I. Overview

On February 19, during the US Securities and Exchange Commission’s (SEC) annual “SEC Speaks” conference, Kara Brockmeyer, Chief of the SEC’s FCPA Unit, stated that 2016 will be a “very busy year” for the FCPA Unit; on February 23, at an anti-corruption conference in New York, Assistant Attorney General Leslie Caldwell indicated that the US Department of Justice (DOJ) is currently investigating “a lot” of FCPA cases. Indeed, the first quarter of 2016 has already seen a wave of FCPA settlements, with the SEC having announced nine resolutions and the DOJ having announced three.1

Among the recently announced settlements is the agreement by Amsterdam-based VimpelCom Ltd. and its wholly owned Uzbek subsidiary, Unitel LLC (collectively, VimpelCom), to pay approximately $795 million to settle enforcement actions with the DOJ, the SEC, and Dutch authorities in connection with allegations that the telecommunications companies made over $100 million in improper payments to an influential Uzbek official and other Uzbek officials to enter and continue operating in the Uzbek telecommunications market.2 According to the SEC’s complaint, the improper payments resulted in more than $2.5 billion in revenue for VimpelCom.3 Both the SEC and the DOJ alleged violations of the antibribery, internal controls and books-and-records provisions of the FCPA.4 Based on the combined US penalties alone, this is the sixth-largest FCPA resolution in US history. When the payments to Dutch authorities, which the DOJ credited as part of its agreement with VimpelCom, are factored into the total, this is the second-largest FCPA resolution of all time, behind the Siemens matter in 2008.

Exactly two weeks after the announcement of the VimpelCom settlement, on March 1, 2016, the SEC announced a $7.5 million settlement with San Diego–based Qualcomm Incorporated (Qualcomm) for violations of the anti-bribery, internal controls, and books-and-records provisions of the FCPA,5 and the DOJ announced a $22.8 million settlement with Olympus Latin America Inc. (OLA) for violations of the anti-bribery provisions of the FCPA.6 OLA is a Miami-based subsidiary of Olympus Corporation of the Americas, one of the largest US distributors of medical equipment.

The allegations in the Qualcomm case focused on Qualcomm’s hiring of relatives of Chinese regulators and executives at two state-owned telecommunications companies to encourage the officials to adopt and expand the use of Qualcomm’s technology. According to the SEC’s complaint, Qualcomm often hired or offered to hire relatives at the request of foreign officials and offered employment in some cases where the relative did not satisfy Qualcomm’s hiring standards.7 In one instance, a Qualcomm HR employee described an internship candidate as “a MUST PLACE” since he was referred by the director general of a Chinese agency, who had influence in China.8

The allegations in the DOJ’s FCPA enforcement action against OLA relate to payments to health care practitioners at government-owned health care facilities in order to increase medical equipment sales in Central and South America.9 According to the DPA’s statement of facts, the payments were made in the form of cash, money transfers, personal grants, personal travel, and free or heavily discounted equipment, and were made through OLA “training centers.”10 Separately, OLA’s parent, Olympus Corporation of the Americas, entered into a $623.2 million settlement with the DOJ in connection with charges that it violated the Anti-Kickback Statute and the False Claims Act.11

Two days after the announcement of the Qualcomm and Olympus settlements, the SEC announced settlements with global health science company Nordion (Canada) Inc. (Nordion) 12 and a former Nordion engineer, Mikhail Gourevitch, in connection with charges that Nordion had violated the books-and-records and internal controls provisions of the FCPA and Gourevitch had violated the anti-bribery, books-andrecords, and internal controls provisions. The SEC alleged that from 2004 through 2011, Gourevitch authorized, offered, and made corrupt payments to various Russian government officials through a Nordion third-party agent in Russia to obtain government approval to distribute Nordion’s liver cancer treatment drug.13 The SEC’s administrative order stated that Gourevitch hid the scheme from Nordion by providing false documentation and misrepresenting how the agent would use the funds received from Nordion.14

II. Significance of These Cases

While the facts of each of these cases vary, they share some common threads that pick up on several distinct trends that have emerged over the last year.15

Controls, Controls, Controls: the Importance and Elements of a Strong and Effective Compliance Program

Several of the settlements announced this quarter emphasize internal controls failures and detail specific steps the US government expects companies with an international footprint to take to ensure an effective compliance program. These steps include: (1) having dedicated, experienced compliance professionals; (2) training all relevant employees in key business functions, including those in human resources and finance functions; and (3) performing due diligence on agents and consultants acting on behalf of the company.

