Top Ten Tips for FCPA Compliance
Mar 01, 2010
Brian Loughman, Ernst & Young, Fraud Investigation and Dispute Services practice
The Foreign Corrupt Practices Act (FCPA) is a federal anti-bribery statute that prohibits, in broad terms, US individuals and US companies, their subsidiaries, personnel, shareholders and agents from paying, offering, or promising to pay anything of value to foreign officials, either directly or indirectly, for the purpose of obtaining or retaining business. It also requires companies registered with the SEC to keep accurate records of all business transactions and maintain an effective system of internal accounting controls. It applies to acts committed within and outside the US and to both publicly and privately held entities. Although the key sections of the FCPA are associated with SEC rules and regulations generally thought of as governing public companies, US private entities, US individuals and anyone else taking or soliciting any action within the United States are also subject to the FCPA.
Violating the FCPA can result in lengthy and disruptive SEC and DOJ criminal investigations and stiff criminal penalties for companies and individuals (including the prospect of lengthy prison sentences for the latter). Your company also may be accorded the honor of paying for (and living with) government-mandated external FCPA compliance monitoring personnel, who are embedded in your business for years. The government can also debar your company from consideration for any government contracts. Your company may find itself a defendant in private litigation, such as shareholder lawsuits. And an FCPA charge can cause reputational damage to your company that is very difficult to quantify, let alone repair.
There are a few touchstones helpful for deciding just how much you should worry about your company becoming embroiled in an FCPA controversy. The first places to look are the locations and industries in which your business operates. Countries with a high level of cross-border business where companies are perceived as having a heightened risk of engaging in bribery include Russia, China, Brazil, Mexico and India, while countries with a lower perceived risk include Belgium, Canada, the Netherlands and Switzerland. As one might expect, corruption is generally more prevalent in low-income countries. Companies should be particularly careful doing business in emerging markets. Public works and construction, real estate and property development, oil and gas, heavy manufacturing, mining and pharmaceuticals and medical care are viewed as industries most vulnerable to bribery. No geographic area and no industry, however, is immune from being affected by the greed of a government official looking for a payoff.
There are many considerations to keep in mind concerning FCPA compliance, and you should seek appropriate professional advice. To give you a bit of a head start, however, here are our top ten tips for improving FCPA compliance and managing FCPA risk:
1. Determine your FCPA risk.
Base it on a formal risk assessment of corruption and bribery, focusing on factors including the type of business and transactions your company engages in, the location of these transactions, the degree of interaction with government officials and agencies, your company’s regulatory environment, the extent to which your company uses agents, consultants, brokers, distributors and other intermediaries and the degree of control your company has over such intermediaries. Identify your company’s high risk business locations, subsidiaries and affiliates and personnel (including employees, contractors, agents and consultants). Understand that your company is responsible for FCPA violations committed by these parties – the company doesn’t have to know about or approve their actions or policies to be subject to criminal penalties under the FCPA. Create and maintain a database of your intermediaries and review it periodically. Your standard contracts for intermediaries can include representations and warranties, as well as indemnifications and termination provisions, regarding FCPA compliance. Also consider key FCPA questions when engaging new vendors or third parties. It is important to complete and document initial due diligence on all intermediaries, including vendors and agents, and some companies perform due diligence on intermediaries on a regular basis. Organizations such as the membership-based TRACE International, Inc. can facilitate due diligence on your company’s intermediaries.
2. Develop an FCPA compliance policy.
This policy should cover US and non-US personnel and address bribery; gifts and payments to foreign officials, representatives and associates; charitable giving; travel and entertainment; keeping accurate and complete books and records; and compliance with local legal requirements. Your FCPA compliance policy should be embedded in your company’s overall compliance program. Include it in your code of conduct and post it with other company policies. Advise your HR department to make FCPA compliance part of the personnel initiation process and your business units to include it in the employee performance rating process. Setting the right tone at the top is critical – emphasis on FCPA compliance should be communicated regularly by senior executives so that FCPA compliance is aligned with overall corporate strategy. Your FCPA compliance policy should include a contact person whom your personnel can call with questions before taking actions that could implicate the FCPA. Your policy might detail an explicit approval procedure for facilitation payments, or it might ban them altogether. Whistleblower policies and procedures are also important, and personnel should have access to a variety of avenues to report violations with the right to remain anonymous.
3. Train your personnel regularly on your FCPA compliance policy and FCPA requirements.
Include at a minimum your top executives, personnel who are in a position to solicit business, deal with foreign officials or engage intermediaries involved with government business and company finance personnel. Relevant personnel should understand that the FCPA has a very broad scope – it doesn’t just prohibit bags full of cash being passed under the table to high-ranking government officials. Donations to political parties, a few dollars to a low-ranking official to move your project along, meals and entertainment and even charitable donations can violate the FCPA. Your personnel should know that violating the FCPA can result in personal criminal liability, including large fines and lengthy prison sentences, and that the company can be fined up to $2 million per violation or face disgorgement of twice the amount gained from the bribe. They should also know that revenue streams can be compromised and that your business can be disrupted by the consequences of an FCPA violation (including government investigations, criminal convictions, external monitors and private securities litigation, as discussed above).
