A well-designed and well-implemented compliance programme is a critical component of corporate governance. But even the best-designed programme will be ineffective if there is not regular and effective communication about the programme within an organisation. Many companies spend a great deal of time, resources and effort on creating policies and procedures and designing compliance programmes, but not nearly enough on actually communicating about the programme to the people who need to understand and live compliance each day. Indeed, the time, resources and effort a company spends on training and communication can be a good indicator of its commitment to ethical behaviour.
Fundamental to an adequate communications and training programme is ensuring that the personnel to whom a compliance programme applies – typically an organisation’s employees, agents, executives and board – truly understand the risks to which the organisation is exposed, the content of the compliance controls that are in place to mitigate those risks, and their responsibilities for implementing the compliance controls. That begins with the actual rollout of the programme, especially the clear communication of policies and procedures, continues with training and must include as a key element regular communications of the type we discuss in this chapter. Only by regularly communicating with stakeholders can an organisation translate its guiding principles and its policies into actions that minimise risk.
With this in mind, US regulators and enforcement agencies have identified essential principles relating to communications and training surrounding an organisation’s compliance programme that can affect its overall effectiveness. Especially in light of the compliance explosion in Latin America of the past several years, we discuss the practical lessons of these principles throughout the chapter. In particular:
An obvious caveat is that, in different organisations and even within the same company, there is no one-size-fits-all approach to communications and training. Different business lines or geographies, for example, are likely to require different approaches. And among different companies and industries, those differences might be more pronounced, as a medium-sized baked goods factory in Colombia will clearly have vastly different concerns from a large financial institution in Brazil. This chapter seeks to outline general best practices across industries and compliance issues, but they should of course be tailored to the particular characteristics of each company and the company component to which they apply.
Regulatory and enforcement agencies around the world expect a company’s board of directors and executive management to communicate their expectations and set the tone for a culture of compliance. Regulators carefully judge executive management’s level of commitment and oversight of an organisation’s compliance programme when evaluating its effectiveness, and several have flatly stated that enforcement decisions often can be traced to a poor culture of compliance. It is important, therefore, that executive management effectively communicates its compliance expectations and standards to personnel and relevant stakeholders in a manner that reinforces the organisation’s commitment to (1) facilitating compliance with legal requirements, (2) holding personnel and other stakeholders (such as, for example, vendors) accountable for deviating from compliance obligations set forth in policies and procedures, and (3) conducting business activity in a manner that aligns with the organisation’s risk tolerance and strategic objectives. Indeed, we are aware of large, sophisticated institutions that have created executive-level positions or board committees for the specific purpose of fostering a culture of compliance within the organisation.
But except in the smallest of organisations, it is impractical to expect upper management to handle all training and communications. As a result, it is necessary for executive management to maintain visibility regarding compliance while at the same time delegating responsibility for training and communications to functional groups and, if appropriate, third-party providers. This is the only way to ensure that compliance communications and training are properly developed, disseminated and tracked to confirm that personnel understand and adhere to the standards and controls set forth in the compliance programme. To make certain that the groups assigned responsibility for training and communications are capable of performing these functions successfully, executive management should provide them with the appropriate resources, authority and independence. Conversely, unless executive management has adequate visibility into how compliance communications are being carried out, management cannot provide proper oversight. Therefore, processes should be put in place to encourage upward reporting back to management.
While, again, no one methodology fits all companies, it is common for compliance training and communications to be assigned to both the first and second lines of defence: the appropriate business unit and the compliance and risk management function. Thus, compliance staff must maintain communications to disseminate regulatory changes, as well as amendments to compliance policies or procedures resulting from regulatory changes or from changes to existing business practices. The business unit must be able to put into practice and disseminate any relevant changes to the operational procedures necessitated by updates to the policies or procedures. The best organisations do not leave these communications to the compliance function alone, but actively ensure that key business leaders at all levels are focusing on the right messages. An important way to ensure this is to give business managers at all levels the tools and support they require to communicate the compliance message throughout the company. A potential risk if employees only hear from compliance staff is that they will come to see compliance as a separate, perhaps support, function that is not meant to integrate with the ‘real’ business of the company. That is a mistake a robust compliance programme avoids.
