Corporate compliance programs are increasingly the norm, but with great variety among them. What it means to have an effective antitrust compliance program, however, is not always simple. Antitrust is full of grey boundaries and so a compliance policy can never completely eliminate antitrust violations as a business risk. It is possible, however, to create a program that is effective in building awareness of antitrust rules. Government guidance is only so helpful in building a compliance program. Enforcers are focused more on negative caveats — the loss of credit for a compliance program if certain conditions are absent — and the threat of costly sanctions for those who fail to avoid a violation. So, corporate compliance officers must still navigate what their organizations should implement, and how to tailor it to the risks and their organization’s business processes. The starting point when doing is a discussion around business goals for compliance and a discussion of the business processes to understand where there is risk and where the business can integrate antitrust considerations and incentives.
By Noah A. Brumfield[1]
I. INTRODUCTION
Corporate compliance programs are increasingly the norm. We take it as a given that a company will have something in place. And, so, the typical conversation around such programs starts with less on why a company should adopt a compliance regime, and more on what they need to be effective.
Government enforcers certainly have a view on the characteristics of an effective policy. They bring, however, an enforcement perspective, which does not necessarily inform what is needed for any individual business organization. Corporate compliance officers must still navigate what their organizations should implement. So, when planning a compliance program, it is important to start with an answer to the why: Why implement a compliance program in the first place? Put differently, what are the business goals to be achieved with a compliance program?
A compliance policy is never going to completely eliminate antitrust violations as a business risk. Even the U.S. DOJ Antitrust Division sometimes recognizes this. Instead, to be effective, enforcers say very generally that compliance programs should be designed so as “to detect and address potential antitrust violations.”[2] This guidance is a good start, but it comes from an enforcement mindset.
A better approach is one that integrates compliance with the business goals. Doing so is likely to be more effective in changing how executives and employees think about the relationship between business and compliance.
In this article, I encourage a focus on answering the “why” as a business organization and, after having first answered that, then build a compliance program that serves the business. Obviously, if such a program is to be compliance-oriented, then it also has to align with the laws that govern the business. Otherwise, it will not be very effective in preventing or detecting antitrust violations. Additionally, there are a number of factors that enforcers around the world tend to think of when benchmarking efficacy. But, there is wide latitude in communicating what it means to be compliant and how to organize business processes toward compliance. Integrating compliance with the broader goals and processes of the business is only likely to increase efficacy by treating compliance as a business goal, as opposed to a legal obligation.
II. DETERMINING THE WHY
There are many reasons to adopt competition compliance policies and systems. Increasingly, it feels like companies are embracing the idea of a civic culture. While the bottom line is ultimately to make money for stakeholders, many companies are embracing the view that ethics are not only consistent with, but an important part of their business. Customers are more likely now than decades before to prioritize ethical corporate behavior, as reflected in the steady stream of research on customer preferences. Likewise, when employees have a choice in where they work, they may demand it of their employers.
There may also be strategic reasons. The Japan Fair Trade Commission Chairman, for example, recently encouraged companies to target anticompetitive practices with private antitrust litigation, pointing to the uptick in strategic litigation against various tech companies.[3] At a more fundamental level, when businesspeople know the rules for competition, it can give them an extra negotiating point. A purchasing team may be more alert to anticompetitive practices by its suppliers. A business development team may feel pressured to enter into an unwanted non-solicit or exclusive with a partner, and the ability to point to a competition policy for the organization may provide added justification for pushing back on the ask.
A more prosaic reason is to simply mitigate risk. The cost in defending an antitrust investigation and litigation is easily millions of dollars. Fines and damages claims can easily reach hundreds of millions in one jurisdiction alone. That can multiply when considering all the jurisdictions where a business operates. A related business risk is getting disqualified or debarred from procurement opportunities as a further consequence. Or maybe, having been caught violating the antitrust laws, a compliance policy may be adopted after the fact, whether as a belated effort to mitigate future risk or as a part of one’s sentencing or settlement.
