During the past several years, multinational corporations have seen a steep increase in the enforcement of, and exposure from, the Foreign Corrupt Practices Act (FCPA). With the specter of the recently adopted U.K. Bribery Act, along with other anti-bribery measures enacted in Organisation for Economic Co-operation and Development countries, the exposure risk to multinational corporations has never been greater. In light of this environment, multinational corporations have been increasingly focused on enacting anti-bribery compliance programs designed to prevent wrongful conduct and, where such conduct occurs, to detect it and take prompt remedial action. Indeed, countless articles and “client alerts” have been written espousing the importance of implementing comprehensive, risk-based compliance programs. While these compliance programs are now ubiquitous, much less has been written about the soft underbelly of such programs: Do they really work?
There is a counterintuitive lesson here: Companies that believe their compliance programs always work because they have never had a single instance of reported misconduct are getting it exactly backwards. Authorities consider such compliance programs “paper policies” that exist only in the abstract. Both the U.S. and U.K. enforcement authorities have stated that they expect compliance procedures to identify potential breaches. Thus, at the outset of an inquiry, regulators or enforcement authorities will typically seek to determine whether the compliance program actually works, how complaints are handled and how rules are policed to ensure compliance.
