This article is an extract from GTDT Market Intelligence Anti-Corruption 2022. Click here for the full guide.
1 What are the key developments related to anti-corruption regulation and investigations in the past year in your jurisdiction, and what lessons can compliance professionals learn from them?
Despite a slow-down in the pace of announced cases in the last couple of years, the United States remains the most active country in the world in punishing both corporations and individuals for foreign bribery, primarily through the US Foreign Corrupt Practices Act (FCPA) (which features anti-bribery and accounting/internal controls requirements) and laws against money laundering and certain types of fraud. As has been the case historically, US government investigations of companies continue to be resolved almost exclusively through negotiated dispositions, and many actions against individuals also are concluded prior to any trial through plea agreements or negotiated civil settlements. These results are driven by the substantial leverage that the US agencies enforcing the FCPA (the US Department of Justice (DOJ) and US Securities and Exchange Commission (SEC)) can bring against companies and individuals.
As with most other areas of corporate endeavour (and life generally), the covid-19 pandemic had a significant impact on FCPA-related enforcement by the US government. This impact was evident through 2020 and especially 2021, and through the first half of 2022 it is clear that the DOJ and SEC are still catching up to pre-pandemic levels of activity. That said, throughout the pandemic, the DOJ and SEC continued to message publicly that the agencies’ commitment to FCPA enforcement has not subsided. And in late 2021 and early 2022, as will be discussed below, the Biden administration has taken several steps to bolster US anti-corruption efforts by tying them directly to US national security concerns.
Updated statistics show the pandemic’s effect, especially in cases that required multilateral cooperation (as many cases these days do), since the coronavirus outbreak has had vastly different impacts in different countries. In 2020, the US enforcement agencies announced 25 enforcement actions (some of which were combined) – the lowest total since 2015. In 2021, the agencies announced only 11 actions. And through July 2022, only six actions have been publicly announced. It bears noting, as I have done in past editions, that the statistics on investigations are derived from incomplete information – information that is continually updated as public companies make relevant disclosure filings or journalists acquire updated statistics through freedom of information requests. The investigation statistics tracked by my firm and others are necessarily incomplete because neither the DOJ nor the SEC disclose official investigations statistics in real time and only some companies are likely to disclose such information through SEC filings or other means.
Despite the slowdown in volume, FCPA enforcement efforts during the pandemic have resulted in substantial penalties and disgorgement for FCPA-related violations against major corporations such as:
- Glencore ($440 million in May 2022, as part of a multilateral disposition worth over $1 billion and counting);
- Credit Suisse ($475 million in October 2021);
- Foster Wheeler ($177 million in June 2021); and
- Deutsche Bank ($123 million in January 2021).
On 28 October 2021, Deputy Attorney General Lisa Monaco signalled the DOJ’s renewed commitment to enforcement of the FCPA and related laws by issuing a memorandum on ‘initial revisions’ to the department’s corporate criminal enforcement policies. The Monaco Memorandum announced policy changes in three areas, all of which marked more assertive stances by the DOJ.
First, where before the DOJ was to consider past ‘similar conduct’ by companies when making charging and disposition decisions, DOJ ‘prosecutors are [now] directed to consider all [prior] misconduct by the corporation’ in making these determinations. Thus, FCPA prosecutors need to assess not only past FCPA or fraud cases, but also past criminal tax, environmental, money laundering, or other violations by a company. The memorandum states that prosecutors also should evaluate whether a company has been prosecuted in ‘another country or state’ or has a history of ‘running afoul of regulators.’ It is too early to tell based on subsequent public cases how these assessments of all prior misconduct are actually working, but the issue warrants close scrutiny, in part because the DOJ is also evaluating whether corporate ‘recidivists’ should be ineligible for ‘pre-trial diversion’ (such as deferred prosecution agreements (DPAs) or non-prosecution agreements (NPAs) – the most common form of corporate resolutions of FCPA cases).
Second, the memorandum reinstated an earlier requirement that, ‘to qualify for any cooperation credit, corporations must provide to the Department all relevant facts relating to [all of] the individuals responsible for the misconduct (emphasis added).’ This requirement had been somewhat relaxed by the previous administration, which had narrowed the focus to ‘all individuals substantially involved in’ potential wrongdoing (emphasis added). The reimposition of the broader coverage of ‘all responsible individuals’ likely will significantly increase the financial costs of cooperation for companies under investigation, opening up large amounts of non-privileged information to potential disclosure and attendant review and analysis.
Third, the memorandum revises or supersedes parts of the 2018 Benczkowski Memorandum, which had established a higher standard for the imposition of independent compliance monitorships than had been used in the past. In a speech tied to the release of the Monaco Memorandum, Deputy Attorney General Monaco stated that, ‘[t]o the extent that prior Justice Department guidance suggested that monitorships are disfavored or are the exception, I am rescinding that guidance.’ The new memorandum states that monitors should be used in cases of ‘demonstrated need’ and where there will be ‘a clear benefit’ for the company and enforcement interests. Such a need could exist where a company’s compliance programme or related controls are deficient or ‘are untested, ineffective, inadequately resourced, or not fully implemented at the time of a resolution’. The impact of this policy revision has been clear – whereas none of the corporate resolutions in 2020 or 2021 imposed a monitor, two corporate dispositions in 2022 (Stericycle and Glencore) required the retention of independent compliance monitors by the companies.
Earlier in October 2021, the DOJ announced the formation of a specialised Federal Bureau of Investigation (FBI) team that will work full-time within the DOJ’s Fraud Section, focusing on FCPA, fraud and related matters as part of a surge in staff and resources to assist in corporate enforcement efforts.
Overall, FCPA cases managed by the DOJ remain subject to the FCPA Corporate Enforcement Policy, which has been codified in the DOJ’s Justice Manual (section 9-47.120). The policy promises a ‘presumption’ of declination of enforcement for all companies that meet certain conditions – a presumption that may be overcome if there are aggravating circumstances that include involvement by executive management, significant profit earned from the misconduct, pervasiveness of misconduct within the company, and criminal recidivism. The policy sets forth three conditions that companies must satisfy to be eligible for declination:
- voluntary self-disclosure;
- full cooperation with any government investigation; and
- timely and appropriate remediation of issues.
The policy contains detailed criteria for evaluating each of these three conditions. For the self-disclosure to be truly voluntary, it must be made ‘within a reasonably prompt time after becoming aware of the offense’, and ‘prior to an imminent threat of disclosure or government investigation’. Similarly, full cooperation (as defined in part by the Monaco Memorandum, as noted above) requires timely disclosure of all facts relevant to the wrongdoing – including all facts gathered during any independent corporate investigation – as well as timely preservation of all relevant documents and data. True remediation requires the implementation of an effective compliance and ethics programme throughout the company and appropriate discipline of employees.