Another reason is the typical enforcer rationale: that it is insurance in the event a company is caught in a violation. The U.S. Antitrust Division’s message, for example, is simple: “we will ensure the absence of such programs inevitably proves a costly omission for companies who end up the focus of department investigations.”[4]
In the U.S. and certain other countries, demonstrating the existence of an effective compliance program may enable a reduced fine under the jurisdiction’s leniency program. (The Europe Commission is a notable exception.) To that end, Government enforcers are likely to ask what compliance systems were in place when deciding to prosecute and make sentencing recommendations. Increasingly, countries are willing to consider the implementation of a compliance program as a mitigating factor when determining fines. Germany recently became one of the latest to incentivize compliance programs in this way. In January 2021, Germany amended its competition law to enable prosecutors to weigh the implementation of a competition program when considering a fine for a violation.[5]
Whatever the reasons, the goals for the compliance program should be discussed with the business leadership. At a minimum, enforcers will expect this, as discussed below. Independent of the enforcer expectations, there is business value in having executives discuss compliance. When done right, it can set the tone for the organization and help to socialize legal compliance in a way that aligns with how business is conducted.
This is because compliance requires active effort on the part of the businesspeople. Competition compliance means negotiating agreements that comply with the law. It means listening to requests made by partners, suppliers and customers — not just competitors — and deciding whether the request is inappropriate or not, and if it is not appropriate then deciding how to respond. It means seeking legal guidance to navigate grey areas. If businesspeople feel like a compliance program is forced on them by legal, it will be more challenging to ask business teams to spend the effort to adopt or modify processes to turn a compliance policy into an effective compliance program.
III. THE ENFORCER VIEW
Anyone can pull a compliance policy off the internet these days. An off-the-shelf policy, without more, is just a bunch of words that — hopefully — reflect the laws of the jurisdictions where a company operates. It is a passive approach, however, and so not necessarily an effective approach. If the business goals for compliance includes insurance mitigation against future fines or other penalties, then simply publishing a policy may not be enough for those enforcers that are likely to demand more of companies that are seeking sentencing mitigation.
This raises a question: what do enforcers say they are looking for? Fortunately, there is a common baseline that different agencies identify as necessary to an efficacy finding. While the relevant elements may vary by jurisdiction, they largely reflect these factors articulated by the U.S. Antitrust Division:
(1) the design and comprehensiveness of the program;
(2) the culture of compliance within the company, i.e. whether there is business support for the compliance function throughout the organization;
(3) responsibility for, and resources dedicated to, antitrust compliance;
(4) ongoing antitrust risk assessment to ensure the compliance program is working;
(5) compliance training and communication to employees;
(6) regular monitoring and auditing of actual compliance efforts;
(7) reporting mechanisms; and
(8) compliance incentives and discipline.[6]
While the need for training and reporting mechanisms should be self-explanatory, the other factors here are worth calling further attention to. Many overlap. In concept they are easy to understand, even if the effort called for may be substantial and a challenge to implement.
The first factor asks whether the policy was designed and implemented in a manner that is likely to be effective for the organization. I address this in greater depth in the section that follows.
Often referred to as top-down compliance, creating a culture of accountability overlaps with responsibility and discipline (discussed below). This factor largely concerns the role of senior leadership. Whether there is executive, and even Board level, buy-in is a fundamental component of many an enforcer’s assessment in deciding whether to give a company credit for a compliance.[7] For example, in the U.S., “Division prosecutors should examine the extent to which corporate management has clearly articulated — and conducted themselves in accordance with — the company’s commitment to good corporate citizenship.”[8] This may be a negative factor to the extent there is evidence that management has turned a blind eye or rewarded team members who have engaged violated the antitrust laws.
The issue of responsibility is similar to the question of the culture, but is often discussed separately. The focus here is on management accountability for compliance. It asks not only whether an organization has a specific person who is accountable for the policy, but also whether compliance personnel have business independence, authority, resources, and access to the business to be effective.[9]
A company should consider the role of the Board of Directors in holding management accountable. Maybe an audit committee is tasked with compliance generally. Whether or not such a committee exists, enforcers are likely to explore the circumstances in which management briefs the Board.
The risk assessment and reevaluation factor calls both for a tailoring of the program to the unique risk and a continuing evaluation to account for changes in the business, including changes in the methods of communication.[10] Canada Competition Bureau succinctly summarizes this as an ongoing obligation to identify areas of risk, employees exposed to risk, and changes that may increase risk.[11] Interestingly, the Canadian Competition Bureau has identified algorithmic pricing as a new area of antitrust risk, and is encouraging businesses “to train new categories of employees” — e.g. software engineers involved in developing or using algorithmic pricing models — in competition law.[12]
Whereas, the monitoring factor is typically focused on the procedures and efforts to test for compliance. Like any other audit, these test for actual compliance. This might include conducting real world interviews, surveys, or even targeted sampling of documents.
