
Is the ABAC policy focused solely on bribery of government officials? If your company drafted its ABAC policy with an eye toward the FCPA, then it might not address commercial bribery. Companies ignore commercial bribery at their peril. Not only does Section 1 of the UK Bribery Act address it, but the DOJ can also enforce state commercial bribery statutes via the Travel Act. Remember, the DOJ penalized Control Components Inc. a few years back for both FCPA and Travel Act violations, and a growing number of individual enforcement actions also include Travel Act charges. In addition, the SEC has been known to use the books and records and internal controls provisions of the FCPA to penalize private sector bribery, as seen in the agency’s enforcement action against FalconStor Software, Inc. Companies should therefore broaden the scope of their ABAC policies so that they prohibit bribery of anyone, including government officials as well as private sector business partners.
3. Prohibit non-U.S. political contributions.
Do employees contribute company funds to political candidates or parties outside the U.S.? We’ve seen a trend away from allowing non-U.S. political contributions. They are, by definition, fraught with heightened FCPA risks. After all, the FCPA treats improper payments to political parties and candidates for office in the same way it treats bribes to sitting government officials. As a result, writing a check to a political party or a candidate for office requires heightened scrutiny, and it might not be worth the effort. Some companies view this as an area where they can reduce FCPA exposure by eliminating or significantly restricting these high-risk payments. Indeed, Tesla’s ABAC policy prohibits all political contributions without prior legal department approval, regardless of whether they are U.S.-based or not.
4. Incorporate root cause analysis.
When misconduct occurs, is the company analyzing and addressing the root cause? The DOJ places a lot of emphasis on “root cause analysis” in its Evaluation of Corporate Compliance Programs guidance.
They want to see companies getting to the bottom of why misconduct occurred and implementing changes to prevent it from happening again. Review what your company’s ABAC policy has to say about investigations: it probably sets forth that the company will investigate all credible reports of potential misconduct. Consider adding that as part of the investigation, the company will evaluate the root cause of the misconduct and implement appropriate remediation measures where needed. Of course, the company would need to put this into practice, too.
ABAC policies and procedures should certainly be tailored to a company’s own specific risks and needs. However, the issues above are universal for companies with global operations. Where existing ABAC policies and procedures do not already address them, they are a means of making small changes that have a big impact.