A Warning on "Meaningful" Compliance With FTC Orders

Matt_Kelly.png

Compliance professionals - we need to talk about the Federal Trade Commission. The folks there are unhappy with the quality of your work.

Specifically, the FTC’s Competition Bureau published a statement in March that it wants to see more detail in the compliance reports companies submit as part of consent decrees. In the agency’s own words:

“Each compliance report shall contain sufficient information and documentation to enable the Commission to determine independently whether respondents are in compliance with the order. Conclusory statements that respondents have complied with their obligations under the order are insufficient.”

This raises some interesting questions for compliance officers about how to supply that information and documentation. The FTC wants a “meaningful level of detail” in compliance reports. Well, exactly how much detail is that? And what policies or procedures are necessary to ensure your company provides it?

Let’s start with what the FTC truly wants: an ability to assess for itself your company’s progress on a consent order. That’s what “determine independently” and “conclusory statements… are insufficient” really mean here.

Consider the example of your company needing to divest some operations to proceed with a larger merger. (The FTC gave that example in its blog post.) The compliance report would need to include a list of steps the company plans to take to sell its assets; a timeline of when those steps either did happen, or will happen; and what other parties were involved.

So the company couldn’t merely say, “We’ve been talking to potential buyers.” The report would need to be more like, “We are talking to three potential buyers, two of them strategic acquirers and one a private equity firm. XYZ Corp. has already offered a purchase agreement and may begin due diligence in 30 days; the other two are still reviewing our presentation.”

Moreover, if the FTC is looking to measure progress, then the next compliance report will need to provide an update: whether XYZ Corp. really did begin due diligence, whether one of the rivals swooped in with a better bid, and so forth. The FTC even says “copies of relevant documents” should be submitted — that’s the level of specificity expected here.

Preparing for Compliance

The FTC did offer advice that should sound familiar to a compliance officer. “Respondents can take steps … such as establishing effective internal policies and procedures to regularly review, investigate, and verify order compliance, which would enable respondents to detect and correct areas of possible noncompliance promptly.”

OK. Establishing policies, verifying compliance, correcting non-compliance — compliance officers have been doing those things for years, for either anti-corruption or other issues. So what are useful steps to take in this issue of anti-competition compliance?  

First, compliance officers need to ensure they are fully involved in discussions about how to comply with a consent order. A compliance officer can’t ensure that a compliance report has sufficient data if he or she has no visibility into what’s going on. Exclusion from those conversations is the true risk here; you can’t collect and submit useful data if you don’t even know what the company’s plans are.

Going back to the divestiture example: a transaction like that might typically involve the company’s business development, legal, and finance teams, working through a project plan. Compliance should participate in those meetings, or at least be copied on all communications. If the buyer and seller have created a secure Data Room to exchange information, perhaps the CCO should have access to it.

Second, understand what a “meaningful level of detail” is for your compliance report. Compliance officers have a natural advantage here. The FTC wants enough data that it can assess a company’s compliance independently — and independent assessments are (ideally) what compliance officers do. The best step here is simply to ask: how would I independently assess compliance with this consent order? What information would I want to see in this report and subsequent ones?

There isn’t likely to be any bright-line, uniform standard here, since every consent order has unique circumstances; but most compliance officers should have the training and experience to make a judgment reasonably close to what the FTC might make. That judgment can guide you toward the right amount of detail to be “meaningful.”

Third, find that data. If they don’t already exist, push for policies and procedures that generate that data and send it to you. (Remember, it’s entirely possible the firm already has the right data, somewhere in the enterprise, if you know where to look and how to collect it.)

Conceptually, this point isn’t much different from the need for complete and accurate data on other compliance issues. Its success, however, hinges on our first point above: that the compliance officer is involved in deciding what the plan for compliance with a consent order will be. Only when you know what actions are being taken can you collect any data about them (let alone enough data to qualify as meaningful).

The FTC made clear in its statement that the duty for thorough compliance reports has always existed; only recently have reports failed to meet the agency’s expectations. So this is a matter compliance officers should take seriously. Otherwise, the FTC warned, “Respondents should expect Bureau staff to play an active role in ensuring that parties comply with their reporting obligations.”

Whatever that “active role” might look like, we can safely assume it will be more difficult and expensive than getting compliance reports right the first time.

