Government Contractor Ethics and Compliance Requirements Robert K

Introduction Robert K. "Bob" Tompkins • • » Bob Tompkins » Partner » 202 469 -5111 » Robert. tompkins@ hklaw. com » Washington, DC Co-Chair National Government Contracts Team Government contracts counseling Bid protests and contract disputes Government investigations and audits Suspension and debarment Compliance and compliance programs Small Business Administration matters Practice • Government Contracts • Litigation and Dispute Resolution • Compliance Services Education • Washington & Lee University (B. A. and J. D. ) Bar Admission • District of Columbia • Virginia • Government Investigations • Risk and Crisis Management 2

Introduction Rodney M. Perry • • » Rodney Perry » Associate » 202 -469 -5233 » rodney. perry » @hklaw. com Bid protests Contract claim disputes, including litigation before the Boards of Contract Appeals Small business matters, including size determination appeals before SBA’s Office of Hearings and Appeals General counseling on government contracts legal issues, including subcontracts and teaming arrangements, organizational conflicts of interest, terminations, small business regulations, and many other contract administration and procurement issue Practice • Government Contracts • Litigation and Dispute Resolution Education • George Washington University, J. D. • College of William and Mary, B. A. Bar Admission • District of Columbia • Virginia » Washington, D. C. 3

AGENDA » This program addresses the ethics and compliance framework government contractors must establish and maintain to comply with the FAR and the Government’s expectations. We will cover: ˗ History of the FAR requirement ˗ Key Compliance program elements ˗ Recent DOJ Guidance ˗ The Mandatory Disclosure Rule ˗ How Small Businesses Can Implement an Effective Ethics and Compliance Program

Why Now is the Time to Deal With This » Compliance Programs are MANDATORY for Contractors » Recent enforcement activity has continued to focus on government contracting and small business programs in particular » DOJ has issued Guidance (April 30, 2019) for the evaluation of ethics and compliance programs and their effectiveness » There has been a lull in regulatory activity, especially with respect to the FAR – it’s a good time to catch up!

Why is Compliance So Important? » FAR 52. 203 -13 (2009) requires a compliance program » Federal Sentencing Guidelines » Suspension and Debarment Provisions of FAR Part 9 » Reputation – internal and external » Efficiency and Effectiveness » Most of all: avoiding trouble!

FAR Requirements » Contract clause 52. 203 -13 in all contracts exceeding $5. 5 M or 120 days (commercial item contracts excluded) ˗ Requires a written code of business ethics and conduct ˗ Must be made available to every employee involved with government contracts ˗ Contractor must diligently promote compliance to prevent and detect criminal conduct and create an organizational culture that encourages ethics and compliance » These basic requirement applies to small and large contractors

Other FAR-Required Elements (for large businesses on non-commercial item contracts) » Ongoing business ethics awareness and compliance program ˗ Effective compliance training program ˗ Training provided to principals, employees, agents and subcontractors » Internal Control System ˗ Standards and procedures to facilitate timely discovery of improper conduct ˗ Ensure corrective measures are promptly instituted and carried out

Minimum FAR Requirements for “Internal Control System” ˗ Assignment of responsibility at a high level and ensure adequate resources ˗ Procedures to bar individuals potentially involved in improper conduct ˗ Periodic compliance reviews and audits of procedures, policies and internal controls (see below) ˗ Anonymous internal reporting mechanism (hotline) ˗ Appropriate disciplinary action for failing to report or prevent misconduct and zero-tolerance policy for retribution or retaliation ˗ Timely disclosure of violations – The Mandatory Disclosure Rule (see below) ˗ "Full cooperation" with any Government audits, investigations or corrective actions ˗ The clause must be flowed down to subcontractors if the subcontract meets the same threshold ($5. 5 million and in excess of 120 days).

Internal Controls – Periodic Reviews (cont’d. ) » Periodic Reviews of company business practices, procedures, policies and internal controls for compliance with the Code of Business Ethics and Conduct AND the special requirements of Government contracting, including – 1. Monitoring and auditing to detect criminal conduct 2. Periodic evaluation of the effectiveness of the Program and internal control system, especially if criminal conduct has been detected 3. Periodic assessment of the risk of criminal conduct, with appropriate steps to design implement or modify the Program and internal controls to reduce the risks identified.

What Substantive Issues Should An Effective Ethics and Compliance Program Address and What are the Key Components of a Program?