Qualifying for a declination under the policy does not necessarily allow a company to walk away from an FCPA investigation without consequences. First, the policy makes clear that a company will be required to pay ‘all disgorgement, forfeiture, and/or restitution resulting from the misconduct at issue’, which could result in significant financial consequences even if no criminal fines are imposed. The most recent example of this dynamic occurred in March 2022, when the DOJ publicly announced that it had declined to prosecute UK-based insurer Jardine Lloyd Thompson Group Holding Ltd (JLT), but that JLT had agreed to disgorge approximately $29 million as part of the disposition. Declinations decided pursuant to the policy are made public, which means that a company may still face public scrutiny into its conduct – though most public companies announce FCPA investigations when they disclose potential issues to the US agencies. Finally, a DOJ declination does not apply to any SEC case, if that agency has jurisdiction. For example, in June 2022, Tenaris SA settled an SEC FCPA action by paying fines and disgorgement worth over US$78 million, even though (according to the company’s related press release) the DOJ had declined to prosecute the company for similar conduct.
In July 2020, the DOJ and SEC released a Second Edition of the Resource Guide to the US Foreign Corrupt Practices Act (FCPA), which summarises the key aspects of the FCPA, sets out the agencies’ positions related to interpretation of statutory provisions and relevant legal principles, and discusses the agencies’ enforcement policies and priorities, including as to the requirements and benefits of an effective FCPA compliance programme and related controls. The guide is ‘non-binding, informal, and summary in nature’ and its text ‘does not constitute rules or regulations’; however, the US agencies have stated that they plan to act consistent with the positions articulated in the guide in specific matters. The Guide’s second edition is an update that accounts for almost eight years of developments – including some international developments – since the original’s issuance in 2012.
The updated guide integrates and summarises DOJ policies introduced since the first edition, including the FCPA Corporate Enforcement Policy; the policy on Coordination of Corporate Resolution Penalties (also known as the policy against ‘piling on’ of penalties); guidelines on the Selection of Monitors in Criminal Division Matters; and the guidance on Evaluation of Corporate Compliance Programs. Some of these policies receive their own new summary sections, while others have driven changes seeded throughout the guide’s text. The FCPA Resource Guide also summarises long-standing SEC policies, noting, for example, that the DOJ’s Corporate Enforcement Policy ‘does not bind or apply to the SEC’. All in all, the updated FCPA Resource Guide remains a useful source of information on the DOJ’s and SEC’s views regarding the interpretation and enforcement of the FCPA. Users of the guide should continue to be aware, however, of the guide’s status as a non-binding summary and its US-centric views. Because of that focus, the guide in some places omits or does not fully discuss key aspects of FCPA-related investigations and compliance issues that companies face in their day-to-day operations, especially as they pertain to interactions with the laws of other countries.
Other than co-authoring the FCPA Resource Guide (which restated existing agency policies), the SEC has not undertaken significant formal changes in policy or processes regarding FCPA investigations in the past few years. That said, the SEC is publicly emphasising themes similar to those articulated by the DOJ in the agency’s discussions of corporate enforcement priorities. For example, in a speech in early October 2021, SEC Enforcement Division director Gurbir Grewal emphasised that the SEC will be looking closely at companies’ cooperation with investigations, evaluating ‘whether the would-be cooperator took significant, tangible steps that enhanced the quality of our investigation, allowed us to conserve resources and bring charges more quickly, or helped us to identify additional conduct or other violators that contributed to the wrongdoing’. In that speech, Director Grewal also noted that as ‘we evaluate the relevant penalty factors, we will also be closely assessing whether prior penalties have been sufficient to generally deter the misconduct at issue. Where they have not been, you can expect to see us seek larger penalties, both in settlement negotiations and, if necessary, in litigation.’
One development that bears watching is the potential fallout from the US Fifth Circuit Court of Appeals’ May 2022 decision in the case of Jarkesy v SEC, which involved the SEC’s administrative proceedings against Jarkesy for securities fraud. The appeals court’s findings will likely create significant challenges for the SEC’s long-standing use of in-house administrative dispositions – potentially including FCPA matters.
With regard to anti-corruption laws applicable to US federal and state officials, while the 2016 US Supreme Court decision that overturned the corruption-related conviction of former Virginia governor Robert McDonnell has had significant effects on some high-profile cases, DOJ enforcement personnel have continued to prosecute and convict corrupt officials and payors of bribes in various contexts. The McDonnell case has made it more difficult for prosecutors to build and win cases that do not have evidence of an explicit agreement by the official to use his or her position in return for benefits. Further, in May 2020, in the case of Kelly v United States, the US Supreme Court overturned the convictions of two former aides to the former Governor of New Jersey related to the Bridgegate scandal. The former officials had been charged and convicted under federal wire fraud and programme fraud statutes. The unanimous opinion, which is a rarity, stated, in part, that ‘not every corrupt act by a state or local official is a federal crime.’ This decision further narrowed the options that federal prosecutors have to attempt to redress public corruption.
Despite the challenges raised by these Supreme Court precedents, prosecutors have continued to have successes in cases of public corruption by US officials, including in dozens of local or regional cases. In one higher profile case, for example, in March 2020, former US Representative Duncan Hunter of California pled guilty to a charge of misuse of campaign funds to resolve more than 60 counts (including corruption-related allegations) against him and his wife and was sentenced to 11 months in prison (though he was pardoned in December 2020 by President Trump). Data compiled by the US Sentencing Commission reported that, for FY 2021, there were 156 cases reported to the commission that involved sentencing for bribery-related offenses.
As to lessons from these and other developments in the enforcement landscape, it bears repeating, first, that the United States remains committed to investigating and punishing public corruption overseas. Investigations and enforcement resolutions continue to cover various industries, including, for example, life sciences, industrial engineering/construction, financial institutions, information technology, manufacturing, telecommunications, retail, software, mining, commodities trading and oilfield services. And it is not just US companies that are targeted – non-US companies (often listed on US exchanges) have been the subjects of some of the largest FCPA-related settlements. Recent examples include Tenaris SA (Luxembourg), Glencore (Switzerland), KT Corporation (South Korea), Credit Suisse (Switzerland), WPP (UK/US), Foster Wheeler/John Wood Group (UK) and J&F Investimentos (Brazil).
The US agencies target corrupt activities around the world, though data continue to show that business activities in China are the ones most frequently involved in public resolutions – the 59 resolutions involving China during the period 2009–2021 constitute almost 25 per cent of the combined corporate FCPA actions during that period; recent China-related cases involve dispositions with WPP (September 2021), Novartis (June 2020), Cardinal Health (February 2020), and Airbus (January 2020). China likely will remain a key focus of FCPA enforcement given the size of its market and the prevalence of state-owned or controlled entities in most economic sectors. The countries other than China most frequently involved in FCPA enforcement actions during the 2009–2021 time period are Brazil (largely due to the massive and ongoing Car Wash investigation there), Mexico, Nigeria, Indonesia, Russia, India, Saudi Arabia, Angola and Iraq. Several recent FCPA cases also have reinforced the corruption risks generally present in Central Asia, the Middle East and Southeast Asia.
