Compliance is a business process, and as a process, it can be measured, managed and, most importantly, improved. — T. Fox
Compliance as a field of study and work is a relatively new practice: it took nearly 30 years in the USA to recognise the importance of compliance in managing a business. Good relations between business and government are the key to economic growth - that’s why not only we but also the DOJ emphasise the importance of compliance in this process.
We will skip the vast historical background of compliance (which of course spans more than 30 years) and stop at the critical moment of compliance recognition. 1995 is the year when companies that have compliance systems first received credit compared to companies that don’t. It seems like a small step, but it was revolutionary: right after the implementation of the government policy on compliance, the world of compliance started to evolve, albeit quite slowly.
To give preference to specific compliance systems and encourage companies with comprehensive guidelines, federal prosecutors needed a set of criteria. The lack of evaluation criteria is still a weak spot in compliance, and it takes two forms: criteria are either insufficient or inappropriately designed. By inappropriate design we mean the juridical approach to business matters, which failed to show any effectiveness for years. At first, the DOJ hired experts with no experience in corporate culture and business management to create the compliance guidelines, and that had to change.
Let’s have a look at the compliance development timeline to make this clearer:
- 1995 - first encouragement from the government to the companies which have taken substantial compliance measures
- 1999 - compliance programs become part of prosecutorial decision-making, by decision of the DOJ
- 2015 - DOJ finally acquires compliance expertise
- 2017 - DOJ issues Evaluation of Corporate Compliance program
- 2020 - New criteria added to the Evaluation of Corporate Compliance.
A prominent breakthrough in compliance came in 2015, when the DOJ applied a simple but fundamental truth to its work - only business knows what works for business and what makes it fail. Therefore, lawyers who participate in drafting compliance programs and later evaluating them are required to have relevant corporate compliance experience.
Compliance has become a serious tool which now goes not from lawyers to lawyers but from lawyers to business. With a strong compliance system, a company wins a favourable attitude from the government in the long term: no especially close monitoring from the DOJ, no accusations of breaking the FCPA and no financial risks. That’s true only if everything is in order, of course.
Now that compliance rules are closer to business realities, we can take a closer look at the DOJ’s 2020 recommendations for compliance departments. There is nothing radically new, but rather an updated guideline with attention to detail - the result of the DOJ’s 2019-2020 examination of business needs.
What’s on the list?
- Compliance evaluation has changed - now DOJ doesn’t recognize “one size fits all” solutions. The companies may be evaluated individually according to the location, industry’s features and more - it’s better to be prepared.
- Policies should be not only published but accessible. This access should be tracked to understand which strategies get more attention from employees who are relevant for certain activities.
- Short training sessions for the staff are to replace the long ones. The DOJ emphasizes the importance of efficient ad hoc training which works on a short-term perspective and concentrates on the moment of “now.”
- Enhancing risk assessment by considering regional specifics of business units (close attention should be paid to third parties).
- To be efficient, a compliance program should be both well financed and sufficiently staffed.
- Every change in compliance program should be documented, with no exceptions.
- Periodic review of risk assessment is a must: programs should be regularly updated according to detected breaches.
- Performance of control personnel and compliance should be evaluated. According to this evaluation, the company should invest in the further development of the staff or change its strategy.
- Close attention to third parties, which pose the highest risk of breaking the FCPA - you should always evaluate whether a third-party partner is unavoidable in doing business overseas.
- Particular attention should be given to data processing, storage and utilisation.
Again, nothing new, but the DOJ added several essential details to compliance evaluation which we can’t miss. Our conclusion is simple: compliance still needs to reinvent itself and prove its worth, with no exceptions for the pandemic period.
Bribery and corruption under the FCPA have been illegal since 1977, and they remain so today. Compliance programs are the way to operate within the boundaries of the law; this is true even now. - T. Fox
Compliance, therefore, may change its form, but we need to remember that it’s still about fairness and strict adherence to the law.