The year 2020 witnessed a record level of $2.78 billion in corporate fines and penalties from enforcement of the Foreign Corrupt Practices Act (FCPA) by the U.S. Department of Justice (DOJ) and the U.S. Securities and Exchange Commission (SEC). It also witnessed continued close cooperation by the DOJ and SEC with enforcement authorities in other countries, resulting in billions of additional dollars in fines and penalties by foreign enforcement authorities. These trends, which will likely continue and even expand in 2021, highlight the urgent need for companies to identify the key risk areas of FCPA exposure they face in their international operations, and to maintain compliance programs that work in practice, not just on paper. This is especially important for companies operating in or doing business with certain high-risk countries, such as China, India and Brazil, which may draw special attention from the DOJ and SEC because of recurring corruption issues.
The FCPA contains both anti-bribery and accounting provisions. The anti-bribery provisions prohibit U.S. persons and businesses (domestic concerns), U.S. and foreign public companies listed on U.S. stock exchanges or required to file certain reports with the SEC (issuers), and certain foreign persons and businesses acting within U.S. territory from paying, offering, promising, or authorizing the payment or offer of money or "anything of value," directly or indirectly, with corrupt intent, to a "foreign official," political party official, or candidate in order to obtain or retain business.
Of special note to companies doing business with state-owned or controlled enterprises, the term "foreign official" includes officers and employees of a foreign government department, agency or "instrumentality." An "instrumentality" of a foreign government has been broadly construed to include state-owned or controlled entities. This classification can include many Chinese companies, but also entities from many other countries. Whether a particular entity is an "instrumentality" under the FCPA requires a fact-specific analysis of the entity’s ownership, control, status, and function.
The FCPA also contains accounting provisions requiring issuers to make and keep accurate books and records and to devise and maintain an adequate system of internal accounting controls. The FCPA’s accounting provisions prohibit individuals and businesses from knowingly falsifying books and records or knowingly circumventing or failing to implement a system of internal controls.
Key FCPA Risk Area: Responsibility for Third Party Acts
Approximately 90% of FCPA enforcement actions against companies involve a third party providing some service to a company. A third party that provides services for a company or acts on its behalf, such as a distributor or sales agent, can subject the company to liability for the third party’s corrupt actions, regardless of the fact that the company did not direct them to violate the law or did not even have actual knowledge of the third party’s intent to violate the law. Rather, a company can be liable for the third party’s actions if it was aware that the actions were "substantially certain" to occur, aware of a "high probability" that they would occur, or where the company consciously avoided knowing or was "willfully blind" to the third party’s corrupt conduct. In addition to sales agents and distributors, other examples of third parties that can create FCPA risks include consultants, customs brokers, freight forwarders, tax consultants who interact with foreign government tax and revenue authorities, and political lobbyists (whether or not registered) who interact with foreign legislative or ministerial authorities.
Airbus provides a notable example. In 2020 Airbus entered into a deferred prosecution agreement with the DOJ, which charged the company with conspiracy to violate the FCPA and conspiracy to violate the Arms Export Control Act (AECA) and the International Traffic in Arms Regulations (ITAR). The FCPA charge arose out of Airbus’ alleged scheme to use third-party business partners to bribe government officials, as well as non-governmental airline executives, in multiple countries around the world, including China. The improper payments were made to win business from both private companies and entities that were state-owned and state-controlled. Airbus agreed to pay combined penalties of more than $3.9 billion to resolve foreign bribery charges in the United States, France, and the United Kingdom, as well as AECA and ITAR violations. The FCPA-related penalty was $2.09 billion, although most of that amount was credited against payments made to foreign enforcement authorities. Airbus ultimately agreed to pay $294.5 million for the FCPA-related conduct and $232.7 million for ITAR-related conduct.
Examples of common FCPA "red flags" associated with third parties include:
- Cash payments to third parties;
- Unusually large commissions to agents or unusually large discounts to distributors;
- Undocumented payments or payments made for work that cannot be substantiated
- Consulting agreements with only vaguely described services;
- The agent or consultant is in a different line of business than that for which it has been retained or has no relevant experience or capability;
- The third party is related to or closely associated with the foreign official;
- The third party is recommended or requested by a foreign official;
- The third party is a shell company incorporated in an offshore jurisdiction; and
- The third-party requests payment to an offshore bank account.
To mitigate the FCPA risk arising from third party actions, companies need to have an effective FCPA compliance program that includes a documented risk-based due diligence procedure on the third parties performing services on their behalf internationally. Such a due diligence procedure should be custom-designed to fit the company’s operations and enable it to detect red flags such as those outlined above to prevent or stop violations of the FCPA, as well as foreign anti-corruption laws. Companies should conduct and carefully document this due diligence before retaining third parties. They also should monitor their third parties’ performance from both a substantive and compliance standpoint on an ongoing basis and should refresh the due diligence on their third parties at regular intervals, for example, every two years.
