Lexology GTDT Market Intelligence provides a unique perspective on evolving legal and regulatory landscapes. This interview is taken from the Anti-Corruption volume discussing topics including enforcement priorities, compliance programmes and individual vs corporate culpability within key jurisdictions worldwide.

GTDT: What are the key developments related to anti-corruption regulation and investigations in the past year in your jurisdiction, and what lessons can compliance professionals learn from them?

John E Davis: The United States continues to actively enforce laws prohibiting foreign bribery against both corporations and individuals, primarily through the US Foreign Corrupt Practices Act (FCPA) and laws against money laundering and certain types of fraud. As has been the case historically, US government investigations against companies continue to be resolved almost exclusively through negotiated settlements, and many actions against individuals also are concluded prior to any actual trial. These results are driven by the substantial leverage that the US agencies enforcing the FCPA (the US Department of Justice (DOJ) and US Securities and Exchange Commission (SEC)) can bring against both companies and individuals.

At the time of this interview, it is clear that the DOJ and the SEC under the Trump administration remain committed to an assertive anti-corruption enforcement programme under the FCPA, despite early concerns. In April 2017, the Attorney General observed in a speech that public corruption ‘increases the cost of doing business, and hurts honest companies that don’t pay these bribes’, in addition to ‘harm[ing] free competition, distort[ing] prices, and often lead[ing] to substandard products and services coming into this country’. He further emphasised that the DOJ ‘will continue to strongly enforce the FCPA and other anti-corruption laws’. Since that time, DOJ officials have repeatedly reinforced these messages. For example, in late July 2018, the DOJ official overseeing FCPA enforcement affirmed that ‘fighting corruption and ensuring a level playing field for law-abiding companies remains a significant priority for the [DOJ].’ Similarly, the SEC’s enforcement co-chair, in a speech marking the FCPA’s 40th anniversary in November 2017, stated bluntly: ‘Will the SEC continue to be committed to robust FCPA enforcement? My answer to that question is simple: Yes.’ Data on new FCPA investigations publicly disclosed by companies for the year 2017 supports these statements – the numbers remained consistent with reports tallied in the past few years. There has been some fall-off in these reported numbers in 2018 to date, though various unrelated factors could be affecting this data.

The main new development at the DOJ related to anti-corruption enforcement was the announcement in November 2017 of a new FCPA Corporate Enforcement Policy. That policy in part extended and codified the DOJ’s previously announced ‘pilot programme’, which was designed to encourage companies to voluntarily disclose potential FCPA violations to the US government. The policy promises a ‘presumption’ of declination of enforcement actions for all companies that disclose such violations – a presumption that may be overcome only if there are ‘aggravating circumstances’ that include involvement by executive management, significant profit earned from the misconduct, pervasiveness of misconduct within the company and criminal recidivism. The policy sets forth three conditions that companies must satisfy to be eligible for declination: voluntary self-disclosure, full cooperation with any government investigation, and timely and appropriate remediation. The policy contains detailed criteria for evaluating each of these three conditions. For the self-disclosure to be truly voluntary, it must be made ‘within a reasonably prompt time after becoming aware of the offense’, and ‘prior to an imminent threat of disclosure or government investigation’. Similarly, full cooperation requires timely disclosure of all facts relevant to the wrongdoing – including all facts gathered during any independent corporate investigation – as well as timely preservation of all relevant documents and data. True remediation requires the implementation of an effective compliance and ethics programme throughout the company and appropriate discipline of employees.

Qualifying for a declination under the policy does not necessarily allow a company to walk away from an FCPA investigation without consequences. First, the policy makes clear that a company will be required to pay ‘all disgorgement, forfeiture, and/or restitution resulting from the misconduct at issue’, which could result in significant penalties even if no criminal fines are imposed. Declinations decided pursuant to the policy are to be made public, which means that a company may still face public scrutiny into its conduct – though most public companies announce FCPA investigations when they disclose potential issues to the US agencies. And, as shown by the first formal closure of an investigation under the policy (Dun & Bradstreet in April 2018), a DOJ declination does not apply to SEC actions – in addition to US$6 million in disgorged profits, Dun & Bradstreet paid a US$2 million civil penalty to the SEC.

