Business Plan
What the DOJ’s and SEC’s latest guidance means for your compliance program.
Written by Jay G. Martin, Jeffrey D. Clark, and Eric C. Steinhart
Introduction
Compliance programs are essential to a company’s sustained business
success. They promote a culture of ethics and integrity, foster
compliance with all applicable laws and regulations, and provide
oversight and management of a company’s existing and emerging legal,
ethical, regulatory, and compliance risks. If properly designed and effectively
managed, compliance programs can help detect and prevent unlawful and
unethical conduct that is very costly to companies.
Both the U.S. Department of Justice, or DOJ, and the U.S. Securities and
Exchange Commission, or SEC, recently have provided updated guidance on
corporate compliance programs. Issued during the COVID-19 pandemic, this
updated guidance seems calculated in part to reiterate the government’s
expectation that corporations develop and deploy effective,
well-resourced compliance programs, even in times of economic
stress.
This article begins by providing historical context to the recent
updates to the DOJ’s and SEC’s compliance program guidance. It then
discusses the DOJ’s and SEC’s key recent updates and concludes by
suggesting how companies in Texas and elsewhere can incorporate the new
guidance while simultaneously responding to financial pressures to
reduce compliance spending.
Historical Guidance Concerning Corporate Compliance Programs
The federal government has long offered guidance about corporate
compliance programs. For example, the 1991 edition of the United States
Sentencing Commission’s Guidelines Manual,¹ as updated in
2004² and 2010,³ identified the ability “to
prevent and detect criminal conduct by . . . employees and other
agents” as the “hallmark of an effective program”4 and
elaborated on the attributes of an effective compliance
program.5 Since 1999, memoranda from deputy assistant
attorneys general concerning corporate criminal enforcement, including
the 1999 “Holder Memorandum,”6 the 2008 “Filip
Memorandum,”7 and the 2018 “Benczkowski
Memorandum,”8 have also offered compliance program guidance.
Both the SEC and DOJ have also issued guidance documents that discuss
compliance programs, including the SEC’s 2001 “Seaboard
Report”9 and the November 2012 first edition of the joint DOJ
and SEC “Resource Guide to the U.S. Foreign Corrupt Practices Act,” or
the “FCPA Resource Guide.”10
In February 2017, the DOJ’s Fraud Section issued a guidance document,
titled “Evaluation of Corporate Compliance Programs” (the “Compliance
Program Guidance”), which directed prosecutors, when evaluating the
effectiveness of a corporate compliance program, to consider numerous
questions across 11 topical areas, including risk assessment, training
and communications, third-party management, confidential reporting, and
investigations.11 Two years later, in April 2019, the DOJ’s
Criminal Division issued an updated version of the Compliance Program
Guidance, in which the Criminal Division adopted the Fraud Section’s
approach and distilled the previous version’s many questions into three
“fundamental questions” that the DOJ had previously articulated in the
Justice Manual: (1) “‘Is the corporation’s compliance program
well designed?’”; (2) “‘Is the program being applied earnestly and in
good faith?’ In other words, is the program being implemented
effectively?”; and (3) “‘Does the corporation’s compliance program work’
in practice?”12
Recent DOJ and SEC Guidance
In summer 2020, in the midst of the coronavirus pandemic, the
regulators issued two updated guidance documents. First, in June 2020,
the DOJ’s Criminal Division issued updated Compliance Program Guidance.
Notably, although the guidance remains anchored in the previous
version’s three “fundamental questions,” it reflects a heightened
sensitivity to the dedication of sufficient resources to compliance,
recasting one of these questions as whether the compliance program is
“adequately resourced and empowered to function
effectively.”13 One month later, in July 2020, the DOJ and
SEC released the second edition of the FCPA Resource Guide, which
reiterates these three updated “fundamental questions.”14 In
doing so, the SEC’s Enforcement Division seems to have broken its
eight-year silence on compliance programs and adopted the DOJ Criminal
Division’s general approach.
Key Recent Guidance from the DOJ and SEC Concerning Corporate Compliance Programs
Read together, the updated Compliance Program Guidance and FCPA
Resource Guide provide new guidance for compliance programs in five
primary areas.
Compliance Departments Must Be Properly Resourced and Empowered to Function Effectively
The DOJ’s and SEC’s admonition that a corporate compliance program must
be “adequately resourced”15 is consistent with other aspects
of the recent guidance that focus more than ever before on the quality
and training of a company’s compliance personnel as well as the
resources that the company makes available to them.16 The
second element—that a compliance program should be “empowered to
function effectively”17—underscores the regulators’ ongoing
concern that compliance personnel have sufficient status within a
company to participate in key decisions and effectively monitor its
operations.
Ongoing Evaluation and Evolution of Compliance Programs Including Risk Assessments Are Essential
The updated guidance emphasizes the importance of risk assessment in
determining whether a corporate compliance program is well designed. The
DOJ’s updated Compliance Program Guidance, for example, encourages
companies, in designing their compliance programs, to “analyze[] and
address[] the varying risks presented by, among other factors, the
location of [their] operations, the industry sector, the competitiveness
of the market, the regulatory landscape, potential clients and business
partners, transactions with foreign governments, payments to foreign
officials, use of third parties, gifts, travel, and entertainment
expenses, and charitable and political donations.”18 The DOJ
and SEC also have advised that they “will give meaningful credit to a
company that implements in good faith a comprehensive, risk-based
compliance program, even if that program does not prevent an infraction
in a low[-]risk area because greater attention and resources had been
devoted to a higher risk area.”19 The DOJ and SEC have also
emphasized that compliance programs must evolve in response to new
information. The DOJ²⁰ has thus underscored the importance of
data analytics to obtain the information necessary to monitor and refine
corporate compliance programs.21 Accordingly, the “DOJ and
SEC evaluate whether companies regularly review and improve their
compliance programs and do not allow them to become
stale.”22
Third Parties Must Be Effectively Managed Throughout the Life of the Relationship
By some accounts, over the past decade, more than 90% of Foreign Corrupt
Practices Act enforcement actions related to bribery schemes involved
third-party intermediaries,23 making third-party
relationships one of the biggest risks for international companies.
