How to Build Effective Internal Communication Channels

Managing multinational workforces in an age of anti-corruption ‘accretion’

Managing risk within multinational, matrixed organisations is no simple feat. The complexities that accompany risk management have only been compounded as US regulators have unveiled several pieces of policy and renewed guidance for corporate compliance programmes in early 2023 alone.

Entities that face particular challenges amid these developments include, for example, those that employ nearly 100,000 employees worldwide and that generate significant revenue through production or sales in high-risk jurisdictions that are divided into several business segments. Often, such organisations are supported by global or regional compliance professionals tasked with navigating multiple jurisdictional demands in diverse areas of risk, including anti-bribery programming, employee onboarding and training, third-party due diligence and sanctions.

Building effective communication channels to advance global initiatives to workforces across the globe requires balancing both compliance and commercial priorities. To manage this balance effectively, a compliance programme must deploy a variety of techniques to support multinational workforces while ensuring the compliance programme is oriented to actual business risk and the enforcement landscape.

After receiving its mandate from the Biden administration to ‘fight’ against corruption as a core national security interest,^[2] the US Department of Justice (DOJ) has been committed to turning anti-corruption principles into policies in rapid succession in late 2022 and early 2023. The cascade of policy announcements surrounding anti-corruption efforts and tools to combat corporate crime more broadly have dramatically altered the enforcement landscape.

In New York in September 2022, Deputy Attorney General Lisa O Monaco (DAG Monaco or Monaco) announced policies to incentivise responsible corporate citizenship before an audience that included the Director of the Securities and Exchange Commission’s (SEC) Enforcement Division, Gurbir Grewal.^[3]

In Washington, DC in January 2023, Assistant Attorney General for the DOJ’s Criminal Division, Kenneth A Polite, Jr (AAG Polite or Polite) unveiled the first significant changes to the Corporate Enforcement Policy (CEP) since 2017.^[4] The amendments to the CEP provide a renewed framework by which the DOJ will reward companies that self-disclose misconduct, cooperate and remediate by offering increased reductions off applicable US Sentencing Guidelines ranges.^[5] And for all US Attorney’s Offices (USAOs) across the country, the DOJ announced a corporate Voluntary Self-Disclosure Policy (VSD Policy) in February 2023, setting nationwide incentives for voluntary corporate disclosures.^[6]

In Miami in March 2023, Monaco and Polite took the stage yet again at the 38th American Bar Association’s National Institute on White Collar Crime (ABA Conference) to provide greater colour on the DOJ’s sweeping policy changes. In her remarks, Monaco explained that the VSD Policy had been implemented nationwide to eliminate geographic disparities and ensure a ‘predictable’, ‘consistent’ and ‘transparent’ approach to enforcement.^[7] And Polite’s keynote only amplified Monaco’s message, underscoring the importance of ‘marshal[ing] a variety of tools to creatively address the challenges before us’.^[8]

For companies that operate across the Americas and the globe, those challenges often loom large. From the small-town hospital administrator who demands bribes in exchange for life-saving services to the globe-trotting kleptocrat who offshores an embezzled fortune to terrorist groups that accept millions in exchange for greenlighting company operations at a facility in Syria – recent remarks, policy announcements and enforcement actions are highly attuned to the cadence of corruption in the United States and abroad.

DOJ’s policy announcements and remarks at the ABA Conference signal a renewed commitment to coordinating with other governments to combat corruption. Polite’s spotlight on Venezuela, for example, exemplifies collaboration among the Foreign Corrupt Practices Act (FCPA) Unit, the USAO in the Southern District of Florida, the Criminal Division’s Office of International Affairs (OIA) and the Policía Nacional (Spanish National Police) in the successful prosecution of Claudia Patricia Diaz Guillen, the former National Treasurer of Venezuela and resident of Spain, who accepted over US$100 million in bribes from a Venezuelan billionaire.^[9] Against the backdrop of 96 per cent of Venezuelans living in poverty, DOJ considers this collaboration as the type of ‘righteous’ case the agency will continue to pursue.^[10]

The tone from the very top, from the highest levels of the US government itself, is reverberating with a resounding call for collaboration, creativity and clawbacks, where warranted, to achieve its commitment to combat corporate crime.

