On November 14, 2012, the U.S. Department of Justice (DOJ) and the U.S. Securities and Exchange Commission (SEC) issued A Resource Guide on the U.S. Foreign Corrupt Practices Act (the Guidance1), approximately one year after Assistant Attorney General for the Criminal Division (AAG), Lanny Breuer, announced their intention to do so. To those expecting new, groundbreaking interpretations or insight into the Foreign Corrupt Practices Act (FCPA), the Guidance will be a disappointment. According to AAG Breuer, the Guidance “does not reflect a change in policy.”2
However, the 120-page, 418 footnote Guidance does provide a detailed and centralized repository of the U.S. government’s interpretation of many key parts of the FCPA, and it includes illustrative examples designed to help prevent future violations of the FCPA. The Guidance states that it is “non-binding, informal, and summary in nature, and the information contained herein does not constitute rules or regulations.”3 Despite this disclaimer, at an FCPA conference just days after the Guidance was issued, Jeffrey H. Knox, Principal Deputy Chief of the Fraud Section of DOJ, said that the public can rely on the Guidance and can expect that U.S. regulators will act consistently with the Guidance.4 He said that the Guidance will be treated like the U.S. Attorney’s Manual,5 which is “binding on all federal prosecutors around the country.”6 Therefore, although the Guidance does not contain much that is new, advocates can use it to argue that a client’s behavior is similar to scenarios contained in the Guidance where enforcement was not warranted, and in-house counsel can similarly use the Guidance as a yardstick for company behavior. In this regard, the Guidance is an invaluable reference for outside and in-house counsel alike.
I. Anti-Bribery Provisions
A. Determining Whether an Entity’s Employees are “Foreign Officials” Remains a Fact-Based Inquiry
The FCPA prohibits bribes to foreign government officials, including the employees of an “instrumentality” of the state.7 As noted by the U.S. Chamber of Commerce, however, the statute does not provide a “clear uniform definition” of instrumentality that companies can rely on to ensure FCPA compliance.8 The DOJ and SEC did not use the Guidance to supply their version of such a definition. Instead, after noting that the term instrumentality is “broad,” the Guidance observes that courts have employed a non-exhaustive list of factors to be considered in determining whether an entity is an “instrumentality of a foreign government,” and states that the DOJ and SEC “have long used” a multi-part analysis of the “entity’s ownership, control, status, and function.”9
The Guidance does offer the DOJ’s and SEC’s view that an entity is less likely to be considered an instrumentality if the foreign government does not own or control more than 50% of the entity.10 However, the Guidance adds that an entity with less than 50% government ownership can still be considered an instrumentality of the state if a government exercises substantial control over the entity.11
Importantly, the DOJ has signaled that if a company conducts due diligence and then transacts with a counterparty that it reasonably believes is not a government instrumentality, there is no FCPA violation because the company lacks the requisite knowledge for an FCPA violation.12
B. Gifts and Entertainment: Don’t Miss The Forest For The Trees
In response to concerns that disproportionate amounts were being spent investigating unimportant payments,13 the Guidance states that the U.S. government is not interested in prosecuting companies or individuals who provide nominal gifts such as “cab fare, reasonable meals and entertainment expenses, or company promotional items” because such gifts are unlikely to influence a foreign official.14 It further notes that the “DOJ’s and SEC’s anti-bribery enforcement actions have focused on small payments and gifts only when they comprise part of a systemic or long-standing course of conduct. …”15 The “hallmark” of appropriate gift giving is that it is being given open and transparently, with no corrupt intent.16
The Guidance notes that the DOJ and SEC expect that an effective compliance program will spend less time on “modest entertainment and gift-giving” and more time on bigger ticket items.17 Although the government did not define “modest,” at an FCPA conference soon after the Guidance was issued, DOJ FCPA Unit Chief Charles E. Duross stated that taking a foreign official to a US$200 dinner would not be considered appropriate.18
C. Broad Liability of a U.S. Parent Company for Actions Taken by a Subsidiary
The Guidance reaffirms the government’s view that unlawful acts taken by a subsidiary can be imputed to the parent under traditional agency principles.19 The fundamental characteristic of an agency relationship is the degree of control the parent exercises over its subsidiaries. In this regard, the government evaluates “the parent’s knowledge and direction of the subsidiary’s actions, both generally and in the context of the specific transaction.”20
