This alert, the sixth and final in our series addressing the Resource Guide to the U.S. Foreign Corrupt Practices Act (available here) that was jointly released by the Department of Justice ("DOJ") and Securities and Exchange Commission ("SEC") on November 14, 2012, provides: (1) a summary of DOJ and SEC’s expectations for companies in identifying and responding to red flags; (2) recommended steps before a red flag is raised; and (3) recommended actions in responding to a red flag.
Prior Issues in this Series
Issue 1 – Top DOJ Official Elaborates on New FCPA Resource Guide
Issue 2 – Elements of Compliance Programs
Issue 3 – Relationships with Third Parties
Issue 4 – Gifts, Hospitality and Entertainment
Issue 5 – Mergers, Acquisitions and Joint Ventures
Identifying and Responding to Red Flags
DOJ and SEC emphasize in the Guide that an effective compliance program should include a mechanism for the confidential reporting of suspected or actual misconduct, along with "an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response" to the allegation. In weighing the adequacy of a company’s response to alleged violations, DOJ and SEC "place a high premium" on voluntary disclosure, cooperation and "meaningful" remedial measures.
Guidance based on Enforcement Declinations
Although the Guide does not reveal exactly how much credit a company will receive for its actions in response to a red flag, it does offer a rare glimpse into DOJ and SEC's expectations through the inclusion of six declinations, which customarily are not publicized. DOJ and SEC cite some of the following response steps as reasons for the declinations:
- Improper payments detected in advance by company’s internal controls and investigated by Audit Committee;
- Undertook thorough internal investigation;
- Immediately stopped misconduct;
- Terminated employees involved;
- Severed ties with third-party agents;
- Withdrew potentially tainted contract bid;
- Terminated law firm in foreign locale providing improper advice;
- Voluntarily disclosed investigation and red flag to DOJ and/or SEC;
- Substantially updated compliance program (e.g., improved training program); and
- Developed plan to investigate and remediate subsidiary's red flags post-acquisition, and integrate subsidiary into compliance program (in M&A context).
Before a Red Flag Arises – Action Items
A company should prepare for problems in advance by considering the following action items:
- Implement an Effective Compliance Program. In addition to helping to prevent and more quickly detect problems, the existence and strength of a company’s pre-existing compliance program will be a key factor in whether DOJ and SEC decide to bring an enforcement action against a company.
- Enable Confidential Reporting. Companies should consider establishing a mechanism for two-way confidential reporting through, for example, an ethics line answered by a person, email address or the company’s intranet.
- Develop a Well-Rounded Response Team. A company can avoid many of the pitfalls that often occur during an internal investigation by identifying and readying internal resources that will often be quickly needed when a problem occurs (e.g., legal, compliance, finance, operations and internal audit, as necessary).
- Identify Outside Anti-Corruption Counsel and Foreign Local Counsel. By identifying external resource options (and sometimes retaining them) in advance, companies can better compare suitability, cost-effectiveness and fit, rather than rushing to identify, hire and integrate outside counsel in the midst of a crisis.
- Establish and Update Incident Response Plan. Developing a response plan in advance will help a company identify, consider and better prepare for contingencies, improve its response time and increase the cost-effectiveness of a response.
Responding to a Red Flag – Action Items
A company assessing how to respond to an alleged violation should consider the following action items:
- Evaluate the Big Picture and Scale Response. Companies should develop a risk-based strategy and consider execution practicalities at the outset of their response.
- Establish and Protect Legal Privileges. A company should involve in-house counsel as soon as the company becomes aware of a potential problem so that legal privileges can be quickly applied. Failure to do so can result in all aspects of the company’s response being subject to disclosure to the government and future civil litigants.
- Conduct Internal Investigation. A company should investigate red flags and reports quickly and thoroughly while being mindful of the need to protect the attorney-client privilege, preserve data and document its efforts.
- Stop Questionable Activities. Companies should act quickly to identify and halt any questionable business practices. Companies should discipline any culpable employees, replace responsible management and terminate tainted third-party relationships.
- Consider Self-Disclosure. In the Guide, DOJ and SEC repeatedly advise companies to self-report misconduct, including FCPA violations. In deciding whether to self-disclose, companies should consider a number of factors including the likelihood of the allegations being revealed through another means (e.g., whistleblower, press, industry-wide sweep, local enforcement action or SEC reporting obligations) and the cross-jurisdictional implications of self-disclosure.
- Update Compliance Program. As the Guide notes, "[c]ompanies will want to consider taking 'lessons learned' from any reported violations and the outcome of any resulting investigation to update their internal controls and compliance program and focus future training on such issues, as appropriate."