Issue link: https://digital.shearman.com/i/1265921
COMPLIANCE GUIDANCE FCPA DIGEST July 2020 21 COMPLIANCE CHALLENGES IN A COVID-19 WORLD It goes without saying that COVID-19 has placed the global economy under a significant strain, particularly in sectors tied to healthcare. In times of such economic stress, companies and their employees may find themselves tempted to skirt compliance laws or to de-prioritize compliance programs in favor of more "essential" business functions. This can be especially appealing when faced with exigent pandemic-response demands and foreign government officials who may seek to capitalize on the circumstances. Additionally, an increased flow of foreign aid to troubled areas provides opportunity for abuse, although based on litigation trends, COVID-related fraud is potentially rampant in the U.S. as well. As companies respond to the crisis, there are many opportunities for compliance-related risks to manifest. For example, corrupt customs officials who know the importance of getting medical supplies across borders may feel more empowered to demand bribes from companies. This and other compliance-related problems can be compounded by the difficulty of monitoring employees who now work remotely. Increased demand can cause significant shifts in the supply chains that are available to companies. Companies may find themselves wanting to partner with entities they have not fully vetted out of a desire for expediency. The urgency of need for medical supplies places greater pressure on customs agents across globe, giving greater leverage to corrupt officials seeking to extract value from companies attempting to respond to global needs. Other priorities are whistleblowing and hiring decisions. However, companies should guard against letting their compliance controls slip, even as they rise to meet the challenges presented by COVID-19. Both the DOJ and the SEC have announced that they will continue enforcement measures despite logistical hurdles, and they have singled-out COVID-19- related infractions as those of potential interest to authorities. Historically, crises of this magnitude (e.g., the Financial Crisis of 2008) tend to be followed by periods of heightened enforcement, which may already be materializing. As we discuss below, DOJ has also recently published revised guidelines for how it evaluates compliance monitoring systems, emphasizing the reasoning behind the system's design, how well it is resourced, and the system's ability to evolve to meet new challenges. One way of combatting the potential risk associated with this unusual time is to ensure that compliance programs assess and reassess the risk landscape as it shifts under the tremors of COVID-19's impact. By remaining vigilant, compliance programs will be better able to foresee, mitigate, and neutralize threats as they arise—and demonstrate a track record of responsive diligence to inquisitive enforcement authorities. Towards that end, compliance programs should consider conducting trainings specific to this context, take greater steps to monitor risks associated with remote work, add temporary layers of approval requirements for risk-heightened spending decisions, and regularly review and audit internal processes. DOJ REVISES CORPORATE COMPLIANCE PROGRAMS GUIDANCE On June 1, 2020, the DOJ released a revision of its guidance on the Evaluation of Corporate Compliance Programs, which provides companies with general principles and factors to consider when designing, implementing, and updating their compliance policies and procedures. It also provides a useful basis for companies seeking to avoid or mitigate prosecution pursuant to the DOJ's "Principles of Federal Prosecution of Business Organizations" and the U.S. Sentencing Guidelines, both of which require DOJ prosecutors to consider a company's compliance program as a factor in their decisions to initiate a case and in terms of punishment. While the revisions to the Compliance Program Guidance generally represent incremental changes, there are sufficient updates that companies may still want to take this opportunity to reevaluate existing compliance programs to ensure that they are keeping step with evolving best practices. Indeed, the revisions to the text are so minor that a line-by-line comparison was needed to identify all the changes—but they still represent important changes, which we have broken down into several thematic categories. First, and perhaps most critically, some of the DOJ's revisions to the Compliance Program Guidance have the effect of reducing some of the arguably bright-line, determinative aspects of the previous version by adding language confirming that the DOJ recognizes that compliance programs are not one-size-fits- all. For example, in the previous guidance, the question of whether a compliance program is "being implemented effectively" becomes whether it is "adequately resourced and empowered to function effectively" in the new version. This change reveals the DOJ's increasing focus on quality over mere quantity. In terms of training, the DOJ makes it clear that longer is not always better, citing companies that use "shorter, more targeted" sessions as a positive example. The DOJ also adds that the "need for" due diligence of third parties—rather than just the degree of due diligence—"may vary based on size." Finally, the DOJ acknowledges that a company's compliance program outside the U.S. might be affected by local law, and it will consider the limitations and requirements of foreign law as part of its evaluation. On balance, we view all of these changes as