Since mid-2000s investigation of Siemens, and the resulting $800 million penalty for violations of the Foreign Corrupt Practices Act (FCPA), the FCPA has been an enforcement priority of the U.S. Government. Although a dip in announced penalties in 2015 led some to wonder whether FCPA enforcement had peaked, questions regarding lagging enforcement attention were answered by a record level of enforcement actions and penalties in 2016.
Yet while enforcement activity has been strong under the Obama administration, criticisms of the FCPA by President Trump have led some to question whether FCPA enforcement will be a key priority of the new administration. To help companies determine the level of resources and attention that should be allocated to anticorruption compliance, this client alert presents the “top ten” questions that every company operating outside the United States should be thinking about, particularly companies dealing in high-risk environments such as China, India, Africa, Latin America, and other countries or regions that rank high on indices of perceived corruption.
This client alert is part of a series of “top ten” articles on the future of key international trade and regulatory issues expected to change under the Trump administration. Previously issued client alerts discuss international trade issues (the future of NAFTA,1 Customs and Border Protection,2 and international trade litigation (including antidumping and countervailing duty actions)),3 international investment (the future of the CFIUS review process4 and concerns of PE firms), and international regulation (cybersecurity,5 white collar enforcement,6 and here, the FCPA). Future client alerts will deal comprehensively with all international trade and regulatory areas where significant change could occur under the new administration.
II. The Top Ten FCPA Questions Answered (or, Will Anti-bribery and Corruption Really Be as Easy as “ABC” under the New Administration?)
1. What has President Trump promised?
During the election, President Trump did not discuss the FCPA specifically (although he did introduce a promise at the end of the election that he would “drain the swamp,” if elected, a reference to supposed corruption in Washington politics). Prior to the campaign, Mr. Trump expressed skepticism regarding the FCPA in a 2012 interview with CNBC, where Mr. Trump stated that “this country is absolutely crazy” to vigorously prosecute alleged FCPA violations because it puts U.S. businesses at a “huge disadvantage.” Mr. Trump concluded that the FCPA is a “horrible law and it should be changed.”7
It is not likely that the skepticism of businessman Trump will translate to President Trump pushing for a wholesale overhaul of the law or its revocation. With regard to Mr. Trump’s view that the FCPA imposes a disproportionate impact on U.S. companies, the reality is that seven of the ten largest penalties have been imposed on non-U.S. companies. Strong leadership by the United States on corruption has led to a more consistent level of anticorruption laws around the world. With the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions increasingly becoming the benchmark for anti-bribery standards (it has been signed by more than 40 countries), the result has been other countries enacting FCPA-style legislation or enhancing their measures to meet OECD standards. Both OECD and other countries (often at the urging of the United States) are implementing new anticorruption laws and stepping up their enforcement of their laws. For example, the second half of 2016, alone, saw France modernize its anti-corruption enforcement by adopting the Fight Against Corruption and Modernization of Economic Life law (known as Sapin II) in an effort to expand French jurisdiction over worldwide activity for companies that conduct business in France (among other enforcement strengthening). South Korea has also recently implemented a strengthened anticorruption law that prohibits its officials from accepting meals over 30,000 won (around $25) or gifts over 50,000 (around $45), while Brazil has announced a major series of investigations connected with Petrobas.
While it is true that the FCPA formerly put U.S. companies at a disadvantage, with other countries now putting in place their own restrictions on corrupt payments, the bribery-related advantages once enjoyed by companies from other countries have disappeared. This reality, as well as the political imperative that a President elected by promising to “drain the swamp,” will not want to be seen as weakening the principal anticorruption law maintained by the United States. With this in mind, it is unlikely that the FCPA or FCPA enforcement will be weakened under the Trump administration.
2. What are recent trends in FCPA enforcement? Will these trends continue?
In determining the likely enforcement priorities of the U.S. government, it is important to consider the nominees for the key positions that oversee FCPA enforcement: the Attorney General (criminal FCPA enforcement) and the head of the Securities & Exchange Commission (SEC) (oversight of the accounting provisions of the FCPA for publicly traded companies).
