In the mid-1970's, the U.S. Securities and Exchange Commission lead a heated investigation into over 400 U.S. companies accused of making questionable or illegal payments to foreign government officials, politicians and political parties. These payments, ranging from blatant bribery of high officials to so-called "facilitating payments" for low level functionaries, totaled more than US$300 million. As such, Congress set forth, gavel in hand, to "restore public confidence in the integrity of the American business system"1 by establishing the Foreign Corrupt Practices Act (FCPA).

And yet it is only now, more than thirty years after the Act's implementation, that we are seeing dramatic increase in the number of SEC and the Department of Justice ("DOJ") enforcement actions. In 2010, these two entities took a total of seventy four FCPA enforcement actions, up from only five in the year 2004. Looking at this "historic" growth, Assistant Attorney General Larry Breuer announced "a new era of FCPA enforcement."2

The reason for this dramatic increase in enforcement actions? Some attribute it to testing and reporting requirements of financial books introduced under the Sarbanes Oxley Act of 2002. The more cynical imply that fines, penalties and profit disgorgement under the Act have proven to be an effective revenue source for the government. Richard Cassin, author of the FCPA Blog, has postulated that the events of 9/11 significantly changed the U.S. Government's perception of corruption and its effect on national security. He also contends that the more current Dodd-Frank Whistleblower program is generating more tips, and, combined with the hiring of more government agents and attorneys, is allowing the SEC and DOJ to carry out more enforcement activity.

In the past year, the DOJ has imposed well over US$1 billion in criminal penalties— more than in any prior 12-month period. In comparison, in 2004 it collected US$11 million. The Department is now focused on prosecuting individuals, as well as levying substantial criminal fines against companies. In addition to the DOJ's enforcement activity, the SEC brought in US$529 million in corporate FCPA settlements: US$20 million in civil penalties, and US$509 million in profit disgorgement and prejudgment interest. Enforcements were both small (Natco; US$65,000) and large (Daimler; US$91.4 million), although the SEC, unlike the DOJ, seldom focused on prosecuting individuals. Nevertheless, the risk of noncompliance has become a serious matter for all companies subject to the FCPA.

While the number of enforcement actions remains low when compared to the number of organizations governed by the FCPA's rules, two significant trends in the current enforcement environment have increased the chance that a company will face charges from the DOJ or SEC:

  1. Growth of the DOJ's Fraud Section The DOJ's Fraud Section has grown significantly in the last couple of years. Its new FCPA Unit alone consists of over a dozen prosecutors dedicated solely to FCPA cases. The FCPA Unit is also working with the Asset Forfeiture and Money Laundering Section, which targets, in part, proceeds of foreign official corruption being laundered through the United States.
  2. Greater DOJ international cooperation The DOJ has expanded its reach by forming partnerships with foreign agencies and increasing its participation in the Organization for Economic Cooperation and Development ("OECD"). Cooperation with the U.K.'s Serious Fraud Office has already provided a US$400 million settlement.

The average cost of an enforcement action carries an extremely high price, one that far outweighs the cost of implementing good governance practices and ensuring compliance under the law. With this in mind, management should fully weigh the potential costs to profitability and reputation that a compliance failure could bring about.

Legal expectations

The FCPA was written broadly and is, in many areas, vague and ambiguous. Consequently, interpretation of its requirements is often difficult. Unfortunately, in these circumstances, "law is developed on an ad hoc basis by Assistant U.S. Attorneys and by the Staff of the SEC and DOJ as they respond to the exigencies of particular factual situations."3 No company wants to be facing an enforcement action where the regulator is interpreting the law as the case unfolds, as there is no cost effective defense in those situations.

So what should companies do to achieve compliance and avoid enforcement action?

The most critical step is to understand the FCPA, and take proactive steps to achieve compliance. In his November speech, Mr. Breuer made clear that companies should not "wait in worry for [DOJ] to come knocking." Rather, companies need to be proactive and take affirmative steps that "would put organizations in a better position for the day we do come knocking, or that could prevent us from coming at all." He offered two specific suggestions to companies given the climate of vigorous FCPA enforcement.

  1. Take a hard look at your organization's FCPA compliances practices Reviewing and strengthening compliance programs is more important than ever in the Department's "new era" of FCPA enforcement.
  2. Self-Report "There is no doubt that a company that comes forward on its own will see a more favorable resolution than one that doesn't."

The specific language of the FCPA requires that issuers:

  • "Make and keep books, records and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and disposition of the assets of the issuer"
  • "Devise and maintain a system of internal accounting controls sufficient to provide reasonable assurance that—

Transactions are executed in accordance with management's general or specific authorization; and

Transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles, and (II) maintain accountability of assets; and

The recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences"

  • "No person shall knowingly circumvent or knowingly fail to implement a system of internal accounting controls or knowingly falsify any book, record, or account described (above)"

Creating and maintaining a positive, anticorruption culture is the critical first step toward compliance. It will not, however, ensure compliance that employees and corporate representatives actually comply with FCPA requirements. That can only be achieved through diligent prevention or detection controls that address corrupt behavior.