As the US government reinforces its already robust system of accountability, multinational compliance programmes must expect that they will be held to account for doing the same with their workforces. Compliance professionals will therefore need to answer the call to action this represents and work even more effectively at managing, communicating and amplifying anti-corruption efforts along with their sanctions framework, as applicable, particularly as the threat of enforcement looms.^[11]

However, those who build effective internal communication channels and adapt their compliance programmes will be well positioned.

Building effective internal communication channels

One key element of corporate governance is a well-designed and well-­implemented compliance programme. However, even the best programme will falter absent effective channels to diffuse the principles of an organisation’s ‘culture of compliance’ – the norms that encourage ethical conduct and a commitment to compliance with the law. Effective internal communication facilitates smooth information flow and shapes the way employees engage with an organisation, including how employees perceive its mission and values and how they relate to its culture.

A company conveys sound communication practices through the following:

• setting the tone beyond just the top to include the entire organisation;
• delegating compliance oversight and enforcement to a dedicated function;
• implementing and publicising compliance policies, procedures and practices;
• enforcing its policies, procedures and practices;
• operating a well-functioning confidential reporting mechanism;
• collecting and analysing compliance metrics; and
• establishing training initiatives that are tailored and adapted to local laws and customs.

No one size fits all when it comes to the channels used to communicate corporate compliance. This chapter discusses general best practices across industries, but they should be individually tailored to each company’s operational realities.

Tone throughout: communicating a commitment to compliance culture

Effective internal communication is multidirectional: top-down and bottom-up. Organisations comprise individual executives and employees who each should feel personally invested in ensuring and promoting compliance.^[12] Consistent with this principle, regulators evaluate a company’s commitment to fostering a strong culture of compliance at all levels of the company – not merely within its compliance department.^[13]

Senior leadership sets the tone for the rest of the organisation. The commitment to compliance is manifested by the extent to which senior leadership articulates the company’s ethical standards, conveys and disseminates those standards in clear and unambiguous terms and demonstrates rigorous adherence by example.^[14] In its revised March 2023 guidance on the Evaluation of Corporate Compliance Programs (ECCP), DOJ recognised that the tone at the top must be further bolstered by the tone at the middle and beyond, which drives the compliance programme on a daily basis and invests subordinates with a sense of ethical responsibility.^[15] Most employees, especially at larger organisations, have little direct contact with senior leadership and therefore are most influenced by the managers who supervise them on a regular basis.

Who owns this? Assigning compliance oversight

Another hallmark of commitment to ethical practices is designating a dedicated function to implement and enforce compliance initiatives. The delegation of this core mandate should account for an organisation’s size and structure and need not be a compliance officer or in-house personnel. Whichever option best complements the size and structure of an organisation, the compliance function should be independent from management and be resourced adequately in terms of budget, human capital and information technology (IT).^[16]

In assessing an organisation’s compliance programme, regulators ask not only whether compliance officers have ‘adequate access to and engagement with’ the business, management and board of directors but also whether an organisation has taken steps ‘to ensure that compliance has adequate stature within the company and is promoted as a resource’.^[17] US regulators are further scrutinising the qualifications and expertise of key compliance personnel, signalling a preference for chief compliance personnel to lead any presentation with regulators and to demonstrate knowledge and ownership of a company’s compliance programme.^[18] The overarching goal is to maintain a compliance function that is not merely a ‘paper programme’ but one that is well designed and equipped to handle an organisation’s operational demands.^[19]

Compliance policies, procedures and practices

An organisation’s policies and procedures form the foundation upon which an effective compliance programme is built. These policies set forth ethical expectations, outline disciplinary procedures and, more broadly, incorporate the culture of compliance into the organisation’s day-to-day operations.^[20]

But policies are meaningful only if personnel know about them. Before doling out disciplinary action, for example, a company must first communicate clearly what constitutes a breach of internal policies, procedures and values and how the company will respond to such a breach. If a breach is corroborated and repercussions are warranted, the company should issue disciplinary action promptly and consistently.^[21] This communicates that misconduct will not be tolerated while also reinforcing fidelity to ethics and accountability.^[22]

