SEC enforcement actions under the U.S. Foreign Corrupt Practices Act have been setting an ever-lower threshold for violations of the FCPA's books and records and internal controls provisions. Most recently, the SEC has charged violations of the FCPA's internal controls provisions where an issuer has been deemed to have "created a risk" of bribery through inadequate compliance policies, procedures and internal controls.
Despite uncertainty about the direction of U.S. Securities and Exchange Commission (“SEC”) enforcement strategy under the administration of President Donald Trump, companies should note that SEC enforcement actions under the U.S. Foreign Corrupt Practices Act (“FCPA”) in recent years have been setting an ever-lower threshold for violations of the FCPA’s books and records and internal controls provisions. These provisions generally provide that issuers must: (i) maintain books, records and accounts which, in reasonable detail, accurately and fairly reflect issuer transactions and disposition of assets, and (ii) devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are properly authorized, recorded, and accounted for by the issuer.
Over the last few years, the SEC has developed a broad definition of “books, records and accounts” and, more significantly, has charged FCPA violations where a company has allegedly “created a heightened risk” environment for bribery and corrupt conduct through what are deemed by the SEC as lacking compliance policies, procedures and internal controls. Additionally, the SEC has found violations of the FCPA in circumstances where no underlying bribery has been alleged or where evidence of bribery was difficult to establish.
In this article we will examine these developments, and consider the lessons to be learned and the practical steps companies might take in response.
“Creating a risk”
The SEC has been increasingly using the FCPA’s books and records and internal controls provisions to bring enforcement actions where evidence of bribery is lacking. The SEC started developing a new “creating a heightened risk” standard to bring enforcement action against companies under the FCPA as early as 2012. During that year the SEC charged Oracle with violations of the FCPA for failing to prevent an overseas subsidiary from setting aside off-the-books money and using the funds to make unauthorised payments to certain vendors in India. A number of these payments were also documented with fake invoices. In developing a new threshold for books and records violations, the SEC found that Oracle’s Indian subsidiary’s use of secret cash and its failure to accurately record the off-the-books funds “created the potential that they could be used for bribery or embezzlement” [emphasis added] and therefore violated the FCPA. However, no actual evidence of bribery was cited in the settlement documents. Oracle agreed to pay a USD2 million penalty to settle the SEC’s charges.
The SEC’s “creating a risk” standard was seen again in May 2015 when the SEC announced that a multinational mining and resources company had agreed to pay a USD25m penalty to settle allegations that the company violated the books and records and internal controls provisions of the FCPA in connection with sponsoring foreign government officials to attend the 2008 Beijing Summer Olympics. In its order against the company, the SEC noted that inviting government officials to the Olympics created a “heightened risk” of violating anti-corruption laws and the company’s own compliance and ethics policies, and that the tailored internal controls developed and relied upon by the company were insufficient to mitigate that risk. As a result, the company’s controls around its Olympics hospitality program were found to be lacking and resulted in violations of the FCPA’s books and records and internal controls provisions.
Further establishing that “creating a risk” of bribery is enough to violate the FCPA, the SEC announced an enforcement action against Mondelez International, Inc. (formerly known as Kraft) on January 9, 2017 alleging that Cadbury, a subsidiary of Mondelez, Inc., and its subsidiaries failed to conduct appropriate due diligence on and monitor the activities of its agent in India. According to the SEC, the lacking due diligence and internal controls “created the risk” that funds paid to the agent could be used for improper purposes or bribes. The SEC also alleged that Cadbury India’s books and records did not accurately reflect the agent’s services. The SEC cited no evidence that the funds were used to pay a bribe or that there were any accounting irregularities – Cadbury’s failure to conduct due diligence on the agent and to monitor the expenditure of the agent’s funds were enough for the SEC to find “a risk” of bribery. Mondelez agreed to pay a USD13m penalty for its controls failures.
All three cases show the creeping expansion of the SEC’s use of the FCPA’s books and records and internal controls provisions to bring enforcement actions where there is a risk of bribery. In the latter two cases, there were no accounting irregularities or allegations of bribery – lacking internal controls were sufficient to “create a risk” of bribery and therefore a violation of the FCPA.
Broader definition of “books, records and accounts”
Enforcement actions in recent years are also noteworthy for the adoption by the SEC of a broad definition of “books, records and accounts.” In the case against the multinational mining and resources company discussed above, the SEC noted that internal documents relating to the company’s hosting of customers at the 2008 Olympics formed part of the company’s books and records. In particular, the SEC noted that certain Olympic hospitality applications and forms “did not, in reasonable detail, accurately and fairly reflect [the company’s] pending negotiations or business dealings” with government officials invited to the Olympics.
