Over the past decade, compliance as a discipline has moved from infancy squarely into adulthood. There has also been exponential growth in compliance-related jobs, and more people affirmatively identify themselves as compliance professionals. The primary driver behind this expansion has been the proliferation of legal and regulatory imperatives in the United States (US), the European Union (EU), and elsewhere that have pushed businesses to dedicate resources to promoting compliance within their organizations. As a result of these forces, the majority of mid- to large-sized companies based in the US and EU that do business internationally now have written compliance policies, and most have at least one dedicated employee whose job it is to train other employees about their legal obligations and company policies and procedures. The focal point of many of these compliance efforts has been to reduce corrupt interactions with foreign government officials, and consequent exposure to criminal prosecution and the attendant costs of defense.
Now that the scramble to establish compliance programs is largely over, compliance has entered a new phase. Among other things, there are now more tools available in the market to help compliance professionals manage the various aspects of their compliance programs, from performing due diligence on potential business partners to keeping track of employee training. The sophistication of dialogue and exchange of ideas in the compliance community focused on common compliance challenges has also increased. One harbinger of this change is the current content of compliance industry conferences. Increasingly, these conferences feature fewer basic presentations in favor of discussions about more mature issues such as compliance testing, reducing false positives in due diligence, and obtaining accurate valuation information, among other things.
This mature phase, however, poses some challenges, particularly in the area of anti-corruption compliance. This article discusses several of the challenges that we expect compliance professionals in that area to face in the decade to come.
The past decade has seen unprecedented enforcement of anti-corruption laws, particularly the US Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act. Domestic enforcement of legal and regulatory requirements particularly in the health and environmental sectors also has proliferated. The common wisdom is that the change in administration in the United States will produce different enforcement priorities, and that we will see fewer FCPA prosecutions. Some news reports specifically suggest that this trend is real. While it is too early to tell if these predictions will come true, certainly the United States Department of Justice's announcements to date are not inconsistent with these predictions.
Reduced enforcement – whether real or perceived – has the potential to make compliance programs seem less important than they may have seemed a few years ago. Compliance professionals may see this perception manifest in their department being given a lower profile and/or constrained resources. Of course, to the extent that there actually is reduced enforcement for a period of time, the pendulum could swing back in the other direction. Put another way, compliance still remains relevant because career prosecutors will remain long after their superiors have changed and instituted new enforcement priorities.
Closely related to the issue of a perceived reduced relevancy is the fact that most companies will be investing less rather than more in their compliance programs in future. Obviously changed or apparently changed prosecutorial priorities reduce the pressure on corporations to maintain robust compliance programs. Economic pressures also account for lower budgets particularly in non-revenue generating areas such as compliance. Consequently, doing more with less will be a challenge in the coming decade.
Less money will mean that compliance professionals will have to assess how best to accomplish baseline compliance for the fewest dollars – including use of electronic training modules, on-line project tracking software, etc. In addition, they will have to allocate their remaining resources based on an assessment of the greatest exposure risks posed by non-compliance and which risks can be materially reduced in the most cost-effective way possible. To the extent that they are cutting back on performing certain compliance tasks – such as performing full due diligence on subcontractors in a lower risk sector – they should also devote thought to how to document their decisions. Shifting course in a compliance program is not necessarily unjustifiable. However, the decisions that are made regarding expenditure of more limited resources should be explained carefully and transparently based upon risk factors.
Response to Change
Change is inevitable. Elections, civil war, natural disasters, the enactment of laws, infrastructure changes, and even the availability of credit are a few examples of events that can alter the risk profiles of the countries in which a company operates. Changes inside an organization can also have a material impact. A company's choice to enter or exit a foreign market, launch a new product, or expand manufacturing facilities in another country all will impact that company's compliance program. Thus, a compliance program that is well-designed to meet identified risks in 2017 may be well outdated by 2022 or even sooner.
One of the key challenges of the coming decade is to ensure that existing compliance programs do not become outdated and professionals do not become complacent. Compliance professionals need to be attuned to developments within their company and the countries where they do business, and anticipate the compliance challenges these developments may present. Ideally, compliance professionals will be at the table when key business decisions are made so that they have notice of them and can offer their perspective. At a minimum, compliance professionals should keep abreast of significant changes in corporate operation and undertake on an annual basis an assessment of these changes and the risk profiles of the regions in which their company operates, and propose changes to the compliance program if necessary.
