The arduous process of FCPA compliance requires risk teams to digest and cross-reference a morass of information – from internal data analysis to human representatives collecting interviews on the ground. Diligence failures can bring about both enforcements and missed opportunities.
As U.S. authorities, namely the U.S. Department of Justice (DOJ) and U.S. Securities and Exchange Commission (SEC), state in their written Foreign Corrupt Practices Act (FCPA) compliance guidance: “[C]ompanies that conduct effective FCPA due diligence on their acquisition targets are able to evaluate more accurately each target’s value and negotiate for the costs of the bribery to be borne by the target. In addition, such actions demonstrate to DOJ and SEC a company’s commitment to compliance and are taken into account when evaluating any potential enforcement action.”
In this article, the authors provide an overview of the FCPA and the implications for corporate liability in the parent-subsidiary and mergers and acquisition contexts. They also provide practicable and actionable compliance advice regarding how to conduct effective and efficient compliance and ESG diligence, how to synergize these traditionally separate work streams, and how to mitigate and remediate any issues that may arise during diligence such that your transaction is defensible before the U.S. authorities and other stakeholders.
FCPA: Parent Subsidiary and M&A Liability
The FCPA prohibits U.S. companies and issuers of securities trading on a U.S. exchange from making or promising to make corrupt payments to foreign government officials in order to obtain or retain business. This prohibition extends to anyone acting on behalf of the company, under the company’s control or at the company’s direction, including officers, directors, employees, agents or shareholders. Under the FCPA’s books and records provisions, issuers are required to maintain books, records and accounts that accurately and fairly reflect the company’s transactions, and the issuer must devise a system of internal accounting controls sufficient to provide reasonable assurances that the issuer’s financial statements are accurate. Companies considering an acquisition should be mindful that they could be liable for the acts of their subsidiaries and their newly acquired entities.
Parent Subsidiary Liability
A parent company may be liable for a subsidiary’s misconduct (i) where the parent actively participated in or otherwise directed the misconduct or (ii) under traditional agency principles where the parent is deemed to control the subsidiary. When assessing whether the parent company “controls” the subsidiary and where the subsidiary is acting as the parent’s “agent,” U.S. authorities will look to “the practical realities of how the parent and subsidiary actually interact.”
Indicia of Control includes:
- Size of ownership interest
- Right to increase ownership to gain majority or effective control
- Special voting or veto rights
- Ability to direct, implement or control strategy or operations
- Right to appoint board members or senior management
- Reporting lines and channels back to the owner
- Consolidated books and records
In January 2014, the SEC asserted that two Alcoa subsidiaries were the parent company’s agents. Alcoa owned 60 percent of each subsidiary, appointed three out of five directors to each subsidiary’s board, controlled the “strategic council” responsible for setting each subsidiary’s strategy and policy, had reporting lines from the subsidiaries back to the parent and consolidated the subsidiaries’ books and records into the parent company’s financial statements.
Furthermore, where an issuer owns less than 50 percent of the voting equity of another company, it must “proceed in good faith to use its influence, to the extent reasonable under the issuer’s circumstances, to cause [compliance with the FCPA’s books and records provisions].” In the case of Eni S.p.A., the parent company owned 43 percent of the subsidiary but was deemed to have control. The subsidiary was subject to Eni’s “direction and coordination” under Italian law; Eni had “change of control” protections that enabled it to remain the controlling minority shareholder; and the subsidiary’s financial results were consolidated into the parent’s. Furthermore, the subsidiary’s CFO participated in the bribery scheme and continued to participate in and conceal the misconduct when he subsequently became CFO of Eni. Similarly, in Bell South, the SEC asserted that where the parent company held 49 percent of the equity with the right to acquire an additional 40 percent interest, the parent company had “operational control” and “the ability to cause [the subsidiary’s] compliance with the FCPA.”
“Successor liability applies to all kinds of civil and criminal liabilities, and FCPA violations are no exception.” Indeed, U.S. authorities frequently bring enforcement actions against acquirers for the target’s misdeeds.
Most recently, in 2021, John Wood Group, Plc. (“Wood”) paid $177 million in settlements to Brazilian, U.K. and U.S. law enforcement in order to resolve an investigation into historical misconduct at its recently acquired subsidiary. In 2011, the target engaged agents to corruptly obtain internal, confidential information that the target used to win a public tender from Petrobras, a state-owned oil company. Wood knew that the target was under investigation prior to the 2017 acquisition but proceeded with the transaction nevertheless.
In another example, in 2017, the SEC brought charges where the acquirer failed to detect that the target’s Indian subsidiary engaged an agent to corruptly obtain 30 licenses and approvals (some of which were backdated) to build a factory. The Indian subsidiary did not have a written contract with the agent, and there was not any documentary support evidencing the services allegedly performed. The acquisition closed Feb. 2, 2010, and the newly acquired subsidiary’s misconduct occurred between February 2010 and July 2010.