For example, the VimpelCom DPA statement of facts painted a bleak portrait of compliance at VimpelCom prior to 2013 and described the compliance program as existing largely to give the company “plausible deniability of illegality.” Until 2013, VimpelCom’s anti-corruption policy consisted of two highlevel paragraphs in the company’s code of conduct and anti-corruption training. “To the extent it existed at all,” the policy was “inadequate and ad hoc.” There was “no dedicated compliance function” at VimpelCom until 2013, and the Chief Compliance Officer (CCO) was not a senior management position until 2014. Prior to that time, the CCO was a “junior executive” with no background in compliance, who had no staff or support, and for whom compliance was but one of many other job duties. Critically, VimpelCom lacked a third-party due diligence process, and to the extent that due diligence was done at all in connection with Uzbek transactions, it was always handled by VimpelCom executives or external third parties with little to no involvement by the company’s in-house or external counsel. VimpelCom also lacked basic internal accounting controls and permitted payments to be made to bank accounts in thirdparty countries; did not monitor third parties to ensure that services were performed and that payments were commensurate with those services; lacked an internal audit function and allowed an executive to interfere with an audit relating to one of the Uzbek schemes; and did not maintain proper accounting records.16

The DOJ charged VimpelCom with failing to design and maintain appropriate internal controls, making it one of the few cases in which the DOJ has ever brought a criminal internal controls case against an issuer—presumably due to the high “knowingly” standard required for such a charge, under which the defendant must have “knowingly circumvent[ed] or knowingly fail[ed] to implement a system of internal accounting controls.”17

The SEC’s order in the Qualcomm case alleged that widespread “internal controls weaknesses were intensified by the absence of someone whose full-time responsibility was to act as a company-wide chief compliance officer and the absence of an FCPA compliance officer in China.” In addition, the SEC faulted Qualcomm for failing to provide regular substantive FCPA training or information to employees of its subsidiaries, and for failing to train employees in important business functions, including human resources and hospitality planning.18 Further, the SEC stated that repeated red flags raised in internal audit reports regarding missing entries in Qualcomm’s gift logs were ignored year after year.19

The SEC’s order in Nordion echoed issues raised in the VimpelCom and Qualcomm cases. According to the SEC’s order, Nordion did not have adequate policies and procedures in place to detect corruption risks, including improper payments by and through third-party agents, and provided little, if any, anti-corruption compliance training to its employees.20 Similarly, the OLA DPA statement of facts noted that OLA did not require any pre-approval of the improper travel payments and did not establish or use any review process after expenses were submitted.21

Read together and independently, these four settlements—and a number of the other settlements announced in 2016—include alleged major compliance and accounting deficiencies that underscore the importance of a robust compliance program. Such a program should include anti-corruption policies and procedures, a robust third-party due diligence process, appropriate training for employees, auditing and monitoring, and adequate resources for compliance. In all of these cases, the SEC continued its practice of including an internal controls charge in virtually every settlement, even in cases where the SEC’s papers acknowledge that employees knowingly circumvented the company’s controls. While the need for strong internal controls is of course critical, it is worth asking whether any compliance program can be found satisfactory by the SEC if a violation by employees occurs.