Compliance Program Content Fundamentals » What government contracts rules and principles are important? ˗ Key Federal Procurement Laws ˗ The Federal Acquisition Regulation (FAR) ˗ SBA Regulations (13 CFR Parts 121, 124, 125) ˗ Contracting Agency Regulations ˗ Contract Terms and Conditions ˗ SBA Reporting Requirements ˗ Good Business “Ethics” and Practices

Key Federal Procurement-Related Laws Contractors Must Address » » » Bribery Gifts and Gratuities Antitrust and Bid Rigging Anti-Kickback Statute (and FAR Part 3) Procurement Integrity Act ˗ Employment Discussions with Federal Officials ˗ Gifts and Gratuities to Federal Procurement Officials ˗ Procurement Sensitive Information (Source Selection Information and Competitor Proprietary Information » » » Organizational Conflicts of Interest Personal Conflicts of Interest Whistleblower Protections Covenant Against Contingent Fees Anti-Lobbying Rules

Other Potentially Relevant Provisions to Address » Foreign Corrupt Practices Act (if operating overseas) » Export Control Issues (ITAR/EAR)(if handling covered items or information) » Domestic Preference Laws (Buy American and Trade Agreements Act)(manufacturing) » Cost Accounting (if engaged in cost-type contracting) » Small Business Requirements » Cyber Security » Special Security Requirements (i. e. NISPOM) » And others – Review your contracts including Sections H and I, especially

Summary of Key Compliance Program Elements – Mechanical and Process Issues » An overarching ethics and compliance policy adopted at the highest level of the organization » Written code of ethics and business conduct tailored to the company’s circumstances » Regular compliance training for employees, principals*, agents and subcontractors » A senior official charged with carrying out the Program and equipped with adequate resources » An internal control system (see above) » A Hotline or other anonymous reporting system » A process for evaluating and making Mandatory Disclosures to the Government (see below) » Periodic reviews of the program: monitoring/audits, evaluation of effectiveness, and risk assessments » Authorization and Oversight of the Program from the Board on down

Department of Justice’s Updated Guidance on Evaluation of Corporate Compliance Programs

DOJ’s Guidance is Important » DOJ’s Guidance provides prosecutors and investigators with direction on how to evaluate ethics and compliance programs » DOJ has recently updated this Guidance as of April 30, 2019 (discussed below) » DOJ’s Guidance is relied upon by many – including auditors, suspension and debarment officials, and contracting officers, not to mention the compliance community » DOJ also had a very large role in the development of the FAR Part 3 requirements pertaining to compliance programs and the Mandatory Disclosure Rule

DOJ Guidance (cont’d) » DOJ’s previous Guidance focused on many of the Compliance Program elements noted above. » The Updated Guidance frames the previous considerations in the context of three key questions: 1. Is the Corporation’s Compliance Program Well-Designed? 2. Is the program being applied earnestly and in good faith? In other words is the program being implemented effectively? 3. Does the Corporation’s compliance program work in practice? Within Question 1, DOJ has elevated the “Risk Assessment” to the top of the heap.

Question 1: Is the Program Well. Designed? » DOJ: Is the program “designed to detect the particular types of misconduct most likely to occur in the corporation’s line of business and regulatory environment? » The risk assessment should analyze and address: ˗ location of operations, ˗ the industry sector, ˗ competitiveness of the market, ˗ regulatory landscape, ˗ business partners, ˗ interaction with foreign governments/officials, ˗ use of third parties ˗ gifts, travel and entertainment ˗ charitable and political donations » The program should be tailored to these risks and periodically updated » Attention and resources should be focused on the high-risk areas

Question 2: Is the Program Being Implemented Effectively? DOJ identifies several key considerations: » Commitment by Senior and Middle Management » Providing Autonomy and Resources to the Compliance Function » Incentives and Disciplinary Measures

Question 3: Does the Program Work in Practice? DOJ Wants to See: » Continuous Improvement, Periodic Testing and Review » Investigation of Misconduct » Analysis and Remediation of Underlying Misconduct

So What Does DOJ’s Guidance Mean for Contractors » The Guidance Presents a Useful Lens through which to review your compliance program » The Updated Guidance gives more insight into what DOJ expects. » The Updated Guidance includes key questions and elements that were on DOJ’s mind 10 years ago when the FAR was amended, including the periodic review of the Program and internal controls and the importance of risk assessments” » Remember Slide 8…!

Requirement… Internal Controls – Periodic Reviews (cont’d. ) » Periodic Reviews of company business practices, procedures, policies and internal controls for compliance with the Code of Business Ethics and Conduct AND the special requirements of Government contracting, including – 1. Monitoring and auditing to detect criminal conduct 2. Periodic evaluation of the effectiveness of the Program and internal control system, especially if criminal conduct has been detected 3. Periodic assessment of the risk of criminal conduct, with appropriate steps to design implement or modify the Program and internal controls to reduce the risks identified.

