Today, I conclude my five-part series on a Primer on FCPA Compliance. I end with a piece on policies and procedures. There are numerous reasons to put some serious work into your policies and procedures. They are certainly a first line of defense when the government comes knocking. The 2020 FCPA Resource Guide made clear that “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.”

By using the word “considered” it is clear that this means the regulators will take a strong view against a company that does not have well thought out and articulated policies and procedures; all of which are systematically reviewed and updated. Moreover, having policies written out and signed by employees provides what some consider the most vital layer of communication and acts as an internal control. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the “Document, Document, and Document” mantra applies just as strongly to this area of anti-corruption compliance.

The specific written policies and procedures required for a best practices compliance program are well known and long established. The 2020 FCPA Resource Guide stated, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company. Procedures are the documents that implement these standards of conduct.

One role of compliance policies is to protect companies, their stakeholders, including employees, third-parties and others, despite an occasional lapse. A company’s compliance policies provide a basic set of guidelines for employees and others to follow. Compliance policies should give general prescriptions and should be supplemented by more specific procedures. By establishing what is and what is not acceptable ethical and compliant behavior, a company helps mitigate the risks posed by employees who might not always make the right ethical choices.

The 2020 Update to the Evaluation of Corporate Compliance Programs built upon the requirements articulated in the original 2012 FCPA Guidance (and brought forward in the 2020 FCPA Resource Guide). It stated:

Design – What is the company’s process for designing and implementing new policies and procedures, and updating existing policies and procedures and has that process changed over time? Who has been involved in the design of policies and procedures? Have business units been consulted prior to rolling them out?   

Comprehensiveness – What efforts has the company made to monitor and implement policies and procedures that reflect and deal with the spectrum of risks it faces, including changes to the legal and regulatory landscape?  

 Accessibility – How has the company communicated its policies and procedures to all employees and relevant third parties? If the company has foreign subsidiaries, are there linguistic or other barriers to foreign employees’ access? Have the policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees? 

Responsibility for Operational Integration – Who has been responsible for integrating policies and procedures? Have they been rolled out in a way that ensures employees’ understanding of the policies? In what specific ways are compliance policies and procedures reinforced through the company’s internal control systems? 

Gatekeepers – What, if any, guidance and training has been provided to key gatekeepers  in   the   control   processes   (e.g.,   those   with   approval   authority or certification responsibilities)? Do they know what misconduct to look for? Do they know when and how to escalate concerns?

Compliance policies do not guarantee employees will always make the right decision. However, the effective implementation and enforcement of compliance policies demonstrate to the government that a company is operating professionally and ethically for the benefit of its stakeholders, its employees and the community it serves.

There are five general elements to a compliance policy. It should stake out the following:

• identify who the compliance policy applies to;
• set out what is the objective of the compliance policy;
• describe why the compliance policy is required;
• outline examples of both acceptable and unacceptable behavior under the compliance policy; and
• lay out the specific consequences for failure to comply with the compliance policy.

The 2020 Update to the Evaluation of Corporate Compliance Programs mandated there must be communication of your compliance policies and procedures throughout the workforce and relevant stakeholders such as third-parties and business venture partners. Compliance training is only one type of communication. I think that this is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, simply the logistics of training can appear daunting. Small groups, where detailed questions about policies can be raised and discussed, can be a powerful teaching tool. Another technique can be the posting FAQs in common areas and virtually. Also, having written compliance policies signed by employees provides what some consider the most vital layer of communication. A signed acknowledgement can serve as evidentiary support if a future issue arises. Finally, never forget the example of the Morgan Stanley declination where the recalcitrant employee annually signed such certifications. These signed certifications help Morgan Stanley walk away with a full declination.

The 2020 FCPA Resource Guide ended its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” It is important that compliance policies and procedure are applied fairly and consistently across the organization. The Fair Process Doctrine demonstrates that if compliance policies and procedures are not applied consistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated. Moreover, lack of fair and consistent implementation and application will destroy the credibility of your compliance function. This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the U.S. with the same quality of discipline.

I hope you have enjoyed this week’s primers on some basic topics to FCPA compliance. Sometimes it is good to review the basics upon which your compliance program is built.

[View source.]