Inside the FCPA: The Corruption and Compliance Quarterly
In This Issue:
Global Internal Investigations: Attending to Data Privacy Laws When Collecting and Transferring Data By Brian Hengesbaugh, Amy de La Lama, Michael Egan
The Ostrich Effect: Liability Under The FCPA For Ignoring Indications of Bribery By Lina A. Braude and Yuliya Kuchma
Baker & McKenzie’s quarterly corporate compliance publication, “Inside the FCPA,” is an electronic and hard copy newsletter dedicated to the critical examination of developments in U.S. and international anti-corruption compliance that are of particular concern to global companies (and their officers and employees). The newsletter is written with the intention of meshing specialized U.S. coverage with a select international viewpoint in order to meet the expectations of an international client base and a discriminating readership. We seek to make our guidance practical and informative in light of today’s robust enforcement climate, and we encourage your feedback on this and future newsletters.
If you would like to provide comments, want further information about the matters discussed in this issue, or are aware of others who may be interested in receiving this newsletter, please contact Sue Boggs of Baker & McKenzie at email@example.com or +1 214 965 7281. We look forward to hearing from you and to serving (or continuing to serve) your FCPA, international anti-corruption, and corporate compliance needs.
Global Internal Investigations: Attending to Data Privacy Laws When Collecting and Transferring Information
By Brian Hengesbaugh and Amy de La Lama, Chicago, and Michael Egan, Washington, D.C.
A frantic call comes in. A company’s auditors have found that something is amiss. A whistleblower has come forward or an enforcement agency has come calling, and the company needs to launch an internal investigation. With the increase in enforcement of the Foreign Corrupt Practices Act (“FCPA”), tax fraud, and money laundering laws, internal investigations into serious corporate compliance issues have become commonplace for global companies with a presence in the United States. One of the first issues that an investigation must address is the collection of information such as emails, text messages, documents, and spreadsheets. One critical question at this point is: how does one collect this information and bring it into the United States without violating non-U.S. privacy laws and other potential legal or regulatory impediments, such as blocking statutes?
The collection itself may not pose any technical or logistical issues. The company’s information technology (“IT”) department may be able to search the company’s servers for emails related to the conduct at issue. The IT department also may be able to collect the data itself, utilizing software programs previously installed on company workstations that can extract data from laptops and the company network around the world. Alternatively, the company may have outsourced part or all of its IT infrastructure to a third-party service provider. Third-party providers may have similar capabilities but often present more complex legal issues. These providers may maintain servers in locations outside the jurisdictions where the data at issue were created or received, and may control those servers or applications remotely from yet another jurisdiction (e.g., India).
2 Inside the FCPA Client Newsletter Summer 2014
If some information cannot be collected remotely, the company may be able to send outside counsel or other investigators into local offices to collect relevant data or documents. Outside counsel can also conduct on-site employee interviews. But even if the data collection is technically possible, it may still present certain legal challenges.
The legality of the collection depends on local privacy laws and related requirements in the various jurisdictions at issue. Before giving the green light to start an internal investigation, the company should identify the jurisdictions potentially at issue and review the local privacy requirements in those jurisdictions. This step is important because many countries have adopted local laws regarding privacy, data protection, wiretapping, bank secrecy, blocking, labor and employment, and other legal requirements (collectively, “Privacy Laws”) applying to data and document collection.
No company wants to violate the law in the course of a compliance investigation, particularly since violations of Privacy Laws can risk significant unintended consequences for the company and the investigation. For example, a Privacy Law violation might confer a private right of action upon the individuals concerned (regardless of whether they have committed the underlying violations), attract attention from data protection authorities, incur fines and injunctive relief, and create potential criminal liability for the company and participating individuals, such as corporate directors, officers, and managers.
This article provides a brief overview of the types of local Privacy Laws that may impact data and document collection in internal investigations involving non-U.S. jurisdictions, and outlines practical recommendations for how to address these regulatory risks.
