At long last, the United States Department of Justice (“DOJ”) and the Securities and Exchange Commission (“SEC”) released their guidance on Foreign Corrupt Practices Act (“FCPA”) compliance and enforcement issues.
The guidance is not a panacea for the difficult issues that global companies navigate on a daily basis, but the 120-page A Resource Guide to the U.S. Foreign Corrupt Practices Act (the “Resource Guide”) will prove to be a valuable resource. It provides a one-stop compilation of information and distillation of principles that will be helpful “from the board room to the supply room.”
The guidance presents the views of the regulators on commonly encountered issues. That in itself is valuable, even though it emphasizes (of course) that companies must approach FCPA compliance based on the particular facts of their operations and circumstances. But the guidance does not deliver any of the fundamental reform that the business community has been seeking, likely setting the stage for further attempts to secure statutory reform from Congress.
The FCPA has been on the books since 1977, but it has matured into a regulatory juggernaut over the past several years, during which FCPA enforcement has been a top priority of the DOJ and the SEC. The regulators have secured record fines (amounting to billions of dollars) and people have gone to prison. Just last week, Assistant Attorney General Lanny A. Breuer heralded the DOJ’s aggressive FCPA enforcement as a “signature achievement” of President Obama’s first term. Mr. Breuer noted that the battle against corruption is one of the “main struggles of our time.”
Global businesses have worked hard to comply with the FCPA, while at the same time expressing a desire for clarity and certainty in gray areas. The business community and members of Congress have suggested that reform is needed to curb regulatory excesses.
In this context, Mr. Breuer and the SEC’s Director of the Division of Enforcement, Robert Khuzami, announced last year that their agencies would issue guidance about the FCPA. Over the past year, both of these officials have stated several times that the guidance will not represent a retrenchment from aggressive enforcement. Indeed, the Resource Guide delivers on that promise and shows no indication that regulators intend to retreat. The Resource Guide calls FCPA enforcement a “continuing priority” of both agencies and promises “robust enforcement.”
KEY POINTS IN THE GUIDANCE
Who is a “foreign official” and what is a “foreign instrumentality”
The FCPA prohibits payments or offers of payments to “foreign officials.” The definition of “foreign official” includes those who work for an agency or instrumentality of a foreign government. Who qualifies as a foreign official has been a pivotal issue in designing compliance programs. As the issue has been litigated, courts have looked at a host of factors in determining whether a person is a foreign official.
The Resource Guide reaffirms the regulators’ longstanding policy that the FCPA applies to government foreign officials irrespective of rank, and notes that the DOJ and SEC “continue to regularly bring” cases based on bribes paid to “employees of agencies and instrumentalities of foreign governments.” The guidance does not set any bright-line rules, but instead refers to a long list of factors, mirroring those articulated by the courts that have considered the issue.
Notably, the guidance states that “as a practical matter, an entity is unlikely to qualify as an instrumentality if a government does not own or control a majority of its shares.” But the guidance then notes that there can be circumstances in which an entity with minority government ownership would qualify as an instrumentality if the government had “substantial control,” such as veto power and operational control. This is not news; it is a reflection of the regulators’ views on this issue to date. But it provides no meaningful relief from the fact-specific ambiguities presented in real life.
Gifts and hospitality
The relationship between being a good host or a good guest and what constitutes giving or offering “anything of value” under the FCPA has been an uneasy one. On the one hand, the DOJ and the SEC have refused to announce a de minimis rule that they will not bring enforcement actions based on the giving or providing of gifts or hospitality below a certain value. On the other, they have not brought (and have said they will not bring) enforcement actions based solely on small gifts or modest hospitality expenses.
The guidance recognizes that “[a] small gift or token of esteem or gratitude is often an appropriate way for business people to display respect for each other.” The regulators state that “[t]he FCPA does not prohibit gift-giving,” but instead “prohibits the payment of bribes, including those disguised as gifts.” The guidance does not adopt any de minimis rule, but includes hypotheticals that describe scenarios in which promotional materials and hospitality at a trade show booth, rounds of drinks after the trade show, and a wedding gift to a senior foreign official all could pass muster under the FCPA. The guidance focuses on the purpose of the gift or entertainment. These hypotheticals could turn out to be some of the most useful guidance for day-to-day matters in many compliance departments, though the topic of gift-giving, particularly of cash, should continue to receive careful attention.
The guidance also includes examples of “improper travel and entertainment,” such as lavish dinners, luxury gifts, and exotic trips unrelated to training or inspection visits. The regulators also note that small gifts individually are not likely to be prosecuted, but would be subject to enforcement action if they are part of systemic bribery.
