Over the last four years, at ACI’s winter International Conference on the FCPA, enforcement officials have repeatedly placed special emphasis on two specific compliance areas: risk assessments and monitoring.
To be sure, these officials have discussed many of the essential elements of an effective anti-corruption compliance program, including tone from the top, internal reporting mechanisms, trainings and third-party due diligence. But this year, as in the past, they spent an inordinate amount of time talking about the “bookends” of compliance; namely, (1) the risk assessments from which companies should design their compliance programs and (2) the monitoring and testing that should occur after implementation to ensure that the programs are implemented effectively.
Enforcement emphasis on these areas makes sense, since they are actions that provide key assurance that corporate compliance systems are more than words on paper. For the same reason, these should be key areas of focus for compliance officers. The following comments made at 2014’s ACI conference offer more detail about what SEC and DOJ officials hope to see.
The Importance of Risk Assessments. Patrick Stokes, the Deputy Chief of the FCPA Unit of the Fraud Section of the DOJ’s Criminal Division, said, “We expect companies to be thoughtful about risk assessments. What we want are companies that are thoughtfully identifying where their real FCPA risks are and focusing on those.”
He said that companies should think critically about how they engage third parties in high-risk jurisdictions, where they contract with the government sector and where they have relationships with foreign officials. He said that the DOJ does not go into a meeting expecting to see specific compliance measures. Instead, the DOJ wants companies to identify for themselves their highest risks and explain how they are addressing those risks: “Just as we don’t want companies to have a check-the-box program, we don’t have one for evaluating them.”
Mr. Stokes added, “We have no expectation that a compliance program will be perfect and is going to catch all bad conduct. We understand that bad actors will try to work around controls and try to evade them. But we expect that programs are well thought-out to prevent this.”
The Chief of the FCPA Unit of the SEC’s Enforcement Division, Kara Brockmeyer, explained further that companies need to “get out into the field” and talk to their people about how they are doing business, where they touch the government and other risks at play. She added that companies’ risk profiles often change over time. For example, a company might have a foreign-based manufacturing facility that only sells back to the United States, but then purchases another facility with significant sales to foreign government officials: “At that point risks change, and [companies] need to be focused on them.” Such changes can be detected through periodic risk assessments.
The Importance of Monitoring. In 2014, enforcement authorities once again stressed the importance of monitoring and testing compliance programs. Mr. Stokes said, “Many times companies have designed a… robust program, but [failed] to test it. What we expect is to not only have on paper a program, but to test it, to make sure it is working.”
Ms. Brockmeyer discussed how a company can leverage its internal audit department to test its compliance program. For example, a heavy reliance on petty cash creates a high risk of off-the-book payments, and internal audit can be leveraged to address this type of risk. It can check if certain third parties are included on approved vendor lists and have been subject to due diligence. It can look at reimbursements related to gifts, travel and entertainment. She said that companies can “tack on” these types of tests to regular audits, and that they do not necessarily require a separate FCPA component.
What if risk assessments and monitoring are missing? From statements made by enforcement officials, it appears that they would consider a lack of a serious risk assessment to suggest a lack of commitment, or a program that is merely paper in nature. If there is a violation, it makes it less likely that companies will get the full benefit of a compliance program. A lack of monitoring would have a similar effect – it suggests to law enforcement that a company is more interested in saying that it has a compliance program than it is in addressing actual corruption risks.
Risk assessments and monitoring are not the most talked about elements of FCPA compliance programs, but they are fundamental to getting FCPA compliance right. Enforcement officials have repeatedly made it clear that they think these issues belong in the foreground of corporate compliance efforts. In case that message has not been received, there is an excellent chance that enforcement officials will be saying it again at this year’s conference.
Matteson Ellis serves as Special Counsel to the FCPA and International Anti-Corruption practice group of Miller & Chevalier in Washington, DC. He is also founder and principal of Matteson Ellis Law PLLC, a law firm focusing on FCPA compliance and enforcement. He has extensive experience in a broad range of international anti-corruption areas. Previously, he worked with the anti-corruption and anti-fraud investigations and sanctions proceedings unit at The World Bank.
Mr. Ellis has helped build compliance programs associated with some of the largest FCPA settlements to date; performed internal investigations in more than 20 countries throughout the Americas, Asia, Europe and Africa considered “high corruption risk” by international monitoring organizations; investigated fraud and corruption and supported administrative sanctions and debarment proceedings for The World Bank and The Inter-American Development Bank; and is fluent in Spanish and Portuguese.
Mr. Ellis focuses particularly on the Americas, having spent several years in the region working for a Fortune 50 multinational corporation and a government ethics watchdog group. He regularly speaks on corruption matters throughout the region and is editor of the FCPAméricas Blog.
He has worked with every facet of FCPA enforcement and compliance, including legal analysis, internal investigations, third party due diligence, transactional due diligence, anti-corruption policy drafting, compliance training, compliance audits, corruption risk assessments, voluntary disclosures to the U.S. government and resolutions with the U.S. government. He has conducted anti-corruption enforcement and compliance work in the following sectors: agriculture, construction, defense, energy/oil and gas, engineering, financial services, medical devices, mining, pharmaceuticals, gaming, roads/infrastructure and technology.
Mr. Ellis received his law degree, cum laude, from Georgetown University Law Center, his masters in foreign affairs from Georgetown’s School of Foreign Service, and his B.A. from Dartmouth College. He co-founded and serves as chairman of the board of 