In addition to updating the program to meet current needs, compliance professionals will need to test, not assume, the effectiveness of the existing program. Put another way, their critical focus should be directed inward as well as outward as part of their annual assessment of the program. How this assessment is conducted will vary according to a company's needs, risk profile, and budget. Ideally, such an assessment will be performed at least annually and will address the key components of the program. The United States Department of Justice's Criminal Division Fraud Section's report Evaluation of Corporate Compliance Programs and the Department of Health and Human Services Office of Inspector General and the Health Care Compliance Association's report Measuring Compliance Program Effectiveness: A Resource Guide are two publications that are good guides to assessing the effectiveness of a compliance program. While the second is directed at healthcare sector companies, its suggested approach can be adapted to a variety of settings. Of course, follow through is crucial, and steps should be taken immediately to address any deficiencies identified.
In addition to internal assessments, some companies may wish to attempt to obtain ISO 37001 certification. The international standard, which concerns the prevention, detection and curing of bribery through the implementation of anti-bribery controls, was introduced in October 2016. Decision making around compliance program assessments, including whether to apply for ISO 37001 certification, thus represents another challenge mature compliance programs face.
Legal enforcement trends and new laws also will impact compliance programs over the coming decade. As noted previously, there is currently a perception that FCPA enforcement may slow. Another key trend is the increase in criminal corruption cases arising from purely commercial transactions. Compliance professionals employed by multi-national corporations have by-and-large been focused primarily on preventing corrupt interactions with foreign officials, rather than private self-dealing by company employees. The reasons may seem obvious: first, the laws concerning commercial bribery are less often enforced than those aimed at combatting official corruption; and second, when enforced, they generally involve charges being brought against individual company executives or employees, not the company itself.
There is some indication that these two points may be changing and that compliance professionals may need to consider whether and how to address this risk. Unlike the FCPA, which covers only bribery of foreign officials, the UK Bribery Act prohibits corruption outside the government official context – namely, private business corruption involving illegal kickback payments and the like. Enforcement authorities outside the UK have used their laws creatively to bring charges involving commercial corruption. For example, in the US, the Travel Act, the federal conspiracy statute (18 U.S.C. § 371) and RICO statutes have been used to reach this conduct.
In addition to changed enforcement priorities, new laws obviously can impact the adequacy of a company's compliance program. For example, the UK's Criminal Finances Act 2017, which was passed in April 2017, contains several new provisions concerning tax evasion, money laundering, gross human rights violations against whistleblowers and human rights activists, and notification requirements regarding so-called "unexplained wealth" that impose affirmative burdens on companies operating there. Among other things, a company may need to update its procedures such that it can demonstrate (if called upon to do so) that it has "reasonable procedures" in place to prevent facilitation of tax evasion.
While it is impossible to predict what other legal developments will occur over the next decade, it is absolutely certain that there will be such developments and that some will have a direct impact on compliance programs. As noted above, compliance professionals must be attuned to new legislation and enforcement trends in all markets in which their company operates, and must update the compliance program accordingly.
Although much has been made in the press about the so-called Yates Memorandum, which concerns the US prosecutorial initiative regarding charging responsible individuals involved in corporate crimes, the personal exposure of corporate compliance officers – to civil sanctions and criminal charges – has been more theoretical than actual. On August 17, 2017, however, the Securities and Exchange Commission (SEC) fined the Chief Compliance Officer of Aegis Capital, an investment advisor, for failing to verify information provided in an SEC filing personally, and instead relying on estimates provided by his company's Chief Investment Officer. The month before, the UK's Financial Conduct Authority penalized a compliance officer for failing to take reasonable steps to ensure that the wealth management firms for which he worked provided advice to their customers that was adequate and met regulatory standards. Compliance officers are also obviously vulnerable for misusing information that comes into their possession, as the insider trading charges lodged against a UBS Group AG compliance officer in June 2017 illustrate. While none of these recent examples concern failures by compliance officers in connection with the operation of anti-corruption or related compliance programs, they do show that compliance officers are in the zone of danger when misconduct occurs and that they will be held to have affirmative duties to investigate information supplied by other business executives. Further, where compliance officers are directly involved in corruption, they can certainly expect to be charged criminally.
According to one recent survey of compliance professionals by the Ethisphere Institute, compliance officers are increasingly confounded by the massive amounts of data involved in their compliance functions, and the inadequacy or outdated nature of the tools available to them to review and assess this data. One of the challenges professionals will face over the next decade is choosing the right technology to permit them to spend more time understanding information generated by the compliance program rather than battling multiple inadequate systems. In addition, completely new tools involving Artificial Intelligence (AI) are likely to have greater application in the compliance arena. As with all new technology, choosing the appropriate system and dealing with bugs in operation will be likely challenges.
* * * * *
The challenges listed above are the ones that in my view will be the most pressing for compliance professionals in this mature phase of compliance. However, I am not sure that I hope that my crystal ball is accurate, as these are steep challenges.
Carolyn F. McNiven is a shareholder in Greenberg Traurig LLP's Litigation Practice. She is a former federal prosecutor, who is routinely asked to assess existing compliance programs and perform risk assessments in the areas of anti-corruption and healthcare regulatory compliance.