With regard to the former, Attorney General Sessions has shown general support for the value of anti-bribery laws, having co-sponsored the Public Corruption Prosecution Improvements Act, which would have revised U.S. law to expand prohibitions against bribery, theft of public money, and other government-related public corruption. As analyzed in the Foley Client Alert regarding white collar enforcement, Mr. Sessions is generally viewed as a law-and-order prosecutor who is unlikely to let violations of white collar laws in general, and the FCPA specifically, slide.8
With regard to the SEC, Mr. Trump has nominated Jay Clayton, a partner at Sullivan & Cromwell LLP, to chair the Commission. While Mr. Clayton chaired a committee of the New York City Bar Association that put out a 2011 white paper that concluded that rigorous FCPA enforcement was pushing foreign companies to avoid registering as U.S. issuers and stating that the U.S. government should “dial back the scope of FCPA enforcement with respect to companies,” the personal views of Mr. Clayton regarding FCPA enforcement are not known.
The SEC in general, however, has in recent years become a strong co-player with the Department of Justice (DOJ) in enforcing the accounting provisions of the FCPA. Institutional forces related to this increased SEC enforcement will push Mr. Clayton towards continuing the strong enforcement of the FCPA. Enforcement of the FCPA has been strong every year since 2008. Although FCPA settlements in 2015 were down (falling to $133 million), this appears to have been a statistical lull based upon the timing of settlements, what with 2014 featuring the announcement of $1.5 billion in penalties and 2016 announcements soaring to $2.48 billion. The new administration will not want to be seen as significantly falling off this pace.
At both the DOJ and the SEC, there is an institutional inertia that transcends changes at the political level. Both agencies have bulked up through the hiring of attorneys and the dedication of investigation resources - specifically for anticorruption/FCPA investigations. These new and existing attorneys work with special squads of FBI agents devoted to FCPA investigations and work closely with enforcement counterparts in other countries. The hiring of the first DOJ compliance expert, Ms. Hui Chen, also shows a commitment to FCPA enforcement and the evaluation of compliance measures in enforcement actions. By all reports, there is a strong pipeline of cases under current investigation, including the massive investigation of Wal-Mart’s potential use of bribes as a business-development tool. Further, with the SEC becoming more aggressive in its penalty assessment, and mining its successful whistleblower program for reports of violations, the table is set for continuing strong FCPA enforcement activity.
Based on all of these reasons, the chances favor continuing strong enforcement of the FCPA at both the DOJ and the SEC.
3. Is Congress likely to change the operation or scope of the FCPA?
There have been calls for Congress to change the operation or scope of the FCPA in recent years. For the most part, these proposals have not been attempts to directly ease the reach of the Act, such as by curtailing the controversial (yet effective) assertion of U.S. jurisdiction over tangential contacts with the United States or the U.S. financial system. The proposals, however, could indirectly cause some weakening of the FCPA (in some cases, by design).
The most commonly advocated changes involve two areas: (1) greater clarity regarding the scope and coverage of the law; and (2) institutionalizing credit to be given to companies that maintain well-functioning compliance programs. These efforts are encapsulated by the FCPA reform agenda advocated by the U.S. Chamber of Commerce. The key elements of that reform proposal are as follows:
- Allowing for an affirmative defense that would allow the company to rebut the imposition of criminal liability upon a showing that the company maintained a compliance program reasonably designed to prevent FCPA violations.
- Greater clarity regarding the definition of a “foreign official,” to make clear that a government official is one who acts in a governmental capacity, not one who acts in a commercial capacity for a company that happens to be owned by a foreign government.
- Greater clarity regarding the definition of what an “instrumentality” is, to allow companies to determine whether they are in fact dealing with a government official in their dealings.
- Greater clarity regarding parent-subsidiary and successor liability.