Privacy and Data Protection
Many non-U.S. jurisdictions have comprehensive privacy and data protection laws that restrict the collection, handling, and transfer of any personally identifiable information about individuals (“Personal Data”). Perhaps the most significant comprehensive privacy laws are established under the European Commission Directive on the Protection of Individuals With Respect to the Processing of Personal Data (95/46/EC) (“EC Directive”). Although a significant review of the EC Directive is underway, each of the EU member countries has implemented the EC Directive through national laws, and the EC Directive will generally apply in the context of internal investigations affecting employees, consultants, consumers, customer contacts, investors, suppliers, or other individuals in the local jurisdictions.
For example, if a document or email contains the name of a local company employee, data about payments made or received by such employee, and the name of the third party payee or payor, then the document or email would contain regulated Personal Data about both the employee and the third party. The collection, use, and transfer of this Personal Data during the internal investigation would trigger a range of data protection requirements for the company. These requirements include obligations to: (i) ensure that there is a legitimate purpose to collect and use such data; (ii) provide a sufficient privacy notice to the affected individuals; (iii) obtain consent in some cases, particularly if the data is sensitive (which in some countries includes data about criminal behavior); (iv) maintain reasonable measures to protect the security and confidentiality of such data; (v) complete a filing with the local data protection authority describing the data collection and processing activities; and (vi) confirm that any international transfers of the Personal Data to the United States or other non-EU locations are properly subject to adequate protection.
An internal investigation may be delayed or frustrated if the company has not already satisfied these requirements before the investigation begins. For example, waiting until the commencement of the internal investigation to provide a sufficient privacy notice to individuals suspected of wrongdoing could lead to concerns about the potential for the destruction of evidence. Some individuals also may refuse to provide consent for the collection of data. Furthermore, given that data protection authorities may have 60 days or more under statutory deadlines to review new filings and may in practice take even longer than this, the company could be left waiting for government approval before proceeding with the investigation.
Additionally, data protection regimes in certain jurisdictions (e.g., Germany) often require consultation with data protection officers. These are employees of the company or external appointees who must report any data privacy violations by the company to the data protection authorities and, as a result, may have to be consulted as part of the collection process. The international transfer of Personal Data can also cause headaches for those working on the investigation. Data collected during the course of an investigation is often consolidated for review in a single jurisdiction (e.g., the United States). The transfer of Personal Data from other jurisdictions can cause issues if the company has not already taken steps to address the international transfer of Personal Data.
Some of these requirements may have already been addressed by the company’s existing global privacy compliance program, or may otherwise be managed in short timelines through practical compliance efforts. Similarly, the company may have addressed the additional complications that arise from outsourcing the maintenance of its IT infrastructure to a third-party service provider. Yet, it is still important to consider all of these requirements and identify any potential issues as early as possible.
Wiretapping and Electronic Communications
Many non-U.S. jurisdictions also have wiretapping laws and other requirements that prohibit or restrict the interception, review, or recording of electronic, telephone, or other communications. For example, a portion of the German Telecommunications Act may protect employees’ private emails from review or transfer by the company without employee consent. Violations of this law constitute a crime and the penalty may include up to five (5) years’ imprisonment.
Similarly, the Federal Constitution of Brazil, which applies to companies and other private sector actors, establishes a right to privacy and the inviolability of electronic and other correspondence. The Brazilian Communications Interception Act establishes further requirements for the process of intercepting, reviewing, and recording such communications. Violations of this law carry both civil and criminal penalties. In order to address these requirements, the company may only be able to collect and review communications for which it has obtained the express consent of the employee or, at minimum, provided a sufficient privacy notice to the employee.