A company can ensure employees keep up to date with its policies by requiring periodic certification of compliance and introducing new employees to its ethical values during onboarding.^[23] Relatedly, a company should inform business partners that it expects all activities carried out on its behalf to comport with internal ethics protocols and lawful business practices by seeking assurances from third parties, where appropriate, through certifications or contractual representations of reciprocal commitments.^[24] These measures ensure that the compliance programme is visible, understood and followed appropriately by all relevant stakeholders. They also comport with regulators’ expectation that a company implement policies that reflect the spectrum of risks posed by an evolving legal, regulatory and business landscape.^[25]

Moreover, recent guidance from DOJ makes plain that prosecutors will be asked to consider ‘the extent to which the company’s communications convey to its employees that unethical conduct will not be tolerated and will bring swift consequences, regardless of the position or title of the employee who engages in the conduct’.^[26] Compliance professionals should follow suit. Prosecutors will further be asked to consider ‘whether a company has publicized disciplinary actions internally, where appropriate and possible, which can have valuable deterrent effects’.^[27] Similarly, compliance professionals will need to weigh any benefits that might be gained in the publicisation of disciplinary actions for their own organisations.

Use of third-party messaging apps and mobile devices

The use of third-party messaging platforms (e.g., WhatsApp, WeChat) as well as ephemeral and encrypted messaging applications (e.g., Signal) for business communications increased substantially during the covid-19 pandemic due, in part, to limitations on in-person gatherings and remote work environments.^[28] Although the global pandemic has waned, app-based messaging is here to stay. This is particularly true in Latin America, where WhatsApp is the most used social network in the region, with more than 94 per cent of internet users in selected countries accessing the platform.^[29] And, as these messaging services continue to grow in popularity, regulators increasingly will expect companies to adapt their communication policies and practices to evolving technological realities.^[30]

Though there may be legitimate reasons for the business use of these applications, they also present significant challenges for companies’ ability to maintain effective internal communication channels. Such challenges include the ability to monitor the use of such devices for misconduct, diversity of retention requirements between industries and data privacy restrictions across jurisdictions. Companies operating in Latin America and elsewhere would thus benefit enormously from implementing centralised guidance on the use of third-party messaging applications to ensure that employees’ business communications comport with relevant regulatory obligations and that they can be monitored and preserved, as necessary.

In March 2023, DOJ expounded on the significant changes introduced by DAG Monaco in a September 2022 memorandum addressing the use of communications platforms, messaging applications and mobile devices.^[31] Under DOJ’s revised ECCP guidance, regulators will not only ask about the electronic communication channels used by the business and their preservation settings, they will also consider how companies communicate the policies to employees and whether they enforce them on a consistent basis.^[32] Regulators will inquire about the company’s ability to access such communications, whether they are stored on corporate devices or servers, as well as the company’s knowledge of applicable privacy and local laws. ‘A company’s answers – or lack of answers – may very well affect the offer it receives to resolve criminal liability’.^[33]

US enforcement authorities are delivering on their recommendations and admonishments, leaving less ambiguity on their expectations for compliance with respect to communications management. In 2022, the SEC and the Commodity Futures Trading Commission collectively levied billions in fines against a number of major banks and other financial institutions for not retaining SMS texts, iMessage, and app-based communications (which the SEC deemed ‘off-channel communications’).^[34] According to the SEC, employees routinely used off-channel communications to discuss business matters, thus impeding institutions’ ability to archive business-related communications as required by securities laws.^[35]

Even companies that historically have not had a legal duty to manage employees’ communication platforms, such as those not regulated by securities laws, should take note of regulators’ growing scrutiny of these communications more widely.^[36] As evidenced by the DOJ’s articulated views, companies should proactively enhance their compliance programmes to better withstand any future scrutiny of their employees’ communication channels. From the government’s perspective, companies that currently have no legal requirement to preserve business-related communications are ‘amply on notice’ of the risks of failing to do so.^[37]

Prosecutors’ expectation that companies implement communications policies includes those policies that permit employees to use managed BYOD^[38] devices rather than company-issued devices to access company information, known as bring-your-own-device, or BYOD, policies.^[39] Many companies require work to be conducted on corporate devices; others permit the use of managed BYOD or unmanaged personal devices. A managed BYOD device is often allowed with clear limitations of use that are technologically enforced, in full or in part, by MDM or EMM.^[40] They, like corporate-issued, might also have specialised apps or middleware that capture text and app-based communication content, allowing for preservation and monitoring for compliance reviews. An unmanaged personal device that is permitted for business communications will not have technological controls to assist in enforcing the company’s communications policy. Such personal devices typically hold a complicated commingling of business and personal communications.

