Summary and Analysis
A full year after promising written guidance regarding enforcement of and compliance with the Foreign Corrupt Practices Act, the U.S. Department of Justice and the Securities and Exchange Commission issued on November 14, 2012, A Resource Guide to the U.S. Foreign Corrupt Practices Act (the "Guidance"). The 120-page document has been rightly criticized for offering little new by way of substance. Instead, the Guidance is primarily a compilation of restated policy pronouncements issued by enforcement authorities in other contexts. While it addresses "big picture" FCPA issues, the Guidance is notable primarily for what it does not say, belying the assertion by the Assistant Attorney General that the publication constitutes "perhaps the boldest manifestation of [the government's] transparent approach to enforcement."
The Guidance: What It Says
The Guidance does not break new ground by offering any new policy pronouncements, but it does contain useful guidance for companies seeking to comply with the FCPA. The Guidance provides a comprehensive and easily read summary of government policy on the FCPA. It also pulls together into a single location guidelines that had not previously been stated clearly by U.S. enforcement authorities and guidelines that had only been stated orally. And, in certain respects, the Guidance provides a vehicle for the DOJ and SEC to state explicitly certain policies that otherwise must be teased out of anecdotal information arising from corporate prosecutions.
Permissible Business Courtesies. Corporate compliance departments often spend enormous amounts of time and effort on defining the proper limits to and approving expenditures on travel, entertainment, and gift-giving involving putative foreign officials. When a company is doing business in a foreign country with substantial government involvement in the private economy, the FCPA provides little statutory basis for distinguishing between prohibited corrupt payments and legitimate corporate hospitality (all of which is intended to influence the recipient foreign official). Although the amounts at issue tend to be small, the frequency with which the issue arises is high, and the available government guidance on the issue has been scant.
While the Guidance does not answer all of the nagging questions relating to business courtesies, it does for the first time provide a government-sanctioned framework for evaluating corporate hospitality. To start, the Guidance explicitly recognizes the legitimacy of the practice, stating that "[a] small gift or token of esteem or gratitude is often an appropriate way for business people to display respect for each other." (pg. 15) On the other end of the spectrum, the Guidance states obviously that improper benefits include such things as "a $12,000 birthday trip for a government decision-maker" and a "trip to Italy for eight" officials consisting "primarily of sightseeing" and including "$1,000 in 'pocket money' for each official." (pg. 16)
Most helpfully, the Guidance identifies the specific "hallmarks of appropriate gift-giving" as being that the gift is:
- "[G]iven openly and transparently,"
- "[P]roperly recorded in the giver's books and records,"
- "[P]rovided only to reflect esteem or gratitude, and"
- "[P]ermitted under local law."
(pg. 15) In addition, the Guidance specifically suggests that organizations, particularly large ones, use automated systems "with clear monetary limits and annual limitations" in implementing compliance programs related to "routine gifts, travel and entertainment." (pg. 58) Together, these aspects of the Guidance provide a road map to companies seeking to avoid "[d]evoting a disproportionate amount of time to policing modest entertainment and gift-giving," thereby freeing the compliance department to focus on more significant expenditures and risk areas. (pg. 58)
Likewise with respect to travel, the Guidance provides useful advice to companies seeking to comply with the FCPA's affirmative defense for "reasonable and bona fide travel and lodging expenses … related to the promotion, demonstration, or explanation of a company's products or services." (pg. 24) As with gifts, this is an area where companies have been hard-pressed to set limits that will withstand government scrutiny. The Guidance therefore gathers together and clearly states the safeguards that it has deemed in the past to be appropriate in relation to travel expenditures:
- Do not select the particular officials who will participate in the party's proposed trip or program or else select them based on pre-determined, merit-based criteria.
- Pay all costs directly to travel and lodging vendors and/or reimburse costs only upon presentation of a receipt.
- Do not advance funds or pay for reimbursements in cash.
- Ensure that any stipends are reasonable approximations of costs likely to be incurred and/or that expenses are limited to those that are necessary and reasonable.
- Ensure the expenditures are transparent, both within the company and to the foreign government.
- Do not condition payment of expenses on any action by the foreign official.
- Obtain written confirmation that payment of the expenses is not contrary to local law.