In May 2018, the DOJ announced a new policy directing its attorneys to coordinate with other enforcement authorities, both in the United States and abroad, with the aim of avoiding duplicative penalties for the same corporate misconduct. The policy recognises the rule-of-law and fairness implications of subjecting a company to uncoordinated enforcement actions by multiple authorities – sometimes referred to as ‘piling on’ – and seeks to provide greater predictability and certainty to companies considering a resolution with multiple agencies. The relevant factors largely codify existing DOJ practices and considerations, explicitly mandating coordination with US federal and state agencies and enforcement authorities in other countries and directing DOJ attorneys to ‘consider all relevant factors’ in determining the appropriateness of enforcement methods and the apportionment of penalties for the same conduct among multiple authorities. While the case-by-case application of relevant factors and imposition of penalties largely remains at the discretion of prosecutors handling a given investigation, the articulation of these principles as a formal DOJ policy offers a greater level of certainty to companies facing parallel enforcement by the DOJ and other enforcement authorities, particularly outside the United States. However, the policy also adds to existing pressures on companies to disclose issues to and cooperate simultaneously with the DOJ and foreign enforcement authorities, with the consequent imposition of significant extra costs and risks.

On the SEC side, perhaps the most significant development was the June 2018 Supreme Court decision in the case Lucia v SEC, which ruled that the agency’s current bench of administrative law judges (ALJs) was not appointed according to the standards of the US Constitution. The Lucia decision endangered thousands of outcomes decided by these ALJs, including FCPA-related cases, because the Court determined that the appropriate remedy for all such defendants was a new hearing before a constitutionally-appointed ALJ. Indeed, the Court further noted that, at least in Mr Lucia’s case, that hearing could not be conducted by the same ALJ as before, even if that ALJ were to be reappointed in a proper manner. In the wake of this decision, the SEC announced that it was staying all pending administrative proceedings. After two months, the SEC lifted the stay and ordered that all respondents with cases before an ALJ or the Commission itself ‘be provided with the opportunity for a new hearing before an ALJ who did not previously participate in the matter’. The order also reiterated the SEC’s earlier ratification of its ALJs’ appointments. In July 2018, President Trump issued an executive order that attempted to forestall similar constitutional challenges to ALJs across the US federal government.

In addition, we are seeing some effects from the June 2017 US Supreme Court case Kokesh v SEC, which held that the five-year statute of limitations applies not only to civil penalties imposed under the FCPA, but also to the disgorgement of profits gained from such illegal activities. An SEC enforcement official told the US Congress in May 2018 that the decision had affected the agency’s ability to collect some US$800 million in disgorgement since the case was handed down (though this figure covers a broader spectrum of SEC cases than those dealing with public corruption). Along with other factors, the case is likely driving the SEC’s efforts to speed up FCPA investigations. The SEC’s co-director of enforcement reiterated in a November 2017 speech that his agency was ‘redoubling our efforts to bring cases as quickly as possible’, an approach that ‘makes sense because our cases have the highest impact, and our litigation efforts are most effective, when we bring our cases close in time to the alleged wrongful conduct’. Another SEC official affirmed in July 2018 remarks that Kokesh was ‘helping’ the agency move quickly on investigations. At the same time, the SEC has clearly signalled its view that Kokesh does not extend to claims for injunctive relief, and thus that the agency still has tools to address corrupt and other improper conduct that is more than five years old.

With regard to anti-corruption laws applicable to US federal and state officials, the 2016 US Supreme Court decision that overturned the corruption-related conviction of former Virginia governor Robert McDonnell continues to have significant effects. That case makes it more difficult for prosecutors to build and win cases that do not have evidence of an explicit agreement by the official to use his or her position in return for benefits. The Court’s decision has been criticised as having the effect of undermining public confidence in the accountability of elected officials – a concern that has been heightened by multiple instances of courts overturning previous corruption-related convictions of public officials, including those of two former high-level New York state legislators and former US Congressman William Jefferson of Louisiana. The challenges of pursuing public corruption cases under the Court’s announced standards were further illustrated at the trial of current US Senator Robert Menendez of New Jersey on 14 corruption-related counts related to gifts, travel and donations from a Florida physician allegedly in return for intervening on behalf of the donor’s business and personal interests. The trial, which began in September 2017, ended on 16 November 2017 when the judge declared a mistrial after the jurors announced they were unable to reach a unanimous decision. Prosecutors decided not to bring a new case.

US enforcers have continued to have some successes in prosecuting public corruption by US officials, including a guilty plea reached in the middle of the October 2017 trial of former Philadelphia District Attorney Seth Williams that resulted in Mr Williams being given a five-year prison term for accepting gifts and travel from businessmen in exchange for his intervention in a criminal case and other actions. It is also noteworthy that in at least two recent FCPA-related prosecutions of individuals, the courts ruled against defendants’ arguments that the McDonnell standard invalidated the cases against them.