Companies may not be able to prevent every employee from using unauthorised messaging apps for business use, but they can take steps to demonstrate reasonable controls, including by maintaining a clear policy, ensuring retention capabilities, auditing employee use and incorporating information security best practices. In addition, companies should consider technological solutions to restrict employees’ ability to instal unapproved apps on company-issued and managed BYOD devices and provide employee training to establish further awareness of and compliance with information security practices. For example, some applications may delete messages as soon as they are read (i.e., ephemeral messaging) and some may automatically delete messages after a specified period unless default settings are changed by the user.^[41] It is therefore critical that companies evaluate, in coordination with their local IT functions, the effect that various applications have on company data retention and information security goals.

However a company chooses to address the use of messaging platforms or mobile devices for business communications, it must strive to prevent circumvention of compliance protocols through off-system activity, preserve all key data and communications and maintain the capability to promptly produce that information for government investigations.^[42]

Compliance through carrots and sticks

Good-faith enforcement of policies and expectations further communicates an organisation’s culture of corporate compliance. Indeed, in analysing an organisation’s commitment to corporate compliance, government authorities examine whether corporate management is enforcing the programme or tacitly encouraging employees to engage in impropriety.^[43] A company can demonstrate good-faith enforcement by sanctioning misconduct and rewarding good behaviour.^[44] Disciplinary action and compensation structures that impose financial penalties for misconduct can deter risky behaviour and foster a culture of corporate compliance.^[45] At the same time, positive incentives, such as promotions, rewards and bonuses for improving and developing a compliance programme or demonstrating ethical leadership, can drive compliance.^[46]

With these principles in mind, DAG Monaco recently announced department-wide policy updates concerning corporate compensation systems, noting two significant changes in particular.

First, US prosecutors will assess a company’s compensation structures when evaluating compliance programmes to determine how these structures contribute to the presence – or lack – of an effective compliance programme.^[47] Is the company, for example, targeting bonuses to employees and supervisors who set the right tone, make compliance a priority and build an ethical culture? Companies should ensure that executives and employees are personally invested in promoting compliance, and ‘nothing grabs attention or demands personal investment like having skin in the game’ through direct and tangible financial incentives.^[48]

Second, the DOJ is launching a three-year pilot programme to require, as part of a criminal resolution, that corporate compliance programmes include compensation-related criteria, and to offer fine reductions for companies that clawed back incentives paid out to employees and supervisors who engaged in or did not stop wrongdoing.^[49] A company that fully cooperates with an investigation and timely and appropriately remediates the misconduct may receive an additional fine reduction if the company has implemented a programme to recoup compensation from the culpable employees.^[50] ‘We expect companies that use these programs to address not only employees who engaged in wrongdoing in connection with the conduct under investigation, but also those who had supervisory authority over the employees or business area engaged in the misconduct, and knew of, or were willfully blind to, the misconduct’, stated the DOJ.^[51]

These announcements exemplify the continuing formalisation of an existing practice of crediting companies for taking appropriate action as to culpable employees’ compensation. For example, incentives for compliance-promoting behaviour were incorporated in a recent plea agreement between the DOJ and Danske Bank, the largest bank in Denmark, over alleged failures in the lender’s anti-money laundering controls. As part of its agreement and in addition to forfeiting $2 billion, Danske Bank agreed to revise its performance review and bonus system to include criteria related to compliance so that each executive is evaluated on his or her efforts to ensure that the relevant business unit is complying with internal policies and applicable laws and regulations.^[52] Accordingly, Danske Bank executives with a failing score for compliance will fail to secure a bonus for that year.

Prosecutors’ examination of the relationship between compensation structures and fostering responsible corporate behaviour reflects a broader commitment to finding the right incentives to support a culture of corporate compliance.^[53] Companies are therefore encouraged to explore innovative, effective and targeted ways of leveraging compensation to incentivise good corporate behaviour and deter misconduct through their own mix of carrots and sticks.

