Issue link: https://digital.shearman.com/i/1265921
COMPLIANCE GUIDANCE FCPA DIGEST July 2020 22 positive, and they should make it easier for companies to engage in constructive dialogue regarding how their compliance programs should impact charging and sentencing decisions. Second, there are a number of revisions that appear geared toward providing more detail and nuance about the factors that the DOJ considers as part of its program evaluation, without actually altering the substance of what the DOJ has long emphasized. For example, the previous Compliance Program Guidance stated that prosecutors should make an "individualized determination" of compliance programs. The revised version explicitly explains that these factors include "the company's size, industry, geographic footprint, regulatory landscape," and "other factors, both internal and external to the company's operations." Those factors, as a practical matter, were already being considered by line prosecutors, but now the guidance is in writing. The revised guidance added several references to whether a company plans for and effectively implements post-acquisition or post-merger compliance program integration. These additions are by no means earth-shattering, but they provide clear, useful information and highlight minor changes that could improve a company's compliance program. Similarly, the revised guidance adds to previous guidance on how the DOJ evaluates the accessibility of a company's policies and procedures, stating explicitly that they should be published "in a searchable format." Third, there are a number of revisions that appear to be geared towards evaluating whether a company itself evaluates and tracks its compliance program. These are, in our view, the most substantive and noteworthy changes that were made. For example, the revised Compliance Program Guidance indicates that the DOJ would consider whether a company: • tracks or measures access to its compliance policies and procedures to understand what policies are attracting more attention from employees; • engages in a "periodic review" of its risk assessment "based upon continuous access to operational data and information across functions" and whether the periodic review has led to updates in policies, procedures, and controls; • employs "a process for tracking and incorporating" lessons learned from "prior issues" of the company and "other companies operating in the same industry and/or geographical region;" • evaluates the impact of training on employee behavior; • tests the compliance program, including the hotline, in terms of employees' knowledge and comfort in using it and in terms of "tracking a report from start to finish;" and • monitors "investigations and resulting discipline to ensure consistency." Put simply, these revisions further emphasize the DOJ's previously stated expectation that compliance programs must be dynamic and constantly improving based on informed self- assessment and feedback. Accordingly, complying with these directives to test, measure, and evaluate their compliance programs' efficacy will be critical to implementing the most effective program and to demonstrating this fact to the DOJ with credibility. Companies would be wise to take this opportunity to reassess their compliance programs, or at least incorporate the new DOJ Compliance Program Guidance into their next periodic self- assessment. After all, while the overall message and impact of the Guidance largely stays the same, the revisions do provide helpful clarification. Being able to demonstrate that companies are trying to keep up with evolving best practices will serve them well if problems are later uncovered. ARTIFICIAL INTELLIGENCE & COMPLIANCE PROGRAM REFORMS Recently, global brewer Anheuser-Busch InBev SA (AB InBev) announced it has implemented a new system of internal compliance, for the first time employing machine learning to root out corrupt conduct in a corporation's global dealings. Three years in the making, AB InBev's new compliance program, which it calls BrewRight, seeks to cut compliance costs by taking charge of the expensive and time-consuming review of the company's millions of daily payment transactions. It seeks to proactively monitor legal developments in risk-prone business relationships and to prevent violations of the corporation's legal obligations, including anti-bribery provisions to which it is subject around the world. AB InBev has faced some scrutiny in the past for its corporate misconduct with respect to its anti-bribery obligations, notably settling charges with the SEC in 2016 for its Indian subsidiary's violations of the books and records and internal controls provisions of the FCPA. That said, the settlement proved minor ($6 million) compared to that year's average FCPA settlement of $130.6 million (or $13.2 million excluding outliers). Matt Galvin, the AB InBev executive in charge of the development of BrewRight, has stated his intention to empower other companies to work with the technology to better the analytic capabilities of the platform. Significantly, the DOJ's Evaluation of Corporate Compliance Programs (which we discuss at length above) notes the need for compliance programs to be "empowered to function effectively" and to adapt to changing circumstances. In line with these revisions, AB InBev's use of data-driven compliance strategies, and its promotion that other companies follow suit, could set a higher bar for international compliance monitoring—and raise expectations of the