Safeguarding Corporate Compliance Programs During the COVID-19 Crisis

by Kara Brockmeyer, Andrew M. Levine and Philip Rohlik

COVID-19 has altered life for billions, including how companies interact with their employees, business partners, and regulators. Some changes will reverse as the pandemic ebbs or the virus becomes treatable. Others likely will remain for an extended period of time or even become permanent.

No matter the exact course of the coming months, disruptions from COVID-19 already have had a significant impact on corporate compliance functions, internal investigations, and government enforcement. These disruptions will continue to evolve, affecting companies in differing ways and leaving an unmistakable imprint on the compliance landscape.

Although resources and international travel are likely to be constrained for some time, companies still can take meaningful steps to mitigate their compliance risks. In the short term, employees working remotely can address many of the compliance issues that routinely arise, including by leveraging videoconferencing and other technologies. To do so effectively requires an intense focus on identifying shifting compliance risks, purposefully allocating and coordinating compliance resources, and consistently messaging that compliance remains critical. As local travel within jurisdictions resumes, smart planning and the efficient use of resources can mitigate some disruptions to compliance programs. At the same time, counsel and compliance professionals should recognize that some tasks are best left until a return to relative normalcy.

Given the importance of maintaining a robust compliance program, we offer ten strategies for doing so at this trying time.

1. Review Risk Assessments and Adjust Controls Accordingly

As reflected in DOJ’s recent guidance on evaluating corporate compliance programs, an effective compliance program rests in significant part on a sound risk assessment. [1] Unexpected as it has been, COVID-19 has radically changed the global marketplace, upsetting many assumptions that underlie such risk assessments.

The pandemic has sufficiently disrupted the economy that prior risk assessments now need to be reconsidered and updated as soon as possible, with associated adjustments to relevant internal controls being planned or implemented as soon as practicable. For example:

  • Suppliers and customers: As supply chains and markets shrink, suppliers are likely to increase the prices they charge, and customers are likely to request discounts. Such shifts may expose companies to bribery risks previously viewed as less acute, involving both governmental and commercial counterparties. These risks may be even more severe in particular industries, such as healthcare. Companies should be wary of and reject approaches by individual employees of counterparties, especially state-owned companies, that may constitute requests for improper benefits.
  • Natural resources and raw materials: As governments seek to assert more control over certain supplies, the role of state-owned enterprises likely will increase in supply chains, especially regarding natural resources (for example, rubber used to produce gloves and other personal protective equipment). More companies therefore may find themselves dealing with “foreign official” counterparties and potentially being pressured to pay bribes.
  • Logistics and import/export considerations: Moving goods internationally is typically a high-risk endeavor, involving numerous entities and individuals with the power to create delays. The pandemic is likely to reduce this risk in some circumstances, particularly with regard to importing healthcare-related supplies and other in-demand finished products. But export restrictions and the reduction in global freight are likely to increase risks involving exports and imports of primary materials. The enormous contraction of civil aviation also has eliminated a significant amount of logistics capacity, increasing the risk of demands for bribes at more traditional ports of entry.
  • Receipt of governmental funds: The scale of government programs and the vast amounts being spent in response to the pandemic likewise increase the potential for fraud and abuse. In addition to the FCPA, there are other anti-corruption statutes in the United States, including 18 U.S.C. § 666, which prohibits “theft or bribery concerning programs receiving federal funds.” This statute was used alongside the FCPA in prosecuting Ng Lap Seng in 2018, a case in which the United Nations was considered a program receiving federal funds. [2] Given the massive expenditure of governmental funds (domestically and internationally) to combat COVID-19, numerous commercial organizations less accustomed to receiving such funds could find themselves subjected to scrutiny under this and similar laws.

2. Exercise Caution in Dealings with Third Parties

Given the economic dislocation associated with COVID-19, companies may find themselves seeking new suppliers and customers on short notice and in new jurisdictions. These commercial emergencies, including supply chain disruption, are likely to occur while international travel is severely restricted, sometimes making it difficult for companies to identify and evaluate potential business partners.

During the COVID-19 crisis, the skills and abilities of consultants and other third parties to help navigate undoubtedly difficult waters will be in high demand, including to overcome local challenges. Although such services can be both extremely valuable and entirely lawful, countless examples of past mischief have turned consultants into the stock villains of FCPA enforcement actions.