On the US domestic side, federal prosecutors continue to look for high profile cases at all levels of government – for example, in July 2020, prosecutors arrested and charged the Ohio House Speaker, Larry Householder, and four others with crimes connected to an alleged $60 million in bribes paid to secure a state bailout totaling as much as $1 billion for two nuclear energy power plants. The federal US Attorney said in a public statement on the case: ‘This was bribery, plain and simple. This was a quid pro quo. This was pay to play.’ Since that time, one of the companies involved, Commonwealth Edison (ComEd), agreed in July 2020 to a deferred prosecution agreement (DPA) with federal prosecutors in Ohio in which ComEd agreed to pay a $200 million criminal penalty to address various charges – including a charge related to criminal misconduct under the FCPA’s accounting provisions. In July 2021, the other company, FirstEnergy Corp, agreed to a DPA and paid a criminal penalty of $230 million to address a charge of ‘conspiracy to commit honest services wire fraud’ related to its payments to entities connected with Householder. Several former ComEd executives, including the former CEO, have been indicted, and in October 2020 a former aide to Householder and a lobbyist pled guilty to charges related to their roles in the scheme.
Householder has pleaded not guilty and is scheduled to go on trial in January 2023.
Another recent notable case broke in August 2022, when the former governor of Puerto Rico was arrested and charged with seven counts of corruption related to alleged political influence by a bank. More typical cases include a guilty plea in December 2021 by a former director of public works for the City of San Francisco who confessed to receiving bribes and kickbacks from companies hoping for contracts, preferential treatment, and confidential information regarding city business. The former official likely faces at least nine years in prison. The plea agreement is part of an ongoing DOJ probe of corruption in San Francisco that has resulted over time in federal charges for 12 persons, including other former officials, and three companies.
In June 2022, the US Supreme Court agreed to hear an appeal from a former aide to former Governor of New York Andrew Cuomo. The aide, Joseph Percoco, was convicted in 2018 on bribery and conspiracy charges related to his acceptance of payments from a former energy executive and real estate developers seeking preferential treatment for their businesses. Percoco is challenging prosecutors’ use of the ‘honest services’ statute to convict him, arguing that the statute’s rules should not have applied to him since he was a private citizen at the time (he had been a state official previously), even if he retained substantial influence with the former governor. The Supreme Court will rule on the case sometime in the next year – likely in the spring of 2023 – and the outcome could create further hurdles for prosecutions of domestic bribery in the United States.
2 What are the key areas of anti-corruption compliance risk on which companies operating in your jurisdiction should focus?
The economic environment created by the covid-19 pandemic and its partial aftermath (including a potential recession in the near future) almost certainly has increased FCPA-related compliance risks (and, in the long term at least, related investigation and enforcement risks). Many critical compliance activities – including internal investigations, compliance risk assessments, third-party due diligence and monitoring, and operating company audits – have been curtailed by restrictions on travel and by limitations in company ERP and other controls systems. At the same time, companies’ risk profiles have been changing rapidly, due to plant closures, supply chain disruptions (and in many cases increasing reliance on third parties), restrictions on the movement of gatekeeper personnel and management compliance champions, pressures on financial targets, and more – many of which create additional opportunities for corruption and fraud. There is and will continue to be significant pressure on transactions deemed critical to company success or survival, with attendant calls by management to get them done quickly and without the time or expense associated with normal compliance-related due diligence and other safeguards.The looming financial clouds in the second half of 2022 may well exacerbate the issues.
Managing these compliance-related challenges in the face of time pressures and reduced resources will continue to require active planning and creativity. Staying on top of changing company risk profiles is critical to adapting and targeting diminished compliance resources to their best use. Among other actions, company compliance personnel should consider such activities as updated management messaging on company values and ethics programmes, increased virtual training, and accelerating planned monitoring activities through virtual methods when possible. And compliance personnel can take valuable data from this time period to learn longer-term lessons regarding where companies should invest in, for example, upgrades to ERP systems or tools for remotely directed investigation activities to be better prepared for the next crisis. As pandemic restrictions continue to ease, compliance personnel should focus their attention on the higher risk locations that become accessible as in-person training, meetings and compliance monitoring activities increase.
Companies subject to the FCPA need to be aware of the potential worldwide reach of the law over corporate activities. The agencies responsible for enforcing the FCPA push the limits of the jurisdictional provisions, and in resolutions with corporations have used the peripheral involvement of US banks or dollar-based transactions, or emails routed through US-based servers, to reach transactions that otherwise have no US contacts. A still-relevant example of this was the July 2015 resolution with Louis Berger International. There is a court case currently on appeal in the US Fifth Circuit Court of Appeals related to an individual defendant – Daisy Rafoi-Bleuler – that could result in some limits being placed on the DOJ’s use of its jurisdictional reach, but that is not yet a guarantee.
Another area of focus should be identifying and analysing the US agencies’ assertive positions regarding the scope and meaning of key, but sometimes vaguely defined, legal concepts in the FCPA, which can be seen in the updated FCPA Resource Guide, public resolutions or legal briefs filed in court cases. One example that has played out publicly over the past several years involves the definition of a government ‘instrumentality’ – essentially, whether employees of state-owned enterprises or other entities qualify as ‘foreign officials’ subject to the strictures of the FCPA. A number of challenges to the DOJ’s expansive and multipronged approach to this issue have ultimately been turned back by the US courts. Some recent settlements highlight the breadth of who qualifies as a foreign official under the FCPA. The September 2021 WPP matter involved, in part, payments to a mayoral campaign in Peru. The April 2022 Stericycle case and the June 2020 Novartis case both cited benefits to doctors and health workers employed by public hospitals in several countries (including Mexico, Greece and China) as payments to officials. The January 2021 Deutsche Bank disposition involved payments to employees of at least one sovereign wealth fund. In the November 2017 SBM case, an employee of an Italian oil and gas company that served as the operator of a project for a state-owned Kazakh gas company was deemed to be an official because he was ‘acting in an official capacity’ for the state instrumentality. Compliance professionals need to account for these broad definitions when addressing specific compliance risks.
Perhaps the most challenging set of FCPA compliance risks involves the actions of third parties with which a company has a relationship – sales representatives, joint venture partners, consultants, distributors, agents, vendors and the like. Data we have analysed show that roughly 75 per cent of FCPA cases in the past 10 years involve actions by third parties. Recent cases that have involved corporate liability for actions by third parties include resolutions with Glencore (involving regional and local intermediary companies that generated ‘sham’ agreements, inflated invoices, and fake commissions to conceal payments to officials), Stericycle (which involved numerous vendors that generated fake invoices), Credit Suisse (involving payments to agents of government officials), Foster Wheeler (involving payments via an intermediary – Unaoil), Deutsche Bank (involving specific third parties the bank called Business Development Consultants), Goldman Sachs (involving payments to financier Low Taek Jho) and Vitol (involving some payments through a Brazilian doleiro – a professional money launderer and black-market money exchanger).
