We are now two years into the current presidential administration and regulators have imposed three of the ten largest Foreign Corrupt Practices Act penalties in history and the largest export controls penalty of all time. This comes alongside significant tightening of many economic sanctions regulations and ongoing strong antitrust enforcement. With the DOJ, FBI, and the SEC continuing to use dedicated resources to identify violations and to prosecute U.S. laws governing U.S. exports and international conduct, international regulatory risk management is a significant concern for any automotive company that sells to, exports to, or operates in foreign destinations.
To navigate the current enforcement environment, we’ve laid out eight steps that most multinational automotive companies can take to enhance compliance.
Step 1: Securing Buy-in at the Top
Before drafting compliance policies, there are a few steps that should be taken – most importantly, securing buy-in from senior management for a comprehensive compliance push. Even if a strong program is put into place, it will not be effective if employees don’t believe that compliance is being taken seriously at all levels of the company.
This includes regular and institutionalized involvement of the company’s board of directors, generally at either the compliance or audit committee levels. The key areas for board-level involvement include thorough oversight of compliance initiatives, quarterly reports of compliance activities, and special communications for potentially serious matters.
Step 2: Performing a Risk Assessment
Any multinational automotive company that has not done a risk assessment in the last two or three years likely is overdue for a new one. This is a key initial step to identify sources of regulatory risk, such as changes in the governing laws and changes to the firm’s risk profile due to alterations in the footprint of the firm, the ways in which it conducts business, any expansion into new markets, and other factors that can radically alter the risk profile of the organization.
For automotive companies that operate abroad, key risks include not only regulatory issues but also issues related to the company’s business profile and how it operates abroad (use of distributors, joint ventures, agents, and so forth). Once the risk assessment is complete, the results should be carefully evaluated to determine the greatest compliance concerns, as well as distilled into a company-wide risk profile to guide the allocation of compliance resources.
Step 3: Assessing Current Controls
Sometimes referred to as a compliance gap analysis, the third step is to take a candid look at existing compliance measures, such as codes of conduct, compliance programs, internal controls and standard operating procedures, and training. This allows companies to determine if compliance measures address the regulatory risks identified through the risk assessment.
An important part of the gap analysis is to consider not only the written forms of the compliance program, but also how effective the measures are in the field. It is common for even well-designed programs to run into difficulties when placed into operation, especially for international operations, where language, cultural, and distance issues can lead to misunderstandings of the importance or operation of compliance measures.
Step 4: Identifying and Managing Compliance Resources
The gap analysis also involves determining whether there is a disconnect between the identified risks and available compliance resources. To avoid promise/resource mismatches, multinational automotive companies should make an honest comparison of their identified risks against their available compliance resources to determine whether compliance is being starved of sufficient resources. Compliance should be viewed as an investment in protecting the organization from costly fines and reputational hits from violations of the law, especially for organizations that operate in high-risk environments or otherwise have a heightened risk profile.
While many organizations try to centralize compliance within U.S. headquarters, effective implementation and oversight of compliance measures often requires on-the-ground attention. For larger organizations – or companies operating in high-risk regions – compliance liaisons are oftentimes necessary to ensure that compliance functions as envisioned.
Step 5: Creating Compliance Policies
A written compliance policy should usually include a written compliance program. For high-risk legal regimes, there should also be supplemental materials for those who need specialized training or guidance. The program should be easy to comprehend, as the goal is not to create a workforce full of law professors, but rather to communicate when personnel need to pick up the phone and make a compliance call.
Step 6: Creating Coordinating Internal Controls
While establishing compliance policies is important, the implementation of internal controls can be as important, or even more important, to make compliance standards work. As one example, export control policies often should be supplemented with stop, hold, and release measures and (for controlled technical data and goods) physical security, visitor access, and technology control plans. Companies should tailor their internal controls to the company’s operations, areas of operation, and business profile, addressing the types of risks covered in the company’s risk assessment.
Step 7: Training
Training should be tailored to the needs of the organization and job descriptions of people who are at a high risk of encountering certain legal regimes. Programs should focus on the purpose of the law, how complying with the firm’s compliance measures protects the organization, and how to identify red flags and other problematic situations that require reaching out to compliance personnel. For high-risk personnel, training should occur not only for all new employees, but also annually thereafter.
For multinational automotive companies, training will often need to address local practices and different cultural norms, which may prove contrary to the compliance needs of the organization. Equally important is finding the best way to stress the importance of compliance with U.S. law for personnel who may not appreciate the risk exposure to the company. If English is not widely spoken, compliance materials and training should be provided in the local language.
Step 8: Compliance Audits and Check-Ups
Once implemented, a compliance program cannot run on autopilot. Effective compliance requires that the company consistently monitor compliance measures and test the operation of its internal controls. Companies should use risk-based auditing principles to determine the countries, divisions, subsidiaries, and third parties that require monitoring through compliance audits and check-ups, and consider extending such check-ups and audits to third parties as well.
In the current regulatory environment, regulatory risk management continues to be essential for all automotive companies – especially those that operate abroad. Through a self-reinforcing compliance system, automotive companies can maintain policies, internal controls, and training that help protect the organization from regulatory risk in its many forms. Although compliance implementation will vary by organization, working through the eight steps outlined above will be a good starting point for companies looking to mitigate the risk flowing from the aggressive enforcement of U.S. laws governing exports and international conduct.
For more on this and other trending topics in the automotive industry, click here to download Foley’s white paper, Top Legal Issues Facing the Automotive Industry in 2019.