- What efforts has the company made to implement and monitor policies and procedures that reflect and deal with the spectrum of risks it faces, including changes to the legal and regulatory landscape?
- Has the company taken reasonable steps to ensure its compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct? Has the effectiveness of the organization’s program been evaluated periodically?
- How does the company engage in ongoing monitoring of its third parties?
These are the questions that prosecutors are instructed to ask when they evaluate and assess how comprehensive, responsive, and effective a compliance program is during a Foreign Corrupt Practices Act (“FCPA”) investigation. The FCPA is not the only cross-border anti-corruption law that highlights the importance of monitoring. The UK Bribery Act also addresses compliance monitoring as one of its six principles and recommends that organizations conduct monitoring in order to prevent bribery. But what exactly is compliance monitoring and where is it positioned within the scope of compliance programs?
What Is Compliance Monitoring in General? Why Is It Necessary?
Due to the FCPA’s clear stance regarding the necessity of effective and comprehensive ethics and compliance programs, many international companies have already designed and implemented their programs. They have allocated significant resources to identify their needs and to create tailor-made programs that work honestly and efficiently in practice. As a result of these efforts, the FCPA also expects an appropriately designed compliance program to mitigate and control risks and to respond promptly to prevent misconduct and noncompliance before such risks turn into damaging situations for a company. But how can companies recognize whether their compliance programs work effectively? How can they detect weak points that require improved control mechanisms? How can they ensure that their employees fully understand and correctly implement the company’s policies and procedures? This is exactly what compliance monitoring is designed for.
Compliance monitoring is the most essential mechanism of compliance programs because it enables companies to recognize whether their compliance program has been implemented in practice and whether it is practicable, responsive, and suitable for the characteristics of the company.
Compliance monitoring, as the most effective tool of compliance programs, concisely means the “oversight” of the company’s operations and activities, both in light of local and binding cross-border regulations and the company’s local and global policies, procedures, and ethical rules. A compliance monitor must first check whether a company’s activities are in compliance with the local and cross-border laws, regulations, and practices, and if necessary, must seek cross-border legal support to ensure regulatory compliance. However, a one-off regulatory compliance check will not be enough, as companies typically operate within a dynamic business environment. Business activities and services may rapidly change; for instance, companies may undertake mergers and acquisitions, enter into new business with state-owned entities, and/or cooperate with new private business partners. For this reason, the effectiveness of risk assessment and monitoring should be reviewed periodically to ensure that compliance programs remain relevant in changing business conditions.
Companies’ policies and procedures, particularly at multinational companies, may be stricter than applicable laws or could require higher standards. Therefore, it is initially key to understand the internal policies, principles, and standards of a company, and to monitor its operations based on those standards in order to detect any unexplained deviations and unapproved concessions. The coherence of the policies and principles with a company’s de facto situation and characteristics should also be monitored. The monitor should consider that a company’s policies, procedures, and standards may not be adaptable or suitable based on its size, operations, location, jurisdiction, etc. During an audit or an investigation, both the audited firm and the authorities primarily check whether the company’s own principles and procedures have been ignored, or noncompliance has been allowed. Were any such deficiencies detected at this point, a defense claiming that “the company’s procedures were abolished and not applicable to the company’s operations” would not be accepted. Therefore, in light of the “do what you write” principle, compliance monitors must act proactively if they realize a company’s need for a change in policies and procedures. Occasionally these changes may not be accepted at the global level and may require subsidiaries to apply differing practices locally. In such situations, to prevent any self-ordained practice, some sui generis actions and decisions can be taken by the management to ensure compliance with the local standards and not to allow any out-of-spec activities. This is a point that differentiates compliance monitoring from an audit; compliance monitors are put in place to detect both noncompliance and its root cause. They do not monitor to punish a company, but rather to take the right actions to ensure its compliance before an audit.
Understanding the relevant industry is also crucial in compliance monitoring. Compliance monitoring requires the monitoring of operations and decisions with a general business mindset, business rationale, industry-specific necessities, relevant compliance software programs, and operational rules. This is because some non-compliant practices can be hidden behind completely legal activities; however, when monitoring with a wider perspective and a business mindset, such activities can be recognized as unreasonable for a business or industry. Accordingly, we highly recommend that compliance professionals who are unfamiliar with an industry have monitoring support from a monitor experienced within the industry. In almost all sectors there are gray areas and unregulated activities that require deeper monitoring to prevent non-compliant practices that can be easily hidden.
Monitoring Results Provide a Roadmap
“Prosecutors should likewise look to whether a company has taken “reasonable steps” to “ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct,” and “evaluate periodically the effectiveness of the organization’s” program.”
The DoJ’s Evaluation of Compliance Programs refers to the above provision to highlight the aim and importance of compliance monitoring.
Company managers can demonstrate their decisiveness in implementing a compliance program through: (i) conducting ongoing compliance monitoring; (ii) allocating sufficient budget, employees, and resources; (iii) empowering the monitoring function by taking the monitoring results seriously; and (iv) effecting tone-at-the-top and taking immediate action to remediate monitoring results. Employees must be instructed and encouraged to support compliance monitors in order to obtain accurate and transparent results. Compliance monitoring is not an audit, so monitoring results that demonstrate poor compliance can be addressed with a remediation program. A worse scenario, which could have more severe consequences, would be inaccurate monitoring results concealing misconduct that is subsequently revealed in an audit or investigation.
The “ongoing” nature of monitoring is crucial. It must be considered that the “non-compliant” characteristics of some practices arise from their recurring nature, hence they can only be revealed through regular and ongoing monitoring.
Compliance monitoring is the core tool of all ethics and compliance programs, empowering their efficiency and practicability. Companies can ensure compliance with national and/or international regulations (for both on-site and internal activities) only with an effective compliance monitoring process. Effectively designed compliance monitoring should be tailored to reflect the characteristics of a company, its size, country of operations and the unique dynamics of its industry. Compliance monitoring should be conducted on a continuous basis and its coherence and effectiveness should be evaluated periodically. It should be noted that enforcement authorities will not only consider whether a compliance program exists; they will focus on its implementation, its company-wide application, senior management’s support and supervision in creating a compliance culture within the firm, and appropriate resource and budget allocation.
 U.S.S.G. § 8B2.1(b)(5).
Kemal Altuğ Özgün
Zeynep İnceer Üçgül