Anonymous reporting mechanisms

Among the truest measures of a company’s commitment to compliance is how it responds to potential misconduct. A company should have in place a well-functioning reporting mechanism for the anonymous reporting of suspected or actual breaches of internal policy.^[54] An effective mechanism will facilitate the timely and thorough investigation of those reports, which includes routing complaints to proper personnel and tracking timing metrics of open and closed investigations.^[55] Upon completion of a thorough probe, an organisation should document outcomes, monitor implementation of any remedial measures and share investigative findings with relevant stakeholders.^[56] Should reported allegations be substantiated, best practices recommended by the DOJ dictate that the company examine what happened, why it happened (i.e., the root cause) and how to avert similar incidents moving forward (i.e., the lessons learned).^[57]

But it is not enough to have such a reporting system in place without ensuring that employees and third parties know it exists.^[58] Publicise the reporting system broadly, perhaps through periodic trainings or email reminders that boost its profile.^[59] Hotline usage can be a good barometer of how well a company is advertising its reporting channels. Infrequent or non-use of a reporting hotline implies that employees or third parties are unaware of its existence or are aware but either lack the know-how to escalate concerns or are uncomfortable with or distrust the process.^[60] In contrast, healthy hotline usage evinces a well-functioning system and constructive environment wherein individuals are empowered to ‘speak up’.

Moreover, actively encouraging personnel to submit reports without fear of reprisal reinforces a corporate culture that promotes honest behaviour and incorporates reporting as part of one’s ethical duties. To further signal transparency and foster trust in the process, provide detailed information on the procedural next steps after submitting a report.^[61] Regulators want to see that reports ‘are taken seriously, appropriately documented, investigated, and – if substantiated – remediated’.^[62]

Monitoring and measuring compliance through data analytics

A staple of dynamic compliance programmes are mechanisms for collecting metrics to help detect and prevent misconduct, which also strengthen an organisation’s internal communication channels more broadly. Indeed, government enforcement authorities have signalled that companies need to be collecting and analysing metrics about their programmes, emphasising the growing importance of data analytics in communicating to employees and stakeholders an organisation’s commitment to maintaining an effective compliance system.^[63] In October 2022, for example, DOJ announced that it had hired Matt Galvin, former Global Vice President of Ethics and Compliance at Anheuser-Busch InBev SA, the world’s largest brewery, for the new role of Compliance and Data Analytics Counsel in the Criminal Division’s Fraud Section.^[64] Moreover, ‘[o]bservers should expect Galvin to leave a mark on the DOJ similar to the one he left at AB InBev, where he transformed the company’s compliance program to a data-driven machine’.^[65]

Relatedly, DOJ Fraud Section Chief Glenn Leon recently announced that DOJ is gearing up to expand its use of data analytics as a key prosecutorial tool, and AAG Polite further noted that regulators have been focusing more and more on companies’ use of data analytics to identify and prevent criminal wrongdoing.^[66] Just as government regulators use these tools to detect and combat criminal schemes, so too are organisations increasingly expected to leverage data analytics tools within their operations to monitor compliance with laws and policies, ferret out wrongdoing, and deliver meaningful remediation.^[67]

Gathering data helps organisations identify, mitigate, and respond to compliance risks in real time and diagnose behavioural compliance trends. Either internally or with external assistance, companies can optimise the utility of data analytics by tracking core compliance metrics, including due diligence reviews, hotline usage, investigations opened and closed, training completion rates, policies drafted or revised, disciplinary action and remediation status.^[68] Capturing these metrics not only helps companies analyse patterns of misconduct and identify compliance vulnerabilities, it also helps companies demonstrate their commitment to mitigating risk when engaging with regulators in the context of government investigations.^[69] As AAG Polite stated, ‘When we see criminality, we will not just ask what happened. We want to understand the root causes – why it happened, and whether it will happen again’.^[70] Analysing metrics further enables substantive assessment of high points and growth opportunities while offering benchmarks with which to anchor compliance targets and goals moving forward. This, in turn, breeds transparency and accountability by facilitating the reporting of actionable data to relevant stakeholders.

Adapting to local laws and customs

As if implementing a dynamic compliance programme were not already a delicate balancing act on its own, adapting programmes to address a spectrum of anti-corruption laws and other legislation adds to the challenge but is one that compliance programmes must address.