The U.S. is not alone in combining compliance “incentives and discipline.” Defining the “discipline” here isn’t easy, and again it goes to the business objectives in adopting a compliance program. What are the consequences? Demotion, lost compensation, or even potential termination? Harder still is how to respond to enforcers’ increasing recognition that it may not be enough to just threaten consequences for violating a compliance policy. This is born of the recognition that people are motivated by different considerations. Businesses will often reward their employees when they achieve their business goals. Why shouldn’t compliance be any different? How to do so takes creativity and alignment with the organization’s broader business goals.
IV. THE PANDORA’S BOX OF REMEDIATION
Additionally, the U.S. Antitrust Division would include a factor not necessarily required by other jurisdictions. This is an expectation that a company also has undertaken remediation when it discovers an antitrust violation.[13] Remediation raises knotty issues for counsel to resolve when advising on how a compliance program should deal with violations when they are internally discovered. This factor is worth even more attention now in light of a major change in prosecutorial policy under the Biden Administration.
On October 28, 2021, the U.S. Attorney General’s Office announced a major change in what U.S. law enforcement must consider when weighing the prosecution of alleged corporate crimes. “Going forward, prosecutors will be directed to consider the full criminal, civil and regulatory record of any company when deciding what resolution is appropriate for a company that is the subject or target of a criminal investigation.”[14] The scope here is extraordinary — it directs prosecutors to consider the history of possible violations of any kind, and not even limited to the U.S. borders!
A prosecutor in the FCPA unit needs to take a department-wide view of misconduct: Has this company run afoul of the Tax Division, the Environment and Natural Resources Division, the money laundering sections, the U.S. Attorney’s Offices, and so on? He or she also needs to weigh what has happened outside the department — whether this company was prosecuted by another country or state, or whether this company has a history of running afoul of regulators. Some prior instances of misconduct may ultimately prove to have less significance, but prosecutors need to start by assuming all prior misconduct is potentially relevant.
This directive applies to the entire Justice Department — not just the FCPA unit, but to the Antitrust Division, fraud, etc.
This is truly a Pandora’s box that the DOJ is unleashing. And, it requires some pause to digest its potential. What does it mean to “run afoul” of one or another division, or of another regulator outside the DOJ? When a prosecutor is directed to “assum[e] all prior misconduct is potentially relevant,” how to decide when to draw the line and what is “less significant”? Can they look back to violations that have passed the statute of limitations? Just how far back are prosecutors allowed to go? What about double-jeopardy? What is the remedy for businesses and individuals who are forced to answer to the DOJ after having already answered to another agency for a potential past violation? Can the DOJ reasonably consider purported violations of Chinese, European, or Mexican law when weighing corporate culpability under U.S. law?
One can easily imagine an agency run amok conducting endless fishing into areas wholly inappropriate for a U.S. prosecutor to explore.
This brings us to remediation. Already a tricky issue to address, it takes on added significance when considering this Biden Administration change.
First, the Antitrust Division states that “early detection and self-policing are hallmarks of an effective compliance program.”[15] On its face, one would expect that this would include steps to identify and take actions to correct for a possible violation. Second, the Antitrust Division takes this a step further and encourages not only internal reporting, but also “voluntary disclosures to the government of any problems that a corporation discovers on its own.”
Deciding to report a violation to an enforcer — in essence, admitting to criminal liability for a hard-core violation — is a truly significant ask of a company and should not be the “hallmark” of an effective policy that the Antitrust Division says it is. Indeed, the U.S. government’s calling for this may be counterproductive, as some companies will deem the business risks in voluntary disclosure too great. A company may be first into the enforcer with a leniency application, but much uncertainty surrounds this decision. Did the company identify and report everything? Even if it did, will it expose itself to sanctions in other jurisdictions? Also, under U.S. law, amnesty does not extend to private civil damages — at most, there may be a de-trebling of antitrust damages.
V. INTEGRATING COMPLIANCE WITHIN THE BUSINESS
By its nature, compliance is not passive. It involves designing and implementing steps that increase the likelihood that the company will act consistent with the antitrust laws. The more challenging task is adopting a policy and creating processes that are a part of the business.
Below, I identify several considerations when building a compliance program around a business.
A. What is the Scope?
This question has at least two components. The first is geographic; the second is substantive.
-
- Geographic scope. Whether a company has people outside its home jurisdiction or not, we are all operating in a global economy. Supply chains are global. A good compliance program should also be global. The DOJ certainly agrees.
