FCPA Enforcement: What does it mean for non-US companies?
By Thomas R. Fox
The US Foreign Corrupt Practices Act (FCPA) is a law that prohibits companies from engaging in bribery and corruption outside the United States (US) and requires the maintenance of accurate financial books and records. That is straightforward, and most people will not disagree with the intent of such legislation. However, the breadth and scope of the law are such that it can reach companies and individuals across the globe with what may appear to be the slightest connection to the US. As recently reported in the New York Times (NYT), in an article entitled “Foreign Firms Most Affected by U.S. Law Barring Bribes”, reporter Leslie Warren noted that the companies which have reached the biggest settlements under the FCPA “include Siemens, the German engineering giant; Daimler, the maker of Mercedes-Benz vehicles; Alcatel-Lucent, the French telecommunications company; and the JGC Corporation, a Japanese consulting company”. The two American companies in the top 10 are Halliburton, the energy services company, and Johnson & Johnson (J&J), the pharmaceutical company. This statement is made even clearer by the listing below of the top ten FCPA settlements of all time:
There are two other items of note to be drawn from this chart. The first is that, as a group, they have paid nearly $3.2 billion in settlements, so there can be very large fines associated with an FCPA violation. The second is that, with the exception of the first two companies, Siemens and Halliburton, all of the fines were levied within the past two years. This second fact indicates that FCPA enforcement continues to increase and grow ever more robust.
The FCPA is enforced against all US-based companies, wherever they operate across the globe; against all US citizens anywhere in the world; against all foreign subsidiaries of US companies across the globe; against any foreign company which has a US subsidiary or which does business in the US; against any company which has transactions which go through the US banking system; and finally against any foreign citizen who works for any of the above entities.
As reported in the NYT article, the Siemens enforcement action is illustrative of the jurisdictional reach of the FCPA. The bribery took place in Argentina. The people offering the bribes were not American, the people demanding the bribes were Argentine officials and Siemens is a German company. However, because Siemens’s securities were, and still are, traded in the US, the US Department of Justice (DOJ) was able to bring an enforcement action against the company. In the Daimler case, “the company admitted that its subsidiary in Russia had bribed local officials and that a German subsidiary had made payments to Croatian officials using an American shell company and those improper payments had been made to Chinese officials in an effort to persuade the officials to buy Daimler vehicles. Some of the money flowed through United States bank accounts, and Daimler has extensive operations in the United States.”
While Siemens also paid an $800 million fine to German authorities for the same conduct, the case involving its employees is not over. The DOJ has brought a criminal case against eight former executives, which continues. In December 2011, these former executives “were charged with paying $100 million in bribes to Argentine officials, including former President Carlos Menem, to secure a $1 billion contract for Siemens.” None of these indicted company officials are US citizens and the “eight executives live in Argentina, Germany or Switzerland, and none have been arrested or extradited”.
What Does the FCPA Cover?
The FCPA has two parts. The first is the Anti-Bribery Provisions, which criminalize the conduct of making bribes, or offers to bribe, to non-US officials, whether made directly or through a third party. The second is the Books and Records and Internal Controls Provisions, which require companies subject to the FCPA to maintain accurate books and records and adequate accounting and financial controls. The FCPA also includes a provision that requires that companies keep accurate books and records of payments made to any government officials. This means that it is a separate violation not to enter such a payment in the company books or to disguise it as some kind of legitimate payment. Finally, it is important to remember that virtually every country has laws on its books that prohibit bribery of its government officials.
The law extends to all third parties acting on behalf of a company, so a company may be liable for the actions of a third party acting on its behalf, for example: subcontractors, sales agents, freight forwarders, visa processors, accountants, lawyers, etc. The FCPA has a very broad definition of who is a foreign governmental official: it covers any officer or employee of a non-US government, any officer or employee of a public international organization (NGO), any non-US government party official and any non-US government candidates for office. You should also be careful in communist countries, where government ownership is not unusual but can sometimes be difficult to ascertain. While most people have a fair understanding of who may constitute a government official outside of the US, the FCPA applies not only to the elected representatives of a country, its non-elected representatives and various agencies and departments; it also applies to “instrumentalities”, which can be generally defined as any state-owned enterprise or business acting on behalf of the state or with state control and oversight. Lastly, two US government agencies enforce the FCPA: the US Department of Justice (DOJ) and the US Securities and Exchange Commission (SEC). The DOJ enforces the criminal portion of the law, the anti-bribery provision, and the SEC brings civil actions pertaining to books and records violations.
