For 35 years, the U.S. government has enforced the Foreign Corrupt Practices Act (FCPA) while providing an incomplete picture of its views of either effective FCPA compliance or how certain key terms in the statute should be interpreted. This necessarily led to confusion among multinational corporations, who complained that this lack of certainty undermined their efforts to comply with the increasingly aggressive enforcement of the FCPA by the U.S. government.
On November 14, 2012, after more than a year of work, the DOJ’s Criminal Division and the SEC’s Enforcement Division issued their long-awaited Guidance.
In the press conference announcing the release, DOJ’s Lanny Breuer, Assistant Attorney General for the Criminal Division, said that the Guidance “does not represent a change in policy,” but rather is intended to give “others a window and greater guidance” as to the enforcement agencies’ policies. In the Foreword to the Guidance, the agencies correctly note that they have taken “a multi-faceted approach, setting forth in detail the statutory requirements while also providing insight into DOJ and SEC enforcement practices through hypotheticals, examples of enforcement actions and anonymized declinations, and summaries of applicable case law and DOJ opinion releases.”
The Guidance disappointed more than a few readers, in that it provides no bright-line rules or safe harbors. It also intentionally steers clear of many of the areas of ambiguity in the statute itself, thereby also leaving some of these areas, which never have been clarified by judicial review, unclear. Nonetheless, the Guidance provides an excellent overview of the DOJ and SEC’s view of the statute. Further, while the Guidance does not provide a model compliance program, it does enumerate a number of the broad themes that should be taken into account by companies seeking to manage the risk posed by the FCPA in their international operations. Companies will be well served to review their compliance policies and internal controls against the considerations that are laid out in the Guidance.
Below is our summary of what we consider to be the key aspects of this Guidance:
Enforcement Principles and Declinations
The Guidance summarizes the views of the DOJ and the SEC regarding how (and whether) they will act when initiating investigations of potential FCPA violations, bringing FCPA charges, and resolving FCPA issues at the time of settlement. The Guidance relies heavily on the DOJ’s well-established Principles of Federal Prosecution of Business Organizations and relevant provisions from the SEC’s Enforcement Manual. The Guidance emphasizes, however, that “both DOJ and SEC place a high premium on self-reporting, along with cooperation and remedial efforts, in determining the appropriate resolution of FCPA matters.”
In our view, one of the most interesting aspects of the Guidance is the selection of declination examples and the discussion of those declinations by the agencies. DOJ has not historically publicized cases where declination letters are issued and DOJ declined to prosecute. This has led some observers to wonder whether it ever makes sense to self-report because it has not been obvious that self-reporting consistently leads to lower penalties. Perhaps as a way of combating this notion, in the Guidance, the DOJ and SEC have provided six specific declination examples, which appear to be designed to convey four key themes to the public. These include:
- Diligence Leading to Discovery by the Company. In the examples provided, the companies discovered the potential FCPA violation in a diligent and timely manner and, in more than one case, the potential issue was identified and stopped before any bribes or payments were made.
- Swift Response by the Company. Each example provided by DOJ included an immediate and determinative response by the company through investigating the matter internally and terminating or disciplining any individuals or third parties involved.
- Self-Reporting and Cooperation. In every example provided, the companies voluntarily disclosed or self-reported the bribes or misconduct to DOJ. Following this pattern, these companies also voluntarily disclosed the results of their own internal investigations and cooperated fully with any investigation conducted by DOJ and/or SEC.
- Robust Compliance and Internal Controls. Each example also demonstrated a commitment by the company to implement its own corrective measures internally through, for example, re-training, additional new training programs, instituting new or enhanced compliance programs and internal controls, hiring new compliance officers, or restructuring existing compliance departments to increase scrutiny over anti-corruption issues.