- Provide no additional compensation, stipends, or spending money beyond what is necessary to pay for actual expenses incurred.
- Ensure that costs and expenses on behalf of the foreign officials will be accurately recorded in the company's books and records.
(pg. 24 (footnotes omitted)).
The examples that the Guidance provides regarding gifts, travel, and entertainment are equally instructive. In the form of hypotheticals, the Guidance advises readers that the FCPA is not violated when representatives of a U.S. company:
- Pay for a "moderate bar tab" for customers, including government officials at an industry trade show.
- Present "a moderately priced crystal vase" to the General Manager of a government-owned customer "as a wedding gift and token of esteem."
- Cover business class airfare for employees of a government customer to inspect company facilities in the United States, consistent with internal company guidelines for reimbursing the cost of lengthy international flights.
(pgs. 17-18) By contrast, the Guidance states that the FCPA obviously would not permit first-class airfare for the officials to travel, with spouses, to Las Vegas on a vacation. All of the above is consistent with prior guidance from DOJ and SEC but is nonetheless helpful in its specificity. In particular, the Guidance's use of internal policies as a yardstick for the reasonableness of travel expenses (in this example, class of travel) ratifies a common compliance practice of treating expenditures for visiting officials in a manner similar to a company's own employees.
Corporate Mergers and Acquisitions. The Guidance likewise suggests important best practices to be followed regarding a company's merger with or acquisition of other companies. The most significant developments in this regard are the Guidance's advice regarding the liability an acquiring company does, and does not, acquire in a merger or acquisition and the use of due diligence to minimize that successor liability.
Successor Liability. In the Guidance, the DOJ explicitly recognizes the applicability of several important limitations on successor liability. First, the Guidance recognizes that if a U.S. "issuer were to acquire a foreign company that was not previously subject to the FCPA's jurisdiction, the mere acquisition of that foreign company would not retroactively create FCPA liability for the acquiring issuer." (pg. 28) This, of course, merely restates a basic premise of corporate and criminal law. It is, however, one that is regularly misunderstood, and the inclusion in the Guidance can only help to clarify the matter.
Second, the Guidance seems to recognize implicitly that an acquiring company should not become responsible for the prior violations of an acquired company with which it does not merge. The Guidance proposes a hypothetical fact scenario in which "Company A" does not discover bribery by "Company B" until after its acquisition, notwithstanding "extensive due diligence." Once it discovers the bribery, however, Company A "makes certain that the illegal payments stop, … voluntarily discloses the misconduct to DOJ and SEC," and implements robust remedial compliance measures. Under these circumstances, the Guidance opines: "Absent unusual circumstances not contemplated by this hypothetical, DOJ and SEC are unlikely to prosecute Company A for the pre-acquisition misconduct of Company B, provided that Company B still exists in a form that would allow it to be prosecuted separately (i.e., Company B is a subsidiary of Company A)." (pg. 33)
Under the facts of this hypothetical, the Guidance reaches the correct legal conclusion regarding the consequences of pre-acquisition conduct by a corporate entity that has not been merged into the acquiring company. That is, as to actions that took place entirely before the acquisition, the new sole shareholder (i.e., the acquiring company) does not become liable merely by virtue of the corporate transaction. The Guidance potentially comes up short, however, in recognizing that some unspecified "unusual circumstances" could exist under which the acquiring company would become liable for the pre-acquisition conduct of the acquired company. Assuming that these "unusual circumstances" are sufficiently circumscribed, though, the Guidance confirms an important safeguard to companies seeking to limit properly their responsibility for the pre-acquisition conduct of their subsidiaries. It also acts as a reminder of the importance in this context of maintaining the corporate separateness of acquired subsidiaries.
The corollary lesson to be drawn from this aspect of the Guidance is that an acquiring company that discovers pre-acquisition misconduct at a subsidiary has a strong incentive to remedy the conduct and disclose it voluntarily to authorities. If the DOJ and SEC are taken at their word, an acquiring company minimizes the exposure to itself (and, by extension, to its directors, officers, and employees) when it draws a clear distinction between itself and the misbehaving subsidiary in these circumstances, and when it assists the government in bringing an action against the subsidiary. This encouragement of self-disclosure is not accidental.
