In this second part of our client alert series on the Foreign Corrupt Practices Act (“FCPA”), we focus on how companies may face FCPA liability under principles of parent-subsidiary and successor liability, and we address the steps companies can take to minimize that risk. As in the first part of the series, the presentation is based on “A Resource Guide to the U.S. Foreign Corrupt Practices Act” (the “Guide”), recently issued by the U.S. Department of Justice (“DOJ”) and the U.S. Securities and Exchange Commission (“SEC”).1
Parent Company-Subsidiary Liability
Violation of FCPA’s Anti-Bribery Provisions
The Guide explains that under the FCPA’s anti-bribery provisions, a parent company may be liable for its subsidiary’s conduct in two ways: (1) if the parent company is found to have “participated sufficiently” in the illegal activity, e.g., if it directs the subsidiary to engage in bribery or otherwise directly participates in the bribery scheme;2 and (2) even absent such involvement, under traditional agency principles.3
A parent company may only face FCPA liability under an agency theory if the government establishes that an agency relationship exists with the subsidiary. To make that showing, the DOJ and SEC will “evaluate the parent’s control – including the parent’s knowledge and direction of the subsidiary’s actions, both generally and in the context of the specific transaction.”4 Although an evaluation of the parent company’s control takes into account the formal relationship between the parent company and its subsidiary, it also looks at the “practical realities” of the interactions between the two entities.5 If a subsidiary is acting as an agent for its parent company, the subsidiary’s actions and knowledge are imputed to the parent company.6
Moreover, the Guide indicates that, if an agency relationship exists between the parent company and a subsidiary, the parent company is liable for FCPA violations committed by the subsidiary.7 Such liability can exist notwithstanding a parent company’s lack of actual knowledge, authorization, or direction.
Sometimes the government declines to take enforcement action against a parent company for misconduct of its subsidiary. As reflected in the Guide, no action was taken against a parent company where, among other things, bribe payments were relatively small, were immediately halted upon the parent company’s discovery, were voluntarily reported by the parent company to the DOJ and SEC, and where the parent company improved its compliance program and internal control structure to safeguard against further wrongdoing by the subsidiary.8
Violation of FCPA’s Books and Records Provisions
The FCPA requires issuers (U.S. and foreign public companies listed on U.S. stock exchanges or required to file periodic reports with the SEC) to “make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer.”9 The issuer’s responsibility to maintain accurate books and records extends to the books and records of the subsidiaries and affiliates under its control, including foreign subsidiaries.10 Thus, a subsidiary’s misstated financial records may potentially result in an FCPA books and records violation for its parent company.
Unfortunately, the Guide does not clarify a parent company’s duties with respect to subsidiaries and affiliates that are not under the parent company’s control, i.e., where the parent company owns less than a 50% controlling interest in the subsidiary or affiliate. The Guide interprets the statute as requiring that the issuer “use its best efforts to cause the minorityowned subsidiary or affiliate to devise and maintain a system of internal accounting controls consistent with the issuer’s own obligations under the FCPA.”11 The Guide, however, offers no hypotheticals or other insight into what constitutes “best efforts.” The Guide only indicates that the government will evaluate the issuer’s efforts by taking into account “all the circumstances – including ‘the relative degree of the issuer’s ownership of the domestic or foreign firm and the laws and practices governing the business operations of the country in which such firm is located.’”12 With such limited “guidance,” it remains unclear whether and under what circumstances misstatements in the books and records of a minority-owned subsidiary may potentially subject an issuer to FCPA liability.
The applicability of successor liability “to a particular corporate transaction depends on the facts and the applicable state, federal, and foreign law.”13 As “a general legal matter, when a company merges with or acquires another company, the successor company assumes the predecessor company’s liabilities,” with such successor liability applying in both civil and criminal contexts.14 Principles of successor liability apply as well to FCPA violations. Notably, however, the Guide confirms that a successor company is not exposed to FCPA liability if the DOJ and SEC had no jurisdiction over the predecessor company’s pre-acquisition misconduct.15 This would be pertinent with respect to mergers with or acquisitions of foreign entities, provided there was no prohibited conduct within the United States or by a U.S. person.
Even where there has been a violation, an enforcement action is not always initiated against a successor company. It is here that the Guide is particularly useful, as it provides a detailed discussion of the types of preand post-acquisition conduct that the government expects from companies engaging in mergers and acquisitions, and presents examples of circumstances in which such companies can avoid, or anticipate, FCPA enforcement action.
Pre-Acquisition Conduct by Acquiring Company
As a starting point, the government “encourages” companies to conduct extensive risk-based FCPA and anti-corruption pre-acquisition due diligence.16 The Guide identifies four benefits from such diligence: the enhanced ability to value properly a target company, the ability to negotiate potential investigation and remediation responsibilities, the likely reduction of the risk that the acquired company will continue its corrupt activity, and the tangible demonstration that the successor company has a genuine commitment to uncovering and preventing FCPA violations.17
The Guide suggests that the aim of pre-acquisition due diligence should be to determine whether the target company has appropriate anti-corruption and compliance policies in place, whether its employees are adequately trained regarding such policies, whether the policies are followed, and what remedial action is taken if the policies are violated.18 Adequate pre-acquisition due diligence may include: having the acquiring company’s legal, accounting, and compliance departments review the target company’s sales and financial data, customer contracts, and third-party agreements; performing a risk-based analysis of the target company’s customers; auditing a random selection of the target company’s transactions; and speaking with the target company’s management regarding corruption risks and compliance efforts.19
If pre-acquisition due diligence reveals that the target company has engaged in corrupt conduct, the acquiring company should require the target company, as a condition to the acquisition, to report pre-acquisition misconduct.20 Such reporting should shield the successor from FCPA liability, while the target company will likely face an enforcement action.21
The Guide also discusses an acquiring company’s utilization of the DOJ’s opinion procedure to obtain pre-acquisition assurances that it will not face DOJ prosecution for a target company’s pre-acquisition FCPA violations.22 This option, however, has limited utility for most companies,23 and the Guide acknowledges that, in return for the opinion, the DOJ may impose “more stringent requirements than may be necessary in all circumstances.”24
Typically, prospective DOJ assurances are not needed.25 Rather, the performance of adequate anti-corruption pre-acquisition due diligence, together with certain postacquisition measures (described below), will reduce the likelihood that a successor company will face an FCPA enforcement action based upon the conduct of a predecessor company.
