FCPA COMPLIANCE PROGRAMS JIMMY S. PAPPAS INTERNATIONAL INTERNAL INVESTIGATIONS CONFERENCE FRANKFURT, GERMANY DECEMBER 7, 2012
FCPA COMPLIANCE PROGRAMS - OVERVIEW! An effective compliance program is: A deterrent - Prevents and detects potential violations, and An insurance - Mitigates enforcement consequences! An effective compliance program MUST be perceived as such, both internally and externally. Perception as important as reality! The adequacy of a compliance program affects: Whether a violation will be resolved by an NPA or DPA The duration of NPAs and DPAs, and The amount of any assessed penalty! Effective compliance programs are: Dynamic and evolve as the business changes Intertwined with an organization s culture not super-imposed! One-size-fits-all programs are inefficient and ineffective - Practical differences exist between companies, in terms of size, resources, structure, and risk profile! Effective compliance programs are built from the bottom up not top down 2/14
! A clearly articulated commitment by senior management against corruption and violations of the FCPA s bribery and books and records provisions tone from the top. Lead by example senior managers must exhibit the importance of compliance over the temptation of short-term profit DOJ and SEC expect to see examples of tone from the top» Companies should consider demonstrating the tone from the top by undertaking such high profile approaches as having the CEO chair, or co-chair the company s compliance committee, in addition to designating a separate Chief Compliance Officer. See Pfizer 2012 DPA 3/14
! Code of conduct: Ethical culture is a major factor determining the amount of misconduct that will take place in a business DOJ has repeatedly noted in its charging documents that the most effective codes of conduct are clear, concise, and accessible to all employees and others conducting business on the company s behalf» Translated in local languages of foreign subsidiaries In assessing a company s compliance program, the DOJ and the SEC examine whether and how often the code of conduct is reviewed, and if necessary updated» Companies should consider periodically opening up the review of an organization s code of conduct to employee feedback 4/14
! Policies and procedures that outline compliance responsibilities and detail internal controls, auditing practices, documentation policies, and disciplinary procedures The type of policies and procedures will depend on the size and nature of the business and the risks associated with the business Risks that a company may need to evaluate include:» The nature and extent of transactions with foreign governments, including payments to foreign officials» Use of third parties» Gifts, travel and entertainment expense» Charitable and political donations» Facilitating payments Policies and procedures should apply to personnel at all levels inconsistent enforcement will produce inconsistent results 5/14
! Assignment of oversight and implementation responsibility to one or more specific senior executives with appropriate authority, autonomy, and resources Assign oversight and implementation responsibility to senior executives within the organization is a great way to highlight the organization s tone-at-the-top both internally and to regulatory authorities Individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to implement the compliance program effectively 6/14
! A compliance approach tailored to identified risks, including involvement in high corruption jurisdictions, frequency of interaction with foreign officials, amount of government oversight/ regulation, and size of transactions Probably the single most important element of success Risk assessment determines where an organization should invest time and resources» Arbitrary, across the board compliance steps are ineffective and inefficient» Devoting excessive time policing modest entertainment and giftgiving expenses instead of focusing on excessive discounts to distributors and large government bids, will most likely result in an ineffective compliance program DOJ and SEC will give meaningful credit to companies which implement a comprehensive risk-based program if the compliance program does not prevent an infraction in a low risk area because resources had been diverted to high-risk areas 7/14
! Training, guidance and certifications Imperative that policies should be communicated throughout the organization» Web-based and live training sessions addressing policies, procedures, applicable legal standards, and practical advise to address real-life scenarios On-demand resources must be available to provide guidance and advice on complying with relevant policies as specific situations arise Certifications form all directors, officers, relevant employees, and where appropriate agents and business partners; focuses people on the importance of compliance and holds them accountable 8/14
! A combination of compliance incentives and disciplinary measures applicable at all levels. A compliance program should apply to everyone equally - no one should be beyond its reach Making adherence to compliance one of the metrics used to determine management s bonuses can ensure that compliance becomes an integral part of management s everyday concern Requiring strong performers to work for a period of time in the compliance department as part of advancing their careers is a great way to highlight an organization s commitment to compliance Publicizing disciplinary actions internally can have an important deterrent effect, demonstrating the individual consequences of deviating from policies and procedures 9/14
! A mechanism for confidential reporting of suspected violations or misconduct (such as on an anonymous hotline or via an ombudsmen) and a process for investigating such reports Anonymous reporting hotlines in multiple languages as appropriate» Consider opening up the process to employees of third parties» Consider appropriateness of providing monetary rewards Efficient, reliable and properly funded processes for investigating allegations and documenting the company s response 10/14
! Third-party due diligence - Enforcement actions demonstrate the degree to which third parties are used to conceal bribes to foreign officials. Risk-based due diligence of third parties is a major factor used by the DOJ / SEC in determining a program s effectiveness. Understand the qualifications and associations of third parties, including business reputation and relationships with foreign officials Have a documented business rationale for using a third party» Understand the role of and need for the third party» Ensure the contract terms reference the services to be rendered» Scrutinize the timing of engaging a third party with respect to material pending contracts» Ensure payment terms are reasonable for the country / industry» Verify that the work is being performed Monitor third parties on a periodic basis by updating due diligence, exercising audit rights, providing training, and obtaining compliance certifications 11/14
! Continuous review, testing, and, where necessary, improvement of the program in response to weaknesses or changing risks Learn from discovered infractions and update internal controls and compliance procedures Undertake employee surveys to measure compliance culture, and identify new risk areas Undertake unannounced surprise audits and proactive investigations Periodically perform and document a comprehensive review of the compliance program s effectiveness and efficiency 12/14
! Due diligence of any acquisition targets and, where appropriate, training employees of and conducting audits on acquired companies Major risk area for acquiring companies Incorporate FCPA-focused procedures in pre-acquisition due diligence Acquiring a company that enhances its profit margins though bribes can result in overpaying for the company If it is not possible to perform a pre-acquisition FCPA due diligence perform a post-acquisition FCPA due diligence» See DOJ Opinion Procedures Release No. 08-02 Promptly incorporate the acquired company into the company s internal controls and compliance programs, train employees, and evaluate third party relationships» Failing to detect/stop bribes can expose the acquiring company to enforcement action 13/14
JIMMY S. PAPPAS MANAGING DIRECTOR ALVAREZ & MARSAL GLOBAL FORENSIC AND DISPUTE SERVICES jpappas@alvarezandmarsal.com - +1 (617) 449.7844