US Compliance Requirements

Introduction

During the past 15 years, the United States Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) – the principal enforcement agencies with jurisdiction over financial and other white-collar crimes – have increased their compliance expectations for corporations through enforcement actions and the issuance of enhanced guidance on designing and maintaining effective compliance programmes. A 2020 Miller & Chevalier survey of corporations measured maturity in the US market as ‘most developed’, reflecting a trend of companies expanding their compliance programmes beyond ‘basic policies’ and making meaningful investments to erect robust, sustainable programmes.

Historically, principal compliance guidance came from the United States Sentencing Commission Guidelines Manual (the Sentencing Guidelines). Developed by the Commission to promote effectiveness and fairness in the criminal justice system, as authorised by the Sentencing Reform Act of 1984, the Sentencing Guidelines were amended in 1991 to include Chapter 8, laying out sentencing considerations for organisations that have committed crimes. Subsequently amended in 2004, Chapter 8B, ‘Remedying Harm from Criminal Conduct, and Effective Compliance and Ethics Program’, outlines the very basic principles deemed most critical by the Commission for evaluating corporate compliance programmes.

Further compliance guidance for corporations gradually emerged through enforcement actions brought under the US law prohibiting bribery of foreign public officials: the Foreign Corrupt Practices Act (FCPA). Because the FCPA, unlike more recent anti-bribery laws in other jurisdictions, does not prescribe compliance requirements, the DOJ and SEC communicate compliance expectations through enforcement actions, such as deferred prosecution agreements and other civil and criminal resolutions with corporations and individuals, and public policy or guidance releases. Together, these sources provide the foundation for many of the elements of corporate compliance that we know today.

Building on years of ‘unofficial’ compliance guidance through resolution documents, in November 2012, the DOJ and SEC jointly issued ‘A Resource Guide to the U.S. Foreign Corrupt Practices Act’ (the Resources Guide), which introduced for the first time the now well-established principles underlying effective compliance programmes. The Resources Guide was updated on 3 July 2020. In addition, the DOJ has issued other guidelines of its own, such as the ‘Evaluation of Corporate Compliance Programs Guidelines’ (updated June 2020) (the Evaluation Guidance) and the ‘FCPA Corporate Enforcement Policy’ (updated March 2019) (the Enforcement Policy). Although most of the key elements of corporate compliance originated from the Sentencing Guidelines and compliance with anti-corruption laws, these guidelines apply more broadly to other financial crimes as well, such as money laundering, fraud, tax evasion and violation of sanctions. In particular, the Evaluation Guidance provides general principles for evaluating the effectiveness of corporate compliance programmes and is not specific to any type of corporate crime.

In this chapter, we discuss the four main sources of guidance documents on compliance requirements issued by the DOJ. Although the guidance provided does not constitute requirements or obligations mandated by US laws, together these documents define US government expectations and set the standards to which the DOJ and the SEC will hold companies when evaluating their compliance programmes in criminal, civil and regulatory enforcement actions.

United States Sentencing Commission Guidelines Manual

The Sentencing Guidelines provide the basis for more detailed compliance guidance issued subsequently. Focusing on the need for adequate due diligence and a culture of compliance, the Guidelines state:

To have an effective compliance and ethics program . . . an organization shall—

  1. exercise due diligence to prevent and detect criminal conduct; and
  2. otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.[2]

Thus, in a few short sentences, the Sentencing Guidelines provide the framework for the more detailed guidance developed later, which dives deeper into compliance programme design, application and testing.

A Resource Guide to the US Foreign Corrupt Practices Act

The Resources Guide emphasises the importance of implementing an effective compliance programme that is ‘tailored to the company’s specific business and to the risks associated with that business’ in order to ‘prevent, detect, remediate, and report misconduct’.[3] Such a programme should be ‘well-constructed, effectively implemented, appropriately resourced, and consistently enforced’.[4] Having an adequate and effective compliance programme may help companies under investigation by the DOJ or the SEC obtain a more favourable outcome in terms of the form of resolution, monetary penalty and compliance obligations to be imposed.

As a threshold matter, when assessing the effectiveness of a company’s compliance programme, the DOJ and the SEC will consider three main factors: whether the programme (1) is well designed; (2) is being applied in good faith; and (3) works in practice. We discuss each of these factors in more detail below.