As shown by the top ten settlements, the fines and penalties can be quite high for entities involved in FCPA enforcement actions. Company fines can range up to $2MM for each violation and also include disgorgement of all profits obtained through the corrupt actions. There can also be contract debarment and suspension of a company’s export license. The penalties for individuals can be up to 5 years’ imprisonment and/or fines of up to $100K for each violation. A more catastrophic penalty for an individual can be forfeiture of all assets.
Compliance Programs – Prevent, Detect and Remedy
So what can a company do to protect itself from an FCPA enforcement action? As formulated by former Deputy Attorney General of the United States, Paul McNulty, there are generally three questions asked by a government regulator: (1) What did you do to prevent it? (2) What did you do to detect it? and (3) What did you do to remedy it? A satisfactory answer to all three questions will turn on the strength of your anti-corruption/anti-bribery compliance program. I believe that there are five essential elements to an anti-corruption/anti-bribery program. These essential elements of a corporate compliance program are based upon the best practices as set out in the seven elements of a corporate compliance program under the US Sentencing Guidelines; the 13 Good Practices by the OECD on Internal Controls, Ethics, and Compliance; and the UK Bribery Act’s Six Principles of an Adequate Procedures compliance program. The following chart lists the elements of each.
I believe that you can distill the five essential elements that make up a best practices compliance program from the above guidelines. They are as follows:
- Leadership – color coded Red.
- Risk Assessment – color coded Yellow.
- Standards and Controls – color coded Blue.
- Training and Communication – color coded Green.
- Oversight – color coded Grey.
Element I – Leadership
This point means more than simply “Tone-at-the-Top”. A successful compliance program must be built on a solid foundation of ethics that are fully and openly endorsed by senior management; otherwise the program may amount to little more than a hollow set of internal rules and regulations. There should be an unambiguous, visible and active commitment to compliance. But even more than support or the right tone, compliance standards require that companies have high-ranking compliance officers with the authority and resources to manage the program on a day-to-day basis. And compliance officers must have the ear of those ultimately responsible for corporate conduct, including the board of directors.
Element II – Risk Assessment
The implementation of an effective compliance program is more than simply following a set of accounting rules or providing effective training. Compliance issues can touch many areas of your business, and you need to know not only what your highest risks are but also where to marshal your efforts in moving forward. A risk assessment is designed to provide a big picture of your overall compliance obligations and then identify areas of high risk so that you can prioritize your resources to tackle these high-risk areas first.
Element III – Standards and Controls
Generally, there are three levels of standards and controls. (1) Code of Conduct. Every company should have a Code of Conduct which should express its ethical principles. However, a Code of Conduct is not enough. (2) Standards and Policies. Every company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. (3) Procedures. Every company should then ensure that enabling procedures are implemented to confirm those policies are applied, followed and enforced. FCPA compliance best practices now require companies to have additional standards and controls, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on a piece of paper.
Element IV – Training
Another pillar of a strong compliance program is properly training company officers, employees and third parties on relevant laws, regulations, corporate policies and prohibited conduct. Simply conducting training usually is not enough. Enforcement officials want to be certain the messages in the training actually get through to employees. Expectations of effectiveness are measured by who a company trains, how the training is conducted and how often training occurs.
Element V – Oversight
This final element focuses on whether employees are staying with the compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are adhering to the compliance program. The three key components to oversight are monitoring, auditing and responding quickly to allegations of misconduct. These three highlighted activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.
Navigating the waters of FCPA compliance can sometimes seem like a tricky and difficult task. Nevertheless, by putting a robust compliance program in place, your company will not only be in a position to prevent and detect corruption and bribery, but if the US or any other country’s regulators come calling, such a best practices compliance program will be your best defense in negotiating a fine and penalty. The cost and time of implementation will be well worth the credit you receive from any regulator.
About the Author
Thomas R. Fox, General Counsel/Chief Compliance Officer. Thomas is a client-focused, innovative attorney, with expertise in contracts, corporate law, international law, compliance, and small business affairs for major Fortune 500 corporations as well as small and solo business owners. Thomas built an international reputation as the “Nuts and Bolts” compliance expert, and is noted for providing superior legal services for the greatest value. (email@example.com; www.tfoxlaw.com; tel: +1 832 744 0264)
WorldCompliance empowers organizations to identify corrupt Foreign Officials and State Owned Enterprises within their business networks. World-Mplus, WorldCompliance’s proprietary software, allows companies to perform initial Third Party Due Diligence and submit information for automatic and continuous monitoring, and alerts companies if there is a change in a profile that may pose a risk.