In some of the examples, the fact that the bribes or payments were of very small amounts was also a factor considered by DOJ in its declination. One example described a matter where an individual bad actor was prosecuted, but prosecution of the company was declined. This example likely is intended to underscore the value of a company taking swift action, pursuant to well thought out compliance procedures, to isolate the activities of a “rogue” employee or agent.
Effective FCPA Compliance
It is clear from the Guidance that the agencies place significant value on company-specific anti-corruption compliance programs, internal controls, regular training, and company actions to self-police, self-report, and self-impose remedial actions. Although the Guidance states that the agencies “have no formulaic requirements regarding compliance programs,” the Guidance does describe, in very broad brush, the elements of what the enforcement agencies consider an effective compliance program.
The Guidance makes clear that there is no single model for a compliance program because an effective compliance program will be tailored to the company’s specific business and to the risks associated with that business. There are, however, three key inquiries that will be made in assessing an existing compliance program: (1) is the company’s compliance program well-designed; (2) is it being applied in good faith; and (3) is it working?
DOJ and SEC have identified the following “hallmarks” of effective compliance programs:
- Commitment from Senior Management and a Clearly Articulated Policy Against Corruption. The Guidance puts great emphasis on the “tone from the top” to provide the proper company culture regarding compliance and ethics. This theme from these agencies is well known, yet its inclusion is a good reminder that the actions and words of senior personnel who are not part of the compliance department are an important measure used to assess the quality of a compliance program. The take-away from this point is that a strong compliance program on paper means nothing without strong implementation, adherence, and reinforcement from senior management.
- Strong Risk Assessment. The Guidance consistently takes into account the use of a risk assessment to determine how companies should allocate their compliance resources. Risk assessment, however, is not a synonym for eliminating compliance in low-risk areas. Rather, it needs to be a thorough and thoughtful assessment of the areas of risk determined based upon the company’s scope of operations, business models, geographic locations, degree of interactions with foreign officials and state-owned entities, use of third-party agents, gifts, travel expenses, entertainment expenses, and charitable and political donations and so forth. To get credit for the risk assessment, a company should make it rigorous and contemporaneously document it, with updates occurring at reasonable intervals.
- Code of Conduct and Compliance Policies and Procedures. It is important for each of the codes, policies, and procedures to be clear, concise, and easily accessible (i.e., to be widely distributed and easy to find on the company’s intranet) to all employees and those third parties conducting business on the company’s behalf. To be effective, companies must review these policies periodically and keep them up to date. Additionally, they must address the risk assessment noted above. DOJ recognizes that higher-risk areas should be afforded more resources and higher scrutiny.
- Oversight, Autonomy, and Resources. Although the structure, size, and complexity of the compliance program will vary by company, those in charge of overseeing compliance must have autonomy from management, sufficient resources to effectively implement the compliance program, and direct access to the governance of the company, such as the board of directors and related committees. A poorly resourced compliance department will not fare well when examined by these agencies.
- Training and Continuing Advice. The principles emphasized here correspond with those communicated regarding the codes and policies themselves: The key to effectiveness is implementation, adherence, periodic review, and timely updates. The company must communicate relevant policies and procedures through all levels of the company and require periodic training and certification for all directors, officers, relevant employees (especially those who have frequent interactions with foreign officials or state-owned entities, or supervise those who do so), and (where appropriate) third-party agents and business partners.
- Incentives and Disciplinary Measures. Positive incentives and publicized disciplinary measures drive compliant behavior across all levels of a company. An effective compliance program reinforces a company culture of compliance where good behavior is rewarded and bad behavior is sanctioned fairly and consistently, regardless of position within the company.
- Third-Party Due Diligence and Payments. Risk-based due diligence is necessary due to the frequency with which third parties are facilitating bribes or payments. A third party’s qualifications, associations, and business reputation should be assessed and greater scrutiny should be applied if red flags surface. An adequate assessment should be made of the necessity of the third party, the role it will fill, and particular attention should be paid to any terms of payment. Third-party relationships should be monitored periodically through audits, re-training, or other methods.
