Five insights into anti-corruption compliance programs
Revisiting the FCPA.
Corporate compliance teams can benefit from remaining highly vigilant and considering the following insights as they review and refresh their anti-corruption compliance programs. In this article, Deloitte outlines the ways companies should take a fresh look at their anti-corruption compliance programs in light of ongoing enforcement of the Foreign Corrupt Practices Act (FCPA).
It’s not business as usual for the FCPA
The government’s current strategy is to secure private-sector cooperation. As part of this effort, in late 2012 the Justice Department and SEC published a guide to what a comprehensive, effective anti-corruption compliance program looks like. With such a program in place, a company might receive reduced sanctions or penalties should it find itself the target of regulatory investigation.
Underscoring this commitment, in 2015 the Justice Department appointed counsel to help prosecutors evaluate the compliance programs of companies that fall under scrutiny.1 Soon after, the Justice Department launched a program of its own to boost deterrence and accountability.2 How? By encouraging companies to voluntarily disclose any issues, cooperate with investigators, and improve FCPA related controls and compliance.
Authorities are trying to do their part by taking a non-arbitrary approach to assessing compliance. If companies know they’ll be treated fairly, goes the reasoning, they may be more inclined to tackle corruption head-on and work with investigators should a problem occur. As such, regulators have outlined 10 hallmarks of a compliance program.
First and foremost is a clearly articulated policy against corruption, backed up by senior management. Next is a code of conduct with appropriate policies and procedures. To ferret out corruption, companies also must provide adequate oversight, autonomy, and resources.
Then there are the basics of ongoing program management. These include training, risk assessments, and incentives and disciplinary measures. There’s also a provision for confidential reporting and internal investigation. Periodic testing and review needs to happen for continuous improvement. Companies must show due diligence for business combinations and other changes of ownership.
Last is the role of third parties. Although often necessary to doing business in high-risk countries, outside resources are frequently the source of most of the FCPA cases in a given year. As a result, third-party due diligence, payment monitoring, and auditing are essential to a robust compliance program.
For companies, compliance requires enormous judgment
Basic compliance is just part of the solution. A company can recognize the risk of a third party paying bribes on its behalf, take sufficient measures against it, and have it happen anyway. So at some point, companies need to determine how much compliance is enough, then turn their attention to understanding corruption and fraud risk in a documentable way.
Suppose, for instance, a multinational company is caught up in bribery charges in one particular country. The government investigators might wonder: Does this mean bribery is taking place in neighboring countries as well? What’s the full extent of the conduct?
Companies might have information on hand to satisfy regulators that no broader examination is necessary. But tracking this information requires decisions about what type of information to collect and how to collect it. The former could include length of management tenure, the nature of each third-party relationship, timing of an internal audit, and more. The latter could address documentation, frequency, background investigations, and so forth.
There’s no uniform prescription for compliance at this level of sophistication. It all comes down to judgment, based on experience and the particular circumstances of the business.
Compliance programs should be dynamic
Businesses expand into new countries. Management teams turn over. Supplier relationships change. Whatever the trigger, a company’s risk profile changes over time. The compliance program must change with it.
What does a dynamic compliance program look like? It should assess risk against the current state of the business via a strategic division of machine and human labor. Modern technology can scan the entire population of company transactions—avoiding the limitations of sampling—and applies built-in analytical models to identify behavioral anomalies. People, meanwhile, can evaluate whether those anomalies represent fraudulent activity. They can also conduct on-the-ground investigations as well as periodic reviews for potential deficiencies requiring remediation.
A program like this constantly monitors its own effectiveness even as it monitors compliance across the enterprise. A change in circumstances can lead to more or less monitoring, auditing, or due diligence. The idea is to direct compliance efforts where they can be most effective, both in heading off problems and in satisfying watchful regulators.
Our take: Today’s environment calls for a sophisticated, hard-hitting program to address fraud and corruption
The next few years are likely to see ongoing enforcement of FCPA and similar statutes around the world. For businesses expanding into new markets, this potentially creates exposure to unfamiliar customs where common practices become subject to anti-corruption rules. Smart leaders won’t rely on governments for clarity. Instead, they’ll respond with a compliance program that’s comprehensive, tailored, and defensible to US and global regulators. That involves a new way of thinking about compliance—one that includes regularly revisiting the program to assess risk, upgrade technology, and incorporate best practices as they become available.