As to lessons from these and other developments in the enforcement landscape, it bears repeating, first, that the US remains committed to investigating and punishing public corruption. Barring the heights reached in 2016, resolved enforcement actions in 2017 and the first half of 2018 generally are on pace with the trends of the past 10 years. As mentioned, the business-friendly nature of the current US administration has not affected these efforts – though the new DOJ policies discussed above are designed to address long-standing complaints from the US business community regarding the certainty of benefits for companies that make voluntary disclosures and the fairness issues related to multi-agency actions.

Investigations and enforcement resolutions continue to cover various industries, including, for example, healthcare, telecoms, retail, business intelligence, manufacturing, shipyard operations, mining, oilfield services and financial institutions. Recently announced investigations involve companies ranging from specialty chemicals firm Albemarle Corporation to specialised electronics and systems manufacturer OSI Systems. And it is not just US companies that are targeted – non-US companies (often listed on US exchanges) have been the subjects of some of the largest FCPA-related settlements. Recent examples include Telia (Sweden), SBM Offshore (Netherlands), Keppel Offshore & Marine (Singapore), and Société Générale (France). Finally, several companies have announced large financial reserves related to anticipated FCPA-related resolutions in the future, including US retailer Walmart (US$283 million) and German medical company Fresenius (US$246 million).

The US agencies continue to target corrupt activities around the world, though data show that business activities in China are the most frequently involved in public resolutions. The 34 resolutions involving China since 2010 constitute close to a quarter of the combined corporate FCPA actions during that period (recent cases involve dispositions with Credit Suisse and Dun & Bradstreet). Indeed, in August 2017 it was reported that a major state-owned Chinese company, China Petroleum and Chemical Corp (Sinopec), was itself under FCPA investigation related to its activities in Africa. The countries other than China most frequently involved in FCPA enforcement actions over the past six years are Russia, Indonesia, India, Mexico and Argentina, each of which has served as a setting for seven or more resolved enforcement actions since 2010. The past year and a half has seen Brazil make this list, owing to several cases that were outgrowths of the ongoing Operation Car Wash. Several recent FCPA cases also reinforced the corruption risks present in West and North Africa.

The FCPA Corporate Enforcement Policy reinforces the importance for companies to weigh the benefits and risks of voluntary disclosure of potential FCPA-related issues to the DOJ (and, in parallel, to the SEC if the company is a US issuer). The policy also emphasises the need for full cooperation with any government investigation, which can trigger significant costs and, increasingly, can involve providing information to multiple authorities in different countries.

On the US domestic side, prosecutors continue to prioritise cases against executive branch officials and members of Congress (such as Senator Menendez and several congresspersons currently under investigation), though federal cases against state officials have also received significant attention (as exemplified by the Williams case and a recent case against the former chairman of the Port Authority of New York and New Jersey in relation to his pressuring United Airlines to implement a special flight route to his vacation home in exchange for official action). The McDonnell standard will remain a challenge for prosecutors bringing such cases, although not necessarily an impossible one. Indeed, the Menendez trial resulted in a ruling by the federal district judge overseeing the case that the McDonnell case does not invalidate a commonly used prosecutorial argument in public corruption cases – that a steady flow of gifts or favours (a ‘stream of benefits’) can add up over time to establish an improper quid pro quo linked to official acts by a defendant.

In August 2018, US senator Elizabeth Warren proposed sweeping legislation designed to address what she stated was public ‘corruption’ in the form of lobbying, corporate donations and related activities that are currently legal under US law. This proposal came in the wake of high-profile fraud convictions and admissions by persons who have been close to the current US President. While it is unclear whether this bill or similar legal reforms will move forward, these proposals are part of a political discussion in the United States about corruption, integrity and transparency in government that has not occurred with such intensity since the Watergate era of the mid 1970s. The US FCPA arose from the fallout of corporate disclosures related to that scandal.

“It bears repeating that the US remains committed to investigating and punishing public corruption.”

GTDT: What are the key areas of anti-corruption compliance risk on which companies operating in your jurisdiction should focus?

JED: First and foremost, companies subject to the FCPA need to be aware of the potential worldwide reach of the law over corporate activities. The agencies responsible for enforcing the FCPA push the limits of the jurisdictional provisions, and in settlements with corporations have used the peripheral involvement of US banks or dollar-based transactions, or emails routed through US-based servers, to reach transactions that otherwise have no US contacts. A still-relevant example of this was the July 2015 resolution with Louis Berger International.