Risk-Based Due Diligence. The Guidance provides specific and detailed advice regarding the steps a company can take to minimize its liability in the context of a merger or acquisition. The Guidance states that "DOJ and SEC encourage companies engaging in mergers and acquisitions to" take the following steps:
Conduct thorough risk-based FCPA and anti-corruption due diligence on potential new business acquisitions;
- Ensure that the acquiring company's code of conduct and compliance policies and procedures regarding the FCPA and other anti-corruption laws apply as quickly as is practicable to newly acquired businesses or merged entities;
- Train the directors, officers, and employees of newly acquired businesses or merged entities, and when appropriate, train agents and business partners, on the FCPA and other relevant anti-corruption laws and the company's code of conduct and compliance policies and procedures;
- Conduct an FCPA-specific audit of all newly acquired or merged businesses as quickly as practicable; and
- Disclose any corrupt payments discovered as part of its due diligence of newly acquired entities or merged entities.
(pg. 29) Here again, the Guidance does not depart from what has been apparent DOJ and SEC policy in recent years, but helpfully makes that policy explicit, providing companies with a readily-available checklist for pre-acquisition and post-closing diligence.
Duress Defense. The Guidance provides comfort for companies facing the infrequent, but significant, circumstance of "real threats of violence or harm to their employees." The Guidance assures those companies that "payments made in response to imminent threats to health or safety do not violate the FCPA," provided they are properly recorded in the books and records of the company. (pg. 27) While companies presumably would have reached the same conclusion as a purely practical matter, it is helpful for the DOJ and SEC to recognize as much.
This defense, according to the regulators, has some important limitations. As the Guidance and pre-existing policy make clear, DOJ and SEC do not consider threats of economic harm sufficient to justify corrupt payments to foreign officials. (pg. 27) And, the Guidance is silent on the question of whether payments in response to threats of physical violence could be prosecuted as violations of other laws, such as the prohibition against supporting designated terrorist organizations.
Corporate Compliance Programs. The Guidance provides a list of so-called "Hallmarks of Effective Compliance Programs." The "hallmarks" are a summary of guidance contained in prior publications, including the DOJ's U.S. Attorney Manual, the SEC's Seaboard Report, the Federal Sentencing Guidelines, and Press Releases. (pgs. 56-61; endnotes 302-326) The Guidance, however, also includes fairly detailed guidance regarding the government's expectations for effective programs by including reference to what many practitioners would call "best practices" in some areas. Looking at this guidance from a different angle, a compliance program that fails to include these "hallmarks" may be viewed skeptically by the DOJ and SEC. The "Hallmarks of Effective Compliance Programs" are as follows:
- A proper "tone at the top" with the board of directors and senior executives demonstrating a commitment to compliance that is reinforced and implemented by middle managers and employees at all levels of the company. This should include unambiguous communication from senior management about the requirements for compliance that is "scrupulously followed" and disseminated throughout the organization. (pg. 57)
- The code of conduct should take into account the company's specific business model and be written, clear, concise, accessible to all employees and agents, and available in local languages. (pgs. 57-58)
- At least one senior executive, who has authority within the organization and autonomy from management, should be responsible for the oversight and implementation of the company's compliance program. (pg. 58)
- Risk assessment should drive decisions about the amount of human and financial resources allocated to the program, and the management of those resources. Attention should focus on risks associated, for example, with large government bids, questionable payments to third-party consultants, or excessive discounts to resellers and distributors rather than low-risk activities, such as modest entertainment or gift-giving. (pgs. 58-59)
- Periodic training on compliance policies and procedures should be provided to all directors, officers, relevant employees, and, where appropriate, agents and business partners. Moreover, specific audiences in higher risk functions should receive targeted and specific training. (pg. 59)
- There should be appropriate and clear disciplinary procedures that are applied "reliably and promptly" and should be commensurate with the severity of the conduct. A company should be providing positive incentives to employees in all functions for compliant conduct, and include related standards in employee performance criteria. (pgs. 59-60)