The Mandatory Disclosure Rule

The Mandatory Disclosure Rule – FAR 52. 203 -13 » The Mandatory Disclosure Rule (MDR) was added to the FAR in late 2008 and requires: ˗ “Timely disclosure, in writing, to the agency OIG, with a copy to the Contracting Officer, whenever, in connection with the award, performance, or closeout of any Government contract performed by the Contractor or subcontractor thereunder, the Contractor has credible evidence that a principal, employee, agent or subcontractor of the Contractor has committed a violation of Federal criminal law involving fraud, conflict of interest, bribery or gratuity violations found in Title 18 U. S. C. or a violation of the civil False Claims Act (31 U. S. C. 3729 -3733. ” FAR 52. 203 -13(c)(2)(ii)(F). ˗ There is an enormous amount of nuance to this – the ABA published a 230 page-plus Guide to the “MDR” ˗ So what does this requirement mean? ? ?

Elements of the Disclosure Requirement » A contractor must ˗ timely disclose ˗ in writing to the agency OIG, with a copy to the Contracting Officer, ˗ whenever, in connection with the award, performance, or close out of the contract or any subcontract thereunder, ˗ the contractor has credible evidence ˗ that a principal, employee, agent, or subcontractor ˗ has committed a violation of Federal criminal law involving fraud, conflict of interest, bribery or gratuity violations in Title 18 U. S. Code or a violation of the civil False Claims Act. » Each of these elements is open to interpretation. 26

Consequences of failing to report as required by the MDR » The MDR is contained in a contract clause; failure to abide by it can constitute a breach of contract and be a basis for contract termination. » Violation of the MDR is also expressly addressed in the FAR Responsibility regulations and can form a basis for a non-Responsibility determination (i. e. debarment). » Failure to disclose may also run afoul of Sentencing Guideline requirements. 27

Principals and the Mandatory Disclosure Rule » Who is a Principal”? » Definition of Principal added to FAR 2. 101 in 2008“An officer, director, owner, partner, or a person having primary management or supervisory responsibilities within a business entity (e. g. , general manager; plant manager; head of a subsidiary, division, or business segment; and similar positions). ˗ February 23, 2010: FAR 2. 101 and 52. 209 -5 definition revised to remove “subsidiary” to just read “head of division or business segment” » The MDR addresses Principals’ responsibilities and their exposure in the MDR process ˗ Knowing failure by a principal to timely disclose to the Government credible evidence of certain misconduct or significant overpayment known to the principal results in a violation of the MDR. ˗ Individual Principals can be subjected to suspension and debarment for failure to disclose. » This substantially impacts how investigations are conducted.

Takeaways » Practice Pointers: ˗ Even if you determine NOT to make an MDR report of an alleged incident that implicates offenses enumerated in the MDR, document the basis for that decision. ˗ Consider the extent of Principals’ involvement in the investigation – vesting Principals with knowledge of a potentially reportable incident puts them and the company at risk. ˗ Consider the extent of Principals involvement in the MDR reporting decision -what do you do if two Principals disagree about whether a MDR report should be filed? ? ? ˗ Contractors should have an MDR policy. ˗ Most importantly, investigators must be aware of the MDR and conduct investigations in a manner that allows the MDR requirements to be met. » Query: How to balance the “Credible evidence” reporting trigger with DOJ demands for a “full disclosure”? Likely necessitates incremental reporting and requires you to be clear about the context of your report. 29

So How Does a Small Business Get this Done?

What Often Holds Small Business Compliance Efforts Back » Failure to see the upside and importance of an ethics and compliance program » Failure to view the compliance function as part of other business processes » Failure to realize how many compliance-related activities the company already has » In increasingly limited cases – failure to embrace the culture of compliance

So What’s A Small Business To Do? » Take Stock – involve key functional leadership; review your environment » Access Compliance Program Resources – Don’t reinvent the wheel and seek help » Perform a basic risk assessment » Designate someone to be in charge and give them and the program sufficient resources to succeed » Don’t let the perfect be the enemy of the good – start with pass-fail, then seek to improve over time

Holland & Knight Offices Portland Boston Stamford Chicago San Francisco New York Denver Northern Virginia Washington, D. C. Charlotte Los Angeles Atlanta Dallas Houston Jacksonville Austin Tallahassee Orlando West Palm Beach Mexico City, Mexico Tampa Lakeland Fort Lauderdale Miami Bogotá, Colombia Anchorage 33