Whether a company’s compliance program works in practice is one of the three fundamental questions prosecutors ask when evaluating corporate compliance programs. Effective implementation is a key metric for the overall effectiveness of the program. Companies may be wondering the same thing about recently updated compliance guidance from the Department of Justice (“DOJ”) and Securities and Exchange Commission (“SEC”): how does it work in practice? In other words, how have regulators applied the guidance in recent enforcement actions?
This summer, the DOJ and SEC released the second edition of A Resource Guide to the U.S. Foreign Corrupt Practices Act (“FCPA Resource Guide”), and the DOJ issued an updated version of its compliance guidance, Evaluation of Corporate Compliance Programs (“Compliance Guidance”). While the updates were not earth-shattering, they did provide an instructive view into the agencies’ priorities. Among other things, they (1) emphasized the importance of effective remediation, (2) further emphasized that the DOJ and SEC will evaluate the effectiveness of the company’s compliance program at the time of the offense as well as at the time of resolution, and (3) expanded on the notion that compliance programs are not one-size-fits-all.
We see these themes echoed in recent enforcement actions, which demonstrate the consequences of falling short of the guidelines and the benefits of aligning compliance program elements to the DOJ’s and SEC’s expectations. They also present some unanswered questions about how companies are expected to tailor their programs.
Several recent enforcement actions have a clear message for companies: Ignore misconduct at your own peril. This aligns with the emphasis on effective remediation in the updated guidance. According to the updated FCPA Resource Guide, “The truest measure of an effective compliance program is how it responds to misconduct.” This view anchors the newest hallmark of an effective compliance program, “Investigation, Analysis, and Remediation of Misconduct.” Within this hallmark, the DOJ and SEC suggest that companies should analyze root causes of misconduct to remediate and prevent future compliance breaches. The DOJ’s Compliance Guidance was also updated to add a new remediation-focused question, prompting prosecutors to ask, “Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?”
Failure to remediate is at the root of recent enforcement actions against Novartis, Herbalife, and Beam Suntory. The June 2020 Novartis settlement notes that the company is a recidivist, having settled with the SEC for similar FCPA violations in March 2016. This fact alone suggests a failure to remediate, and it resulted in a higher financial penalty for the company. Relatedly, the Novartis, Herbalife, and Beam Suntory settlements all involve issues that persisted even after they were flagged by internal audit or compliance reviews. In many cases these issues were acknowledged by the Board and management. For instance, the Novartis SEC Order (addressing conduct by Alcon) references consecutive audits rated “Needs Major Improvement” and quotes a senior Alcon executive describing a “very poorly executed” remediation exercise at the company. Similarly, the Herbalife settlement notes that executives received internal audit reports flagging excessive expense reimbursements, yet failed to act. Emphasizing that this was a known risk, the SEC Order quotes an Herbalife Board Member as saying: “Please note[,] I have questioned this every year I have been on the board, and the company has defended its position that these are reasonable within FCPA guidelines.” In perhaps the most extreme case of failure to remediate among these settlements, Beam Suntory was warned about the inadequacy of its internal controls through multiple internal audits, separate compliance reviews conducted by a global accounting firm and an Indian law firm, and an analysis of the reviews by a U.S. law firm. Beam Suntory executives ignored many of the recommendations coming out of the reviews and privately expressed concerns that further scrutiny of the company would likely uncover improper activity. 
Rather than trying to proactively identify and remediate misconduct, one employee is quoted as saying he hoped the company would “not have to undergo another compliance review by any department for a long time.” This attitude runs counter to the proactive, data-driven, inquisitive approach encouraged by the revised compliance guidance.
These examples underscore how important it is for companies, when faced with potential misconduct, to resist the urge to look the other way or defend the indefensible. Rather, companies must be prepared to investigate and remediate the issues.
The revised FCPA Resource Guide and Compliance Guidance specify that the DOJ and SEC will evaluate a company’s compliance program at the time of the offense as well as at the time of resolution. This gives companies an incentive to improve their compliance programs prior to settlement, which may result in a reduced penalty and allow them to avoid the appointment of a monitor. Recent resolutions show that the DOJ and SEC give serious weight to these remedial actions. Since the updated guidance was released, no FCPA settlement has involved the appointment of a monitor. In each case, the company significantly improved its compliance program in ways that align with the updated guidance. For instance:
Companies that may face an impending settlement with the DOJ or SEC shouldn’t wait to strengthen their compliance programs. By following the guidelines—and paying particular attention to areas of recent focus, such as compliance program structure, resources, risk assessment, and testing capabilities—companies are more likely to receive remediation credit and less likely to be subject to a monitorship.
The DOJ and SEC recognize that there is no “one-size-fits-all” compliance program. Effectiveness is not measured by a single standard, but rather depends on whether the compliance program and controls are tailored to a company’s unique risk profile. This idea was codified in the latest version of the FCPA Resource Guide and Compliance Guidance, and we see it being put into practice. For instance, in describing its decision not to appoint a monitor in the Sargeant Marine case, the DOJ referenced the company’s “risk profile, including the small size of the Company’s ongoing operations.”
Companies should take comfort that the DOJ and SEC are following through on their promise to evaluate each company’s compliance program on its own merits. On the other hand, it is not entirely clear how the DOJ and SEC expect companies to tailor their programs, particularly for smaller operations. For instance, all DPAs involving a monitorship or self-reporting contain a standard “Attachment C” outlining compliance program requirements the company must satisfy.
Notably, the DOJ has updated the Attachment C language since the revised guidance was released to include several new and modified requirements:
The company must take several additional steps related to third-party management, including:
This updated Attachment C was first used in the August 2020 Herbalife settlement, and has also appeared in more recent settlements.
These meaningful updates to the standard compliance requirements incorporate themes highlighted in the new guidance. However, these requirements are still used as a standard, applicable to all companies entering FCPA settlements with the DOJ, whether the company is small, like Sargeant Marine, or massive, like Goldman Sachs. This means that while Sargeant Marine may have avoided a monitorship, it still has a high bar to meet in terms of the DOJ’s and SEC’s compliance expectations.
The DOJ and SEC are certainly putting the updated guidance into practice. Although the changes were relatively minor, they are clearly reflected in enforcement actions that demonstrate the consequences companies face when they fail to remediate, and the benefits for companies that enhance their programs in line with the guidance. And while the DOJ and SEC are clearly committed to the view that compliance programs should be tailored to each company’s unique risk profile, the DOJ continues to use one-size-fits-all compliance language in the DPAs. It will be interesting to see if future enforcement actions shed more light on how the DOJ and SEC will evaluate whether a program is appropriately tailored to a company’s size and risk profile.