How to create an FCPA Compliance Program and Address Multiple Regulatory Requirements

Register for the August 27, 2014 Anti-Corruption / Anti-Bribery Webinar

Hosted by Orchid Advisors
Speakers: Jon Rydberg, Tom Fox and Jeff Grody
Webinar ID: 134-096-811
1pm EST

Join our webinar and get answers to the following questions:

  • How does your organization limit the risk of non-compliance? Can you list the controls?
  • Do you know what the prevailing global standards (U.S., Europe or elsewhere) are for an effective compliance program? And, what is the intersection between Anti-Corruption, ATF, ITAR, Import/Export or any other regulation?
  • Can you point to (or touch) your compliance program? What about your ethics program?
  • How do you mitigate the risk of bribery?
  • How do you mitigate inappropriate disbursements?
  • When was your last independent program assessment?

How to create an FCPA Compliance Program and Address Multiple Regulatory Requirements
(Excerpts from our Book: Global Anti-Corruption & Anti-Bribery Leadership – Practical FCPA and U.K. Bribery Compliance Concepts for the Corporate Board Member, C-Suite Executive and General Counsel; Credit Fox/Rydberg; 2013)

Setting Expectations

“Put simply, the prospect of significant prison sentences for individuals should make clear to every corporate executive, every board member, and every employee that we seek to hold you personally accountable for FCPA violations.” (Lanny Breuer, Assistant Attorney General, Criminal Division, U.S. Department of Justice, February 2010)

In 2010, Mr. Breuer made the full-bodied statement above. Using language that lacked the slightest hint of normal “government-speak,” he made it very clear that any individual caught violating the Foreign Corrupt Practices Act (FCPA) would be held accountable for his or her actions.

If the mantra “Simply put, don’t bribe” holds true, then maintaining compliance should be easy, right? Not necessarily. Enforcement agencies such as the U.S. DOJ and SEC and the U.K. SFO have established what they believe are reasonable standards for preventing and detecting non-compliant behavior. Organizations that conduct business in the U.S. or abroad can protect their stakeholders and shareholders by meeting or exceeding the standards set forth in the Federal Sentencing Guidelines §8B2.1, “Effective Compliance and Ethics Program,” amongst other prevailing models.

Before you read further, take out a pen and piece of paper. We are going to provide a few tips for answering the following questions.

  • How does your organization limit the risk of non-compliance? Can you list the controls?
  • Do you know what the prevailing global standards (U.S., Europe or elsewhere) are for an effective compliance program? And, what is the intersection between Anti-Corruption, ATF, ITAR, Import/Export or any other regulation?
  • Can you point to (or touch) your compliance program? What about your ethics program?
  • How do you mitigate the risk of bribery?
  • How do you mitigate inappropriate disbursements?
  • When was your last independent program assessment?


Selected Tips For Your Anti-Corruption/Anti-Bribery Program
(Adapted from Chapter 4 of our book)

The underlying principles of every compliance program should be essentially the same. That is, the frameworks available for creating compliance infrastructure, regardless of the source, are predominantly the same. The risk profile, extent of controls, and methods/tools deployed are what vary.

However, implementing a program that meets the necessary standards in a practical way can be a complicated, multi-year endeavor, requiring continued adjustment and maintenance. Sure, there’s a basic structure; but there is no ready-to-go, “one size fits all” program. Learn more in a recent Wall Street Journal article with Orchid’s CEO.

Establishing A Framework

The Federal Government has clear expectations for what defines an “effective compliance and ethics program.” As noted earlier, those expectations are clearly outlined in Chapter 8, Part B, §8B2.1 of the Federal Sentencing Guidelines and include the following, paraphrased:

  • Leadership and Tone from The Top
  • A Commitment to Compliance – Beyond the Tone
  • Measurement: Set at Zero Tolerance; Sometimes there is no materiality level…..
  • Standards and Procedures
  • Education and Training
  • Efforts to Exclude Prohibited Personnel with Due Diligence
  • Validation and Oversight

So, how is that also relevant to ATF compliance?

Before we review each of these, let’s discuss how they also impact pertinent regulations such as ATF compliance. The examples that follow are largely Anti-Corruption / Anti-Bribery related, so this segue should add a little more relevance to the firearms industry.

What is ATF…. Compliance?

Is it training? Is it a check-list based audit? Or, is it something else?

For those of us that strive to achieve recurring, low-risk compliance with any regulation, the solution is often found in: (1) A programmatic approach; and (2) Methods and controls that are embedded INTO operations and become a part of everyone’s daily activities. Compliance is not the reaction after a negative event has occurred.

For example, attendance at a training seminar or a report generated from a static mock inspection serves its purpose. These are point-in-time activities that give a buyer a snapshot of their status. But running a business is complicated and things change. Customers cancel orders, extra products are shipped, new executives are hired, personnel want new system access, engineering creates new products…etc. How do you ensure that your ongoing FFL operation remains compliant with a high degree of repeatability? It’s all about the program.

The good news is that it’s the same program (yes, only one) that serves as the backbone to comply with multiple regulations: Anti-Corruption, ATF, etc. Therein lies the intersection between your various regulatory responsibilities. If you approach these individually rather than as part of an integrated compliance program model, it could seem complex and will likely be expensive.

Remember, effective doesn’t have to be expensive. We’ve implemented models with the proverbial “duct tape and shoe string” as well as those with high-end ERP processing systems. The good news is that the Firearms Compliance University™ not only includes content specific to ATF compliance, but also addresses anti-corruption, ITAR, import / export and recommendations for implementing the program!

And so we continue….what are the programmatic elements that form a compliance program infrastructure?

1 – Leadership and Tone at the Top
Both the U.S. Federal Sentencing Guidelines and the Organization for Economic Co-operation and Development’s (OECD) Good Practice Guidance on Internal Controls, Ethics, and Compliance consider a best practice program to start with an unbreakable “Tone at the Top.”

The FSG reads: “High-level personnel and substantial authority personnel of the organization shall be knowledgeable about the content and operation of the compliance and ethics program … and shall promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”

The OECD Good Practice Guidance reads: “Strong, explicit and visible support and commitment from senior management to the company’s internal controls, ethics and compliance programs or measures for preventing and detecting foreign bribery.”

Everyone understands that a company leader must set the tone that the entity will not engage in corruption or bribery. However, “tone-at-the-top” encompasses more than simply saying the right things.  It represents a commitment to compliance, far beyond the “tone.”

2 – A Commitment To Compliance – Beyond the Tone
Compliance can occasionally be seen as a priority that competes with the achievement of top-and-bottom-line financial goals. One of the challenging tasks that corporate leadership can undertake is to ensure that these two elements do not compete, but rather exist synergistically. Senior executives are expected to ensure that compliance objectives are achieved despite the distraction of competing objectives.

Typically, demonstrating such a commitment consists of any one or more of the following actions:

  • Being part of the selection and training of senior managers to lead anti-corruption/anti-bribery work;
  • Creating an independent reporting hotline (“whistleblower”) and providing methods to promote it through company posters, pamphlets, and events;
  • Remaining engaged and/or involved in oversight of appropriate third party business partners;
  • Demonstrating oversight of procedure violation; and,
  • Assessing the status of compliance and providing feedback to the Retail Store Owner, General Manager or Board of Directors.
  • Find other examples in our guide: Global Anti-Corruption & Anti-Bribery Leadership

A commitment to compliance can be articulated with three words: leadership, ownership, and accountability. Without all three concepts firmly in place, your best compliance efforts could fail.

  • Leadership – Demonstrated by making compliance with rules and regulations an equal metric, on par with quality, safety, and financial performance.
  • Ownership – Individual responsibilities should be established in the company’s organization chart and throughout its job descriptions; otherwise, it becomes intangible and cannot be measured or managed. It is important to distinguish between those who are Responsible, Accountable, Advisors and Monitors.
  • Accountability – Without accountability, your compliance efforts could be meaningless. Directives of middle and upper-management may get ignored by those employees who know that, despite their actions, they will not be held accountable. Accountability is the glue that binds policies, procedures, and execution together.

3 – Measurement: Set at Zero Tolerance; Sometimes there is no materiality level…
A natural opening question might be: What standards do you set for other regulations (ex: ATF), and how do you determine whether they are appropriate? What defines success?

There are several steps that a company can take to establish a zero-tolerance policy towards corruption and bribery or related levels for other regulations. For instance, there could be a formal, written statement establishing policies that direct the business towards an atmosphere of integrity and compliance.  In fact, there can be several forms of communication, which might be tailored to different audiences within the company. Ideally, these would be generally available on a company’s intranet site or simply printed in a binder in the Store Manager’s office desk. Let’s look at what a formal statement might include.

Cornerstones of a formal statement might include:

  • A commitment to carry out business fairly, honestly, openly, and with transparency;
  • A commitment to zero-tolerance towards corruption and bribery;
  • The negative consequences of breaching the policy for both general employees and managers;
  • The negative consequences of breaching contractual provisions relating to regulatory compliance standards formally sent and/or communicated to channel partners;
  • Find other examples in our guide: Global Anti-Corruption & Anti-Bribery Leadership

4 – Standards and Procedures
Standards (or policies) are an organization’s written rules in response to the law and/or other company expectations. Procedures (or work instructions) provide employees with the methods to achieve compliance with those policies.

These standards and procedures are critical towards achieving and maintaining compliance for the following reasons:

  • Personnel join and leave the organization and knowledge needs to be retained;
  • Lack of written standards can lead to variability in transaction quality; and,
  • Employees only retain a small percentage of the information that they receive through training sessions. Written reference material is critical.

How does a company decide what its standards and procedures should be? Well, by asking basic questions about the business, how it works, and where it conducts business. Here are some examples:

  • Will the company do business in countries with high corruption ratings, as defined by the Transparency International Corruption Perceptions Index?
  • Will the company use an internal sales force? Or will that function be outsourced?
  • If the company will use an external or outsourced sales force, will it be commission-based?
  • Does the company offer a standard set of discounts? Or will it vary them by country?
  • Find other examples in our guide: Global Anti-Corruption & Anti-Bribery Leadership

Other areas where standards need to be set include email and communications, travel and entertainment, gifts, and ethical behavior for the organization. Many of these items are inherent to a well-written Code of Conduct and Corporate Policy set.

While there are several methods for making standards and procedures available to employees, the following key factors should be considered:

  • There should be a formal process for developing, releasing, changing, and deleting policies and procedures documentation. The process should be standardized, repeatable, and, ideally, managed by an independent resource in the organization.
  • There should be a formal process for communicating new or revised policy and procedure documentation.
  • There should be a formal process for controlling and distributing the policies and procedures documentation, including, but not limited to: hardcopy distribution that is maintained in a central, controlled department binder; revision-controlled handbooks that can be distributed at the employee desk level; and online and web-based repositories.
  • Find other examples in our guide: Global Anti-Corruption & Anti-Bribery Leadership

Recommended standards and procedures might, amongst others, include the following:

  • A Code of Conduct and Ethics
  • Your Compliance Program, Defined
  • List Of Prohibited Activities
  • Conflicts of Interest
  • Gift and Gratuities
  • Travel and Entertainment
  • Free Goods and Promotional Activities
  • Delegation of Authority and Approval Matrix
  • Third Party and Employee Due Diligence Procedures
  • Find other examples in our guide: Global Anti-Corruption & Anti-Bribery Leadership

5 – Education and Training
Education and training can come in many different forms. While everyone in the organization should be trained on core ethics and compliance principles, some may require deeper levels of teaching. For example, those employees involved in international sales and marketing, legal, compliance, and the accounting departments have a greater responsibility due to their roles as international transaction “control owners.” Having a deeper level of knowledge becomes a great aid in stopping corruption issues before they happen.

An organization’s investment in education and training does not need to be significant in order to be effective. In fact, small investments in this area often have the greatest bang for the compliance buck. While solid business processes and system controls can limit the risk of undesired outcomes, it is the mass of employees who process transactions that have the single greatest impact on achieving compliance. Judgment often becomes a key element in doing the right thing.

How proper training is achieved is dependent upon an organization’s size, technological maturity, and existing culture. But, regardless of those factors, there is no more effective method than a recurring program that consists of:

  • New hire training
  • Department / Role-specific training
  • Recurring annual training

There are many generic, off-the-shelf solutions for such knowledge. And, you might be able to find some regional in-person sessions around the country.

However, there is only one training available today that covers all of the topics we’re addressing today in an online format. Moreover, it’s available on a real-time basis, right at your computer fingertips. And even better, it is updated when the regulations change. You won’t get that in static training sessions. Visit the Firearms Compliance University today.

6 – Efforts to Exclude Prohibited Personnel with Due Diligence

While most compliance practitioners are certainly aware of the need to perform due diligence, they may not understand its continued role in third party relationships. From this perspective, its role can be divided into past, present, and future.

Past – Obviously, your company wants to know with whom they are doing business, and whether the person or entity is a channel partner, joint venture partner, or exists under some other business relationship. This is also true for acquisitions. But due diligence is more important than providing a “check-the-box” activity pertaining to the past activities of a third party; it is an important tool in the overall international efforts to fight firearm theft, corruption and bribery. It supports your company’s Code of Conduct, protects your reputation, and allows the early discovery of deal-breakers before it’s too late.

Present – So what are some types of information that you should obtain in due diligence? The following is a good place to start (ref: Orchid Advisors and Tabor).

Future – The future involves proactive diligence, enabling you to identify red flags in the diligence process before you engage in business with an unwanted party. Diligence, alongside strong contracting and third party training, will become an indispensable tool in your overall enterprise risk management efforts. It is considered a best practice to share your Code of Conduct with third parties and draw attention to internal reporting hotlines for questions and concerns. Key considerations include:

  • Clearly communicating that bribery and corruption are not tolerated;
  • Using your due diligence to review and improve existing contracts; and,
  • Suggesting that the third party adopt a compliance program similar to yours. Alternatively, you may provide training on specific issues.

It is important to note that the “future tense” also speaks to the need for ongoing due diligence monitoring, a critical element and best practice for every program. This is simply because things change.

Practically speaking, diligence can be performed many ways. In our careers, we’ve made use of materials and services provided by:

  • Transparency International
  • Trace International
  • Google (and other basic internet search tools)
  • World Compliance
  • World-Check
  • Dow Jones Factiva
  • U.S. OFAC databases
  • Amongst many others

7 – Validation and Oversight
In the compliance world, process validation comes through oversight. More than one of the compliance program standards call for companies to monitor, audit, and respond quickly to allegations of misconduct. These highlighted activities are key components for which enforcement officials will look when determining whether companies maintain adequate oversight of their compliance programs.

Monitoring is management’s commitment to reviewing and detecting transaction errors in real-time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis.

Auditing is an independent, targeted, and in-depth review of specific business processes, systems, or transactions. You should not assume that, because your company conducts independent audits, it is effectively monitoring.

A robust compliance program should include separate functions for auditing and monitoring. While unique in protocol, the two functions are related and can operate effectively in tandem. Monitoring activities can occasionally lead to audits. For instance, if management identified a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to call Internal Audit, under legal privilege, to perform an evaluation of transaction compliance.

The concept of management executing, controlling, and monitoring is also inherent in tangential laws such as Sarbanes-Oxley (SOX). Responsibilities of the certifying officers under SOX are not too dissimilar from other regulatory standards. Both require a defined program of internal controls that have established owners and are independently tested for proper design and performance. In fact, many of the internal controls subject to a SOX evaluation would be included in an FCPA program evaluation. For example, think of the “key control” that resides within the Accounts Payable department to evaluate the appropriateness of disbursements in accordance with an established approval authority matrix. While the two laws have separate objectives, the definition of the control and the nature of the test may be very similar. This is one of the reasons why the SEC plays a key role in FCPA investigations – it is to evaluate the internal controls over financial reporting and ability to prevent or detect fraud.

How you audit or monitor can vary considerably. “Old-school” methods of checklist-based auditing have some level of effectiveness, but cannot touch the power of modern, real-time dashboards. In our experience, we’ve designed data scripts that reside over the top of ERP systems and highlight significant red flags. They provide early warning systems over volumes of data that would simply be impractical for a human auditor to detect. Real-time dashboards might include:

  • High discount levels in a particular country;
  • Excessive entertainment receipts for a given employee;
  • Significant margins on lower margin products; or,
  • Higher commission rates or volumes, amongst others.
  • Find other examples in our guide: Global Anti-Corruption & Anti-Bribery Leadership
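The following is an added example of the kind of red-flag script described above; it is not code from the book or from Orchid’s own ERP dashboards. The transaction rows are constructed sample data, and the field names, the policy ceilings (maximum discount, commission cap, entertainment limit) and the “three times the peer median” rule are assumptions standing in for whatever your ERP export and delegation-of-authority matrix actually define. The point it demonstrates is the two-layer check a practitioner wants: an absolute policy ceiling that always applies, plus a peer comparison that only runs when there are enough groups to compare.

```python
"""Red-flag checks over an ERP transaction export (added example).

The rows, field names and thresholds below are constructed assumptions;
replace them with your ERP export and your approval-authority matrix.
"""
from collections import defaultdict
from statistics import median

# Constructed sample export: sales, entertainment claims and agent commissions.
SAMPLE_ROWS = [
    # sales: list price vs. net price lets us derive the discount granted
    {"kind": "sale", "country": "DE", "employee": "e1", "list": 1000, "net": 920},
    {"kind": "sale", "country": "DE", "employee": "e1", "list": 1000, "net": 900},
    {"kind": "sale", "country": "FR", "employee": "e2", "list": 1000, "net": 910},
    {"kind": "sale", "country": "FR", "employee": "e2", "list": 1000, "net": 930},
    {"kind": "sale", "country": "ID", "employee": "e3", "list": 1000, "net": 600},
    {"kind": "sale", "country": "ID", "employee": "e3", "list": 1000, "net": 550},
    # entertainment receipts submitted by each employee this period
    {"kind": "entertainment", "country": "DE", "employee": "e1", "amount": 120},
    {"kind": "entertainment", "country": "FR", "employee": "e2", "amount": 150},
    {"kind": "entertainment", "country": "ID", "employee": "e3", "amount": 2400},
    {"kind": "entertainment", "country": "ID", "employee": "e3", "amount": 1900},
    # commissions paid to third-party agents, as a fraction of deal value
    {"kind": "commission", "country": "DE", "agent": "a1", "rate": 0.05},
    {"kind": "commission", "country": "ID", "agent": "a2", "rate": 0.18},
]

# Assumed policy ceilings: anything above these is a flag regardless of peers.
MAX_DISCOUNT = 0.25          # from the delegation-of-authority matrix
MAX_COMMISSION_RATE = 0.10   # contractual cap for sales agents
ENTERTAINMENT_LIMIT = 1000   # per-employee total per period that requires review


def discount(row):
    """Discount granted on a sale, as a fraction of list price."""
    return 1.0 - row["net"] / row["list"]


def group_mean(rows, key, value):
    """Average of value(row) for each distinct row[key]."""
    sums, counts = defaultdict(float), defaultdict(int)
    for r in rows:
        sums[r[key]] += value(r)
        counts[r[key]] += 1
    return {k: sums[k] / counts[k] for k in sums}


def group_sum(rows, key, value):
    """Total of value(row) for each distinct row[key]."""
    totals = defaultdict(float)
    for r in rows:
        totals[r[key]] += value(r)
    return dict(totals)


def flag(metric, ceiling, factor=3.0):
    """Return {key: [reasons]} for keys breaching a policy ceiling or far above peers.

    The peer test needs at least three groups; with fewer there is no meaningful
    "normal" to compare against, so only the absolute ceiling applies. That keeps
    a two-country business from flagging one of its countries every period.
    """
    reasons = defaultdict(list)
    for key, v in metric.items():
        if v > ceiling:
            reasons[key].append(f"{v:.3g} exceeds policy ceiling {ceiling}")
    if len(metric) >= 3:
        peer = median(metric.values())
        for key, v in metric.items():
            if peer > 0 and v > factor * peer:
                reasons[key].append(f"{v:.3g} is more than {factor}x the peer median {peer:.3g}")
    return dict(reasons)


def run_dashboard(rows):
    """Run the three checks named in the text over one export and return the hits."""
    sales = [r for r in rows if r["kind"] == "sale"]
    ent = [r for r in rows if r["kind"] == "entertainment"]
    comm = [r for r in rows if r["kind"] == "commission"]
    return {
        "discount_by_country": flag(group_mean(sales, "country", discount), MAX_DISCOUNT),
        "entertainment_by_employee": flag(
            group_sum(ent, "employee", lambda r: r["amount"]), ENTERTAINMENT_LIMIT),
        "commission_by_agent": flag(
            group_mean(comm, "agent", lambda r: r["rate"]), MAX_COMMISSION_RATE),
    }


if __name__ == "__main__":
    for check, hits in run_dashboard(SAMPLE_ROWS).items():
        for key, why in hits.items():
            print(f"[{check}] {key}: {'; '.join(why)}")
```

On the constructed data this flags Indonesia on discounts (both the 25% ceiling and the peer test fire), employee e3 on entertainment, and agent a2 on commission rate by the ceiling alone, since two agents are too few for a peer comparison. In practice the rows would be pulled from the ERP on a schedule and the hits routed to the monitoring owner, with a sustained trend in one country being the trigger for the privileged audit the text describes.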


If you “believe” your organization is compliant because: (1) you provided training; (2) you have an “honest” culture; or (3) because a Federal investigator hasn’t told you otherwise, you may be putting the corporate enterprise at increased risk.  There is a difference between being “compliant” and having a “Compliance Program.”

How did you do in answering these questions? Call Orchid if you need any assistance.

  • How does your organization limit the risk of non-compliance? Can you list the controls?
  • Do you know what the prevailing standard and U.S. Government’s expectations are for a Compliance Program?
  • Can you point to (or touch) your Compliance Program? What about your Ethics program?
  • How do you mitigate the risk of bribery?
  • How do you mitigate inappropriate disbursements?
  • When was your last independent anti-corruption/anti-bribery program audit?