US Compliance Enforcement

• Published date: 12 September 2022
• Subject Matter: Corporate/Commercial Law, Criminal Law, Compliance, Corporate and Company Law, Securities, White Collar Crime, Anti-Corruption & Fraud
• Law Firm: Debevoise & Plimpton
• Author: Ms Kara Brockmeyer, Ivona Josipovic, Andreas A. Glimenakis and Berk Guler

The aggressive US enforcement landscape has encouraged an increasing focus on corporate compliance programmes. Companies under US jurisdiction can face significant consequences in white-collar matters, from long and intrusive government probes and reputational damage to headline-catching penalties. US authorities have been effective both in messaging the importance of compliance programmes and in providing concrete incentives for companies to invest in compliance, to self-police and - in the event an issue arises - to consider disclosing the misconduct and cooperating with authorities.² In this chapter, we explain how compliance factors into US white-collar enforcement and describe key considerations in that regard for companies facing potential enforcement actions and embarking on the reporting and settlement process with the US authorities.

US compliance enforcement landscape

The US Department of Justice (DOJ) and the US Securities and Exchange Commission (SEC) have each set clear expectations with respect to compliance programmes through their enforcement actions, enforcement policies and public statements from their leadership. Generally, the DOJ has criminal and civil enforcement authority over misconduct with US touchpoints, whether through jurisdiction over US nationals, residents and businesses, including their agents, or over entities and individuals who engaged in misconduct while in the territory of the United States. The SEC, in turn, has civil jurisdiction over US issuers, including with regard to violations of statutory provisions that require maintenance of adequate internal controls and accurate books and records. Companies subject to SEC jurisdiction, in particular, tend to invest in more robust compliance programmes.

Both agencies expect pre-incident, proactive efforts by companies to implement tailored compliance programmes that address key operational risks and prevent the types of misconduct most likely to occur in a company's line of business. The agencies view compliance programmes as the front line in combatting corporate misconduct by preventing it in the first place and expect that companies will not only maintain effective compliance programmes but also empower their compliance functions with the support of senior management and the company's board of directors. Without sufficient investment in compliance, the government warns, companies face the risk of significant penalties down the line.³

Both agencies also closely evaluate the maturity of a compliance programme as they consider their charging decisions and structure of settlements. For instance, as is addressed in more detail below in 'Compliance considerations in government reporting and settlement discussions', assessment of a compliance programme can affect the type and duration of a non-trial resolution agreement and whether there is a need to impose an external compliance monitor.⁴

Companies and their compliance personnel are not in the dark with respect to the DOJ's and the SEC's expectations. As explained in Chapter 3, although there are 'no formulaic requirements',⁵ the guidelines set forth in the DOJ's 'Evaluation of Corporate Compliance Programs' (ECCP) in particular set the stage for the assessment of corporate compliance efforts.⁶ The ECCP, which was issued in February 2017 and most recently updated in June 2020, contains the most comprehensive discussion of the government's expectations with respect to compliance and is intended to assist prosecutors in evaluating compliance programmes as part of their enforcement decisions. The ECCP is structured around three fundamental questions: whether a compliance programme (1) is 'well designed', (2) 'adequately resourced and empowered to function effectively' and (3) works in practice.⁷ In short, the government is looking for more than a 'paper programme'. This position was well illustrated in a recent statement by Assistant Attorney General (AAG) Kenneth A Polite Jr, who noted that the government wants 'to know more than dollars, headcount, and reporting lines'; will review the 'qualifications and expertise of key compliance personnel and other gatekeeper roles'; and wants to see that 'compliance officers have adequate access to and engagement with the business, management, and the board of directors'.⁸

Enforcement actions arising from compliance deficiencies

Lack of robust policies and internal controls, inadequate enforcement of adequate policies or controls, or other compliance failures can give rise to civil and criminal liability for companies. In the anti-corruption space in particular, enforcement actions often arise from companies' inability to design and implement anti-corruption compliance measures to adequately address their operational risks. The DOJ's and the SEC's 'Resource Guide to the Foreign Corrupt Practices Act' (the FCPA Resource Guide) highlights that an 'assessment of a company's compliance program, including its design and good faith implementation and enforcement, is an important part of the government's assessment of whether a violation occurred, and if so, what action should be taken'.⁹

The examples below from recent FCPA enforcement actions highlight some key considerations for companies looking to better implement and scale their compliance programmes. These enforcement actions serve as a helpful illustration of the DOJ's and the SEC's standards with respect to compliance, as well as a warning of the severity of consequences that can follow when the government's expectations are not met.

The need to fully implement compliance policies

From an enforcement perspective, establishing a compliance programme is a necessary step, but certainly not a sufficient one. Although companies can place a lot of emphasis on designing robust policies, it is essential to implement and test equally robust processes to support those policies, because companies may face exposure for failing to follow their own compliance policies. In 2018, the SEC charged medical devices company Stryker with violations of the FCPA's books and records and internal accounting controls provisions in connection with its business in India, China and Kuwait. This was the second time in five years that the company had been charged with FCPA violations.¹⁰ Although Stryker had anti-corruption policies and internal controls in place, the SEC found that the company 'failed to sufficiently implement its policies'.¹¹ Of particular note, the SEC found that Stryker failed to follow its own policies that required due diligence and training of sub-distributors in China, and, in Kuwait, failed to test whether its distributor would allow the company to exercise its audit rights or otherwise assure that it was complying with Stryker's anti-bribery policy. Stryker agreed as part of the resolution to retain a compliance consultant to review and evaluate its internal controls, policies and procedures.¹²

The importance of adequate accounting controls

Internal accounting controls are an important consideration for US issuers in particular. In 2022, Korean telecommunications company KT Corporation paid US$6.3 million to settle charges that it used slush funds to give gifts and illegal political contributions in Korea, as well as using an intermediary to generate funds to pay bribes to government officials in Vietnam.¹³ The SEC highlighted deficiencies in KT Corporation's internal accounting controls, noting that the company 'lacked sufficient internal accounting controls over charitable donations, third-party payments, executive bonuses, and gift card purchases'.¹⁴

Ensure senior support

Both the DOJ and the SEC have repeatedly noted the importance of ensuring that a company's compliance function has the strong support of senior executives and the board of directors. This includes 'tone at the top'. In 2020, US-based consumer loan company WAC resolved FCPA charges relating to its Mexican subsidiary. The SEC called out WAC's management for having a tone at the top that 'did not support robust internal audit and compliance functions, and undermined the effectiveness of those functions'.¹⁵ In fact, WAC terminated the internal audit vice president after he raised compliance concerns, combined internal audit and compliance functions and imposed staffing pressure, and allowed a general counsel with no prior audit or accounting experience to be in charge of the combined function.¹⁶ The company paid US$21.7 million to resolve the SEC's charges.

Ensure sufficient compliance resources

Successful implementation of compliance policies and procedures is contingent on sufficient resource allocation into compliance. Companies that have established policies without adequate resources can still run into trouble. In 2019, the SEC charged the global oil and gas services company TechnipFMC plc with violations of the FCPA's provisions on anti-bribery, books and records, and internal accounting controls in connection with payments made to a consultant who in turn paid bribes to Iraqi government officials.¹⁷ The company agreed to pay US$5 million to settle with the SEC. Notably, the SEC's order highlighted that TechnipFMC 'devoted insufficient resources to compliance concerning its Iraq business'.¹⁸

Proper scaling of compliance programmes in international expansion

Aggressive international expansion, including through acquisition of foreign entities, can significantly heighten companies' compliance risks. Several large FCPA actions in recent years arose from situations in which...