Complying with sweeping legislation across jurisdictions with varying enforcement landscapes

Distilling the vast expanse of bribery laws into manageable content for employees to understand and follow is not easy, especially with the cascade of countries that have enacted or amended a host of strong anti-corruption laws and enforcement regimes over the past decade. The FCPA, enforced by the DOJ and the SEC, is broadly applicable to US companies as well as foreign companies or persons with a nexus to the United States and their affiliates. This legislation prohibits foreign bribery of government officials but applies to the bribe payer only, whereas the UK Bribery Act (UKBA), passed in 2010, applies to both the bribe payer and the recipient. Moreover, the UKBA prohibits bribery of foreign public officials and private parties alike. These statutory regimes and the regulators who enforce them are usually well known to compliance professionals.

Relatedly, the anti-corruption terrain in Latin America imposes jurisdiction-specific requirements that organisations must navigate. Various countries in Latin America, including Brazil, Colombia and Mexico,^[71] have enacted corporate compliance requirements of their own in recent years, and companies engaged in those markets must be cognisant of these varying enforcement landscapes, which are also undergoing their own respective evolutions. For example, in July 2022, the Brazilian government published Federal Decree No. 11,129/2022, amending the regulation of Brazil’s 2013 anti-corruption law known as the Brazilian Clean Companies Act (BCCA).^[72] The decree also furnishes additional guidance related to the expectations of the Controladoria Geral da União, the entity that oversees compliance with the BCCA, in their assessment of integrity programmes and the range and application of administrative fines for violations of the law.^[73] Additionally, the Chilean government even proposed new anti-corruption provisions to their constitution.^[74] Though the constitutional proposal overall was rejected, as of March 2023, Chile has begun its second attempt to write a new constitution with a group of experts appointed by Congress. The vote to approve or reject the proposed text is scheduled for December 2023 and the potential passage of the constitution with any anti-corruption provisions the experts may draft will certainly be an area to monitor.^[75]

Taken together, it is clear that multinational organisations will need to ensure that their compliance programmes and global personnel adhere to the mandates that regulators impose. And whether it is the FCPA, the UKBA or local anti-corruption laws, the basic proscription is the same: nothing of value can be given, directly or indirectly, to improperly influence government officials or commercial counterparties.

Tailoring a global compliance policy

A global enterprise faces a wide array of compliance concerns including bribery, corruption, embezzlement, money laundering, employee kickbacks, accounting irregularities and conflicts of interest across geographies. Tailoring compliance programmes to the localities in which multinational companies operate while simultaneously addressing these cross-jurisdictional concerns poses yet another uphill challenge.

A multinational company may, for instance, choose to implement uniform global compliance policies that include requirements that are either more or less restrictive than local regulations, like those discussed above. Other multinational companies may mix and match – applying consistent standards globally while also supplementing them with country-specific guidance. Given the sheer number of individuals within a multinational organisation, it is also advisable that companies create roles for compliance professionals to be available to personnel globally for ‘on the ground’ guidance and feedback.

Tailoring training to an audience’s size, industry, risk profile, geographical footprint, language, sophistication and subject-matter expertise is crucial and underscored in the DOJ’s March 2023 ECCP.^[76] Above all else, when developing training programmes, multinational companies should tailor presentations and materials to the roles of its workforce, and policies and training should be presented in local languages and in person to the extent possible.^[77] Aiding companies that operate in Spanish-speaking jurisdictions and recognizing the significant need for alignment with regional developments, AAG Polite at the ABA Conference announced that the DOJ would reissue the 2020 FCPA Resource Guide in Spanish.^[78]

Training programmes should also be brimming with real-world examples tailored to any specific localities. Real-world examples that span the globe while also implicating Latin America are not difficult to find. In April 2022, for example, Stericycle Inc. (‘Stericycle), an international waste management company headquartered in Illinois, agreed to pay more than US$84 million to resolve parallel investigations by authorities in the United States and Brazil into the bribery of foreign officials in Brazil, Mexico and Argentina.^[79] Specifically, between 2011 and 2016, Stericycle caused hundreds of bribe payments that were calculated as a percentage of the underlying contract payments owed to Stericycle from government customers to be made to officials at government agencies and instrumentalities in Brazil, Mexico and Argentina.^[80]