According to the government, a parent also can be held liable for the acts of a subsidiary’s employees, if the conduct was “undertaken within the scope of their employment and intended, in part to benefit the company.”21 In one case, the parent was found liable for bribes paid to foreign officials to secure a contract, by the president of the subsidiary, who the parent identified as a part of senior management in its SEC and annual filings.22 The Guidance makes clear if a whollyowned subsidiary acts independently, its misconduct is not automatically attributed to the parent solely because it owns the subsidiary. If, however, the foreign entity making the illicit payments acts as a de facto operating division of the parent, and the employees identify themselves as employees of the parent, knowledge and control will be imputed to the parent for misconduct committed by the operating division.23
D. Nip It in the Bud: Preventing Successor Liability
The Guidance emphasizes that if the successor company conducts pre-acquisition due diligence, self-reports any misconduct found in the due diligence process, and timely implements proper controls and compliance programs postclosing, it is unlikely that the government will bring an enforcement action against the successor company for the predecessor’s unlawful conduct.24 A successor will be prosecuted, however, if it continues the predecessor’s unlawful conduct.25
E. Facilitating Payments Exception Remains Narrowly Construed
Although the Guidance gives a slight nod to “facilitating” or “expediting” payments made to further “‘routine governmental action’ that involve non-discretionary acts,” it notes that the “OECD’s Working Group on Bribery recommends that all countries encourage companies to prohibit or discourage facilitating payments, which the United States has done regularly.”26 The UK Bribery Act, for example, prohibits facilitating payments.27
Given this trend, it comes as no surprise that the DOJ and SEC construe the facilitating payments exception narrowly. As the Guidance notes, the FCPA defines “routine governmental action” as including obtaining permits, licenses, or other documents for a company to conduct business in a foreign country, processing government papers such as visas, scheduling inspections related to the transit of goods, and providing basic services such as power and phone service, among other similar actions.28 In practice, however, the government has brought enforcement action against companies that made what on the surface may have appeared to be facilitating payments. For example, the DOJ and SEC found that a company violated the FCPA where it made small, routine payments to Indian officials charged with conducting pre-shipment inspection of goods to ensure the products would be cleared for shipment. The total amount paid in one year was approximately US$2,000 with payments ranging from US$67 to US$358 per inspection.29
As a practical matter, it may be difficult to determine whether a payment qualifies as a facilitating payment as opposed to an improper payment, particularly for employees on the ground being asked to make that distinction. It is far better for companies to simply prohibit them altogether, in the absence of prior Law Department approval, so as to avoid even the appearance of a potential FCPA violation.30
II. The Accounting Provisions: Key Takeaways
While the Guidance does not announce any revelatory interpretations of the FCPA’s accounting provisions, it nevertheless sets out several important points that are worth noting. First, the Guidance makes plain that a company’s FCPA compliance policies should include internal accounting controls. While the system of internal controls companies should employ is not subject to one universal formula, the Guidance notes that internal controls should incorporate components including risk assessments, policies and procedures designed to ensure management directives are carried out, and monitoring of the company’s compliance with these policies and procedures.31 Second, the Guidance reaffirms the DOJ’s and SEC’s expansive view of the reach of the accounting requirements, such as the ability to assert aiding and abetting liability against subsidiaries for their parents’ violations, even though the subsidiaries themselves are not subject to the FCPA’s accounting provisions.32 Third, the Guidance sets forth the SEC’s view that Section 404 of Sarbanes Oxley (SOX) applies to controls relating to bribery. As the Guidance indicates, SOX requires internal controls directed towards detecting illegal acts and fraud, including bribery, that could result in a “material misstatement of the company’s financial statements.”33
III. The Settlement and Penalty Phase
A. Declinations: How To Get Out of a Case Altogether (Or Never Get Into One)
With the exception of the recent Morgan Stanley case, discussed in more detail below, U.S. enforcement agencies have previously been tight-lipped about FCPA declinations, and among other proposed reforms, the Chamber of Commerce has requested that the DOJ issue declination decisions on a no-names basis.34 Although it continues to maintain its position that it will not issue declination decisions, the government reveals that “in the past two years alone, DOJ has declined several dozen cases against companies where potential FCPA violations were alleged.”35 This compares with 35 NPAs, Deferred Prosecution Agreements (DPAs) or criminal FCPA pleas with DOJ since November 14, 2010.