The FCPA expressly excludes “facilitating or expediting payments” from liability. The guidance repeats the well-known (if less than crystal-clear) tests for distinguishing between one of these “grease” payments and a bribe, e.g., whether the payment is to further one-time, non-discretionary, government action, or to secure or retain business, such as by influencing discretionary acts. The Resource Guide includes examples of “routine government action,” such as obtaining permits or licenses, processing visas, scheduling inspections, obtaining police protection, or obtaining utility service. The guidance also provides a hypothetical involving a one-time, small, “grease” payment to ensure that a file clerk “files and stamps permit applications expeditiously” and a “modest cash payment” to a high-ranking government official to make an environmental issue go away. The guidance terms the former a facilitating payment and the latter a bribe.
After discussing facilitating and expediting payments, and affirming the FCPA’s exclusion for these payments, the Resource Guide nonetheless notes that facilitation payments violate many local laws, the recommendations of the Organisation for Economic Co-operation and Development’s Working Group on Bribery, and other countries’ foreign bribery laws, such as the UK Bribery Act.
The standard for corporate liability v. individual liability
The guidance reiterates the regulators’ position that there is a different standard for imposing criminal liability on an individual as compared to a company. The FCPA states that an individual must have acted “willfully,” but there is no “willful” requirement for corporate criminal or civil liability. “Willful,” say the regulators, means that the individual knows generally that his or her conduct is unlawful, not necessarily that it violates the FCPA. The guidance does not state that the regulators will apply a “willful” requirement in considering whether to prosecute a company. However, the guidance notes that “proof of corrupt intent” is required to establish corporate criminal or civil liability. What the regulators see as the difference between “willful” and “corrupt intent” goes unsaid.
On a related topic, the guidance endorses the court rulings that a defendant can be liable for violating the FCPA when he or she showed “willful blindness or “conscious avoidance”—i.e., the “head-in-the-sand” approach.1
The guidance addresses parent liability for a subsidiary’s violation of the FCPA’s anti-bribery provisions and for violation of the books and records provisions.
Notably, the regulators do not assert that a parent is always liable for its subsidiary’s violation of the anti-bribery provisions. The guidance, does not, however, describe situations in which a parent can never be held liable.
According to the guidance, where a parent directed the subsidiary to pay bribes or otherwise participated directly in the scheme, it has direct liability. But if the parent did not take those steps, then the Resource Guide states that “traditional agency principles” determine whether the parent may be liable for its subsidiary’s conduct. The regulators describe “control” as the fundamental characteristic of agency. In evaluating the parent’s control, the SEC and DOJ will look for the parent’s knowledge and direction of the subsidiary’s actions in general and in the context of the specific transaction, evaluating both the formal relationship and the "practical realities of how the parent and subsidiary actually interact." If there is an agency relationship, then the parent will be liable for bribery committed by the subsidiary’s employees.
The guidance states that an "issuer" (for simplicity, described here as a company whose stock or ADRs trade in the U.S.) is responsible for ensuring that "subsidiaries or affiliates under its control, including foreign subsidiaries and joint venture partners," comply with the FCPA’s accounting provisions. This signals that the regulators will continue to pursue parent corporations for civil liability under the accounting provisions when a small subsidiary in a distant land violates the accounting provisions and the false accounting is consolidated into the parent’s books and records. However, where a parent company owns less than 50% of a subsidiary or affiliate, the parent "is only required to use its best efforts to cause the minority-owned subsidiary or affiliate to devise and maintain a system of internal accounting controls consistent with the issuer’s own obligations under the FCPA." In evaluating those "best efforts," the regulators will take into account all circumstances, including the relative degree of ownership and the laws and practices of the country in which the subsidiary or affiliate is located.
Successor liability after a merger or acquisition
In the area of successor liability, the guidance makes two clear pronouncements: (1) when a company merges with or acquires another company, the successor company assumes the predecessor company’s liabilities, including FCPA liability; and (2) successor liability does not create liability where none existed before. The guidance articulates the regulators’ long-standing enforcement position that an acquiring company can be held liable for the acts of its predecessor even if the acquiring company may have had no involvement in the pre-acquisition conduct. The guidance also recognizes, however, that FCPA liability cannot be applied retroactively. Therefore, an acquiring company cannot be held liable for the conduct of a company that was not previously subject to the FCPA’s jurisdiction.
The guidance also emphasizes that, in cases where the improper conduct continues post-closing, the acquiring company may have direct liability—rather than liability under the theory of successor liability—for the continuing FCPA violations. The guidance also echoes recent enforcement actions and DOJ Opinion Releases in this area that encourage companies to conduct comprehensive pre-acquisition due diligence to the extent possible and to implement swift post-acquisition remediation, including integration of the acquired company into the acquiring company’s compliance program. The guidance also notes, several times, the potential upside to an acquiring company that voluntarily discloses FCPA violations that it uncovers at the acquired company.
