Money, Money – Who’s Got the Money?
By Rebekah Poston and Gregory Bates
When the economic going gets tough, multinational companies might be tempted to cut costs by cutting back on steps needed to comply with the Foreign Corrupt Practices Act (FCPA).
In 2008, the U.S. Department of Justice (“DOJ”) and Securities and Exchange Commission (“SEC”) collected more than $924 million in combined penalties from corporations and individuals for FCPA violations. And lead DOJ Prosecutor Mark Mendelsohn recently – and pointedly – noted that even though the global economic crisis presents “a grave challenge in the fight against foreign bribery … companies need to be especially vigilant in this economic climate not to cut back. Our law enforcement efforts are not going to be scaled back, and so it would be, I think, a grave mistake for a company to take that path.”
Instituting policies and procedures that implement the Guidelines and practicing effective due diligence are two bedrock fundamentals of FCPA compliance and risk mitigation.
The FCPA has two principle sets of provisions: the anti-bribery and accounting provisions.
The anti-bribery provisions make it unlawful for certain classes of persons and entities to act corruptly in furtherance of an offer, promise, authorization, or payment of anything of value to a foreign official, or foreign political party, official, or candidate for the purposes of securing any improper advantage, or assisting in obtaining or retaining business for, or directing business to any person. The anti-bribery provisions also make it illegal to offer, promise or authorize the payment of anything of value to anyone when the payor, promisor or authorizer knows that all or a portion of the thing of value will pass on to the foreign official, or foreign political party, party candidate or party official.
The anti-bribery provisions apply to issuers, domestic concerns, certain foreign nationals or businesses, and anyone who commits a proscribed act within the U.S. An issuer is a U.S. or foreign corporation that has issued securities registered in the U.S. or who is required to file periodic reports with the SEC. A domestic concern is anyone who is a U.S. citizen, national, or resident, or any entity with its principal place of business in the U.S. or organized under the laws of a U.S. state, territory, possession or commonwealth. In addition, U.S. corporations may be held liable for acts of foreign subsidiaries for violations of the anti-bribery provisions where they authorized, directed or controlled the activity in question.
The accounting provisions require issuers to make and keep books and records that accurately and fairly reflect transactions and dispositions of the issuer’s assets and prohibit the falsification of such books and records. The accounting provisions also require issuers to maintain a system of internal controls sufficient to provide reasonable assurances that:
- (a) transactions are executed in accordance with management’s authorization;
- (b) transactions are recorded as necessary to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and maintain accountability for assets;
- (c) access to assets is permitted only in accordance with management’s authorization; and,
- (d) the recorded accountability for assets is compared with the existing assets at reasonable intervals, and appropriate action is taken with respect to any differences.
Finally, the accounting provisions prohibit the circumvention or failure to implement such a system of internal controls.
The accounting provisions only apply to issuers and directors, officers, employees, and stockholders or agents acting on an issuer’s behalf. Issuers may be held strictly liable for the actions of their controlled subsidiaries. Where an issuer holds fifty percent or less of the voting power with respect to a subsidiary, the FCPA requires only that the issuer proceed in good faith to cause its subsidiary to keep accurate books and records and maintain a system of internal accounting controls to the extent reasonable under the circumstances.
Violations of the FCPA carry substantial penalties. In respect to violations of the anti-bribery provisions, individuals face criminal fines of up to $250,000 under the U.S. Code’s alternative fines provision, five years in prison, or both, while corporate entities face criminal penalties of up to $2 million per violation.
Violations of the books and records and internal controls provisions carry even greater penalties when committed with willful, criminal intent. Individuals who criminally violate these provisions face up to twenty years in prison, a $5 million penalty, or both, while corporate entities face up to a $25 million fine per violation. In addition to these financial penalties, the alternative fines provision can balloon the financial penalty to twice the gain or loss derived from the unlawful conduct, whichever is greater. It is important to note that entities may not pay the fines imposed on individuals for conduct undertaken on the organization’s behalf.
Both the anti-bribery and accounting provisions also carry civil penalties. The anti-bribery provisions’ civil penalties include fines of $10,000 per violation. The accounting provisions’ civil penalties include substantial fines, profit disgorgement, loss of prejudgment interest, administrative proceedings, and injunctions as well as banning individuals from serving as officers or directors in a public company. In respect to anti-bribery violations, companies face additional repercussions upon conviction that include debarment from federal contracts.
Finally, if fines and prison terms weren’t enough, how do you feel about asset seizure and forfeiture and third party lawsuits?
The DOJ has developed an appetite for seizing bank accounts, wherever they may be, if they hold funds that have either passed through or lodged themselves in a U.S. bank. Defendants in such actions have forfeited more than $100 million since 2007. Second, just when you think it’s safe to go back into the water after you’ve settled up with the Feds, along comes a plaintiff’s attorney who files a civil action based on tort and breach of contract theories, where the alleged civil wrong occurred as a result of FCPA-related conduct. In these cases, protracted and expensive civil litigation further adds to the cost and misery of an FCPA nightmare.
FCPA compliance is a must if you engage in international business. Operating a compliance and ethics program that meets the Guidelines’ expectations should be every organization’s baseline objective. For an organization to demonstrate it has an effective program, the Guidelines require the organization to exercise due diligence to prevent and detect criminal activity and to promote an organizational culture that encourages ethical behavior and a commitment to lawful conduct. The Guidelines provide that a program minimally requires the following seven characteristics.
