Your International Compliance Playbook

By Lanny Breuer and Peter Lichtenbaum
January 31, 2015

The phone rings, and the CEO tells you she's planning an acquisition of a target that has operations in Europe and Asia. She's focused on the potential to develop technology 24-7 and get closer to the global customers. Of course, your job is to get regulatory approval and maintain compliance once it happens. As you start to consider the requirements of antitrust reviews, foreign investment restrictions, trade controls and data protection, some involving non-U.S. law, you suddenly find yourself paralyzed by one thought. How are you supposed to manage them all?

Many corporations are facing similar challenges as their international business expands. The legal regimes have become much more complicated. And many more countries have imposed regulatory requirements in recent years, such as European sanctions and China's anticorruption and antitrust/competition rules. As companies expand, the regulatory burden can become onerous. And compliance and legal departments are being asked to do more with less, making well-designed compliance programs all the more critical.

Here are tips to consider when designing or revamping yours.

One Size Does Not Fit All

While “best practices” should serve as a benchmark for any centralized compliance program, a successful one must be carefully adapted to the particular culture and circumstances of the company. It's also important to consider the particular ways that regulations are most likely to affect its operations. Otherwise, it can find itself devoting unnecessary resources to compliance activities that don't add much value. For instance, there's no point in implementing a stringent international anti-boycott policy if your company doesn't do business in the Middle East, from which most boycott requests emanate.

A good place to start is carefully assessing your company's needs. Some leading organizations work on their culture by designing programs to address the strengths and weaknesses identified in employee surveys and focus groups. This advance planning often pays off.

Another essential assessment is a company's risk. Companies will want to identify their more sensitive technologies, regional operations, interactions with governments and third parties, etc. It's particularly important to fully consider compliance needs outside a company's home jurisdiction. Headquarters may not be as familiar with those laws.

Integration Is Key

Most compliance activities such as anti-corruption, trade controls and data protection are isolated from each other, resulting in inefficiency. An integrated compliance operation centralizes review and therefore can take advantage of processes that can serve more than one objective, saving money and time. For instance, due diligence on third parties can serve both anti-corruption and trade controls compliance.

An integrated compliance operation can also identify and resolve tensions between regulatory mandates. For instance, screening of employees and business partners may be important for trade controls, but can present issues for data protection. That's because some European data protection laws have been interpreted to restrict companies' ability to screen their employees against the U.S. lists of restricted parties. Similarly, transfer pricing approaches among related companies may be preferred from a tax planning standpoint, but may create unnecessary issues or risks from a customs standpoint, so it is important to consider both tax and customs when structuring the scheme.

Or, in order to achieve corporate social responsibility objectives, companies may want to share information with their competitors regarding “bad actors” in the supply chain. But this information exchange can also present antitrust risks. Proactively managing high-net-worth expatriate employees with increasingly complex cross-border arrangements presents numerous compliance issues: corporate tax (permanent establishment and transfer pricing), anti-corruption, immigration and forum-shopping in severance scenarios. This may require careful coordination. In general, better understanding and communication among compliance areas can achieve significant benefits. The person who leads on anti-corruption issues may become aware of weaknesses in a particular business unit's compliance function, and given the risk that these could affect other compliance areas (such as trade controls), it's important to promote regular sharing of information. Some successful organizations address this by establishing compliance committees that meet regularly to identify and share enterprise-wide risks.

Thus, instead of “silos” of compliance, integrated compliance promotes cooperation across substantive areas. Specifically, it seeks to: 1) achieve efficiencies by leveraging compliance that may be useful for more than one area; 2) promote consistent approaches by minimizing the potential that a procedure in one area may create risks in another; and 3) foster a culture of communication and teamwork.

Don't Fix It and Forget It

Government regulators increasingly emphasize that companies should treat compliance as a “living program” that is constantly evolving in response to changes in the company (acquisitions, technology developments, employee responses to surveys); the company's record of compliance successes and failures; and changes in regulations and enforcement policies.

We see leading companies regularly reviewing their compliance programs to ensure that they remain current. One major international consulting firm fully reviews key programs every three years, on a staggered basis, and also does interim reviews annually. This is not overly costly, and it helps the company prevent gaps that could arise if it fails to take account of changes in its business or the law.