As responsible investing initiatives become increasingly prevalent, various stakeholders expect acquirers to consider ESG risks. ESG diligence requires qualitative research and should be aligned with leading ESG and human rights standards, such as the U.N.’s Guiding Principles on Business and Human Rights and the U.N.’s Principles of Responsible Investment. Practically, ESG diligence should be fully integrated with integrity diligence focused on financial crime issues, given the overlapping skillsets and source networks involved in collecting and analyzing relevant information. Such an approach often results not only in cost savings but also in a reassessment of ESG risks because many existing commercially available ESG ratings are overly reliant on self-reported policies and disclosures rather than facts on the ground.
Due Diligence Best Practices
Diligence Plan and Risk Assessment
A well-crafted diligence plan can serve to assess and mitigate financial crime risks and advance the acquirer’s ESG initiatives. Pre-acquisition diligence should be focused such that the acquirer can form a view of the target’s risk profile and include the following questions:
- Compliance and Control Infrastructure: Are the target’s policies and procedures adequately designed? Are employees and high-risk third parties (see below) appropriately trained? How are the control functions (legal, compliance and audit) resourced? Has the company conducted a risk assessment? Has an external or internal audit recently tested any of the key compliance controls?
- Corporate Governance and ESG: Who is on the board? What issues are escalated to the board? Have there been any allegations of wrongdoing or breaches of the target’s internal policies? Does the target have any material outstanding litigation or investigations? Is the target’s supply chain free from child and slave labor? How does the target’s operations impact the environment? Is there any adverse media coverage related to the target?
- Government and Regulatory Touchpoints: What licenses, permits or regulatory approvals does the target need to conduct its business? Who obtained these approvals? Who is responsible for government relations? Are there any lobbying efforts, political contributions, or political engagement — either directly or through a trade association?
- High-Risk Customers: To whom is the target selling its products or services? Are there any governmental or state-owned enterprise customers? If so, how is that business typically awarded? Who is responsible for maintaining relationships with customers? What (if any) gifts, hospitality, entertainment, travel, corporate sponsorships or charitable donations are connected to sales efforts?
- High-Risk Jurisdictions: Does the target have sales or operations in any high-risk jurisdictions? Who oversees sales and operations in high-risk jurisdictions? What (if any) gifts, hospitality, entertainment, travel, corporate sponsorships or charitable donations occur in high-risk jurisdictions?
- High-Risk Third Parties: Do the target’s third parties engage them to interact with governmental entities, state-owned enterprises or government officials? Does the target rely on sales channel partners, such as wholesalers, distributors, resellers, joint venture partners, locally sourced content providers, customs clearing agents or freight forwarders? Who are the target’s key suppliers, and where are they located? What are the targets processes for diligencing and contracting with high-risk third parties?
Conducting the Diligence
U.S. authorities state that the standard of “appropriate due diligence is fact-specific and should vary based on industry, country, size and nature of the transaction, and the method and amount of third-party compensation.” While helpful contextually, this guidance is a moving target that lacks granularity and does not include prescriptions for what sources or methods to use when conducting diligence or what to look for when choosing a provider. Consequently, these decisions often fall to deal counsel.
Choosing a Provider
When choosing a provider, it is important to be cognizant of the inherent reputational and corruption risks involved in obtaining information from the opaque jurisdictions where probing diligence is most necessary. There have been instances of unscrupulous diligence providers subcontracting work to unvetted investigators, who have proceeded to make illegal payments to government officials in attempts to obtain closely held corporate records or litigation filings. To mitigate this risk, a diligence firm should be transparent regarding which personnel are managing the project, conducting the research and interviewing sources. Ideally, the diligence provider is using its own full-time employees rather than outsourced or part-time contractors.
Importance of Human Intelligence — Boots on the Ground
Diligence approaches range from a “light touch” desktop search of public records to enhanced diligence that includes boots-on-the-ground records retrieval and discreet interviews of individuals. The diligence scope should be risk-based and tied to factors that are unique to the transaction, for example: whether the firm is acquiring a controlling or a minority interest, the risk-profile of the relevant jurisdiction(s), the industry risk-profile and the nature and extent of reputational exposure. When appropriate — and particularly in regions of the world where public records are often unavailable or inaccurate or where leading press outlets are subject to extensive censorship — the scope should include discreet interviews with human sources. Human intelligence collection can be an invaluable way to triangulate information, separate rumor from fact, contextualize the credibility of publicly reported allegations, comment on the likelihood of litigation or investigation and ascertain the extent of reputational and compliance risks posed by a potential counterparty. There is a downside to human source collection if diligence providers are overly reliant on a single source or are unable to corroborate commentary across multiple conversations.
