Up until about a year ago, it was a challenge for in-house compliance officers and outside counsel to explain why having a comprehensive and effective compliance policy that covered antitrust, anti-bribery and anti-corruption, and trade was a must, regardless of a company’s size or industry. Not any more.
U.S. regulators have made it clear that having such policies and programs can save companies millions of dollars and potentially help avoid prosecution of some violations of applicable laws. The government’s move to formalize the importance of compliance programs showed up in three recent moves.
All of them signal how important it is for companies to adopt and implement broad policies and programs that are detailed and comprehensive enough to incorporate compliance with:
- U.S. antitrust laws
- Department of Treasury Office of Foreign Assets Control (OFAC) sanctions policies
- The U.S. Foreign Corrupt Practices Act (FCPA)
If there is one takeaway from regulators’ recent moves, it is that having an effective and comprehensive compliance policy is not only a risk mitigation measure, but it also is a positive value proposition for most companies.
Whether it’s a large financial institution accustomed to dealing with regulations, a small startup with a cloud-based platform, or an acquiring company or private equity fund conducting due diligence on a target’s business, now is the time to identify and address any potential gaps.
The Incentivized Compliance Framework; What it Means for Your Company or Clients
Antitrust: Just a few months ago, Makan Delrahim, the assistant attorney general of the Department of Justice’s Antitrust Division, announced plans to incentivize compliance, noting that it now will be considered at the charging stage in criminal antitrust investigations.
The antitrust division also updated its manual to address evaluating compliance programs during charging and sentencing as well as processes for recommending indictments, reaching plea agreements, and selecting monitors. Finally, the division published a guide explaining prosecutors’ evaluation of corporate compliance programs at the charging and sentencing stages.
The guide, “Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations,” lists nine factors prosecutors should consider when evaluating the efficacy of an antitrust compliance program, including but not limited to program design and comprehensiveness, culture of compliance within the company, compliance training, monitoring and auditing techniques, reporting mechanisms, and remediation methods.
To help evaluate these factors, the guide also sets out nearly 150 issues prosecutors will explore throughout the antitrust investigation in order to judge a compliance program.
Trade and Sanctions: Two months earlier, OFAC released guidance encouraging organizations subject to U.S. jurisdiction (as well as entities that conduct business with those subject to U.S. jurisdiction) to “employ a risk-based approach to sanctions compliance.”
Importantly, the OFAC guidance recommended that compliance programs be predicated on at least five essential components of compliance: management commitment, risk assessment, internal controls, testing and auditing, and training.
OFAC will give favorable consideration to subjects with effective sanctions compliance programs at the time of an apparent violation and accordingly may mitigate a civil monetary penalty.
Subjects with an effective sanctions compliance program may also benefit from further mitigation of a penalty when the sanctions compliance program results in taking remedial steps. Finally, OFAC may consider the existence of an effective program at the time of an apparent violation as a factor in its analysis as to whether a case is deemed “egregious.”
Anti-Bribery and Anti-Corruption: In March, the DOJ issued a revised FCPA Corporate Enforcement Policy. If a criminal resolution is warranted for a company that has voluntarily self-disclosed misconduct, fully cooperated, and timely and appropriately remediated, it is presumed the company will not be prosecuted, absent aggravating circumstances involving the nature of the offense or the offender.
If a company takes these steps, the DOJ generally will not require appointment of a monitor if a company has, at the time of resolution, implemented an effective compliance program, which is described here.
Earlier this year, the DOJ also issued updated guidance on evaluation of corporate compliance programs. The update provides, for purposes of deciding how to proceed with respect to resolution and any penalties, a framework for prosecutors to decide whether and to what extent a company’s compliance program was effective at the time of the alleged offense, a charging decision, or a resolution.
Additionally, the DOJ now recognizes the potential benefits of corporate mergers and acquisitions, particularly when the acquirer has a robust compliance program and implements it for the merged or acquired entity.
Recommendations for Ensuring Compliance, Mitigating Risk
The actions listed above make plain that there are significant potential benefits for companies with robust and comprehensive compliance programs. And if one isn’t in place, the sooner such a program is developed and implemented, the better.
An effective program must incorporate internal controls, including written policies and procedures, to identify, interdict, escalate, report, and keep records pertaining to activity that may fall under applicable regulations and laws.
Compliance programs should also include a comprehensive, independent, and objective testing or audit function to ensure that entities are aware of where and how their programs are performing. Programs also should be kept up to date in light of constantly changing regulatory and business environments.
At the same time, compliance training must be delivered to all appropriate personnel on a periodic basis (at least annually). Written training materials as well as written records of the training agenda, training materials used, and attendance must be provided to the regulator to establish that recent and relevant training in fact was provided to an employee who may be drawn into a problematic transaction.
The importance of post-deal in addition to pre-deal due diligence cannot be stressed enough. When a company uncovers or suspects misconduct by the target entity, its executives, or employees as part of pre-deal due diligence, there must be a follow-on assessment after closing.
Post-acquisition audits or compliance assessments may lead to voluntary self-disclosures of misconduct. To obtain a declination of criminal prosecution, an acquirer must then take action consistent with the FCPA Corporate Enforcement Policy (including the timely implementation of an effective compliance program at the merged or acquired entity).
Taking into account potential successor liability, acquirers also should evaluate the target’s compliance policies and programs, identify any gaps, and address them as quickly as possible after closing to ensure added protection in the event of a regulatory inquiry or investigation.
Now, more than ever, companies must take preventative measures to ensure compliance, mitigate risk, and provide some cover for potential violations. As the saying goes, one can be penny wise and pound foolish.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.