Despite what some in the media and urban policy centers would have you believe, the firearms industry is heavily regulated. On any given day, operations of a firearms business are subject to the oversight of several distinct federal agencies, each with their own set of rules, regulations and policies. First is the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), the agency charged with administering and enforcing the Gun Control Act of 1968 (GCA), the National Firearms Act (NFA), and the permanent import provisions of the Arms Export Control Act (AECA). If the company engages in the business of exporting or importing, the company is also subject to the rules and regulations of the U.S. Department of State, the U.S. Department of Commerce, the U.S. Treasury Office of Foreign Assets Control, and U.S. Customs and Border Protection. Government contractors must also comply with the Federal Acquisition Regulations and the Department of Defense supplement known as the Defense Acquisition Regulations System, and public companies must adhere to the requirements of the Sarbanes-Oxley Act and the Dodd-Frank Act.
Each of these regulatory regimes are complex, and regardless of the best intentions of management, employees, and corporate boards, mistakes will happen. When a regulatory violation occurs, the government’s response will depend on the intent of the persons involved. Was it a case of simple human error, a misunderstanding of the regulations? Or does the violation rise to the level of willfulness, reckless disregard or an intentional attempt to subvert the law?
The government considers the mindset of the people involved in the violation as a crucial factor in determining whether the company or individuals should be subject to enforcement, such as fines, penalties, license revocation or suspension, exclusion from future government business, debarment from importing or exporting, or criminal penalties. Furthermore, federal enforcement action against a firearms business will often receive primetime, front page media coverage.
Federal investigators, regulators and prosecutors will likely have a skeptical approach, compounded by the fact that they will have interests and priorities that differ from the company’s management and personnel.
An effective compliance program can be one of the most valuable tools in convincing government regulators, investigators, prosecutors and judges of the good faith and intent of the company in light of a compliance violation. This article focuses on the advantages to adopting a GCA/NFA compliance program and the essential elements to ensure the program is likely to be viewed as a mitigating factor by regulators.
I. Why Should FFLs Adopt a Compliance Program?
As outlined in our article published in Volume 19, No. 10 (“Compliance Inspections under the Gun Control Act—Know ATF’s Limitations and Boundaries”), ATF has the statutory authority to conduct annual warrantless compliance inspections of a Federal Firearms Licensee’s records and inventory. ATF attempts to inspect FFLs at least once every five years, but its resources often result in far less frequent inspections. If a licensee has not experienced an ATF compliance inspection in more than five years, one is likely to occur sooner rather than later. When ATF shows up at the licensed premises, most likely without any advance notice, the licensee is well advised to have its records and inventory in order. If not, it may be on the receiving end of enforcement action.
Companies who have in place an effective compliance program will stand a better chance of mitigating penalties than companies who either have no program or have a program that is not effective. This holds true for criminal prosecution as well. In a speech before compliance officers in New York on November 2, 2015, Leslie Caldwell, Assistant Attorney General for the Criminal Division of the Department of Justice, outlined the factors the Criminal Division considers in determining whether to prosecute companies for securities and commodities fraud, health care fraud, and violations of the Foreign Corrupt Practices Act. One of the factors mentioned by Ms. Caldwell is whether the company has an effective compliance program.
Even though Ms. Caldwell did not specifically mention companies who violate the federal firearms laws, the same rationale would apply. We are aware of a number of instances where ATF considered or proposed revoking a license, but the adoption of an effective compliance program convinced the agency to give the FFL another chance. Indeed, evidence of an effective compliance program may help protect against ever reaching the point of a proposed revocation.
An effective compliance program also will help protect against GCA and NFA violations from occurring and may deter employee misconduct, even if that misconduct does not present an obvious regulatory risk. Even though not required by law, a regulatory compliance program is a sound investment for virtually every FFL.
II. Elements of an Effective GCA/NFA Compliance Program
A. What Makes a Program Effective?
To avoid the “paper tiger” syndrome, compliance policies must be fully embedded in the corporate culture, supported by corporate policies, procedures, systems and documents, and embraced from the top down. A compliance program that is treated as mere window dressing is meaningless and likely will be recognized and called out by the regulators. As Leslie Caldwell noted in her November 2, 2015, speech, when the Department of Justice reviews compliance programs during a criminal investigation, “[t]he department looks closely at whether compliance programs are simply ‘paper programs,’ or whether the institution and its culture actually support compliance. We look at pre-existing programs as well as what remedial measures a company took after discovering misconduct – including efforts to implement or improve a compliance program.”
As indicated by Ms. Caldwell’s remarks, drafting a written compliance program is only the first step. The company must implement the program, evaluate it periodically, revise it as necessary, and enforce it for the program to have any meaning. The company must allocate resources necessary to make the compliance program meaningful and effective.
B. Corporate Commitment
An essential element of an effective compliance program is commitment to compliance from the top down. The commitment should be documented in corporate policies that set out the clear objectives of the program. The policies should clearly describe the consequences for employees who fail to abide by the compliance program and/or who fail to abide by the requirements of federal law.
