New SEC policy requires companies to self-report FCPA violations in order to be eligible for deferred prosecution agreements and non-prosecution agreements.

On November 17, the US Securities and Exchange Commission (SEC) announced that companies subject to Foreign Corrupt Practices Act (FCPA) enforcement actions would need to self-report their potential misconduct to be eligible for deferred prosecution agreements (DPAs) and non-prosecution agreements (NPAs). SEC Enforcement Director Andrew Ceresney revealed the policy change in his remarks at the American Conference Institute’s 32nd Annual FCPA Conference, citing “the importance of self-reporting to our FCPA investigations” and the SEC’s intention to “encourage self-reporting of violations through our cooperation program” and “incentivize firms to promptly report FCPA misconduct to the SEC.”

While the new policy requires companies to self-report in order to be eligible for DPAs and NPAs, Ceresny made it clear that self-reporting will not guarantee such resolutions. According to Ceresney, “[d]eterminations of how much credit to give an entity for cooperation, including whether to take the extraordinary step of entering into a DPA or NPA, are made by evaluating the broad factors set out by the [SEC] in the Seaboard report,” which include factors like self-policing, remediation, and cooperation with law enforcement authorities.[1]

Requiring companies to self-report FCPA violations in order to be eligible for DPAs and NPAs is consistent with the SEC’s past enforcement practices. The SEC has resolved three FCPA enforcement actions by DPA or NPA—PBSJ Corporation (DPA, 2015), Ralph Lauren Corporation (NPA, 2013), and Tenaris, S.A. (DPA, 2011)—and each of the companies was publicly recognized for self-reporting and cooperating with the SEC.

In the PBSJ Corporation enforcement action, which was resolved by a DPA last January, the Florida-based engineering and construction firm “self-reported the violations to the SEC, took immediate steps to end the misconduct, and fully cooperated with the investigation, including voluntarily making foreign witnesses available for interviews and providing factual chronologies, timelines, internal summaries, and full forensic images to the SEC.”[2] In the Ralph Lauren Corporationenforcement action, which marked the SEC’s first ever FCPA NPA, the SEC recognized the American luxury goods designer’s “prompt reporting of the violations on its own initiative, the completeness of the information it provided, and its extensive, thorough, and real-time cooperation with the SEC’s investigation.”[3] Finally, in the Tenaris, S.A. enforcement action—the SEC’s first-ever resolution by DPA—the SEC cited the Luxemburg-based steel pipe manufacturer’s “immediate self-reporting, thorough internal investigation, [and] full cooperation with SEC staff.”[4]

According to Ceresney, the cooperation in these enforcement actions offers a “blueprint” for the “kind of cooperation and remediation efforts [that] are required to maximize the benefits of the SEC’s cooperation program.”[5]

Moving forward, companies confronted with the question of whether to self-report an FCPA violation should carefully consider the SEC’s new policy, because without self-disclosure, the SEC will not recommend a DPA or NPA.