For companies operating in more than one jurisdiction, how is the business to approach its obligations in each? Some companies will adopt localized policies. But, the risk here is that employees in Jurisdiction A will engage in conduct having effects in Jurisdiction B, subjecting the business to risk notwithstanding the effort to have rules for employees in Jurisdiction B. It may make more sense to work with counsel on the fundamental rules common to all the relevant jurisdictions, and then layer in additional guidance reflecting important differences in the jurisdictions touched by an organization’s supply chain.
-
- Substantive scope. If the goal is to focus on mitigating the greatest risk, then a good competition program can focus on training and procedures to reduce the risk of price fixing, bid-rigging, and other per se violations. A better competition compliance program, however, should aim to do more than merely prevent hard-core violations. It should also seek to create a mindset and mechanism for identifying other potential violations, i.e. those that create significant business risk short of criminal prosecution.
B. Is Competition Compliance Integrated with the Business’s Other Legal Obligations?
A related characteristic is the degree to which competition compliance is integrated with compliance and business ethics more generally. Competition compliance programs do not operate in a vacuum. There are anti-bribery, sourcing, sanctions and other areas that entail significant risk and also significant opportunity for a company to stand out as an ethical business. This brings competition compliance — and compliance programs more generally — back to the question of the goals of the organization in adopting and implementing an effective policy for the business.
This may be summed up by business ethics. The organization that embeds ethics into its business is not only more likely to achieve antitrust compliance, but legal compliance generally. As Brazil’s CADE has argued, “competition compliance programmes are more effective if they are elaborated and implemented as part of comprehensive programmes focused on corporate integrity and ethics, without losing sight of the specific requirements of each law. The truth is that the term “compliance” nowadays is associated not only to compliance programmes but to a whole business model that deals with integrity in all activities carried out by a firm.”[16]
C. Is Compliance Integrated with Business Processes?
An off-the-shelf compliance policy is only intended to state the rules. A compliance program that seeks to influence day-to-day behavior involves tailoring the policy to the business, and then tailoring business processes to make it easy for people up and down the business hierarchy to conduct business consistent with antitrust and other laws. This admittedly takes effort.
Each business is unique. Tailoring a policy and procedures so that they are an integrated part of the business entails spending time to understand where there is antitrust risk and how to mitigate that risk, both as a matter of policy and in the practices adopted to reduce risk and hold the organization accountable. It means understanding first what the business goals are and what is expected of the businesspeople in achieving those goals. It also means understanding the areas of risk. Competition law is a law that governs how companies engage with other businesses, consumers and even their employees. So, it means understanding these relationships and the practices, communications, and agreements that bind (or lock out) each.
A policy will be more effective when it anticipates the situations in which antitrust risk is created in the day-to-day business. This step involves discussing how the business team crafts business strategy; how different teams build, market and sell the company’s products; and how they interact with partners, suppliers, customers, and — of course — competitors. For example, if the business engages resellers, then the policy should anticipate resale price-fixing across the jurisdictions where resellers are used.
Are salespeople expected to sell both their organization’s product and the product of another? What do partners expect in the way of exclusivity, or preferences? Where are the parts of the business where leverage can be applied to lock-in or lock-out another participant in the marketplace? Questions like these take time to answer, and more importantly require discussion with the businesspeople. In answering them, a compliance program is more likely to enable the business and legal teams to work collaboratively to identify areas of risk, and plan a compliance program that is tuned to the business.
Tailoring business processes can be more daunting. But it is an important consideration. For example, if competitor collaborations are the norm, are there processes in place to structure discussions and decision-making to prevent spill-over discussions and agreements outside the lawful scope of the collaboration? If the business uses dual-distribution where it is competing with its customers, has the compliance team considered how the business organizes its sales teams or what firewalls are in place to mitigate risk of improper pricing or other go-to-market communications?
VI. TAKING STOCK AND ASSESSING EFFICACY
A recent OECD discussion on the subject of competition compliance programs offers a reminder that it is difficult to measure effectiveness. In the summer of 2021, enforcers from around the world came together to discuss the role of compliance in reducing competition law violations. In doing so, they asked an important question: do government agencies have empirical evidence that compliance programs are effective? Sadly, but not surprisingly, the empirical evidence coming out of the discussion was inconclusively “thin.”[17] They observed a trend toward fewer and fewer leniency applications. Was this as a result of effective compliance programs? They couldn’t say. Interestingly, government enforcers acknowledged that the reduction in leniency cases was just as likely the result of reticence in coming clean for fear of follow-on civil damages claims arising from a violation.