Key FCPA Risk Area: Lavish or Excessive Meals, Gifts, Travel or Entertainment
The FCPA prohibits the corrupt offer, payment, promise to pay or authorizing the payment or offer of money or "anything of value" to a foreign official to obtain or retain business, and "anything of value" includes lavish or excessive meals, gifts, travel, or entertainment offered or given to a foreign official. The Resource Guide makes it clear that "appropriate gift giving," in which the gift given is open and transparent, properly recorded in the giver’s books and records, provided only to reflect esteem or gratitude, and permitted under local law, does not violate the FCPA. In contrast, gift-giving or other hospitality, including meals, travel and entertainment, which is lavish, excessive, or not provided for a legitimate business purpose, but rather provided for a corrupt purpose to obtain some improper advantage or in violation of local law, can violate the FCPA.
For example, the DOJ and SEC announced a $123 million FCPA resolution with Herbalife on August 28, 2020, with respect to Herbalife’s Chinese subsidiaries allegedly providing corrupt payments and benefits, including cash, gifts, travel and hospitality, to influence Chinese government officials in a variety of regulatory matters, including obtaining and retaining certain direct selling licenses, improperly influencing Chinese government investigations, and improperly influencing certain Chinese state-owned and state-controlled media. Herbalife also agreed to pay the SEC disgorgement and prejudgment interest totaling approximately $67,313,497. This case illustrates the fact that an entity or company owned or controlled by a foreign government may constitute an "instrumentality" for FCPA purposes and that corrupt or improper payments or benefits to employees of such an entity, including meals, gifts, travel or entertainment, may violate the FCPA.
For U.S. companies doing business in a country like China, in which many local companies may be owned or controlled by the Chinese government, it is critically important to understand which local companies likely will be deemed Chinese government "instrumentalities," whose employees will be considered "foreign officials" for FCPA purposes. In the automotive industry, for example, Chinese companies which are either wholly owned by the Chinese government or joint venture companies with significant ownership by Chinese state-owned enterprises may well be deemed "instrumentalities" and their employees "foreign officials" under the FCPA. This means that companies need to carefully monitor the offering and giving of gifts and hospitality to employees of such state-owned or controlled enterprises and that companies should have and must comply with their FCPA gifts and hospitality policy and procedures, as well as the requirements of local law.
Key FCPA Risk Area: Certain High Risk Countries
The DOJ and SEC make it clear in the Resource Guide [provide link] that risk assessment is fundamental to a strong compliance program. The Resource Guide states that:
"one-size-fits-all compliance programs are generally ill-conceived and ineffective because resources inevitably are spread too thin, with too much focus on low-risk markets and transactions to the detriment of high-risk areas. Devoting a disproportionate amount of time policing modest entertainment and gift-giving instead of focusing on large government bids, questionable payments to third party consultants, or excessive discounts to resellers and distributors may indicate that a company’s compliance program is ineffective." See Resource Guide at page 60.
The Transparency International Corruption Perceptions Index 2020 is a useful tool in assessing the relative corruption risk in various countries where a company is doing business and having a rational basis for allocating additional compliance resources to certain higher risk countries. For example, additional compliance resources, such as conducting enhanced third party due diligence, would be warranted with respect to a third party in China (TI rank 78), India (TI rank 86) or Brazil (TI rank 94), as opposed to a third party in Denmark (TI rank 1) or Canada or the United Kingdom (TI rank 11).
The Importance of Having a Compliance Program that Works
The DOJ and SEC make it clear in the Resource Guide that they have no "formulaic requirements" regarding compliance programs and do not expect that "one size fits all." Rather, they have said they will take a pragmatic, common-sense approach to evaluating a company’s compliance program based on answering three questions:
- Is the compliance program well-designed?
- Is the compliance program effectively implemented?
- Does the compliance program work in practice?
Every company doing business internationally should have an FCPA compliance program tailored to its operations and the risks that these operations create. Based on the expectations of the DOJ and SEC, this should include the following in a form appropriate for the company’s operations:
- A documented commitment from senior management and a clearly articulated policy against corruption;
- A Code of Conduct available to all employees and to persons conducting business on the company’s behalf. This Code should be reviewed and updated periodically to remain current and effective;
- Policies and procedures outlining responsibilities for compliance within the company, detailing proper internal controls, auditing practices and documentation policies, and setting forth disciplinary procedures. These policies and procedures should address risks arising from transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations, and facilitating and expediting payments;
- Assigned responsibility for oversight and implementation of the company’s compliance program to one or more senior executives who have appropriate authority, adequate autonomy from management, and sufficient resources;
- A formal risk assessment conducted and documented on a periodic basis;
- Periodic anti-corruption compliance training and certification for directors, officers, relevant employees and, where appropriate, for agents and business partners; and
- A documented due diligence and monitoring procedure on the company’s third-party business partners, including any agents or consultants, which is refreshed on a periodic basis.
Because the FCPA risks faced by every company are based upon the nature of its international business operations, which can change over time, each company's compliance program must be designed to address these specific risks and must be able to adapt and evolve as the company's operations evolve and change over time. While a small or mid-size company with less extensive or complex international operations may not need the same anti-corruption policies and procedures as a Fortune 100 company, it is vitally important that every company's compliance program work in practice, in its daily real-world operations, to protect it and its directors, officers and employees from criminal and civil liability under the FCPA and foreign anti-corruption laws.