- There should be policies and procedures relating to the risks associated with third-parties, including the capacity for on-going monitoring and the ability to address any "red flags" that may surface during the course of the third-party relationship. (pgs. 60-61)
- An effective compliance program provides a mechanism for the reporting of suspected wrongdoing, protects whistleblowers from retaliation, and has in place an efficient, reliable, and properly funded process for investigating the allegation. (pg. 61)
- An effective compliance program "constantly evolve[s]" to reflect the changes to the company's business over time, including changes to the environment in which the company operates, the nature of its customers, the laws that govern the company's actions, and the standards of the company's industry. As a result, management should at least annually conduct a formal review of the effectiveness of the program and address any weaknesses. (pgs. 61-62)
For a company whose compliance program contains these "hallmarks" of effectiveness, the Guidance provides some encouragement, stating that the DOJ "may decline to pursue charges against a company based on the company's effective compliance program, or may otherwise seek to reward a company for its program, even when that program did not prevent the underlying FCPA violation that gave rise to the investigation." (pg. 56)
However, the Guidance notes that "individual companies have different compliance needs" and that "there is no one-size-fits-all program." (pg. 57) Importantly, the Guidance still leaves it to the company to determine what "reasonable" internal controls are. (pg. 58) Moreover, when determining what compliance controls are "reasonable," a company should be mindful that an effective compliance program is one that addresses risk, is implemented fully, and is enforced consistently, as a program that merely "employ[s] a 'check-the-box' approach may be insufficient." (pg. 57)
Books and Records Provisions. The Guidance confirms that the DOJ and SEC continue to view the books and records provisions of the FCPA as separate and distinct from bribery violations under the FCPA. The Guidance notes that the provisions apply to any circumstance in which the company's books and records do not accurately reflect the company's assets, liabilities, and transactions. It also reiterates the importance of recording transactions with reasonable detail. The Guidance emphasizes that mischaracterizing transactions in the company's books and records has facilitated concealment of bribe payments in past cases. The Guidance provides examples of bribes that were mischaracterized on a company's books and records:
- Commissions or Royalties
- Consulting Fees
- Sales and Marketing Expenses
- Scientific Incentives or Studies
- Travel and Entertainment Expenses
- Rebates or Discounts
- After Sales Service Fees
- Miscellaneous Expenses
- Petty Cash Withdrawals
- Free Goods
- Intercompany Accounts
- Supplier/Vendor Payments
- "Customs Intervention" Payments
The Guidance: What It Doesn't Say
Perhaps most important for corporations and their counsel in assessing the DOJ and SEC's guidance is to understand what the document does not say. Certain questions are, unsurprisingly, left unanswered. Many of these are matters of judgment while others are areas that the DOJ and SEC simply chose to leave vague, giving the government the most discretion possible in later enforcement actions.
Credit for Self-Reporting. One question not clearly resolved by the Guidance is what value or credit entities receive for self-reporting a potential FCPA issue to the government. The Guidance points to broad factors listed in pre-existing guidance such as the Sentencing Guidelines, DOJ's Principles of Federal Prosecution of Business Organizations and the SEC's Seaboard Report. What the Guidance does not do is provide any kind of measurement for how cooperation will be assessed or what credit will be given, and it does not address the conclusion of many (including a recent NYU study) that there is no observable difference in penalties between cases that are self-reported and those discovered by the government on its own.
Clients that are considering whether to self-report potential violations of the FCPA are in much the same boat that they were before the Guidance was released. There is no legal requirement to self-report violations of the statute. The DOJ and SEC warn corporations that they will be treated more harshly if they fail to self-report, and more leniently in a self-reporting scenario. But the objective evidence and the experience of investigative and defense counsel during investigations suggest that the outcome of an investigation depends most heavily on the seriousness of the underlying facts, and less on whether or not the company self-reported those facts. For example, the six examples of declinations cited in the Guidance were all self-reported, but they also involved amounts that were characterized by the government as small (or detected before the payment was made). (pgs. 77-79) The outcome also depends, at least in part, on the views of the individual prosecutors or regulators who are leading the inquiry, what other similar cases have recently been decided, timing, and many other factors that affect every government investigation.