4. Establish an FCPA compliance team, including legal, financial reporting and internal audit personnel.
The team can facilitate auditing of your compliance policy for operating effectiveness. The FCPA compliance team should have internal and external investigative capabilities and be positioned to investigate red flags quickly and remediate where necessary. Schedule periodic FCPA compliance reviews, including annual compliance certification. Spot-check, or routinely check, annual miscellaneous expenditures by your personnel and agents to determine if the aggregate exceeds limits where individual line items may fall below approval thresholds. Have your board of directors approve the policy and give the compliance team the power to perform internal compliance audits (including audits of executive and other personnel expense accounts and receipts) and to require additional approvals for sensitive transactions. Be sure to review the effectiveness of the policy periodically, engaging external advisors if necessary.
5. Identify countries where in-house counsel employed by your company and its subsidiaries and affiliates are not covered by attorney privilege doctrines.
Did you know that most European countries do not accord the protection of the attorney-client privilege to communications between employees and in-house counsel? Communications with both in-house and outside counsel are equally without protection in China. Cross-border investigations require careful planning, and your company should consider differences in approach to the handling of cross-border investigations involving jurisdictions where unfamiliar privilege doctrines apply. As part of your planning, consider seeking advice from external counsel with expertise in the relevant jurisdictions.
6. Determine whether any other country’s anti-bribery laws may apply to your company.
Thirty-seven countries have enacted anti-bribery laws similar to the FCPA after ratifying the OECD Anti-Bribery Convention. The FCPA was the first law of this kind and is considered the most robust anti-bribery statute with the broadest extraterritorial reach, and it is also the most vigorously enforced. Intergovernmental cooperation and cross-border investigations, however, are becoming more commonplace, and your company can face investigations on several fronts leading to the possibility of penalties being levied in multiple jurisdictions. And ironically, investigations and actions by foreign governments can trigger and accelerate inquiry by US law enforcement agencies.
7. Judiciously consider using outside counsel in your company’s FCPA compliance program, especially where privilege may be an issue.
Using outside counsel will give your company stronger privilege claims and thus best preserve your ability to choose whether to report your conduct to the government. Experienced outside counsel have expertise in FCPA law and practice, knowledge of and experience in dealing with your regulators, and the ability to help benchmark your practices against those of other companies and best practice overall. They can also improve the coordination of large-scale investigations and decrease response times, avoiding what otherwise could later become embarrassing and difficult-to-explain delays in taking action.
8. Direct your company’s financial reporting personnel to keep accurate books and maintain a system of internal accounting controls.
Under the books and records provisions of the FCPA, even improper payments must be recorded accurately. That’s not a typo: the law obligates companies to record bribe payments as bribes. Establish and implement a clear policy setting out how all transactions should be recorded. Consider creating general ledger accounts specifically for gifts to and entertainment of government officials. Identify key general ledger accounts to monitor and review on a consistent basis for FCPA compliance. For example, cash accounts should be monitored and controlled to limit the amounts that can be drawn from petty cash without prior approval. Consider setting up a method to flag transactions in general ledger accounts with certain vendors and agents. Consider engaging outside auditing or legal expertise for advice on your FCPA recordkeeping policies. Attorneys and executives should keep in mind that improper accounting for FCPA-prohibited actions will likely be an independent violation of the FCPA and can result in hefty penalties, even if the government cannot prove bribery. And it is generally easier to prove that a company’s books and records are inaccurate than to prove the actual payment of bribes.
9. Make FCPA review part of M&A and JV due diligence.
Many companies have made the review of FCPA-related issues a core component of the due diligence they conduct in M&A transactions and in setting up joint ventures. While there is no due diligence defense as such under the FCPA, effective diligence can mitigate the risk that the regulators will bring an enforcement action for a later-discovered violation, or could reduce the size of any resulting penalties. Effective pre-transaction diligence can help position your company to mitigate the risk of post-transaction violations of the FCPA. Where you identify risk, propose that the arrangements include indemnification for FCPA violations by the other party. (Insurance policies generally will not cover FCPA violations.) Including contractual provisions regarding compliance with the FCPA and other applicable anti-bribery standards, and requiring the other party to accurately and fully disclose any related violations, are not only reasonable steps to take in entering a business transaction but also will help avoid unpleasant post-acquisition surprises.
10. The SEC and DOJ expect robust and verified compliance.
That’s fair enough, as far as it goes. But the law enforcers also have come to expect companies to self-report FCPA violations. Notwithstanding this relatively recent expectation, the costs and benefits and risks of self-reporting should be carefully weighed. Government investigations into FCPA compliance are on the rise – there has been a sharp increase in the number of investigations that have been resolved via settlement in recent years, and the penalties for violations even in these settlement contexts are scratching the stratosphere. Executives have been jailed for their part in FCPA violations. Prosecutors say they give companies credit for genuine cooperation, a thorough internal investigation and comprehensive remediation, but the standards they expect are high, including internal investigations that involve large segments of the company’s overseas operations, sometimes involving hundreds of interviews and the review of millions of documents, all at considerable expense to the company. Any internal investigation needs to be thorough and likely will benefit from the involvement of external counsel to assist with planning, coordination and execution. Experienced outside counsel also can help a company weigh the wisdom of reporting a potential FCPA violation to the government, as well as the relative costs and benefits of doing so and of not doing so.
You can help minimize the risk that your company will commit FCPA violations and best position your company to respond to future government inquiries by knowing your company, its intermediaries and its FCPA risks worldwide and by developing a responsive FCPA compliance policy and verification plan. Above all, don’t let your company bury its head in the sand – ensure that you are appropriately equipped to identify red flags and to respond quickly and effectively.