Proper risk evaluation, good record keeping, solid internal controls and consistent and effective testing, evaluation and remediation are key to identifying and correcting these activities, and providing an "adequate procedures" defense of the company's compliance efforts if challenged.

Risk assessment

The first step a company must take if it intends to prevent or detect bribery and corruption is to determine what its unique risks and exposures are. Factors in determining this include a company's internal organization, geography, relationships and transactions.

Internal organization

The effectiveness of anti-corruption and anti-bribery training initiatives should be regularly measured and monitored to make certain that employees have the requisite skill sets to prevent or detect corruption and bribery situations. In particular, a company should access "Tone at the Top" and ensure that it is consistent with its "Tone at the Middle" since it is critical that operational management understands and carries out senior management's anti-corruption policies. The company should regularly test employee knowledge of the company's business profile and understanding of its associated bribery and corruption risks. Finally, the company must make certain that there is clarity in the policy on gifts, entertaining and travel expenses.

Geography

Management should also take into consideration the culture it does business in and the role of bribes in that culture. It should evaluate if those countries have sufficient anti-bribery legislation and if the country is perceived as having high levels of corruption as determined by nongovernment watchdog agencies. Finally, management should assess if there is sufficient capacity of the government and local business communities to effectively require transparent procurement and investment policies in the marketplace.

Relationships and Transactions

Business partners and transactions that need to be scrutinized carefully. The company should know, and document, what associations it has with public officials and their families. It should have contracts and transparency on the codes of conduct and business practices of its third party representatives. Internal controls and compliance monitoring programs should clearly focus on the activities that are at high risk of bribery and corruption. Those might include charitable or political contributions, expense report justifications, the obtaining of licenses or permits, or procurement activities on large projects with multiple contractors, intermediaries or agents.

At a minimum, a company should review its history: experience with its auditors and their historical findings, the involvement of the board in compliance activities, its current internal control environment and any internal history with fraud. They must also know what transactions are under management's direct supervision, and what transactions occur on a decentralized basis and determine what risks are involved in those transactions. Identify the areas of risk and protective action can be taken to achieve compliance and reduce the risk of enforcement actions.

Internal controls

Under the FCPA, internal controls need to address financial, regulatory and operational business functions as they relate to anti-bribery and anti-corruption practices.

In developing an effective internal control environment, management needs to design processes, tests and systems that provide ongoing knowledge that the organization's anti-bribery efforts are operating as expected. Designing a system of controls that should work, but aren't operating effectively is no defense. All transactions are subject to FCPA review. Hiring experts to help design and implement well thought out internal control environments is often the surest means of obtaining quick and effective results.

Keep these factors in mind:

  • The FCPA prohibits the payment, or offer of payment, of money or anything else of value. Gifts and free services can be violations under the FCPA.
  • The person making or authorizing the payment must have a corrupt intent, and the payment must be intended to induce the recipient to misuse his official position to direct business wrongfully to the payer or to any other person.
  • The FCPA focuses on payments that are made to obtain or retain business, or direct business to specific individuals. Although the payments have to be made to foreign officials to fall under the Act, the business being obtained or retained does not have to be with a foreign government organization.
  • Payments through third parties that have the intent of being passed through to a foreign official are also prohibited.
  • The corrupt act need not succeed. A mere offer or promise can constitute a violation.

Effective controls should be designed to meet specific objectives. A company's internal control system should include monitoring and testing programs that ensure that the controls are consistently and accurately performed, and validate that the design of the controls is effective. The internal accounting controls must provide reasonable assurance that transactions are accurately recorded, authorized and fully explained.

Enforcement actions have emphasized that the lack of adequate internal controls can bring serious consequences to any company found violating the FCPA. In fact, the failure to maintain proper internal controls can bring a separate civil charge that can lead to a fines, injunctions and loss of profits.

The current enforcement level of the FCPA is, by all indicators, here to stay, and will likely increase in frequency. Determining where risks reside, and designing the controls that prevent or detect activities relating to those risks are the challenge facing management if they want to achieve compliance under the FCPA. Not facing and mastering those challenges, in today's environment carries the risk of being a very dangerous and costly mistake.

Footnotes

1 Foreign Corrupt Practices Act; Antibribery Provisions "Background"

2 A transcript of the speech is available at http://www.justice.gov/criminal/pr/speeches/2010/crm-speech-101116.html

3 Toward a Reg. FDCPA: A Modest Proposal for Change in Administering the Foreign Corrupt Practices Act." James R. Doty, The Business Lawyer, Vol. 62

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.