The end of the Obama era brought uncertainty regarding the future of the enforcement of U.S. regulations governing exports and international conduct. Although some observers speculated that a deregulation-minded President Donald Trump would cut back on enforcement of such laws as the economic sanctions regulated by the Office of Foreign Assets Control, the various anti-money laundering laws, U.S. export controls and the Foreign Corrupt Practices Act, enforcement activity for these laws — including the largest-ever FCPA settlement ($965 million in combined penalties) and the largest export controls/economic sanctions penalty ($1.19 billion) — confirms that the Trump administration is committed to the aggressive application of U.S. law abroad. With the U.S. Department of Justice, FBI and the U.S. Securities and Exchange Commission continuing to use dedicated resources to identify violations and to prosecute U.S. laws governing U.S. exports and international conduct, companies that sell to foreign markets or operate abroad need to prioritize managing the risks posed by these laws.
The compliance obligations of multinational corporations are more complicated than for domestic organizations. A corporation that operates internationally automatically takes on additional compliance responsibilities under laws and regulations that target international conduct, as well as new sets of foreign laws, all while shedding none of its domestic compliance obligations. Multinational companies tend to be larger, which increases the importance of establishing systematic compliance procedures. Multinational corporations also often have magnified logistical difficulties, such as coordinating compliance standards and training across disparate divisions and affiliates, dealing with employees with cultural and language differences, and dealing with general skepticism regarding the application of U.S. law outside of the country. These and other factors can increase the difficulty of creating and maintaining multinational compliance standards.
Although many organizations believe the first step of creating a compliance program is to draft a compliance program, there usually is groundwork that compliance personnel must undertake that takes precedence. Before the compliance process is triggered, the organization should first secure buy-in and support for compliance efforts, which is normally called “tone at the top.” The need for consistent management support for compliance initiatives is key in the eyes of U.S. regulators. Any multinational company’s compliance efforts are doomed if they do not enjoy top-level support. Senior management must understand the importance of a consistent and reinforced message and must set a strong example. Above all, people throughout the organization, whether located in the U.S. or elsewhere, should realize there are consequences for compliance missteps.
Once appropriate management support for a compliance program is secured, the organization should consider the following six broad steps to identify and manage its regulatory risk:
Compliance is an exercise in identifying and managing an organization’s risk and then allocating its scarce compliance resources to get the biggest compliance payoff. Thus, a crucial initial step is to identify the key sources of regulatory risk. Since it is not possible to eliminate all regulatory risk, risk assessments allow organizations to triage the allocation of its compliance resources.
If a company has not conducted a risk assessment in the last two years or so, it should strongly consider doing so. A risk assessment would survey the company’s operations to determine the exposure of the organization to various forms of regulatory risk, considering both the likelihood and severity of possible violations and the current enforcement priorities of the relevant authority. Compliance at multinational corporations should be tailored to their business profiles, areas of operation, whether they are high-risk, whether the areas being surveyed tend to support outsized fines, the revenue impacted by the areas being surveyed, as well as other risk factors. Once the risk assessment is complete, the results should be carefully evaluated to determine the greatest compliance concerns, with the result being distilled into a companywide risk profile to guide the allocation of compliance resources.
Once an organization’s risk assessment is completed, it can then conduct a gap analysis. Most multinational companies likely have some compliance procedures already in place; the trick is to determine whether those measures and internal controls are adequate to identify the risks uncovered as a result of the risk assessment. Companies accordingly should assess their existing compliance programs to see if those compliance measures and internal controls line up with the regulatory risks identified through conducting risk assessments.
An often-overlooked portion of any risk assessment is determining whether a company has a corporate governance gap, which can arise both from a lack of an adequate compliance infrastructure and from a failure to have adequate communication channels with its compliance oversight function. Regarding the former, a chief compliance gap can arise from the failure to consider the efficacy of compliance measures as they actually are implemented in the field. Multinational companies should not assume that compliance outside of the U.S. can entirely be managed from a central location, as implementation and oversight often require on-the-ground attention. For larger organizations — or companies operating in high-risk regions — compliance liaisons are generally necessary to ensure that compliance actually functions as envisioned. In assessing the adequacy of local oversight, relevant considerations include the state of oversight for risk points outside the entity itself, such as foreign subsidiaries, joint ventures, agents, distributors and consultants.
In corporations that set the proper compliance tone, board-level involvement is regular and institutionalized, generally at either the compliance or audit committee levels. The key areas for board-level involvement include thorough oversight of compliance initiatives, quarterly reports of compliance activities and special communications for potentially serious matters. Written materials should be accompanied by direct and personal briefings by the chief compliance officer or general counsel, as appropriate.