Bank Secrecy and Common Law Confidentiality
Industry-specific secrecy or confidentiality requirements may apply to particular data depending on the company, the nature of the data, and the jurisdictions at issue. For example, healthcare data – particularly patient data – may be subject to separate regulations and may have stricter confidentiality requirements. Another example is Greek bank secrecy law, which prohibits local bank operations from sharing certain customer data with any of its affiliated companies or other third parties (including parent companies). This prohibition generally cannot be waived even with express customer consent, and violations of this requirement give rise to criminal penalties. Other jurisdictions have statutory or common law bank secrecy or professional confidentiality obligations that may apply to data gathered in an investigation. As part of the data collection process, the company may need to take steps to protect data before it is transferred to the parent company or otherwise.
Various jurisdictions have adopted “blocking” statutes specifically intended to restrict or prohibit investigations in or affecting the local territory. For example, the French Blocking Statute, subject to applicable treaties or international agreements, prohibits any person from: (i) requesting, researching, or communicating in writing, orally, or by any other means (ii) documents and information relating to economic, commercial, industrial, financial, or technical matters (iii) leading to the establishment of evidence for foreign judicial or administrative proceedings (or as part of such proceedings).
The terms and definitions in the French Blocking Statute must be considered carefully in the context of any investigation as they may apply more broadly than anticipated. For example, if data are collected and exported as part of an internal investigation in cooperation with the U.S. government, or if data are otherwise shared on an ongoing basis with the U.S. government, the French Blocking Statute may apply.
Labor and Employment Law
If the company has works councils or trade unions, it may need to consult these entities before starting to gather information. The company also may need to address any special terms in collective bargaining or other agreements. In some countries, other specific requirements may apply. For example, in Spain, it may be necessary to allow an employee representative to be present when an employee’s hard drive is imaged or when the employee’s workstation is searched. Violations of labor and employment requirements can lead to fines, practical difficulties with the company’s workforce, and in some cases, criminal liability for company officers.
Additionally, in certain jurisdictions the company must collect documents in a particular manner in order to use them in court (e.g., in a contested termination proceeding). In Spain, the collection may need to be overseen by a notary for the documents to be used in court against an employee. Failure to collect data appropriately may lead to its inadmissibility in court, making it difficult to successfully terminate employees who have engaged in unlawful behavior.
Other Legal Requirements
Additional requirements may apply depending on the jurisdiction at issue. For example, the People’s Republic of China (“PRC”) has adopted various requirements including the Law on Keeping State Secrets and the Regulations of Administration on Secrecy of Computer Information Systems. These requirements may apply to the collection of data and documentation about senior government officials and may restrict the collection and transfer of such information to the United States or other jurisdictions. As with the other categories of Privacy Laws described above, violations of these requirements in the PRC may give rise to criminal liability for corporate officers.
Although a variety of Privacy Laws apply to global internal investigations, companies can take several practical steps to assess and manage such risks. The starting point for the assessment is basic factual information about the investigation – such as the countries involved – and information about the company’s existing privacy compliance program.
The company may find that some Privacy Law obligations have already been addressed through privacy notices issued to affected employees, provisions embedded in its agreements with third-party service providers, filings with data protection authorities, or pre-existing cross-border transfer solutions (e.g., data transfer agreements or Safe Harbor certification).
Other obligations may be deferred for a short period of time to avoid concerns about destruction of evidence. It also may be possible to implement remediation measures addressing certain remaining regulatory risks (e.g., by implementing inter-company data transfer agreements). Other solutions to specific issues may involve keeping certain data from the investigation in-country or redacting Personal Data prior to transfer.
The specific solution will vary on a case-by-case basis, taking into account the jurisdictions, types of data, company operations, potential penalties, risk tolerance, and other factors at play. Perhaps the most important lesson, however, is that the best approach is for the company to conduct due diligence and get its “house in order” on global privacy issues before the need to conduct a global internal investigation arises.