To guide companies in designing and implementing effective compliance programmes, the DOJ and the SEC introduced 10 hallmarks that they consider necessary for a well-functioning compliance programme. However, the DOJ and the SEC acknowledge that one size cannot fit all and, therefore, caution that each company’s compliance programme should be designed to address its own ‘specific needs, risks, and challenges’.[5] Below, we discuss each of these hallmarks.

Commitment from senior management and a clearly articulated policy against corruption

A proper tone from the top is a key component of a strong compliance culture, which is fundamental to a strong compliance programme. The DOJ and the SEC encourage corporate leaders, such as board members and senior executives, to commit to ethical and compliant business practices and to demonstrate that commitment not just through words but by their own conduct. Corporate leaders must ensure that their company has clearly articulated standards against corruption, which the corporate leaders should unambiguously communicate and disseminate throughout the organisation.

Code of conduct and compliance policies and procedures

A company should have a code of conduct that is ‘clear, concise, and accessible’ to all employees and its third parties, and that should be reviewed and updated periodically to stay current.[6] To be ‘clear, concise, and accessible’, a code of conduct should be easy to understand and be relevant to every member of the organisation. Companies would do well to make their code of conduct available in the local languages of the countries in which they operate. Building on the code of conduct, a company should develop and put in place written policies and procedures that ‘outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures’ to ensure that the principles set out in the code of conduct are followed and that the company can properly manage its specific risks.[7] The Resources Guide lists a few areas that commonly present compliance risks that a company may need to address through specific policies and procedures, including interactions and transactions with foreign officials; engagement of third parties; gifts, travel and entertainment expenses; charitable and political donations; and facilitating and expediting payments.

Oversight, autonomy and resources

To monitor the implementation of a compliance programme, the Resources Guide calls for a company to assign oversight responsibility to its senior executives, who ‘must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources’ to ensure the effectiveness of the compliance programme.[8] Whether the resources that a company dedicates to compliance are sufficient will be highly dependent on the company’s size and industry, the countries in which it operates, the complexity of its business and risks associated with its business.

Risk assessment

The Resources Guide recommends a risk-based approach to compliance, meaning that a company should analyse the specific compliance risks that it faces and design its compliance to address those specific risks, including by dedicating more resources to markets, transactions and third parties that pose higher risks. When the risks for corruption or other financial crimes increase, a company should increase its due diligence efforts, which again are company specific; however, the Resources Guide identifies common factors that often affect those risks, including the countries and industry in which the company operates, the nature of the business opportunity or transaction, the involvement of business partners and other third parties, the level of interactions with governments and the amount of government regulation and oversight.[9]

Training and continuing advice

For a compliance programme to be effective, all levels of officers and employees within a company must understand the company’s compliance requirements and how those requirements apply to them. To achieve this goal, a company should conduct periodic training on company policies and procedures and applicable laws. Training should include practical tips and case studies relevant to the specific audience. Similar training may also need to be provided for third parties with which the company does business, particularly in high-risk countries. In addition to formal training, a company should encourage employees to seek guidance and ongoing compliance advice from company compliance personnel. To facilitate that guidance, a company should ensure that employees know to whom they should reach out for advice and how to do that.[10]

Incentives and disciplinary measures

A company should clearly articulate that compliance obligations apply to all members of the organisation without exception and should implement appropriate procedures to discipline those who fail to follow applicable laws or company policies and procedures. Not only can effective disciplinary measures punish the wrongdoers and remediate their wrongdoing to some degree, from which a company under investigation by the DOJ or the SEC may earn credit, they can also deter others from engaging in misconduct. Appropriate disciplinary measures may range from coaching, written warnings, withholding of discretionary bonuses and exclusion from promotion opportunities to dismissal. On the other hand, rewarding compliant behaviour can further drive and promote corporate compliance, which also shows the value that an organisation places on ethics and compliance. Companies, therefore, should also design incentives to reward those that demonstrate commitment to compliance. Incentives can be monetary, such as making compliance a metric for salary or bonus determination, or non-monetary, such as personnel evaluations and promotions or rewards and recognitions within the organisation.[11]

Third-party due diligence and payments

Third parties remain the highest compliance risks for companies – agents, consultants and sales partners, among others, are frequently involved in cross-border financial crimes. Due diligence provides an effective way to mitigate those risks. The Resources Guide provides the following three guiding principles on conducting due diligence on third parties, noting that ‘the degree of appropriate due diligence may vary based on industry, country, size and nature of the transaction, and historical relationship with the third party’.[12] First, a company should understand the qualifications and associations of its third parties, including whether they have any relationship with foreign officials. Second, a company should have a business rationale for involving a specific third party in a transaction and specify its role and responsibilities in the engagement within the contract terms. Third, a company should undertake continuing monitoring after a third party is engaged, including conducting due diligence refreshers periodically based on its risk level, providing compliance training, requesting compliance certifications and exercising audit rights.[13]