Post-Yates DOJ Focus on Corporate Cases Remains Strong

After resolving only two corporate FCPA cases in 2015, each for less than $20 million, the VimpelCom and OLA resolutions confirm that the DOJ is still pursuing large FCPA cases with corporations. At the same time that it has signaled a new emphasis on holding individuals accountable, the DOJ has also indicated that it would aim to bring larger corporate resolutions. These cases are a step in that direction. It is also confounding data for those who suggested last year that the paucity of FCPA resolutions may have indicated that compliance programs had become so effective that improper payments were finally being meaningfully reduced. According to the settlement papers, the improper conduct at VimpelCom, although it began in 2005, continued into 2013, and the improper conduct at OLA lasted until 2011.

DOJ and SEC Providing Greater Transparency Regarding Cooperation Credit

Despite the pervasive nature of the conduct, Assistant Attorney General Caldwell commented that VimpelCom’s cooperation was “very extensive,” which explained at least in part the DOJ’s decision to enter into a DPA with the corporate parent.22 Both the DPA and the DOJ’s press release included detailed explanations of the monetary discounts provided to VimpelCom in recognition of its extensive cooperation: the DPA, for example, stated that the DOJ awarded VimpelCom two layers of cooperation credit—25% savings for its substantial cooperation in providing the DOJ all relevant information, including information about individuals, and another 20% savings for its prompt acknowledgement of wrongdoing and expeditious cooperation during the investigation. The DPA further explained that VimpelCom did not voluntarily self-disclose—although VimpelCom had initiated an internal investigation and uncovered wrongdoing prior to the initiation of the government’s investigation—and thus did not receive an even greater discount.23

Similarly, both the OLA DPA and the DOJ’s press release reference OLA’s cooperation during the DOJ’s investigation of that matter. The DPA stated that the DOJ awarded OLA a 20% savings for its substantial cooperation. Although the Sentencing Guidelines calculation resulted in a fine range between $28.5 million and $57 million, OLA was only required to pay $22.8 million. OLA did not receive a larger penalty reduction because, like VimpelCom, OLA did not voluntarily self-disclose the misconduct in a timely manner. Further, unlike VimpelCom, the DPA did not reference OLA receiving any reduction for prompt acknowledgement of wrongdoing and expeditious cooperation during the investigation.24

These more detailed and particularized explanations of the DOJ’s determinations regarding disclosure and cooperation credit are a departure from prior DOJ resolutions, and are consistent with recent indications from the DOJ that it would provide more transparency concerning how companies’ selfdisclosure and cooperation ultimately impact resolutions. This may make it easier for companies to understand and foresee the types of enforcement actions and penalties they can expect if they cooperate with the DOJ. That said, determining precisely what amount of cooperation will result in what amount of credit is still a difficult task (e.g., it is not immediately apparent why VimpelCom’s cooperation was worth 45% (representing the combined 25% savings for substantial cooperation in providing the DOJ all relevant information and its 20% savings for its prompt acknowledgement of wrongdoing) and OLA’s was worth only 20%). However, the VimpelCom DPA suggests that the maximum cooperation credit a company would receive is 25%.25 Also, these discounts are off the bottom of the Guidelines range. In some cases, DOJ has required penalties within the Guidelines range. In each resolution, it is unclear exactly where the DOJ starts its calculations and why, and this leaves companies with uncertainty about the precise value of cooperation.

The SEC’s recent orders also provide detail regarding measures companies have taken to cooperate with the Commission and the benefit of such measures. For example, in Nordion, the SEC stated that it did not impose a civil penalty in excess of $375,000 based upon Nordion’s cooperation in the SEC’s investigation.26 In its order, the SEC stated that when Nordion discovered evidence that suggested that payments may have been made to a Russian government official, Nordion self-reported to authorities in both Canada and the United States, fully cooperated with parallel investigations, and implemented extensive remedial measures.27 However, unlike other SEC orders released in 2016 (and many in prior years), the Qualcomm order did not include any reference to Qualcomm’s cooperation and remediation efforts. It is also noteworthy that the SEC did not indicate the amount of profits gained as a result of the alleged improper payments in either the Nordion or Qualcomm case, nor did the SEC explain how the civil penalties were determined in those cases.