The best policies and procedures will not achieve their goals unless they are appropriately disseminated to an organisation’s stakeholders. The size of the company, its geographical footprint, the target audience and the activity governed by the policies and procedures are all factors that should be considered in determining the most efficient manner of dissemination. For example, policies that address business activity at a global level are more likely to be a valuable resource if they are posted within a central repository that is available to a broad range of personnel. On the other hand, policies that provide guidance on how a particular business unit should satisfy assigned compliance fulfilment functions should be disseminated in a more targeted manner.
The following are some of the various options organisations should consider when disseminating policies and procedures.
These methods of communication are not mutually exclusive. For example, executive management might distribute hard-copy handbooks, send emails highlighting updates and make more information available via a compliance portal. Regardless of the manner of dissemination, the company should ensure that policies and procedures are easily accessible to all, are updated as necessary, and that employees know when they are updated.
In an ideal world, a company’s chief executive officer (CEO), general counsel or other similar executive would personally train all personnel and thereby make certain that the compliance message has been delivered. Because this is obviously impractical, every organisation must consider the complexity of its activities, its geographical footprint, its sophistication and its size when designing methods of delivery. In-person training (even if not delivered by the CEO) is the most attractive option in that it typically generates the most participation, but it also requires the most effort.
In-person training can be interactive, requiring action from the participants, which in itself engages more participants than a pre-recorded presentation, or even an interactive online training programme. When individuals are required to attend a training session, they will focus on programme content rather than the distractions at their desk (and, ideally, will have left their personal devices to the side). Conversely, while online or pre-recorded training sessions might be the most cost-effective and convenient to attend, they could lead to a lower number of active participants. The in-person experience also creates opportunities for discussions on how the compliance obligation should and can be fulfilled by relevant team members.
Equally important is conducting training in the local language of the personnel being trained. There is simply no substitute for communicating concepts plainly and in participants’ native language. And doing so has the added benefit of increasing the likelihood of employee buy-in, as the trainer will literally be speaking their language. Finally, the local language is likeliest to spark an interactive session, as employees will feel more comfortable asking questions in their native language.
As with communications generally, various individuals or groups may have the capacity to conduct compliance training appropriately. That said, it is important to confirm that those personnel or groups providing training maintain the expertise and authority needed to provide the targeted audience with guidance that is specific to their job functions and consistent with the organisation’s risk management principles. Options include the following:
Regardless of who is actually tasked with leading the training, this person or group should have a clear understanding of the legal requirements applicable to the company, and how these affect the company’s business activities. The intersection of the company’s activities and legal requirements must be understood by the trainer in order to effectively relay them to stakeholders. It is therefore advisable for compliance and business personnel to review the content of the training and inform the trainer of any relevant considerations.
It is often desirable that initial training sessions, as part of a compliance programme rollout or a new training initiative, be conducted by senior management to stress the importance to the company. In the long term, these arrangements are not likely to be sustainable, so it is important for executive management to ensure that subsequent training sessions are led by personnel with sufficient knowledge of the compliance programme and its effects on the company.
The content of compliance training sessions is as varied as the different types of compliance issues an organisation faces. Whatever the subject area, training should be customised to the audience. For example, the content required for legal and compliance personnel will differ from the content appropriate for business lines. Similarly, with respect to anti-corruption training, for example, some parts of a company might have daily interactions with government officials, making them higher risk than those in a division that does not interact with governments at all. Each division’s sessions should therefore have an appropriate emphasis.
Additionally, not everything contained within policies and procedures need be emphasised, lest the training devolve into a didactic reading rather than an interactive exercise in which the most important risks and expectations are stressed. Thus, the company’s risk assessments, which will have identified areas of elevated compliance risk, are a good source of training topics. To illustrate particular points, it is crucial to use examples either from the organisation’s own experience or from more broadly known cases. It would be difficult, for example, to get through anti-corruption training in Brazil without discussing Operation Car Wash, perhaps the most widespread bribery scandal in history.
As we have stressed, every company has different risks and areas of focus, but generally, all organisations will need to include the following basic topics, at a minimum, in their compliance training:
A fundamental element of a training initiative’s effectiveness is employee participation. Simply put, no training activity will be effective if it is not completed by the personnel for whom it is designed, or if a company cannot later prove that the training was provided. For this reason, it is critical that executive management communicate that ongoing training is an essential part of each employee’s job functions and that those who do not complete training in a timely manner will be evaluated on that basis, and could be subject to discipline. Additionally, functional regulators will often consider employee participation when assessing the effectiveness of an organisation’s compliance programme. As a result, it is prudent for organisations to track and document levels of employee attendance, and to keep evidence of the action taken with respect to employees who do not maintain an acceptable level of attendance.
