United States: Recent Enforcement Actions Demonstrate Multinational Automotive Companies Should Conduct Risk Assessments

Regulators within the Trump administration have sent a loud message that should concern all multinational automotive companies: laws governing international activities continue to be the subject of intense enforcement activity, leading to record fines in such areas as U.S. economic sanctions administered by the Office of Foreign Assets Control (OFAC), export controls (the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR)), and the Foreign Corrupt Practices Act (FCPA).

Many multinational companies maintain operations in China and Mexico, and these countries present issues under the FCPA (frequent bribery requests), OFAC sanctions (limitations on dealings with Iran, Syria, Russia), and export controls (controls on shipments of U.S.-origin goods to embargoed countries as well as restrictions on products that have dual-use capabilities, such as being useful in chemical and biological weapons production). Further, now that President Trump has withdrawn from the Joint Comprehensive Plan of Action, which eased the sanctions on Iran, the specialty sanctions that targeted the Iranian automotive industry have "snapped back" and now once again pose compliance challenges for the automotive industry.

In light of these developments, this blog entry summarizes the most recent enforcement activity of concern to automotive-sector companies, as well as the steps that these companies can take to identify and mitigate the risk of costly enforcement actions under these international regulatory regimes.

Recent Enforcement Activity Shows U.S. Government Willingness to Impose Record Penalties for Violations of International Regulations

Under the Obama administration, enforcement of the FCPA, export controls, economic sanctions, and AML regulations was steady and strong. Although the numbers varied year by year – mostly due to timing issues related to when large matters were settled – it was not uncommon to see large enforcement settlements that individually surpassed the $100 million level, with total penalties in many years reaching into the billions.

Any thought that the Trump administration might take a more lenient approach toward these international regulations has been laid to rest by the strong record of enforcement under the current administration, as underscored by two recent enforcement actions.

First, Panasonic agreed to pay $280 million to resolve FCPA offenses for payments to consultants of its U.S. inflight entertainment unit in the Middle East and Asia, including the payment of $143 million in disgorgement to the Securities and Exchange Commission. In both cases, the resolutions were related to activities of Panasonic's U.S.-based subsidiary, Panasonic Avionics Corporation. According to the U.S. government, senior management of Panasonic Avionics established a bribery scheme to pay a Middle Eastern government official more than $900,000 for a "purported consulting position, which required little to no work," allowing Panasonic Avionics to help gain over $700 million in business from a state-owned airline. The U.S. government further stated that Panasonic Avionics concealed the payment "through a third-party vendor that provided unrelated services" to Panasonic Avionics and then allegedly falsely recorded these (and other) payments in its books and records. Other payments related to Asian sales.

The Department of Justice (DOJ) gave Panasonic Avionics a 20 percent discount off the low end of the U.S. Sentencing Guidelines fine range because of the cooperation of the company and what the DOJ characterized as strong remediation efforts, including the severing of several senior executives who were either involved in or aware of the misconduct by Panasonic Avionics or Panasonic. Nonetheless, because the remediation efforts only recently had been instated, the deferred prosecution agreement provides for a two-year independent monitor, followed by an additional year of self-reporting.

Independently, the Department of Commerce's Bureau of Industry and Security (BIS) took the unusual step of suspending an export control settlement deal with Chinese telecom equipment maker ZTE Corporation, while at the same time revoking the export privileges of the company. ZTE Corporation was operating under a settlement of claims that it had violated U.S. export control and economic sanctions regulations by engaging in 251 transactions with persons in Iran or with the Iranian government. These transactions had last year resulted in the largest-ever export controls penalty – nearly $1.2 billion, with $300 million of it being suspended during a seven-year probationary period. As a result of the export ban, the ability of ZTE to export any goods or technical data from its 14 offices and six research centers in the United States will be virtually eliminated until March 13, 2025, thereby endangering the ability of ZTE to take a leading role in the rollout of next-generation 5G wireless technology.

