“It was important that we played our game for 90 minutes.” That line was found in a The Daily Telegraph article entitled “The unthinkable scoreline: Brazil 1, Germany 7” by Jeremy Wilson. It was a quote from Mats Hummels, German World Cup starter, who participated in the single most memorable soccer game that I have witnessed, Germany’s win over Brazil in last year’s World Cup. As Wilson wrote, “It was the game for which the 2014 World Cup will be forever remembered but even now, almost six months on, just the scoreline retains its capacity to shock.” I would only add that the game will most probably be remembered for as long as soccer is played. Wilson ended his piece with “It was a sporting earthquake, and the aftershocks are still being felt.”

Somehow Wilson’s article seemed also an appropriate reflection on the Alstom Foreign Corrupt Practices Act (FCPA) enforcement action. While it is more recent in the minds of many Chief Compliance Officers (CCOs) and compliance practitioners, it is still reverberating and will continue to do so for the foreseeable future. I am in the middle of a three part blog post series exploring facets of the Alstom matter. In my first blog post, I explored the specifics of the settlement documents, the stunning criminal fine of over $772MM and the over 10 year bribery scheme involving multiple countries. Today I want to look at the ongoing obligations which Alstom has agreed to in the Deferred Prosecutions Agreements (DPAs) for the entities involved; Alstom Network Schweiz AG, Alstom Power Inc. and Alstom Grid Inc. (collectively herein “Alstom”). All the DPAs are identical in their Attachment C’s and all quotes below are from the DPAs.

For the CCO or compliance practitioner, one of the first stops in reviewing any DPA is always Attachment C, which lays out the Corporate Compliance Program that each settling party agrees to in any FCPA enforcement action. It provides the Department of Justice’s (DOJ) most current thinking on what constitutes a minimum best practices compliance program which is generally described as “(a) a system of internal accounting controls designed to ensure that the Company makes and keeps fair and accurate books, records and accounts; and (b) a rigorous anti-corruption compliance program that includes policies and procedures designed to detect and deter violations of the FCPA and other relevant anti-corruption laws.” The Alstom DPAs set the following requirements:

1. High-level commitment. A company must ensure that its directors and senior management provide strong, explicit, and visible commitment to its corporate compliance policy. Stated differently, and again, “tone from the top.”
2. Code of Conduct, Policies and Procedures and Internal Controls. A company should have a clearly articulated and visible corporate compliance policy memorialized in a written compliance code. The policies and procedures will address the following areas; (a) gifts, (b) hospitality, entertainment and expenses, (c) customer travel, (d) political contributions, (e) charitable donations and sponsorships, (f) facilitation payments and (g) solicitation and extortion payments. Finally, there should be a system of financial and accounting procedures, “designed to provide reasonable assurance: (a) transactions are executed with management’s general or specific authorization”; (b) transactions are “recorded as necessary to permit preparation of financial statements in conformity with generally accepted accounting principals” and to maintain accountability for the assets; (c) access to company assets is permitted only with management general or specific authorization; and (d) there is testing of assets at regular intervals.
3. Periodic Risk-Based Review. The company should periodically evaluate no less than annually, these compliance codes on the basis of a risk assessment addressing the individual circumstances of the company, including “geographic organization, interactions with various types and levels of government officials, industrial sectors of operation, involvement in joint venture arrangements, importance of licenses and permits in the Company’s operations, degree of government oversight and inspection and volume and importance of goods and personnel clearing through customs and immigration. It also requires the company to update its compliance program “taking into account relevant developments in the field and evolving international and industry standards.”
4. Proper Oversight and Independence. The company should assign responsibility to senior executives for the implementation and oversight of the compliance program. Those executives should have the authority to report directly to independent monitoring bodies, including internal audit and the Board of Directors, and should have autonomy from management. Compliance programs needed to be funded; they need to have an appropriate level of resources.
5. Training and Guidance. The company should implement mechanisms designed to ensure that its compliance code is effectively communicated to all directors, officers and employees. This means repeated communication, frequent and effective training, and an ability to provide guidance when issues arise.
6. Internal Reporting and Investigation. Alstom should have an effective system for confidential, internal reporting of compliance violations. It must also establish an effective process with sufficient resources for responding to, investigating, and documenting allegations of violations.
7. Enforcement and Discipline. The company should implement mechanisms designed to enforce its compliance code, including appropriately incentivizing compliance and disciplining violations. The prong also includes the requirement that Alstom remedy the misconduct and take steps to ensure no recidivism.
8. Third-Party Relationships. Alstom should institute compliance requirements pertaining to the oversight of all agents and business partners. This includes the full five steps in the lifecycle management of third parties going forward.
9. Mergers and Acquisitions. Under this requirement, Alstom must perform pre-acquisition due diligence on any target companies it is looking at and engage in an appropriate risk assessment and due diligence by its legal, compliance and accounting functions. If an acquisition is made, the company integrate its compliance program into the newly acquired entity as soon as is practicable, put on an appropriate level of training and “when-warranted, conduct an FCPA-specific audit of newly acquired or merged businesses.”
10. Monitoring and Testing. A company should conduct periodic reviews and testing of its compliance code to improve its effectiveness in preventing and detecting violations. Kick the tires regularly. As I said, compliance programs must evolve with changes in the law, business practices, technology and culture.

The company also has an ongoing reporting requirement that it promptly report to the DOJ any “possible corrupt payments or possible corrupt transfers of property or interests…for any person or entity working directly for the Company (including its affiliates and any agent) or that related false books and records have been maintained”.

Finally, Alstom will report to the DOJ annually and for a period of three years “regarding the remediation and implementation of the compliance program and internal controls, policies and procedures”. However, in a twist we have not seen previously, as long as Alstom “satisfies the monitoring requirements contained in the Negotiated Resolution Agreement between the Company and the World Bank Group”, it will not be required to sustain an external monitor. If Alstom fails to meet this burden, then “it will be required to retain an Independent Monitor.”

What does this mean for the compliance practitioner? I think the key is to do as Mats Hummels suggested and play your game for the full match. The DOJ has laid out what it expects to see in a best practices compliance program going forward. Although clearly related to the Ten Hallmarks of an Effective Compliance Program, found in the FPCA Guidance, there are some subtle differences and perhaps even shifts in emphasis. I think the two keys ones are found in No. 3 where the DOJ lays out not only the specific areas you need to assess your risk around but also mandates that evolving technological and industry standards be taken into account when upgrading or enhancing your compliance regime. Finally in No. 7, I think the DOJ comes as close as it can to mandating that the CCO position and compliance function be separate and apart from the General Counsel (GC) and company’s legal function.

Tomorrow some concluding thought on Alstom.