U.S. regulators are making one thing crystal clear to companies — or at least to companies that are paying attention: There are no longer any excuses for not having an effective and comprehensive compliance policy and program.
The government’s stance is sweeping, and it showed up in three recent moves. All of them signal how important it is for companies to adopt and implement broad policies and programs that are detailed and comprehensive enough to incorporate compliance with:
While some companies, particularly those in more regulated industries, have taken notice, too many simply have not. Whether it’s a large financial institution accustomed to dealing with regulations, a small startup with a cloud-based platform, or an acquiring company or private equity fund conducting due diligence on a target’s business, now is the time to identify and address any potential gaps.
Just a few months ago, Assistant Attorney General Makan Delrahim of the Department of Justice’s Antitrust Division announced plans to incentivize compliance, noting that it will now be considered at the charging stage in criminal antitrust investigations.
The division also updated its manual to address evaluating compliance programs during charging and sentencing, as well as processes for recommending indictments, plea agreements, and selecting monitors. Finally, the division published a guide explaining prosecutors’ evaluation of corporate compliance programs at the charging and sentencing stages.
Two months earlier, OFAC released guidance encouraging organizations subject to U.S. jurisdiction (as well as entities that conduct business with those subject to U.S. jurisdiction) to “employ a risk-based approach to sanctions compliance.”
Importantly, the OFAC guidance recommended that compliance programs be predicated on at least five essential components of compliance: management commitment; risk assessment; internal controls; testing and auditing; and training.
OFAC will consider favorably subjects with effective sanctions compliance programs at the time of an apparent violation and may mitigate a civil monetary penalty accordingly.
Subjects with effective sanctions compliance programs may also benefit from further mitigation of a penalty when the sanctions compliance program results in remedial steps being taken. Finally, OFAC may consider the existence of an effective program at the time of an apparent violation as a factor in its analysis as to whether a case is deemed “egregious.”
OFAC’s move came on the heels of the DOJ’s revised FCPA Corporate Enforcement Policy in March. If a criminal resolution is warranted for a company that has voluntarily self-disclosed misconduct, fully cooperated, and timely and appropriately remediated, it is presumed the company will not be prosecuted absent aggravating circumstances involving the nature of the offense or the offender.
If a company takes these steps, the DOJ generally will not require appointment of a monitor, provided the company has, at the time of resolution, implemented an effective compliance program.
A month later, in April, the DOJ also issued updated guidance on Evaluation of Corporate Compliance Programs. The update provides a framework for prosecutors to decide whether, and to what extent, a company’s compliance program was effective at the time of the alleged offense, a charging decision, or a resolution, for purposes of deciding how to proceed with respect to resolution and any penalties.
Additionally and significantly — especially for companies that expect to buy, be sold to, or merge with another company — the DOJ now recognizes the potential benefits of corporate mergers and acquisitions. That’s particularly so when the acquirer has a robust compliance program and implements it for the merged or acquired entity.
That means that when a company uncovers misconduct by the target entity or its executives or employees through due diligence or through post-acquisition audits or compliance assessments, and voluntarily self-discloses the misconduct and takes other action consistent with the FCPA Corporate Enforcement Policy (including the timely implementation of an effective compliance program at the merged or acquired entity), there is a rebuttable presumption that the DOJ will decline to prosecute the company criminally.
Similarly, acquirers should closely evaluate the target’s OFAC- and antitrust-related compliance policies and programs, identify any gaps, and address them as quickly as possible post-closing to ensure added protection in the event of a regulatory inquiry or investigation.
The actions listed above make plain that there are significant potential benefits for companies with robust and comprehensive compliance programs. And if one isn’t in place, the sooner such a program is developed and implemented, the better.
An effective program must incorporate internal controls, including written policies and procedures, to identify, interdict, escalate, report, and keep records pertaining to activity that may fall under applicable regulations and laws.
This will ensure that an organization outlines clear expectations, defines procedures and processes pertaining to OFAC compliance (including reporting and escalation chains), and minimizes overall risks.
Policies and procedures should be enforced, weaknesses should be identified (including through root cause analysis of any compliance breaches) and remediated, and internal and/or independent external audits should be conducted by subject matter experts.
Compliance programs should also include a comprehensive, independent, and objective testing or audit function to ensure that entities are aware of where and how their programs are performing. Programs also should be kept up to date in light of constantly changing regulatory and business environments.
Testing and auditing, whether conducted on a specific element of a compliance program or at the enterprise-wide level, are central tools to ensure the program is working as designed and to identify weaknesses and deficiencies.
At the same time, compliance training must give all appropriate personnel, on a periodic basis (at least annually), a comprehensive view of the enforcement, regulatory, and legal landscape. This should include all cumulative changes since the previous training session.
Written training materials as well as written records of the training agenda, training materials, and attendance must be provided to the regulator to establish that recent and relevant training in fact was provided to an employee who may be drawn into a problematic transaction.
By following the above guidance and keeping a close eye on further moves in Washington, a company can ensure it has an effective program.
Both are important at a time when global conflicts surrounding trade and other matters, combined with a fluid political environment, have prompted regulators to take action on a variety of fronts when it comes to compliance.