Since 2000, the Justice Department and SEC have entered into 290 publicly disclosed DPAs or NPAs, according to a recent analysis from law firm Gibson Dunn. Over that period, DPAs and NPAs have netted the government more than $42 billion in penalties and recoveries.

The start of 2014 alone saw monetary penalties of nearly $3.6 billion arising from 12 prosecution agreements: seven DPAs and five NPAs, including one negotiated solely by the SEC. This year’s monetary penalties already exceed the 2013 total of $2.9 billion. Furthermore, the analysis did not include the latest DPA and $86 million penalty Lloyds Banking Group reached July 28 with the Justice Department to resolve acts of false reporting and attempted manipulation of the London Interbank Offered Rate (LIBOR).

That’s a lot of enforcement activity, much of it under the Foreign Corrupt Practices Act (FCPA). So what have we learned?

“A common feature of DPAs required by the Department of Justice is minimum standards for corporate compliance,” says Warren Feldman, a partner with law firm Skadden Arps. These compliance standards reflect the latest thinking by regulators on what they consider to be a state-of-the-art compliance program, he says.

So compliance and legal executives can pore over these agreements to help their compliance programs evolve and drive changes in corporate culture. “If you look at the kinds of compliance requirements that are being imposed, they’re relatively straightforward,” Kelly Kramer, a partner with law firm Mayer Brown, says.

Risk-based assessments. One common compliance standard included in DPAs is the requirement that a company conduct an annual risk assessment tailored to the company’s unique risk profile that will help inform what changes it needs to make to its compliance policies and procedures.

Depending on the circumstances, the company’s risk assessment may have to consider numerous factors. For example, according to the DPA that Hewlett-Packard reached with the Justice Department in April, H-P must conduct a risk-based review that addresses the company’s foreign bribery risks, including “its geographical organization, interactions with various types and levels of government officials, industrial sectors of operation, involvement in joint venture arrangements, importance of licenses and permits in the company’s operations, degree of government oversight and inspection, and volume and importance of goods and personnel clearing through customs and immigration.”

“There is no one-size-fits-all compliance program,” says David Debold, a partner with law firm Gibson Dunn. “It really has to be adapted to the particular company and, moreover, has to be something that changes over time.”

The company should conduct a periodic risk assessment to determine whether the company’s risks have changed, or whether any recent improper activity has developed, “making sure the compliance program is adapted to whatever those changes might be in that risk area,” Debold adds. Any company, not just one that finds itself in the government’s crosshairs, would benefit from the ability to show government regulators how the program has been tailored to the particular risks that the company faces, he says.

Proper oversight. Also as part of a typical prosecution agreement, government regulators often require that the company appoint at least one senior compliance executive to implement and oversee corporate policies and procedures. That individual must also be able to report information directly to internal audit and the board, as well as maintain an adequate level of independence from management. Such a requirement appeared in 21 of the 26 prosecution agreements the government reached since 2011, according to Gibson Dunn’s analysis.

For example, in a DPA that medical-device company Arthrocare entered into with the Justice Department in January to resolve securities fraud violations, the company agreed to assign responsibility to at least one senior corporate executive to implement and oversee the company’s federal securities fraud and healthcare compliance code, policies, and procedures. “Such corporate official(s) shall have direct reporting obligations to independent monitoring bodies, including internal audit, the company’s board of directors, or any appropriate committee of the board of directors; and shall have an adequate level of autonomy from management as well as sufficient resources and authority to maintain such autonomy,” the DPA stated.

“The theory among Justice Department staff is that compliance is the kind of thing that, when responsibilities are diffused, people tend to not spend as much time on it as they otherwise would if they understand they are personally responsible for making sure the compliance program works as intended,” Kramer says.

Internal controls. The majority of prosecution agreements also require the implementation of financial and accounting procedures designed to ensure that transactions are executed and recorded in compliance with the company’s policies. This requirement appears most frequently in agreements resolving alleged violations of the internal controls and books and records provisions of the FCPA.

Senior-level support. According to Gibson Dunn’s analysis, 15 of the 26 prosecution agreements included a provision requiring the directors and senior management of the company to provide strong, explicit, and visible support for the company’s policy against violations of the relevant laws and compliance code. That wording has appeared more frequently in NPAs and DPAs from 2013 and 2014.

GIBSON DUNN ANALYSIS

A company seeking proactively to develop its compliance program should consider the most common provisions in recent NPAs and DPAs, which provide a useful baseline for compliance standards. Based on Gibson Dunn’s analysis, the most common provisions from the last three years are:

High-level commitment from the directors and senior management of the company in support of the company's policy against legal violations and applicable compliance code provisions;

A strong, written corporate policy against violations of the relevant laws;

Standards and procedures to reduce the prospect of violation of the relevant laws;

An effective system of financial and accounting procedures, including a system of internal controls;

Annual risk-based review and updates of compliance standards and procedures;

A designated senior corporate executive to implement and oversee compliance with the relevant laws;

Strong mechanisms to ensure communication with and training of all officers, directors, employees, agents and business partners;

Clear channels to provide guidance and advice to all personnel, to ensure confidential reporting, and to protect those who wish to report violation of the relevant laws;

Disciplinary procedures to address violations of the relevant laws;

Due diligence and compliance requirements pertaining to all agents and business partners;

Standard provisions in commercial agreements designed to prevent violation of the relevant laws;

Periodic review and testing of compliance programs to improve effectiveness in detecting and preventing violations of the relevant laws; and

Policies and procedures designed to conduct risk-based due diligence with regard to M&A activities and the prompt application of the company's compliance code, policies, and procedures to newly acquired businesses.
Source: Gibson Dunn.

The analysis also revealed that all but one of the 26 prosecution agreements Gibson Dunn analyzed required the company to perform periodic training for directors, officers, and employees, along with annual certifications of compliance with those training requirements.

“One of the things the Department of Justice and SEC look for without question is tone-from-the-top,” meaning the C-suite must be trained and knowledgeable about the risks the company faces as well, Feldman says. “Sophisticated multinational companies typically have training top to bottom,” he says.

Third-party due diligence. Two standards relating to third parties appear frequently in prosecution agreements, according to Gibson Dunn’s analysis. The first requires the establishment of a risk-based due diligence program related to the hiring and oversight of agents and partners; the second requires companies to include standard contractual provisions in agreements with agents and business partners to prevent violations.

“It’s not just thinking about what your own employees are doing, but also whether people acting on the company’s behalf, or working closely with the company in certain areas, are taking the right steps to make sure they’re monitoring, preventing, and detecting potential violations,” Debold says.

Companies should continue to monitor their third parties on an ongoing basis, including regular risk assessments and audits. The trouble is that many companies struggle to understand what a risk-based assessment of agents even means, Kramer says.

“They spend a huge amount of resources trying to do due diligence on essentially each and every agent or joint venture partner they use, which is probably compliance overkill,” Kramer says. “For lots of other companies, they don’t even know how to begin to do due diligence.”

Periodic monitoring and testing. “Implementing reviews and tests to make sure the compliance program actually works is something that the Justice Department stresses,” Kramer says. “We’ve seen that in a bunch of these agreements.”

In fact, 23 of the 26 prosecution agreements Gibson Dunn analyzed require the company to perform periodic monitoring and testing to measure the effectiveness of the company’s compliance program.

If a company discovers potential wrongdoing, one question government regulators will ask is what internal controls the company had in place to prevent, or detect, the violation, Debold says. If it was a violation the company should have expected, given the nature of its risks, “that’s when the government is going to be skeptical about whether the program they had in place was really up to snuff.”