How can I possibly certify that 100 percent of my third parties, including all customers and vendors, are 100 percent FCPA compliant based on the new SEC/DOJ requirements? Frank Orlowski outlines a solution.
Now that the SEC has gotten involved with FCPA, along with the DOJ, they have interpreted the FPCA statute to mean that a company must maintain a system of internal accounting controls that monitors FCPA compliance not only internally, but also for all its third parties, including customers and suppliers.
With the average Fortune 50 company having over 75,000 suppliers and 300,000 large customers, the enforcement is nearly impossible and deemed as “sneaky.”
Even former DOJ leadership acknowledges the incredible challenge around FCPA compliance, especially now that the SEC has stepped up enforcement. (See video below at around 14:40).
However, there is a solution to avoid or mitigate FCPA fines/actions, as well as damaging public press releases by the DOJ/SEC due to third-party violations. A robust, but straightforward certification program can significantly mitigate this risk!
A certification program is primarily an attestation or assertion document that is acknowledged or signed by an employee and all third parties delivered by email, a simple workflow software or even through the mail. It is generally language-specific, but if translators are not available, an English-only document works. The attestation or assertion document is asking an individual, entity or official to certify that they understand the FCPA, are FCPA compliant and are unaware of any violations.
You might be thinking, there is no way all of my hundreds of thousands of suppliers, customers and colleagues will comply. What kind of exposure will we have?
In the case of colleagues, it’s a more straightforward answer: The certification process should be mandatory and use internal email or workflow tools. In the case of third parties, where there is less control, the recommendation is to send the certification communication (via email or mail) up to three times in 90 days. It is OK if there is no response.
The key to the entire certification process is robust documentation and controls, including for third parties that have not responded despite three attempts.
Essential elements to an FCPA certification process include:
- An emphasis on full disclosure, awareness and an understanding of the FCPA statute and any potential violations in the written certification
- A process for disseminating to third parties and internal employees
- Tracking and reporting
- Frequency
It has been proven: A robust certification program, when implemented in advance of a certification program, has led to reduced or even eliminated penalties, not to mention damaging PR from the announcement of an SEC/DOJ investigation.
A robust FCPA certification program may be the most significant solution you can implement within your organization in terms of minimizing costs and avoiding reputational harm.