(At a minimum, every level of diligence should include thorough research of global sanctions and watch-list databases to ensure that the targets and their associated companies and shareholders are not named therein. These lists, however, are reactive rather than proactive tools. Once sanctioned, parties tend to change names or otherwise modify their ownership structure to ensure they remain free to transact globally and especially in U.S. dollars. Consequently, the absence of hits on watch lists or sanctions database screening tools should not be interpreted as an unqualified green light for engagement with a given counterparty.)
Due diligence reports should attribute commentary to the greatest extent possible while maintaining the anonymity of sources. This attribution should provide the reader with an indication of the number of sources who share a particular viewpoint, the perceived credibility of those sources based on the accuracy of information they have historically provided (and whether they are in a position to know what they claim to know) and the diligence provider’s degree of confidence in the commentary. Furthermore, diligence reports should clarify whether allegations are coming from a single, specious source (such as a blog or a social media post of unknown provenance) or whether they are unimpeachable facts based on disclosure of closely held information in litigation. The report should provide a nuanced analysis of the credibility of the underlying allegations, for example, whether a business rival owns the newspaper making the allegations or whether the target’s opposition to the ruling party has exposed them to unwarranted innuendo or prosecution.
Timely Escalating Red Flags
In an ideal scenario, diligence providers and legal counsel have a symbiotic relationship; the former gathers facts and collects intelligence, while the latter advises how to mitigate the legal and reputational consequences posed by those facts. Communication throughout the diligence process is essential to ensure appropriate scope to address specific transactional risks and to manage time frames for diligence completion. Additionally, periodic informal check-ins allow potential red flags to be addressed as early as possible in the deal’s life cycle. Identifying potential issues early on may afford the acquirer an opportunity to restructure the deal in order to ring-fence specific risks or to re-price the transaction entirely because of problematic facts.
Transaction documents should have risk-based compliance with laws representations and warranties, audit rights and annual compliance certifications. In higher-risk joint venture agreements, the acquirer could consider adding compliance call and put options that enable the acquirer to immediately exit from the investment or to force its partner(s) out of the venture should a material compliance breach occur.
Case Studies: How to Address, Mitigate and Remediate Red Flags
The following case studies provide examples of real-life scenarios that underscore the value of conducting robust due diligence supplemented by on-the-ground inquiries.
Example 1: Third-Party Agent in China
A multinational engineering firm conducting diligence on a target decided to investigate the activities of the target’s small third-party agent and introducing company in Gansu, a province in northwestern China. Following an anonymous whistleblowing tip, and given the remoteness of the province and the inherent exposure to government officials when operating in China, the acquirer was concerned that the individuals behind the agent were not who were being presented to them.
After reviewing the previously provided information about the agent’s purported owners and directors, the diligence provider pulled the official Association of Industry and Commerce (AIC) records available on the agent in Gansu. The two did not correlate. Further analysis of the AIC filings and other publicly available material proved that the information the agent had provided to the acquirer was false. Further, when the provider investigated the actual individuals behind the introducing agent (as per the official AIC records) some discreet on-the-ground inquiries established these individuals had no track record whatsoever in the engineering sector.
As a result, the acquirer determined that it would not be able to use the introducing company to obtain business in China after closing and assigned no value to the business obtained by the introducing company.
Example 2: Reputational and Supply Chain Risk
A U.S. investment firm engaged a diligence provider via outside counsel to conduct a diligence investigation in a proposed credit transaction. The borrower was a North American manufacturing firm that provided raw materials to the cosmetics sector. In 2015, an international advocacy organization’s report stated that the borrower was sourcing minerals from conflict zones in Afghanistan and Pakistan, actions facilitated by the direct payment of protection money to ISIS and the Taliban.
The diligence firm investigated the credibility of the original claims, which included exhaustive public records research and on-the-ground inquiries with sources in the region. The diligence firm established with a high degree of confidence that payoffs to armed groups were continuing. Furthermore, an analysis of import/export data and conversations with sources in Pakistan determined with a high degree of confidence that traders at various in-country commodities markets were deliberately misrepresenting the nature and origin of raw materials in order to convince major suppliers that the minerals in question were not sourced from conflict zones.
As a result, the investment firm decided not to advance the loan.
Example 3: Joint Venture Investment
A company was considering an equity investment in the Middle East where the proposed joint venture partner’s non-executive director was a Jordanian national. The individual in question formerly served as mayor of a large Jordanian municipality, and in this role, he had been subject to numerous allegations of graft, corruption and negligence. Accordingly, several lawsuits and investigations were launched into his tenure as mayor, most of which had received widespread media coverage.
On-the-ground inquiries, however, painted a much different picture. A diligence report clearly established that all of the litigation and official investigations had been dropped for lack of evidence and were widely considered to have been part of a politically motivated smear campaign by a then-rival politician.
As a result, the company determined that it could move forward with the investment and the joint venture partner.
Robust pre-transactional diligence enables acquiring companies to manage legal, reputational and ESG risks. Moreover, these risks often raise business issues impacting the ultimate transaction price and structure because the acquiring company may not be able to continue certain of the target’s business lines or practices post-closing.