The FCPA Blog, in an article entitled “NSA spying also linked to FCPA enforcement,” reported that the National Security Agency (NSA) has engaged in economic espionage for the benefit of the United States and perhaps others. The FCPA Blog quoted a story from the American Spectator, entitled “Rise of the Surveillance State,” by James Bovard. One of the items which Bovard discussed is the program monikered ‘Echelon,” which he described as “a spy satellite system run by the National Security Agency along with the United Kingdom, Australia, New Zealand and Canada. Echelon reportedly scans millions of phone calls, e-mail messages, and faxes each hour, searching for key words.” In another blog post, entitled “Will Snowden leaks scuttle joint U.S.-EU anti-bribery enforcement?,” the FCPA Blog noted that “Der Spiegel reported that the NSA typically monitored about 20 million German phone connections and 10 million Internet data sets a day, and up to 60 million phone connections on busy days. The magazine said in France the U.S. taps about two million data connections per day.”
Apparently this program is also used for Foreign Corrupt Practices Act (FCPA) enforcement. Bovard wrote that “A February report by the European Union alleged that Echelon has been used for economic espionage. Former CIA Director James Woolsey told a German newspaper in early March that Echelon collects “economic intelligence.” One example Woolsey gave was espionage aimed at discovering when foreign companies are paying bribes to obtain contracts that might otherwise go to American companies. Woolsey elaborated on his views in a condescending March 17 Wall Street Journal op-ed, justifying Echelon spying on foreign companies because some foreigners do not obey the U.S. Foreign Corrupt Practices Act. To add insult to injury, Woolsey noted there’s “no reason for U.S. companies to steal backward Europe’s secrets.” Isn’t it comforting that (1) our former CIA Director not only thinks, but speaks so highly of our allies and (2) the U.S. stance on the surveillance policy of foreign businesses when the U.S. claims the Chinese are stealing trade secrets through computer hacking. It reminds me of Claude Rains shouting to Humphrey Bogart, “I am shocked, shocked to discover gambling is going on!”
But it turns out that such espionage has been going on for quite some time. Severin Wirz, writing in TRACE International’s blog, in a post entitled “The NSA, the FCPA and Parallels of History”, reported that as far back as 2000, the U.S. was engaging in such spying for FCPA enforcement. He wrote, “Back in 2000, in a speech before the Foreign Press Center, former director of the Central Intelligence Agency R. James Woolsey told the audience point blank that the government spied on European company Thomson-CSF (now Thales Group) to determine if that company had paid bribes to the Brazilian government, and he said that the same was done of Airbus to determine if it had been bribing a Saudi official. “That’s right, my continental friends, we have spied on you because you bribe,” Woolsey announced.”
Implications for FCPA Enforcement?
What are the implications for continued vigorous enforcement of the FCPA and indeed other anti-bribery/anti-corruption legislation going forward? It may have just become much more difficult. In an article in the July 1 edition of the Financial Times (FT), entitled “Europeans fume of U.S. spying allegations,” reporters Chris Bryant, Joshua Chaffin and Scheherazade Daneshkhu wrote that “A diplomatic dispute over surveillance deepened yesterday as European ministers reacted with disbelief and fury to reports that EU offices had been bugged by U.S. intelligence services.” They further noted that “The latest revelations could complicate efforts to forge a transatlantic trade agreement in which differing U.S. and European approaches to data privacy are expected to be among the stumbling blocks.” Put another way, if the U.S. government is engaged in spying on European companies and individuals, in addition to European governments, will European countries be interested in cooperating against bribery and corruption by European companies going forward?
Implications for the Compliance Professional
What are the implications for the compliance professional? For a more Orwellian prediction, John Batchelor, in an article entitled “ NSA Scandals: FCPA Compliance Game Changer?” has this chilling prediction, “Currently it takes months or years to develop a solid FCPA case and most of those end up with fines and some type of penalty. Could that change to a new way of enforcement where the government targets a company, identifies corruption, gathers evidence, and instead of going through the motions, simply calls them to schedule a meeting, slapping a fine and a series of actionable tasks for the company in question? It’s not happening now, but that is a question.” It would seem to do away completely with the concept of due process so I would discount this scenario as unlikely.
However, Batchelor does point out that such government oversight might well occur in countries which are known or perceived to be high risk for corruption. He says, “Under the FCPA we focus on anti-bribery, however, with our current emphasis on national security, I think there is a serious question to ask for any company that operates in high CPI areas where terrorist cells or money laundering outfits to terrorist cells operate.” From this premise, Batchelor poses several topical inquiries which you should consider now, they include: “How well do you know your agents? How well do you know their relationships? How well do you know the companies they are affiliated with? Are there red-flags that low-level DPL type screenings might not uncover?”