Knowledge and the FCPA: Being Alert, Aware, and Responsive to Red Flags
By Lina A. Braude and Yuliya Kuchma, Washington, D.C.*
When the U.S. Congress enacted the Foreign Corrupt Practices Act (“FCPA”) in 1977, the public record revealed a debate over what should constitute “knowledge” of an improper payment under the anti-bribery provisions of the statute. There was no controversy over “actual knowledge” since it was clear that a company or individual could be culpable if he or she actually knew about a bribe scheme. However, Congress extended this concept to include what is known as “constructive knowledge.” According to the language of the statute, knowledge exists when a person is aware that a “result is substantially certain to occur” or a person has a “firm belief that such circumstance exists.” The term “knowing” includes the concepts of “conscious disregard,” “deliberate ignorance,” and “willful blindness.”
In essence, this means that a company, or one of its executives, could face criminal liability under the FCPA if signs of potential bribery, or “red flags,” are reasonably evident in a transaction and nothing is done to resolve the red flags. If the company, for example, learns at some point in the future that a bribe was paid, liability could arise even if no one at the company actually knew or intended for a bribe to be paid. Merely failing to address the red flags may facilitate allegations by U.S. authorities that the company or one of its executives violated the FCPA.
What types of red flags could indicate potential bribery? Consider when one company seeks to acquire another company that does business globally, including in countries viewed as high-risk from a corruption standpoint. U.S. authorities have opined that merely doing business in a corrupt country should be considered a red flag. Moreover, in the Bourke case, prosecutors persuaded a U.S. federal judge that it was appropriate to enter into evidence the fact that Bourke’s conduct took place in Azerbaijan, a country known for corrupt business practices. The court stated that the evidence demonstrated “that Bourke was aware of how pervasive corruption was in Azerbaijan generally.” While prosecutors introduced evidence that Bourke actually knew about the bribery of Azeri government officials involved in the proposed privatization of the Azeri national oil company, the court also permitted the jury to make a finding of “constructive knowledge.” The court determined that “a rational juror could conclude that Bourke deliberately avoided confirming his suspicions that [his business partners] may be paying bribes.”
With that background, assume that the target does significant business in a high-risk country through a distributor that sells primarily to customers that are government-controlled. Assume further that the distributor is responsible for obtaining key government approvals to sell the target’s products. In a pre-acquisition review, your company learns that the target never performed any anti-corruption due diligence on the distributor and, despite having compliance audit rights in its contracts with the distributor, the target never exercised such rights or conducted any form of compliance review. Before you determine what your company should do, consider the following recent FCPA matter resolutions.
Ignoring Red Flags Becomes Basis For $384M in Criminal Fines and Disgorgement of Profits for Alcoa, Based on the Actions of a Single Consultant/Distributor
On January 9, 2014, Alcoa World Alumina LLC, a majority-owned U.S.-based subsidiary of Alcoa, Inc. (“Alcoa”) pleaded guilty to violating the anti-bribery provisions of the FCPA and agreed to pay a criminal fine of $209M and forfeit $14M to settle charges by the Department of Justice (“DOJ”). Alcoa, Inc. itself agreed to pay $161M in disgorgement to settle civil charges levied by the Securities and Exchange Commission (“SEC”). The charges resulted from alleged corrupt schemes used by Alcoa subsidiaries to funnel money to foreign officials in Bahrain through a consultant/distributor in order to obtain business with a government-controlled aluminum smelter.
This case is notable because it is one of the first criminal FCPA enforcement actions against a company built on a “constructive knowledge theory,” described as one executive’s “conscious disregard” of red flags evidencing corruption-related misconduct.
The language of the plea agreement indicates that the government interpreted the direct delivery of alumina by an Alcoa subsidiary to the Bahraini end users, despite the existence of a distributorship agreement with the consultant, as a red flag. When an Alcoa executive was asked by the legal department about the purpose of a distribution agreement with the consultant’s entities, he responded that it was “something that the Bahrain Government wants and that Alcoa shouldn’t get too involved with how the Distributor and the Government interact.” Based on the distribution agreement, the consultant had the right to mark up prices on alumina from Alcoa to the end user.