The ultimate measure of a well-designed training programme is not someone’s subjective opinion of how good or bad it might be. The key question is whether it works – that is, whether the trainees have internalised the lessons of the programme and can apply it to day-to-day business at the company. The only way to know this is to evaluate and test the programme. Not surprisingly, US regulators and prosecutors assess how well an organisation evaluates its training effectiveness when reviewing an organisation’s compliance programme.
One method to test the effectiveness of training, particularly when implemented to address a compliance breach, is to measure key data points before and after the training. For example, if a required disclosure was not being provided to customers of a broker-dealer as required, a company might calculate whether there was an increase in the number of disclosures produced by the system after the training. Similarly, the effectiveness of training pertaining to incident-reporting processes can be evaluated by comparing how often the vehicle for reporting problematic incidents (e.g., compliance reporting portal) was used before and after the training.
Another means of assessing the effectiveness of training is conducting targeted ‘spot’ testing of employees who attended a particular training. While this type of evaluation method may not be practical for all organisations, ‘spot’ tests allow organisations to determine whether the employees have consistently at least understood, and hopefully adhered to, key requirements. One caution is that spot tests may be viewed as invasive by some employees, so an organisation should consider limiting them to employees whose adherence to the conduct specified in the training most affects the organisation’s compliance obligations.
Any weaknesses revealed through testing an organisation’s training programme should be factored into its risk assessment process, as the objective of these assessments is to help executive management proactively identify current and emerging compliance risks and implement appropriate strategies to mitigate them. By doing so, an organisation will be better positioned to correct training weaknesses before they become systemic.
Once policies and procedures have been appropriately disseminated and employees have received appropriate training, an organisation with a robust compliance programme must include periodic employee communications to reiterate the compliance message. Employees are busy people focusing on the business of the company, so those in charge of a communications programme must walk the line between communicating so infrequently that information falls through the cracks, and communication fatigue, which arises when employees hear so much about compliance that they stop listening.
Regular and consistent compliance communications to employees should be succinct, but provide enough detail for employees to understand how the message applies to their individual roles. A key is for the communications to be interesting and not repetitive. For example, internal bulletins can be created to disseminate important dates, information or requirements once a month. Similarly, a periodic newsletter highlighting developments affecting compliance, reminders regarding scheduled training sessions and an FAQ, among other items, can be a useful regular communication resource for employees. This information could be disseminated in a company-wide email message, posted on an internal compliance portal, or printed and made available in secure common areas.
Additionally, updates to policies and procedures provide an excellent opportunity both to review the existing policy and to present a high-level summary of the updates being circulated. This could be done by compliance staff or at business meetings, which are themselves a useful vehicle for sharing compliance communications. Indeed, any integration of compliance topics with business meetings can be extremely useful, and such communications carry greater weight in the business context. Finally, more informal settings, such as roundtables or town halls moderated by the compliance group or senior management, can serve as a means of sharing communications regularly. In some parts of the world (Latin America is a good example), even more informal communication can be important to truly have impact, so settings such as office gatherings and even social events should not be overlooked as opportunities to communicate in a less threatening environment.
It is important to remember that communication goes both ways: employees should be encouraged to contact compliance staff, either for guidance on issues that arise or to report problems or gaps. Sometimes, the absence of this type of contact can be a red flag, indicating either that employees are not recognising compliance issues, or that they do not consider it important to seek guidance on these issues. Both are problems, and one solution that compliance officers are increasingly turning to is proactively calling business personnel for periodic check-ins. The first call might seem out of the ordinary to the business representative, but once that is out of the way, the compliance officer can have regular conversations and establish a true partnership. Making these communications routine will inevitably have a positive effect on the company’s compliance culture.
Employees should also have opportunities to provide feedback to the company. Though the specific mechanism for obtaining feedback may vary by organisation, maintaining an email inbox, an online form process, or both, is acceptable. But the feedback system will only be successful if employees feel comfortable sharing their opinions, so organisations must do all in their power to encourage feedback. Employees should feel encouraged to share the information they deem important or valuable to the company, whether positive or negative. Accordingly, a good rule of thumb is to put in place a non-retaliation policy for good-faith communications, and to give reasonable assurances of anonymity to the extent permissible by law.
