Banner artwork by Unitone Vector / Shutterstock.com
Cheat Sheet
- Serious consequences. Non-compliance can lead to severe penalties including large fines, imprisonment, and corporate liability.
- Varied approaches. Blend online and in-person training for optimal impact and relevance to diverse audiences.
- Top-down engagement. Empower C-suite, legal, and finance teams with ABAC insights.
- Continuous enhancement. Refresh content annually, stay updated, and demonstrate program effectiveness.
We have been practicing law for nearly five decades, combined across a variety of industries in global public and private companies. Nearly 80 percent of that time was significant, hands-on, in-house international compliance involvement as general counsel, chief compliance officer, or other senior attorney roles directly or indirectly charged with designing and executing compliance training functions.
The evolution of FCPA enforcement
The US Foreign Corrupt Practices Act (FCPA) was enacted by Congress in 1977. The first two decades of FCPA enforcement were relatively quiet, compared to the blistering pace of the last 20+ years across a variety of industries.
The introduction of FCPA and parallel anti-bribery/anti-corruption (ABAC) regimes like the OECD Anti-Bribery Convention, the UK Antibribery Act of 2010, and other country-specific legislation added further requirements and complexity.
This period has overlapped significantly with our career paths, creating significant opportunities to impact our companies’ ABAC and other compliance programs.
The era when it was sufficient to have a basic Code of Conduct and ABAC policy inserted into a three-ring binder to be handed out by human resources to new employees as part of their orientation are ancient history. Attorneys and other compliance practitioners at multinational companies are keenly aware of — or they should be — that the United States and other global regulators expect their client companies to have thoughtful and effective compliance programs, including robust and tailored training for ABAC topics.
Based on our experience, numerous conversations with expert outside counsel, and interactions with government lawyers, we have outlined six key principles to consider when designing and implementing your training program.
1. Understand your company situation and industry.
A great foundation for effective ABAC training is deep knowledge of your company’s business, industry and current compliance IQ. You cannot efficiently design a training program without being able to answer and account for at least the following:
- What is our main product or service?
- How is that product or service delivered to our customer? Do we use distributors, partners, agents, or other intermediaries?
- In what countries do we operate? Are any of them high-risk from an ABAC corruption index standpoint? Are we engaged in any if the high-risk activities in those countries?
- How many employees or contractors do we have at each location and what is the overall dispersion of our managers vs. line employees?
- Do all our employees and contractors have access to our standard computer hardware, software, and connectivity?
- What are the predominant languages spoken in my company?
- Do we have occasion to interface with governmental or quasi-governmental officials?
- Has our company been involved in ABAC or other compliance investigations? Have any companies in our peer group had similar experiences? Has our industry been the focus of ABAC or other compliance investigations? Do we sell to customers in industries that have been the focus ABAC or other compliance investigations?
Several of the companies we collaborated with lacked international compliance focus; they were either starting their risk management journey, had underwhelming compliance programs, or were grappling with high-risk factors or ongoing investigations.
A few had adequate programs, only needing continuous improvement.
Much of our careers have been in the energy industry, which historically (and unfortunately) has led the pack in terms of anti-bribery investigations. The gallows humor in our industry circles was always, “There are only two kinds of companies in this industry. One that has already had FCPA problems and one that will.”
In many cases this held true. However, there have been numerous companies who implemented effective compliance programs early on, including ABAC training, and this up-front work and dedication helped them avoid issues or at least mitigate the consequences of investigations.
2. Design the right curriculum for each audience.
ABAC training has evolved over the last 20 or so years, starting with simple, paper-based programs focused on a generic Code of Conduct and maturing into detailed, intensive ABAC-focused frameworks.
There are common elements of an ABAC training program that should be featured in all programs.
In addition, there should be customized aspects of your training that should consider your multiple audiences and their roles inside or outside your company.
An overall curriculum should feature these elements and can range anywhere from one to 10 hours per individual (or more), depending on their role in the company, and could be delivered in-person, online, or combination thereof:
Conduct your ABAC training in addition to the “Day One” training
Typically provided by human resources, covering the full range of all corporate policies and procedures. This HR training may or may not feature a Code of Conduct (which features ABAC language). Keep in mind that ABAC topics should not be overwhelmed by the myriad of other policies a new employee gets early on.
