On November 14, 2012, the U.S. Department of Justice (“DOJ”) and the U.S. Securities and Exchange Commission (“SEC”) issued joint guidance on the Foreign Corrupt Practices Act (“FCPA”). In general, the FCPA prohibits offering to pay, paying, promising to pay, or authorizing the payment of money or anything of value to a foreign official in order to influence any act or decision of the foreign official in his or her official capacity or to secure any other improper advantage in order to obtain or retain business. 15 U.S.C. § 78dd-2(a). The “FCPA: A Resource Guide to the U.S. Foreign Corrupt Practices Act” (“Guide”) issued by the DOJ and SEC provides thorough details on when the FCPA applies, how the DOJ and SEC enforce the law, the severe penalties imposed for violations, and general best practices for businesses of all sizes to follow to avoid violating the FCPA. While the Guide is not binding legal authority, it does clarify ambiguities in the FCPA through examples and elaborations on the terms in the FCPA.
This article summarizes the Guide’s new recommendations on effective compliance programs that businesses should adopt to detect and prevent FCPA violations. With this guidance, businesses with existing anti-bribery and corruption policies should review their programs to reflect the best practices issued by the DOJ and SEC, and businesses without such policies and programs should strongly consider adopting anti-bribery and corruption policies if they are engaged in any international commerce where they may interact with a “foreign official” (e.g., government agents and state employees including, for example, government buyers, health care professionals working with state-run hospitals, and customs and port authorities).
Importance of FCPA Compliance Programs
An FCPA compliance program is the best defense to FCPA liability. A comprehensive FCPA compliance program includes an internal anti-bribery and corruption written policy, often issued in conjunction with a company’s code of conduct or other employee handbooks, as well as marketing/sales, accounting, and customs protocols to detect and prevent FCPA violations (such as monitoring of payments made to foreign officials and employee training) and disciplinary procedures. Once actually applied to employees, an effective compliance program promotes “an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” Practically speaking, an effective compliance program is the first step in preventing FCPA violations that can incur significant criminal fines of up to $2 million per violation as well as civil fines of up to $16,000 per violation. Not only could an FCPA compliance program prevent violations by educating employees on the law, but if a violation should occur, the DOJ and SEC will consider a company’s preexisting compliance program as a mitigating factor in determining the appropriate penalties, if any. Indeed, in November 2012, Charles Duross, Deputy Chief in charge of the DOJ’s FCPA team, commented that if an FCPA violation is “a one-off situation, companies should not be punished” if they had “a robust compliance program and internal controls.”
The Guide provides that an effective compliance program is “well designed,” “applied in good faith,” and simply “works.”
An FCPA compliance program is only effective if well-constructed, written, and consistently enforced. But there are no “cookie-cutter” compliance programs, as the Guide recommends that the compliance program be tailored to the specific business’s size, activities, industry, and risk factors. For example, pharmaceutical and medical device companies will have unique compliance programs under the FCPA (addressing how the company should interact with health care professionals) while other manufacturers need to ensure compliance throughout their supply chain. Indeed, the Guide considers compliance programs that have merely “check-the-box” provisions and are otherwise not tailored to the business to be inefficient and ineffective at preventing violations (and hence, such programs will most likely not be considered a mitigating factor when imposing penalties).
Finally, the FCPA is merely one anti-bribery and corruption law. Other similar laws exist too, such as the U.K. Bribery Act 2010, and within the U.S., the U.S. Travel Act, 18 U.S.C. § 1952, and state restrictions on paying or giving of anything of value to government officials. An anti-bribery and corruption program should be designed broadly to encompass these other commercial bribery laws.
Senior Management Commitment
The Guide suggests that an FCPA compliance program starts from the top of the company – the board of directors and senior management of the company should create the “culture of compliance” by also adhering to the program. A compliance program that applies only to sales personnel, for example, is ineffective. The DOJ and SEC will consider whether senior management has “clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.” An anti-bribery and corruption policy could, for example, start with a letter from an executive or director highlighting the culture of compliance at the company, and more importantly, apply the company’s policies to all employees and directors of the company.
