The last four years have been a time of dramatic change for many companies in the U.S. aerospace and defense industry. This period has been marked by a declining U.S. defense budget with continuing uncertainty over the impact of sequestration. Spending on national security has fallen every year since 2011 by a cumulative 15 percent.1 A report on U.S. military spending issued by the Council on Foreign Relations noted the effect that declines in military spending and budget uncertainty were having on defense contractors:
With these shifts in the defense landscape, the overriding question for U.S. contractors involves the future of their capability to develop and maintain exports in an increasingly competitive market. Without question, the U.S. military will remain their dominant customer. However, with decreased domestic sales and increasingly thin margins, IHS Jane’s Defense Industry & Markets Intelligence Centre analysts see U.S. firms having increasingly to address emerging markets and commercial adjacencies to maintain productive revenue growth and pursue needed market diversification.2
This period of declining budgets and uncertainty has resulted in increased emphasis by A&D companies on growing their international business and diversifying into new areas — “white spaces” or “commercial adjacencies,” involving high-risk countries in emerging markets, new and unfamiliar international commercial businesses, international joint ventures and teaming agreements, foreign subsidiaries and international acquisitions. For example, a U.S. defense contractor acquired a foreign commercial (nondefense) service business whose business model was based on forming joint ventures controlled by the local partner in highrisk countries such as China, India and Indonesia. The newly acquired business had virtually no compliance procedures and a very different compliance culture than the U.S. acquirer. Such an acquisition would necessarily raise new compliance issues for the acquirer that would have to be promptly and satisfactorily addressed.
CHANGES IN THE BUSINESS ENVIRONMENT HAVE CREATED NEW AND HEIGHTENED RISKS
The industrywide sea change in the nature and scope of A&D companies’ international business efforts has altered and increased the Foreign Corrupt Practices Act risks these companies are facing. In order to effectively address the new and greatly enhanced risks arising from the changed business environment, A&D companies need to determine whether their current policies, procedures and controls are adequate and, if not, where and how they need to be revised and strengthened. Such risk assessments should be performed regularly; necessary changes to policies, procedures and controls should be made periodically; and their effective implementation should be monitored and enforced on an ongoing basis. The responsibility for ensuring that these actions have been effectively taken and implemented, and the potential liability for failure to do so, rests with each company’s board of directors and senior management.
THE BOARD’S RESPONSIBILITY FOR COMPLIANCE OVERSIGHT
For a company’s anti-corruption compliance program to be effective, its board and senior management should be actively involved both in overseeing its implementation and effectiveness and in providing direct supervision of those who manage the program on a day-to-day basis. The U.S. Department of Justice and U.S. Securities and Exchange Commission in “A Resource Guide to the U.S. Foreign Corrupt Practices Act” and the U.S. Sentencing Commission in the sentencing guidelines have clearly expressed their expectation that the board must be knowledgeable about and exercise reasonable oversight with respect to the company’s compliance program. This expectation of board responsibility by the U.S. government highlights the potential exposure of directors to liability under the FCPA for violations by a company of both the anti-bribery and internal controls provisions.
The DOJ and SEC have made it clear that responsibility for a company having an effective FCPA compliance program starts with its board of directors. In discussing the hallmarks of an effective compliance program, the resource guide notes that: “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company. Managers and employees take their cues from these corporate leaders.” The DOJ and SEC also expect that the senior executive with dayto-day responsibility for the compliance and ethics program will have direct access to the board of directors and audit committee. The company’s senior management team, including the CEO, chief operations officer and chief financial officer, also should be directly involved in overseeing and ensuring the effective implementation and monitoring of the company’s anti-corruption compliance program on an ongoing basis to set the proper “tone at the top.”
Similarly, the sentencing guidelines state that the board must be “knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight” with respect to its implementation and effectiveness. To receive a “culpability score reduction” during sentencing under the guidelines, a company must show that its compliance officers can promptly report any matter involving criminal conduct directly to the board or appropriate board committee. The guidelines also note that compliance officers should report to the board on the implementation and effectiveness of the company’s compliance program at least once a year.