These settlement actions illustrate the ability of U.S. regulators to discover and punish violations of U.S. international regulations, as well as the willingness of the Trump administration to impose groundbreaking penalties. In light of the aggressive enforcement mentality of the U.S. government, this blog entry provides practical guidance to help multinational automotive companies to identify their risk and determine whether they are putting sufficient resources into dealing with those identified risks. For any multinational automotive-sector company that has not gone through such an exercise in the last few years, systematically working through the 12 steps is likely to lead to a significant payoff for ameliorating the organization's risk profile through an effective compliance system.

Identifying International Regulatory Risk

As illustrated by the record export controls penalty against ZTE (almost $1.2 billion, followed by a denial of export privileges) and the Panasonic FCPA settlements, the risk of severe enforcement actions under the Trump administration for violations of international regulations continues to be high. Yet many multinational automotive-sector companies find themselves in a quandary regarding how best to identify their international regulatory risk. This section summarizes the typical steps that most multinational companies should consider when determining their unique risk profile and evaluating whether they are devoting sufficient resources to managing that risk.

Step 1: Secure Buy-In at the Top

Many automotive-sector companies looking to implement an international regulatory compliance program start by drafting a written compliance policy. But long before it comes time to draft the policy, a well-thought-out compliance strategy will look to put in place the underpinnings of the compliance program. Chief among these is the need for consistent management support for compliance initiatives.

Although the phrase "tone at the top" encapsulates management support, the concept requires more than just support from the CEO and other top management officials. When properly executed, the idea of tone at the top is a pyramid, with the concept of "doing the right thing" and respect for compliance flowing down from the CEO to personnel at all levels. Senior management ensures it is known that compliance has full support at the top, and that compliance has the resources to function properly, while also trying to ensure that respect for compliance with legal and company mandates flows through the company.

Management support is especially important for companies with international operations. The connection between the sales and operational activities of international subsidiaries, on the one hand, and regulatory risk management and adhering to the requirements of U.S. law, on the other, can appear tenuous when viewed by far-flung actors. The reality, however, is these far-off operations often represent the highest regulatory risk. This may mean that the organization must pay special attention to these foreign subsidiaries so it can reinforce the compliance message and its importance to the overall organization.

Senior management must set a strong example. It should be common knowledge that compliance rules apply across the entire organization, including for senior personnel; that the company promptly follows up on credible red flags; and that the company is willing to walk away from business that requires stepping too close to the risk threshold. People throughout the organization, whether in the United States or elsewhere, should realize there are consequences for compliance missteps. Through these means, senior management can communicate its respect for compliance throughout the organization.

Step 2: Perform a Risk Assessment

The compliance obligations of multinational corporations are more complicated than those of domestic organizations. A corporation that operates internationally automatically takes on additional compliance responsibilities under laws and regulations that target international conduct, as well as new sets of foreign laws, all while shedding none of its domestic compliance obligations. Multinational automotive companies tend to be larger, which increases the importance of establishing systematic compliance procedures. Multinational automotive corporations often have magnified logistical difficulties, such as coordinating compliance standards and training across disparate divisions and affiliates, dealing with employees with cultural and language differences, and dealing with general skepticism regarding the application of U.S. law outside the United States. These and other factors can increase the difficulty of creating and maintaining multinational compliance standards.

To help control these issues, the second step for multinational automotive companies should be to perform a risk assessment to determine how these factors impact their compliance obligations. A risk assessment is a survey of the company's operations to determine the exposure of the organization to various forms of regulatory risk, considering both the likelihood and the severity of possible violations and the current enforcement priorities of the relevant authority.

The importance of the risk assessment lies in the recognition that it is not possible to eliminate all regulatory risk. Since organizations need to minimize the risk of violations, while coping with the reality that they have limited resources to put into risk mitigation, they need guidelines for allocating their scarce compliance resources. The risk assessment provides this guidance by assembling data needed to create an organization-wide risk profile.

