On July 3, the Criminal Division of the U.S. Department of Justice (“DOJ”), and the Enforcement Division of the U.S. Securities and Exchange Commission (“SEC”) released an updated joint Resource Guide to the U.S. Foreign Corrupt Practices Act for the first time since the Guide was published in 2012. While the revised Guide preserves much of the guidance from the original, the revisions provide insights into recent evolutions in the government’s FCPA compliance expectations for corporations, particularly regarding identifying, disclosing, and remediating misconduct; the role of pre- and post-acquisition due diligence and post-acquisition integration; and the development, effective implementation, and continuous improvement of corporate compliance programs.
The DOJ and SEC, in the revised Guide, repeatedly emphasize the importance of voluntary disclosure, cooperation, and remediation that the DOJ outlined in the FCPA Corporate Enforcement Policy (“CEP”),[1] and they highlight examples where they have rewarded companies for such actions with declinations. The government also renews its support for mergers and acquisitions but emphasizes the need for rigorous pre- and post-acquisition due diligence and aggressive post-acquisition integration and remediation. Continuing this focus on remediation, the government adds an 11th hallmark of an effective compliance program focused on performing timely root-cause analysis and remediation of issues identified during the course of internal investigations.
The government expands its focus on not only the adequacy of the compliance program design, but also on the effectiveness of the program in practice—both at the time of the misconduct and at the time of a resolution or charging decision. The government also emphasizes that in evaluating whether a compliance program is effective, the DOJ and SEC will consider whether a company’s compliance function is adequately empowered and resourced to enable it to function effectively.
Each of these recurring themes shares a common message for corporations—the government rewards companies that proactively and timely self-police, self-report, remediate, and continuously improve their compliance programs. Companies should not only ensure they have a program in place—they should also take a hard look at whether the controls they have implemented are functioning effectively. The driving force behind the updated guidance, according to remarks given by Principal Deputy Assistant Attorney General Brian C. Rabbitt at ACI’s virtual FCPA Conference on July 14, is the government’s interest in companies successfully designing and implementing compliance programs. But, Rabbitt emphasized it is one thing to have a good compliance program on paper and another to implement it effectively in good faith, adequately resource it, and give those charged with ensuring compliance the tools they need to make sure it is actually functioning in practice.
Below, we highlight key changes in the revised Guide that are most relevant to: (1) corporate compliance programs and (2) government investigations and resolutions (which can be directly influenced by the adequacy and effectiveness of a company’s compliance program).
Compliance Programs:
1. The Government Will Reward Acquiring Companies that Mitigate FCPA Violations Through Robust Pre-Acquisition Due Diligence and, Increasingly, Post-Acquisition Integration (pp. 29 – 33)
- In the revised Guide, the government maintains that although successor liability is an integral component of corporate law, liability generally will not be imposed on an acquiring entity unless the entity was involved in the misconduct or allowed it to continue after the acquisition. (The updated Guide describes enforcement actions where the government did not seek to impose liability on acquiring companies, but it does not address several enforcement actions in recent years against post-merger parent companies for premerger conduct of one of the entities).
- The DOJ and SEC place a new emphasis on the establishment of a strong compliance program post-transaction. The revised edition adds that: “DOJ and SEC recognize the potential benefits of corporate mergers and acquisitions, particularly when the acquiring entity has a robust compliance program in place and implements that program as quickly as practicable at the merged or acquired entity.”
