DOJ and SEC: No Patience for “Paper” Compliance Program
Exclusive to Corporate Compliance Insights
The Justice Department and SEC were very clear in the FCPA Guidance – they have no patience for a “paper” compliance program. Here is the relevant quote:
“DOJ and SEC have often encountered companies with compliance programs that are strong on paper but that nevertheless have significant FCPA violations because management has failed to effectively implement the program even in the face of obvious signs of corruption.”
The FCPA Guidance statement reflects the frustration of the Justice Department and the SEC with the quality of compliance programs they see in the business world. Many companies have implemented the “paper” framework for an effective compliance program. The policies are written and adopted by the company. What is missing is perhaps the most important element – implementation.
What steps should a company take to “implement” its “paper” compliance program? Here are some suggested steps:
Assessment – the company needs to make a quick assessment of what policies, if any, have been implemented. The focus of this initial assessment should reflect the risk assessment which was conducted and the risk ranking. If third party risks were the most significant, the company should focus initially on the due diligence policies and assess what policies and procedures have been implemented. After third party risks, the company should identify less significant risks and policies designed to address those risks.
Communications – many companies begin by announcing their new anti-corruption policies and procedures. Companies that have adopted its paper program usually have announced their policies and started the process of communicating their new policies. What is usually missing is a commitment to compliance communications and training. This should be a priority for next steps in the implementation process.
Prioritizing Action Steps – once the assessment and communications efforts are initiated, the focus should turn to reducing risks. The assessment may have identified relevant interactions with foreign government officials which may create significant risks. These interactions can have varying degrees of risk – third party interactions with foreign government officials which are directly related to securing foreign government contracts are likely a higher risk than third party interactions involving routine regulatory matters.
If the risky interactions involve the company’s own business development and/or sales staff, the company needs to act quickly to control its own employees and make them aware of the anti-corruption policies and compliance requirements.
More than likely, a company trying to play catch up will have to address third party risks and the due diligence process. Again, ranking third parties by risk factors should be the initial step and guide the catch-up process. After all, in most cases, this is likely the highest risk area for companies and addressing this risk has to be an immediate priority.
Monitoring – companies with paper programs usually have done little in the area of monitoring. The policies and forms may have been drafted but it is unlikely that the monitoring process has been implemented. Given the competing risks and compliance needs, this is likely going to be the last area that a company will address when trying to move past a paper program.
The process of implementing a paper program can take a fairly long time to complete. Companies facing this process need to document every step they take, the reasons they are taking each step, and the commitment to implement the compliance program. During this interim period, it is the only protection the company will have if a violation occurs.