As the stock option backdating cases wind down, what will be the next corporate scandal to gain widespread notoriety?

It is always difficult to predict what alleged misdeeds will be front page news in the coming years, but many believe that Foreign Corrupt Practices Act ("FCPA") violations may be this year's corporate crime of the century.

The FCPA was enacted in 1977. But it was rarely enforced throughout the 1980s and 1990s. Now, in recent years, the Department of Justice and the Securities and Exchange Commission have picked up the pace of enforcement. The average number of FCPA criminal prosecutions and civil enforcement actions increased fourfold over the last five years compared to the previous five years, and the average fine for corporate violators has steadily increased over the last several years.

By all accounts, 2007 was a watershed year for FCPA enforcement for several reasons:

  • Public companies disclosed over 50 pending government investigations relating to potential FCPA violations.
  • The number of enforcement actions brought by the DOJ and SEC doubled compared with the number brought in 2006.
  • The number of enforcement actions brought against individuals hit an all time high.
  • Technology companies reported significant FCPA investigations, including house-hold names such as Siemens AG.
  • The DOJ and SEC imposed the largest combined FCPA criminal and civil corporate penalty in history, $44 million.
  • High level DOJ officials repeatedly touted FCPA enforcement as a priority.

We expect FCPA enforcement activity to continue to rise throughout 2008. In addition, we expect a continued focus by the regulators on technology companies who conduct business in Asia, Eastern Europe, Central and South America, and other high risk areas, in part because of a perception by the regulators that many technology companies have not adopted adequate FCPA internal controls. We recommend that all companies based in the U.S. or with officers or directors who are U.S. citizens, regardless of their size or whether they are publicly traded or privately held, implement FCPA internal controls, including FCPA compliance and training programs. We also recommend responding aggressively to signs of an FCPA violation – so called "red flags" – by conducting an internal investigation through qualified counsel.

What Does The FCPA Require?

The FCPA has three principal components:

  • Anti-bribery provisions, which prohibit payments, offers of payment, or authorization of payments by U.S. persons (including individuals and organizations) to foreign officials for the purpose of obtaining or retaining business.
  • Internal accounting controls provisions, which require public companies to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that:
    • transactions are executed in accordance with management's general and specific authorization;
    • transactions are recorded as necessary to permit preparation of financial statements under GAAP and to maintain accountability for assets;
    • access to assets is permitted only in accordance with management's general or specific authorization; and
    • the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.
  • Books and records provisions, which require public companies to maintain their books and records such that they accurately and fairly reflect the transactions and dispositions of their assets.

Who Enforces The FCPA And What Are The Penalties For A Violation?

The FCPA is enforced by both the DOJ and SEC, and each of the three principal provisions of the FCPA carries both criminal and civil penalties. In many cases, companies find themselves the target of concurrent criminal and civil investigations by the DOJ and SEC.

The potential criminal penalties for knowing or willful violations of any of the FCPA provisions are severe:

  • Organizations are subject to a maximum fine of $2 million for each violation of the anti-bribery provisions and $25 million for each violation of the internal accounting controls or books and records provisions.
  • Individuals are subject to a maximum of five years imprisonment and a $100,000 fine for each violation of the anti-bribery provisions, and a maximum of 20 years imprisonment and a $5 million fine for each violation of the internal accounting controls or books and records provisions.

In addition, debarment and other collateral consequences of a criminal conviction under the FCPA can be catastrophic for companies largely dependent on government contracts.

The SEC has equally dramatic civil remedies available to it, including injunctive relief, substantial civil fines, and the disgorgement of any ill-gotten gains. The SEC is significantly aided in its enforcement efforts by the fact that there is no mens rea (i.e. intent) requirement for civil violations of the FCPA's books and records or internal accounting controls provisions.

What Is The Scope Of The FCPA's Anti-Bribery Provisions?

The scope of the FCPA's anti-bribery provisions is extraordinarily broad. Among other things, the FCPA makes it unlawful for:

  • any U.S. individual or organization, including "issuers" and "domestic concerns," or any officer, director, employee or agent of any issuer or domestic concern, or any stockholder acting on behalf of any issuer or domestic concern, acting anywhere in the world, as well as any non-U.S. person who acts on U.S. soil;
  • to "corruptly" offer, pay, promise to pay, or authorize the payment of money or the giving of anything of value;
  • to any "foreign official," foreign political party, official of a political party, or foreign political candidate;
  • for the purpose of influencing such official to do any official act or inducing such official to influence a foreign government or any entity thereof, in order to assist the "issuer" or "domestic concern" in retaining or obtaining business.

