When the economic going gets tough, multinational companies might be tempted to cut costs by cutting back on steps needed to comply with the Foreign Corrupt Practices Act (FCPA).
But the DOJ is on record that it and the Securities and Exchange Commission (SEC) don’t expect to cut back on FCPA investigations and prosecutions. In 2008 the DOJ and SEC collected more than US$924 million in penalties for FCPA violations. And lead DOJ Prosecutor Mark Mendelsohn recently – and pointedly – noted that even though the global economic crisis presents “a grave challenge in the fight against foreign bribery ... companies need to be especially vigilant in this economic climate not to cut back. Our law enforcement efforts are not going to be scaled back, and so it would be, I think, a grave mistake for a company to take that path.”
Instituting policies and procedures that implement the US Federal Sentencing Guidelines for an Effective Compliance and Ethics Program and practicing effective due diligence are two bedrock fundamentals of FCPA compliance and risk mitigation.
FCPA compliance is a must if you engage in international business. Operating a compliance and ethics program that meets the Guidelines’ expectations should be every organization’s baseline objective. For an organization to demonstrate it has an effective program, the Guidelines require the organization to exercise due diligence to prevent and detect criminal activity and to promote an organizational culture that encourages ethical behavior and a commitment to lawful conduct. The Guidelines provide that a program minimally requires the following seven characteristics:
- The organization must “establish standards and procedures to prevent and detect criminal conduct.”
- The organization’s governing authority must be knowledgeable about and reasonably supervise the program. Individuals with operational responsibility for the program must report periodically to high-level personnel and, as appropriate, to the governing authority or an appropriate subgroup of the governing authority (e.g., the audit committee) on the program’s effectiveness.
- The organization must use reasonable efforts to not empower substantial authority in any individual whom it “knew, or should have known…engaged in illegal activities or other conduct inconsistent with an effective” program.
- The organization must “take reasonable steps to communicate periodically and in a practical manner its standards and procedures” to the governing authority, officers and employees, and, as appropriate, agents and other third parties.
- The organization must take reasonable steps to guarantee that the program is followed, including monitoring and auditing to discover unlawful behavior, to evaluate from time to time the program’s effectiveness and to publicize a system that may include methods of communication that provide for anonymity, thus enabling employees and third parties to “report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.”
- The organization must promote and consistently enforce the program through appropriate performance incentives and commensurate disciplinary measures.
- “After criminal conduct has been detected,” the organization must “take reasonable steps to respond appropriately…and to prevent further similar criminal conduct.”
Finally, in addition to these seven elements, the Guidelines require that the organization “periodically assess the risk of criminal conduct” and take “steps to design, implement or modify each requirement” to reduce the risk of unlawful conduct.
The DOJ and SEC have stressed the need to conduct due diligence on anyone acting on behalf of an entity subject to the FCPA. The government has backed up these words by bringing enforcement actions against companies, their officers and employees, and third parties where the lack of due diligence contributed to FCPA violations. While common law agency will ultimately govern, the acts of employees, officers and directors, joint-venture partners, targets acquired in a merger and third parties all can impute FCPA liability to an entity for which they act.
There is no one right way to conduct due diligence. Due diligence is a potpourri of tasks that include FCPA-tailored risk and awareness application materials; interviews; background checks; using a forensic accountant to review books and records to evaluate high risk transactions; and visiting the office of and documenting the services provided by third parties. If any red flags appear during due diligence, they must be investigated until you are reasonably satisfied you do not have an FCPA concern. Finally, due diligence must be documented.
The government has suggested that FCPA due diligence is not a one-size-fits-all undertaking. For example, degrees of diligence may reasonably vary from industry to industry and location to location. Similarly, the timing (e.g., before and during) may also vary.
Once you have satisfied your due diligence, you need to implement the next steps in mitigating potential FCPA exposure. Suggested courses of action include providing your third-party agents with a copy of your antibribery code of conduct. Require them to read it and execute an acknowledgment that they will abide by it. Include in this acknowledgment FCPA-specific representations and warranties attesting to past compliance and covenants promising future compliance. If possible, negotiate as part of your third-party contracts the right to inspect and audit the books and records of your agent. Be certain to include termination rights.
In the high stakes and high risk world of international business, it’s all about mitigating exposure. Proactively meeting the Guidelines’ mandates and adhering to the due diligence best practices discussed above are your best tools to avoid sleepless nights due to an FCPA nightmare.