New Mandatory Compliance Requirements: The Good, the Bad, and the Ugly

Effective December 24, 2007, the Federal Acquisition Regulation (“FAR”) was amended to address the requirements for a contractor code of business ethics and conduct. Essentially, the new rule requires basic codes of business ethics/conduct, compliance training programs, and internal control systems for companies doing business with the Government. The rule contains both a “policy” as well as “mandatory requirements.”

The policy provides that government contractors must conduct themselves with the highest degree of integrity and honesty. The policy also provides that contractors should have a written code of business ethics/conduct, compliance training programs, and internal control systems.

The mandatory requirements apply if the value of the contract is expected to exceed $5 million and the contract has a performance period of 120 days or more. However, the mandatory requirements do not apply if the contract is for the acquisition of a commercial item under FAR Part 12 or will be performed entirely outside the United States. If the mandatory requirements apply, a contractor must have:

• A code of business ethics/conduct within 30 days of contract award (unless the contracting officer establishes a longer time period); and
• Other than for small businesses, a business ethics/conduct training program and internal control system within 90 days of contract award (unless the contracting officer establishes a longer time period).

The rule discusses internal control systems in general terms, noting that an internal control system must facilitate timely discovery of improper conduct and provide for prompt corrective action. The rule goes on to give some internal control examples, such as periodic reviews of business practices, procedures, policies, and internal controls; a reporting mechanism; audits; and disciplinary action. The mandatory requirements flow down to similarly situated subcontractors (subcontracts with a value of more than $5 million and a performance period of more than 120 days, excluding commercial item subcontracts and subcontracts performed entirely outside the United States).

The Good: To some extent, the rule is old news. Many companies have voluntarily implemented compliance programs, even though, before the rule, there was no Government-wide regulatory requirement for such programs.

Certainly, for Department of Defense (“DoD”) contracts, the Defense Federal Acquisition Regulation Supplement (“DFARS”) has long recommended such standards of conduct and internal control systems (DFARS Subpart 203.70). Indeed, the Defense Industry Initiative on Business Ethics and Conduct (“DII”), a voluntary not-for-profit organization, includes the nation’s largest defense contractors as signatories and requires member companies to have a code of business ethics/conduct, training, and internal control systems.

Furthermore, most government contractors know (or should know) that an effective compliance and ethics program can mitigate potential liability. Under the Federal Sentencing Guidelines (§ 8B2.1), the existence of an effective compliance and ethics program has a direct bearing on the penalties and probation terms for an organization. Moreover, under the Department of Justice (“DOJ”) guidelines for the prosecution of business organizations, prosecutors are instructed to consider an organization’s compliance program in the decision whether to seek charges. Likewise, the FAR (9.406-1(a)(1)) instructs the debarring official to consider, before making a decision to debar a contractor from government contracting, whether the contractor had effective standards of conduct and internal control systems in place. Finally, Securities and Exchange Commission rules adopted under Section 406 of the Sarbanes-Oxley Act of 2002, which apply to publicly traded companies, require such companies to disclose whether they have adopted a code of ethics for principal executive officers, principal financial officers, and principal accounting officers and, if not, why not.

And last but not least, an effective compliance program may serve to deter qui tam actions under the False Claims Act ("FCA"). Under the FCA, an individual can file a qui tam action on behalf of the Government based on non-public information of contractor fraudulent activity. Potential liability under the FCA can be enormous. Often, qui tam actions are filed by individuals who believe that concerns raised are not taken seriously and not fully investigated, and that wrongdoers are not appropriately disciplined. Under an effective compliance program, an employee has the means to raise a concern, anonymously if so desired. The concern will be taken seriously and investigated, and wrongdoers will be disciplined if necessary. An employee who feels like his or her concerns are being taken seriously and addressed is less likely to become a qui tam litigant. Also, the company can remain in control and determine if the issue warrants a voluntary disclosure to the Government.

The Bad: If your company does not have a compliance program, the message should be loud and clear that now is the time. Even though the mandatory requirements may not apply to your company, the policy does. Coupled with the DoD regulations, the Federal Sentencing Guidelines, the DOJ guidelines for prosecution of business organizations, the debarment regulations, Sarbanes-Oxley, and the FCA, the new rule leaves no doubt that a company doing business with the Government without a compliance program does so at its own peril.

The Ugly: A number of the more controversial provisions of the rule were deferred to a new proposed rule, which was issued on November 14, 2007, with comments due on January 14, 2008. The proposed rule:

• Amends the general standards or responsibility (FAR 9.104-1(d)) to cross-reference the FAR provision on past performance information (FAR 42.1501), which is amended to add the contractor’s record of integrity and business ethics as relevant information to be included in past performance information.
• Amends the new FAR clause 52.203-13, Contractor Code of Business Ethics and Conduct, to more closely match the Federal Sentencing Guidelines’ enumerated elements of an effective compliance and ethics program. These amendments include mandatory elements of an internal control system.
• Further amends the new FAR clause 52.203-13 to require notification to the agency Office of Inspector General, with a copy to the contracting officer, whenever the contractor has reasonable grounds to believe that there has been a violation of criminal law in connection with the award or performance of the contract or any subcontract thereunder.
• Amends the FAR to provide that a contractor may be suspended or debarred for knowing failure to timely disclose a violation of criminal law in connection with the award or performance of any government contract or subcontract. Also amends the FAR to include another new cause for suspension or debarment – a knowing failure to timely disclose an overpayment on a government contract.
• Amends the FAR to mandate that an internal control system include timely reporting to the agency Office of Inspector General, with a copy to the contracting officer, whenever the contractor has reasonable grounds to believe that there has been a violation of criminal law in connection with the award or performance of any government contract performed by the contractor or a subcontract thereunder.
• Amends the FAR to mandate that an internal control system include full cooperation with any government agencies responsible for audit, investigation, or corrective action.

Obviously, the new proposed rule raises many red flags, especially with respect to the required mandatory disclosure of criminal acts. In fact, the Section of Public Contract Law of the American Bar Association submitted a 27-page comment to the proposed rule. We will be watching the progress of the proposed rule closely and will provide updates as needed.

No representation is made that the quality of legal services to be performed is greater than the quality of legal services performed by other lawyers.

Disclaimer regarding legal advice - The information in this newsletter should not be construed as legal advice. This information is not intended to create or constitute an attorney-client relationship. For more information or an explanation about the matters discussed in this newsletter, please contact an attorney in this practice group.

IRS Circular 230 Disclosure - To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. federal tax advice contained in this communication is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.

Maynard, Cooper & Gale’s Government Contracts Practice Group recognizes that government contractors require legal counsel with specialized experience and a firm understanding of the complex web of laws and regulations at the federal, state, and local level that govern the relationship between contractors and their government customers. Maynard has that experience and understanding. Our attorneys have represented a wide variety of government contractors and subcontractors, both defense and non-defense, large businesses to small. We have a deep understanding of the applicable regulations and statutes. In addition, as a full-service law firm, we are able to address an array of legal matters for our government contracts clients.