Another area of focus should be identifying and analysing the US agencies’ assertive positions regarding the scope and meaning of key, but sometimes vaguely defined, legal concepts in the FCPA. One example that has played out publicly over the past several years involves the definition of a government ‘instrumentality’ – essentially, whether employees of state-owned enterprises or other entities qualify as foreign officials subject to the strictures of the FCPA. A number of challenges to the DOJ’s expansive and multipronged approach to this issue have ultimately been turned back by the US courts. The November 2017 SBM case serves as an example of the breadth of who qualifies as a foreign official – an employee of an Italian oil and gas company that served as the operator of a project for a state-owned Kazakh gas company was deemed to be an official because he was ‘acting in an official capacity’ for the state instrumentality. Compliance professionals need to account for these broad definitions when addressing specific compliance risks.

Perhaps the most challenging set of FCPA compliance risks involves the actions of third parties with which a company has a relationship, including sales representatives, joint-venture partners, consultants, distributors, agents and vendors. Data we have analysed show that close to 75 per cent of FCPA cases in the past 10 years involve corporate liability for actions by third parties. Resolutions in 2017 and 2018 that have involved such liability include those with Telia, SBM, Keppel Offshore, Panasonic, Dun & Bradstreet and Société Générale. This trend is driven by the FCPA’s provision stating that payment to a third party with ‘knowledge’ that the payment will be passed on to an official is a violation of the statute. The agencies have adopted an expansive definition of ‘knowledge’ that goes beyond actual knowledge to cover ‘conscious disregard’ of information showing corruption risks. The best illustration of this interpretation is the 2009–2012 case against Frederic Bourke (US v Kozeny), in which a jury convicted Mr Bourke of conspiracy to violate the FCPA using the conscious disregard standard. Appropriate, risk-based compliance policies, procedures and internal accounting controls related to due diligence on, contracting with, and monitoring and auditing of third parties are critical to remediating this key area of risk.

Inadequate internal accounting controls and violations by public company employees of the books and records provisions are another key area of FCPA risk. The relevant statutory requirements apply to all areas of corporate conduct (and there have been hundreds of non-bribery cases involving these controls). However, in the FCPA area, the SEC uses the broad reach of these requirements – issuers are responsible for worldwide compliance with these requirements by almost all subsidiaries – to penalise corrupt activities that may fall outside the DOJ’s criminal jurisdiction or that do not meet all of the elements of an anti-bribery violation.

Recent examples include 2018 settlements involving Elbit and Kinross. Compliance professionals should work closely with their finance and accounting function counterparts to ensure that the relevant controls are consistent with the company’s compliance processes and that business transactions are accurately recorded in the company’s records.

US domestic bribery laws and enforcement actions often focus on the specific and complex rules that govern executive branch employees; often these cases are combined with allegations of violations of detailed government contracting requirements. As mentioned, there are also prosecutions on the Congressional side, though the rules governing lobbying, gifts or entertainment and public disclosure requirements are sometimes drastically different from those for executive branch personnel. Close coordination with a company’s US lobbying and government relations functions and advice from experienced counsel on these rules are required to manage these risks.

GTDT: Do you expect the enforcement policies or priorities of anti-corruption authorities in your jurisdiction to change in the near future? If so, how do you think that might affect compliance efforts by companies or impact their business?

JED: I do not expect a fundamental change in enforcement practices or priorities to take place. The pace of announced FCPA-related resolutions by the DOJ and SEC can vary over time, and during some periods can seem to drop off. However, that pace is driven by a number of factors, many of which are case-specific. Thus, it would be a mistake to assume that any apparent slowdowns (such as those that occurred in the middle two quarters of 2017 and the first quarter of 2018) signal a slowdown in investigations or a significant redirection of FCPA enforcement resources. Unlike some other areas of US law, FCPA enforcement enjoys strong bipartisan political support and for many years has not been subject to changes in political control over the US government. The signs of the Trump administration’s continuing commitment to FCPA investigations discussed in this and other answers bear this out.

Historically, FCPA investigations by the SEC and DOJ have tended to be lengthy affairs, lasting years and, in a few cases, upwards of a decade. In April 2017, a senior DOJ official announced that the Department is ‘making a concerted effort to move corporate investigations expeditiously’ and to close out longer-running cases. As mentioned, the SEC also has made this a priority. Recent case outcomes show this focus in action – for example, all four of the corporate enforcement actions announced in the second quarter of 2018 arose out of investigations that were launched as early as 2012 and that involved conduct that took place before 2014. The stated overall goal of both agencies is to substantially shorten the length of FCPA investigations and their associated costs and uncertainties. It is still too soon to see whether and how these goals will be achieved.

