The long-awaited Resource Guide to the U.S. Foreign Corrupt Practices Act has brought the cynics and naysayers out of the woodwork. The critical consensus on this joint publication of the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) has been thumbs down — that the Guide does not go far enough in bringing bright lines into an area of the law that is mostly gray. “What FCPA enforcement needs at this critical juncture is not non-binding enforcement agency guidance,” opined professor Mike Koehler in the Wall Street Journal.1 A recent survey by Grant Thornton revealed that 52% of 150 respondents were “still unclear about the Department of Justice and the Securities and Exchange Commission’s compliance expectations.”2 One commentator in the New York Times found the Resource Guide “short on how to avoid violating the law in new situations” and “leav[ing] plenty of uncertainty about enforcement.”3 The U.S. Chamber of Commerce has made clear its dissatisfaction with being “left guessing” in a lengthy letter to DOJ and SEC in February.4
Contrary to the received wisdom of the cynics and naysayers, though, the Resource Guide is actually a helpful document. This is not necessarily because of its substance. Admittedly, the Guide is short on details about the government’s enforcement priorities, and it contains little that experienced FCPA practitioners do not already know. The Guide’s value lies, rather, in its usefulness as a communication tool. Lawyers who deal with the FCPA every day — both in companies and in firms — frequently find themselves dealing with difficult issues and the need to give advice in an area of the law that is one big gray zone, with little or no case law to guide them through the issues. This is where the Resource Guide can play a role. Where lawyers used to have to give advice based completely on their own experience practicing before DOJ and SEC, they now have an additional authoritative source to rely on in communicating compliance and enforcement advice to clients.
One area where this guidance is particularly helpful is with respect to compliance programs.
The Resource Guide recognizes that different companies face different compliance risks. The hallmarks described in the Resource Guide flow from the premise that a company’s compliance regime must be designed to address that company’s particular circumstances. A small company with few foreign government clients will face a different level of risk (and will have a different level of compliance resources to deploy) than a Fortune 500 company with extensive multi-national operations and a long list of foreign government clients. The importance of tailoring a compliance program cannot be overstated, and the Resource Guide repeatedly acknowledges that one size does not fit all.
However they may be woven into a particular compliance program, the hallmarks described by the Resource Guide should be applied in some way, shape, or form by every company. These hallmarks include:
- Tone from the top that emphasizes ethics and compliance: As corporate leaders’ commitment to ethics and FCPA compliance trickles down, it builds a culture of compliance, including by inspiring middle managers to prioritize compliance and reinforcing such a priority with employees of all levels.
- Clear, concise, accessible, and understandable code of conduct: The code of conduct must apply to personnel at all levels, and in some cases to certain third parties as well.
- Implemented by empowered, autonomous personnel: The compliance program must be implemented by someone with appropriate authority (often one or more senior executives) and adequate autonomy, which generally includes direct access to the board of directors, audit committee, and other appropriate corporate bodies. The program must have adequate staffing and resources.
- Risk-based: The compliance program should be based on a risk assessment that prioritizes areas of greater FCPA risk. For example, resources devoted to monitoring routine, modest gifts and entertainment should be proportionate and should not detract from a large government bid or contract.
- Well communicated: Policies and procedures should be communicated periodically to officers and directors, as well as relevant personnel, agents, and business partners, in their local language.
- Universally and consistently applied: Compliance policies must apply to all employees, “from the board room to the supply room.” No one can be above discipline or beyond reproach commensurate with a violation of those policies. Conversely, incentives that reinforce good compliance practices can help foster a culture of compliance.
- Confidential reporting, without stigma or fear: The compliance program should provide both a way for potential misconduct to be reported confidentially, without fear of retaliation, and “an efficient, reliable, and properly funded process for investigating” allegations and documenting the results of and response to that investigation.
- Dynamic: Compliance programs should evolve as the company develops and changes, and should be reviewed, tested, and updated periodically.
In communicating with clients about compliance matters, it is good to provide carrots along with the sticks, and the Resource Guide outlines the potential benefits of having a sound compliance program: “In appropriate circumstances, DOJ and SEC may decline to pursue charges against a company based on the company’s effective compliance program.” The Resource Guide lists examples of declinations and the factors considered in those declinations, as well as several hypotheticals based on declinations, and strong compliance programs feature prominently in them. Although many commentators would like to see a defense or “safe harbor” added to the FCPA for having a good compliance program and criticize the Resource Guide for not going that far (and for detracting from such structural, legislative reform),5 what the Guide does contain is helpful in communicating the message to clients about what a good compliance program needs to be.
Risk-Based Due Diligence
Another hallmark of an effective compliance program is risk-based due diligence of third parties, which, because it is “particularly important” to DOJ and SEC, is given detailed treatment in the Resource Guide. This treatment may also reflect a desire to emphasize a message that might seem counterintuitive in the broader context of compliance: more is not always better.
While agents, consultants, and distributors have played prominent roles in FCPA enforcement actions through the years, there is no presumption that all third parties are likely to engage in misconduct. Because a company’s resources are finite, potential risks should be assessed when determining the level of due diligence appropriate for a third party. The Resource Guide offers the following “guiding principles”:
- Know the third party: Understand its qualifications, associations, reputation, and relationships with foreign officials.
- Know why the third party is being hired: Articulate the business rationale for using the third party in this transaction, and ensure that the contract and payment terms correspond to the work to be performed, which should be confirmed and documented.
- Monitor the relationship: Update due diligence, exercise audit rights, provide training, and request compliance certifications.
In the context of mergers and acquisitions, such risk-based diligence takes on additional importance. It is preferable to perform such diligence prior to an acquisition so that the target company is properly valued, both economically and in terms of allocating the costs of FCPA-related risks, but post-closing diligence may also be warranted. Either way, the acquired company should be promptly incorporated into the parent’s compliance program. Having these principles spelled out in the Resource Guide gives lawyers more authoritative guidance for their advice on these matters.
Gift-Giving, Travel and Entertainment Expenses
One of the grayest of gray areas in the FCPA is gifts, travel and entertainment expenses. Even though the Resource Guide does not provide any bright-line rules in that regard, it still provides helpful principles to use in communicating what is permissible to clients.
Just as all third parties are not automatically presumed to be middlemen for FCPA improprieties, the Resource Guide makes clear that a compliance program need not treat every modest gift or travel and entertainment expense relating to a foreign official as a bribe in disguise. To the contrary, “[a] small gift or token of esteem or gratitude is often an appropriate way for business people to display respect for each other.” The touchstone is corrupt intent. For example, when a modest gift is given openly, recorded properly, provided to show esteem or gratitude, and permitted under local law, then it may bear the hallmarks of appropriate gift-giving.
The Resource Guide provides many examples of improper expenses, too: a $12,000 trip for a government decision maker that included visits to wineries and dinners; $10,000 on dinners, drinks, and entertainment for a government official; a trip to Italy for multiple officials consisting primarily of sightseeing with $1,000 in “pocket money” for each official; a trip to Paris for an official and his wife for chauffeured tours; “training” trips that involved no training, occurred at locations where the company had no facilities, or on which minimal time was spent at company facilities.
Though the Resource Guide does not provide a definition or a dollar amount that divides proper from improper expenses, it provides extensive hypotheticals that walk through the spectrum.
In the end, although the Resource Guide may be criticized for not going very far in drawing bright lines or answering every question about FCPA enforcement, that would probably be asking too much. After all, FCPA compliance and enforcement are fact-specific, and it would be impossible to analyze every possible scenario. The Resource Guide may not say much that is new, but it will help FCPA lawyers communicate their advice to clients — which may be the next best thing.