Confidential reporting and internal investigation

Companies must investigate allegations of wrongdoing and should design an adequate allegation management system that has (1) a process that allows company personnel and third parties to report suspected or actual misconduct anonymously, and (2) a process for the company to timely and thoroughly investigate the allegations and document its findings and responses, including any disciplinary measures or remedial actions taken.[14]

Continuous improvement: periodic testing and review

The DOJ and the SEC encourage companies to conduct regular testing and review of their compliance programmes and make improvements that may be necessary because of changes in their business operations, applicable laws and regulations, and industry standards.[15]

Pre-acquisition due diligence and post-acquisition integration

In mergers and acquisitions, it is crucial that a company conducts appropriate pre-closing and post-closing due diligence and risk assessment and integrates the new entity into the company’s compliance programme in a timely manner. These measures will mitigate the risk of potential liability for the company that could result from any misconduct in which the target company might have engaged prior to the transaction.[16]

Evaluation of Corporate Compliance Programs

The DOJ Criminal Division issued in 2017 (and amended in 2019 and 2020) its ‘Evaluation of Corporate Compliance Programs’ (the Evaluation Guidance) to assist federal prosecutors in evaluating the effectiveness of a company’s compliance programme as part of their enforcement determinations in line with the requirements of the Justice Manual Section 9-28.300 and the Sentencing Guidelines. The Justice Manual requires prosecutors to consider certain factors in determining ‘the adequacy and effectiveness of the corporation’s compliance programme at the time of the offense, as well as at the time of a charging decision’ and the corporation’s efforts ‘to implement an adequate and effective corporate compliance program or to improve an existing one’.[17]

The Evaluation Guidance retains the hallmark principles introduced in the Resources Guide but crafts questions that federal prosecutors should consider, both at the time of the offence and at the charging or resolution stage, to evaluate whether a company’s programme meets the DOJ’s expectations for each hallmark. These questions also serve as an important tool for companies seeking to design and maintain an effective compliance programme that meets the expectations of the US authorities. The Evaluation Guidance is organised around the three core questions and the compliance hallmarks under each question to help federal prosecutors and (by extension) companies understand how the various hallmarks interact:

| Is the compliance programme well designed? | Is the compliance programme being applied earnestly and in good faith? | Does the compliance programme work in practice? |
| --- | --- | --- |
| Risk assessment | Commitment by senior and middle management | Continuous improvement, periodic testing and review |
| Policies and procedures | Autonomy and resources | Investigation of misconduct |
| Training and communications | Incentives and disciplinary measures | Analysis and remediation of any underlying misconduct |
| Confidential reporting structure and investigation process | | |
| Third-party management | | |
| Mergers and acquisitions | | |

Building on the Resources Guide, the Evaluation Guidance applies a broader lens to compliance that first seeks to capture a company’s general approach to its compliance programme, and then to focus on a company’s application of its programme, and finally how the programme did or did not work in connection with the alleged misconduct under investigation. A few aspects of the Evaluation Guidance are of particular note.

Emphasis on decision-making rationale

The Evaluation Guidance reflects increased sensitivity to the circumstances and business realities of companies. For example, in its introductory paragraphs, the DOJ notes that certain portions of the Evaluation Guidance may be more or less relevant to companies depending on their specific circumstances: ‘In any particular case, the topics and questions set forth below may not all be relevant, and others may be more salient given the particular facts at issue and the circumstances of the company.’[18] The Evaluation Guidance drives this point home by including questions intended to prompt prosecutors to enquire about a company’s rationale for decision-making regarding the design and implementation of its compliance programme – both broadly and at a more detailed level. For example, the section covering continuous improvement, periodic testing and review prompts prosecutors to enquire not only whether internal audits occurred, but also as to the company’s rationale supporting its process for determining where and how frequently audits occurred. Language included in the section on autonomy and resources regarding whether compliance personnel have non-compliance responsibilities drives at the same point. In its discussion of mergers and acquisitions, rather than assuming that a company will conduct all due diligence prior to an acquisition, the DOJ explicitly acknowledges that this may not be the case, adding the following question: ‘Was the company able to complete pre-acquisition due diligence and, if not, why not?’[19] These enquiries do not preclude a company from choosing a particular course but, rather, suggest that a company should be prepared to defend the rationales that informed programme design and resource allocations.

