The cornerstone of a Foreign Corrupt Practices Act (FCPA) compliance program is the US Federal Sentencing Guidelines (FSG). They contain seven (7) basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements the Department of Justice (DOJ) has crafted its minimum best practices compliance program which is now attached to every Deferred Prosecution Agreement (DPA) and Non-Prosecution Agreement (NPA). The FSG assumes that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct? The starting point, as per the FSG, reads as follows:
An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages “ethical conduct” and a commitment to compliance with applicable regulations and laws.
In each DPA and NPA over the past 18 months the DOJ has said the following as item No. 1 for a minimum best practices compliance program.
1. Code of Conduct. A Company should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy shall be memorialized in a written compliance code.
In an article in the SCCE Complete Compliance and Ethics Manual, 2nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”
There are several purposes identified by the authors which should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this in a Code by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”
The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena to do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasis it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.
As I often say, the three most important things about your FCPA compliance program are document, document and then document. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands the Code. For employees, it is important that a representative of the Compliance Department, or other qualified trainer, explains the standards set forth in your Code of Conduct and answers any questions that an employee may have. Your company’s employees need to attest in writing that they have received, read, and understood the Code of Conduct and this attestation must be retained and updated as appropriate.
The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed your Code of Conduct for five years, I would suggest that you do in short order as much has changed in the compliance world.