This trend is driven by the FCPA’s provision stating that payment to a third party with ‘knowledge’ that the payment will be passed on to an official is a violation of the statute. The FCPA incorporates an expansive definition of ‘knowledge’ that goes beyond actual knowledge to also cover ‘conscious disregard’ of information showing corruption risks. The best illustration of this provision and its application is the 2009–2012 case against Frederick Bourke (US v Kozeny), in which a jury convicted Mr Bourke for conspiracy to violate the FCPA using the conscious-disregard standard (the July 2020 edition of the FCPA Resource Guide continues to use this case as the best example). Appropriate, risk-based compliance policies, procedures and internal accounting controls related to due diligence on, contracting with, and monitoring and auditing of third parties are critical to managing this key area of risk. It is noteworthy that, in several of the cases noted in the previous paragraph, such policies and processes were in place but were deliberately circumvented by company personnel, including in some cases senior executives.
Inadequate internal accounting controls and violations by public company employees of the books and records provisions are another key area of FCPA risk. The relevant statutory requirements apply to all areas of corporate conduct (and there have been hundreds of non-bribery cases involving these requirements). In the FCPA area, the SEC uses the broad reach of these rules – issuers are responsible for worldwide compliance with these requirements by almost all subsidiaries, including even minority-owned affiliates over which the issuer exercises control – to penalise corrupt activities that may fall outside the DOJ’s criminal jurisdiction or that do not meet all of the elements of an anti-bribery violation. A recent example is the April 2020 Eni matter, in which Eni paid almost US$25 million to resolve SEC allegations that Eni did not in ‘good faith’ implement effective internal accounting controls at its minority-owned subsidiary, which nonetheless the company controlled. Compliance professionals should work closely with their finance and accounting function counterparts to ensure that relevant internal accounting controls are consistent with the company’s compliance processes and that business transactions are accurately recorded in the company’s records.
Finally, several recent developments make the management of whistle-blowers an increasingly important priority. In December 2020, amendments to the rules governing the SEC’s whistle-blower programme went into effect. The rule amendments contain significant reforms that are likely to result in increased employee whistle-blowing. For example, the SEC expanded the definition of enforcement ‘action’ by the agency to include DPAs and NPAs entered into with the DOJ and settlement agreements entered into with the SEC. These are the most common forms of FCPA-related dispositions, and in February 2021, the SEC issued its first award based on an NPA or DPA with DOJ. The SEC also has changed the way that awards are calculated – whistle-blowers can now automatically receive the statutory maximum for awards at certain levels (absent the existence of negative factors or an ‘unreasonable delay in reporting’), which provides greater certainty regarding the size of eventual awards and may well result in higher awards generally. Finally, the rules make clear that, to be eligible for anti-retaliation protections, whistle-blowers must first report information to the SEC rather than through internal company reporting tools. Given that a reported 81 per cent of employee whistle-blowers in 2020 raised concerns internally before going to the SEC, this rule change may drive an increase in reports to the SEC before companies receive the same information internally.
Publicity regarding sizeable whistle-blower awards also likely will encourage whistle-blowers to go to the SEC with compliance concerns. According to its own public reporting, the SEC awarded a record-breaking amount of money to a record number of people (approximately $564 million to 108 individuals) in FY 2021 (these account for awards for all eligible securities law violations, not just the FCPA). The same report notes that the SEC received 258 FCPA-related tips from whistle-blowers in FY 2021. Individual awards are also receiving more prominent mentions in the media. For example, in May 2021, the SEC announced a $28 million dollar award to a whistle-blower who provided information that led to 2018 FCPA enforcement actions against Panasonic Avionics Corporation. The award is one of the 10 largest ever handed out under the SEC’s Dodd-Frank whistle-blower programme. Notably, the SEC granted the award despite the fact that ‘there [was] not a strong nexus’ between the whistle-blower’s tip and the conduct at issue in the eventual enforcement actions.
US domestic bribery laws and enforcement actions typically focus on the specific and complex rules that govern federal executive branch employees; often these cases are combined with allegations of violations of detailed government contracting requirements. As noted, there are also prosecutions on the Congressional side, though the rules governing lobbying, gifts or entertainment, and public disclosure requirements are sometimes drastically different from those for executive branch personnel. Finally, investigations of state officials can implicate the varying state-level laws and policies, which can differ from their federal counterparts and from the same laws in other states. Close coordination with a company’s US lobbying and government relations functions and advice from experienced counsel on these rules are required to manage risks.
3 Do you expect the enforcement policies or priorities of anti-corruption authorities in your jurisdiction to change in the near future? If so, how do you think that might affect compliance efforts by companies or impact their business?
I do not expect a fundamental change in the US agencies’ assertive enforcement practices or priorities to occur. The pace of announced FCPA-related resolutions by the DOJ and SEC has varied over time, and during some periods can seem to drop off. However, that pace is driven by a number of factors, many of which are case-specific. Thus, it would be a mistake to assume that any apparent slowdowns of announced cases (such as during the pandemic-affected years of 2020 and 2021) signal a slowdown in investigations or a significant redirection of FCPA enforcement resources. One indicator of the ongoing commitment is the size of recent awards. Admittedly, the cases involving such awards are years in the making, but recent cases in the past couple of years – including Glencore, Goldman Sachs, Ericsson, Mobil TeleSystems and Airbus featured some of the largest combined penalties in the history of FCPA-related enforcement.
Perhaps the clearest indicator of the Biden administration’s commitment to the fight against corruption is the 3 June 2021 National Security Study Memorandum (NSSM) issued by President Biden – the first of his presidency. Citing corruption’s substantial adverse financial effects and other negative consequences (including ‘contribut[ing] to national fragility, extremism, and migration’ and ‘provid[ing] authoritarian leaders a means to undermine democracies worldwide’), the NSSM concluded that countering corruption is a ‘core United States national security interest’. The NSSM therefore directed various departments and agencies of the US federal government to conduct an interagency assessment and send a report to President Biden with recommendations and strategies for upgrading the US fight against corruption.
On 6 December 2021, the administration issued the resulting report – the United States Strategy on Countering Corruption (SCC). The strategy establishes ‘five mutually reinforcing pillars’ of actions to be taken by the US government:
- ‘Modernizing, coordinating, and resourcing US government efforts to fight corruption’;
- ‘Curbing illicit finance’ by ‘addressing vulnerabilities in the US and international financial systems’;
- ‘Holding corrupt actors accountable… through a combination of diplomatic engagement, foreign assistance, and enforcement actions’ and ‘bolstering international best practices, regulations and enforcement efforts’;
- ‘Preserving and strengthening the multilateral anti-corruption architecture’ and the actions of non-governmental actors; and
- ‘Improving diplomatic engagement and leveraging foreign assistance resources to advance policy goals’.
Of perhaps most interest to corporate compliance professionals is the SCC’s statement that the US government will ‘vigorously pursue the enforcement of foreign bribery cases through the FCPA, money-laundering charges, and forfeitures for promoting corrupt schemes and laundering corruption proceeds as appropriate’. More generally, like the NSSM, the SCC defines corruption broadly and focuses much of its discussion on the ‘demand’ side of the equation – on methods to prevent public officials from receiving or hiding their corrupt gains and to hold such persons and their enablers (especially financial institutions) accountable. Thus, many of the SCC’s most concrete action plans focus on enhanced tools to fight the demand for corrupt payments, including working with Congress ‘to criminalize [directly] the demand side of bribery by foreign public officials’. A bill to accomplish this goal, titled the Foreign Extortion Prevention Act (FEPA), was introduced in the US House of Representatives in July 2021 and in the Senate in early November 2021. While the bill had bipartisan support, it has so far failed to clear various legislative hurdles. The SCC also notes that the administration will support similar laws in other countries, ‘including in the countries where the bribery occurs’.
