During the past several years, multinational corporations have seen a steep increase in the enforcement of, and exposure from, the Foreign Corrupt Practices Act (FCPA). With the specter of the recently adopted U.K. Bribery Act, along with other anti-bribery measures enacted in Organisation for Economic Co-operation and Development countries, the exposure risk to multinational corporations has never been greater. In light of this environment, multinational corporations have been increasingly focused on enacting anti-bribery compliance programs designed to prevent wrongful conduct and, where such conduct occurs, to detect it and take prompt remedial action. Indeed, countless articles and “client alerts” have been written espousing the importance of implementing comprehensive, risk-based compliance programs. While these compliance programs are now ubiquitous, much less has been written about the soft underbelly of such programs: Do they really work?

There is a counterintuitive lesson here: Companies that believe their compliance programs always work because they have never had a single instance of reported misconduct are getting it exactly backwards. Authorities consider such compliance programs “paper policies” that exist only in the abstract. Both the U.S. and U.K. enforcement authorities have stated that they expect compliance procedures to identify potential breaches. Thus, at the outset of an inquiry, regulators or enforcement authorities will typically seek to determine whether the compliance program actually works, how complaints are handled and how rules are policed to ensure compliance.

This article explores how one can take a “paper policy” and ensure it is properly implemented throughout a company. It reviews some of the key compliance areas that often fall short in implementation and gives practical suggestions for overcoming those shortfalls.

Anti-bribery enforcement authorities have long touted a policy of considering compliance programs and remedial measures in assessing corporate criminal liability. For example, the U.S. Sentencing Guidelines § 8B2.1 and U.S. Attorneys’ Manual § 9-28.000 both highlight the importance of compliance programs and remedial measures. Recently, the U.S. Department of Justice issued guidance that reinforced the importance of thorough compliance programs, listing nine factors that are considered when deciding whether to prosecute a corporation or negotiate a plea agreement, including “the existence and effectiveness of the corporation’s pre-existing compliance program” and “the corporation’s remedial actions, including any efforts to implement an effective compliance program or improve an existing one.”

Similarly, the U.S. Securities and Exchange Commission has looked at the thoroughness of compliance programs and the adequacies of controls. The SEC’s enforcement manual lists four measures of evaluating a corporation’s cooperation when determining how much leniency to give upon an investigation. These include “self-policing prior to the discovery of misconduct, including establishing effective compliance procedures” and “[r]emediation, including…modifying and improving internal controls and procedures to prevent recurrence of the misconduct.”

The U.K. Bribery Act (which applies outside the territory of the United Kingdom in certain circumstances) goes one step further, providing a safe harbor for companies that establish meaningful compliance programs that satisfy six particular principles: the implementation of proportionate procedures; top-level commitment to anti-corruption within an organization; the application of risk assessments; appropriate due diligence; communication of policies and procedures internally and externally (including training); and the monitoring and review of policies and procedures against performance.


While virtually all large multinational corporations have enacted, or are in the process of enacting, comprehensive compliance programs, many fail to consider the important question of whether to implement certain procedures — even procedures that sound good on paper — and whether those procedures as a practical matter will be followed. As the recent Justice Department guidance on the FCPA noted, there are three basic questions that guide the agency’s evaluation of compliance programs: “Is the company’s compliance program well designed? Is it being applied in good faith? Does it work?” Although there is no expectation that any compliance program can be perfectly implemented, corporations must consider their business structure, existing controls, costs and corporate culture in fashioning a program that will actually be followed.

Practitioners in the compliance arena often consider the imposition of certifications, questionnaires and audit rights exercisable against third parties as a centerpiece of anti-bribery compliance. However, many of those same practitioners will tell you that such requirements are, at best, selectively enforced. Many complain that requesting audit rights or detailed questionnaires from true arm's-length third parties is usually met either with resistance, begrudging acceptance that requires constant policing or simple disregard. On the other hand, third parties argue that the certifications, questionnaires and audit rights are too burdensome, require too much due diligence or create too much contractual exposure.

One practical solution in this area: When you anticipate the resistant third-party reaction, arrive at the meeting with the third party with a completed questionnaire or certification for your own company. Present the questionnaire and certification to the third party with the message that you are only asking him or her to do what you yourself are doing. This shows good faith and dampens the usual argument against such measures — that they are too onerous or impossible to do.

Another staple of compliance programs is a means of recording all gifts made by employees to business partners. Although the Justice Department noted that the FCPA does not have a de minimis amount, the recent guidance suggested that “[i]tems of nominal value, such as cab fare, reasonable meals and entertainment expenses, and company promotional items” are not likely to prompt enforcement.

Many companies, in an effort to encourage higher gift-reporting compliance and to reduce administrative burden, have established thresholds below which employees do not need to report nongovernmental gifts. But what is the likelihood that the company can police employees for gifts of a low, but still reportable, amount? Many companies have addressed this issue by incorporating gift reporting into their automated reimbursement policy. This can be achieved by using corporate credit cards to track gift purchases and implementing policies for reimbursement that require explanations of the person to whom the gift was made, their relationship to the company or business and any other certifications.

Training is another staple of any compliance program. However, grand promises of robust training programs sometimes fizzle when confronted with the costs of implementation, from in-person training, to travel, to tracking of employee participation. Here again automation and technology can offer assistance. Many very sound web-based training programs exist that are automatically translated into the applicable language, can be completed by employees at their computer (if available), often include testing to ensure penetration of the concepts and provide an automatic record of completion for an audit trail. These programs help establish a good report card should the authorities question the real implementation of the compliance plan worldwide.

Another area that generates tension between the compliance need and the resourcing cost is the monitoring of compliance processes and procedures. As noted, it is a requirement under U.S. and U.K. legislation that policies and procedures are tested as to both their application across a company and their effectiveness in practice. Here are two practical steps for companies to improve compliance performance as well as manage already-stretched budgets:

• One of the first pieces of information requested in any investigation by regulators and enforcement agencies is an organizational chart — they want to know how the company is structured. Using that organizational chart as a basis on which to confirm the coverage of the compliance program will act as a useful test as to whether there are any gaps. In our experience, those gaps tend to identify the source of problems.

• Most large organizations have an internal audit function. Harnessing that resource for the purposes of testing compliance programs (in addition to its usual roles) will facilitate policies and procedures being investigated and improvements being implemented (with limited additional cost). Engaging the internal legal function in critical portions of that process will allow for appropriate oversight to be maintained to ensure the integrity of the process and to confer privilege. In our experience, the second item often requested by regulators is a copy of all relevant audit reports.

Do not set yourself up for failure. Think about your current business structure and how it can be utilized to comply with current compliance standards in the real world. There are a number of ways to tailor compliance programs to fit the risk, requirements and resources of an organization in a cost-effective manner. It just requires practical considerations and careful planning.

Dan K. Webb and Robb C. Adkins, partners at Winston & Strawn, concentrate on complex civil, regulatory and white-collar cases. Webb, the firm’s chairman, previously served as the U.S. attorney for the Northern District of Illinois. Adkins, the chairman of the firm’s white-collar, regulatory defense and investigations practice, previously served as an Enron prosecutor and as the nation’s top fraud official at the Department of Justice.