Relatedly, it is crucial for companies to have a mechanism beyond regular business lines for reporting compliance issues. Indeed, the US Department of Justice and the Securities and Exchange Commission have made clear that an effective compliance programme, at least under the Foreign Corrupt Practices Act, ‘should include a mechanism for an organisation’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation’. A compliance hotline, which individuals may use to report concerns confidentially, is a best practice in this regard. And corresponding whistle-blower protections are also crucial. These mechanisms have several benefits.
In particular, a hotline makes clear the company’s commitment to ethical conduct and integrity, a key component of a good compliance culture. Additionally, information received through the hotline, even if not rising to the level of a regulatory or compliance breach, can be used to improve existing policies or procedures. A hotline also can make senior management aware of problems early, before they fester and become serious reputational or legal issues. And, of course, this kind of reporting channel, if effective, can be used in mitigation of enforcement actions with regulators.
The company should have appropriate whistle-blower policies and procedures that spell out how potential violations will be handled. In Latin America in particular, where concepts such as whistle-blowers and cooperating witnesses remain mostly inventions from other continents and are therefore sometimes viewed with suspicion, companies should take special care to explain them in detail to their employees. Elements of a strong whistle-blower policy include:
Ensuring that proper reporting policies are in place puts the company in a better position to identify and mitigate the regulatory, monetary, operational and reputational risks of the conduct reported. A strong whistle-blower protection programme is also important and should be included in regular compliance training.
Effective monitoring, testing and auditing of business activity and controls are key components of an effective compliance programme. A well-coordinated testing programme as part of the compliance function not only identifies compliance oversights and policy-related breaches, but also evaluates the effectiveness of the controls in place to facilitate compliance with the applicable legal requirements at issue, including training. As a best practice, results of monitoring and testing should be communicated to the appropriate stakeholders for evaluation. Sharing the results with relevant parties allows for collaborative feedback to those conducting the tests and will better position the company to adopt corrective actions or remediation. Moreover, appropriate distribution of these results will allow for issues to be reported appropriately. These types of measures are often viewed as reinforcing management’s commitment to a culture of compliance. For these reasons, it is imperative that executive management be involved in receiving these results, provide insight on corrective action and ensure that corrective action is tracked to completion.
Separate from the compliance function and business units within the company is the internal audit function, often called the third line of defence, for organisations large enough to sustain such a function. The audit function operates independently of the compliance function and business units, and can provide executive management with risk-based reviews of an organisation’s compliance programme and risk management standards. The reviews completed by a well-coordinated audit function typically include, among other things, an evaluation of internal controls to identify compliance control issues, including their root causes, across business activities or auditable entities. The audit function also measures whether risk has been adequately assessed by the business and compliance functions, and whether controls are adequate in light of the risks. The audit function is uniquely positioned to provide executive management with an unbiased assessment of the organisation’s compliance programme and to assist executive management in identifying aspects of the compliance control functions performed by the compliance and business units that can be improved. Management, in turn, should seek to communicate these findings to all relevant personnel, and to make appropriate changes in the design or implementation of the compliance programme, as suggested by the findings.
Daniel R Alonso is a partner, Andrew P Pennacchia is senior counsel and Benjamin W Hutten is a counsel in the New York office of Buckley LLP. Norma Ramirez-Marin is an associate in Buckley’s Los Angeles office.
See Newbery, Charles, ‘Compliance is Taking Off in Latin America. Is It Effective?’, Americas Quarterly (22 July 2019) <https://www.americasquarterly.org/content/compliance-takes-latin-americ-it-working>.
See, e.g., Office of the Comptroller of the Currency, ‘Compliance Management Systems’ [OCC Management Systems], p. 10 <https://www.occ.treas.gov/publications-and-resources/publications/comptrollers-handbook/files/compliance-mgmt-systems/pub-ch-compliance-management-systems.pdf>; US Dep’t of Justice [US DOJ], Criminal Division, ‘Evaluation of Corporate Compliance Programs’ [US DOJ Evaluation], p. 5 <https://www.justice.gov/criminal-fraud/page/file/937501/download>.
See, e.g., US DOJ Evaluation, pp. 4 and 5.
