On November 18-21, 2013, in what is now a fall ritual, anti-corruption practitioners gathered in Washington, D.C. for the American Conference Institute’s 30th International Conference on the Foreign Corrupt Practices Act. As usual, this event provided a forum for officials of the U.S. Department of Justice (“DOJ”) and U.S. Securities and Exchange Commission (“SEC”) to provide their views on a range of FCPA enforcement issues.1 The major theme throughout comments by U.S. government officials was that, notwithstanding the perceptible decline in FCPA resolutions in 2013, neither companies nor individuals should become complacent about anti-corruption compliance.2
Deputy Attorney General Cole and SEC Co-Director of Enforcement Ceresney
Deputy Attorney General James M. Cole and SEC Co-Director of Enforcement Andrew J. Ceresney noted, as U.S. officials customarily do, the United States’ leadership in anti-corruption enforcement, while also highlighting significant collaboration with non-U.S. counterparts, including those in the United Kingdom, Germany, and France. They stressed the impact of the 2012 joint Resource Guide to the U.S. Foreign Corrupt Practices Act3 in promoting greater transparency in how the FCPA is enforced; their commitment to prosecuting individuals; the importance of preventing corruption through compliance best practices; and the benefits to individuals and corporations alike from voluntary disclosure and cooperation.
Deputy Attorney General Cole bluntly stated that, because the DOJ “understand[s] that even the best compliance program will not prevent every violation of the FCPA … when a violation does occur, we frankly expect you to tell us about it and cooperate in investigating it.” Noting the DOJ’s offer of reduced monetary penalties in certain cases, Cole cited other steps to “incentivize” self-reporting beyond those set out in the U.S. Sentencing Guidelines. These include “declinations like that in the Morgan Stanley case, resolutions short of a guilty plea like deferred prosecution agreements and non-prosecution agreements, and allowing companies to self-report their remediation efforts instead of being subject to the oversight of a corporate monitor.” But Cole also said the DOJ would “pressure test” the results of company internal investigations and be “unrelenting” in the case of companies that violate the FCPA, and, after becoming aware of the misconduct, do not engage in “true voluntary disclosures and actual cooperation.”
Co-Director of Enforcement Ceresney made a similar argument in favor of self-reporting: “The answer is simple – if we find the violations on our own, the consequences will surely be worse than if you had self-reported the conduct. Companies must keep in mind that the risk of not coming forward grows by the day as our whistleblower program continues to pick up steam.”
Panel Comments by DOJ and SEC Attorneys
General Enforcement Statistics and Trends
DOJ’s FCPA Unit Deputy Chief Charles E. Duross and SEC FCPA Unit Chief Kara N. Brockmeyer discussed their agencies’ respective pipelines of cases. Duross said that the DOJ has approximately 150 “open” FCPA investigations, a figure that has remained roughly constant for the past several years. Duross noted that the 150-case figure represented a “flow” of cases under investigation and that matters would come on and go off the DOJ’s list of open files virtually weekly. Brockmeyer estimated that the SEC had about 100 open investigations and that the SEC’s figure is also based on a flow of cases. Duross and Brockmeyer each said they have opened and declined cases in a day, and that their agencies’ responses each depend on the facts.
Brockmeyer stated that two-thirds or more of her team’s cases involve allegations that potential improper payments have been routed to foreign officials through intermediaries. She also noted that travel and entertainment issues continue to be the subject of enforcement actions, citing both the Diebold and Stryker settlements.4 Brockmeyer also noted the importance of the Dodd-Frank Act’s expansion of the SEC’s authority to issue penalties in administrative proceedings, which has encouraged the agency to resolve a greater number of matters through such proceedings.5 In his separate panel remarks on the emergence of deferred prosecutions in the United Kingdom, DOJ Deputy Fraud Section Chief Daniel Braun relatedly suggested that more active judicial review of Deferred Prosecution Agreements (“DPAs”) was increasing the attractiveness of Non-Prosecution Agreements (“NPAs”) for both sides in FCPA criminal cases.
Discussing the SEC’s determination to address commercial bribery issues as a matter of an issuer’s internal controls obligations, such as in the Diebold settlement, Brockmeyer observed that the SEC’s FCPA Unit was not focused in the first instance on commercial bribery matters. However, she noted that where such matters come to the attention of the agency, they very well can be factored into an internal controls and books-and-records analysis.6
Speaking on a panel related to due diligence of third parties, DOJ Fraud Section Chief Jeffrey Knox said that many companies have excellent due diligence programs on paper, but nevertheless get into trouble in the investigation of their third-party relationships. He stressed that there is nothing inherently wrong in a third party having access to a foreign official; it is what the company does with that access that is critical, and that issue, as well as other red flags, should be resolved during the course of due diligence.