Nonetheless, in our experience self-reporting still can have significant value. It is not the right answer in every case and is a decision that requires careful evaluation of the facts and circumstances by the company's leadership. In our experience, self-reporting impacts the dynamic between the company and the U.S. government throughout the course of the review. Self-reporting casts current management and the board of directors in the best possible light under difficult circumstances, giving defense counsel an opportunity to show the government at the very start of the review that the company wishes "to do the right thing." DOJ and SEC tend to give a self-reporting company more latitude in deciding how to get to the bottom of the facts, and at least facially they attempt to work with the company and its counsel to reach an appropriate and just resolution that takes into account the company's self-reporting. Individual corporate leaders or board members frequently take comfort, in a self-reporting setting, that their own conduct will be viewed in light of the decision to self-report. Moreover, the new Dodd-Frank whistleblower provisions have also impacted the dynamic in deciding whether to self report because of the possibility that a whistleblower will go to the government in advance of the company.
The dark side of self-reporting, of course, is that DOJ and SEC will look harshly at facts that present potential violations of the statute no matter how the case came to their attention. They will ask questions about when the company learned of the facts, how it responded, how long it took for the company to self-report, and whether adequate remediation was performed. They may also ask the company to expand an investigation that is already broad and expensive. And, at the end of the matter, the DOJ and SEC will want significant penalties for companies where violations occurred, whether or not the case began with self-reporting.
Corporate Exposure Resulting from Third Parties, JVs, and Others. General concepts of agency, piercing the corporate veil, and successor liability apply to the FCPA no less than to any other regulatory statute. DOJ and SEC also will pursue corporations on theories of conspiracy and aiding and abetting in appropriate cases.
The Guidance identifies common red flags associated with third-party transactions from which the government may infer willful blindness. The list includes examples such as excessive commissions to third-party agents and unreasonably large discounts to third-party distributors. As discussed above, the strength of a company's corporate compliance program (or the absence thereof) should play a major role in any analysis of the imputed knowledge issue.
Where a subsidiary involves itself in an FCPA violation, the Guidance makes it clear that DOJ and SEC will not hesitate to proceed against the corporate parent. Unless the parent directly participates in the violation, a case of that kind often will turn on whether the officers and agents of the parent essentially controlled the actions of the subsidiary. Any analysis of that issue will be heavily fact-intensive. It is therefore not surprising that the Guidance offers scant clarification of what facts will and will not suffice to prove control. Based on the one example cited, heightened risk certainly will arise where the subsidiary's president serves on the parent's senior management team, where the parent's in-house lawyers review and approve the subsidiary's third-party relationships, where that approval ignores a documented lack of due diligence, and where one of the parent's officers approves a corrupt payment. Whether the parent would face liability absent the latter approval is far more difficult to say—and not addressed by the Guidance.
The Guidance also fails to distinguish between a due diligence review of an agent or a distributor on the one hand and a customer or a supplier on the other. Although customers and suppliers are mentioned in many non-prosecution agreements and deferred prosecution agreements as "business partners," companies may have thousands of customers and suppliers, rendering it unrealistic to conduct the same type of due diligence of such entities as would be required for an agent or a distributor. Furthermore, the Guidance does not create a compliance defense. A corporation may conduct a due diligence check of a third party as part of a robust corporate compliance program and still be liable for an FCPA violation committed by that party.Given the widely publicized, massive recoveries in recent cases arising from corrupt payments by intermediaries of joint ventures, it is somewhat surprising that the Guidance does not explicitly caution corporations against the dangers arising from such ventures. In a joint venture setting, conspiracy principles may pose the greatest risk, but those principles have their limits. On page 12, and again at page 34, the Guidance cites Pinkerton v. United States , 328 U.S. 640, 647-48 (1946), and carefully notes that conspiracy liability (and jurisdiction premised on that liability) cannot extend beyond "reasonably foreseeable" acts of co-conspirators in furtherance of a substantive offense. These concepts of foreseeability and reasonableness are firmly rooted in both international law and American due process. They may ultimately curb some future prosecution of a company that prefers to seek a ruling, rather than a settlement.
Prosecutorial Discretion. While the Guidance provides substantial insight into how certain factual scenarios and statutory terms may be viewed by DOJ and SEC, it makes plain that the publication is not binding on line prosecutors or staff attorneys and creates no new substantive rights for targets or defendants. Essentially, prosecutors and regulators retain the right to exercise prosecutorial discretion which may well vary between offices and individuals. Unfortunately, the Guidance does not establish bright line guidance to restrict potentially over-broad interpretations of statutory terms and jurisdictional boundaries.