I believe that the revelations which came out last week will make the compliance professional’s job more difficult, but that difficulty may well be due to the backlash against not only the massive collections of data that the U.S. government is obtaining through its surveillance programs but also the arrogance shown in statements, similar to those quoted in the American Spectator, from former CIA Director Woolsey. I believe that there are three general areas which will negatively affect U.S. compliance professionals.
First, is in the area of data access. Edward Luce, in a June 9 FT article, entitled “Obama has hurt himself and business over privacy,” said that the “U.S. is losing credibility in its goal of trying to stop the Internet from balkanizing into separate national frameworks.” While Luce discussed this in terms of the U.S. criticism of “the great firewall of China,” a U.S. investor might think about the Securities and Exchange Commission’s (SEC’s) struggle to get China to agree to allow auditors to provide data to the U.S. consistent with U.S. securities laws, or laws which the SEC enforces, such as the books and records component of the FCPA.
Second, what about data privacy? I think that the acknowledgement of the U.S. surveillance programs will lead other countries to toughen up their data privacy requirements. This means that the compliance professional will be faced with an even more bewildering set of data privacy requirements to deal with to accurately access a company’s compliance program. For the intelligence angle, Luce quoted Ira Hunt, the CIA’s chief technology officer, for the following “Since you can’t connect the dots you don’t have…we fundamentally try and collect everything and hang on to it forever.” However, we now know that this surveillance was also used for other law enforcement issues such as enforcement of the FCPA. While foreign governments cannot legislate privacy as to the data collected by the U.S. government, they certainly can do so vis-à-vis U.S. companies doing business in their jurisdictions or home-domiciled foreign companies which are subject to the FCPA through a U.S. subsidiary.
Indeed this very issue is now in the forefront of EU-U.S. trade negotiations. In another FT article on June 9, entitled “Data scandal clouds trade talks”, Hannes Swoboda, leader of the socialist members of the European Parliament, was quoted as saying “With all the information that we’ve found out in the recent days about how easily the US spies on people’s private data I think it will be difficult for the Americans to oppose a strong data protection agreement.” The article notes that many of the rules proposed for EU data protection are opposed by US companies because “their business models would be damaged.”
Lastly, what about jurisdiction and the FCPA? Currently if a banking transfer goes thought the U.S. banking system, FCPA jurisdiction attaches. While it has not yet been tested, several commentators have spoken about information which might be saved on servers based in the U.S. So what if information appears on Google or through a Google-search or on Facebook? Now take the next step and ask, if there is data mining, which strikes pay dirt, could that create or even portend jurisdiction?
Great Board Oversight Required?
A colleague of mine Phil Wedemeyer, had another take on it, which I found equally interesting. Phil is a retired former partner of a Big Five accounting firm (when there was a Big 5); the former Director of the Office of Research and Analysis at the Public Company Oversight Accounting Board and currently sits on the Board of Directors of two corporations; one public, where Phil is the Chairman of the Audit Committee, and one private. As you might guess from someone with such a professional background, Phil tends to view things through the prism of an audit perspective. He questioned whether this information about the US government could put an additional burden on not only the compliance practitioner but on a board of directors? When I asked him what he meant by this, he questioned if a company had reliable information that the US government was employing oversight techniques to search for evidence of bribery and corruption (or non-compliance with other laws or regulations) beyond more traditional law enforcement techniques (e.g., whistleblowers, self-disclosure and competitor reporting); should this cause that company to increase its oversight of compliance with the FCPA? In particular, more intrusive and comprehensive government monitoring activity could increase the chances of discovery of the types of illegal activities at lower levels of the company that is one of the primary objectives of whistleblower procedures and that may not always be known to upper level management. Further, if so, would this change in risk put a director on notice that they need to perform additional oversight of the compliance function?
Where does all of this go? I do not subscribe to the notion that it is the end of western civilization as we now know it because the reality is that gentlemen do open other gentlemen’s mail (or email). But I think things in the compliance world just got a lot harder. There are many bruised egos and feelings across the Atlantic about now. The U.S. depends on cooperation with many governments in enforcement actions where there is an international aspect, which, by nature, all FCPA enforcement actions are. The cooperation may not dry up but it may slow down, particularly if foreign governments think that the U.S. is targeting some of their major business entities in a manner which they cannot do so themselves. But I think that at least the European response will be to tighten up privacy and data protection laws so that it makes it much harder for the U.S. compliance practitioner to do his or her job. As Grace Slick said at Woodstock, “It’s a new dawn.”
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2013