November 6, 2020

What the DOJ’s and SEC’s latest guidance means for your compliance program

This article was originally published in the November 2020 issue of the Texas Bar Journal and has been reprinted with permission. 

Introduction

Compliance programs are essential to a company’s sustained business success. They promote a culture of ethics and integrity and compliance with all applicable laws and regulations, and they provide oversight and management of a company’s existing and emerging legal, ethical, regulatory, and compliance risks. If properly designed and effectively managed, compliance programs can help detect and prevent unlawful and unethical conduct that is very costly to companies.

Both the U.S. Department of Justice, or DOJ, and the U.S. Securities and Exchange Commission, or SEC, recently have provided updated guidance on corporate compliance programs. Issued during the COVID-19 pandemic, this updated guidance seems calculated in part to reiterate the government’s expectation that corporations develop and deploy effective, well-resourced compliance programs, even in times of economic stress.

This article begins by providing historical context to the recent updates to the DOJ’s and SEC’s compliance program guidance. It then discusses the DOJ’s and SEC’s key recent updates and concludes by suggesting how companies in Texas and elsewhere can incorporate the new guidance while simultaneously responding to financial pressures to reduce compliance spending.

Historical Guidance Concerning Corporate Compliance Programs

The federal government has long offered guidance about corporate compliance programs. For example, the 1991 edition of the United States Sentencing Commission’s Guidelines Manual,[1] as updated in 2004[2] and 2010,[3] identified the ability “to prevent and detect criminal conduct by . . . employees and other agents” as the “hallmark of an effective program”[4] and elaborated on the attributes of an effective compliance program.[5] Since 1999, memoranda from deputy assistant attorneys general concerning corporate criminal enforcement, including the 1999 “Holder Memorandum,”[6] the 2008 “Filip Memorandum,”[7] and the 2018 “Benczkowski Memorandum,”[8] have also offered compliance program guidance. Both the SEC and DOJ have also issued guidance documents that discuss compliance programs, including the SEC’s 2001 “Seaboard Report”[9] and the November 2012 first edition of the joint DOJ and SEC “Resource Guide to the U.S. Foreign Corrupt Practices Act,” or the “FCPA Resource Guide.”[10]

In February 2017, the DOJ’s Fraud Section issued a guidance document, titled “Evaluation of Corporate Compliance Programs” (the “Compliance Program Guidance”), which directed prosecutors, when evaluating the effectiveness of a corporate compliance program, to consider numerous questions across 11 topical areas, including risk assessment, training and communications, third-party management, confidential reporting, and investigations.[11] Two years later, in April 2019, the DOJ’s Criminal Division issued an updated version of the Compliance Program Guidance, in which the Criminal Division adopted the Fraud Section’s approach and distilled the previous version’s many questions into three “fundamental questions” that the DOJ had previously articulated in the Justice Manual: (1) “‘Is the corporation’s compliance program well designed?’”; (2) “‘Is the program being applied earnestly and in good faith?’ In other words, is the program being implemented effectively?”; and (3) “‘Does the corporation’s compliance program work’ in practice?”[12]

Recent DOJ and SEC Guidance

In summer 2020, in the midst of the coronavirus pandemic, the regulators issued two updated guidance documents. First, in June 2020, the DOJ’s Criminal Division issued updated Compliance Program Guidance. Notably, although the guidance remains anchored in the previous version’s three “fundamental questions,” it reflects a heightened sensitivity to the dedication of sufficient resources to compliance, recasting one of these questions as whether the compliance program is “adequately resourced and empowered to function effectively.”[13] One month later, in July 2020, the DOJ and SEC released the second edition of the FCPA Resource Guide, which reiterates these three updated “fundamental questions.”[14] In doing so, the SEC’s Enforcement Division seems to have broken its eight-year silence on compliance programs and adopted the DOJ Criminal Division’s general approach.

Key Recent Guidance from the DOJ and SEC Concerning Corporate Compliance Programs

Read together, the updated Compliance Program Guidance and FCPA Resource Guide provide new guidance for compliance programs in five primary areas.

Compliance Departments Must Be Properly Resourced and Empowered to Function Effectively

The DOJ’s and SEC’s admonition that a corporate compliance program must be “adequately resourced”[15] is consistent with other aspects of the recent guidance that focus more than ever before on the quality and training of a company’s compliance personnel as well as the resources that the company makes available to them.[16] The second element—that a compliance program should be “empowered to function effectively”[17]—underscores the regulators’ ongoing concern that compliance personnel have sufficient status within a company to participate in key decisions and effectively monitor its operations.