1. The organization must “establish standards and procedures to prevent and detect criminal conduct.”
2. The organization’s governing authority (e.g., the board of directors) must be knowledgeable about and reasonably supervise the program. High-level personnel (i.e., individuals with substantial control over the organization or policy making) must ensure that the organization has an effective program and that specific high-level personnel are assigned overall program responsibility. Specific individuals must be responsible for the program’s day-to-day operations. Individuals with operational responsibility for the program must report periodically to high-level personnel and, as appropriate, to the governing authority or an appropriate subgroup of the governing authority (e.g., the audit committee) on the program’s effectiveness. These individuals must “be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup.”
3. The organization must use reasonable efforts to not empower substantial authority (i.e., the ability to exercise a substantial measure of discretion in acting on the organization’s behalf) in any individual whom it “knew, or should have known…engaged in illegal activities or other conduct inconsistent with an effective” program.
4. The organization must “take reasonable steps to communicate periodically and in a practical manner its standards and procedures” to the governing authority, officers and employees, and, as appropriate, agents and other third parties.
5. The organization must take reasonable steps to guarantee that the program is followed, including monitoring and auditing to discover unlawful behavior, to evaluate from time to time the program’s effectiveness, and to publicize a system that may include methods of communication that provide for anonymity or confidentiality, thus enabling employees and third parties to “report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.”
6. The organization must promote and consistently enforce the program through appropriate performance incentives and commensurate “disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.”
7. “After criminal conduct has been detected,” the organization must “take reasonable steps to respond appropriately…and to prevent further similar criminal conduct, including making any necessary modifications” to the program.
Finally, in addition to these seven elements, the Guidelines require that the organization “periodically assess the risk of criminal conduct” and take “steps to design, implement, or modify each requirement” to reduce the risk of unlawful conduct.
The Guidelines’ commentary indicate that while each of the seven requirements must be met, the specific course of action to meet them may vary based on industry practice, applicable government regulation, the organization’s size, and a history of similar misconduct. An organization’s failure to implement and follow applicable industry practice or governmental regulation weighs against the finding of an effective program. In respect to size, larger organizations generally must “devote more formal operations and greater resources” than smaller organizations. Smaller organizations, however, must demonstrate the same degree of commitment to ethical and lawful conduct as larger ones, but may do so “with less formality and fewer resources.”
The DOJ and SEC have stressed the need to conduct due diligence on anyone acting on behalf of an entity subject to the FCPA. The government has backed up these words by bringing enforcement actions against companies, their officers and employees, and third parties where the lack of due diligence contributed to FCPA violations. Indeed, no or ineffective due diligence is a recipe for disaster in the government’s FCPA enforcement cook book.
Simply put, due diligence should be conducted on anyone whose actions may expose the organization to FCPA liability. While common law agency will ultimately govern, the acts of employees, officers and directors, joint-venture partners, targets acquired in a merger, and third parties, such as agents, consultants, distributors, marketing representatives and freight forwarders, all can impute FCPA liability to an entity for which they act.
There is no one right way to conduct due diligence. Due diligence is a potpourri of tasks that include FCPA-tailored risk and awareness application materials; interviews, and scrutinizing answers provided thereto; background checks to assess a reputation/history of illegal activity; consulting a third party (such as the local U.S. Embassy’s Foreign Commercial Service section, local counsel, etc.) to provide reliable local information; using a forensic accountant to review books and records to evaluate high risk transactions or suspect patterns of transactions; visiting the office of your third party; documenting the services provided by third parties; and targeted review of email, electronic, and hard copy files, all comprise elements of an effective due diligence plan. If any red flags appear during the due diligence phase, they must be investigated until you are reasonably satisfied you do not have an FCPA concern. Finally, due diligence must be documented.
The government has suggested that FCPA due diligence is not a one-size-fits-all undertaking. For example, degrees of diligence may reasonably vary from industry to industry, and location to location. An industry closely regulated by a foreign government deserves greater caution than one that is less regulated. Similarly, operations in a country that has a reputation for high corruption will require proof you performed greater diligence than in a country where you do business that is less corrupt.
As with the breadth and scope of due diligence, the timing may also vary. In all instances, to the degree possible, due diligence should be done prior to entering into a relationship with a person or entity that will act on your behalf. Due diligence also should be performed periodically throughout the relationship. Periodic due diligence may be done at a contract’s renewal, annually, semi-annually, or even quarterly in instances where heightened FCPA-compliance concerns dictate such a course of action. Finally, additional due diligence should also be undertaken if the business relationship changes (e.g., you acquire a former agent).
Once you have satisfied your due diligence, you need to implement the next steps in mitigating potential FCPA exposure. Suggested courses of action include providing your third party agents with a copy of your anti-bribery code of conduct. Be sure it’s in their native language and that it references the FCPA. Require them to read it and execute an acknowledgment that they will abide by it. Include in this acknowledgment FCPA-specific representations and warranties attesting to past compliance and covenants promising future compliance. If possible, negotiate as part of your third party contracts the right to inspect and audit the books and records of your agent. Be certain to include termination rights.
In the high stakes and high risk world of international business, it’s all about mitigating exposure. Proactively meeting the Guidelines’ mandates and adhering to the due diligence best practices discussed above are your best tools to avoid sleepless nights due to an FCPA nightmare.
About the Authors
Rebekah J. Poston, a partner at global law firm Squire, Sanders & Dempsey, focuses her practice on defending complex US and non-US criminal cases and immigration and nationality law, with particular focus on the Foreign Corrupt Practices Act (FCPA). She has written corporate compliance programs and conducted FCPA trainings, audits and investigations for Fortune 500 companies and conducted numerous corporate internal investigations around the globe.
Squire, Sanders & Dempsey associate Gregory Bates focuses his practice on FCPA and OFAC compliance and corporate internal investigations, as well as criminal and commercial litigation matters.
The authors can be contacted using the following email addresses: rposton[at]ssd[dot]com and gbates[at]ssd[dot]com.)