- Confidential Reporting and Internal Investigation. A mechanism that allows for confidential reporting of suspected or actual misconduct without fear of retaliation is essential to an effective compliance program. Once an allegation surfaces, there must be sufficient resources for investigation, documentation of the company’s response, and implementation of any disciplinary or remedial measures necessary.
- Continuous Improvement. There must be frequent analysis, updated risk assessment, and review of all aspects of the compliance program and all aspects of its communication to the company as a whole. The compliance program and its implementation should be constantly evolving to address changes in the business, shifts in the industry, and updates to the regulatory or legal guidance available.
Sarbanes-Oxley Reporting and Monitoring
Good FCPA risk management relies not just on the compliance program, but also on internal controls that are tailored to the company and that use common-sense procedures to help reinforce the company’s FCPA compliance strategy. Many companies, however, pay more attention to the compliance program itself while neglecting the important role of the internal controls in compliance. The Guidance, by explicitly connecting the FCPA internal controls to the Sarbanes-Oxley regulations, underscores the importance of internal controls in FCPA compliance.
Section 404 of the Sarbanes-Oxley Act requires that the management of any issuer report on the effectiveness of the company’s internal controls over financial reporting. The Guidance states that this type of assessment must “include those related to illegal acts and fraud — including acts of bribery — that could result in a material misstatement of the company’s financial statements.”
This has important implications, for two reasons. First, it underscores that even though the Sarbanes-Oxley Act concentrates on the role of internal controls in assuring accurate financial reporting, the provisions should be applied equally to controls intended to prevent bribery. Second, while Section 404 focuses on the concept of material weaknesses in internal controls, it is relevant to recall that the concept of materiality does not apply for the internal controls requirements found in the FCPA. Putting together the two requirements thus arguably expands the already rigorous Sarbanes-Oxley requirements, at least for any internal controls that are linked to or have a role in preventing bribery-related conduct.
Gifts, Travel, Entertainment, and Other Business Courtesies
One of the toughest issues for anti-corruption compliance professionals is how to appropriately and practically manage expenditures for gifts, meals, entertainment, travel, and other business courtesies. Many hoped that the agencies would offer clear guidance, perhaps even safe harbors, for this business practice. Alas, no. But the agencies did make it clear that this area does not represent their highest enforcement priority, noting that the enforcement actions were focused where “the expenditures occurred in conjunction with other conduct reflecting systemic bribery or other clear indicia of corrupt intent.”
The Guidance makes clear that, while the value of a gift or business courtesy does not determine whether the FCPA has been violated, the larger or more extravagant the gift or courtesy, the more likely that DOJ or SEC will deem that it was given with an improper purpose. Items of nominal value, such as cab fare, reasonable meals and entertainment expenses, or company promotional items, are unlikely to influence improperly an official, and without more, will not result in an enforcement action by DOJ or SEC. Typically, DOJ and SEC only focus on small payments and gifts when the gifts are part of a systemic or long-standing scheme to corruptly pay foreign officials to obtain or retain business.
The Guidance highlights the following hallmarks of appropriate gift-giving: that the gift is given openly and transparently, that it is properly recorded in the giver’s books and records, that it is provided only to reflect esteem or gratitude, and that it is permitted under local law. Any gift or entertainment should never be given either as a reward for, or to induce, any return favor or action by the foreign official or employee of a state-owned entity.
Successor Liability and Recommended M&A Due Diligence
The Guidance addresses successor liability in the context of mergers and acquisitions. DOJ and SEC encourage companies to conduct pre-acquisition due diligence and to improve compliance programs after acquisitions for a number of reasons. First, pre-acquisition due diligence helps acquiring companies accurately value target companies. Second, due diligence reduces the risk of a company unknowingly continuing to pay bribes post-acquisition. Third, the consequences of potential violations uncovered during pre-acquisition due diligence can be handled by the parties in an orderly and efficient manner through negotiation of the allocation of costs and responsibilities for the investigation and remediation. Fourth, such due diligence is evidence of a genuine commitment to FCPA compliance.