The Alcoa subsidiary also sought and received approval to extend credit lines to the consultant’s entities even though the consultant refused to provide financial statements to Alcoa’s credit department. Allegedly, the credit lines were “significantly greater than those granted by Alcoa to any other third party.” The government claimed that by doing so, Alcoa “enabled the purported distribution scheme,” and that the red flags should have put Alcoa on notice that the distribution agreement was a sham. However, Alcoa failed to follow up on the red flags and entered into more distribution agreements. Both the SEC and DOJ asserted that Alcoa “consciously disregarded” the fact that the consultant’s role in Alcoa’s supply chain may have been to generate funds to pay bribes to Bahraini officials.
In each instance in which the government alleged that Alcoa’s subsidiary “consciously disregarded” red flags, there was evidence of legitimate commercial and legal arrangements. Nonetheless, where bribes have been paid over an extended period, the government’s review of the transactional history can be shaped by the evidence of bribery, leading investigators to, in some instances, interpret certain key events, statements, and documents to confirm their perception.
Failure to Recognize Red Flags Evidencing Potential Corrupt Practices at a Subsidiary Can Be the Basis for an FCPA Enforcement Action
On December 30, 2013, Archer Daniels Midland Company (“ADM”) reached a settlement with the DOJ and SEC of allegations under the FCPA relating to conduct by ACTI Ukraine, ADM’s indirect majority-owned Ukrainian subsidiary, and ACTI Hamburg, ADM’s majority-owned German subsidiary.
According to the case resolution documents, from 2002-2008, ACTI Hamburg and ACTI Ukraine engaged in multiple fraudulent schemes and paid third-party agents to channel bribes to Ukrainian government officials to obtain VAT refunds owed to ACTI Ukraine by the Ukrainian government. According to the documents, ACTI Hamburg and ACTI Ukraine paid vendors roughly $22M, nearly all of which was remitted to Ukrainian government officials. In exchange, ACTI Ukraine received over $100M in VAT refunds, to which ACTI Ukraine was legally entitled. The SEC and DOJ alleged that the VAT refunds obtained by ADM’s subsidiaries through improper payments gave ACTI Ukraine an undue business advantage, resulting in a benefit to ACTI Hamburg and ACTI Ukraine of roughly $41M.
The SEC charged ADM with violations of the FCPA books and records and internal control provisions and ordered it to pay $36.5M in disgorgement and prejudgment interest. In a parallel DOJ action, ACTI Ukraine pleaded guilty to one count of conspiracy to violate the FCPA anti-bribery provisions and agreed to pay a criminal fine of $17.8M. In addition, ADM entered into a non-prosecution agreement with the DOJ, apparently for ADM’s knowing failure to implement and maintain adequate controls over its subsidiaries’ use of third parties.
In contrast to the Alcoa case, ACTI Hamburg and ACTI Ukraine were allegedly aware of the misconduct. But there is no clear evidence that ADM, the parent company, was aware of the conduct of its subsidiaries. In holding ADM directly accountable through a non-prosecution agreement, the DOJ seemingly relied on a “constructive knowledge” theory. According to the non-prosecution agreement, “an ADM executive in the tax department sent an email to the head of the international tax organization” and stated that in order to recover $100M of the VAT refunds a Ukrainian subsidiary paid 30 percent to local charities. While it is clear that ADM’s executives were aware of some concerns related to legal procedures for obtaining a VAT refund, the case indicates how aggressively the DOJ will act to hold companies accountable where there is a failure to recognize and respond to red flags.
Prosecution of Weatherford for Internal Controls Violations is Equivalent to the DOJ Pursuing a Constructive Knowledge Theory for Bribery
On November 26, 2013, Weatherford International (“Weatherford”), a Swiss oil services company that trades its shares on the New York Stock Exchange, and its Bermudian subsidiary, Weatherford Services Limited, reached a settlement with the DOJ and the SEC for FCPA violations in Africa, the Middle East, and Europe. Weatherford allegedly obtained a dominant position and earned profits of $54.4M by bribing foreign officials. Weatherford and its subsidiaries agreed to pay $152M in fines and $65.6M in disgorgement, prejudgment interest, and civil penalties.
