Two years into the new administration, regulators have imposed three of the ten largest Foreign Corrupt Practices Act (FCPA) penalties and the largest export controls penalty of all time, all while significantly tightening many economic sanctions regulations. All of this lies against the backdrop of ongoing strong antitrust enforcement. With the DOJ, FBI, and the SEC continuing to use dedicated resources to identify violations and to prosecute U.S. laws governing U.S. exports and international conduct, international regulatory risk management is a paramount concern for any automotive company that sells to, exports to, or operates in foreign destinations.

Automotive companies that sell to, export to, or operate abroad are at heightened risk from the aggressive enforcement of these laws. Many automotive companies maintain operations in parts of the world where the respect for the rule of law is diminished (China, Mexico, and so forth). Certain non-U.S. companies maintain operations (in accordance with the laws of other countries) in Iran, creating risks due to the extra-territorial application of U.S. law. These issues are in addition to the issues that arise from any operations abroad, such as language difficulties, difficulties of coordinating compliance across thousands of miles, and a lack of understanding of the reach of U.S. law.

To help deal with the current aggressive enforcement environment, this article lays out eight steps that most multinational automotive companies should take to cope with the enforcement of U.S. international regulations.

Step 1: Securing Buy-in at the Top

Although most companies start with drafting compliance policies, there are a number of key steps that should occur first. Among the most important is to secure the buy-in of senior management for a comprehensive compliance push. Without the support of senior management, compliance efforts often languish. Even if a comprehensive program is put into place, it will not be effective if company personnel do not believe that compliance is taken seriously at all levels of the company. Senior management must understand the importance of a consistent and reinforced compliance message and must set a strong example.

The need for senior buy-in extends to the board of directors. In automotive companies that set the proper compliance tone, board-level involvement is regular and institutionalized, generally at either the compliance or audit committee levels. The key areas for board-level involvement include thorough oversight of compliance initiatives, quarterly reports of compliance activities, and special communications for potentially serious matters. The involvement of the board can be especially important when there are serious compliance missteps that may require an internal investigation.

Step 2: Performing a Risk Assessment

Compliance is an exercise in identifying and managing risk, allowing the organization to allocate its scarce compliance resources to give the biggest compliance payoff. Thus, a key initial step is to identify the key sources of regulatory risk through the conduct of a risk assessment. Any multinational automotive company that has not done a risk assessment in the last two or three years likely is overdue for a new assessment of the exposure of the organization to various forms of regulatory risk, as changes in the governing laws, the footprint of the firm's operations, the ways in which it conducts business, expansion into new markets, and other factors can radically alter the risk profile of the organization.

The risk assessment should consider both the likelihood and severity of possible violations and the current enforcement priorities of the relevant authority. For automotive companies that operate abroad, the key risks include not only the regulatory (economic sanctions and dealings with non-U.S. companies that operate in Iran, dealings with foreign officials that bring FCPA risk, and dealings with state-owned automotive companies), but also issues related to the business profile of the company and how it operates abroad. Once the risk assessment is complete, the results should be carefully evaluated to determine the greatest compliance concerns, with the results being distilled into a company-wide risk profile to guide the allocation of compliance resources.

Step 3: Assessing Current Controls

Sometimes referred to as a compliance gap analysis, the third step is to take a candid look at existing compliance measures (codes of conduct, compliance programs, internal controls and standard operating procedures, and training) to determine if compliance measures address the regulatory risks identified through the conduct of the risk assessment. Completing the gap analysis means having a good working knowledge of the company's regulatory risk profile (as per step 2), how it has addressed those regulatory issues in the past, and what regulatory areas have unaddressed regulatory risk.

An important part of the gap analysis is to consider not only the written forms of the compliance program, but also how effective the measures are in the field. It is common for even well-designed programs to run into difficulties when placed into operation, especially for international operations, where language, cultural, and distance issues can lead to a misunderstanding of the importance or operation of compliance measures. A candid assessment of the operation of the current controls should include a review of how the program actually operates.