The Guidance notes that in the merger and acquisition context, where companies have voluntarily disclosed and remediated improper conduct, DOJ and SEC have, in a significant number of instances, declined to take action against the acquiring companies. Nothing about this statement, however, is binding on enforcement agencies. The Guidance further notes that enforcement agencies have only taken action against successor companies in limited circumstances, generally in egregious cases or where the successor company failed to stop the misconduct post-acquisition. This is a significant observation. Turning a blind eye to FCPA red flags during an acquisition may be a costly decision.
Interpretation of the FCPA
Jurisdictional Reach Under FCPA
A hallmark of FCPA enforcement in recent years is the expansive interpretation of U.S. jurisdiction that both the DOJ and the SEC have relied upon in bringing and settling FCPA enforcement actions. U.S. jurisdiction has been premised on as little as the routing of a transaction through the U.S. financial system or a single act within the United States. The Guidance is consistent with and underscores the agencies’ far-reaching interpretation of the FCPA’s jurisdictional reach.
The Guidance notes that the FCPA’s anti-bribery provisions apply “broadly” to issuers, domestic concerns, and certain persons and entities acting while in the territory of the United States. The references to “issuers” and “domestic concerns,” standing alone, are not particularly controversial and generally follow fairly well-accepted definitions. It is notable, however, that the references to issuers and domestic concerns are both followed by the language “and their officers, directors, employees, agents and shareholders.” There are similar references throughout the Guidance. The reference to “agents” underscores the government’s focus on third-party agents acting in foreign jurisdictions. The reference to officers, directors, and employees underscores the government’s focus on individual liability. And the reference to shareholders underscores the potential liability of U.S. companies with affiliate sales or operations in foreign jurisdictions, as well as the potential liability of private equity firms investing in companies with sales or operations in foreign jurisdictions.
Not surprisingly, the Guidance states that the FCPA’s anti-bribery provisions “apply to conduct both inside and outside the United States.” The Guidance emphasizes the broad definition of “interstate commerce” as used in the FCPA, and then notes that the term “interstate commerce” also includes “the intrastate use of any interstate means of communication or any other interstate instrumentality” [emphasis in original]. The Guidance explains that if a telephone call, email, text message, fax, wire transfer, or the like originates from or is sent to the United States as part of an anti-bribery violation, the U.S. government will assert jurisdiction. This extraordinary statement (sometimes thought of as the “single email” test) is worth noting for foreign companies. According to the Guidance, the U.S. government can assert jurisdiction over any persons or entities who, directly or through an agent, engage in “any act in furtherance of a corrupt payment while in the territory of the United States, regardless of whether they utilize the U.S. mails or a means or instrumentality of interstate commerce.” The Guidance also alludes to the U.S. government relying on conspiracy theories to assert jurisdiction over otherwise wholly foreign entities.
In sum, the Guidance confirms what many practitioners have inferred throughout the years. If there is any conceivable nexus between a corrupt payment that the DOJ wants to charge and the territory of the United States, however limited or tenuous, the U.S. government likely will not permit the jurisdictional consideration to be a limiting principle of prosecution.
Liability for Acts of Employees and Agents
Nearly all FCPA settlements during the past 10 years have been predicated, at least in part, on liability for the actions of a third party, such as an agent or a distributor. For these types of situations, the Guidance reinforces the application to the FCPA of the doctrine of respondeat superior. The Guidance reinforces the view of the DOJ and SEC that an employer is liable under this doctrine for the wrongful acts of its employees, officers, and directors, acting within the scope of their employment, as long as the FCPA violations were intended, at least in part, to benefit the company.
