On September 9, 2016, Cisco Systems, Inc. (“Cisco”) announced that the U.S. Securities and Exchange Commission (“SEC”) and the Department of Justice (“DOJ”) declined to bring Foreign Corrupt Practices Act (“FCPA”) enforcement actions following the company’s internal investigation of its business dealings in Russia and various CIS (Commonwealth of Independent States) countries. The announcement and decision by the SEC and DOJ came on the heels of a three year investigation where Cisco disclosed its findings, made organizational changes to its business in Russia, and cooperated with the government agencies. While the investigation serves as yet another reminder that the government is focused on potential FCPA violations in the technology sector wherever they occur, the decision not to bring any charges is consistent with the principles enunciated in the FCPA Pilot Program (“Pilot Program”), instituted in April 2016. Consistent with the Pilot Program’s “mitigation credit” for voluntary self-disclosure, cooperation, and remediation, Cisco received the benefit the government promises.
Third Party Risks
Cisco’s internal investigation highlights the risks technology companies face from third party sales agents and the efforts expected by the government to mitigate, investigate, and remediate such risks. Technology companies routinely rely on resellers and distributors in their sales operations globally. Many companies undertake efforts to require their third party agents to maintain accurate books and records and to justify the additional discounts they seek. But the reality is that third parties may not provide truthful information or records—whether to justify the requested discount or to reflect their sales or expenses. In certain markets around the world, such business practices are not scrutinized or criminalized, causing entities which do not face liability in other jurisdictions to continue operating in a less than forthcoming manner. Or, when faced with audit requests that may uncover impropriety, third parties claim protection based on antitrust, state secrets, or data privacy laws, which help insulate the third party under a seemingly legitimate argument. Thus, technology companies operating globally must be vigilant about issues such as the booking of revenue by resellers, the business justifications used to obtain approval for discounts, and the potential falsification of records maintained by its resellers. Faced with such challenges, companies must maintain strong internal controls to monitor the behavior of their third parties (including conducting routine audits of higher-risk third parties) and to take decisive action (including terminating the business relationship) where misconduct is identified.
The Cisco investigation continues a trend of technology companies being the target of FCPA investigations and enforcement actions. For example, in 2016 alone, the SEC has initiated enforcement actions against five companies or individuals in the technology industry, while the DOJ has initiated two enforcement actions. Moreover, investigations within the sector continue to relate to conduct of third parties acting on behalf of the company.
Pilot Program’s Mitigation Credit
The Cisco investigation provides some insight into the mitigation credit that companies may receive pursuant to the Pilot Program instituted by the DOJ earlier this year. The Pilot Program was intended, according to the government, to add enforcement resources, increase cooperation, and provide more transparency into the requirements for obtaining mitigation credit. With respect to mitigation credit, the program outlines three requirements: (i) voluntary self-disclosure, (ii) full cooperation, and (iii) remediation.
The Fraud Section’s FCPA Enforcement Plan and Guidance memorandum, issued on April 5, 2016 by the DOJ’s Criminal Division, sets forth the conduct necessary to satisfy each of the mitigation requirements. For example, to satisfy the “voluntary self-disclosure” requirement, the disclosure must (i) not be one that is required by law, agreement, or contract, (ii) occur prior to an imminent threat of disclosure or government investigation, (iii) be reasonably prompt, and (iv) include all known relevant facts concerning the misconduct. Similarly, the “full cooperation” requirement includes (among other things): timely disclosing all relevant facts, including providing timely updates and rolling disclosures; proactively cooperating by disclosing facts when not specifically asked and helping the government to identify relevant evidence; preserving, collecting, and disclosing relevant documents and information; disclosing all relevant facts related to potential third-party criminal conduct; upon request, facilitating interviews with officers and employees (subject to the individuals’ Fifth Amendment rights); and disclosing all relevant facts gathered during a company’s independent investigation (subject to the attorney-client privilege). “Full cooperation,” however, may tread close to the line of waiving attorney-client privilege, particularly if the conduct at issue is severe; the more egregious the conduct, the more relevant the mitigation credit may become and the more incentivized (or pressured) the company may feel to waive—even if only partially—the privilege.
The requirement of “remediation,” which the DOJ admits is “difficult to ascertain and highly case specific,” may involve implementing an effective compliance and ethics program that is tailored to the size and resources of the organization, appropriate discipline of employees (including those identified by the corporation as responsible for the misconduct), and any additional steps that demonstrate “recognition of the seriousness of the corporation’s misconduct[.]” Moreover, to be eligible for mitigation credit, even if a company satisfies all three requirements, it still “will be required to disgorge all profits resulting from the FCPA violation.”
Since the launch of the Pilot Program approximately five months ago, the DOJ has publicly released three declination letters. Each of the three letters made clear that although FCPA violations potentially occurred, “consistent with the FCPA Pilot Program [ ] we have closed our inquiry into this matter.” These decisions were based on a number of factors, all of which relate to the three mitigation requirements outlined above. While Cisco clearly achieved the desired result from its cooperation, disclosure, and remediation, it nevertheless was involved in a three year investigation and negotiation with the SEC and the DOJ on this issue. Cisco publicly disclosed the investigation three years ago, meaning it was the subject of media and industry attention, investor scrutiny, and possible civil exposure from shareholder derivative lawsuits during that time. The Pilot Program can be even more successful in achieving the government’s stated goals and in providing meaningful benefit to corporations if it ensures a timely issuance of declination or non-prosecution agreements after the company concludes its investigation.