In late July 2018, a senior DOJ attorney announced in a speech that the DOJ ‘would like to do better . . . with regard to mergers and acquisitions [M&A], particularly when such activity relates to high-risk industries and market[s].’ Noting that a compliant acquiring company can assist with ‘uncover[ing] wrongdoing’ and ‘applying strong compliance practices to the acquired company’, the DOJ official stated that ‘we intend to apply the principles contained in the FCPA Corporate Enforcement Policy to successor companies that uncover wrongdoing in connection with mergers and acquisitions and thereafter disclose the wrongdoing and provide cooperation’ in any resulting DOJ investigation. Presumably, any companies seeking to benefit from this policy would also have to show that they will implement rigorous compliance policies and controls at the successor company. It is too early to tell how this announcement might affect the various calculations that companies have had to make in managing anti-corruption risks in M&A scenarios, but this development should be monitored.

Finally, the DOJ remains committed to the Kleptocracy Asset Recovery Initiative (the Kleptocracy Initiative), which since 2010 has targeted the ill-gotten gains of officials who have received corrupt payments. While most FCPA enforcement focuses on the ‘supply’ side of corruption, the Kleptocracy Initiative focuses on the ‘demand’ side (indeed, the DOJ in 2016 stated that the FCPA enforcement programme and the Initiative were ‘two sides of the same anti-corruption coin’). The Initiative involves cooperation by US authorities with multiple jurisdictions to trace and seize corruption-tainted assets. In June 2017, for example, the DOJ filed a forfeiture action to recover of approximately US$540 million in assets associated with what it called ‘an international conspiracy to launder funds misappropriated from [the] Malaysian sovereign wealth fund’ 1MDB, carried out by ‘high-level officials’ of that fund. The US Attorney General highlighted his strong support for this case in remarks delivered in December 2017. The initiative has had mixed success, and the policy implications of returning funds to governments that are widely considered to be institutionally corrupt are not fully resolved. The impact of these efforts on companies can occur in several ways; for example, companies under investigation might be expected to cooperate in efforts to trace tainted assets or funds, creating additional costs. The cooperation among agencies across jurisdictions could also give US authorities access to evidence of wrongdoing by company employees that otherwise might be beyond US reach.

GTDT: Have you seen evidence of continuing or increasing cooperation by the enforcement authorities in your jurisdiction with authorities in other countries? If so, how has that affected the implementation or outcomes of their investigations?

JED: The US agencies have actively pursued cooperation with other enforcement authorities in the past several years, and multinational investigations remain a priority under the Trump administration. Cooperation is managed through bilateral mutual legal assistance treaties and through the assistance provisions of treaties such as the OECD Anti-Bribery Convention. Often, though with lessening frequency, the US authorities take the lead in coordinating these efforts.

The DOJ and SEC have a long track record of coordinating their investigations, enforcement and penalties under the FCPA. The coordination of anti-corruption enforcement among authorities outside of the United States is a more recent, but growing, trend, with global settlements becoming a standard component of the DOJ’s and SEC’s approach to anti-corruption enforcement. The rise in coordination between the DOJ, SEC and foreign enforcers, particularly since 2016, is evidenced in part by the EmbraerRolls-RoyceOdebrecht/BraskemTeliaSBMKeppel Offshore, and Société Générale enforcement resolutions, with the companies’ global penalties ranging from US$200 million to over US$3 billion.

DOJ personnel have repeatedly asserted that international cooperation and global dispositions of corruption-related investigations are an important enforcement goal. The Deputy Attorney General reiterated this in May 2018 when he announced the DOJ’s policy on enforcement agency coordination. Another DOJ official noted in late July 2018 that, while the US ‘will go after’ public corruption within the boundaries of the FCPA’s broad jurisdiction, ‘it’s better for all of us if everyone prosecutes their cases at home’ in a coordinated effort. Similarly, in early September 2017, the SEC Chair reiterated the agency’s commitment to the ‘pursuit of international corruption’, which he noted was no longer a ‘unilateral exercise’. He implied that the growth of international cooperation has ‘change[d] the dynamic substantially’ and has addressed some of the concerns he had voiced while in private practice in 2011 regarding FCPA enforcement. Other SEC officials have confirmed this view in more recent remarks in various settings.