It is not enough to simply articulate a compliance objective and build a program around that. It is also important to know whether the processes adopted are effective. Enforcers stress this. Aside from the enforcement consideration, its good business to evaluate if its compliance program is effective. If it isn’t effective, then it’s natural to ask why continue and what needs to change? Measuring for efficacy can tell you if an organization is working toward and achieving its goals or if it needs to adjust and improve the program. Measuring efficacy again comes back to first having an answer to the why. If the business is to meaningfully measure effectiveness, it must know what goals it is measuring for.
Notwithstanding the want for empirical evidence considered by the OECD, it is possible for a business organization to measure efficacy. Anecdotally, in counseling companies on compliance, I am firmly of the view that compliance training and integrating compliance into business process can indeed work. Salespeople are more likely to ask for legal advice about their pricing discussions or a customer ask if antitrust is integrated with a business’ go-to-market discussions and strategies. Similarly, procurement is more likely to flag issues when they have thought about how companies may be acting anticompetitively. The more that antitrust norms become a part of the conversation in different business functions, the more likely it is going to reflect a business with a “culture of compliance.”
By contrast, companies lacking a good compliance program are less likely to see business questions elevated when they might implicate the antitrust laws. They are more likely to be reactive and at risk of being the victim of a violation, whether within their own organization or from outside the business.
VII. CONCLUSION
In this essay, I have focused on what I have observed to result in a more effective business approach to compliance. The risks to a business of a competition law violation are only increasing. The DOJ’s recent policy change is an example of how enforcement risks can be amplified, with antitrust violations in and outside the U.S. now factoring into DOJ prosecutions more generally.
1 Partner, Allen & Overy LLP.
2 U.S. DOJ Antitrust Division, Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (July 2019), available at https://www.justice.gov/atr/page/file/1182001/download.
3 Mlex, Japanese companies should better use antirust rules for their benefit, competition chief says (Oct. 28, 2021), available at https://content.mlex.com/#/content/1332874.
4 U.S. DOJ Antitrust Division, Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (July 2019), available at https://www.justice.gov/atr/page/file/1182001/download.
5 German Competition Act, Section 81d (1). Likewise, in 2016, Brazil’s enforcer adopted its Guidelines for Cease and Desist Agreements for Cartel Cases, available at https://cdn.cade.gov.br/Portal/centrais-de-conteudo/publicacoes/guias-do-cade/guidelines_tcc1.pdf. Again, in the U.S., the federal Sentencing Guidelines provide that an organization may be eligible for a reduced sentence following a criminal conviction.[5] That is in contrast with the position of the European Commission, which does not reward companies with reduced fines where they have adopted compliance programs.
6 U.S. DOJ Antitrust Division, Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (July 2019), available at https://www.justice.gov/atr/page/file/1182001/download.
7 See, e.g. Note from the Government of Korea, https://one.oecd.org/document/DAF/COMP/WP3/WD(2021)12/en/pdf.
8 U.S. DOJ Antitrust Division, Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (July 2019), available at https://www.justice.gov/atr/page/file/1182001/download.
9 See, e.g. Note from the Government of Korea, https://one.oecd.org/document/DAF/COMP/WP3/WD(2021)12/en/pdf.
10 See, e.g. Canada Competition Bureau, Bulletin — Corporate Compliance Programs (September 27, 2010), available at https://www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/eng/03927.html#s4_0.
11 See, e.g. Canada Competition Bureau, Bulletin — Corporate Compliance Programs (September 27, 2010), available at https://www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/eng/03927.html#s4_0.
12 Note from the Government of Canada, https://one.oecd.org/document/DAF/COMP/WP3/WD(2021)5/en/pdf.
13 U.S. DOJ Antitrust Division, Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (July 2019), available at https://www.justice.gov/atr/page/file/1182001/download.
14 Deputy Attorney General Lisa O. Monaco, Keynote Address at ABA’s 36th National Institute on White Collar Crime (Oct. 28, 2021), available at https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-gives-keynote-address-abas-36th-national-institute.
15 U.S. DOJ Antitrust Division, Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (July 2019), available at https://www.justice.gov/atr/page/file/1182001/download.
16 Note from the Government of Brazil, https://one.oecd.org/document/DAF/COMP/WP3/WD(2021)18/en/pdf.
17 https://www.oecd.org/daf/competition/competition-compliance-programmes.htm.