The U.S. government’s expectation that directors will “exercise reasonable oversight” over compliance and ethics program implementation and effectiveness and receive direct reports from the senior official with day-to-day responsibility for it highlights the potential exposure of directors to liability under the FCPA for their company’s bribery violations and internal controls failures if they fail to properly exercise this oversight responsibility.
DIRECTORS’ POTENTIAL LIABILITY FOR NONCOMPLIANCE
Two non-FCPA cases decided in 2014 illustrate how the U.S. government has gone after corporate directors for alleged fraud. In a case brought against animal feed company AgFeed, the SEC found that the company’s executives implemented an accounting fraud scheme to report false revenues from its China operations. K. Ivan Gothner, a U.S. director and audit committee chairman, learned of the fraud and was advised to pursue an internal investigation. Gothner did not act on the recommendation to investigate and the false reporting was allowed to continue. The SEC charged him with failing to pursue an investigation and “scheming to avoid or delay disclosure” of the accounting fraud. The SEC is seeking penalties against Gothner, including a permanent ban on his future service as an officer or director. AgFeed agreed to repay $18 million in alleged illicit profits to settle civil accounting fraud charges.
In a case against coal company L&L Energy, the SEC found that L&L Energy falsely represented that it had a CFO. Its financial statements, including certifications required under Sarbanes-Oxley, were certified in the name of an individual who did not work for the company. Audit committee chairwoman Shirley Kiang signed the company’s financial statements and annual reports. The SEC issued a cease-and-desist order against Kiang, finding that she knew or should have known of the false SOX certification regarding the CFO. The SEC also permanently barred her from any role that involves certification of SEC filings.
These cases suggest that directors could face similar liability for failing to properly exercise their oversight responsibility with respect to their company’s FCPA compliance program, thereby allowing an FCPA violation to occur or continue. Given the U.S. government’s expectation that the board will exercise reasonable oversight over compliance, failure to take action in furtherance of this responsibility would be very ill-advised for both the company and its directors.
There also have been a number of FCPA cases that illustrate a company’s exposure to FCPA liability based upon its failure to implement an adequate system of internal controls. For example, U.S. v. Total SA (2013) found that Total paid bribes to an Iranian official to gain access to Iranian oil and gas fields, and the DOJ alleged that Total “knowingly circumvented and knowingly failed to implement a system of internal accounting controls sufficient to provide reasonable assurances that transactions and dispositions of Total’s assets complied with applicable law.” In U.S. v. Orthofix International (2012), Orthofix’s Mexican subsidiary paid bribes to Mexican officials and falsely recorded them on the subsidiary’s books. The DOJ charged Orthofix with internal controls violations for failing to maintain an effective anti-corruption compliance program and adequate financial controls.
Although directors were not charged with internal controls violations in these cases, it is certainly conceivable that they could be in the future given that the DOJ and SEC take the position that directors are responsible for exercising reasonable oversight with respect to the implementation and effectiveness of the company’s compliance program.
Such an enforcement position was essentially taken by the SEC with respect to senior executives in Nature’s Sunshine Products (2009), involving cash payments made by the company’s Brazilian subsidiary to import unregistered products into Brazil and the subsequent falsification of the company’s books and records to conceal the payments. The SEC brought an enforcement action against the company and its CEO and CFO, alleging that they failed to adequately supervise their personnel, ensure that accurate books and records were kept, and ensure that proper internal controls were being maintained. Both the company and the senior executives agreed to pay civil penalties. While the Nature’s Sunshine Products case involved senior executives, rather than directors, a similar control person theory of liability could be used against a company’s directors given the U.S. government’s position on their oversight responsibility with respect to the company’s compliance program.
Directors may become targets of enforcement actions under the FCPA (and be subject to civil liability to shareholders) based upon conduct that constitutes a breach of their fiduciary duty under Delaware corporate law. In re Caremark International Inc. (1996) held that a board’s obligation “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.”