The SCC also discusses many other efforts to combat corruption and kleptocracy, such as enhanced corporate transparency rules (building on new legal requirements created by the January 2021 Corporate Transparency Act), strengthened anti-money laundering laws, expansions to US sanctions and visa regulations (some of which – such as sanctions related to the US Magnitsky Act – already focus on corruption), and the expanded use other laws and resources, including the increased availability of intelligence and other national security methods and means. For example, in a December 2021 speech, a US Treasury official stated that Treasury ‘has designated 216 targets with our anti-corruption sanctions authority to date’ and ‘plan[s] to use new resources like beneficial ownership data to…enhance the targeting and efficacy of our sanctions actions’. The Russian invasion of Ukraine has significantly increased the scope of such economic and other sanctions related to corrupt actors tied to Russia in 2022.
In a related development, in April 2022, the DOJ sent to Congress a package of legislative proposals to bolster the DOJ’s efforts to combat kleptocracy and public corruption, including expanded forfeiture authority, adding to the Racketeer Influenced and Corrupt Organizations Act’s definitions of racketeering, and extending statutes of limitations to prosecute kleptocrats and to seek forfeiture of their assets. The DOJ recently has also initiated several forfeiture and related actions to seize assets deemed to be the result of public corruption, including multi-million-dollar mansions in Los Angeles and the Washington, DC areas, as well as a superyacht owned by a Russian oligarch.
In the short term, the SCC and related efforts will not have a direct effect on FCPA enforcement. Any increase in announced cases for the rest of 2022 and into 2023 likely will be the legacy of the reduction of covid-19 pandemic effects on existing investigations and enhanced agency staffing. However, the SCC’s action plans could have significant long-term ramifications for FCPA enforcement, even if many of them are indirect, such as the criminalisation of the demand side of bribery or the expansion of corruption-related sanctions.
In the meantime, I expect that the DOJ will continue to look for cases that highlight the current administration’s enforcement priorities – for example, as indicated by the Monaco Memorandum. As noted, we have already seen an increase in the use of compliance monitors, and I expect future cases will likely highlight both the benefits of cooperation and the perils to companies that fall short of the DOJ’s standards in that respect. The DOJ also will likely issue further policy guidance on other aspects of FCPA corporate enforcement during 2022.
On the SEC side, the agency likely will continue to focus on using the FCPA’s accounting requirements to address corrupt activities by companies and individuals for which criminal charges may be more difficult to bring. Indeed, the past careers of the SEC’s Chair and Director of Enforcement suggest that the SEC may well stake out more aggressive legal positions and to demand tougher sanctions from companies and individuals in the future.
4 Have you seen evidence of increasing cooperation by the enforcement authorities in your jurisdiction with authorities in other countries? If so, how has that affected the implementation or outcomes of their investigations?
The US agencies continue actively to pursue cooperation with other enforcement authorities in the past several years. Multinational investigations were a priority under the previous administration and the Biden administration is continuing to look for additional opportunities for enforcement collaboration. Indeed, during a February 2021 webinar sponsored by the International Bar Association, the primary DOJ and SEC enforcement officials predicted more multi-jurisdictional investigations and coordinated resolutions – with the SEC official noting that future resolutions may involve jurisdictions with which US authorities have not coordinated in the past.
International cooperation is managed through bilateral mutual legal assistance treaties and through the assistance provisions of multilateral treaties such as the OECD Anti-Bribery Convention. Often, though with lessening frequency as other countries have stepped up enforcement efforts, the US authorities take the lead.
In May 2018, the DOJ announced a new policy directing its attorneys to coordinate with other enforcement authorities, both in the United States and abroad, with the aim of avoiding duplicative penalties for the same corporate misconduct. The policy recognises the rule-of-law and fairness implications of subjecting a company to uncoordinated enforcement actions by multiple authorities – sometimes referred to as ‘piling on’ – and seeks to provide greater predictability and certainty to companies considering a resolution with multiple agencies. The relevant factors largely codified existing DOJ practices and considerations, explicitly mandating coordination with US federal and state agencies and enforcement authorities in other countries and directing DOJ prosecutors to ‘consider all relevant factors’ in selecting enforcement methods and apportioning penalties for the same conduct among multiple authorities. The DOJ ‘piling on’ policy offers a greater level of certainty to companies facing multiple investigations, particularly those involving authorities outside the United States. However, the policy also adds to existing pressures on companies to disclose issues to and cooperate simultaneously with the DOJ and foreign agencies, with the consequent imposition of significant extra costs, risks and related demands.
Global settlements have become a standard component of the DOJ’s and SEC’s approach to FCPA and related anti-corruption enforcement. The US authorities have at various times credited the May 2018 coordination policy with increasing cooperation between the United States and other countries in terms of evidence gathering and sharing. Representatives of both US agencies in July 2019 cited enhanced working relationships with authorities in Brazil, the UK, France, Sweden, and other Latin American countries. The DOJ official stated that a ‘big component of that is our commitment to crediting penalties to overseas counterparts’.
The December 2016 global settlement by the Brazilian conglomerate Odebrecht and its petrochemical subsidiary Braskem that resulted in the companies agreeing to pay more than $3.5 billion in combined penalties to Brazilian, US and Swiss authorities signalled the extent to which global investigations and settlements are becoming the norm for the DOJ and SEC. DOJ officials continue to cite the case in 2022 as a ‘gold standard’ for multinational anti-corruption cooperation. Apart from its record-breaking size at the time (which was tied to the fact that the improper payments paid by the companies totalled more than $1 billion), the case is notable in that the Brazilian prosecutors took the lead – unsurprising, as the case is linked to the larger Car Wash investigation that gripped Brazil from 2014 to 2021. The allocation of the combined penalties among the enforcement agencies reflects this – between 70 and 80 per cent of the penalties went to Brazil, and in the aftermath of an April 2017 court decision, the US agencies received the smallest portion of the actual criminal penalties.
Other notable recent examples of cases involving multinational cooperation by the US agencies (many of which featured substantial penalties paid to non-US agencies) include:
- the May 2022 dispositions with Glencore, which involved US, UK and Brazilian agencies, and likely will also include Swiss and Dutch authorities (and perhaps others) in the future;
- the April 2022 settlements with Stericycle involving US and Brazilian authorities;
- the October 2021 disposition with Credit Suisse involving US, UK and Swiss authorities;
- the June 2021 disposition with Foster Wheeler involving US, UK and Brazilian authorities;
- the October 2020 settlements and leniency agreements with J&F Investimentos involving US and Brazilian enforcement agencies; and
- the January 2020 disposition with Airbus involving US, French and UK agencies.