Ongoing Evaluation and Evolution of Compliance Programs Including Risk Assessments Are Essential

The updated guidance emphasizes the importance of risk assessment in determining whether a corporate compliance program is well designed. The DOJ’s updated Compliance Program Guidance, for example, encourages companies, in designing their compliance programs, to “analyze[] and address[] the varying risks presented by, among other factors, the location of [their] operations, the industry sector, the competitiveness of the market, the regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, gifts, travel, and entertainment expenses, and charitable and political donations.”[18] The DOJ and SEC also have advised that they “will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low-risk area because greater attention and resources had been devoted to a higher risk area.”[19] The DOJ and SEC have also emphasized that compliance programs must evolve in response to new information. The DOJ[20] has thus underscored the importance of data analytics to obtain the information necessary to monitor and refine corporate compliance programs.[21] Accordingly, the “DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and do not allow them to become stale.”[22]

Third Parties Must Be Effectively Managed Throughout the Life of the Relationship

By some accounts, over the past decade, more than 90% of Foreign Corrupt Practices Act enforcement actions related to bribery schemes involved third-party intermediaries,[23] making third-party relationships one of the biggest risks for international companies. Historically, the DOJ and SEC have emphasized the importance of due diligence at the beginning of a company’s relationship with a third party.[24] The DOJ’s updated Compliance Program Guidance shifts the framework from upfront due diligence to managing third parties over the life of the relationship and asks, in relevant part: “Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?”[25] This sea change in expectations and approach means that companies can no longer rely solely on due diligence at the onboarding stage. The DOJ and SEC may well provide further guidance in this area. Nevertheless, it is apparent that companies must manage third-party relationships from cradle to grave, beginning with a robust business justification for the third-party engagement, the assignment of a business sponsor who owns the relationship, and risk-based onboarding due diligence that the company repeats every one to three years based on relative levels of risk. Companies also should execute contracts with prospective third parties that include compliance safeguards, annual certification requirements, training and spot audit requirements for higher-risk third parties, and a prohibition on paying for travel and entertainment expenses for foreign officials without a company’s prior approval.

Effective Integration of Acquisitions

Although earlier DOJ and SEC guidance emphasized pre-acquisition FCPA due diligence,[26] the regulators have acknowledged for the first time in the recent guidance “the potential benefits of corporate mergers and acquisitions, particularly when the acquiring entity has a robust compliance program in place and implements that program as quickly as practicable at the merged or acquired entity.”[27] This overarching policy statement—that society may benefit when companies with strong compliance cultures acquire companies with weaker compliance—is coupled in the updated FCPA Resource Guide with a recognition that pre-acquisition due diligence necessarily has limits as well as with a greater emphasis on how acquiring companies can mitigate enforcement risk when acquiring a company with potential compliance issues.[28]

Internal Investigation and Remediation of Misconduct

The updated FCPA Resource Guide focuses on internal investigations, noting that “[t]he truest measure of an effective compliance program is how it responds to misconduct.”[29] It explains: “An effective investigations structure will . . . have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.”[30] Accordingly, the DOJ and SEC expect a company “to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.”[31]

Conclusion

The DOJ and SEC expect companies to maintain robust, risk-based compliance programs notwithstanding the current challenging business environment. Yet how are companies,[32] including many Texas-based energy companies, to respond to this new guidance when faced with pressure to cut costs of all kinds? The answer, in part, is that companies must remain cautious as they seek to streamline compliance programs. As Daniel Kahn, the now acting chief of the Fraud Section, recently shared: “What I would want to see is a company coming in and explaining, ‘OK, here are the cuts that we have to make in connection with our business, here are our cuts correspondingly made to compliance. But here are the reasons we felt comfortable making these cuts and why we think that we are still able to address the very real risk that we have.’”[33] When adapting their compliance programs to the current business environment, companies should consider the DOJ’s and the SEC’s latest guidance on compliance programs and be prepared, should their program come under regulatory scrutiny, to justify any reduction in compliance resources. Even if a company mandates head count reductions or budget cuts, the company may still be able to maintain an effective compliance program through the optimal use of technology and by employing creative methods of communication. TBJ


________________________ 

Notes

1.         United States Sentencing Commission, Guidelines Manual (1991), https://www.ussc.gov/sites/default/files/pdf/guidelines-manual/1991/manual-pdf/1991_Guidelines_Manual_Full.pdf.