The December 2016 global settlement by the Brazilian conglomerate Odebrecht and its petrochemical subsidiary Braskem that resulted in the companies agreeing to pay more than US$3.5 billion in combined penalties to Brazilian, US and Swiss authorities signals the extent to which global investigations and settlements are becoming the norm for the DOJ and SEC. DOJ officials continue to cite the case in 2018 as the ‘gold standard’ for multinational anti-corruption cooperation. Apart from its record-breaking size (which was tied to the fact that the improper payments paid by the companies totalled more than US$1 billion), the case is notable in that the Brazilian prosecutors took the lead – unsurprising, as the case is linked to the larger Operation Car Wash investigation, which has gripped Brazil since 2014. The allocation of the combined penalties among the enforcement agencies reflects this: between 70 per cent and 80 per cent of the penalties went to Brazil, and in the aftermath of an April 2017 court decision, the US agencies received the smallest portion of the actual criminal penalties. In early October 2017, the Trump administration’s nominee for Assistant Attorney General of the DOJ’s Criminal Division, who oversees FCPA prosecutions, cited the Odebrecht/Braskem case as a model for the types of cases he would pursue (he was ultimately confirmed to this position in July 2018).

Other notable recent examples of cases involving multinational cooperation by the US agencies that involved substantial penalties paid to non-US agencies include the January 2017 settlement of an international investigation of Rolls-Royce that involved US, UK and Brazilian enforcement agencies; the September 2017 resolution of the investigation of Telia by US, Dutch and Swedish authorities; the December 2017 disposition of the investigation of Keppel Offshore by US, Brazil and Singapore authorities; and the June 2018 settlement with Société Générale involving US and French agencies. In all of these cases, the non-US agencies took a large share of the total penalties collected. For example, in Keppel Offshore, which was yet another offshoot of Operation Car Wash, Brazil took 50 per cent, while the United States and Singapore each took 25 per cent. In Société Générale, the US and French agencies effectively split the corruption-related penalties 50–50. This trend is likely to continue, and has been cited as an incentive for other countries to continue to conduct ‘home-grown’ anti-corruption investigations in coordination with the US agencies.

The US authorities’ encouragement of coordinated multinational investigations could come into conflict with their goal of resolving investigations faster. Coordination among various agencies in different countries can be challenging, especially with entities that are less experienced in investigation techniques or that operate under different legal systems. In addition, legal and regulatory developments in several countries that are involved in anti-corruption cooperation efforts with the US authorities are likely to create additional challenges for multinational enforcement and for companies’ internal investigations, which are often a critical factor in advancing resolutions to conclusion. The EU’s new General Data Privacy Regulation (GDPR) may well create additional time-consuming hurdles to accessing witnesses and documents in key jurisdictions outside the United States. The GDPR joins other existing national data privacy and national security-based restrictions on access to information in various countries that have been involved in past FCPA-related enforcement actions, such as Russia and China. In addition, recent cases in the United Kingdom and Germany have created a wider gulf between the treatment of attorney–client privilege in the United States and in Europe (though the decision in SFO v ENRC was reversed in September 2018), which may well affect the coordination of internal investigations by companies.

Multinational cooperation often increases the complexities and costs of any investigation for companies, and can create difficult dynamics, as the laws in different investigating jurisdictions are sometimes at odds regarding issues such as the extent of attorney–client privilege or the applicability of data privacy rules. Cooperation also allows US and other authorities to share evidence that might not be within reach of one or the other agency, which can expose companies to liability based on conduct that might not otherwise have been discovered. Companies therefore need to base important compliance decisions, such as whether or not to disclose a potential FCPA violation, in part on the possibility of cooperation among possibly several interested investigating jurisdictions.

GTDT: Have you seen any recent changes in how the enforcement authorities handle the potential culpability of individuals versus the treatment of corporate entities? How has this affected your advice to compliance professionals managing corruption risks?

JED: The DOJ and SEC are continuing to target individuals aggressively, with a focus on identifying the highest-level company personnel who can be deemed responsible for improper payments or related wrongdoing. According to the enforcement plan of the DOJ’s Fraud Section, various policies and initiatives are designed to enhance the DOJ’s ability to ‘prosecute individual wrongdoers whose conduct might otherwise have gone undiscovered or been impossible to prove’. The DOJ’s emphasis on individual prosecutions was a centrepiece of the now-superseded 2015 Yates Memorandum, and was recently reinforced by the FCPA Corporate Enforcement Policy and statements from senior agency officials.

The SEC also continues to focus its efforts against culpable individuals. In early September 2017, the SEC’s co-director of enforcement stated that the SEC is ‘incredibly focused’ on the liability of individuals across the enforcement spectrum, including with regard to the FCPA; she noted that individuals had been the subjects of over 70 per cent of the agency’s disposition in the past five years, and that the agency intended to continue this approach.

The year 2017 was unusually active for FCPA-related enforcement activity against individuals, largely driven by individual charges filed and convictions obtained by the DOJ. Specifically, the DOJ brought charges against 17 individuals, its highest number since 2009, and successfully reached guilty pleas or jury convictions for 13 individuals, its highest number ever in a single year. Eight of these charges and seven of these convictions were for individuals associated with companies subject to parallel investigation and settlements by the DOJ in 2016 or 2017. The year 2017 was also the third consecutive year that the number of individuals charged and the number of individuals actually convicted increased year over year. Trends this year show no sign of slowing the pace, as the DOJ had announced guilty pleas by 10 individuals by the end of July.