In Stone v. Ritter (2006), the Delaware Supreme Court upheld the Caremark standard as the appropriate one for director duties with respect to corporate compliance issues and held that the question of director liability turns on whether there is a “sustained or systematic failure of the board to exercise oversight — such as an utter failure to attempt to assure a reasonable information and reporting system exists.” This standard would appear to make it the board’s duty to ensure that an adequate anti-corruption compliance program is in place and to subsequently monitor and oversee that program on an ongoing basis to ensure that it is operating effectively.
Such exposure of directors to liability under the FCPA for failing to properly exercise their oversight responsibility would be consistent with the DOJ’s current emphasis on prosecuting individuals, as articulated in a recent memo from Deputy Attorney General Sally Quillian Yates. The Yates memo instructed all DOJ attorneys, both civil and criminal, to prioritize the prosecution of individuals responsible for corporate wrongdoing. This should provide additional incentive for corporate directors to take their FCPA compliance oversight responsibility very seriously.
ACTIONS DIRECTORS SHOULD TAKE TO PROTECT THEIR COMPANY AND THEMSELVES
What will constitute reasonable oversight by directors over their company’s anti-corruption compliance program may vary somewhat, depending upon the particular facts and circumstances of a company’s operations and the compliance risks that these operations engender. This raises the question of what a director must do to exercise reasonable oversight and protect the company and himself or herself from liability. However, certain elements of what directors must do to exercise such oversight seem clear. At the highest level of generality, the board must attempt to ensure that the company has adequate anticorruption compliance policies, procedures and controls in place. To accomplish this, the board should monitor the implementation and effectiveness of the company’s compliance program on an regular basis. Directors can do this by being actively involved in fulfilling their oversight responsibility, attending board meetings, reviewing and evaluating the information provided, and inquiring further when presented with questionable circumstances or potential compliance issues. The board cannot ignore red flags or fail to investigate them and take action. Once the board knows about a potential compliance issue, it must act to address it.
The board also should receive anti-corruption compliance briefings and training on a regular basis. While the U.S. government recommends that compliance officers report to the board at least annually on the implementation and effectiveness of the compliance program, my firm recommends quarterly presentations to the board on any ongoing internal investigations, general developments in anti-corruption laws and recent enforcement actions and trends, specific compliance challenges the company is facing, and what is being done to address those challenges.
Finally, the board should maintain an open line of communication with the company’s compliance team. This can be accomplished in various ways, for example, through written direction to bring any suspect matter or concern to the audit committee promptly, without waiting for the next regularly scheduled meeting. As recently noted by Joan Meyer in a presentation to National Association of Corporate Directors directors, “There should be a direct, unobstructed line of communications between the compliance function and the board.3 Boards need to hear directly from the corporate compliance officers for the ‘unvarnished truth’ that could get diluted when only the general counsel reports to the board.”
The changed business environment has created new and increased FCPA compliance risks for companies in the A&D industry. The U.S. government takes the position that companies’ boards of directors are responsible for being knowledgeable about and exercising reasonable oversight over their companies’ compliance programs to address this compliance risk. Recent case law indicates that both companies and their directors may face liability under the FCPA for failure to properly fulfill this responsibility.
By taking the actions noted above to demonstrate that it takes its governance responsibilities with respect to anti-corruption compliance seriously, the board (along with senior management) will set the proper tone for the company and help to establish and maintain a culture of compliance throughout the entire organization.
Of course, in taking these actions, there is no substitute for genuine interest and commitment on the part of the directors to ensuring the company’s strict compliance with the FCPA. There also is no substitute for the careful exercise of their judgment in identifying and addressing the FCPA compliance risks that are certain to arise in the course of doing business internationally. Taking these actions with the requisite commitment to compliance and exercise of informed judgment will help protect the company and its directors, officers and employees from potentially draconian criminal and civil penalties under the FCPA and other applicable anti-corruption laws and will best serve the interests of the company and its shareholders.