At the American Conference Institute’s 9th Annual Houston Foreign Corrupt Practices Act Boot Camp, January 27-28, 2015, Deputy Criminal Chief Jason Varnado, from the Major Fraud Section of the United States Attorney’s Office in the Southern District of Texas, offered the audience of compliance and audit professionals insight into what the Department of Justice (DOJ) expects to see in corporate FCPA compliance programs. Varnado recently returned to Houston from Washington, D.C., where he served as DOJ’s White Collar and Cyber Crime Coordinator. After first disclaiming that the views he expressed were his own and not those of DOJ, Varnado outlined the Top Ten things the government looks for when evaluating corporate compliance programs.
- Commitment to compliance at the highest levels: Because managers and employees take cues from corporate leaders, board members and senior executives must set the proper tone for the rest of the company. Accordingly, DOJ wants to see that the highest levels of corporate leadership demonstrate a commitment to a culture of compliance.
- Written, and widely disseminated, compliance policies: Companies must have in place a written code of conduct and compliance policies that are clear and concise. In addition, such policies must be disseminated and accessible to all employees and those acting on the company’s behalf, and should be translated into local languages.
- Periodic review and updates: Companies are evolving organizations and, accordingly, compliance policies should be regularly reviewed, updated, and appropriately communicated throughout the company.
- Independence and funding: Companies should assign responsibility for the oversight and implementation of compliance programs to senior executives who have adequate autonomy from management. Those executives should also have authority to report issues directly to independent bodies and boards of directors. In addition, compliance programs must be adequately funded to support proper implementation.
- Training and guidance: Companies should take steps to ensure that compliance policies are communicated not just to upper management, but to every employee worldwide. This requires adequate, country-specific training. Employees should be encouraged to seek advice and guidance prior to entering into certain transactions to ensure that problematic behavior is stopped before it occurs.
- Internal reporting mechanism: Companies should provide a convenient means for employees and others to report suspected violations of the company’s compliance policies on a confidential basis and without fear of retaliation.
- Investigations: Companies should establish effective processes for handling internal investigations, with sufficient resources to respond to, investigate, and document compliance violations. A sophisticated multinational corporation is expected to expend more resources than a smaller company—but the manner and integrity in which all investigations are undertaken is of utmost importance to DOJ. A program’s ability to effectively uncover wrongdoing, coupled with the company’s willingness to disclose and cooperate, is a major consideration for DOJ in determining whether to bring charges.
- Enforcement of policies and disciplinary measures for noncompliance: Companies should implement mechanisms to enforce compliance policies and should punish those individuals who are found to have violated those policies. On this point, Varnado noted that DOJ is more committed than ever to bringing responsible individuals to justice because punishing individuals is the strongest way to deter wrongdoing. To this end, DOJ has started using, and will continue to use, law enforcement techniques historically preserved for organized crime investigations, including phone taps, secret recordings, and email search warrants.
- Paying attention to third-party relationships: The recent Organization for Economic Co-operation and Development (OECD) Foreign Bribery Report indicated that over 70% of bribery cases reviewed for the report involved third-party agents or intermediaries. Companies must closely examine those relationships to understand why third-parties are being hired, what they are doing for the company, and whether the costs of those services appear reasonable. Simply including boilerplate language in contracts is not sufficient. Companies need to sensitize third parties to the importance of compliance and demonstrate a willingness to terminate those agents and contractors who fail to comply.
- Monitoring and testing: Companies should continually test their compliance programs to improve effectiveness and to ensure that, given the present state of the company, the program can still prevent and detect violations. The program should evolve with changes in the law, business practices, technology, and cultural considerations in countries where the company operates.
Though these ten points highlighted by Varnado largely echo what the DOJ and SEC have already laid out in the Resource Guide to the U.S. Foreign Corrupt Practices Act, released in November 2012, the importance of building and maintaining an effective compliance program remains paramount.
In closing, Varnado noted that the DOJ can serve as a company’s ally, rather than just a regulator to be feared. Compliance programs and internal audits frequently reveal instances where those outside the company, or even the company’s own employees, seek to victimize the company. The DOJ has an obligation to protect citizens who are defrauded, and that includes corporate citizens. Varnado highlighted the case of LyondellBasell Industries, which was the victim of a multimillion dollar fraud and kickback scheme orchestrated by an employee. The company in that case self-reported the conduct to the U.S. Attorney’s Office in Houston, which ultimately put wrongdoers in jail and returned over $20 million to the company. Varnado remarked that the DOJ views the fight against fraud and corruption as a mutually beneficial endeavor, key to which is an effective compliance program.