Provide a “black letter” overview of the FCPA and other global ABAC regimes
The overview, including a restatement of the law, what is/isn’t covered, discussion of gifts and gratuities, use of agents/intermediaries, your company’s stance on facilitating payments, accounting requirements, etc. There are great off-the-shelf resources where you can find basic features of ABAC training and convert them to a PowerPoint style or online-software based presentation. Most off-the-shelf online training providers will also customize content to fit your company’s profile.
Include an overview of your overall compliance program mechanics
Describe the company’s compliance resources and which departments help support various elements of ABAC compliance (including training timelines, contractual clauses, agent/intermediary contracting, due diligence, reporting/hotlines, and related topics).
Think about your multiple audiences and customize your program and training
Effective programs tailor instruction based on job function, risk posed for the organization by that role, and relevance of ABAC topics to that individual. While all employees should receive basic ABAC training, not all have the same duties or exposure. For example, a manufacturing manager in your Nebraska facility dealing solely with in-state operations and sales poses an entirely different level of risk than your international sales organization overseas. Depending on timing and resources available to you, a triaged approach to training may be necessary.
Even more bulletproof: the importance of specialized training
Additional training for the legal department or compliance department teams.
Ensure everyone in the legal/compliance organization(s) has a keen understanding of the program and ramifications of non-compliance, even if it’s not their day job. We worked together for several years at a company in which a securities lawyer was filling in for a colleague, doing overflow commercial contract reviews, and spotted a questionable issue in some documentation which led to further questions and ultimately an investigation. The company was later credited by regulators for having a lawyer with keen eyes as part of the controls process, even though compliance was not his core area of expertise.
Additional training for the C-suite.
“Tone at the top” is a major topic for regulators, so it’s important that you allow for small group sessions between legal/compliance and the company’s executives, in addition to the standard training, to look at detailed aspects of the company’s business as it relates to ABAC risk.
Additional training for the finance and internal audit organization.
These teams should be equipped with a working knowledge of how to detect potential ABAC activity, implement necessary controls around payments, work with their internal and external audit in case of investigations, and comply with overall ABAC accounting requirements. You should also consider special sessions for human resources and procurement organizations as they are often “in the know” and could serve as additional resources.
Additional training for the commercial/sales/operations organizations.
We strongly recommend having one-on-one or group sessions with the manager and higher-level employees in these groups, especially those with an international focus, depending on your structure. They are on the front line of risk and are mostly likely to be asked to approve something that could be illegal, interface with governments, manage the profit-and-loss statements, and face the greatest pressure to improve revenue and profit.
Additional training for business partners.
Third-party actions, those of agents, equity partners, distributors, intermediaries, and suppliers, are a common way companies get into ABAC trouble. Depending on your company’s ability to scale its business, it may rely on business partners who could pose a risk. In addition to due diligence, having dedicated training sessions with these partners is critical.
If you can, train them in person (or video conference). Provide the same materials you use for employees, have them certify, walk through your contract with them, and review their business and team. Start by immediately training those who operate in the highest-risk jurisdictions or who handle the largest percentage of sales activities.
3. Use the right timing, tools, and trainers.
Once training content and scope have been designed, you will need to implement the training, considering the best trainers, tools, and techniques made available to you (or that you negotiate for with the C-suite). Other considerations include timing, how geographically dispersed your company is, the size and skillsets within your department, and other factors unique to your company.
Timing
Due to various factors, we recommend ABAC training for each employee and business partner at least once a year, with some flexibility on whether due dates are set based on a specific date or a rolling set of dates/employee. Customized HR or training software can assist with setting a calendar and tracking. ABAC training should be at least one hour for the lowest-risk employees, and we have seen it range to more than a full workday for the most specialized/high risk areas of the company described above. New employees should complete training within the first few weeks of employment, while training plans for current employees should be carefully mapped out in advance, considering other required non-ABAC training.
You don’t want to drown out the ABAC topics with a rushed training calendar that includes the rest of the Code of Conduct kitchen sink. A good, overall goal is to annually certify that all your company’s employees (and business partners) have been trained. Higher frequency and additional touch points may be required if your company is embroiled in an active investigation or if specific training is required following a settlement with a government agency, especially those with a prescribed monitor and remediation program.