The FCPA Corporate Enforcement Policy defines cooperation (a required element for a company to receive a declination) as including the provision to the DOJ of ‘all facts related to involvement in the criminal activity by the company’s officers, employees, or agents’ and strong company efforts to make available ‘those company officers and employees who possess relevant information’ for any interview requested by the DOJ. This requirement explicitly includes officers and employees located overseas, officers and employees no longer associated with the company, and ‘agents’ of the company – the last two categories obviously being persons over whom the company may not have complete control. The DOJ has emphasised that it does not expect companies to specify or allege whether individual employees are criminally or civilly liable; instead, companies merely ‘give [DOJ] the facts’. These cooperation obligations require compliance professionals and their counsel to consider risks related to attorney–client privilege (and possible waiver thereof), data privacy rules, and the applicability (and limits) of directors and officers insurance when evaluating a company’s position in an investigation.

GTDT: Has there been any new guidance from enforcement authorities in your jurisdiction regarding how they assess the effectiveness of corporate anti-corruption compliance programmes?

JED: The past three years have seen renewed focus by the DOJ and SEC on the effectiveness of corporate compliance programmes. The state of a company’s compliance programme factors into penalty guidelines and the discretion that the agencies have to negotiate dispositions of investigations. Both US agencies have issued guidance regarding what they consider to be the key elements of a corporate FCPA compliance programme – as part of the November 2012 FCPA Resource Guide and as annexes to individual disposition documents. In November 2015, the DOJ retained its first ‘compliance expert’, a former compliance executive at multiple companies (and former US prosecutor). The expert’s job was to assist with the DOJ’s assessment of compliance programmes during disposition negotiations and to advise on compliance issues that arise during periods set by disposition agreements while a company is effectively ‘on probation’.

In February 2017, the DOJ issued a guidance document titled ‘Evaluation of Corporate Compliance Programs’. This guidance was designed by the DOJ’s compliance expert to help companies evaluate the robustness of their compliance programmes by reciting a series of questions focusing on various programme elements – likely the same questions the DOJ would ask when reviewing whether a company’s compliance programme is effective under the penalty guidelines or when considering whether an independent compliance monitor is required. The guidance does not provide benchmarks, but its questions are useful for evaluating new compliance programmes or considering enhancements to existing ones. The DOJ’s compliance expert resigned her position in June 2017; while the Department has indicated a desire to name a replacement, it is unclear over a year on as to when that will occur and whether further programme guidance or benchmarks will be issued in the near future.

The FCPA Corporate Enforcement Policy’s definition of timely and appropriate remediation by companies for past actions includes the implementation of an effective compliance and ethics programme. The policy lists several basic criteria for such a programme, noting that the programme elements ‘may vary based on the size and resources of the organization’. Notable on the list are requirements related to a company’s culture, resources dedicated to compliance, the quality and independence of compliance personnel, the effectiveness of a company’s risk assessment processes and responses to them, and the periodic auditing of a programme’s effectiveness. However, those looking for detailed guidance on these elements are better served by reviewing the other DOJ and SEC documents that I have discussed.

GTDT: How have developments in laws governing data privacy in your jurisdiction affected companies’ abilities to investigate and deter potential corrupt activities or cooperate with government inquiries?

JED: US data privacy laws generally are less stringent than such laws in Europe, Russia and the former Soviet Union, and China. The primary challenge for companies subject to the FCPA is complying with host country restrictions on information-sharing and data processing while simultaneously being able to access compliance-sensitive company information when needed to operate compliance programmes, conduct internal investigations of allegations of misconduct, or respond to requests or demands for information by enforcement authorities.

The entry into force of the EU’s GDPR in May 2018 presents significant challenges to multinational companies’ handling of a wide variety of data. The new regulation is more restrictive than previous EU rules and will likely have a significant impact on the way that cross-border internal investigations and multi-jurisdictional agency enforcement actions are conducted. A detailed discussion of the GDPR is beyond the scope of this question, but several points are worth noting.