See, e.g., id., p. 5; OCC Management Systems, p. 12; Consumer Financial Protection Bureau, Examination Procedures, ‘Compliance Management Review’ [CFPB Procedures], p. 9 <https://files.consumerfinance.gov/f/documents/201708_cfpb_compliance-management-review_supervision-and-examination-manual.pdf>.
See, e.g., US Dep’t of Treasury, Office of Foreign Assets Control, ‘A Framework for OFAC Compliance Commitments’ [OFAC Framework], p. 7 <https://www.treasury.gov/resource-center/sanctions/Documents/framework_ofac_cc.pdf>.
See US DOJ Evaluation, p. 5.
id., p. 5; OCC Management Systems, p. 12.
See, e.g., US DOJ Evaluation, p. 5.
See, e.g., OCC Management Systems, pp. 6, 7 and 11; CFPB Procedures, pp. 5 and 6.
See, e.g., US Dep’t of Treasury, Financial Crimes Enforcement Network, ‘Advisory to US Financial Institutions on Promoting a Culture of Compliance’ (FIN-2014-A007) [FinCEN Culture] <https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2014-a007>; UK Serious Fraud Office, ‘SFO Operational Handbook: Evaluating a Compliance Programme’, p. 5 <https://www.sfo.gov.uk/download/evaluating-a-compliance-programme/?wpdmdl=25403>; Alonso, Daniel R, ‘Loud and Clear: FinCEN Demands a Culture of Compliance’, Business Crimes Bulletin (1 October 2014) <www.lawjournalnewsletters.com/sites/lawjournalnewsletters/2014/10/01/loud-and-clear-fincen-demands-a-culture-of-compliance/>.
CFPB Procedures, p. 4; OCC Management Systems, p. 6.
See, e.g., FinCEN Culture.
See also Federal Reserve Board Supervisory Letter <https://www.federalreserve.gov/boarddocs/srletters/2008/SR0808.htm> (emphasising the importance of boards and senior management of banking institutions in promoting strong compliance cultures within the organisation).
See, e.g., US DOJ Evaluation, p. 5.
See Jaeger, Jaclyn, ‘Leveraging Middle Management to Foster a Culture of Compliance’, Compliance Week (26 November 2013) <https://www.complianceweek.com/leveraging-middle-management-to-foster-a-culture-of-compliance/3801.article>; Alonso (footnote 11, above) (‘[O]ften, the key to true culture change is the contribution of informal leaders at all levels of the organization.’).
See, e.g., ‘Operation Car Wash: Is this the biggest corruption scandal in history?’, The Guardian (1 June 2017) <https://www.theguardian.com/world/2017/jun/01/brazil-operation-car-wash-is-this-the-biggest-corruption-scandal-in-history>.
See, e.g., US DOJ Evaluation, p. 5; OFAC Framework, p. 3.
See, e.g., US DOJ Evaluation, p. 5.
OCC Management Systems, p. 12; CFPB Procedures, pp. 9 and 10.
US DOJ Evaluation, p. 5; OCC Management Systems, p. 22; CFPB Procedures, p. 11.
See Ellis, Matteson, The FCPA in Latin America: Common Corruption Risks and Effective Compliance Strategies for the Region (2016), Chapter 4.
US DOJ and US Securities and Exchange Commission, ‘A Resource Guide to the Foreign Corrupt Practices Act’ (2012), p. 61.
See, e.g., US DOJ Evaluation, p. 5; see also United States Sentencing Commission, ‘2018 Guidelines Manual’, Annotated §8B2.1(b)(5)(C).
Gedan, Benjamin N; Alonso, Daniel R, ‘Only Criminals Can Clean Up Argentina’s Corruption’, Foreign Policy (15 November 2018) <https://foreignpolicy.com/2018/11/15/only-criminals-can-clean-up-argentinas-corruption/>.
See CFPB Procedures, p. 11; OCC Management Systems, p. 13.
See, e.g., OFAC Framework, p. 3.
See OCC Management Systems, p. 14; CFPB Procedures, p. 10.
See OCC Management Systems, p. 14.
See, e.g., Federal Financial Institutions Examination Council, ‘Bank Secrecy Act/Anti-Money Laundering Manual’, p. 28 <https://bsaaml.ffiec.gov/docs/manual/BSA_AML_Man_2014_v2_CDDBO.pdf>.