2.         United States Sentencing Commission, Guidelines Manual (2004), https://www.ussc.gov/sites/default/files/pdf/guidelines-manual/2004/manual/gl2004.pdf.

3.         United States Sentencing Commission, Guidelines Manual (2010), https://www.ussc.gov/sites/default/files/pdf/guidelines-manual/2010/manual-pdf/2010_Guidelines_Manual_Full.pdf.

4.         1991 Sentencing Guidelines § 8A1.2 cmt. n.3(k).

5.         See 2010 Sentencing Guidelines § 8B2.1.

6.         See Memorandum from the Deputy Attorney General, Bringing Criminal Charges Against Corporations, at 3, 6-8 (June 16, 1999), https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2010/04/11/charging-corps.pdf.

7.         See Memorandum from Mark Filip, Deputy Attorney General, Principles of Federal Prosecution of Business Organizations, at 14-16 (Aug. 28, 2008), https://www.justice.gov/sites/default/files/dag/legacy/2008/11/03/dag-memo-08282008.pdf.

8.         See Memorandum from Brian A. Benczkowski, Assistant Attorney General, Selection of Monitors in Criminal Division Matters, at 2 (Oct. 11, 2018), https://www.justice.gov/opa/speech/file/1100531/download.

9.         Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 and Commission Statement on the Relationship of Cooperation to Agency Enforcement Decisions, Securities Exchange Act of 1934, Release No. 44969 (Oct. 23, 2001), https://www.sec.gov/litigation/investreport/34-44969.htm.

10.       Criminal Division of the U.S. Dep’t of Justice & the Enforcement Division of the U.S. Sec. & Exch. Comm’n, A Resource Guide to the U.S. Foreign Corrupt Practices Act (2012), https://www.sec.gov/spotlight/fcpa/fcpa-resource-guide.pdf.

11.       U.S. Dep’t of Justice Criminal Division, Evaluation of Corporate Compliance Programs (Feb. 2017).

12.       U.S. Dep’t of Justice Criminal Division, Evaluation of Corporate Compliance Programs, at 2 (Apr. 2019).

13.       U.S. Dep’t of Justice, Evaluation of Corporate Compliance Programs, at 2 (June 2020), https://www.justice.gov/criminal-fraud/page/file/937501/download.

14.       Criminal Division of the U.S. Dep’t of Justice & the Enforcement Division of the U.S. Sec. & Exch. Comm’n, A Resource Guide to the U.S. Foreign Corrupt Practices Act, at 57 (2d ed. 2020), https://www.justice.gov/criminal-fraud/file/1292051/download.

15.       2020 Compliance Program Guidance at 2; FCPA Resource Guide at 57.

16.       See 2020 Compliance Program Guidance at 5-6, 9-14; FCPA Resource Guide at 59-60.

17.       2020 Compliance Program Guidance at 2; FCPA Resource Guide at 57.

18.       2020 Compliance Program Guidance at 3.

19.       FCPA Resource Guide at 60.

20.       The updated joint FCPA Resource Guide does not focus on data analytics, although, in practice, the SEC has been in lockstep with the DOJ in emphasizing the importance of using data to monitor and enhance compliance efforts.

21.       See U.S. Dep’t of Justice, Deputy Assistant Attorney General Matthew S. Miner Delivers Remarks at the 6th Annual Government Enforcement Institute (Sept. 12, 2019), https://www.justice.gov/opa/speech/deputy-assistant-attorney-general-matthew-s-miner-delivers-remarks-6th-annual-government; 2020 Compliance Program Guidance at 3, 12.

22.       FCPA Resource Guide at 66.

23.       See Stanford Law School, Foreign Corrupt Practices Act Clearinghouse, Third-Party Intermediaries, http://fcpa.stanford.edu/chart-intermediary.html.

24.       See, e.g., 2019 Compliance Program Guidance at 6-8.

25.       2020 Compliance Program Guidance at 8.

26.       See FCPA Resource Guide at 28-30 (2012), https://www.sec.gov/spotlight/fcpa/fcpa-resource-guide.pdf.

27.       Id. at 29.

28.       See id. at 29-32.

29.       Id. at 67.

30.       Id.

31.       Id.

32.       See Clara Hudson, How the pandemic has affected corporate compliance teams, Global Investigations Review (May 22, 2020), https://globalinvestigationsreview.com/article/jac/1227141/how-the-pandemic-has-affected-corporate-compliance-teams (discussing compliance downsizing in the energy sector).

33.       Maggie Hicks, DOJ official discusses how to address compliance budget challenges, Global Investigations Review (July 28, 2020).