When it comes to FCPA compliance and enforcement, myths and misconceptions abound. I’m not surprised to hear them from foreign business people with limited exposure to the FCPA. I am more concerned when I hear them in boardrooms, from the very executives most often exposed to individual liability under the law. These myths sometimes reflect a mere lack of knowledge about the FCPA. Other times they flow from a more “active” misunderstanding of the law – when employees hear what they want to hear and misconstrue rules in the most convenient way possible.
FCPA misconceptions are dangerous and compliance officers should be alert to them. A compliance program’s value depends on everyone understanding the rules to mean the same thing. This article overviews several common FCPA myths related to compliance and enforcement.
1. “Our third party is big and reputable, so we don’t need to vet it.”
Shady, unknown agents and consultants in foreign territories create obvious risk under the FCPA. But third-party intermediaries that are large and established – and their employees – can violate the law too. Just ask Baker Hughes – it settled an FCPA action with the SEC when KPMG paid a bribe to Indonesian officials to reduce the tax liability of its Indonesian subsidiary from $3.2 million to $270,000. Similarly, Pride International, Tidewater Marine, Transocean, Shell and others used the well-known Swiss freight forwarder Panalpina, only to learn that the firm was making payments to customs officials in Nigeria on their behalf. All wound up with FCPA issues.
When relying on larger, established third parties in high-risk jurisdictions, it is particularly important to vet the local operations of these global entities. The local units might not share the same reputations or control structures as headquarters. They might also rely on local partners, who might themselves engage in wrongdoing.
2. “We don’t need to perform due diligence on our lawyers.”
Companies too often assume that their foreign lawyers are exempt from third-party due diligence and monitoring. After all, lawyers are usually bound by stricter codes of ethics and can usually lose their licenses if they engage in corruption. But lawyers have been involved in numerous FCPA enforcement violations. In Stryker, a lawyer served as a conduit for a $46,000 improper payment to Mexican officials so that the company could retain a contract. The TSKJ joint venture in Nigeria, which spawned the series of “Bonny Island” FCPA enforcement actions for improper payments to win EPC contracts, relied on a British lawyer, Jeffrey Tesler, to serve as the bagman. Certain roles for lawyers are high-risk by their very nature, such as when they serve as intermediaries with regulatory or judicial officials (including judges). In some jurisdictions, lawyers have especially poor reputations.
3. “Employees that don’t interact with foreign officials don’t need compliance training.”
Anti-corruption compliance training should not stop with “front-office” employees who interact with foreign officials. Other employees can be pulled into schemes even if they have no connection to an official. Some employees might manage third parties that interact with officials on the company’s behalf, and they should be prepared to spot red flags. Employees in finance manage the accounting controls that help a company spot corruption and that ensure compliance with the FCPA’s accounting provisions. Legal positions are particularly important to a compliance infrastructure, even if their occupants never leave the United States. As such, tailored FCPA training should be given to a wide range of employees to ensure that they know the rules, understand how their functions support FCPA compliance and know where to report knowledge of violations. One of my favorite compliance mantras is: “Everyone is a Controller.”
4. “We have a policy, so we’re fine.”
Executives sometimes think it is enough to adopt an FCPA policy and communicate it to their company’s employees. Unfortunately, that is not the view of enforcement officials. The DOJ and SEC say that there must be a significant check on the back end, too – through testing, monitoring and audits – for a program to be fully effective. It is not enough to promote compliance rules and blindly expect employees to follow them. Detection must also lead to remediation when weaknesses are uncovered.
5. “Risk assessments don’t really matter.”
Companies often adopt policies and launch programs before they have assessed their actual risk profiles. But enforcement officials expect to see a formal risk assessment. This makes sense – without analyzing a company’s actual FCPA risks, it is very difficult to design a credible program to address those risks. Companies can easily waste resources setting up stringent controls for risks they do not face while failing to tailor their “generic” program to address the risks they do face.
