The United States Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have finally released long-awaited guidance on the US Foreign Corrupt Practices Act (FCPA). In releasing the 120-page “A Resource Guide to the US Foreign Corrupt Practices Act” (the Guide), the regulators made clear that they are committed to the view that FCPA enforcement is “a continuing priority.” The Guide is intended to offer a resource for companies both large and small that conduct business outside of the US. It includes a statutory analysis of the FCPA, emphasizing that the statute is designed to address the issue of “international corruption.”
The Guide is comprehensive and covers subjects ranging from gifts and entertainment, mergers and acquisitions, principles of civil and criminal liability, the role of auditors and related federal laws that can apply with equal force to corrupt conduct. Some of the topics covered have been the subject of much debate by practitioners in recent and still rare FCPA prosecutions that proceed to trial. Most prosecutions are settled without trial; as a consequence, there are very few court opinions to offer guidance
By way of background, the FCPA prohibits bribery of foreign government officials, candidates for political office and political party officials. The Act applies to a broad range of entities and individuals, including publicly traded companies and private companies organized under US laws or entities with a principal place of business in the US, and it covers conduct that occurs anywhere in the world. The FCPA also sets forth record-keeping provisions that require that issuers maintain a system of internal accounting controls sufficient to provide reasonable assurances that books are being kept accurately. These provisions essentially codify existing accounting standards.
With regard to FCPA-related enforcement activity, the criminal and civil cases brought by the DOJ and the SEC in recent years are striking in their factual similarity. Most involve emerging markets where large payments were funneled (either through an intermediary or directly) to foreign officials responsible for awarding contracts or other benefits from the state‐owned entities. These cases also highlight the failures of internal controls to deter or detect the corrupt conduct.
The clear message flowing through the Guide is the need for strong anti-corruption compliance policies and programs that are fully supported by a strong tone at the top. The Guide states that “[i]n a global marketplace, an effective compliance program is a critical component of a company’s internal controls and is essential to detecting and preventing FCPA violations.” According to the Guide, federal regulators are not recommending a formulaic approach to evaluating a company’s compliance programs but instead are adhering to a more commonsense approach that reviews the design of the program and searches for a good faith and working application of the program within the organization.
Hallmarks of an Effective Compliance Program
In Chapter 5, the Guide lists the hallmarks of an effective compliance program, all of which should be considered as essential for those charged with developing the policies and programs. These components have been previously articulated in several DOJ resolutions in criminal cases. Here is a summary of these important hallmarks:
- A high-level commitment from company leaders to a culture of compliance. Regulators will review and evaluate whether senior managers sent and incorporated the right ethical messages to employees.
- A code of conduct that is clear, concise and accessible to all employees who act on behalf of the company. Indeed, it is expected that the code will be translated into local languages so that all employees have access to and an understanding of the requirements. On this note, regulators expect that the code of conduct is periodically reviewed and updated. It is suggested that the policies incorporate the risks faced by individuals such as relationships with third parties and gifts, travel and entertainment.
- Oversight and implementation of the compliance program is assigned to a senior executive with sufficient authority within the company, independence from management and with reasonable resources devoted to the effective implementation of the program. According to the Guide, adequate autonomy typically includes direct access to the governing board of the organization such as the board of directors.
- The Guide encourages a company to conduct a risk assessment. In this view, compliance policies and programs should be tailored to the specific risks inherent in operating a business. Regulators expect that “[a]s a company’s risk for FCPA violations increases, that business should consider increasing its compliance with procedures, including due diligence and periodic internal audits.”
- Companies should offer training and periodic communication to employees on the policies and procedures. According to the Guide, no matter what method is chosen for delivery of training and related communications, the information must be tailored to the audience, including providing the relevant training materials in local languages.
- Enforcement of the program is considered essential to its success. According to regulators, “[a] compliance program should apply from the board room to the supply room—no one should be beyond its reach.” As a consequence, the regulators will evaluate whether a company has clear disciplinary procedures that are applied consistently and reliably across the organization.
- The Guide recognizes that third parties commonly are at the center of many FCPA violations, in that they are used to conceal the payment of bribes to foreign officials. Appropriate levels of due diligence should be implemented, using these guiding principles that are always applicable: an assessment of the third parties’ qualifications; an understanding of the business rationale for their retention, including ensuring that payment terms are in line with industry standards; and ongoing monitoring of the relationship.
- A means by which employees can make confidential reports of violations of a company’s policies without fear of retaliation. Once an allegation is made, companies should have in place a mechanism for evaluating and investigating the claim, followed by a process to incorporate any lessons learned into improving controls or updating the compliance program.
- Compliance programs and policies should be periodically reviewed so that they reflect and incorporate the current business environment and are sustainable.
- FCPA-related pre-acquisition due diligence should be performed on acquisition targets. Postacquisition efforts should include incorporating the acquired company into the company’s internal controls and into its compliance program.
DOJ and SEC Decisions Explained
One of the key teachings in the Guide is an unusually insightful summary of recent DOJ and SEC declination decisions. The Guide does not list the names of the companies, but it provides factors that influenced the declination decisions. These factors offer meaningful and real instruction for companies facing FCPA risks abroad. Key factors listed included:
- Immediate action upon notice of a potential FCPA violation including termination of corrupt business relationships with companies and third parties.
- Significant steps taken to improve an existing compliance program, including hiring new compliance leadership.
- Voluntary disclosure of conduct to the DOJ and SEC and full cooperation with the SEC and DOJ after disclosure.
- Relatively small, or isolated, bribes paid in circumstances demonstrating a small amount of profit to the company rather than systemic corrupt conduct.
- The bribes were detected through existing internal controls or due diligence.
Also instructive is that in at least two of the examples that the regulators highlighted, the company terminated its relationship with a foreign law firm as part of its remediation efforts.
In conclusion, the Guide should be viewed by companies as a tool and resource. It reflects the current and up-to-date thinking of the two major enforcement authorities active in this area. Its critical teachings should be used and incorporated in developing and enhancing FCPA compliance policies.