Most anti-bribery and corruption policies will have provisions on the following topics at a minimum, further tailored to the business:
- Use of third parties
- Use of facilitating and expediting payments (e.g., grease payments)
- Restrictions on gifts, travel, and entertainment expenses
- Restrictions on charitable and political donations
- Auditing practices
- Accounting and recordkeeping policies
- Documentation policies regarding transactions, contracts, etc.
- Approval procedures for certain transactions
- Disciplinary procedures
Like any employee policy, a code of conduct, an anti-bribery and corruption policy, and other FCPA compliance policies and training material must be clear, concise, and accessible to all employees. Multi-national companies should consider translating these documents into the local language of their overseas employees. Finally, these documents need to be continuously updated as necessary.
Oversight and Autonomy
A specially designated committee (or even an individual ombudsman) should be assigned responsibility for oversight of the FCPA compliance program. The committee or ombudsman should implement the compliance program, train employees as necessary, address questions regarding the application of the policies to specific transactions, and enforce the compliance program.
An FCPA compliance program is only effective if all employees are cognizant of their responsibilities. The Guide suggests that companies train employees with hypotheticals and case studies to show how the company’s compliance programs apply in practice.
Employees need to be encouraged to report suspected violations, even anonymously if necessary. An anti-bribery and corruption policy should list the investigative and disciplinary procedures the company has for violations or suspected violations of the FCPA and other laws. As noted above, even the board of directors and senior management must be held accountable for violations.
Subsidiaries, Affiliates, and Other Third Parties
The Guide explains in depth that the DOJ and SEC will enforce the FCPA against companies even where the illegal conduct was by an agent, consultant, distributor, or other third party on behalf of the company. The Guide confirms existing agency law, stating that a parent is also liable for any foreign or domestic subsidiary’s actions if there is an agency relationship under the doctrine of respondeat superior. To the extent a company is involved in mergers and acquisitions, the Guide suggests that an acquiring company conduct risk-based due diligence before acquiring any company. An acquiring company should have protocols in place to conduct pre-acquisition due diligence on any possible FCPA violations, as these pre-existing violations can carry forward to impose post-acquisition FCPA liability on the acquiring company.
An anti-bribery and corruption policy should therefore apply to all third parties engaged in conduct with or on behalf of the company, as well as any subsidiaries, given the scope of corporate liability imposed by the FCPA.
Response to Violations
An effective FCPA compliance program has three phases: prevention, implementation, and response. As summarized above, a company should adopt written, tailored, and publicized policies on anti-bribery and corruption with the goal that employees will avoid illegal conduct. Next, these policies must be implemented, which may include training and certifications. Many companies also periodically assess compliance with internal policies through randomly selected samples of transactions with foreign officials. Other companies may employ software to check for red flags in transactions with foreign officials or apply risk-based compliance assessments that look to specific risk factors (such as geographic factors) or benchmarks (such as transactions that meet a certain set of criteria) to target limited evaluation resources where risks are greatest. An FCPA compliance program should evolve with the company and industry best practices. Since no compliance program is foolproof, if an FCPA violation arises, the company’s response may lower its penalties. All suspected violations should be thoroughly and independently investigated by the investigative committee or ombudsman (and sometimes, by outside investigators). Under the FCPA, a company may voluntarily disclose violations, and the DOJ and SEC will consider a company’s cooperation and remediation (along with its preexisting compliance programs) before imposing penalties, if any.
The DOJ and SEC have been enforcing the FCPA regularly, often imposing significant penalties. Accordingly, with the new Guide, businesses should strongly consider revisiting their anti-bribery and corruption policies to, hopefully, stop violations before they occur. The Guide confirms that the best defense to FCPA liability is a comprehensive compliance program and internal controls.