The FCPA defines "foreign official" to include any employee of a business enterprise that is owned or controlled by a foreign government. For many countries in Asia, Eastern Europe, and South America, a large percentage of the businesses are owned or controlled by the state, especially in the telecommunications, banking, power, and medical industries. Recent case law has also expanded the scope of the "retaining or obtaining business" prong to include virtually any government action that may be favorable to a company, such as favorable tax treatment or securing any "improper advantage."

In addition to prohibiting direct payments to foreign officials, the FCPA prohibits payments to third parties (such as agents, consultants, foreign subsidiaries, or joint venture partners) while "knowing" that the third party will, directly or indirectly, make a payment or offer of payment to a foreign official. In practice, this means that a company may be held liable for the acts of its agents – even though the company did not directly make or offer to make any payments to foreign officials – if it knew about or authorized the payments. Further, the FCPA also provides that the level of knowledge required for a criminal violation can be established not just by actual, affirmative knowledge of improper payments, but also by merely being aware of a "high probability" that such conduct may have occurred.

The FCPA also imposes obligations on companies with respect to the conduct of their subsidiaries, joint venture partners, and other entities they own in whole or in part, which can vary based upon the extent of the ownership interest.

Why Are FCPA Investigations On The Rise?

When the FCPA was enacted, Congress was primarily concerned with companies within the oil and gas industry bribing foreign officials for access to natural resources abroad. Now, the FCPA is being actively enforced across industries, including against technology companies. FCPA investigations are on the rise for several reasons:

First, companies have gone global. Many companies are aggressively seeking to increase sales by marketing their products and services in foreign countries, especially in high growth markets like China. That pattern is particularly prevalent in Silicon Valley. Several years ago, most technology companies recorded the bulk of their sales in the domestic market. The inverse is now true: it is not unusual for such companies to record over half their sales abroad.

Second, the business and legal cultures in many countries tolerate bribery. Within the last 20 years, bribes were tax deductible in some western European countries. Today, most countries have adopted anti-bribery laws to be in compliance with certain international conventions and treaties. However, even where such laws exist, they are not always enforced, and many foreign officials continue to solicit and expect bribes.

Third, after the enactment of the Sarbanes-Oxley Act and the issuance of various policy statements by the SEC and DOJ purporting to reward cooperation by corporations, companies are now much more likely to conduct internal investigations when they spot a "red flag" or otherwise learn of a potential FCPA problem and then self-report any legal violations to the regulators. In the last few years, the vast majority of publicly disclosed FCPA investigations were initiated by the government because a company self-reported a problem following an internal investigation by outside counsel. In contrast, prior to 2005, the government initiated the majority of publicly disclosed FCPA investigations.

Fourth, the DOJ and SEC have put more resources into FCPA enforcement. Last March, then-Attorney General Alberto Gonzales highlighted the importance of FCPA enforcement during a speech to members of the white collar bar. In addition, during 2007, Assistant Attorney General Alice Fisher gave multiple speeches during which she discussed the significance of FCPA enforcement.

What Are The Trends In FCPA Enforcement?

The last year saw the continuation of several trends in FCPA enforcement, including the following:

First, the DOJ and SEC have steadily increased the number of enforcement actions against both corporations and individuals. In 2007, the regulators brought over thirty enforcement actions under the FCPA, which was over double the number brought in 2006. Likewise, in 2007, fifteen individuals were charged with FCPA violations, which is an all time record for FCPA enforcement. When commenting on the recent enforcement actions, high ranking DOJ officials have stated that the current enforcement actions are "just the tip of the iceberg" and that there are many more matters under investigation.

Second, the DOJ and SEC have steadily increased the size of corporate penalties for FCPA violations. In 2007, Baker Hughes agreed to pay the largest FCPA penalty to date. The total penalty – $44 million – included a criminal fine of approximately $11 million and a civil penalty of approximately $33 million. Later in 2007, Vetco International paid the largest criminal penalty to date – $26 million. In addition, as part of any settlement, the SEC and DOJ now routinely require a company to disgorge any gains it received as a result of an FCPA violation. The fines are most severe where the company is a repeat offender or where the conduct is egregious. In contrast, the DOJ and SEC impose lower fines where the company conducts an internal investigation after discovering a potential violation, voluntarily discloses the results of that investigation to the regulators, and remedies the violation through improved internal controls. Likewise, the DOJ and SEC impose lower fines where the company has adopted FCPA internal controls and can demonstrate that the violation was the result of a rogue employee and not a rogue culture within the company.