The Guidance also states the view of DOJ and SEC that a parent company may be liable for the FCPA violations of its subsidiary if (1) the parent company directly participated in the wrongful conduct or directed its subsidiary's misconduct or (2) the parent company sufficiently controlled the acts of its subsidiary for the latter to be identified as an agent of the parent. For a subsidiary to be deemed an agent of a parent, the issue of control is key. To evaluate the issue of control, the DOJ and the SEC evaluate the parent's knowledge and direction of the subsidiary's actions, both generally and in the context of a specific transaction.
In support of the above, the Guidance cites a 2009 Enforcement Action where the SEC brought a non-criminal, administrative action against a parent company for bribes paid by the president of its indirect, wholly owned subsidiary, where the president reported directly to the CEO of the parent company, the president was routinely identified as a member of the parent company's senior management, the parent company's legal department approved the retention of a third-party agent through whom the bribes were arranged, and an official of the parent company approved one of the payments at issue.
The Guidance notes a particular FCPA danger posed by third parties, such as consultants, agents, and distributors. In evaluating the effectiveness of a company's compliance program, DOJ and SEC view risk-based due diligence of third parties as particularly important. The Guidance notes that appropriate due diligence will depend on the type of industry, country size, nature of the transaction, and a company's historical relationship with the third party.
The Guidance offers several "red-flag"-based principles: (1) a company should understand the qualifications of a third party, including its business reputation and relationship, if any, with foreign officials; (2) a company should understand a business rationale for using a third party in a transaction, ensure that a contract specifically describes the services to be performed and payment terms, which should be reasonable under the circumstances, and confirm and document that the third party is actually performing the work; and (3) a company should undertake some form of ongoing monitoring of third-party relationships. DOJ and SEC also assess whether a company informed third parties of the company's compliance program and commitment to ethical and lawful business practices, and, where appropriate, whether the company sought assurances from third parties of reciprocal commitments.
The agencies did not take the opportunity to provide a bright-line test for whether an entity is an “instrumentality” of a foreign government and its employees “foreign officials” — an issue that some hoped would be clarified in the Guidance. Instead, the Guidance notes that the term “instrumentality” is “broad and can include state-owned or state-controlled entities” and states that whether an entity is an instrumentality under the FCPA requires a “fact specific analysis of an entity’s ownership, control, status and function.” Although the Guidance states that a company is unlikely to be an instrumentality of a foreign government if the government does not own or control a majority of its shares, it also indicates that a company might be an instrumentality of a foreign government if the government nevertheless had substantial control over the company. The Guidance identifies nine non-exclusive factors to be considered in assessing whether a company is an instrumentality of a foreign government. Interestingly, although the Guidance obliquely refers to United States v. Esquenazi (the first appellate case to address the definition of instrumentality), the Guidance does not refer to the “government function” test that was set forth by DOJ in its appellee’s brief filed in that case as determinative. (“An ‘instrumentality’ of a foreign government is a means or agency through which a function of the foreign government is accomplished.”)
Compliance Wake-Up Call
As noted, the Guidance is carefully drafted to avoid breaking any new legal ground. And it does not provide the sort of clear parameters many hoped for on key FCPA interpretation issues. Nonetheless, the Guidance was crafted in the clear hope of underscoring just how important the DOJ and the SEC consider FCPA compliance to be.
Companies that operate abroad and that are at risk of an FCPA enforcement action would be well served by taking the Guidance as a compliance wake-up call. Such actions as updating any risk assessment (or performing a first one), reviewing compliance procedures against the FCPA provisions and the Guidance, conducting new or updated training, evaluating internal controls, conducting FCPA audits, and generally evaluating the state of FCPA compliance against the Guidance and FCPA best practices would be a prudent exercise for minimizing corporate-wide FCPA risks. While the Guidance is a good basic guide to the operation of the FCPA, in the end there is no substitute for the kind of hands-on consideration of risks and risk mitigation that is urged by DOJ and SEC.