Historically, the DOJ and SEC have emphasized the importance of due
diligence at the beginning of a company’s relationship with a third
party.24 The DOJ’s updated Compliance Program Guidance shifts
the framework from upfront due diligence to managing third parties over
the life of the relationship and asks, in relevant part: “Does the
company engage in risk management of third parties throughout the
lifespan of the relationship, or primarily during the onboarding
process?”25 This sea change in expectations and approach
means that companies can no longer rely solely on due diligence at the
onboarding stage. The DOJ and SEC may well provide further guidance in
this area. Nevertheless, it is apparent that companies must manage
third-party relationships from cradle to grave, beginning with a robust
business justification for the third-party engagement, the assignment of
a business sponsor who owns the relationship, and risk-based onboarding
due diligence that the company repeats every one to three years based on
relative levels of risk. Companies also should execute contracts with
prospective third parties that include compliance safeguards, annual
certification requirements, training and spot audit requirements for
higher-risk third parties, and a prohibition on paying for travel and
entertainment expenses for foreign officials without a company’s prior
approval.
Effective Integration of Acquisitions
Although earlier DOJ and SEC guidance emphasized pre-acquisition FCPA
due diligence,26 the regulators have acknowledged for the
first time in the recent guidance “the potential benefits of corporate
mergers and acquisitions, particularly when the acquiring entity has a
robust compliance program in place and implements that program as
quickly as practicable at the merged or acquired entity.”27
This overarching policy statement—that society may benefit when
companies with strong compliance cultures acquire companies with weaker
compliance—is coupled in the updated FCPA Resource Guide with a
recognition that pre-acquisition due diligence necessarily has limits as
well as with a greater emphasis on how acquiring companies can mitigate
enforcement risk when acquiring a company with potential compliance
issues.28
Internal Investigation and Remediation of Misconduct
The updated FCPA Resource Guide focuses on internal investigations,
noting that “[t]he truest measure of an effective compliance program is
how it responds to misconduct.”29 It explains: “An effective
investigations structure will . . . have an established means of
documenting the company’s response, including any disciplinary or
remediation measures taken.”30 Accordingly, the DOJ and SEC
expect a company “to analyze the root causes of the misconduct to timely
and appropriately remediate those causes to prevent future compliance
breaches.”31
Conclusion
The DOJ and SEC expect companies to maintain robust, risk-based
compliance programs notwithstanding the current challenging business
environment. Yet how are companies,32 including many
Texas-based energy companies, to respond to this new guidance when faced
with pressure to cut costs of all kinds? The answer, in part, is that
companies must remain cautious as they seek to streamline compliance
programs. As Daniel Kahn, the now acting chief of the Fraud Section,
recently shared: “What I would want to see is a company coming in and
explaining, ‘OK, here are the cuts that we have to make in connection
with our business, here are our cuts correspondingly made to compliance.
But here are the reasons we felt comfortable making these cuts and why
we think that we are still able to address the very real risk that we
have.’”33 When adapting their compliance programs to the
current business environment, companies should consider the DOJ’s and
the SEC’s latest guidance on compliance programs and be prepared, should
their program come under regulatory scrutiny, to justify any reduction
in compliance resources. Even if a company mandates head count
reductions or budget cuts, the company may still be able to maintain an
effective compliance program through the optimal use of technology and
by employing creative methods of communication.
JAY G. MARTIN
is senior counsel in the Litigation Department and the Compliance,
Investigations & Enforcement Practice Group of Willkie Farr &
Gallagher in Houston. Prior to joining Willkie in May 2019, he served as
the associate general counsel and chief compliance officer at Baker
Hughes and Baker Hughes GE, where he was responsible for leading and
directing the company’s comprehensive global compliance program across
120 countries. Prior to joining Baker Hughes, Martin was a partner at
three major law firms and was assistant general counsel of Mobil Oil
Corporation’s Worldwide Exploration and Production Division in Fairfax,
Virginia. He has been a featured speaker at more than 90 industry and
legal seminars and has also written 78 articles on legal and compliance
subjects.
JEFFREY D. CLARK
is a partner in Willkie Farr & Gallagher, where he represents
corporations and individuals in a variety of civil and criminal
investigations and enforcement matters, including grand jury
investigations and SEC enforcement actions. His practice includes
conducting internal corporate investigations and advising corporate
management and boards regarding enforcement matters. Clark specializes
in Foreign Corrupt Practices Act matters and has substantial expertise
in other types of international business and white-collar litigation.
Prior to joining Willkie, he was the deputy chief of the Special
Prosecutions (Corruption) and Criminal Divisions of the U.S. Attorney’s
Office for the District of New Jersey. As a federal prosecutor, Clark
prosecuted and supervised all manner of white-collar criminal and
terrorism cases.
ERIC C. STEINHART
is an associate in the Litigation Department and the Compliance,
Investigations & Enforcement Practice Group of Willkie Farr &
Gallagher in Washington, D.C. A 2015 graduate of Georgetown University
Law Center, he previously clerked for Judge Ellen L. Hollander, U.S.
District Judge for the U.S. District Court for the District of
Maryland.