- The Guide continues to emphasize the government’s interest in promoting, not deterring, M&A activity, and provides additional guidance for companies to consider both before and after acquisitions, including the following:
- Acquiring companies that voluntarily disclose the acquired entity’s past misconduct may be eligible for a declination, even if aggravating circumstances are applicable; and
- Where robust pre-acquisition due diligence is not possible (e.g., if access to information is limited due to competition concerns, or diligence activities are curtailed due to COVID-19-related travel restrictions), the DOJ will look to timeliness and thoroughness of post-acquisition due diligence and integration efforts.[2]
- Note: As in the original edition, the second edition of the FCPA Resource Guide does not address steps to take when entering a joint venture. It does, however, make reference to the Organisation for Economic Cooperation and Development (“OECD”) guidance as a resource to which companies can refer, and this OECD guidance does address considerations for joint venture relationships
2. Internal Accounting Controls Play a Key Role in Effective Compliance Programs, and the Government Expects Collaboration Between Compliance and Finance Functions (pp. 36, 40)
- The revised Guide reflects an awareness that relevant internal accounting controls are linked to—but separate from—an effective compliance program, noting that “although a company’s internal accounting controls are not synonymous with a company’s compliance program, an effective compliance program contains a number of components that may overlap with a critical component of an issuer’s internal accounting controls.” This revision addresses, as Senior Deputy Chief of the Fraud Section at the DOJ, Dan Kahn, noted in remarks on July 15, 2020, at ACI’s virtual FCPA Conference, criticism that the government has treated anti-corruption controls as internal accounting controls in FCPA enforcement. The updated guide makes it clear, Kahn stated, that the government views anti-corruption controls as overlapping, but separate from, internal accounting controls.
- The revised Guide adds that violations of the accounting provisions of the FCPA carry a six-year statute of limitations in criminal cases (as opposed to only mentioning the five-year statute of limitations for violations of the anti-bribery provisions in criminal cases in the original Guide).
3. Remediation of Misconduct Is the New 11th Hallmark of an Effective Compliance Program (pp. 40, 56 – 68)
- The revised Guide adds a hallmark of an Effective Compliance Program, bringing the new total to 11 hallmarks. With the additional hallmark—Investigation, Analysis, and Remediation of Misconduct—the government emphasizes the importance of timely and thorough responses to misconduct, noting that “[t]he truest measure of an effective compliance program is how it responds to misconduct.” The new hallmark calls for corporations to document investigative steps, remediation, and discipline; to conduct root-cause analyses; and to incorporate lessons learned into their compliance programs. Rabbitt elaborated further in his remarks at the July 2020 ACI Conference the importance of incorporating lessons learned into risk assessment, self-evaluation, and meaningful self-improvement. He emphasized that compliance programs should not be static, but should evolve and mature over time, as the industry and the company itself changes. The government, he explained, is not interested in change for change sake, but rather prefers changes that are tied to a meaningful assessment of risks the industry faces and companies’ individual circumstances.
- This new hallmark is indicative of the government’s evolving expectations that effective compliance programs will leverage data collection, self-assessment, and analysis to promote continuous improvement and to ensure the program is tailored to the company’s risk profile. Access to data is essential to effective self-analysis and—though not featured prominently in the revised Guide—is a key focus of the recently updated guidance for prosecutors on the Evaluation of Corporate Compliance Programs. Rabbitt raised the importance of access to relevant data in his remarks at the July 2020 ACI Conference, noting that prosecutors now place additional emphasis on data resources and access to data specifically. A key consideration in evaluating the adequacy and effective implementation of a compliance program, Rabbit explained, is whether compliance personnel have access to data that allows them to timely and effectively monitor – to test policies, controls, and transactions – to ensure the compliance program is not just designed well, but is working well in practice.
Investigations and Resolutions
4. Timely Detection and Disclosure of Wrongdoing and Effective Implementation of Compliance Programs Will Factor into Government Resolutions (p. 51)
- The revised Guide highlights that the DOJ and SEC consider “the adequacy and effectiveness of the corporation’s compliance program” both at the time of the misconduct and the time of resolution—incentivizing companies to improve their compliance programs during government investigations.[3]
- The government’s revisions clarify that a company’s compliance program factors into the resolution in determining: (1) the form of the resolution or penalty, (2) the monetary penalty, and (3) the compliance obligations that will be part of the resolution (including whether a monitor is necessary), and the length of those obligations.
- The government adds as an additional stand-alone factor: “the corporation’s timely and voluntary disclosure of wrongdoing,” raising the factors considered in enforcement decisions from 9 to 10 factors.
- A potential nod to the DOJ’s stated practice of avoiding piling on, published in May 2018, (discussed more fully later in the Guide and directly below),[4] the updated Guide notes that the DOJ will consider remedies already imposed as a result of the corporation’s cooperation with relevant government agencies when making enforcement decisions.
