This is not going to be easy. Or short. What I’m going to attempt is only to elucidate the parameters of an effective compliance program, using the DOJ’s list of elements found in recent deferred prosecution agreements as my guide. I will take the thirteen (or twelve, or fourteen, or however many it ends up being depending on how you read the DPAs and which DPAs you use as exemplars) specific compliance areas and expand on them with my own experience and the experience that others have shared with me. I hope it proves useful, and I hope to spark a discussion on which elements people feel enhance their programs and which are, frankly, overkill and only agreed to because the DOJ is holding a hammer over their heads.
Which makes it sound like I’m not in favor of DPAs. Nothing could be further from the truth. I’m a fan. And more than DPAs, I’m a tremendous fan of the Schedule Cs that the Department has included in DPAs as far back as Metcalf & Eddy. The Department has never played hide-the-ball with FCPA enforcement. It’s ironic, if that’s the right word, that companies complain that they don’t understand enforcement and what the DOJ expects. The DOJ has essentially given us a color-by-numbers guide to compliance. The problem is more a lack of will and skill than a lack of information. This is a theme I’m going to come back to again and again. There’s a lack of will on the part of companies, and a lack of skill on the part of people giving them advice. By “skill,” I also mean the ability to implement, which oftentimes puts the blame right back on the business. But one of the things we need to face is the abominable advice companies sometimes get from their counsel. We’ll talk about theoretical risk and training on policy versus on the law. We’ll talk about what my colleague Alexandra Wrage describes as “lawyers describing themselves as FCPA lawyers because they know how to spell it.” There is a difference—something a lot of people outside of corporations don’t understand—between legal advice and compliance advice.
So what is the dysfunction that prevents companies from following the rules? Why, given that the DOJ has been so incredibly descriptive, do we still have companies so incredibly non-compliant? This is one of the things we’ll discuss over the next 12 or 13 essays on compliance. We’ll engage in that favorite of compliance pastimes: the root cause analysis.
So why don’t we jump right in?
The intro to the DPA, before element #1, talks about the obligations the company has. I’m going to use the Lucent case as my exemplar.
After Alcatel-Lucent agrees to conduct periodic reviews of its controls, the DPA obliges the company in an overall sense:
Where necessary and appropriate, Alcatel-Lucent agrees to adopt new or to modify existing internal controls, policies, and procedures in order to ensure that it maintains: (a) a system of internal accounting controls designed to ensure that Alcatel-Lucent makes and keeps fair and accurate books, records, and accounts; and (b) a rigorous anti-corruption compliance code, standards, and procedures designed to detect and deter violations of the FCPA and other applicable anti-corruption laws. At a minimum, this should include, but not be limited to, the following elements to the extent they are not already part of the company’s existing internal controls, policies, and procedures.
We spend a lot of time on anti-bribery controls, but as this introductory paragraph should make clear, companies need to spend some time on their financial controls. As much as I say that outside counsel needs work on their advice, boy do compliance officers need work on this one. I love quoting Manny Alas, who always asks about your chart of accounts. Most compliance officers wouldn’t know a chart of accounts if it came up and bit them. But getting a good handle on finances goes a long way—a long way indeed—to mitigating bribery risk.
Even if your internal controls aren’t, shall we say, state of the art, you should still “link and label” them with your anti-corruption program. Companies just starting to implement programs should concentrate on how they ensure large dollars don’t go unnoticed. Where is money left on the table? The nice thing about this kind of analysis is that companies have people in sales and operations who know this stuff, who can answer the questions you’re asking. Find them, talk with them, learn from them. Because nothing breeds success—in any compliance venture—like knowing the business. When you understand how deals are structured, you know where bribes could come from, and where you need to start enhancing your program.
The first piece of advice for companies, and the best piece of advice I’ll give, is this: start. Just start somewhere. Pick some area, and enhance something. And if you don’t know where to start, read on. Over the next couple of months, we’ll discuss 12 or 13 different areas where you can jump right in and create a program that will actually “detect and deter” violations.
Next up: number 1, policies.