Compliance at international organizations should be tailored to the organization, taking into account all factors that bear on the risk profile of the organization. For automotive-sector companies, items to consider include U.S. government enforcement priorities, prior compliance issues within the organization, risks and trends in the industry, and recent changes in the scope of operations of the organization. If the company is engaged in automotive extraction, all contacts with the government – whether as part of the approval process, procuring extraction rights, negotiating leases, dealing with Customs, and so forth – need special scrutiny. Areas of the world that If the company needs to deal with foreign state-owned entities, it needs to realize that even though these companies operate in a commercial fashion, the FCPA still treats all employees of these companies as foreign officials. Such changes are frequent sources of weakness if they are not mirrored by changes in compliance oversight.

A typical way for automotive-sector companies to proceed with a risk assessment is to survey business units that represent areas of high regulatory risk. Questions for an anti-corruption survey, for example, might examine whether the relevant stakeholders often deal with state-owned automotive companies, whether they have frequent interactions with government regulators, whether there is significant entertaining of non-U.S. persons, whether the organization does significant business in countries known to have a reputation for corruption, and whether the company does significant business in the United Kingdom (which can draw the UK Bribery Act into play). For export controls, the relevant topics to explore would include whether the organization deals with controlled items or controlled technologies; whether the company deals with items on the U.S. Munitions List (USML) or modifies commercial items for military use or to meet military specifications; whether the company has recently conducted a classification review; the degree to which non-U.S. nationals potentially have access to controlled technical data; whether the organization sells products that rely on encryption; and whether there are sales to known diversion points (the Middle East, Mexico, Russia, Pakistan, and so forth). For economic sanctions, relevant topics to cover would include whether there are sales by non-U.S. subsidiaries to sanctioned countries or specially designated nationals, whether there are sales to known diversion points, and whether the organization as a whole maintains adequate screening for SDNs (Specially Designated Nationals, or persons who have been sanctioned under U.S. law as being off-limits for business transactions and financial dealings). Finally, an anti-boycott risk assessment would examine the extent of dealings with Middle Eastern countries and with firms operating out of that region.

One thing to remember is that the conduct of a risk assessment can lead to the discovery of potential regulatory violations. The company accordingly should have the risk assessment process conducted in a way that stresses confidentiality, with the exercise, if possible, being overseen by an attorney. This is so the exercise can be conducted under the rubric of attorney-client privilege. Doing so could be important if the investigation uncovers evidence of apparent violations.

Once the risk assessment is complete, the results should be carefully evaluated to determine where the areas of greatest compliance concern lie. The results can be distilled down to a company-wide risk profile, which can guide the allocation of compliance resources. The results can then be used for such useful exercises as determining which areas merit the greatest attention, which areas likely need additional internal controls, whether there are patterns of deficient compliance (based on geography, product lines, subsidiaries/divisions, etc.), and whether the basic knowledge of the relevant legal requirements appears to be in place. By formalizing the results in a risk profile, the corporation can determine the appropriate way to manage the identified risk.

Step 3: Survey Current Controls

Step 3 involves surveying current compliance procedures and internal controls and determining whether these measures match the identified risks. Most larger multinational corporations already have some kind of compliance procedures in place, whether in a formal compliance program or at least ethics provisions in the code of conduct. In determining how to proceed, these procedures are the best starting point. The company should assess the current compliance program to see if its compliance measures and internal controls line up with its risk profile.

The evaluation should consider whether the plan properly covers the following aspects of the company's risk model:

  • Does the plan reflect all of the circumstances that may put the organization at risk of a violation? Is it based upon a realistic risk assessment that is up to date and consistent with the company's current circumstances?
  • Does the program cover all aspects of the business that operate or sell overseas?
  • Does the plan extend to any business units that might have dealings with non-U.S. officials, whether in a procurement, regulatory, or other role?
  • Does the plan include model procedures and training for non-U.S. consultants and business partners with whom the organization does business?
  • Does the compliance program reflect the nature of the firm's foreign business operations and the extent to which they are subject to government control or influence?
  • Does the compliance program contain adequate procedures to ensure that the firm can monitor disbursements and reimbursements?
  • Does the plan contain adequate internal controls to help buttress the compliance procedures?
  • Does the plan compare well with codes of ethics and compliance policies used by comparable businesses in the industry and in the countries where the firm operates?