In the Glencore case, the US authorities received a substantial portion of the total penalties, though the Brazilian authorities claimed almost $40 million. The DOJ authorised a credit of more than $136 million for any future penalties paid to the UK (which penalties will likely be set in November 2022), as well as almost $30 million for possible future payments by the company to the Swiss authorities. In the Foster Wheeler matter, the UK obtained the lion’s share of the combined penalties (approximately $143 million of the $177 million total), and the UK SFO cited a broader set of allegations than the US public case documents covered. The J&F Investimentos settlements with the DOJ and SEC noted that the agencies modified the US penalty and disgorgement levels downward in light of a separate leniency agreement between the company and Brazilian authorities under which J&F agreed to pay a fine of approximately $1.4 billion and to support social projects in Brazil through payments of $414 million. The Airbus case surpassed the Odebrecht disposition to become the largest internationally coordinated resolution to date, with almost $4 billion in combined global penalties. The complex payment arrangements saw France taking the largest share (about $2.3 billion), with the agencies in other countries agreeing to credit or offset penalties paid to other jurisdictions. The massive investigation covered activities in 16 countries and took almost five years to resolve. The extensive international cooperation efforts were made possible in part by an agreement in 2016 between the UK and French agencies that allowed them to overcome significant legal and practical hurdles created by the French ‘blocking statute’s’ significant restrictions on mutual legal assistance.
Coordination among various agencies in different countries can be challenging, especially with enforcement entities that are less experienced in investigation techniques or that operate under different legal systems. In addition, legal and regulatory developments in several countries that are involved in anti-corruption cooperation efforts with the US authorities likely will create additional challenges for multinational enforcement and for companies’ internal investigations, which often are a critical factor in advancing resolutions to conclusion. For example, the EU’s General Data Privacy Regulation (GDPR) has in some cases created additional time-consuming hurdles to accessing witnesses and documents in key jurisdictions outside the United States. The GDPR joins other existing national data privacy and national security-based restrictions on access to information in various countries that have been involved in past FCPA-related enforcement actions, such as Russia and China. In addition, recent cases in, for example, Switzerland and the UK have created a wider gulf between the treatment of the attorney-client privilege in the United States and Europe, which may well affect the coordination of internal investigations by companies.
Cooperation also allows US and other authorities to share evidence that might not be within reach of one or the other agency, which can expose companies to liability based on conduct that might not otherwise have been discovered. Coordination among various agencies also can create significant delays in the process of resolving investigations – delays to which the US authorities can contribute. Indeed, a July 2021 DOJ report noted that the DOJ office handling international requests for legal assistance is ‘challenged by [the office’s] high pending caseload, difficulty hiring and retaining staff, and an antiquated case management system’. Companies therefore need to base important compliance decisions, such as whether or not to disclose a potential FCPA violation, in part on the possibility of cooperation among possibly several interested investigating jurisdictions.
5 Have you seen any recent changes in how the enforcement authorities handle the potential culpability of individuals versus the treatment of corporate entities? How has this affected your advice to compliance professionals managing corruption risks?
The DOJ and SEC continue to target individuals, with a focus on identifying the highest-level company personnel who can be deemed responsible for improper payments or related wrongdoing. Various DOJ officials, including Attorney General Merrick Garland, have emphasised that they are refocusing on the prosecution of individual wrongdoers as a top priority. The DOJ’s emphasis on individual prosecutions has been reinforced by elements of the FCPA Corporate Enforcement Policy and statements from senior agency officials. For example, the October 2021 Monaco Memorandum, discussed above, asserts that ‘[o]ne of the most effective ways to combat corporate misconduct is to hold accountable the individuals who perpetrated the wrongdoing.’ And the DOJ’s general policy on corporate accountability emphasises that a corporate resolution cannot shield individuals from criminal liability, absent extraordinary circumstances.
The SEC has continued to emphasise a focus against culpable individuals, though in the FCPA area the agency has lagged behind the DOJ in cases resolved over past several years.
The number of publicly announced resolutions against individuals by both US enforcement agencies in 2021 and the first half of 2022 was substantially below pre-2019 levels. The effects of the covid-19 pandemic probably weighed heavier in actions against individuals than on corporate actions, since most cases involving individuals require extensive court-based activities, which were substantially curtailed for much of 2020 and 2021. During that time, the DOJ continued to complete some long-running matters through remote activities. Indeed, in the second and third quarters of 2021, some of those activities resulted in a slight increase in announced guilty pleas by individuals, as well as a slew of sentencings for individuals that in many cases had been postponed in light of the pandemic.
The DOJ has had mixed success recently in high-profile FCPA-related prosecutions of individuals. In April 2022, a federal jury in New York convicted Roger Ng, a former managing director for Goldman Sachs, on three counts of conspiracy related to the multi-billion-dollar attempts by Ng and others to steal and launder money from 1Malaysia Development Berhad (1MDB), Malaysia’s state-owned investment development agency. The trial generated considerable media attention due to the scheme’s ties to fugitive Malaysian financier Low Taek Jho and the use of some of the laundered funds for production of a Hollywood film, among other issues. In 2018, another former Goldman Sachs executive, Tim Leissner, pleaded guilty to two conspiracy counts related to his role in the 1MDB scheme, and Leissner served as a key cooperating witness for the DOJ in Ng’s trial. Ng’s former employer Goldman Sachs pleaded guilty to conspiracy to violate the FCPA and paid over $2.9 billion in penalties in October 2020 for the company’s role in the scheme.
In October 2021, Jose Carlos Grubisich, the former CEO of Brazilian petrochemical company Braskem SA (Braskem), was sentenced in US federal court in New York to 20 months in prison and ordered to pay $1 million in fines and to forfeit $2.2 million. Grubisich pleaded guilty in April 2021 to conspiracy to violate the anti-bribery and books and records provisions of the FCPA.
The DOJ faced setbacks in other cases against individuals, including most notably in the long-running prosecutions of two businessmen, Joseph Baptiste and Roger Richard Boncy, for conspiracy to bribe public officials in connection with a port development project in Haiti. Though the two defendants were convicted in 2019, a US federal court threw out those convictions in 2020 due to ineffective legal assistance and ordered a new trial (a finding that was confirmed on appeal in 2021). While preparing for the new trial, the US FBI turned over previously undisclosed documents containing exculpatory evidence to the DOJ. The DOJ immediately shared the evidence with the defendants and moved to dismiss the charges, thus ending the years-long prosecution in June 2022.
It is often as a result of trials involving individuals that the US federal courts decide precedent-setting cases in the FCPA space (as FCPA cases against companies almost never result in such court judgments). One notable set of holdings occurred in multiple court proceedings in US v Hoskins. In August 2018, a federal appeals court held that the DOJ cannot use theories of complicity or conspiracy to charge a foreign national with violating the FCPA where the foreign national is not otherwise within the FCPA’s jurisdiction. Therefore, only foreign nationals who are within the categories of persons covered by the FCPA’s provisions – United States issuers and their agents; American ‘domestic concerns’ (including individual persons) and their agents; and foreign persons or businesses that take actions within the United States – can be prosecuted for conspiracy to violate the FCPA or aiding and abetting a violation of the FCPA.
