Five insights into anti-corruption compliance programs
Revisiting the FCPA
Corporate compliance teams can benefit from remaining highly vigilant and considering the following insights as they review and refresh their anti-corruption compliance programs. In this article, Deloitte outlines the ways companies should take a fresh look at their anti-corruption compliance programs in light of ongoing enforcement of the Foreign Corrupt Practices Act (FCPA).
It’s not business as usual for the FCPA
The government’s current strategy is to secure private-sector cooperation. As part of this effort, in late 2012 the Justice Department and SEC published a guide to what a comprehensive, effective anti-corruption compliance program looks like. With such a program in place, a company might receive reduced sanctions or penalties should it find itself the target of regulatory investigation.
Underscoring this commitment, in 2015 the Justice Department appointed counsel to help prosecutors evaluate the compliance programs of companies that fall under scrutiny.1 Soon after, the Justice Department launched a program of its own to boost deterrence and accountability.2 How? By encouraging companies to voluntarily disclose any issues, cooperate with investigators, and improve FCPA-related controls and compliance.
Authorities are trying to do their part by taking a non-arbitrary approach to assessing compliance. If companies know they’ll be treated fairly, goes the reasoning, they may be more inclined to tackle corruption head-on and work with investigators should a problem occur. As such, regulators have outlined 10 hallmarks of a compliance program.
First and foremost is a clearly articulated policy against corruption, backed up by senior management. Next is a code of conduct with appropriate policies and procedures. To ferret out corruption, companies also must provide adequate oversight, autonomy, and resources.
Then there are the basics of ongoing program management. These include training, risk assessments, and incentives and disciplinary measures. There’s also a provision for confidential reporting and internal investigation. Periodic testing and review need to happen for continuous improvement. Companies must show due diligence for business combinations and other changes of ownership.
Last is the role of third parties. Although often necessary to doing business in high-risk countries, outside resources are frequently the source of most of the FCPA cases in a given year. As a result, third-party due diligence, payment monitoring, and auditing are essential to a robust compliance program.
For companies, compliance requires enormous judgment
Basic compliance is just part of the solution. A company can recognize the risk of a third party paying bribes on its behalf, take sufficient measures against it, and have it happen anyway. So at some point, companies need to determine how much compliance is enough, then turn their attention to understanding corruption and fraud risk in a documentable way.
Suppose, for instance, a multinational company is caught up in bribery charges in one particular country. The government investigators might wonder: Does this mean bribery is taking place in neighboring countries as well? What’s the full extent of the conduct?
Companies might have information on hand to satisfy regulators that no broader examination is necessary. But tracking this information requires decisions about what type of information to collect and how to collect it. The former could include length of management tenure, the nature of each third-party relationship, timing of an internal audit, and more. The latter could address documentation, frequency, background investigations, and so forth.
There’s no uniform prescription for compliance at this level of sophistication. It all comes down to judgment, based on experience and the particular circumstances of the business.
Compliance programs should be dynamic
Businesses expand into new countries. Management teams turn over. Supplier relationships change. Whatever the trigger, a company’s risk profile changes over time. The compliance program must change with it.
What does a dynamic compliance program look like? It should assess risk against the current state of the business via a strategic division of machine and human labor. Modern technology can scan the entire population of company transactions—avoiding the limitations of sampling—and apply built-in analytical models to identify behavioral anomalies. People, meanwhile, can evaluate whether those anomalies represent fraudulent activity. They can also conduct on-the-ground investigations as well as periodic reviews for potential deficiencies requiring remediation.
A program like this constantly monitors its own effectiveness even as it monitors compliance across the enterprise. A change in circumstances can lead to more or less monitoring, auditing, or due diligence. The idea is to direct compliance efforts where they can be most effective, both in heading off problems and in satisfying watchful regulators.
“Consistency is the heart of the government’s current approach to anti-corruption compliance.”
Now is a good time to revisit anti-corruption compliance
In the United States, FCPA enforcement and penalties remain elevated. Corporate officers are under greater accountability thanks to the Yates Memo, a 2015 directive stating that companies under investigation must disclose all relevant facts about potential individual misconduct before regulators can offer cooperation credit.
The Justice Department and FBI have responded by hiring dedicated resources to investigate bribery and corruption. The situation is similar elsewhere. Regulators have announced or carried out stricter anti-corruption laws in many countries with a US business presence. These include Brazil, Colombia, Eastern Europe, France, Mexico, Indonesia, Saudi Arabia, South Korea, and the United Arab Emirates.
In light of these recent developments, companies are justified in taking a fresh look at their compliance programs. A “check the box” approach could well lead to increased risk of financial and reputational damage from corruption-related misconduct. As a leading practice, business interests should be weighed against the risk of bribery and corruption in foreign markets through regularly scheduled, comprehensive corruption and fraud risk assessments.
Our take: Today’s environment calls for a sophisticated, hard-hitting program to address fraud and corruption
The next few years are likely to see ongoing enforcement of FCPA and similar statutes around the world. For businesses expanding into new markets, this potentially creates exposure to unfamiliar customs where common practices become subject to anti-corruption rules. Smart leaders won’t rely on governments for clarity. Instead, they’ll respond with a compliance program that’s comprehensive, tailored, and defensible to US and global regulators. That involves a new way of thinking about compliance—one that includes regularly revisiting the program to assess risk, upgrade technology, and incorporate best practices as they become available.
1 “New Compliance Counsel Expert Retained by the DOJ Fraud Section,” US Department of Justice, November 2, 2015, https://www.justice.gov/criminal-fraud/file/790236/download
2 “The Fraud Section’s Foreign Corrupt Practices Act Enforcement Plan and Guidance,” US Department of Justice, April 5, 2016, https://www.justice.gov/criminalfraud/file/838416/download