Tools and techniques
As described above, a combination of online and in-person training is ideal for various reasons. Online training programs (off the shelf or customized) can provide great leverage for training all employees (and business partners) on the basics, for testing, and for certifications. Given enough time and financial resources, however, there is no substitute for in-person training. Consider “lunch and learns,” town hall meetings, CEO messaging, compliance moments (like safety moments), and ABAC-related corporate communications. We subscribe to various online lists that provide updates on recent ABAC cases and settlements. There’s nothing more eye-opening or a better stark reminder than being able to send out a recent article about a prosecution, settlement, or large fine paid out by someone in the industry or country within which your company is operating! Keep it relevant and fresh.
Trainers
Your ABAC training will only be as effective as the trainer. A bad choice of training software or unprepared trainers can derail your program. Consider international audiences and language requirements to make the materials comprehensible to match your trainer’s language capabilities accordingly. The larger and more well-resourced your organization, the greater your capacity to hire dedicated and experienced compliance and training personnel. Otherwise, you should consider hiring outside resources (law firms or consultants) to assist with your training. Also consider outside counsel to annually present on trends and more confidential or sensitive ABAC issues to your board and C-suite.
4. Emphasize the unique importance and practical relevance of these laws.
Make sure employees understand that you are not trying to make lawyers out of them. Rather, you are trying to equip them with enough knowledge to enable them to spot issues and avoid potentially catastrophic problems. They also need to understand that the realm of ABAC is incredibly serious and can result in personal and corporate liability vastly greater than violations of other more subjective company policies or infrequently prosecuted laws. Employees and partners could be terminated, personally bankrupted, or incarcerated for ABAC violations without indemnity, and your company could be fined, prohibited from conducting business, violate banking or other contractual obligations, and lose significant value from the actions of one individual.
Stanford University maintains an excellent online clearinghouse for everything FCPA. Currently, they report that the top 10 monetary sanctions for ABAC violations range from over US$3.5 billion to nearly US$800 million. We have been involved in protracted investigations, remediations, and settlements for several companies totaling over US$300 million (not counting hundreds of millions in investigation, audit, forensic, and outside counsel fees). These are sobering situations which led to ruined careers, C-suite and board overhauls, strategic disruptions, decreased market value, fractured families, and damage to business reputation. We encourage you to incorporate as many anecdotes and real-world examples into your training and make it as personal to your audience as possible. They need to understand that ABAC topics are non-negotiable.
5. Maintain excellent training records.
Part of effective training is maintaining precise records of your program. An online platform should do a good job of capturing data and completion of courses, but be thoughtful about what else you should track and be able to produce at a moment’s notice to your internal or external auditors, outside counsel, or governmental investigators. Some basic suggestions include:
- Biographical information on trained individual (name, role, location, etc.);
- Date of training;
- Duration of training (start and stop times);
- Materials used in training;
- Sign in/sign out sheets for in-person training;
- Annual certifications;
- Overall completion statistics; and
- Other key statistics by region, department, product line, etc.
6. Test the effectiveness of the training program and refresh.
All organizations have limited resources to dedicate to their compliance programs, but you need to be able to demonstrate that your ABAC compliance programs generally follow the guidelines provided by the US Department of Justice, the SEC, and other foreign counterparts, are tailored to your company and risk, and executed consistently.
If your company does end up having an ABAC issue, questions will be asked regarding whether it happened despite your excellent training (and other controls) or because your program was inadequate. As expectations of compliance programs have evolved, we have reached a point where government representatives basically ask, “Can you prove to us that the training was understood and effective?” Ask yourself some basic questions to make sure you’re on the right path:
- Would my training program survive an audit (internal or external)?
- Would I be able to justify and defend my training program in the face of questioning by the US government?
- Are we getting good, follow-up questions from individuals we have trained?
- Any feedback on the content, tools, presentations, or effectiveness of the trainers?
- Are we seeing ABAC processes followed?
- Have potential concerns been raised, even if “false alarms,” providing evidence of employee engagement?
- Are the finance or audit organizations seeing improvement in controls and procedures?
A well-trained employee population is as adept at detecting issues as the company’s lawyers, particularly because they operate on the front lines. It’s crucial to revitalize your program annually. Not only do audiences lose interest in repetitive presentations, but the evolving nature of your company’s business, operational scope, and go-to-market strategies necessitate adjustments. Changes in key personnel and shifts in management roles, coupled with infrequent alterations in ABAC laws and the emergence of new governmental guidelines, further emphasize this need. Ensure that you incorporate the latest findings, analyses, and updates to maintain the relevance and effectiveness of your content and techniques each year.