Step 4: Identifying and Managing Compliance Resources

A key part of the gap analysis is determining whether there is a gap between the identified risks and the available compliance resources. To avoid promise/resource mismatches, multinational automotive companies should make an honest comparison of their identified risks against their available compliance resources to determine whether compliance is being starved of sufficient resources. Compliance should be viewed as an investment in protecting the firm from costly fines and reputational hits from violations of the law. For organizations that operate in high-risk environments or otherwise have a heightened risk profile, effective compliance may take the commitment of significant resources to secure this kind of protection.

Many organizations try to centralize compliance within U.S. headquarters. But effective implementation and oversight of compliance measures often requires on-the-ground attention. For larger organizations – or companies operating in high-risk regions – compliance liaisons are generally necessary to ensure that compliance actually functions as envisioned. This can be especially true for foreign subsidiaries, joint ventures, agents, distributors, and consultants.

Step 5: Creating Compliance Policies

A written compliance policy should usually include a written compliance program and, for high-risk legal regimes, supplemental materials for individuals who need specialized training or guidance to oversee or comply with the relevant legal regime. The focus should be on readability and avoiding long or legalistic recitations of the legal requirements. The goal is not to create a workforce full of law professors; rather, it is to communicate when personnel need to pick up the phone and make a compliance call.

Step 6: Creating Coordinating Internal Controls

Although many automotive companies focus their attention on the compliance policies, internal controls can be as important or even more important, as they implement the compliance standards and make them work. For example, export control policies often should be supplemented with stop, hold, and release measures and (for controlled technical data and goods) physical security, visitor access, and technology control plans. Economic sanctions require that there be written controls regarding screening for embargoed persons, automatic approval procedures for sales to comprehensively embargoed countries, and written procedures for identifying and clearing red flags. For anti-bribery measures, gifts, meals, entertainment, and travel measures, controls on the use of gift cards, and accuracy in books and records requirements will augment the ability to implement compliance initiatives. Companies should tailor their internal controls to the company's operations, areas of operation, and business profile, addressing the types of risks covered in the company's risk assessment.

Step 7: Training

Training – implemented in conjunction with a well-written compliance program and appropriate internal controls – forms the third leg of the compliance stool. Training should be tailored to the needs of the organization and job descriptions of persons at a high risk of encountering certain legal regimes. Training should focus on the purpose of the law, how complying with the firm's compliance measures protects the organization, and how to identify red flags and other problematic situations that require reaching out to compliance personnel. For personnel at high risk, training should occur not only for all new employees, but also annually thereafter.

For multinational automotive companies, training will often need to address local practices and different cultural norms that may prove contrary to the compliance needs of the organization. Equally important is finding the best way to stress the importance of compliance with U.S. law for personnel who may not appreciate the risk exposure to the company. If English is not widely spoken, compliance materials and training should be done in the local language.

Step 8: Compliance Audits and Check-Ups

Companies should avoid the fallacy of thinking that a compliance program, once implemented, can run on autopilot. Compliance processes are never completed, and the goal is not to perfect the system of risk management. Effective compliance requires that the company consistently monitor compliance measures and test the operation of its internal controls. Companies should use risk-based auditing principles to determine the countries, divisions, subsidiaries, and third parties that require monitoring through compliance audits and check-ups, and consider extending such check-ups and audits to third parties as well.

* * *

In the current regulatory environment, regulatory risk management continues to be essential for all automotive companies – especially those that operate abroad. Through a self-reinforcing compliance system, automotive companies can maintain compliance policies, internal controls, and training that provide reasonable controls to protect the organization from regulatory risk in its many forms. Although compliance implementation will vary by organization, working through the eight steps outlined above will be a good starting point for companies looking to mitigate the risk flowing from the aggressive enforcement of U.S. laws governing exports and international conduct.