A focus on programme integration

The Evaluation Guidance prompts prosecutors not only to determine whether certain elements of the programme exist, but also how they work in concert with other components of the programme and are integrated into the day-to-day rhythms of the company. For example, the Evaluation Guidance not only references the importance of having comprehensive policies and procedures, but also prompts prosecutors to ask how the policies and procedures are reinforced through a company’s internal control systems.

Increasing emphasis on the use of data to track and test

In a few areas of the Evaluation Guidance, the DOJ emphasises its expectations regarding data collection and use. In discussing autonomy and resources, the Guidance adds a section on data resources and access, which asks whether any impediments exist ‘that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?’[20] This may signal both the value the DOJ sees in data as a necessary tool for monitoring and testing compliance programmes, and an awareness of the European Union’s General Data Protection Regulation and other restrictions that have come into force in recent years, which can limit access to data for international companies. The Evaluation Guidance also makes clear the DOJ’s expectations that companies gather operational data across the company and on employee access to policies. These data points feed into updates to risk assessments and evaluate access to governing documents, respectively.

Focus on the evolution of compliance programmes

Throughout the Evaluation Guidance, the DOJ emphasises both a company’s own efforts to evolve its compliance programme and the Department’s understanding of that evolution. With respect to the company’s own efforts, the Guidance includes new language in the section on risk assessment under ‘Lessons Learned’, asking: ‘Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?’[21] Further, in its discussion of continuous improvement, periodic testing and review, under ‘Evolving Updates’, the DOJ guides prosecutors to ask: ‘Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?’[22] Both questions highlight the importance of learning from internal and external issues and of incorporating that learning into the programmatic changes.

The Evaluation Guidance also makes clear the DOJ’s interest in understanding the reasoning behind the evolution of a company’s compliance programme. In the introduction to the Evaluation Guidance, the DOJ states that it will be specifically evaluating compliance programmes at multiple points in time: ‘both at the time of the offense and at the time of the charging decision and resolution’.[23] The Guidance emphasises this point by the following addition under ‘Risk Assessments’: ‘In short, prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.’[24] For companies on the receiving end of questions from the DOJ, documentation on changes to their compliance programme – including the ‘why’ behind changes – will be critical.

Operationalising continuous improvement

Across various sections, the Evaluation Guidance prompts prosecutors to evaluate how a company measures programme effectiveness. For example, the document emphasises in several places the importance of capturing and tracking data to analyse trends and missed opportunities. Also, additional explanatory text encourages prosecutors to go beyond simply asking if a programme and its elements are effective, and instead prompts them to ask how that effectiveness is measured in practice. For example, the updated section on training and communications prompts prosecutors to ask how training effectiveness is measured and improved. In the context of ‘continuous improvement, periodic testing and review’, the Evaluation Guidance prompts prosecutors to enquire how and how often the company’s compliance culture is measured and how that analysis is used to inform the continuous improvement of the company’s programme.

Risk assessment as the starting point

The Evaluation Guidance emphasises that:

The starting point for a prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.[25]

Notably, the Evaluation Guidance does not mention ‘manifested risks’ (a focus in the earlier guidance document) but instead highlights the importance of ‘risk-tailored resource allocation’ (i.e., ‘Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas . . . ?’),[26] as well as the importance of updates and revisions to a company’s risk assessment and policies and procedures ‘in light of lessons learned’. Companies can expect prosecutors to spend more time understanding how risk assessments inform resource allocations, and to scrutinise those decisions. Of course, a company can rightly hope that this line of questioning, in some cases, may lead the DOJ to determine that a specific incident of misconduct in one area does not render the compliance programme ineffective or poorly designed.

Guidance on reporting mechanisms and investigation response

The Evaluation Guidance includes questions as to whether a company has established and publicised an anonymous reporting mechanism, underscoring the DOJ’s concerns regarding retaliation against reporting of compliance issues. In addition, the Guidance includes enquiries about the timing and quality of the company’s responsiveness to the results of investigations and the remediation of identified issues. It also underscores the importance of tracking and learning from investigation results (consistent with the Guidance’s more general theme of capturing and tracking data to inform continuous improvement).