How the Guidance Interacts with UK Bribery Act Guidance
The Guidance makes it plain that there will be occasions when strict compliance with the FCPA will not necessarily ensure compliance with other national legislation. In particular, it cites the UK Bribery Act 2010 ("UKBA") and notes that the UKBA does not make an exception for facilitation payments whereas the FCPA does.
This is not the only difference between the two regimes. We offer a table on page 9 of the attached PDF that sets out a simplified comparison between some of the key areas covered by the two Acts.
There will also be occasions when a corporate entity potentially has liability under both the FCPA and the UKBA. The case of Innospec, which is referred to on a number of occasions within the Guidance, is an example of a company that had to deal both with the DOJ and the UK Serious Fraud Office.
The following is a brief summary of the major legislative provisions of the UKBA. The UKBA creates three general offenses:
- Paying a bribe, contrary to section 1 UKBA;
- Receiving a bribe, contrary to section 2 UKBA; and
- Bribing an overseas public official, contrary to section 6 UKBA.
The offenses of paying a bribe (section 1) and receiving a bribe (section 2) apply equally to transactions with private individuals as they do to transactions with government officials.
Additionally, any corporate entity that carries on any part of its business in the UK commits an offense in violation of section 7 UKBA if it fails to prevent persons associated with it from committing acts which, if committed in the UK, would constitute offenses contrary to sections 1 and 6.
There is no statutory definition of what constitutes carrying on "a part of" a business in the UK. Guidance issued by the UK Ministry of Justice suggests that a bare listing on a UK exchange would not be sufficient to satisfy the test, but the UKBA is drafted widely and there is, to date, no case law to assist corporations and their advisors in deciding where the bar is likely to be set.
The definition of "associated persons" is likewise broad. It includes employees, agents, consultants and joint venture partners.
The only defense available to a corporation facing prosecution for the section 7 offense is that it had in place adequate procedures to prevent bribery. The UK Ministry of Justice has issued guidance on what constitutes "adequate procedures."
FCPA Enforcement and Compliance: Where We Go From Here
In the hours (and even the minutes) following the release of the Guidance, commentators quickly issued pronouncements regarding whether or not the guidance will change the landscape of FCPA enforcement and compliance. Similar to the desire of the media to declare a "winner" in a presidential debate, publications offered immediate opinions on whether or not the Guidance will alter how companies behave or how prosecutors and regulators will evaluate those companies and corporate leadership and employees.
In our view, the Guidance is critically important because it represents the official words of the U.S. government regarding FCPA interpretation. The role of counsel, now, whether in an investigation or compliance setting, is to understand what the Guidance says and to help companies interpret it in light of counsel's experience and judgment. The Guidance is not, however, a complete "how to" guide that companies can use to solve all of their issues and questions in the area of anti-corruption. It is a tool that must now be used and considered carefully, and which counsel can use on companies' behalf when making arguments to DOJ and SEC about how the company tried to comply.
At the end of the day, corporations are best positioned against corruption, however, not through adherence to a publication from DOJ or SEC, but through thoughtful and reasonable assessment of the risks attendant to their business, drafting and communicating effective policies that address those risks, monitoring compliance with policies, enforcing rules when policies are violated, and ensuring that issues of non-compliance are considered and addressed responsibly. When this cycle is complete, companies should "rinse and repeat" and begin the process again through a living, breathing compliance structure that leadership supports and employees understand and embrace.
As defense and investigative counsel, it is the paradox of our role that the best result for our clients—the end of the investigation and the resolution of compliance issues—makes us obsolete. This comes with the territory, and the best clients know and understand that our work is designed to remove outside counsel from the process as quickly, efficiently, and early as possible so that the company can focus on running its business. While the completion of the review to the benefit of the client is always our goal, we do not believe, however, that the Guidance eliminates the difficult issues that companies must address, and many questions remain even after examining the guidance in detail. As always, we stand at the ready to assist our clients in working through these issues and to improve each client's position.