What the DOJ’s and SEC’s latest guidance means for your compliance program.
Written by Jay G. Martin, Jeffrey D. Clark, and Eric C. Steinhart
Compliance programs are essential to a company’s sustained business success. They promote a culture of ethics and integrity and compliance with all applicable laws and regulations, and they provide oversight and management of a company’s existing and emerging legal, ethical, regulatory, and compliance risks. If properly designed and effectively managed, compliance programs can help detect and prevent unlawful and unethical conduct that is very costly to companies.
Both the U.S. Department of Justice, or DOJ, and the U.S. Securities and Exchange Commission, or SEC, recently have provided updated guidance on corporate compliance programs. Issued during the COVID-19 pandemic, this updated guidance seems calculated in part to reiterate the government’s expectation that corporations develop and deploy effective, well-resourced compliance programs, even in times of economic stress.
This article begins by providing historical context to the recent updates to the DOJ’s and SEC’s compliance program guidance. It then discusses the DOJ’s and SEC’s key recent updates and concludes by suggesting how companies in Texas and elsewhere can incorporate the new guidance while simultaneously responding to financial pressures to reduce compliance spending.
Historical Guidance Concerning Corporate Compliance
The federal government has long offered guidance about corporate compliance programs. For example, the 1991 edition of the United States Sentencing Commission’s Guidelines Manual,1 as updated in 20042 and 2010,3 identified the ability “to prevent and detect criminal conduct by . . . employees and other agents” as the “hallmark of an effective program”4 and elaborated on the attributes of an effective compliance program.5 Since 1999, memoranda from deputy assistant attorneys general concerning corporate criminal enforcement, including the 1999 “Holder Memorandum,”6 the 2008 “Filip Memorandum,”7 and the 2018 “Benczkowski Memorandum,”8 have also offered compliance program guidance. Both the SEC and DOJ have also issued guidance documents that discuss compliance programs, including the SEC’s 2001 “Seaboard Report”9 and the November 2012 first edition of the joint DOJ and SEC “Resource Guide to the U.S. Foreign Corrupt Practices Act,” or the “FCPA Resource Guide.”10
In February 2017, the DOJ’s Fraud Section issued a guidance document, titled “Evaluation of Corporate Compliance Programs” (the “Compliance Program Guidance”), which directed prosecutors, when evaluating the effectiveness of a corporate compliance program, to consider numerous questions across 11 topical areas, including risk assessment, training and communications, third-party management, confidential reporting, and investigations.11 Two years later, in April 2019, the DOJ’s Criminal Division issued an updated version of the Compliance Program Guidance, in which the Criminal Division adopted the Fraud Section’s approach and distilled the previous version’s many questions into three “fundamental questions” that the DOJ had previously articulated in the Justice Manual: (1) “‘Is the corporation’s compliance program well designed?’”; (2) “‘Is the program being applied earnestly and in good faith?’ In other words, is the program being implemented effectively?”; and (3) “‘Does the corporation’s compliance program work’ in practice?”12
Recent DOJ and SEC Guidance
In summer 2020, in the midst of the coronavirus pandemic, the regulators issued two updated guidance documents. First, in June 2020, the DOJ’s Criminal Division issued updated Compliance Program Guidance. Notably, although the guidance remains anchored in the previous version’s three “fundamental questions,” it reflects a heightened sensitivity to the dedication of sufficient resources to compliance, recasting one of these questions as whether the compliance program is “adequately resourced and empowered to function effectively.”13 One month later, in July 2020, the DOJ and SEC released the second edition of the FCPA Resource Guide, which reiterates these three updated “fundamental questions.”14 In doing so, the SEC’s Enforcement Division seems to have broken its eight-year silence on compliance programs and adopted the DOJ Criminal Division’s general approach.
Key Recent Guidance from the DOJ and SEC Concerning Corporate
Read together, the updated Compliance Program Guidance and FCPA Resource Guide provide new guidance for compliance programs in five primary areas.
Compliance Departments Must Be Properly Resourced and Empowered to Function Effectively
The DOJ’s and SEC’s admonition that a corporate compliance program must be “adequately resourced”15 is consistent with other aspects of the recent guidance that focus more than ever before on the quality and training of a company’s compliance personnel as well as the resources that the company makes available to them.16 The second element—that a compliance program should be “empowered to function effectively”17—underscores the regulators’ ongoing concern that compliance personnel have sufficient status within a company to participate in key decisions and effectively monitor its operations.