In this matter, the DOJ appeared to use the criminal prosecution of internal controls violations as an alternative to a “constructive knowledge” theory. The DOJ charged Weatherford International under the accounting provisions of the FCPA for the “knowing failure to implement internal accounting controls.” The deferred prosecution agreement, however, does not recite evidence of Weatherford’s knowledge of corrupt misconduct by its subsidiaries. Instead, in the case of the joint venture established by one of its subsidiaries in Africa, the DOJ stated that Weatherford did not conduct “any meaningful due diligence of either joint venture partner” even though the joint ventures were controlled by foreign officials and their relatives, nor did it investigate why the local entities were partners in the joint venture despite the fact that they “did not contribute capital, expertise or labor to the joint venture.”
The DOJ’s position is that Weatherford created “a permissive and uncontrolled environment” in which employees of certain of its subsidiaries “were able to engage in various corrupt conduct.” It appears from the deferred prosecution agreement that the bases for establishing criminal liability under the internal controls provisions consisted of Weatherford’s failure to conduct compliance due diligence on third parties and business transactions, failure to investigate allegations of illegal conduct, and failure to implement its policies at its subsidiaries and newly-established joint ventures. In other words, Weatherford failed to have an effective anti-corruption program, which led to a criminal violation of the accounting provisions of the FCPA.
Pre-Acquisition Due Diligence and Post-Acquisition Integration as Effective Safeguards
Returning to the original hypothetical acquisition of the target operating in a high-risk jurisdiction (mentioned at the outset of this article) and using third parties to interact with government-controlled end-users, what can companies do to protect themselves from FCPA liability? Appropriate due diligence of the target followed by prompt and comprehensive remediation and integration to ensure compliance with company compliance policies and procedures are critical tools to minimize the risk of criminal liability for post-acquisition improprieties. A failure to conduct such due diligence, in light of the cases described above, could expose your company to FCPA liability if it turns out that the target company has been paying bribes through its distributors or other third parties in the high-risk market.
The Resource Guide to the U.S. Foreign Corrupt Practices Act (issued jointly by DOJ and SEC in 2012) articulates “best practices” for pre-acquisition due diligence, including all of the following: (i) review of the target’s sales and financial data; (ii) review of its customer contracts, and its third party and distributor agreements; (iii) performance of a risk-based analysis of the target’s customer base; (iv) audit of selected transactions engaged in by the target; and (v) discussions with the target’s general counsel, vice president of sales, and heads of internal audit and compliance functions about corruption risks, compliance efforts, and any other corruption-related issues that have surfaced at the target over the past.
If any specific red flags are uncovered during the due diligence process, they must be properly reviewed to ensure that there is a sufficient understanding of the issues so that they can be resolved on a timely basis. And even if your review of any red flags fails to uncover actual corruption, the good faith efforts by the company to resolve any compliance-related concerns will make it less likely that U.S. authorities view any transactions in question as improper.
Recent enforcement actions demonstrate that even where direct knowledge of possible bribery is not evident, failure to implement effective mechanisms that would detect and prevent corruption may be interpreted by the DOJ as establishing “constructive knowledge,” resulting in enormous costs to a company. These cases also reaffirm the importance of being vigilant and maintaining a robust anti-corruption compliance program to avoid the proactive tactics of the DOJ and the SEC in FCPA enforcement.
*This article was modified from a piece co-authored by Ms. Braude and Ms. Kuchma, as published in Risk & Compliance Magazine (Jul-Sep 2014 issue).
©2014 Baker & McKenzie. All rights reserved. Baker & McKenzie International is a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm.
This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.