The DOJ asserted that this result is not necessarily binding outside of the relevant circuit (a statement codified in July 2020 in the new edition of the FCPA Resource Guide), and indeed in June 2019 a federal trial court in a different circuit declined to apply the Hoskins holding in another case. In the autumn of 2019, the DOJ tried Hoskins on the theory (allowed by the appeals court) that he was an agent of a US company. In November 2019, a jury convicted Hoskins of almost all of the FCPA and money-laundering counts against him; however, in February 2020, the trial judge effectively threw out the jury verdict as to the FCPA-related charges, ruling that the court saw ‘no evidence upon which a rational jury could conclude that Mr Hoskins agreed to or understood that’ the company for whose benefit he was working ‘would control his actions on the [p]roject, as would be required to create an agency relationship’. The judge upheld the money-laundering charges and sentenced Hoskins to 15 months of prison based on the verdict on those charges, despite his winning two separate legal arguments against the DOJ. The DOJ appealed the trial judge’s FCPA holding to attempt to blunt its precedential impact on other cases. Arguments to the appeals courts occurred in August 2021, and a decision is expected in late 2022 or early 2023.
A recent SEC FCPA-related individual action was the agency’s June 2021 settlement with former Goldman Sachs executive Asante K Berko, who was responsible for developing investment banking business for Goldman Sachs and its UK subsidiary, for his role in an alleged scheme to bribe Ghanaian government officials in order to help a client to win a contract to build and operate an electrical power plant in Ghana. Berko agreed to pay $275,000 in disgorgement and approximately $54,000 in prejudgment interest. The SEC notably did not charge Goldman Sachs itself with any misconduct related to the facts at issue (which were different from the facts and circumstances that resulted in Goldman Sachs’ October 2020 FCPA-related dispositions), and the SEC’s complaint detailed how Berko had circumvented his employer’s compliance protocols and internal controls, including using personal email, lying to company legal and compliance personnel, and falsifying documents. This case is a rare example of the US agencies recognising a ‘rogue employee’ in light of facts demonstrating the effectiveness of a company’s strong compliance programme and other steps taken by the company, including showing willingness to walk away from a substantial transaction when faced with high corruption risks.
Finally, in important cases linking the FCPA and US domestic public corruption areas, in August 2019 a federal appeals court rejected claims by two different defendants that the requirements set out by the US Supreme Court’s McDonnell holding apply to FCPA cases. These decisions complement other appellate court cases in which those courts have declined to extend McDonnell to other federal anti-corruption and fraud statutes beyond the specific legal provision at issue in McDonnell’s case. Otherwise, as with the FCPA, the DOJ often brings cases against individuals who have engaged in domestic bribery even after settling with their employers – as the earlier cited example involving the CEO of ComEd and other former ComEd executives in Ohio shows.
6 Has there been any new guidance from enforcement authorities in your jurisdiction regarding how they assess the effectiveness of corporate anti-corruption compliance programmes?
As a general matter, the state of a company’s compliance programme factors significantly in penalty guidelines and the discretion that both the DOJ and SEC have to negotiate dispositions of FCPA investigations. Both US agencies have issued guidance regarding what they consider to be the key elements of a corporate FCPA compliance programme as part of the updated July 2020 FCPA Resource Guide and as annexes to individual disposition documents.
The FCPA Corporate Enforcement Policy’s presumption of a declination by the DOJ in certain cases requires, in part, timely and appropriate remediation of the problematic conduct, including
the implementation by the company of an effective compliance and ethics programme. The policy lists several basic criteria for such a programme, noting that the programme elements ‘may vary based on the size and resources of the organization’. Notable on the list are requirements related to a company’s culture, resources dedicated to compliance, the quality and independence of compliance personnel, the effectiveness of a company’s risk assessment processes and responses to them, and the periodic auditing of a programme’s effectiveness.
On 1 June 2020, the DOJ issued updated guidance on the Evaluation of Corporate Compliance Programs intended to direct prosecutors on how to assess the effectiveness of a company’s compliance programme. The guidance does not establish a ‘rigid formula’ or a mandatory set of questions to be asked, but rather offers useful insights regarding the DOJ’s views on the design and operation of company compliance programmes. The document has been organised to include 12 topic areas, which are grouped to track the three core questions about compliance programme effectiveness contained in the Justice Manual: whether a corporation’s compliance programme is well designed; whether the programme is ‘adequately resourced and empowered to function effectively’; and whether the programme works in practice.
Among the notable aspects of the updated guidance are:
- an emphasis on a company’s documented rationale for specific decisions related to the design and implementation of its compliance programme elements;
- a focus on whether programme elements are integrated into the day-to-day business processes and financial controls of the company, including whether and how often employees actually access programme policies and resources;
- the need for a documented risk assessment as a starting point, to determine the ‘degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks’;
- an enhanced emphasis on collecting and using various data to track the effectiveness of programmes;
- the importance of proactive justification of business rationales for third parties – that is, asking whether such third parties are needed at all, and if so, what qualifications should they have to be legitimate and effective – as well as a focus on third-party risk management not just at the beginning but throughout the lifespan of the relationship;
- timely and orderly integration of acquired or merged entities into a company’s compliance programme; and
- an emphasis on lessons learned during programme operation and using such lessons to improve the programme over time.
The update also notes potential challenges to programme operations created by host country laws and tells prosecutors to approach such issues with skepticism, especially as to impediments to data transfers. The guidance instructs prosecutors to ask specific questions companies about how they have ‘addressed the [relevant foreign law challenge] to maintain the integrity and effectiveness of its compliance program while still abiding by foreign law’.
One area of renewed interest given recent DOJ policy announcements relates to the imposition of independent compliance monitors in FCPA resolutions. The October 2021 Monaco Memorandum clarified that the DOJ would require monitors in cases where a company’s programme or related controls are ‘deficient’ or ‘are untested, ineffective, inadequately resourced, or not fully implemented at the time of a resolution’. In a March 2022 speech, a senior DOJ official described monitorships as ‘effective tools for strengthening corporate compliance programs’. Two of the DOJ’s dispositions in 2022 to date – Stericycle and Glencore – included an independent compliance monitor requirement. In both cases, part of the stated rationale was that, while the companies had set up remedial compliance programmes and controls, there had not been time to test their effectiveness.
Of direct interest to corporate compliance personnel employed by companies that have been the subject of FCPA resolutions, the DOJ announced in March 2022 that, ‘in order to further empower Chief Compliance Officers’, the DOJ will, in most cases, require chief compliance officer certifications, whether at the end of the term of a DPA/NPA (to certify the compliance programme meets the design and effectiveness standards set in the agreement) or on a regular basis during an agreement (for example, if the company is expected to report annually to the DOJ in lieu of a monitorship). The first such certification requirement was issued as part of the Glencore disposition in May 2022. This requirement has been questioned by some compliance professionals and the defence bar, who have raised a variety of issues, including whether the certification increases personal liability risk for compliance officers. The DOJ has refuted that concern, but some commentators continue to raise other questions about metrics and potential unintended consequences.
