The compliance world loves its frameworks: DOJ’s three fundamental questions, France’s risk mapping requirements, the UK’s “adequate procedures” standard. But strip away the bureaucratic packaging and something fascinating emerges — these disparate approaches share much of the same DNA. Former DOJ prosecutor Andrew Gentin joined World Bank senior counsel Joseph Mauro, former OECD legal director Nicola Bonucci and Paul Hastings’ Corinne Lammers, led by moderator Nathaniel Edmonds of DLA Piper, to dissect what works across jurisdictions, at the SCCE’s 2025 compliance and ethics institute.
Compliance with the panoply of international rules and regulations is among the central preoccupations of daily life for professionals in multinational corporations. And while the task is no doubt a complex one, many governmental and nongovernmental organizations have sought to clarify what it means to have an effective corporate compliance program.
By examining principles outlined by regulators and enforcers like the DOJ in the US, the Serious Fraud Office in the UK and the AFA in France as well as non-enforcement international bodies like the OECD and World Bank, it’s clear there are overlapping themes and consistent principles.
These principles and themes were the topic of discussion in the general session Sept. 16 to start the second full day of SCCE’s 2025 compliance and ethics institute, hosted this year in Nashville.
Whether their guidance comes in the form of six principles, 10 elements or a flowchart, international bodies are making it clear that effective compliance programs share common DNA, and, perhaps, a common mission that extends beyond individual corporate protection.
“We really don’t see compliance as what one company does for itself,” said Joseph Mauro, senior counsel at the World Bank. “It’s what all companies do together to make it a more clear business environment.”
Where guidance overlaps
While the specifics of international bodies’ guidance for corporate compliance programs vary — and sometimes dramatically — they all seem to have a common fundamental foundation, the panelists said: risk.
The DOJ’s “Evaluation of Corporate Compliance Programs,” the latest update of which was introduced at last year’s SCCE event, poses three fundamental questions, the first being whether the compliance program is well-designed, and the first subsection under that question is “risk assessment.” Risk mapping and risk management account for two of the three pillars of the AFA’s anticorruption framework, and risk assessment is one of six principles outlined in the UK Bribery Act, which requires companies to have adequate compliance programs. Meanwhile, the OECD and World Bank both emphasize a risk-based approach tailored to the company’s unique circumstances.
“When companies present to [the] DOJ, you’ve always gotta start with an explanation of [how] you designed the program the way you have, and that needs to go back to the risk assessment,” said Andrew Gentin, managing director and general counsel at RosettiStar, who until a few weeks ago was chief of the Fraud Section’s corporate enforcement & compliance unit. “The program needs to be really tailored to the specific risks impacting the company.”
Indeed, tailored risk assessments are encouraged virtually across the board, though implementation of requirements varies. France, for example, takes a more direct approach than American authorities.
“When you look at risk assessment in France, they take a pretty prescriptive view of the type of risk mapping that needs to be carried out,” said Corinne Lammers, chair of the compliance & regulatory counseling practice at Paul Hastings. “What that entails is actually documenting both the inherent risk, as well as the residual risk in quite a number of areas.”
Policy is one thing, though; making risk assessment requirements a reality is another, Lammers acknowledged, because of limited resources.
“It’s always the case there are more risks than you have time to do a deep dive on, so you have to prioritize,” Lammers explained. “I’ve yet to meet the compliance officer who tells me that they have more than enough resources and headcount and dollars to get everything done that they want to on the list.”
Other common threads of global compliance guidance include:
- Senior management commitment and tone at the top: The DOJ’s second fundamental question asks whether programs are “adequately resourced and empowered,” with management commitment as the first consideration, while France’s AFA lists senior management commitment as one of its three key anticorruption pillars.
- Third-party due diligence and oversight: The DOJ’s evaluation criteria include an entire section on “third party management.” The World Bank’s integrity guidelines flow “all the way down the supply chain to the lowest sub-subcontractor,” Mauro explained, while Nicola Bonucci, former legal director of the OECD, noted that intermediaries represent “80% of all transnational bribery cases,” calling third parties “the biggest issue” for compliance practitioners.