A company that experiences a significant compliance failure, or a success, should use that experience as a teaching tool for employees. These events are highly valuable data; they show employees how “it can happen here.” Moreover, a failure may suggest a weakness in the company's procedures. It can identify “red flags” that warrant review. Conversely, a success is an opportunity for employees to learn from an excellent response, and to boost morale by praising and rewarding those involved.

Remember the Human Element

The inherent complexity of even a well-designed program leaves compliance leaders with much discretion. Companies depend on experienced, thoughtful personnel who can say no when required, but who can also identify legitimate ways for business to proceed. Consequently, a strong compliance function requires significant, sustained investment in human capital through measures such as high-quality recruitment, appropriate rewards (including compensation and career paths) and the routine involvement of compliance personnel in business planning and decision-making.

It is equally important for companies to focus on compliance and ethics in their workforce outside the formal compliance function. For example, a company's human resources function should give due attention to a candidate's background and attitude on these issues in the recruiting and on-boarding process, particularly for a role that involves risk for the company (such as a salesperson who deals directly with customers and third parties). Additionally, compensation should take into account compliance and ethics, including at senior levels of the company, in order to provide a clear message and incentive regarding the importance of execution on these corporate goals. Managers in particular should be incentivized to promote ethical values at all times.

Finally, it is important for training and audit/assessment to involve two-way communication. Employees can often pinpoint potential challenges (either noncompliance issues or feasibility concerns) because not only are they knowledgeable about the current business operations, they often have a greater understanding of how issues have been handled historically. Similarly, persons conducting assessments generally should approach the interaction as an opportunity for discussion about how the business unit is handling an area and how it can improve, rather than a test that must be passed. Such a two-way model will build confidence and trust between the business and the compliance function, a relationship that is critical to long-term success.

Violations Found: Now What?

Once a company has identified an apparent violation, it is important to have a strong process to assess: 1) whether there is really a violation and, if so, its nature and significance; 2) whether to disclose the violation to the government and commercial customers; and 3) how to modify compliance procedures in light of the violation.

In assessing the apparent violation, it is important to establish a good process for evaluating its significance and scope in order to plan who will conduct the review and what steps are appropriate. One size does not fit all when it comes to investigations, and the review should be appropriately calibrated. For instance, is this a serious violation that may also exist at other business units? Is the review occurring in a European jurisdiction, where it is necessary to involve outside counsel in order to maintain the attorney-client privilege over the findings?

In addition, it is vital to stress that investigations and disclosures are a “no-spin zone.” The company relies on all employees to be fully candid in their responses. In the United States, in particular, enforcement authorities have recently penalized companies for inaccurate or incomplete statements in their voluntary disclosures.

Some firms advise that once a violation is discovered, the company must be committed to full and complete disclosure to appropriate authorities. However, this “automatic” approach may not best serve a company's interests. The attitude toward voluntary disclosures is quite different in Europe than in the United States, with European regulators frequently unwilling to provide any “mitigation credit” for a disclosure.

Even in the United States, it is important to consider the perspective of the particular agency with jurisdiction over the violation. Some agencies expect disclosure in all cases, such as the U.S. Department of State's Directorate of Defense Trade Controls, and most if not all U.S. agencies provide substantial mitigation for voluntary disclosure. Yet it is not clear, given the consequences of disclosure, that companies are always best served by disclosing. In the anti-corruption area, for instance, it may sometimes be preferable for a company to fully investigate the issue and fix the problem that led to the violation without disclosing it to the Justice Department (assuming that disclosure is not required under the Federal Acquisition Regulations).

In deciding how to enhance compliance procedures after a violation, the first step is recognizing a need to focus hard on this issue. Regulators will expect a company to carefully analyze the root causes of the violation and develop corrective actions that are appropriately tailored. A company should also consider whether the compliance failure is limited to the business unit where it happened, or whether there is a need to look more broadly at how the company is managing the issues across business units. Since not every failure warrants an across-the-board review, the key is to have a strong evaluation process.

Finally, once corrective actions are identified, a company should use a “project management” approach to ensure that the actions are fully implemented in a timely manner.


Lanny Breuer, vice chairman of Covington & Burling, was one of the longest-serving assistant attorneys general for the Criminal Division at the Justice Department, and served as special counsel to President Bill Clinton. Peter Lichtenbaum, cochair of the firm's international trade and finance practice group, practices in a broad array of international regulatory compliance and trade matters. This article also appeared in Corporate Counsel, an ALM sister publication of this newsletter.
