The US authorities have long fostered and supported a culture of “soft enforcement” whereby companies adopt rigorous internal compliance programs to detect and deter violations of law by their employees, partners and agents. Companies that do so are often rewarded by being permitted to conduct their own internal investigations rather than being subjected to an intrusive and disruptive public investigation, and by more lenient punishment and penalties. Over time, non-US companies subject to enforcement in the United States for violations of US law, including the US securities, anti-trust, anti-corruption (e.g., FCPA), anti-money laundering and other laws, have begun to adopt similar compliance structures.
Partly as a result of increased cooperation among enforcement agencies of various nations, there is a developing consensus about the policies and procedures a company must adopt to prevent and detect violations of law by its employees, partners and agents. The elements of an effective compliance program were first set out in FCPA settlement agreements and in the US federal sentencing guidelines for organizations promulgated by the US Sentencing Commission (the “Commission”). These principles were largely adopted by the OECD in its 2010 Good Practice Guidance on Internal Controls, Ethics, and Compliance. Most recently, the UK Bribery Act’s offense for failing to prevent corruption provides for an affirmative defense to companies that have “adequate procedures” designed to prevent bribery, and the official guidance, issued in March 2011, reflects many of the same principles as the OECD and US models. Establishing an effective compliance and ethics program is therefore essential for a company seeking to avoid or mitigate punishment (including fines and terms of probation) for a violation.
In summary, companies must promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law. The consensus requires boards of directors and executives to assume responsibility for the oversight and management of compliance and ethics programs. Effective oversight and management presumes active leadership in defining the content and operation of the program. At a minimum, the consensus requires companies to identify areas of risk where violations may occur; train employees on relevant legal standards and obligations; and give their compliance and ethics officers sufficient authority and resources to carry out their responsibilities (e.g., designate a compliance officer with sufficient authority and resources).
A company should have an effective program to prevent and detect violations of law. For such a program to be considered effective, there are several key elements. The following elements have become a benchmark against which compliance programs are measured:
Strong explicit and visible support and commitment for ethics, compliance and internal controls from the highest levels of the company.
A clearly articulated and visible policy, applicable regardless of local customs or practices.
Individual accountability for compliance at all levels of the organization including directors, officers, employees, vendors and business partners.
Chapter 5 | A Compliance Manual for Non-US Companies | September 2014
Clear policies on:
• gifts;
• hospitality and entertainment;
• travel;
• political contributions and lobbying;
• charitable donations and sponsorships;
• facilitation payments; and
• solicitations and extortion.
Risk-based procedures for vetting, due diligence (including periodic updating) and oversight of vendors and business partners.
A system of internal controls and procedures to ensure fair and accurate books, records and accounts.
Risk-based compliance monitoring to evaluate, in light of evolving standards, the program’s effectiveness in preventing and detecting violations of policy and law.
Guidance and training, both periodically and on demand, in local languages on a risk-based scale to all employees, vendors and business partners.
A helpline and other channels for reporting compliance concerns outside of regular management channels.
Appropriate and consistent incentives and disciplinary processes that investigate and address violations of policy and law.
Periodic assessment and evaluation of the compliance program in light of previous events and new developments.
Implemented correctly, the Sarbanes-Oxley Act certification procedures discussed under “Chapter 3: Disclosure” can serve as one part of such an assessment procedure. It is important to note that most violations of anti-corruption laws occur when immaterial amounts are paid to an official, so an assessment of any compliance program must look for transactions below the usual definition of “material.”
We suggest that your existing compliance procedures become part of a larger effort to meet the definition of an “effective” compliance program. Many of the key elements may already have been adopted by the Company, so the effort to meet the requirements of an “effective” program need not be costly. Meeting these standards will provide the directors with the broadest protection from personal liability and may also affect an underwriter’s terms for director and officer insurance coverage.
Self-Audit Checklist
The following is a self-audit checklist for the Company to use as a starting point to determine whether it has an effective compliance program:
Comprehensive risk assessment in the last two years.
A clear and concise policy.
Visible senior sponsorship of ethics, compliance and controls.
Policy and procedures in local business language.
Chief compliance officer within three levels of, and with direct access to, the Board of Directors.
Compliance officer known by name to top regulators.
Key employees, vendors and partners vetted in writing for compliance conduct.
Compliance training materials, policies and procedures in several media and in local languages.
Compliance training in several levels of intensity based upon risk exposure.
Compliance training and understanding tested and documented.
An actively used compliance hot line.
Risk-based compliance monitoring.
Centralized monitoring of complaints and subpoenas.
Internal audit work program developed with compliance function.
Crisis team identified by name.
Crisis plan in writing.
Documented compliance lessons learned.