What the Guidance makes clear is that the decision to bring or decline an enforcement action under the FCPA remains a matter of prosecutorial discretion and that the pre-existing factors set forth in the DOJ’s Principles of Federal Prosecution and the Principles of Federal Prosecution of Business Organizations and the SEC’s Division of Enforcement, Enforcement Manual continue to guide the exercise of that discretion. In an attempt to provide transparency, the Guidance notes that DOJ declined to prosecute matters where some or all of the following 7 circumstances were present:
- a corporation voluntarily and fully disclosed the potential misconduct;
- corporate principles voluntarily engaged in interviews with DOJ and provided truthful and complete information about their conduct;
- a parent company conducted extensive preacquisition due diligence of potentially liable subsidiaries and engaged in significant remediation efforts post-acquisition;
- a company provided information about its extensive compliance policies, procedures, and internal controls;
- a company agreed to a civil resolution with the SEC while also demonstrating that criminal declination was appropriate;
- only a single employee was involved in the improper payments; and
- the improper payments involved minimal funds compared to overall business revenues.36
Beyond this list, the Guidance provides six instances of declinations that reflect the significance of voluntary selfreporting, conducting internal investigations, taking immediate action against employees involved in misconduct, and improving existing compliance programs. As has been known in the FCPA community for years, a declination is more likely where a company takes decisive action to proactively remedy issues — both in terms of employee discipline and compliance enhancements.
B. The Guidance Does Not Allay Concerns That Self-Disclosure Is Adequately Rewarded
A recent study published by two New York University Law School professors concludes that, based on their statistical analysis of FCPA settlements from 2004 to 2011 and controlling for a variety of factors, there is “no evidence to support the hypothesis that voluntary disclosure  or cooperation or remediation [by improving corporate compliance programs] correlates with reduced total monetary penalties.”37 Despite widespread coverage of this study, the Guidance does not attempt to disprove its findings. Rather, the Guidance reiterates the fact that, under the DOJ’s Sentencing Guidelines and SEC’s Seaboard factors, cooperation and self-disclosure can be taken into account in FCPA resolutions,38 gives examples of declinations that all involve self-reporting to the government,39 and emphasizes the importance of a strong compliance program.40
A. Ongoing Opposition to a Compliance Defense
The UK Bribery Act contains a strict corporate liability offense if a corporation fails to prevent bribery by persons associated with it.41 However, the statute also provides an adequate procedures defense to corporations if they can show that they have adequate anti-corruption compliance procedures in place “designed to prevent persons associated with [it]” from engaging in bribery.42 During the lead-up to the Guidance, the Chamber of Commerce pushed for the addition of an adequate compliance defense to the FCPA, claiming it would “not only increase compliance with the FCPA by providing businesses with an incentive to deter, identify, and self-report potential and existing violations, but will also protect corporations from employees who commit crimes despite a corporation’s diligence.”43
The DOJ and SEC chose not to embrace a compliance, or adequate procedures, defense in the Guidance. After the Guidance was issued, AAG Breuer stated that he did not support an adequate measures compliance defense because effective compliance programs was only one of the many factors contained in the Sentencing Guidelines.44 The head of the SEC’s FCPA unit, Kara Brockmeyer, also did not support an adequate procedures defense. She pointed out that the UK Bribery Act adequate procedures defense only applies where a corporation can be held strictly liable for the actions of associated persons and not as relates to other elements of the statute that require proof of intent on behalf of the corporation.45 Ms. Brockmeyer argued that because the FCPA’s anti-bribery provision is intentbased, the FCPA should not include an adequate procedures defense until it also includes a strict liability offense.46
B. The FCPA Guidance Provides Additional Clarity to What Constitutes an Effective Anti-Corruption Compliance Program
The Guidance nevertheless makes clear that an effective anticorruption compliance program is a corporate imperative. While the Guidance does not lay out a one-size-fits-all compliance program — in fact noting that one does not exist — the Guidance does provide additional clarity to what the DOJ and SEC expect to see, highlights that companies should make risk-based determinations and not review every transaction or relationship to the same degree, and provides some specific program designs that companies have adopted and imbedded in their companies.
1. Managing the Review of Gifts, Travel, and Entertainment Involving Government Officials
According to the Guidance, “some companies with global operations have created web-based approval processes.”47 The systems automate “clear monetary limits and annual limitations” and “have built-in flexibility so that senior management, or inhouse legal counsel, can be apprised of and, in appropriate circumstances, approve unique requests.”48 As such, the Guidance recognizes that legal approval may not always be necessary for every financial transaction involving government officials and that, if implemented effectively, some reasonable monetary thresholds may be appropriate.
Multinational companies should, however, keep in mind that what may work for one corporation may not be appropriate for another. Experience shows that individualized risk assessments and programmatic decisions that are tailored towards tackling the specific risks of each company are the most effective avenues to developing living, breathing, and effective compliance program that have a chance of detecting and preventing improper conduct.