- Greater clarity regarding the state of mind (mens rea standard) needed to support a finding of a violation.
Although prospects for significant FCPA weakening are low, some elements of this agenda could find a receptive ground before a pro-business Republican Congress and Republican president. The most likely change would be the introduction of an affirmative defense for effective anticorruption compliance measures. Such a provision would mirror the UK Bribery Act and other anticorruption laws that contain a similar provision to encourage effective compliance.
Less certain is whether Congress will enact “clarifying” changes, given that these clarifications generally would curtail the reach of the Act, such as stating that the law does not apply to employees of state-owned entities. There is a bipartisan interest in not appearing to be soft on corruption, especially with regard to bribes by not-particularly-popular U.S. and foreign multinational corporations. The U.S. Government also has an institutional interest in keeping the key terms of the law vague, as the DOJ has used the ambiguity to push an aggressive view of the breadth of the law. Thus, while judicial review of enforcement actions might provide additional clarity regarding these provisions, it is not likely that Congress will take steps to significantly curtail the reach of the law.
At the same time, it is possible that any efforts to open up the FCPA to amendment could actually lead to a tightening of the FCPA standards in two areas: coverage of commercial bribery and the elimination of the facilitating payments exception. Many non-U.S. laws, such as the UK Bribery Act, cover both types of bribes, making the FCPA’s approach somewhat dated.
Regardless of whether these changes occur, companies should be thinking more broadly about corruption compliance best practices, even if they are not explicitly required to comply with the FCPA. Even if the FCPA allows for commercial bribery and for facilitating payments, such actions often violate local law and make for bad compliance decisions. And the U.S. government has other tools, such as the Travel Act and various wire fraud statutes, to reach commercial bribery. As a result, companies should consider broadening their approach from compliance with the FCPA minimums to maintaining broader anticorruption policies, so as to cover all forms of corruption of any size, whether it involves government officials, private persons, facilitating payments, or even the receipt of bribes (kickbacks).
4. The regulatory agencies have a lot of regulations and initiatives in the anticorruption arena. Are these likely to change?
The DOJ and the SEC have undertaken several initiatives in recent years, including the issuance of a joint DOJ/SEC set of guidelines, the implementation of an SEC whistleblower program, SEC regulatory efforts, and the FCPA Pilot Program. In the main, these initiatives were intended to increase enforcement attention and to encourage enhanced FCPA compliance. The main recent regulatory initiatives in the anticorruption space, and prospects for change for each, are as follows:
SEC Whistleblower Program. Although there is pressure to amend the Dodd-Frank program that established this whistleblower regime (as discussed in the Foley Private Equity “Top Ten Questions” alert), the success of the SEC whistleblower program presents institutional pressure to keep it going, regardless of what happens to Dodd-Frank. Since the SEC established a whistleblower program in July of 2010, the SEC program has paid out well in excess of $100 million to whistleblowers, based on the collection of penalties approaching one billion dollars, with much of this activity being in the FCPA realm. The number of tips received annually has grown from 334 in 2011 to 4,218 in 2016.9
The SEC would hate to give up such a successful source of enforcement leads. The SEC placed a vote of confidence in the whistleblower program in several enforcement actions, against such companies as BlueLinx Holdings, Inc. and Health Net, Inc., which imposed severance agreement requirements stating that outgoing employees must waive their rights to any monetary award from the SEC’s whistleblower program. Underscoring the importance of the program, the SEC imposed significant penalties for the implementation of these provisions even though there was no finding that the provisions had prevented anyone from reporting a potential violation to the SEC.
As Jane Norberg, Chief of the SEC’s Office of the Whistleblower, summarized the SEC’s view that the whistleblower program has had a “transformative effect” on SEC enforcement activity.10 The whistleblower program accordingly is likely to survive any changes to the Dodd-Frank Act that initially authorized it. Further, even if the Dodd-Frank authorization were to disappear, the SEC nonetheless might use its inherent regulatory powers to continue a variation of it. It is unlikely Congress would take steps to bar this, given the blowback that such a softening of a well-known anticorruption initiative would create.