5. The Government Coordinates with Foreign Jurisdictions and Considers Remedies Already Imposed to Avoid Duplicative Penalties (p. 71)
- The updated Guide describes the government’s increasing practice of coordinating with foreign authorities—which the DOJ has done in at least 10 cases, and the SEC in at least five—when seeking to resolve the same misconduct (as announced by the Deputy Attorney General in 2018 and memorialized in the DOJ’s Justice Manual).[5] Rabbitt highlighted during his remarks at the July 2020 ACI Conference that the DOJ has had success cooperating with a number of “key partners” (naming the U.K.’s Serious Fraud Office (“SFO”), specifically, as an example) and predicted a number of coordinated efforts this year, including jurisdictions with which DOJ has not previously coordinated. The Guide adds that prosecutors will consider, among other things, the egregiousness of the misconduct, statutory mandates, risk of delay due to coordination with other entities, and the adequacy and timeliness of the company’s disclosure to and cooperation with the U.S. government.
6. Monitorships Are Not Supposed to Be Punitive, but That Doesn’t Mean They Are Going Away Any Time Soon (pp. 73 – 74)
- The government adds language in the revised Guide noting that a monitorship should never be imposed as a punitive measure, but it also removes language from the original FCPA Resource Guide that suggested self-monitoring can be appropriate. The removed language stated that “companies are sometimes allowed to engage in self-monitoring, typically in cases when the company has made a voluntary disclosure, has been fully cooperative, and has demonstrated a genuine commitment to reform.”
- The revised Guide emphasizes that the government will weigh both the potential benefits to the corporation and the public of imposing a monitor and the cost of the monitorship and impact on the operations of the corporation. The revised Guide also expands on the specific factors the government will consider (previously detailed in the October 2018 Memo from the DOJ regarding selection of monitors and in the DOJ’s release on the Evaluation of Corporate Compliance Programs, most recently updated in June 2020), which include:
- The risk profile of the company, including its nature, size, geographical reach, and business model ;
- The quality of the company’s compliance program at the time of resolution;
- Whether the misconduct was pervasive across the organization and
approved or facilitated by senior management;
- Whether the company has made significant investment in and improvements to the compliance program and internal accounting controls;
- Whether those improvements and controls have been tested to demonstrate that they would prevent and detect similar misconduct (i.e., whether the program and internal accounting controls are effective in practice); and
- Whether the misconduct involved the manipulation of books and records or exploitation of an inadequate compliance program or internal accounting controls.
7. The Government Consistently Emphasizes the Importance of Voluntary Disclosure of Misconduct—a Step That Companies Are Still Reluctant to Take (pp. 51 – 54; 77)
- As noted above, this edition of the Guide references the FCPA CEP throughout, emphasizing “additional incentives and benefits to companies that voluntarily self-disclose misconduct, fully cooperate, and fully remediate, including a presumption of a declination (with the disgorgement of ill-gotten profits), absent aggravating circumstances.”
- The revised Guide also provides the details of three recent declinations that resulted from the CEP—all of which involved voluntary disclosure, cooperation, and remediation—and notes that declinations that are awarded under the FCPA CEP are published on the DOJ’s website.
[1] 9-47.120 – FCPA Corporate Enforcement Policy (November 2019 (updated)).
[2] See, e.g.U.S. Dept. of Justice, FCPA Op. Release 08-02 (June 13, 2008), available at http://justice.gov/criminal/fraud/fcpa/opinion/2008/0802.pdf.
[3] See Evaluation of Corporate Compliance Programs (June 2020 (updated)).
[4] See Deputy Attorney General Rod Rosenstein Delivers Remarks to the New York City Bar White Collar Crime Institute(May 2018).
[5] The Justice Manual, available at https://www.justice.gov/jm/justice-manual, was previously known as the United States Attorneys’ Manual (“USAM”). It is a reference guide for attorneys and other employees of the U.S. Department of Justice in pursuing prosecutions of violations of federal law.