The past few months have seen some interesting developments in the context of the U.S. Foreign Corrupt Practices Act (FCPA). I get more questions on anti-bribery and corruption than on any other compliance topic in my GRC research, and these developments should particularly interest compliance professionals.
The change is not a brand new direction, but a continuing evolution in the focus of FCPA enforcement. In a nutshell, the US Department of Justice (DoJ), in the recent Yates Memorandum, stated a renewed focus on prosecuting individuals rather than corporations in the context of bribery and corruption. If an organization self-reports wrongdoing, cooperates with investigators, and can demonstrate that it has an effective compliance program, the focus shifts to prosecuting the individuals involved and not the corporation (though in cases where corruption is pervasive and executive management is involved, this may not hold).
The emphasis on an organization having an effective compliance program is reinforced by the DoJ recently hiring a compliance counsel to evaluate compliance programs in support of this shift in focus.
These changes have a significant impact on legal risk and corporate liability for organizations governed by the FCPA. While self-reporting and cooperation are fairly easy to understand, the grey area that many are asking about is: what constitutes an effective compliance program?
The standard answer is to point to the seven elements of an effective compliance program established in the U.S. Sentencing Commission Organizational Sentencing Guidelines. This is good guidance, and something organizations should be familiar with. At a more practical level, I would encourage organizations to look at the details of a case in which the DoJ declined to prosecute the company and instead prosecuted the individual, Mr. Peterson: the Morgan Stanley case in 2012.
Consider this excerpt from the press release on the DoJ website:
Morgan Stanley maintained a system of internal controls meant to ensure accountability for its assets and to prevent employees from offering, promising or paying anything of value to foreign government officials. Morgan Stanley’s internal policies, which were updated regularly to reflect regulatory developments and specific risks, prohibited bribery and addressed corruption risks associated with the giving of gifts, business entertainment, travel, lodging, meals, charitable contributions and employment. Morgan Stanley frequently trained its employees on its internal policies, the FCPA and other anti-corruption laws. Between 2002 and 2008, Morgan Stanley trained various groups of Asia-based personnel on anti-corruption policies 54 times. During the same period, Morgan Stanley trained Peterson on the FCPA seven times and reminded him to comply with the FCPA at least 35 times. Morgan Stanley’s compliance personnel regularly monitored transactions, randomly audited particular employees, transactions and business units, and tested to identify illicit payments. Moreover, Morgan Stanley conducted extensive due diligence on all new business partners and imposed stringent controls on payments made to business partners.
Using this real-world example of a company that was not prosecuted and was praised for having an effective compliance program, we can see that an effective compliance program has the following elements:
- Internal controls. The organization has to have a system of internal controls that addresses compliance and is actively maintained.
- Policies. The organization has to have established written policies that are kept current as regulations and risks change.
- Training. The organization has to train relevant employees on its policies and on how to comply with them.
- Reminders/awareness. Beyond training, the organization should be able to show that it regularly reminds individuals of their responsibility to follow policies and comply.
- Compliance evidence/audit trail. The organization should be ready to demonstrate how often policies were communicated, training was completed, and reminders were sent (in the Morgan Stanley case, the DoJ cited specific counts: 54 training sessions, 7 trainings of Peterson, and at least 35 reminders).
- Compliance monitoring. The organization needs to monitor transactions and activities for improper behavior.
- Compliance audits. The organization should conduct and document audits of compliance, including random audits of particular employees, transactions, and business units.
- Third-party due diligence. The organization should conduct due diligence on business partner relationships before entering into them.
- Third-party controls. The organization should impose controls on transactions and activities, particularly payments, in the context of third-party relationships.
These changes should have organizations evaluating their compliance programs and determining how they map to what is understood as effective in both the USSC Organizational Sentencing Guidelines and the Morgan Stanley details from the DoJ.
In the next few weeks, GRC 20/20 is delivering several events that reinforce these concepts, including:
- Critical Capabilities to Address Bribery & Corruption, December 3rd, 10:00a to 11:00a CST
- To Buy or Not to Buy? How to Make Your Case for Compliance Software, December 3rd, 12:00p to 1:00p CST
- How to Manage the Growing Array of Audits, December 15th, 8:00a to 9:00a CST
- Policy Management by Design: Blueprint for an Effective, Efficient & Agile Policy Management Program, December 4th, New York, NY USA
Research Briefings:
- How to Purchase 3rd Party Management Solutions, December 7th, 11:00a to 12:00p CST
- How to Purchase Compliance Management Solutions & Platforms, December 21st, 11:00a to 12:00p CST