- Testing, monitoring and demonstrating effectiveness: The DOJ’s third fundamental question asks whether programs work in practice through “continuous improvement, periodic testing & review.” France’s risk management pillar focuses on detection methods and whether companies are “taking corrective action when issues come up,” and the World Bank requires companies to show “a demonstrated record of implementation,” not just policies on paper.
- Training and communication tailored to roles: The DOJ guidance emphasizes that training should be tailored to employees’ roles and risks. “The salesperson in China is gonna get a lot different training than the domestic employee,” Gentin noted, recounting incidents where companies present statistics like training “98% of employees” without ensuring the content matches job functions.
- Confidential reporting and investigation processes: The DOJ explicitly lists “confidential reporting structure & investigation process” as a key element of well-designed programs, while France’s guidance asks whether companies “have a whistle-blowing system.”
Divergent approaches
International programs and guidance, of course, are not carbon copies of each other, and expectations and approaches diverge in several important ways. Among the most significant is the extent to which enforcers and regulators have laid down strict rules governing corporate compliance programs.
In France, companies with more than 500 employees and annual revenue exceeding €100 million are obligated to implement anticorruption compliance programs under the Sapin II framework, while the UK Bribery Act mandates businesses in the UK have compliance programs adequate for the prevention of bribery. Their counterparts at the DOJ make no such requirement, though the presence of the ECCP guidance strongly suggests that such a program can reap rewards in the form of reduced penalties or even declinations.
Its nature as a nongovernmental organization is one thing that separates the World Bank, but its unique rule around collective action is another, Mauro said: “It’s actually a requirement when companies are working with us and building a compliance program that they engage in some type of collective project outside their own company to advance compliance in their industry, in their community.”
That requirement has a ripple effect throughout local communities around the world, Mauro said.
“One of the most fulfilling parts of this job is a lot of the companies that have been through our processes, started with a sanction, didn’t know anything about compliance, maybe were in a jurisdiction where compliance is not something that’s common,” he said. “But they go through our process, they learn compliance, they build a well-tailored compliance program. And now they’re the biggest promoter of compliance in their own area.”
Scope and focus is another area of divergence, with France taking a narrower approach than the US or UK. The AFA’s guidance is focused entirely on anticorruption; in fact, this past March, French authorities established a cross-border anticorruption task force along with the UK and Switzerland.
“It’s purely anti-corruption risk mapping,” Bonucci noted about the AFA’s requirements. “They aren’t really in the global risk mapping that any company is doing.”
Putting it into practice
The presence of overlapping principles doesn’t mean a compliance program builds itself, the panelists noted. Compliance professionals still face the practical challenge of building and testing compliance programs that satisfy multiple regulatory or organizational expectations, often with scant resources.
“I think you can’t just ignore that gap because it’s gonna come up,” Gentin said, referring to the potential that a compliance officer may need to defend their program in multiple countries. “What you want to do is put together a holistic compliance program, which is gonna work before all these jurisdictions. And it could be that the US emphasizes one thing, the French emphasize another.”
Panelists also emphasized the importance of maintaining internal ownership rather than outsourcing everything to external providers, especially when it comes to the important risk assessment functions.
“If you externalize everything, I don’t think you will convince any law enforcement authority that you are doing really a good job,” Bonucci said. “There are tools, there are platforms, there are ways in which you can externalize, but at the end of the day, you need to have someone accountable who takes the ultimate decision.”
Gentin reinforced this point, warning that companies building risk assessments relying entirely on outside help may have some tough moments when called before the DOJ to defend their programs.
“When the chief compliance officer comes in, [they’re] gonna ask who did the work, and it could be that they used a third party consultant to do some of that,” Gentin said. “But they better be damn sure [at least] that people at the company helped design it, conducted the risk assessment and then actually followed up afterward to make the changes.”
Panelists offered other practical suggestions, like integrating compliance into business operations from the outset rather than treating it as a reactive problem-solving function and focusing on demonstrating that programs actually work in practice rather than just existing on paper.
Complying with multiple overlapping international requirements has never been easy, but this year’s whipsaw-style federal enforcement changes in the US have added even more complexity, the panel acknowledged.
Fighting the good fight still matters, Bonucci said.
“This is the time for companies to decide why they are doing compliance — and that cannot be only because they are responding to regulatory pressures,” Bonucci observed, “because the regulatory pressures in the future may go in different directions, may even be contradictory.”