6. “This is just a facilitating payment.”
One of the most frequent areas of FCPA misunderstanding relates to the facilitating payments exception. It is not uncommon to hear someone describe a $15,000 customs payment or a $9,000 immigration payment as a “facilitating payment,” when they clearly are not. The facilitating payments exception is quite limited. To qualify, a payment must be made to expedite or secure a “routine government action” and the official action must be non-discretionary (i.e., the official must have no legal basis to refuse to provide the service). While there is no statutory value limit on facilitating payments, in practice it would be very difficult to justify a four-figure payment as a facilitating payment.
The lack of statutory specificity seems to encourage creative interpretations of the facilitating payments exception. To address this, compliance officials should be careful to point out that any sizable payment, even one that might arguably fit within the exception, can invite the scrutiny of enforcement officials. This means that, even if a company were to prevail in its view that a large payment qualifies for the exception, that victory would come only after the disruption and expense of a formal investigation. Moreover, other international anti-corruption laws, like the UK Bribery Act, still prohibit facilitating payments.
7. “But the payment was extorted.”
Legitimate extortion payments can constitute exceptions to the FCPA – the FCPA Guidance provides that “payment[s] made in response to imminent threats to health and safety do not violate the FCPA.” If an official holds a gun to an employee’s head or is about to poke the employee with a dirty needle at immigration, bribe payments will not be considered FCPA violations.
The problem occurs when companies try to stretch the exception to other types of threats. Commercial necessity does not trigger the exception. Holding goods at customs unless an employee pays a bribe would not qualify. Therefore, all explanations of economic coercion should be considered suspect. A general rule of thumb, as provided in the FCPA Guidance, deals with whether the payor “could have turned his back and walked away.”
8. “The employee used his or her own funds, not the company’s.”
Suggesting that improper payments benefiting a company were not made with company funds raises a lot of questions, including “why?” Very few employees are willing to spend their own money on behalf of their employer. Employees paying bribes for a company’s benefit likely have a plan for getting paid back. This could be through fraud or theft. They may have made other arrangements with account managers, third parties or their supervisors. The fact that an employee is making personal payments to benefit the company, and that a company’s compliance program is not preventing such activity, could also be evidence of controls failures at the company, which could constitute FCPA “internal controls” violations themselves. Moreover, if the company is ultimately benefiting, the government could assert that the company was part of a conspiracy to violate the FCPA.
9. “We’re not a big company. The government won’t apply the FCPA to us.”
It is true that large multinational corporations are regularly in the crosshairs of FCPA enforcement. But smaller companies can be subject to enforcement, too. In fact, smaller companies are often more vulnerable because they are more likely to go out of business as a result of an FCPA investigation. For example, in 2013, the Wall Street brokerage firm Direct Access Partners was caught up in an investigation, and it only had 30 employees. As a result, the firm went out of business. The small Philadelphia-based export company, Nexus Technology, pled guilty to conspiracy to violate the FCPA and went out of business.
10. “The FCPA applies only to large payments.”
Not so. There is no materiality threshold for an FCPA violation. Moreover, FCPA actions have been built on a series of smaller payments that, in the aggregate, amount to significant expenditures. This can include not only payments of money, but things like gifts and entertainment, as well. For example, Diageo gave rice cakes and other gifts in South Korea ranging in value from $100 to $300 per recipient that, in the aggregate, amounted to $64,184 over four years (that action involved payments in other countries, too). The current “princeling” investigation into the activities in China of various banks does not appear to deal with specific monetary payments; instead, it focuses on firms that provided jobs to children of high-ranking Chinese officials.
Even if authorities are less likely to prosecute companies for individual smaller payments, the detection of smaller payments can prompt wider investigations to determine whether those small issues are actually systemic. These investigations, in themselves, can be costly and disruptive. Thus, by assuming that authorities are only interested in large payments, companies run the risk of ignoring the full picture.