Setting standards for compliance programs
As expected, the guidance does not state that the FCPA requires a particular set of compliance processes, or that adopting a particular type of program will immunize a company from liability. Indeed, the regulators expressly disclaim doing so, stating "DOJ and SEC have no formulaic requirements regarding compliance programs." The regulators state that they "employ a common-sense and pragmatic approach to evaluating compliance programs," inquiring whether the program is well designed, is applied in good faith, and does it work. Thus, according to the DOJ and SEC, companies have "flexibility" to create and maintain "a system of controls that is appropriate to their particular needs and circumstances." Notably, the guidance also does not adopt the existence of "adequate" procedures as an affirmative defense to FCPA liability.
The regulators call for companies to tailor their compliance programs to their business, such as by factoring in the nature of their products and services, how those products and services get to market, the nature of its work force, the degree of regulation, the extent of its government interaction, and the degree to which it operates in countries with a high risk of corruption. The Resource Guide states that businesses exposed to a high risk of corruption will have different controls than a company that faces a low risk, “just as a financial services company would be expected to devise and employ different internal controls than a manufacturer.”
The Resource Guide lists “hallmarks of effective compliance programs,” including (1) the “tone at the top” and clearly articulated and implemented anti-corruption policies; (2) a clear and readily available code of conduct and company-wide policies and procedures to prevent and detect bribery; (3) a senior executive who is responsible for overseeing an organization that has the autonomy and resources with which to monitor and enforce compliance; (4) risk assessment practices that prevent unnecessary expenditures of time and effort on low-risk areas to the detriment of monitoring high-risk areas; (5) training and access to immediate advice; (6) the use of incentives and discipline to enforce and strengthen the compliance program; (7) diligence in retaining and working with agents, consultants, and distributors; (8) hotlines and reliable internal investigations; (9) testing and improvement of compliance programs; and (10) diligence in investigating acquisition targets and in incorporating them into the compliance program “promptly” after the acquisition closes.
The guidance states that DOJ and the SEC understand that no compliance program can be 100% effective and that “they do not hold companies to a standard of perfection.” The regulators also note that there could be situations in which they “may otherwise seek to reward a company for its program, even when that program did not prevent the particular underlying FCPA violation that gave rise to the investigation,” i.e., by not bringing an enforcement action or by adjusting the penalty downward.
Whether and when to self-report a known or suspected FCPA violation is a complex and nuanced decision. The regulators have stated repeatedly that they encourage companies to self-report and that such cooperation results in benefits. The guidance emphasizes that “both DOJ and SEC place a high premium on self-reporting, along with cooperation and remedial efforts, in determining the appropriate resolution of FCPA matters.”
The DOJ notes that “in many investigations it will be appropriate for a prosecutor to consider a corporation’s pre-indictment conduct, including voluntary disclosure, cooperation, and remediation in determining whether to seek an indictment.” The DOJ also notes that it cannot assess an organization’s cooperation based on whether the company waived attorney-client privilege or work product protections, but can do so based on whether the company disclosed the relevant facts underlying an investigation. The SEC likewise cites existing statements about whether and when the SEC grants leniency to companies for cooperating in investigations, such as by self-reporting, and states that credit for cooperation by companies may range from taking no enforcement action to reduced sanctions. In this respect, the guidance merely echoes the regulators’ repeated endorsements of self-reporting and their statements that doing so could benefit the reporting company.
The guidance responds to the calls for fuller disclosure of declinations—decisions not to take enforcement action against an individual or company—by doing three things. First, the DOJ notes that it has a long-standing policy not to provide, without the party’s consent, non-public information about matters that it has declined to prosecute. The DOJ noted that there have been “rare circumstances” in which it prosecuted an individual but disclosed that it was not also prosecuting his or her employer. Second, the guidance discloses that “in the past two years alone, the DOJ has declined several dozen cases against companies where potential FCPA violations were alleged.” This is the first time that practitioners have ever learned from the DOJ something about the number of declinations. Third, the guidance lists six anonymized examples of declinations, all of which featured companies that had taken immediate action to stop the misconduct, completed thorough internal investigations, and self-reported.
The Resource Guide is not groundbreaking. There is no sign of the regulators retreating from their expansive views of liability under the FCPA. It does little to address the calls for bright-line rules.
Nonetheless, the guidance is helpful. The guidance provides some clarity in an area that is greatly lacking in precedent or judicial interpretation. Without creating safe harbors, the guidance clarifies circumstances that do not pose significant danger of FCPA liability.
The guidance is far from the last word on the constellation of issues in FCPA enforcement. But it is a step forward towards greater clarity and predictability.