Given the well-known risks associated with third-party agents, especially when interacting with government officials, companies considering retaining a consultant or other third party in a jurisdiction posing heightened corruption risk should seek to: (i) conduct appropriate desktop due diligence, including reference checks with other international companies; (ii) schedule more thorough due diligence for as soon as the pandemic permits; (iii) provide for, at a minimum, the contractual right to terminate the relationship after more comprehensive due diligence or in the event of a credible indication of bribery or other significant wrongdoing; and (iv) ensure sufficient oversight of the third party’s work under the circumstances. All of these steps of course should be appropriately documented, as well.

3. Plan for Upticks in Particular Areas of Compliance Activity

Although COVID-19 is a global business disruption unlike anything in recent memory, past experience suggests that there are several areas relevant to compliance where an uptick in activity is likely, including:

  • Whistleblower complaints typically increase in a time of layoffs, requiring resources to track, investigate, and respond to such complaints, as well as to prevent retaliation.
  • Due diligence activities, including at least questionnaires and desktop research, are likely to become more urgent as companies adjust their supply chains and enroll new vendors and third parties.
  • Back-office level reviews, such as spot-checking adherence to accounting procedures, are likely to become more important as the reduction in personal contact reduces oversight of front-end controls.
  • Requests for exceptions to policies and procedures will become more common, sometimes after the fact, as the normal-course operation of compliance procedures is disrupted by the pandemic.

4. Maintain a Strong Tone at the Top

As a result of COVID-19, companies are battling challenging and uncertain economic forces. Regular communication and visits between headquarters and offices around the world have been disrupted by travel restrictions and social distancing. The compliance function, like the rest of a company, must adapt to this new situation, often with reduced resources. As the workforce’s attention is focused on survival, it is important that company leaders remind everyone of the importance of compliance, including by:

  • Finding appropriate venues to stress this importance (for example as an introduction to online training or during videoconferences with management and employees around the globe);
  • Identifying ways to “call out” and voice support for compliance employees in company updates and newsletters;
  • Stressing the importance of compliance roles, even if compliance personnel are asked to assist with other functions; and
  • Accounting for geographic reach in a compliance program when making difficult budgeting decisions. [3] 

5. Set Clear and Realistic Priorities 

As COVID-19 disrupts business, a wide variety of corporate control functions and tasks will be impaired. Travel restrictions likely will limit internal audits and similar reviews, including compliance assessments. “Work from home” regimes also may make it more difficult to monitor accounting controls in real time. The personal connections that make employees feel comfortable reporting wrongdoing likewise may be weakened. All this will occur when financial resources to mitigate such disruptions are likely more limited. As a result, companies should set clear, specific priorities for compliance, and document exceptions to usual monitoring activities.

6. Focus on Tasks That Can Be Done Remotely 

Maintaining a successful compliance program in a time of disruption requires, among other things, identifying compliance tasks that can be undertaken in the short term and scheduling other tasks for “as soon as practicable.” Even if budgets and resources are constrained, various compliance-related tasks can be accomplished efficiently while employees are working from home, including:

  • Online training;
  • Employee surveys about the compliance program and culture at the company;
  • Policy reviews;
  • Gap analyses of a company’s compliance program relative to best practices and associated guidance; and
  • Desktop reviews and data analysis.

More broadly, compliance personnel can take the opportunity to identify areas for improvement and draft proposals for post-pandemic enhancement, such as regarding the digitization of certain corporate records.

7. But Do Not Ignore Other Mission-Critical or Time-Sensitive Tasks 

Some compliance-related tasks are not as simple or resource-efficient when conducted remotely, but still can be time-sensitive and critical. For example, investigations of potentially ongoing misconduct or compliance due diligence on contemplated M&A transactions likely need to proceed, even if difficult or more expensive. Companies may need to consider creative and flexible approaches to getting the job done, such as conducting interviews by video or leveraging local staff when and as relevant travel restrictions ease. Regarding transactional due diligence, in particular, some on-the-ground diligence will be difficult given the disruption caused by COVID-19, but questionnaires and desktop background checks generally will not be as disrupted and should proceed with extra care under the circumstances. [4]

8. Securely Leverage Technology

The compliance and audit functions should liaise with a company’s information technology and finance functions regarding what kinds of corporate records are available remotely. Relevant examples include accounting data, digitized corporate records, corporate email, and communications on personal and mobile devices. Legal and compliance departments will benefit from remote access to certain data in order to fulfill their mandates, and also must ensure that data protection and privacy laws are followed and that employees are working securely.