7 How have developments in laws governing data privacy in your jurisdiction affected companies’ abilities to investigate and deter potential corrupt activities or cooperate with government inquiries?
US data privacy laws generally are less stringent than such laws in Europe, Russia and the former Soviet Union and China. Companies in the United States, for example, can generally share personal data with third-party service providers, such as outside counsel, auditors, etc, as well as with government regulators and investigatory authorities. Certain laws, such as the US Freedom of Information Act require US government authorities to screen certain types of sensitive data from general public release, but generally do not inhibit such authorities’ use of such data for investigation purposes. Even the most restrictive data privacy law in the United States (the California Consumer Privacy Act, which went into (partial) effect at the beginning of 2020 and mirrors many requirements adapted from more stringent data privacy laws in other countries) currently contains exceptions that allow companies to collect, process and view information from their employees during an investigation. Those exceptions currently run through the end of 2022 (due to approval of a companion law, the California Privacy Rights Act, in November 2020), but there is substantial business pressure to make them permanent.
The primary challenge for companies subject to the FCPA is complying with host country restrictions on information-sharing/data processing while simultaneously being able to access compliance-sensitive company information when needed to operate compliance programmes, conduct internal investigations of allegations of misconduct, or respond to requests or demands for information by US enforcement authorities. Such host country laws can regulate data privacy or invoke national security considerations – both of which can limit the ability of companies to collect, use and share relevant information.
The entry into force of the EU’s GDPR in May 2018 has presented significant challenges to multinational companies’ handling of a wide variety of data, and key issues remained unsettled. Further questions arose as a result of the July 2020 decision by the European Court of Justice (ECJ) that struck down the EU–US Privacy Shield, an agreement on which many companies had relied to facilitate transfers of data to the United States while complying with GDPR requirements. The Court’s decision stated, in part, that US laws allowing for national security-based surveillance and acquisition of personal data did not adequately protect EU citizens’ rights.
The 2020 ECJ decision created a period of uncertainty and led to intensive negotiations between the US and EU governments. In the meantime, on 4 June 2021, the European Commission released new versions of the standard contractual clauses – the provisions that the Commission requires companies to use to govern various transfers of personal data to entities in countries that are not considered to provide appropriate data privacy rights, including the United States. Companies have roughly until the end of 2022 to implement these clauses fully, but their broad scope and some undefined terms within raise additional unresolved issues for companies seeking to navigate this area.
On 25 March 2022, the US and EU announced that they had agreed in principle on a new Trans-Atlantic Data Privacy Framework designed to address the concerns raised by the 2020 ECJ decision. The US government release stated, ‘[t]hose forthcoming reforms will ultimately underpin all commercial transfers of EU personal data to the United States, including those made in reliance on the EU–US Privacy Shield, Standard Contractual Clauses, and Binding Corporate Rules.’ The underlying legal agreements are currently under negotiation, and the EU will need to issue a new ‘adequacy decision’ in order for the reformed Privacy Shield to take effect.
The GDPR has had a significant impact on the way that cross-border internal investigations and multi-jurisdictional agency enforcement actions are conducted. A detailed discussion of the GDPR is beyond the scope of this section, but several points are worth noting. Processing of personal data may only occur under a strict set of circumstances and only for a clearly articulated and legal purpose, and must be limited to only what is necessary to fulfil the legal basis for the processing. The purposes most applicable to internal and cross-border investigations include processing that is necessary for a contract with a data subject, necessary for the company controller to comply with EU law, or for the controller’s legitimate interest. This last purpose – a ‘legitimate interest’ – may be the most potentially useful legal basis available to most companies conducting investigations. Companies may argue that they have a legitimate interest in investigating, stopping or preventing possible corruption or addressing internal compliance issues. The fact, however, that such investigations and related legal advice may result in a company decision to cooperate with a US or other country enforcement action to minimise or possibly eliminate criminal liability and any commensurate financial penalty can create significant complications for the company’s obligations to comply with the GDPR, especially if the concerns raised by the July 2020 ECJ decision come into play.
Indeed, the FCPA Corporate Enforcement Policy’s requirement that a company produce all relevant documents, including overseas documents, on its face creates a clear conflict with the GDPR’s restrictions on the processing and disclosure of EU data subjects’ personal data. And the penalties for violations of or non-compliance with the GDPR are severe – up to 4 per cent of a company’s global annual revenue or €20 million, whichever is greater. A company deciding whether to provide documents and data to the US government therefore faces a dilemma – those wishing to benefit from the DOJ policy must balance the benefits of a potential declination or a reduced financial penalty with the risk of significant fines under the GDPR. The DOJ policy places the burden on the company to justify its argument that it cannot disclose documents, and the company must show specific efforts to identify all available legal avenues to locate and produce relevant material. Companies and their external counsel will be challenged to think creatively about how to collect and produce information sufficient to obtain cooperation credit from the DOJ, while minimising the risks of liability under the GDPR.
More generally, compliance professionals working for companies subject to the FCPA should work closely with data privacy experts in each operational jurisdiction around the world to craft solutions that give appropriate access and comply with data privacy protections or other legal restrictions on information access. As noted, the US authorities are aware of and sensitive to these issues but are also wary of companies using data privacy and related laws to avoid full cooperation with investigations. Companies that have plans in place to address these issues before any investigation arises are more likely to be considered to be acting in good faith when the inevitable conflicts of legal requirements arise.
The Inside Track
What are the critical abilities or experience for an adviser in the anti-corruption area in your jurisdiction?
Much of the knowledge needed to give effective FCPA advice comes from outside traditional legal sources – there are very few adjudicated cases, no substantive regulations and the US authorities traditionally have been opaque regarding what drives their enforcement decisions. The best adviser combines extensive experience managing government and internal investigations with expertise in addressing the varied compliance issues actually faced by companies. Because the agencies have considerable leverage over targeted companies, counsel must be able to gain the trust of enforcement personnel while advocating effectively on behalf of clients.
What issues in your jurisdiction make advising on anti-corruption compliance challenging or unique?
US domestic bribery laws are a patchwork that sometimes can create compliance contradictions. Analysing specific issues requires identifying whether federal or state laws control, the identity and position of any official within government (to apply the right regulatory analysis), and the company’s own status under those rules. These rules are sometimes subject to different sets of court precedents or administrative guidance, some of which can be mutually inconsistent.
What have been the most interesting or challenging anti-corruption matters you have handled recently?
In 2017, I was appointed as an independent compliance monitor per an FCPA resolution, a project that was completed just before the pandemic. These engagements require US agency sign-off as to the monitor’s experience and suitability, and require efficient, yet comprehensive, reviews of corporate compliance programmes and the exercise of independent judgment in balancing the goals of the company and the agencies. I am also handling several active investigations before the US DOJ and SEC, many of which also involve interactions with agencies in other countries; I also act as ‘buffer counsel’ – advising companies on how to manage compliance monitors, using my past experience as one to advocate effectively.