Similarly, on a panel devoted to due diligence in the merger and acquisition context, DOJ Fraud Section Assistant Chief James M. Koukios emphasized that, while a merger or acquisition “cannot create FCPA liability retroactively,” the rule of inherited liability requires close attention. Companies looking to reduce their M&A risks should consult the Resource Guide’s sections dealing with merger activity, the Halliburton Opinion Release (Op. Rel. 08-02), and M&A remediation terms in FCPA resolutions.7 He said that, in appropriate cases, the DOJ would decline prosecution if a buyer voluntarily disclosed a bribery issue that had been identified in pre- or post-closing due diligence, provided the remediation was sufficient. To maximize the odds of a declination, he said that a company will want to “do everything right,” from real-time reporting to prompt and full remediation of the issues identified.
Voluntary Disclosure, Internal Investigations, and Cooperation
Perhaps no other topic generated as many comments by the U.S. officials as voluntary disclosure and the issue of whether, when, and how a company should self-report. Noting that companies have a variety of approaches on self-reporting, and that some have developed regular practices to make such reports, Duross and Brockmeyer each emphasized that early self-reporting and cooperation are genuinely received positively by the government, especially when that disclosure puts relevant documents in the hands of the U.S. enforcement agencies sooner than otherwise would take place.
In a panel devoted to voluntary disclosure, SEC Deputy FCPA Unit Chief Charles E. Cain noted that early self-reporting can have significant benefits beyond the self-reporting credit it generates. Asked to comment on the results of an audience poll in which more than fifty percent of respondents agreed a self-report should not be made until “the [company’s] internal investigation has progressed enough that the company understands the nature and scope of the conduct,” Cain said that he found the results unsurprising, but urged companies to report earlier. Cain said companies that self-report “often have a much bigger problem,” and early disclosure enables the agency to help the company identify the full scope of issues and remediate quickly. Cain acknowledged that he would be surprised to hear from a company if it determines after a reasonable effort that an issue is “small and discrete,” but that he would expect a self-report in any case involving more significant kinds of alleged misconduct.
DOJ Fraud Section Assistant Chief Jason Jones, who appeared on the panel with Cain, emphasized that self-reporting is particularly relevant to the government’s determination of the kind of disposition it will seek in settlement. He and Cain said self-reporting must be genuinely voluntary to generate credit. Reporting after receiving notice that an article disclosing a corruption issue would appear in the press the next day would not suffice.
Once a decision to self-report has been made, Brockmeyer noted that communication with the government should be frequent enough to adequately set and meet expectations for both sides. Although every case is different, Brockmeyer said the SEC’s baseline expectation is that documents, once requested, should be produced on at least a rolling basis within three months. During his separate panel, Cain also emphasized this point, noting that self-reporting and cooperation were highly intertwined.
Brockmeyer said that best practices for internal investigations involve early production of documents, provision of translations, and arrangements for witnesses to be interviewed in the United States. Duross emphasized that often the worst thing a company can do is investigate internally and disclose only after the fact what was done, thinking that doing so will end the case. He emphasized that an earlier discussion with DOJ will reduce the likelihood of needing to re-do investigative work. DOJ staff inevitably have their own ideas about how to investigate an issue, and engaging early and getting buy-in on the work plan are key, in Duross’s view. Duross likewise identified the Siemens matter as a case that was resolved in an accelerated manner, explaining: “You don’t finish a case like Siemens in two years by looking under every rock,” but the DOJ has to trust the work plan the company puts forward.
In a panel dealing specifically with internal investigations, SEC FCPA Unit Assistant Director Tracy L. Price emphasized that FCPA Unit members possess both experience and knowledge of evidence from related investigations, which can assist a company conducting an internal investigation to focus on the issues that genuinely matter. DOJ Assistant Fraud Section Chief Matthew S. Queler cautioned against scoping an internal investigation (including document preservation efforts) too narrowly, noting the DOJ had heard the argument that a case involved a “rogue employee” far more often than was justified. In considering whether under the Principles of Federal Prosecution of Business Organizations8 it was appropriate to charge a company, the DOJ would need to gain an understanding of how high up in an organization knowledge of misconduct and red flags had been escalated – and what was done by senior management in the face of the information that it received – before a case can be properly resolved.