That said, web-based approval processes, reasonable monetary thresholds, and appropriate risk-based approval requirements can be effective options for companies. As the Guidance highlights, this approach allows companies “to conserve corporate resources” in the review and approval process, while still implementing a procedure that can prevent and detect possible FCPA violations.49
2. Not All Due Diligence Reviews Should be the Same
The Guidance makes clear that an effective anti-corruption compliance program must employ risk-based reviews that are developed as the result of a company’s individualized risk assessment. By way of example, the Guidance recognizes that “[d]evoting a disproportionate amount of time policing modest entertainment and gift-giving instead of focusing on large government bids, questionable payments to thirdparty consultants, or excessive discounts to resellers and distributors may indicate that a company’s compliance program is ineffective.”50 In fact, multinational companies that perform a thorough risk assessment prior to developing or enhancing their anti-corruption compliance program can best determine where it should most focus its attention and where its company’s greatest risks lie. For some companies, entertainment and giftgiving may be a particular concern, while for others it may be their network of distributors or third-party consultant. The key factor to keep in mind is that risks must be assessed upfront for any program to truly be designed to meet the company’s needs.
The Guidance further explains that “performing identical due diligence on all third-party agents, irrespective of risk factors, is often counterproductive, diverting attention and resources away from those third parties that pose the most significant risks.”51 Experience shows that risk-based due diligence is critical, and just like with other elements of an effective anti-corruption compliance program can only be developed by utilizing the information gathered in an individualized risk assessment. Risk-based third-party reviews not only improve efficiency and best utilize company resources, it also helps attain buy-in from the business employees of the company. Demonstrating that compliance is there to enhance the business, rather than to be a constant roadblock without a clear purpose, is essential to ensuring that the compliance program is accepted and effectively embedded into the business.
The Guidance highlights that multinational companies should implement multifaceted training programs, comprising both web-based and in-person trainings. The training usually “covers company policies and procedures, instruction on applicable laws, practical advice to address real-life scenarios, and case studies.”52 The focus on practical advice, reallife scenarios, and case studies is critical. While company employees must receive basic information on the law and specifics regarding company policies, experience has shown that information is best absorbed if the trainees are actively participating during the training program rather than simply being passive listeners. Case scenarios utilizing a hypothetical company structured similarly to that of the employees being trained are particularly effective tools that allow employees to simulate decisions they will be asked to make in the real world once the training has concluded.
The Guidance also emphasizes that companies should ensure that their trainings are adequately designed for the target audience.53 Experience shows that a uniform anti-corruption training program that is geared towards conveying the same message to all employees should be supplemented with individualized and less formal programs for specific business units. This combination of training programs also provides the legal and compliance departments with critical information that helps gauge how the compliance program is understood and imbedded throughout the company.
4. Carrots and Sticks
The Guidance recognizes that effective anti-corruption compliance programs should not only contain strong disciplinary guidelines, but should also reward employees for good behavior. Some examples include incorporating adherence to compliance as “a significant metric for managements’ bonuses,” “recognizing compliance professionals and internal audit staff,” and making “working in the company’s compliance organization a way to advance an employee’s career.”54 Employees must see consequences, good and bad, for them to comply with all company policies, to take the anti-corruption compliance program seriously, and to raise concerns when doing so may cost the company a business opportunity.
C. Effective Compliance Program — A Potential Panacea?
Within recent months, U.S. enforcement agencies have signaled that good compliance programs, coupled with complete cooperation, can lead to a declination. On April 25, 2012, the DOJ announced that while it had obtained a guilty plea from one of Morgan Stanley’s former employees, it was declining to prosecute Morgan Stanley because “Morgan Stanley maintained a system of internal controls meant to ensure accountability for its assets and to prevent employees from offering, promising or paying anything of value to foreign government officials” that the rogue employee evaded.55
In addition, DOJ just terminated a DPA with Pride International, Inc. a year early because of the company’s improvements in its compliance program.56 According to the DOJ, Pride, among other things, (a) instituted and maintained a compliance and ethics program designed to prevent and detect violations of the FCPA, among other laws; (b) maintained internal controls, policies and procedures to ensure that books, records and accounts are fairly and accurately made and kept; and (c) reduced its reliance on third-party business partners and subjected third-party business partners to appropriate due diligence requirements pertaining to the retention and oversight of agents and business partners.57 Notably, Pride International, Inc. was recently acquired by Ensco, and the DOJ may have seen this as a fresh start.
These two examples are being touted by DOJ as proof positive that companies will be rewarded for implementing robust and effective compliance programs. Whether there will be further such cases remains to be seen.
* * *
In conclusion, the Guidance is not a step in a new direction and did not address many of the criticisms leveled against the government about the standards it uses to enforce the FCPA. However, it does provide a valuable tool for outside and in-house counsel alike to use as a reference point for the government’s positions on almost all salient FCPA issues.