In making these determinations, the company should consider its general risk profile, not just the risks related to the specific legal regime. Problems in multiple areas may indicate a careless corporate culture toward compliance issues.

Another key issue that should be covered in the compliance survey is whether the program covers the identified outside actors who can expose the organization to the risk of a regulatory violation. The U.S. government considers all affiliates, joint ventures, agents, distributors, suppliers, subcontractors, and other third parties to be extensions of the organization. The organization should evaluate whether the controls and compliance procedures extend appropriately to any person or entity with which it is affiliated and whether that entity may cause third-party liability.

Where anti-corruption is concerned, organizations operating abroad need to assess whether the current plan adequately covers the regulatory risk posed by resellers, vendors, consultants/agents, sales representatives, joint venture partners, freight companies, customs brokers, and any other third party that could be viewed as being a source of bribes while representing the interests or carrying on the business of the U.S.-based company. Where exports and sanctions are concerned, the organization must consider not only its own affiliates (joint ventures, agents, distributors, and so forth), but also the risk profile raised by its own customers who might be diversion risk points. Where anti-boycott is concerned, the organization should consider whether it has agents who might be viewed as providing information on behalf of the organization, and therefore might provide boycott-related information to countries cooperating with the Arab League boycott of Israel.

Step 4: Identify Available Resources

It does little good to identify regulatory risk if the organization is not putting resources into managing that risk. Appropriate risk management requires matching compliance promises and expectations to the available resources, and vice versa.

No compliance initiatives will work without adequate support. Once the company has identified the risk and necessary controls relating to those risks, it should develop a realistic sense of the cost of a program and the resources needed to run it. Senior management should sign off on the budgeting, with the understanding that the company will need to invest time and resources to maintain the program on an ongoing basis.

Without proper resources, a corporation risks compliance failure. Compliance can be expensive, so a company should decide at the outset that it will budget adequate funds and employ sufficient resources to follow through on its compliance initiatives. In determining whether sufficient resources are available, the company needs to consider that success in compliance efforts takes a commitment of both tangible company resources (hiring people and spending money on due diligence) and intangible ones (setting aside employee time for training). The resource identification should take a candid look at whether the company is adequately funding current compliance efforts. If the company has put in place a program that demands substantial due diligence of every foreign agent hired, for example, but has not adequately funded such activities, then the company should view this as a compliance failure. Viewed in an enforcement context, the corporation would look like it has failed to meet its own compliance standards.

In the international realm, some of the most common areas where compliance resources tend to lag include:

  • Anti-corruption. Promises of systematic due diligence for vetting agents, distributors, joint ventures, and other third-party entities; adequate oversight of the activities of third-party intermediaries; resources to conduct compliance audits; adequate training of overseas actors.
  • Economic Sanctions. Resources for systematically checking the SDN and other blocked lists; allocating adequate resources for "know your customer" diligence; adequate training of overseas actors; failure to reflect new rules regarding what subsidiaries of U.S. companies can and cannot do.
  • Export Controls. Inadequate classification of controlled items and technical data; failure to implement "know your customer" guidelines for end-use and end-user controls; failure to take into account potential diversion risks; failure to check the SDN and other blocked lists.
  • Anti-boycott. Resources for reviewing contracts, purchase orders, letters of credit, certificates of origin, bills of lading, and other commercial documents.

To avoid these and other promise-resource mismatches, the organization should, with a clear and open mind, compare its identified risk profile with the inventory of current policies and internal controls, to determine whether there are any gaps between the two. Once such gaps are identified, the organization can, using normal risk-based principles, determine the best order and way to remedy the resource misallocation, whether by reallocating existing compliance resources, finding new sources of funding, or readjusting the compliance procedures.

*  *  *

With the Trump administration continuing to impose hefty penalties for violations of U.S. regulations of exports and international conduct, regulatory risk management continues to be essential for all multinational companies. This is especially true for automotive-sector companies that operate abroad. Any multinational automotive company that has not conducted a risk assessment in the last two years should take the compliance lessons of the Trump administration to heart and make a fresh evaluation of its international regulatory risk.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