Remediation and Resolution; Monitors
Duross and Brockmeyer each recognized that a company’s remediation efforts played a significant role in how their agencies responded to evidence of misconduct, and that the “compliance presentation” made to the government, usually at the close of an investigation, to demonstrate those efforts is a company’s “chance to shine.” Duross observed that some of the worst remediation approaches he has seen involve a company’s waiting until the end of the investigation before initiating remediation efforts. If a case is serious, he said that a company should be revising its systems and taking other action from “Day 1.” Brockmeyer echoed this point and said that in a case that has resulted in a government investigation, remediation that consists of simply more training is insufficient. Duross and Brockmeyer agreed that a genuine remediation of internal controls deficiencies, including testing of the new controls, as well as auditing and discipline, are important.
Duross said that companies need to show concretely how remediation efforts would have prevented the problem that generated the misconduct under investigation.
Both Brockmeyer and Duross noted that the best compliance presentations were those in which key company personnel with direct knowledge of the compliance remediation efforts participate. Such personnel could include, among others, the Chief Compliance Officer, the Chief Financial Officer or Head of Accounting, or the Head of Internal Audit. Compliance presentations made exclusively by counsel can be less effective than a robust presentation by those enmeshed in the actual operation of the compliance program.
Remediation of relationships with third parties, if they were the source of violations, can be tailored to the problem found, Brockmeyer said. A problem with a classic business consultant in Africa, for example, would not require stopping all third-party hiring in its tracks. But if there are custom broker problems (or other issues affecting a broader array of third parties) a broader remediation fix may be needed. All companies, Brockmeyer stated, need a plan for third-party due diligence, but pre-hiring due diligence, she suggested, is not required for all third parties; back end or post-hiring due diligence for lower-risk third parties can be sufficient.
On the topic of whether a company will be required to retain a corporate monitor as a condition of resolving an FCPA case, Duross noted that there is a greater flexibility now; a new tool that the DOJ is exploring more often is a “hybrid” monitor with provisions for a short initial monitorship (18 months vs. the “standard period” of three years) and a potential early end to the monitorship if the monitor certifies the lack of need after the 18-month period. Jones said that those looking to understand how self-reporting, cooperation, and remediation affect a case’s result can find some guidance in the DOJ’s settlement documents. He described the recent Diebold matter as a case that involved self-reporting, but where remediation could have been better, and the company accordingly was required to retain a “hybrid” compliance monitor for an 18-month period.
During a panel discussion of U.K. enforcement, Braun also noted that the United States’ current approach in deducting penalties paid abroad when considering the penalty that should be paid pursuant to settled U.S. proceedings was generally “dollar for dollar.” Once the DOJ determines the appropriate U.S. penalty, it generally offsets that amount by penalties paid overseas. Stating that this was not required by U.S. law, insofar as U.S. criminal law operates under the assumption of dual (or, in the case of interests by several nations, multiple) sovereignty, Braun stated that achieving just results in terms of the amount of monetary penalties was a continuing challenge, and that there are ongoing discussions between even the SEC and the DOJ to assure consistent and fair outcomes reflecting the fact “we are a single government” when it comes to U.S. enforcement.
Cross-Border Investigations and Data Protection
Duross and Brockmeyer each acknowledged the significant challenges that non-U.S. data protection regimes and blocking statutes can pose to a company’s efforts to conduct an internal investigation of alleged FCPA violations and other cross-border wrongdoing. Nevertheless, they stressed that their respective agencies would look to companies seeking cooperation credit to work towards “creative solutions” to the impediments posed by these non-U.S. laws. Although Duross agreed that the policy of the United States is to respect the sovereignty of other nations just as the United States expects its sovereignty to be respected, producing documents to a foreign government in order to facilitate a DOJ request pursuant to a Mutual Legal Assistance Treaty was one solution that accommodated the concerns of both the United States and a foreign country operating a data protection regime. Production to the U.S. agencies of redacted documents in compliance with data protection laws was noted as another way to accommodate the varying interests of U.S. and non-U.S. governments.
Duross advised against companies failing to comply consistently with data protection regulations in the ordinary course of business, but then, in the midst of a DOJ investigation, insisting that data protection requirements must be observed strictly. Duross said that such inconsistency could lead to a determination of “bad faith” and seriously undermine the efforts by the company to obtain credit for its cooperation.
The recent comments of U.S. law enforcement personnel reinforce several enduring facts about FCPA enforcement. Above all, once a violation occurs and comes to the government’s attention, a company’s or individual’s fate is significantly in the hands of law enforcement personnel with broad discretionary authority and the ability to require significant corporate expenditures, as well as to prosecute companies and individuals criminally, civilly, and administratively. Nevertheless, as government representatives candidly acknowledge, they cannot (and should not) prosecute every case where a conviction could be obtained. The most effective ways to avoid being at the wrong end of a decision to prosecute include undertaking robust and effective compliance measures well before an issue arises, and, when violations do occur, quickly and efficiently gathering the necessary information to make an informed decision about whether to self-report, and remediating any compliance deficiencies.