On August 29, it was announced that the U.S. Department of Justice is considering an investigation into Uber, the San Francisco-based technology company that has expanded its ride-sharing service abroad to more than 70 countries. Press reports indicate that DOJ may investigate potential violations by company personnel of the U.S. law against foreign bribery, known as the Foreign Corrupt Practices Act (FCPA). On the same day, the company confirmed the review and said that it was cooperating with the Justice Department on the matter.

A Wall Street Journal article alleged that “the eight-year-old company spread rapidly to more than 70 countries around the world in part by giving regional teams authority to adapt to local markets and expand as quickly as possible, sometimes flouting local laws.”

In our experience, once DOJ begins learning about a particular industry in such an investigation, the investigation will expand to other players within the industry. It’s called an “industry sweep,” and it’s a thing.

The case illustrates a question for tech startups: When do I get my compliance house in order?

A startup generally will not have significant resources to spend on compliance initially, which is fine: the risk profile is typically low as a company gets its feet under it locally. But as the company expands to international markets, it will face a rapidly expanding series of compliance challenges, even as its success draws more scrutiny from regulators.

The Growth

Because a typical startup begins as a small local company, the risk of violating the FCPA is slight. However, as the company’s growth curve takes it into foreign markets, new compliance obligations may not always be clear. First and most obviously, the company must understand the host country laws and regulations. At the same time, the company must clearly address U.S. regulatory restrictions on its new foreign business, which can tend to be more obscure.

The Pain

Regulated Industries. The growth can be particularly dangerous for a company attempting to disrupt established regulated industries. Playing abroad in a regulated industry requires constant interaction with foreign government officials. Each of those interactions creates a risk that some payment, offer, or business hospitality could be considered an FCPA violation. As an example, taxi services are heavily regulated by local government agencies in the areas of driver qualifications, licensing, vehicle maintenance, fares, and myriad other areas. An illicit payment to any one of those regulators can be an FCPA violation. Players in this industry should be aware that DOJ is now looking at such payments.

Similarly, companies disrupting other regulated industries should be aware that DOJ will very likely soon be looking at their business models. This would likely include the following industries, among others:

  • Telecommunications;
  • Power generation and transmission;
  • Pharmaceuticals and medical services;
  • Financial technologies;
  • Hospitality;
  • Insurance; and
  • Any company playing in the sharing economy.

Geographic Risk. When the company expands internationally, its risk and exposure can expand exponentially. Particularly in developing companies, the rules are not always clear and the local culture does not always deter corruption. The company needs a strong compliance infrastructure to hold out against the pressure to engage in bribery.

Industry Sweeps. We have seen industries such as oil and gas, medical devices, pharma, and telecom ravaged by DOJ industry sweeps. FCPA enforcers in the U.S. Department of Justice and the Securities and Exchange Commission (and, more recently, the UK Serious Fraud Office) catch one big player in an industry red-handed and, in return for mitigated penalties, that big company starts pointing the finger at competitors. Small, domestic startups are not a likely target, but those companies that have begun to cross international borders may look like fish in the proverbial barrel: exposed and unaware of the risks they face.

The Prevention

Typically, startups do not have the budget for platinum standard compliance programs. Nevertheless, compliance programs are now considered core business processes; startups operating without those are putting their business at risks. And certainly before setting foot in a foreign jurisdiction, those compliance programs need solid anti-bribery components.

By investing early in a light and flexible compliance program, then updating that program as you expand, you can be protected against the potential costly investigations, painful penalties, and damaging reputational harm that that have buffeted entire industries caught up in DOJ industry sweeps.