International Cooperation in Anti-Corruption Realm Continues to Grow

In 2014 and 2015, US enforcement officials repeatedly remarked on the growing coordination among anticorruption authorities around the world. For example, on November 17, 2015 at an FCPA conference in Washington DC, SEC Enforcement Director Andrew Ceresney stated that one of the reasons the SEC has been able to achieve such success in its FCPA cases in recent years is the SEC’s effective coordination with international regulators and law enforcement.28 It seems this trend will continue through 2016 as one notable aspect of the Nordion and VimpelCom settlements is the number of countries involved in both investigations. In Nordion, an SEC release summarizing the matter acknowledged the assistance of enforcement authorities in several countries: Canada, Cyprus, Latvia, Estonia, the British Virgin Islands, Liechtenstein, and Finland.29

With regard to VimpelCom, Assistant Attorney General Leslie Caldwell described the settlement as “one of the most significant coordinated international and multi-agency resolutions in the history of the FCPA.”30 Ceresney added that this is indicative of an increasing trend toward international cooperation, particularly concerning corruption cases.31 The various charging papers list a number of different jurisdictions that provided assistance, including many often thought to be offshore banking or tax havens that typically have secrecy protections. Those providing assistance were Belgium, Bermuda, the British Virgin Islands, the Cayman Islands, Estonia, France, Gibraltar, Ireland, Latvia, Luxembourg, the Marshall Islands, Norway, Spain, Sweden, Switzerland, the UAE, and the UK.

The Return of External Compliance Monitors

Starting at the end of 2009, both the DOJ and the SEC appeared to be moving away from their imposition of external compliance monitors in favor of allowing companies to “self-report” to the government on their implementation of enhanced FCPA controls. This trend continued into 2015. However, the DOJ’s settlements with VimpelCom and Olympus32 both required the imposition of an independent compliance monitor for a term of three years. It remains to be seen whether the imposition of compliance monitors is really on the rise, at least for significant cases, but both cases serve as a warning of the consequences of systemic internal controls failures.

SEC’s Broad Interpretation of “Thing of Value”

Both the VimpelCom and Qualcomm settlements are reminders of the SEC’s broad interpretation of the FCPA’s “thing of value” element. In VimpelCom, the SEC’s discussion of charitable contributions is notable given that it is not supported by many facts about the contributions. The complaint did not indicate whether or not the organizations involved had good-faith charitable intentions, or the foreign official’s relationship to the charity. Rather, the SEC merely noted that the payments were made at the foreign official’s request and were made in order to influence the foreign official. The SEC has historically had a broad interpretation of “thing of value” that has included charitable contributions. Local officials often ask companies for support and funding for philanthropic activities, which can be appropriate. However, the VimpelCom decision highlights the importance of reviewing and monitoring charitable contributions, including assessing the ownership and directors of the charities to which money is going. VimpelCom’s failure to vet the contributions and sponsorships partly formed the basis for the SEC’s enforcement action.

The Qualcomm settlement is a reminder that benefits bestowed on relatives of government officials can be considered benefits to those officials, and that benefits come in a variety of forms. In addition to more typical FCPA violations involving the provision of gifts, meals, and entertainment, the benefit conferred upon the relatives of foreign officials in the Qualcomm case included a wide range of items including employment, assistance maintaining a position in a PhD program, and a $75,000 loan for a down payment on a home.

III. Conclusion

With the year off to an active start and senior enforcement leaders suggesting that more cases are yet to come, 2016 could well turn out to be a banner year for FCPA enforcement. Based on the actions released thus far, companies would be wise to take a fresh look at their compliance programs to ensure that they are comprised of dedicated, experienced compliance professionals; that they provide training to all relevant employees in key functions; and that they perform due diligence on agents and consultants acting on behalf of the company. Further, even if a company opts not to voluntarily self-disclose potential misconduct, companies should consider the benefits of full cooperation with US authorities during an investigation, in order to receive maximum cooperation credit. WilmerHale will continue to monitor developments in the enforcement landscape.