A final consideration is whether there is a gap between the identified risk and the available compliance resources. Effective risk management requires matching the compliance promises found in the company’s compliance measures, and the scope of identified regulatory risks, with the resources available to address those risks. To avoid promise/resource mismatches, multinationals should make honest comparisons of their identified risk profiles with the inventories of their current policies and internal controls to determine whether there are any gaps between the two. Once any such gaps are identified, the multinational can determine the best path forward, whether it be through reallocating existing compliance resources, finding new sources of funding or readjusting the compliance procedures.
A written compliance policy should include a written policy statement, a written compliance program, supplemental materials for individuals at high risk of potential violations or who need specialized training to oversee or comply with the relevant legal regime, and internal controls. In putting together written compliance policies, companies should avoid the temptation of making the policies either too long or too legalistic. Overly legalistic policies generally stem from a fear that they will omit some nuance of the law. But in the real world, the chief failures of compliance policies are that they are often not read — or read carefully — because they are overly complicated or do not seem relevant to the key personnel. The company accordingly should distill down the description of the laws at issue and its compliance expectations as much as possible, while drawing on real-world or industry examples to communicate its core expectations. The goal is not to create a workforce full of law professors; rather, it is to communicate the key regulatory issues where personnel would need to pick up the phone and make a compliance call.
In addition, companies should pay equal attention to internal controls and standard operating procedures. Compliance policies set the standard, while internal controls implement and reinforce that standard. For example, export control policies should be supplemented with stop, hold and release measures and (for controlled technical data and goods) physical security, visitor access and technology control plans. For OFAC sanctions, there should be written controls regarding screening for embargoed persons and clearing red flags. For the FCPA, there should be measures for gifts, meals, entertainment and travel. Internal controls should be tailored to the company’s operations, areas of operation, and business profile, addressing the types of risks covered in its compliance policies and identified risks.
Training — implemented in conjunction with a well-written compliance program and appropriate internal controls — forms the third leg of the compliance stool. The goal is to ensure that employees and agents have sufficient knowledge to recognize red flags and other problematic situations and understand what they need to do to comply. The personnel to be trained should be identified based upon their likelihood of encountering regulations of concern. For personnel at high risk, training should occur for all new employees and annually thereafter.
Identification of red flags and appropriate follow-up are the keystones to well-functioning compliance in all of the common international compliance areas. It is for this reason that one of the most important tasks when implementing international compliance is to train relevant stakeholders regarding the transactions and conduct that are suspicious given the regulatory requirements. This is not a static process and will vary company to company.
For multinational companies, training will often need to address local practices and different cultural norms that may prove contrary to the compliance needs of the organization. Equally important is finding the best way to stress the importance of compliance with U.S. law, even though the foreign national is outside of U.S. territory. Organizations also should consider presenting compliance materials and training in the local language of the employees and agents.
All of the international regulatory regimes give regulators the ability to reach the conduct of third parties acting on behalf of the organization. The company should pay close attention to the incremental risk added by third parties, including business partners, joint ventures, agents, subagents and consultants. A best practice is integrating outsiders into the risk management plan, which requires explicitly incorporating outsiders into the compliance program, providing them with training materials, conducting training for them, and exercising auditing rights on a risk-adjusted basis.
Finally, multinational companies should monitor their compliance programs by direct observation, by supervising the programs, and by testing the controls. Regular compliance audits are an increasingly common way of testing the controls. Companies should use risk-based auditing principles to determine the countries, divisions and subsidiaries that should be monitored through audits and compliance checkups, and consider extending such checkups and audits to third parties as well.
With the Trump administration continuing to impose hefty penalties for violations of U.S. regulations of exports and international conduct, regulatory risk management continues to be essential for all multinational companies. A well-run compliance program is not something that comes about by accident, particularly in the international realm. Creating such a system requires a thorough understanding of the company’s risk profile, as informed by the systematic evaluation of its regulatory risk points, scope of operations, and use of third parties that so often create compliance conundrums. Further, even if the goal of an effective compliance system is realized, that happy state is unlikely to be a permanent one. Natural changes in an organization’s footprint, its evolving methods of operation, changes in the law, and changes in the aims of the enforcement authorities can all conspire to make even the best compliance program and related internal controls obsolete in a surprisingly short time.
Above all, an organization’s compliance efforts should never be one and done. Compliance processes are never completed, and the goal is not to perfect the system of risk management. Rather, it is to maintain a system of process improvement in which the changing risk profile of the organization is addressed through evolving procedures and systems. Through a self-reinforcing compliance system, the organization can maintain compliance policies, internal controls and training that provide reasonable controls to protect it from regulatory risk in its many forms.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
This article was originally published here in Law360 on May 21, 2018.