The corporate policies should address reporting requirements and identify the names, titles, and principal responsibilities of company personnel responsible for compliance. When deciding who will be responsible for compliance within the company, it is important to give compliance officers a significant stature in the company. Assigning the responsibility to low-level clerical employee sends a signal to employees and the government that compliance is not a priority. It also makes it more difficult for personnel to report violations of law, regulations, or company policy up through the chain of command. As discussed further below, it is essential that FFLs create a culture where all employees feel free to report violations to management so they can be addressed and corrected. Placing responsibility for regulatory compliance at a low level in the organization gives the program less visibility and credibility. It also makes it more difficult for compliance personnel to communicate effectively through multiple levels of the organization when they discover a problem. The ideal structure gives compliance personnel direct access to upper management.
To ensure that compliance is embraced by all employees, it is essential the company creates a culture where reporting violations is expected, encouraged, and rewarded. Remember, the operative word for compliance programs is that they are effective. If the company discourages reports of violations, makes it difficult to make such reports, or punishes employees who make reports, the ability to discover weaknesses in the compliance program will be severely hampered. If violations of the law are not discovered until an ATF compliance inspection is conducted, it may be too late to avoid citations against the company.
C. Communication and Training
To effectively implement a compliance program, employees must be adequately trained in the federal rules governing operations. It is also important for employees and third parties doing business with or on behalf of the company have an understanding of the corporate policies and procedures.
The statutes and regulations are complex and ATF policies can and often do change. Consequently, annual refresher training should be required for existing employees in addition to new hire training. The training should be provided by someone knowledgeable and experienced in the area of GCA and NFA compliance, and it should be tailored to the audience. For example, training for engineers will cover topics not pertinent to sales personnel.
Federal firearms licensees should create and retain records of all employee training sessions. The record should include the names and qualifications of the persons providing the training, a copy of the training presentation, and a list of all employees trained.
D. Regular Audits and Monitoring
Internal monitoring is essential to gauge the effectiveness of the compliance program and to discover violations. Even with the most robust compliance program, mistakes can and will be made. If a violation is discovered, the compliance program should set out the procedures for investigating the incident, preserving relevant materials, and taking the necessary remedial and corrective action. Also, whether the violation warrants a disclosure to the government should be carefully considered.
Should a company choose to use a non-attorney consultant, it is important to note that such consultants are not subject to the work product and privilege doctrines available to a licensed attorney. As such, a consultant’s communications, reports, findings and recommendations may be discoverable by the regulator or prosecutor.
E. Documentation – The Compliance Manual
A key part to making a compliance program effective is a written compliance manual that contains the corporate policies and implementing procedures to guide employees in their daily responsibilities and activities. The written manual should include an overview of pertinent provisions of the GCA, NFA (if the company manufactures, imports, or deals in NFA firearms), and import provisions of both statutes and the Arms Export Control Act (AECA), if appropriate. The manual should include sections on licensing and qualification, marking firearms, importing firearms, transferring firearms, records required by the GCA, and registration of firearms under the NFA.
The manual should include detailed processes for employees to follow, examples of forms required under the GCA and NFA, and lists of firearms products manufactured, imported, or distributed by the FFL and how each is regulated by ATF. The manual should also include references to relevant ATF rulings and other ATF compliance information. The manual should be comprehensive, outline all the licensee’s responsibilities under the federal firearms laws, and provide step-by-step guidance to employees on regulatory compliance.
A written compliance manual that outlines processes and procedures prevents mistakes in accounting for and transferring firearms. For example, having all records reviewed by more than one person will ensure accurate records AND protect against false or fraudulent records intended to cover up employee theft.
The written compliance manual should be reviewed and revised on a regular basis to ensure employees are using up-to-date information and that the manual accurately reflects the company’s product lines and business. The compliance manual should be distributed to all employees responsible for regulatory compliance and posted to the company’s internal website. It should not be provided to ATF representatives unless the company’s counsel directs such disclosure.
III. No “One Size Fits All” Program
Licensees are well advised to use caution when purchasing a pre-fabricated or “off-the-shelf” compliance program as there is no such thing as a “one-size-fits-all” compliance program. An effective program must be fully embedded in, supported and embraced by the company. Consequently, it must be tailored to the company’s structure, products, market, risks, and business practices. What works for a large company manufacturing destructive devices for the military will not work for a small company that customizes pistols for sale to consumers. Each FFL must create its own program based on the unique business needs of the company.
Federal firearms licensees who devote resources to creating and implementing an effective compliance program will reap long-term benefits. A robust compliance program will aid in preventing violations of the federal firearms laws, deter employee theft, and, in the event ATF cites the company with violations of the law, make it less likely ATF will propose license revocation. The Department of Justice has recognized the importance of a compliance program in the securities, health care, and financial fraud area and may apply the same standards to regulatory compliance under the federal firearms laws. Compliance programs tailored to the business and product lines of the licensee are a sound investment that should be considered by all manufacturers, importers, and distributors of firearms.