What are the compliance strategies which can employed with the most effect by compliance professionals? This week, in a podcast series on the Compliance Podcast Network, sponsored by Affiliated Monitors, Inc. (AMI), I explore just this question with Vincent DiCianni, founder and President of AMI, and Eric Feldman, Senior Vice President of AMI. We look at the Department of Justice (DOJ) announcements over the past year and back to the FCPA Corporate Enforcement Policy, announced in November 2017, to consider what compliance strategies companies can use based upon these documents and pronouncements. The Benczkowski Memo (the “Memo”) and other DOJ guidance delivered in 2018 on Foreign Corrupt Practices Act (FCPA) enforcement and compliance programs can all be used by compliance professionals to create more robust compliance programs. 

Internal Strategies

DiCianni emphasizing the DOJ now mandates companies which come before them have an effective compliance program. The days of wheeling in a large stack of documents are long gone and companies need to have substantive evidence on not simply their program but its effectiveness. In December 2018, Principal Deputy Assistant Attorney General John P. Cronan, in a speech by at the Practising Law Institute Eventin Washington, said that companies must demonstrate they had an effectivecompliance program, not a paper compliance program. He stated, “whether a corporation’s compliance program is merely a ‘paper program’ or whether it was designed, implemented, reviewed, and revised, as appropriate, in an effective manner.”

DiCianni said that one of the strongest elements he took away from the Memo is that a company needs to demonstrate that it has an effective compliance program. From there you can move to remediation and strengthening of the program, which the Memo also addresses. If you begin with the premise that your company has a program, the next step is to assess whether or not that program is strong and effective and its weaknesses.

What does a company do if it uncovers a problem? Does it have the wherewithal to conduct an investigation and determine whether or not it is something that has to be self-reported to the government? On the remediation side, has the company gone deep enough to find out what was the root cause of that problem? Questions such as “how did we get here” and “what do we do to address it?” can become paramount. DiCianni believes one of the key elements the Memo underscores is how serious the company is taking its compliance program and then what it’s doing when a problem has been discovered.

DiCianni believes this has been a consistent message from the DOJ, as far back as the 2012 FCPA Guidance. However, as we move into 2019, it has become a more “front end concern” of the strength of the investigation process. The question then becomes, how a company can demonstrate that? If a problem has surfaced, what does the company do about it? Does an organization simply try to “cauterize it and say one bad apple kind of thing, does it do a deep dive into a learning whether or not it’s real, the merits of it and gathering information around the issue.”

This leads to such questions about the strength of the internal investigation process or whether the company has someone internally with investigator skills. For example, if someone in Human Resources (HR) or a transactional attorney are “all of a sudden thrown into an investigation and they just don’t have the experience and the depth of knowledge” this can have negative effects going forward or can lead to even further problems. DiCianni believes the Memo implores companies to both recognize that they may not have a strong investigative process and then move to strengthen it.

Another key area that a company can focus on internally is discipline. This means discipline for those who engage in internal controls and policies and procedures violations. But even more critical going forward is fair process for discipline and incentives around compliance. This means that discipline is meted out fairly, with process, with consistency and transparently. It also means that a company must promote simply beyond those who may be friends and colleagues of senior management to persons who truly do merit promotion because they have engaged in business ethically and in compliance with laws and regulations.

Internal controls testing also plays a big role what a company can do. DiCianni discussed the third-party flow process, most generally under the Foreign Corrupt Practices Act (FCPA) or other anti-corruption legislation. He said that a company could pose multiple internal queries, such as some of the following: “What are the controls around cash? Do you have some kind of mechanism for determining where cash is being spent? Do you have some control over bank accounts, particularly when you are working in a variety of countries? Do you have some kind of control over who is making decisions about where dollars can be spent? All of those kinds of things require internal controls.” First, you must establish internal controls and second you must test them to make sure that they are both appropriate and effective.

External Strategies

How companies can use this information internally to bolster their compliance programs and today we consider this same issue from the external perspective? There are several areas from the DOJ guidance which make the use of external resources more impactful for a corporate compliance program. We began by considering what a company might do if it is required to self-report a violation of a law such as the FCPA. It might begin by bringing in a crisis management team to look at the Board, to look at Board governance, to look at management functions and to look at very specific programs. Another area which is ripe for an external review is around a company’s sales cycle, particularly if it uses third parties. Third parties are still recognized as one of the highest risks under the FCPA and in 2018, 93% of all enforcement actions involved third parties.

Such an external investigation can include some of the basics like adequate due diligence and fulfilling internal requirements by using an external resource who is a subject matter expert, a company can really drill down into a program to look at sub-contractors and other 2^nd, 3^rdand 4^thlevel contractors. Using an external resource in these areas can help a company based upon the road map laid out in the Memo.

Another area emphasized by the DOJ in 2018 was the mergers and acquisitions (M&A) front, particularly in the pre-acquisition phase. In July 2018, the DOJ formalized the Safe Harbor provision first articulated in 2012 FCPA Guidance around companies which performed an appropriate level of pre-acquisition due diligence and then engaged in post-acquisition integration, a forensic FCPA review and then self-disclosure and remediation if required. This informal Safe Harbor is now written into the FCPA Corporate Enforcement Policy.

DiCianni said that the DOJ wants you to show you not only knew what you were acquiring from the commercial perspective but what he called “There’s the softer side of a M&A transaction.  The compliance side. You need to look at whether or not the company has a variety of compliance program indicia. Does it have a compliance program? Does it have a hotline program? Are there complaints to the hotline? Are there things that are percolating below the surface that you are not going to see in just looking at dollars? Does it have good compliance controls?” Beyond this, the DOJ will be looking at your integration plan based upon your pre-acquisition due diligence. Finally, have you fully implemented the acquired entity into your company?

For more information on the Benczkowski Memo and other DOJ announcements in 2018 relating to anti-corruption compliance programs and enforcement of the FCPA, check out the 5-part podcast series I am running entitled, “Compliance Strategies Under the Benczkowski Memo”. You can check it out on multiple platforms, in multiple formats including: The podcast is available on multiple sites: the FCPA Compliance Report, iTunes, JDSupra, Panoply and YouTube.

[View source.]