We are now two years into the current presidential administration, and regulators have imposed three of the ten largest Foreign Corrupt Practices Act penalties in history and the largest export controls penalty of all time. This comes alongside significant tightening of many economic sanctions regulations and ongoing strong antitrust enforcement. With the DOJ, FBI, and the SEC continuing to use dedicated resources to identify and prosecute violations of U.S. laws governing U.S. exports and international conduct, international regulatory risk management is a significant concern for any automotive company that sells to, exports to, or operates in foreign destinations.
To navigate the current enforcement environment, we’ve laid out eight steps that most multinational automotive companies can take to enhance compliance.
Before drafting compliance policies, there are a few steps that should be taken – most importantly, securing buy-in from senior management for a comprehensive compliance push. Even if a strong program is put into place, it will not be effective if employees don’t believe that compliance is being taken seriously at all levels of the company.
This includes regular and institutionalized involvement of the company’s board of directors, generally at either the compliance or audit committee levels. The key areas for board-level involvement include thorough oversight of compliance initiatives, quarterly reports of compliance activities, and special communications for potentially serious matters.
Any multinational automotive company that has not done a risk assessment in the last two or three years likely is overdue for a new one. This is a key initial step to identify sources of regulatory risk, such as changes in the governing laws and changes to the firm’s risk profile due to alterations in the footprint of the firm, the ways in which it conducts business, any expansion into new markets, and other factors that can radically alter the risk profile of the organization.
For automotive companies that operate abroad, key risks include not only regulatory issues but also issues related to the company’s business profile and how it operates abroad (use of distributors, joint ventures, agents, and so forth). Once the risk assessment is complete, the results should be carefully evaluated to determine the greatest compliance concerns, as well as distilled into a company-wide risk profile to guide the allocation of compliance resources.
Sometimes referred to as a compliance gap analysis, the third step is to take a candid look at existing compliance measures, such as codes of conduct, compliance programs, internal controls and standard operating procedures, and training. This allows companies to determine if compliance measures address the regulatory risks identified through the risk assessment.
An important part of the gap analysis is to consider not only the written forms of the compliance program, but also how effective the measures are in the field. It is common for even well-designed programs to run into difficulties when placed into operation, especially for international operations, where language, cultural, and distance issues can lead to misunderstandings of the importance or operation of compliance measures.
The gap analysis also involves determining whether there is a disconnect between the identified risks and available compliance resources. To avoid promise/resource mismatches, multinational automotive companies should make an honest comparison of their identified risks against their available compliance resources to determine whether compliance is being starved of sufficient resources. Compliance should be viewed as an investment in protecting the organization from costly fines and reputational hits from violations of the law, especially for organizations that operate in high-risk environments or otherwise have a heightened risk profile.
While many organizations try to centralize compliance within U.S. headquarters, effective implementation and oversight of compliance measures often requires on-the-ground attention. For larger organizations – or companies operating in high-risk regions – compliance liaisons are oftentimes necessary to ensure that compliance functions as envisioned.
A written compliance policy should usually include a written compliance program. For high-risk legal regimes, there should also be supplemental materials for those who need specialized training or guidance. The program should be easy to comprehend, as the goal is not to create a workforce full of law professors, but rather to communicate when personnel need to pick up the phone and make a compliance call.
While establishing compliance policies is important, the implementation of internal controls can be as important or even more important to make compliance standards work. As one example, export control policies often should be supplemented with stop, hold, and release measures and (for controlled technical data and goods) physical security, visitor access, and technology control plans. Companies should tailor their internal controls to the company’s operations, areas of operation, and business profile, addressing the types of risks covered in the company’s risk assessment.
Training should be tailored to the needs of the organization and job descriptions of people who are at a high risk of encountering certain legal regimes. Programs should focus on the purpose of the law, how complying with the firm’s compliance measures protects the organization, and how to identify red flags and other problematic situations that require reaching out to compliance personnel. For high-risk personnel, training should occur not only for all new employees, but also annually thereafter.
For multinational automotive companies, training will often need to address local practices and different cultural norms, which may prove contrary to the compliance needs of the organization. Equally important is finding the best way to stress the importance of compliance with U.S. law for personnel who may not appreciate the risk exposure to the company. If English is not widely spoken, compliance materials and training should be done in the local language.
Once implemented, a compliance program cannot run on autopilot. Effective compliance requires that the company consistently monitor compliance measures and test the operation of its internal controls. Companies should use risk-based auditing principles to determine the countries, divisions, subsidiaries, and third parties that require monitoring through compliance audits and check-ups, and consider extending such check-ups and audits to third parties as well.
In the current regulatory environment, regulatory risk management continues to be essential for all automotive companies – especially those that operate abroad. Through a self-reinforcing compliance system, automotive companies can maintain policies, internal controls, and training that help protect the organization from regulatory risk in its many forms. Although compliance implementation will vary by organization, working through the eight steps outlined above will be a good starting point for companies looking to mitigate the risk flowing from the aggressive enforcement of U.S. laws governing exports and international conduct.
For more on this and other trending topics in the automotive industry, see Foley’s white paper, Top Legal Issues Facing the Automotive Industry in 2019.