According to the SEC, some hospitality applications described certain employees of state-owned enterprises as “customer” rather than “representative of government” and provided little detail of the company’s past and future dealings with the prospective guests. Based on the descriptions in the hospitality applications, the SEC alleged violations of the books and records and internal controls provisions, noting that the company did not devise and maintain adequate oversight or internal control mechanisms around the Olympic hospitality program that would have captured, for example, inaccurate descriptions on internal hospitality applications. The hospitality forms themselves were deemed “books, records and accounts” that violated the FCPA. The SEC’s allegations in this case did not relate to any accounting misrepresentations or how the hospitality applications may have impacted the company’s books and financial statements. Similarly, the SEC did not find any corrupt intent underlying the inadequate descriptions on the hospitality applications or link the hospitality program to any evidence of improper payments. Despite this, the SEC concluded that the company had violated the FCPA.
Absence of link to an improper payment
The SEC is also increasingly finding violations of the FCPA in the absence of any link to an improper or corrupt payment. In 2016, the SEC charged Las Vegas Sands, a Nevada-based owner and operator of casinos in Asia and the United States, with a USD9m civil penalty to settle alleged books and records and internal controls violations despite there being no evidence of any alleged bribery. The SEC found that the company failed to properly account for payments associated with a Beijing real estate project, a Macau ferry operator, and for a transaction to purchase a Chinese basketball team with the help of an agent. In the settlement documents, the SEC presented no evidence that the payments to the agent hired to assist with the transaction were used to obtain government approval for the acquisition of the team or amounted to an unauthorised payment. The improper accounting for payments to the agent and lacking internal controls were enough to violate the FCPA.
Practical Considerations for Issuers Arising Out of these Cases
While we wait to see the enforcement strategy of the SEC under a Trump administration, the increasing ease with which the SEC has been able to find a violation of the FCPA’s books and records and internal controls provisions in recent years demonstrates the potency of the provisions.
These cases also demonstrate the degree to which the SEC will inquire into the minutiae of the anti-bribery and corruption compliance program of a company under investigation for potential violations of the FCPA. Errors and oversights in the filling out of internal approval forms, even without corrupt intent, may be enough to violate the FCPA.
These enforcement actions serve as a reminder to issuers of the importance of designing and implementing an appropriate risk-based anti-bribery and corruption compliance program. Perhaps more importantly, they also remind companies to make sure that their compliance program is regularly reviewed, tested and enhanced in an effort to avoid inadvertently “creating a risk” of bribery as a result of a compliance program that is outdated or ill-designed to combat the bribery risks facing the company.
In particular, companies should consider the following:
Regular compliance program risk assessments are critical: Be aware of the importance of regular internal risk assessments designed to continuously improve, periodically test and review your compliance environment. Testing, reviewing and enhancing your compliance program is the best defense against a claim that it may be inadequate or “creates a risk” of bribery.
Importance of internal controls that can be audited against to test their effectiveness: Be aware of the need not just to develop and implement internal controls, but to develop internal controls that can be audited against to test their effectiveness. One of the best defenses against a charge of inadequate internal controls is to be able to place the results of testing and review of internal controls – and any remediation steps taken – in front of authorities.
Look to recent U.S. government guidance to understand how authorities will look at your compliance program and the questions they may ask in assessing its appropriateness: In February 2017, the Fraud Section of the U.S. Department of Justice (“DOJ”) published a new set of sample questions that it may ask in the course of evaluating the effectiveness of a corporate compliance program, titled “Evaluation of Corporate Compliance Programs.” While the new questions have not come from the SEC and are largely based on a number of pre-existing U.S. government publications and guidance documents, they do provide additional insight on various topics, including the DOJ’s view of what companies should be asking themselves when undertaking risk assessments and periodic reviews of their compliance programs.
The design and structure of your company’s anti-bribery and corruption compliance program can be an FCPA risk: The cases discussed in this article show that overseas subsidiaries, third party intermediaries, and corporate gifting and hospitality can be a source of bribery and corruption risk. Importantly, the cases also show that the design and structure of your anti-bribery and corruption compliance program can also present FCPA compliance risks. Companies should not just focus on external risks when conducting an anti-bribery and corruption risk assessment. Look at the workings of your internal risk processes and oversight mechanisms as well, as they will be a focus of U.S. authorities as much as external-facing risks.