Ongoing Evaluation and Evolution of Compliance Programs Including Risk Assessments Are Essential
The updated guidance emphasizes the importance of risk assessment in determining whether a corporate compliance program is well designed. The DOJ’s updated Compliance Program Guidance, for example, encourages companies, in designing their compliance programs, to “analyze and address the varying risks presented by, among other factors, the location of [their] operations, the industry sector, the competitiveness of the market, the regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, gifts, travel, and entertainment expenses, and charitable and political donations.”18 The DOJ and SEC also have advised that they “will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low[-]risk area because greater attention and resources had been devoted to a higher risk area.”19 The DOJ and SEC have also emphasized that compliance programs must evolve in response to new information. The DOJ20 has thus underscored the importance of data analytics to obtain the information necessary to monitor and refine corporate compliance programs.21 Accordingly, the “DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and do not allow them to become stale.”22
Third Parties Must Be Effectively Managed Throughout the Life of the Relationship
By some accounts, over the past decade, more than 90% of Foreign Corrupt Practices Act enforcement actions related to bribery schemes involved third-party intermediaries,23 making third-party relationships one of the biggest risks for international companies. Historically, the DOJ and SEC have emphasized the importance of due diligence at the beginning of a company’s relationship with a third party.24 The DOJ’s updated Compliance Program Guidance shifts the framework from upfront due diligence to managing third parties over the life of the relationship and asks, in relevant part: “Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?”25 This sea change in expectations and approach means that companies can no longer rely solely on due diligence at the onboarding stage. The DOJ and SEC may well provide further guidance in this area. Nevertheless, it is apparent that companies must manage third-party relationships from cradle to grave, beginning with a robust business justification for the third-party engagement, the assignment of a business sponsor who owns the relationship, and risk-based onboarding due diligence that the company repeats every one to three years based on relative levels of risk. Companies also should execute contracts with prospective third parties that include compliance safeguards, annual certification requirements, training and spot audit requirements for higher-risk third parties, and a prohibition on paying for travel and entertainment expenses for foreign officials without a company’s prior approval.
Effective Integration of Acquisitions
Although earlier DOJ and SEC guidance emphasized pre-acquisition FCPA due diligence,26 the regulators have acknowledged for the first time in the recent guidance “the potential benefits of corporate mergers and acquisitions, particularly when the acquiring entity has a robust compliance program in place and implements that program as quickly as practicable at the merged or acquired entity.”27 This overarching policy statement—that society may benefit when companies with strong compliance cultures acquire companies with weaker compliance—is coupled in the updated FCPA Resource Guide with a recognition that pre-acquisition due diligence necessarily has limits as well as with a greater emphasis on how acquiring companies can mitigate enforcement risk when acquiring a company with potential compliance issues.28
Internal Investigation and Remediation of Misconduct
The updated FCPA Resource Guide focuses on internal investigations, noting that “[t]he truest measure of an effective compliance program is how it responds to misconduct.”29 It explains: “An effective investigations structure will . . . have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.”30 Accordingly, the DOJ and SEC expect a company “to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.”31
The DOJ and SEC expect companies to maintain robust, risk-based compliance programs notwithstanding the current challenging business environment. Yet how are companies,32 including many Texas-based energy companies, to respond to this new guidance when faced with pressure to cut costs of all kinds? The answer, in part, is that companies must remain cautious as they seek to streamline compliance programs. As Daniel Kahn, the now acting chief of the Fraud Section, recently shared: “What I would want to see is a company coming in and explaining, ‘OK, here are the cuts that we have to make in connection with our business, here are our cuts correspondingly made to compliance. But here are the reasons we felt comfortable making these cuts and why we think that we are still able to address the very real risk that we have.’”33 When adapting their compliance programs to the current business environment, companies should consider the DOJ’s and the SEC’s latest guidance on compliance programs and be prepared, should their program come under regulatory scrutiny, to justify any reduction in compliance resources. Even if a company mandates head count reductions or budget cuts, the company may still be able to maintain an effective compliance program through the optimal use of technology and by employing creative methods of communication.
JAY G. MARTIN is senior counsel in the Litigation Department and the Compliance, Investigations & Enforcement Practice Group of Willkie Farr & Gallagher in Houston. Prior to joining Willkie in May 2019, he served as the associate general counsel and chief compliance officer at Baker Hughes and Baker Hughes GE, where he was responsible for leading and directing the company’s comprehensive global compliance program across 120 countries. Prior to joining Baker Hughes, Martin was a partner at three major law firms and was assistant general counsel of Mobil Oil Corporation’s Worldwide Exploration and Production Division in Fairfax, Virginia. He has been a featured speaker at more than 90 industry and legal seminars and has also written 78 articles on legal and compliance subjects.
JEFFREY D. CLARK is a partner in Willkie Farr & Gallagher, where he represents corporations and individuals in a variety of civil and criminal investigations and enforcement matters, including grand jury investigations and SEC enforcement actions. His practice includes conducting internal corporate investigations and advising corporate management and boards regarding enforcement matters. Clark specializes in Foreign Corrupt Practices Act matters and has substantial expertise in other types of international business and white-collar litigation. Prior to joining Willkie, he was the deputy chief of the Special Prosecutions (Corruption) and Criminal Divisions of the U.S. Attorney’s Office for the District of New Jersey. As a federal prosecutor, Clark prosecuted and supervised all manner of white-collar criminal and terrorism cases.
ERIC C. STEINHART is an associate in the Litigation Department and the Compliance, Investigations & Enforcement Practice Group of Willkie Farr & Gallagher in Washington, D.C. A 2015 graduate of Georgetown University Law Center, he previously clerked for Judge Ellen L. Hollander, U.S. District Judge for the U.S. District Court for the District of Maryland.