The DOJ enforcement action against Stericycle, along with a parallel investigation by the SEC related to conduct in multiple jurisdictions, provides a window for compliance professionals to educate their workforces on how bribery and books-and-records violations can play out in Latin America. Indeed, in all three countries, the co-conspirators tracked the bribe payments through spreadsheets and described the bribes through code words and euphemisms, such as ‘CP’ or ‘commission payment’ in Brazil, ‘IP’ or ‘incentive payment’ in Mexico, and ‘alfajores’ (a popular cookie) in Argentina.^[81]

In the aviation sector, Linhas Aéreas Inteligentes S.A. (GOL), an airline headquartered in São Paulo, Brazil, paid more than $41 million to resolve parallel bribery investigations by criminal and civil authorities in the United States and Brazil.^[82] According to AAG Polite’s statement in a September 2022 press release:

GOL paid millions of dollars in bribes to foreign officials in Brazil in exchange for the passage of legislation that was beneficial to the airline . . . The company entered into fraudulent contracts with third-party vendors for the purpose of generating and concealing the funds necessary to perpetrate this criminal conduct, and then falsely recorded the sham payments in their own books.^[83]

As part of the resolution, GOL agreed to continue to enhance its compliance programme and provide reports to the DOJ regarding the remediation and implementation of compliance measures, signalling the importance of compliance professionals enhancing their compliance programmes in the first instance.

Companies that operate in the oil and gas sector will also find lessons learned in the use of intermediaries to facilitate improper payments from Honeywell UOP’s December 2022 resolution. There, Honeywell UOP agreed to pay US$160 million to resolve parallel bribery investigations by criminal and civil authorities in the United States and Brazil stemming from funds offered to a high-ranking official at Brazil’s state-owned oil company.^[84] As part of the arrangement, Honeywell UOP entered into an agency agreement with a sales agent for the purpose of paying US$4 million to the high-ranking Petróleo Brasileiro S.A. (Petrobras) executive.^[85]

The increase in individual prosecutions involving Latin America also signals a continued focus on the region as well as a regulatory focus on individual accountability. In 2022 and 2023, for example, both Venezuelan and Brazilian nationals have been charged with violations of the FCPA. More specifically, in February 2023, a senior oil and gas trader and a Brazil-based intermediary were charged with conspiracy, multiple counts of violating the FCPA and money laundering in connection with an alleged scheme to pay bribes to Brazilian officials to win contracts with Brazil’s state-owned and state-controlled energy company, Petrobras.^[86] Clearly, FCPA enforcement in Latin America is ‘forecast to remain hot as US regulators strengthen partnerships with their counterparts’ and the ‘pace of FCPA enforcement doesn’t appear to be slowing in 2023’.^[87]

Tailoring global compliance policies in a way that grapples with these real-world realities, whether they draw from corporate resolutions or individual prosecutions, will only provide multinational companies with a competitive advantage and bolster their ability to attract and retain superior talent. It will also ensure that business is done the ‘right’ way and help employees, wherever they are in the world, take stock in a company that acts with integrity.

Conclusion

Compliance programmes that incorporate the lessons learned from around the globe and marshal the tools outlined above as prophylactics will be well positioned to avoid enforcement actions on the back end. Government regulators are encouraging companies to do precisely that for their own benefit.

Architects who design compliance programmes in this age of anti-corruption ‘accretion’ must look to the past, present and future in managing multinational workforces and building effective internal communication channels. Compliance programmes should factor into their policies the role of incentives and clawbacks, especially as they relate to executive compensation and rewarding compliance leadership. Training should include lessons learned from past enforcement actions as well as lessons from within a company while making innovative use of measures such as data analytics in diagnosing, mitigating and responding to compliance risks. Training should also take a multidirectional approach to educating the workforce on the current state of anti-corruption accretion and its evolving nature and be tailored to an employee’s locality when applicable. In addition, trainings should provide employees a glimpse into what the future could hold as seen in recent enforcement actions if compliance is not prioritised, providing adequate resources, anonymous reporting mechanisms, guidance and even mega-fine figures to ensure that the future is not, in fact, realised.

Footnotes