One of the most significant facets of the GDPR is its reach. First, the regulation seeks to protect the ‘personal data’ of individuals who are physically in the EU, and therefore applies to more than just EU citizens and residents by reaching out to give rights to anyone who is in the EU, even temporarily, and who has personal data in the EU that an entity wants to access. Second, the types of data protected are defined broadly to include any information related to a natural person that can be used to either directly or indirectly identify him or her, and go well beyond what information had been protected by prior data privacy laws. A third important aspect of the GDPR is its territorial scope: the regulation seeks to control the activities of any companies or other entities that want to access, use, store or otherwise ‘process’ the personal data of individuals who are in the EU, no matter where the company is operating or where the processing would take place. The regulation also continues to restrict the ability of companies or other entities to transfer such data outside of the EU. As a result, the GDPR essentially affects any company anywhere in the world that wants to access or process the personal data of EU data subjects.

Processing of personal data may only occur under a strict set of circumstances and only for a clearly articulated and legal purpose, and must be limited to only what is necessary to fulfil the legal basis for the processing. The purposes most applicable to internal and cross-border investigations include processing that is necessary for a contract with a data subject, necessary for the company ‘controller’ to comply with EU law or for the controller’s ‘legitimate interest’. This last purpose (a legitimate interest) is, on preliminary review, the most potentially useful legal basis available to most companies conducting investigations. Companies may argue that they have a legitimate interest in investigating, stopping or preventing possible corruption, or addressing internal compliance issues. The fact, however, that such investigations and related legal advice may result in a company decision to cooperate with a US or other country enforcement action to minimise or possibly eliminate criminal liability and any commensurate financial penalty can create significant complications for the company’s obligations to comply with the GDPR.

Indeed, the FCPA Corporate Enforcement Policy’s requirement that a company produce all relevant documents, including overseas documents, on its face creates a clear conflict with the GDPR’s restrictions on the processing and disclosure of EU data subjects’ personal data. And the penalties for violations of or non-compliance with the GDPR are severe: up to 4 per cent of a company’s global annual revenue or €20 million, whichever is greater. company deciding whether to provide documents and data to the US government therefore faces a dilemma – those wishing to benefit from the DOJ policy must balance the benefits of a potential declination or a reduced financial penalty with the risk of significant fines under the GDPR. The DOJ policy places the burden on the company to justify its argument that it cannot disclose documents, and the company must show specific efforts to identify all available legal avenues to locate and produce relevant material. Companies and their external counsel will be challenged to think creatively about how to collect and produce information sufficient to obtain cooperation credit from the DOJ, while minimising the risks of liability under the GDPR.

More generally, compliance professionals working for companies subject to the FCPA should work closely with data privacy experts in each operational jurisdiction around the world to craft solutions that give appropriate access and comply with data privacy protections or other legal restrictions on information access. The US authorities are aware of and sensitive to these issues but are also wary of companies using data privacy and related laws to avoid full cooperation with investigations. Companies that have plans in place to address these issues are more likely to be considered to be acting in good faith when the inevitable conflicts of legal requirements arise.

The Inside Track

What are the critical abilities or experience for an adviser in the anti-corruption area in your jurisdiction?

Much of the key knowledge needed to give FCPA advice lies outside the normal legal sources and methods – there are very few adjudicated cases, no substantive regulations and the enforcement agencies traditionally have been opaque regarding their investigation and charging decisions. Thus, the best adviser combines extensive experience managing government and internal investigations with expertise in analysing and addressing the varied compliance issues actually faced by companies. Because the agencies have considerable leverage over companies that are targets of investigations, counsel must be able to gain the trust of the enforcement personnel while advocating appropriately on behalf of clients.

What issues in your jurisdiction make advising on anti-corruption compliance unique?

US domestic bribery laws are a patchwork that sometimes can create compliance contradictions. Analysing specific issues requires identifying whether federal or state laws control, the identity and position of any official within government (so that the right regulations can be reviewed), and the company’s own classification under those rules. For example, the rules on gifts and disclosures are different depending on whether a company is US-based or, perhaps, a ‘foreign agent’. More stringent rules can apply to government contractors. These rules are sometimes subject to different sets of court precedents or administrative guidance, some of which can be inconsistent.

What have been the most interesting or challenging anti-corruption matters you have handled recently?

We represented VimpelCom Ltd (now VEON) during investigations by US and Dutch enforcement authorities that were resolved February 2016. Because the company directed and supported actions ultimately acknowledged by the agencies as constituting extraordinary cooperation, the company was able to negotiate a resolution in two years (the average investigation lasts over four years), with penalties that represented substantial reductions from what relevant guidelines allowed. In 2017, I was appointed as an independent compliance monitor by the DOJ and SEC in accordance with an FCPA resolution, a project that is ongoing in 2018. Monitor engagements require efficient yet comprehensive reviews of corporate compliance programmes and internal controls, and the exercise of independent judgement in balancing the goals of the company and the agencies.