Companies and compliance personnel also should recognize the limitations of working remotely. The ability to extract accounting data and digitized documentation works well for a desktop review, but is not the same as an audit during which one may easily follow up and question personnel and review supporting documentation available only in hard copy. Additionally, while videoconferencing works well in many situations, compliance professionals understandably will prefer in-person meetings for some discussions.

9. Coordinate Effectively with Local Resources

Effectively deploying these compliance strategies across multinational companies requires close coordination between the corporate compliance function and personnel operating locally. Given the constraints of remote working and limited travel, headquarters must expend extra effort to ensure that regional and local managers appropriately attend to relevant compliance risks. In prioritizing activities, it is important to remember that lockdowns and closures are not universal or without end. Internal or third-party resources are likely to come back online sooner in some jurisdictions than in others and may be leveraged to support compliance activities in other jurisdictions.

10. Document Everything

At all times, and certainly during a crisis, carefully documenting compliance activities is critical. This includes memorializing, as mentioned above, exceptions to established policies and procedures, including sometimes after the fact. In times of disruption, internal controls can slip for both legitimate and nefarious reasons. For example, multinationals operating as good corporate citizens may be encouraged to donate funds or goods (like personal protective equipment) to assist in combatting COVID-19. Local management may forget to obtain required approvals from headquarters or find it difficult to do so given social distancing measures. While such deviations may be understandable, it will be necessary for compliance personnel ultimately to document the appropriateness of such donations and the rationales for failing to obtain any necessary approvals.

More broadly, regulators have been known to second-guess corporate decisions regarding the use of compliance resources. [5] Once lockdowns begin to ease, such second-guessing is likely to resume. A company, in order to protect itself, should transparently and thoroughly document decisions about prioritizing its compliance resources, including the reasons for any delay and the circumstances under which additional measures will be possible.

Footnotes

[1] U.S. Dep’t of Justice, Criminal Division, Evaluation of Corporate Compliance Programs (updated Apr. 2019), https://www.justice.gov/criminal-fraud/page/file/937501/download; see also Debevoise & Plimpton LLP, “DOJ Updates Guidance on Evaluating Corporate Compliance Programs” (May 3, 2019), https://www.debevoise.com/insights/publications/2019/05/doj-updates-guidance.

[2] See Bruce E. Yannett, Kara Brockmeyer, Philip Rohlik, Jil Simon & Leonie M. Stoute, “Second Circuit Rules that McDonnell’s ‘Official Act’ Requirement Does Not Apply to the FCPA,” FCPA Update, Vol. 11, No. 1 (Aug. 2019), https://www.debevoise.com/insights/publications/2019/08/fcpa-update-august-2019.

[3] See, e.g., In the Matter of Bristol-Myers Squibb Co., Sec. Exch. Act of 1934 Rel. No. 76073; Admin. Proceeding File No. 3-16881 (Oct. 5, 2015), https://www.sec.gov/litigation/admin/2015/34-76073.pdf (faulting company for basing Asia Pacific compliance resources in the United States).

[4] See Andrew M. Levine, Philip Rohlik & Kamya B. Mehta, “Mitigating Anti-Corruption Risk in M&A Transactions: Successor Liability and Beyond,” FCPA Update, Vol. 10, No. 5 (Dec. 2018), https://www.debevoise.com/insights/publications/2018/12/fcpa-update-december-2018.

[5] See, e.g., In the Matter of Beam Inc., n/k/a Beam Suntory Inc., Sec. Exch. Act of 1934 Rel. No. 83575; Accounting and Auditing Enforcement Rel. No. 3944; Admin Proc. File No. 3-18568 at ¶ 22 (July 2, 2018), https://www.sec.gov/litigation/admin/2018/34-83575.pdf (“However, Beam did not then expand the review to other third parties or other markets that presented similar risks”).

Kara Brockmeyer and Andrew M. Levine are partners in the Washington, D.C. and New York offices, respectively, and Philip Rohlik is counsel in the Shanghai office, of Debevoise & Plimpton.