Proactive justification of business rationales for third parties

The Evaluation Guidance’s section on third-party management assesses how the company ensures appropriate business rationales for the use of third parties, more generally. These questions evidence the view that the first, and arguably most important, step in managing compliance risk posed by third parties is to evaluate whether there is a clear business need to engage them and, if so, to articulate the qualifications required to meet that need. Companies will be well served to consider whether their compliance programmes require this step and, if so, whether it is documented and maintained as part of due diligence.

FCPA Corporate Enforcement Policy

In November 2019, the DOJ’s Fraud Section implemented a subtle change to its Enforcement Policy, which offers companies the presumption that the Department will decline prosecution if they (1) self-report foreign bribery, (2) fully cooperate with the government’s investigation, and (3) remediate the compliance failures.[27] The change clarifies the information that companies need to disclose and the timing of the disclosure to obtain the Policy’s benefits.

Previously, companies were required under the Enforcement Policy to ‘disclose all relevant facts known to [them]’ to qualify for voluntary disclosure credit under the Policy. Recognising that the previous language may have been confusing and may have created a disincentive for companies to come forward with information about wrongdoing, companies are now expected to disclose ‘all relevant facts known to [them] at the time of the disclosure’.[28]

It also requires disclosure of facts about any individuals who played a substantial role in the misconduct at issue rather than requiring disclosure of all individuals substantially involved in a violation of law, as the Policy previously required. The DOJ implemented the update because a company may not be in a position to know all relevant facts at the time of a voluntary self-disclosure, especially where only preliminary investigative efforts have been possible.

Another change to the Enforcement Policy relates to proactive cooperation, with the updated Policy now stating that a company must inform the DOJ if it is aware of relevant evidence not in the company’s possession. In contrast, the Policy previously required companies to inform the DOJ ‘where the company is or should be aware of opportunities for the Department to obtain relevant evidence not in the company’s possession and not otherwise known to the Department’.[29] Like the tweak to the self-reporting requirement, the change to the cooperation language potentially makes this requirement less onerous and comes after the DOJ had realised that the language was potentially ambiguous and possibly created confusion about what a company ‘should’ be doing or looking for in order to satisfy the proactive cooperation requirement.

Conclusion

The expansion of compliance guidance issued by the DOJ and the SEC and the increasing depth of that guidance signal to US and foreign corporations a heightened expectation of proactive and considered compliance programme development. Collectively, the guidance documents noted provide a blueprint for companies seeking to develop and enhance their compliance programmes and for those having to defend their existing programmes. However, as the various guidelines, and statements by enforcement officials, have made clear, compliance programme design and effectiveness is a particularised and individualised art, where one size does not fit all and continued customisation, evaluation and improvement are the expectation. Thus, companies would do well to incorporate the guidance provided into their own internal monitoring and testing efforts to ensure their compliance programme stays relevant to their operations.


Footnotes

[1] Alejandra Montenegro Almonte is a member and vice chair of the international department, Ann K Sultan is a member and practice lead, and FeiFei (Andrea) Ren is a senior associate at Miller & Chevalier Chartered. The authors thank Fabio de Aratanha, consultant at Miller & Chevalier Chartered, for his contributions to this chapter.

[2] U.S. Sentencing Commission, Guidelines Manual, §8B2.1 (2021), https://guidelines.ussc.gov/gl/%C2%A78B2.1 (last accessed 24 June 2022).

[3] U.S. Department of Justice and U.S. Securities and Exchange Commission, ‘A Resource Guide to the U.S. Foreign Corrupt Practices Act’ (2d ed. July 2020) at 56, https://www.justice.gov/criminal-fraud/file/1292051/download (last accessed 24 June 2022).

[4] ibid., at 57.

[5] ibid., at 58.

[6] ibid., at 59.

[7] id.

[8] id.

[9] ibid., at 60.

[10] ibid., at 60–61.

[11] ibid., at 61.

[12] ibid., at 62.

[14] ibid., at 66, 67.

[16] ibid., at 66–67.

[17] U.S. Department of Justice Criminal Division, ‘Evaluation of Corporate Compliance Programs’ (updated June 2020) at 1, https://www.justice.gov/criminal-fraud/page/file/937501/download (last updated 24 June 2022).

[18] ibid., at 2.

[19] ibid., at 8.

[20] ibid., at 12.

[21] ibid., at 4.

[22] ibid., at 16.

[23] ibid., at 2.

[26] ibid., at 3.

[27] U.S. Department of Justice, ‘FCPA Corporate Enforcement Policy’ (updated March 2019), https://www.justice.gov/criminal-fraud/file/838416/download (last accessed 24 June 2022).

[28] ibid., at 2.