Post-Acquisition Conduct by Acquiring Company
The DOJ and SEC also encourage successor companies to engage in certain post-acquisition conduct. The government suggests that the acquiring company impose its code of conduct and anti-corruption policies and procedures on the acquired entity “as quickly as is practicable.”26 The government advises that the acquiring company adequately train the acquired entity’s directors, officers, and employees and, when appropriate, its agents and business partners, on the FCPA and other relevant anti-corruption laws.27 Additionally, it is recommended that there be “an FCPA-specific audit” of the new business “as quickly as practicable.”28 Lastly, companies are urged to report violations uncovered as part of their due diligence.29
Companies that undertake the government’s recommended actions pre- and post-acquisition will be given “meaningful credit” and “in appropriate circumstances, DOJ and SEC may consequently decline to bring enforcement actions.”30 For example, the government declined to take enforcement action against a publicly held U.S. company in connection with its acquisition of a foreign company where, as part of its pre-acquisition due diligence, the U.S. company: (1) identified potentially improper payments by the target company to foreign government officials; (2) formulated a comprehensive plan to investigate, correct, and remediate any FCPA-related issues; and (3) selfreported the payments and provided the government with the results of its investigation on a real-time basis. Moreover, the government took into account that the acquiring company had its own internal controls and a robust compliance program, and that, after the closing, it stopped all improper payments, implemented a remedial plan, provided FCPA training to the foreign subsidiary’s employees, and incorporated the foreign subsidiary into the company’s existing internal controls and compliance program.31
Additionally, the government might decline to take enforcement action against a successor company where post-acquisition due diligence reveals for the first time that the predecessor company had engaged in FCPA violations.32 For example, the government declined to take enforcement action where a company discovered, post-acquisition, that its predecessor had violated the FCPA, and where the company reported the violations, agreed to cooperate in any investigations, and took remedial action, including terminating senior management at the acquired company.33
There has been enforcement action against successor companies “in limited circumstances, generally in cases involving egregious and sustained violations or where the successor company directly participated in the violations or failed to stop the misconduct from continuing after the acquisition.”34 The Guide cites two such examples: (1) an issuer was charged with violating the FCPA’s books and records and internal control provisions by continuing a kickback scheme originated by its predecessor;35 and (2) a merged company was liable under the FCPA where, prior to the merger, the two individual companies had independently committed FCPA violations through their foreign subsidiaries over a number of years.
Lastly, the Guide indicates that when full pre-acquisition due diligence is not possible, a successor company may, through “voluntary disclosure, appropriate due diligence, and implementation of an effective compliance program,” decrease the likelihood of facing enforcement action for the acquired company’s post-acquisition conduct.36 As reflected by Opinion Procedure Release No. 08-02, where U.K. legal restrictions prevented full FCPA pre-acquisition due diligence, the DOJ stated its intention not to take enforcement action against a potential acquiring company for any post-acquisition corrupt conduct by a target company, as long as such conduct was reported, and ceased, within 180 days after closing and remedial action was taken against the wrongdoers.37 The decision not to take enforcement action was contingent on various representations made by the potential acquiring company, including, among other things: that it would create a “risk-based FCPA and anti-corruption work plan” addressing the target company’s “use of agents and other third parties; commercial dealings with state-owned customers; any joint venture, teaming or consortium arrangements; customs and immigration matters; tax matters; and any government licenses and permits”; that its postacquisition due diligence process would include an examination of the acquired company’s records, including email review and review of company financial and accounting records, as well as interviews of relevant personnel; that it would impose its own FCPA and anticorruption policies and procedures on the target company; and that it would provide FCPA and anti-corruption training to employees of the target company.38
The Guide provides useful insight into the government’s considerations when deciding whether to bring FCPA enforcement action under principles of parentsubsidiary and successor liability.
With respect to parent-subsidiary liability, parent companies should do the following to reduce the likelihood of FCPA liability:
- Ensure that their subsidiaries have implemented effective FCPA training and compliance policies and procedures;
- Insist that their subsidiaries’ accounting policies and controls are consistent with the parent company’s standards; and
- Where the parent company lacks a controlling interest in the subsidiary or affiliate, engage in best efforts to influence the subsidiary’s or affiliate’s accounting and control policies to meet the parent’s standards.
With respect to successor liability, the Guide indicates that the government expects companies to engage in thorough risk-based FCPA and anti-corruption preacquisition due diligence. In addition, the government strongly encourages the following post-acquisition conduct:
- Imposition of effective anti-corruption policies and training;
- An FCPA-specific audit of the acquired or merged entity; and
- Self-reporting of corrupt payments discovered during due diligence.
Companies can reduce the risk of FCPA enforcement actions by following the government’s recommendations.