Third, in recent years, the DOJ has shown an increased willingness to settle FCPA investigations by entering non-prosecution or deferred prosecution agreements with companies. The DOJ first settled an FCPA investigation through a non-prosecution agreement in connection with the InVision Technologies, Inc. ("InVision") matter at the end of 2004. Fenwick & West LLP represented the Special Investigation Committee of InVision's Board of Directors, conducted the internal investigation that uncovered the FCPA violations, helped the company report the results of that investigation to the DOJ and SEC, and negotiated the non-prosecution agreement with the DOJ. In the agreement, the DOJ promised not to prosecute InVision. In return, InVision agreed to adopt an FCPA compliance program and internal controls designed to deter future violations. Since the InVision investigation, the DOJ has settled several FCPA matters through similar agreements.

Fourth, the regulators continue to stress that a company and its officers can be held liable for the misconduct of distributors and other third-party business partners. The regulators demonstrated their resolve to pursue a corporation for FCPA violations based on the conduct of third-parties during the InVision FCPA investigation. In that matter, the allegedly improper payments included payments made to foreign officials by a distributor of InVision's products. In the past, FCPA compliance practices with respect to distributors have generally been less extensive than those involving sales representatives or consultants. That can no longer be the case. In the last year, the regulators routinely stressed the importance of conducting due diligence before engaging a third-party business partner, obtaining written certification of FCPA compliance by the business partner, and investigating any signs that the business partner may be engaging in improper conduct.

Fifth, in the last few years, with the up tick in M&A activity, the number of FCPA issues discovered or addressed as part of an acquisition increased substantially. FCPA compliance is now a standard M&A due diligence item. FCPA issues can be a major sticking point in negotiations with the acquiring party, often causing a delay of the deal or a change in the price terms. Any company that is contemplating a possible sale to another company should be prepared to demonstrate the adequacy of its FCPA internal controls to the acquiring party.

What Should You Do To Be Ready?

Any U.S. company that conducts business overseas (regardless of size or whether publicly traded) and any foreign company that trades on a U.S. exchange or is operated by U.S. officers or directors should implement comprehensive FCPA internal controls, including FCPA compliance and training programs.

A company's FCPA compliance program should be tailored to its particular circumstances. As a result, FCPA compliance programs will vary from company to company. In most cases, an FCPA compliance program will be part of a company's broader compliance and ethics program, which should be structured to comply with the U.S. Sentencing Guidelines.

In general, an effective FCPA compliance program should include the following:

  • Established "tone at the top" that emphasizes the importance of ethical conduct and legal compliance.
  • Established standards and procedures to prevent and detect potential violations of the FCPA, including the adoption of a corporate ethics policy that explicitly prohibits conduct that violates the FCPA.
  • Oversight by the Board of Directors and senior management of the content and operation of the company's FCPA compliance program.
  • A designated member of senior management to act as the company's Compliance Officer, with overall responsibility for the FCPA compliance program.
  • Adequate resources for the implementation of the program.
  • Ongoing monitoring and risk assessment to confirm the program is being followed and is effective.
  • Periodic reporting regarding the efficacy of the program to the Board of Directors and senior management.
  • Periodic training for officers, employees, agents, consultants, joint venture partners, and distributors concerning the requirements of the FCPA.
  • Appropriate disciplinary mechanisms for violations or failure to detect violations of company policy or the law.
  • Incentives for compliance and an established system for anonymous and confidential reporting of suspected violations without fear of retribution.
  • Documented procedures to ensure that the company forms business relationships only with reputable agents, consultants, joint venture partners, and distributors.
  • Contractual provisions in agreements with agents, consultants, joint venture partners, and distributors, explaining and requiring adherence to the FCPA.
  • Internal accounting controls governing access to cash, travel and entertainment expenses, and other disbursements, as well as controls over any exceptions to established commission rates or price schedules.
  • Procedures to ensure that, if criminal conduct is detected, reasonable steps will be taken to respond appropriately to prevent it from recurring, including modification of the program as appropriate.
  • Procedures to enable the company to exercise due diligence in order to exclude from management those persons who the company knew or should have known had engaged in illegal conduct or other conduct inconsistent with the program.

It is critically important that documentation exist for each aspect of the company's FCPA controls, including written policies and procedures, formalized reporting responsibilities within the organization, and written descriptions of specific compliance controls and procedures, as well as documentation relating to the testing of the adequacy of those controls and procedures. Indeed, without such documentation or other evidentiary proof, a company is without the means to demonstrate to the DOJ or SEC the adequacy, or even the existence, of its compliance program.

Why Should You Adopt An FCPA Compliance Program?

Establishing an effective FCPA compliance program can provide significant benefits. Such a compliance program may detect and prevent potential violations of the FCPA before they occur. In addition, in the event of a violation of the FCPA, the existence of an effective FCPA compliance program is an important factor used by both the DOJ and the SEC in deciding whether to prosecute. Finally, in the event of a prosecution and conviction, the existence of an effective FCPA compliance program can significantly reduce the punishment the company would otherwise receive under the U.S. Sentencing Guidelines.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.