FCPA Pilot Program. The FCPA Pilot Program was announced as part of a three-part approach to FCPA enforcement in a memorandum from Andrew Weissmann, the Chief of the DOJ’s Fraud Unit. The three initiatives were that: (1) the DOJ would be “intensifying its investigative and prosecutorial efforts by substantially increasing its FCPA law enforcement resources,” including a fifty percent increase in the number of FCPA-specialist prosecutors; (2) there would be a “strengthening” of DOJ “coordination with foreign counterparts in the effort to hold corrupt individuals and companies accountable”; and (3) there would be an FCPA “pilot program,” which would be a one-year program designed “to promote greater accountability for individuals and companies that engage in corporate crime by motivating companies to voluntarily self-disclose FCPA-related misconduct, fully cooperate with the Fraud Section, and, where appropriate, remediate flaws in their internal control and compliance programs.” Consistent with the dictates of the Yates Memorandum, the FCPA Pilot Program is intended in part to hold individuals responsible for FCPA violations. The FCPA Pilot Program also included circumstances where the DOJ could use its discretion to decline prosecution. These declinations can be used only if certain conditions are satisfied, including complete cooperation and disgorgement of profits gained as a result of the bribes paid.
There are several more months during which the FCPA Pilot Program will run. It appears, however, that the Pilot Program has been successful and that it will be renewed or perhaps made permanent.
Yates Memorandum. The Yates Memorandum, among other things, is designed to increase the focus on individual actors in DOJ enforcement actions. With Attorney General Sessions a law-and-order former prosecutor, who, in the past, has expressed support for prosecuting individuals where they are involved in corporate crime, it is unlikely that the DOJ will seek to weaken the provisions of the Yates Memorandum. The Yates Memorandum is discussed more extensively in Foley’s White Collar Enforcement client alert.11
Extractive Regulations. In contrast to the initiatives listed above, which are expected to continue in force, the draft extractive regulation rule will not become permanent law. A draft reporting rule issued by the SEC required that oil, natural gas, and mining companies reveal details about payments made to secure the right to extract resources. The extractive reporting rule (Rule 13q-1) required that, for fiscal years ending on or after September 30, 2018, companies in the impacted industries make detailed reports regarding payments made to foreign and domestic governments for the commercial development of oil, natural gas, or minerals.
This rule met fierce political opposition, illustrating the difference between weakening an existing law like the FCPA and creating a new anticorruption requirement that targets a specific group of well-connected companies. Following a Joint Congressional resolution disapproving of the rule pursuant to the Congressional Review Act (which permits Congress, by simple majority, to disprove rules shortly following their adoption), President Trump endorsed the invalidation of the rule. Under the terms of the Congressional Review Act, the SEC is precluded from re-adopting the rule, even though the Dodd-Frank Act required the issuance of a resource extraction disclosure rule.
5. “In addition to these regulatory developments, what areas do you see as being likely new areas of focus under the new administration?”
The U.S. Government is taking an increasingly broad look at potential violations, seeking to punish all related conduct. This is manifested in combined AML and economic sanctions enforcement actions, export controls and economic sanctions actions, and so forth. It is likely the U.S. government will emphasize these types of combined enforcement actions in coming years, including with regard to the FCPA. In the FCPA context, this implies a focus on whether the object of the bribes was itself illegal under other laws.
Companies in bribery investigations should also be aware of the fact that enhanced sharing of information between the U.S. government and foreign governments may not be one way. As foreign governments become increasingly active in their own anti-corruption efforts, the chances that companies will face enforcement actions in multiple countries increase. The previous assumption, which was that only the U.S. government would prosecute bribe-related activity over which it has jurisdiction, has become increasingly tenuous.
6. What can we do to ensure integrity in our business partners or to reassure our own partners that we have vigorous compliance? What about this new ISO 37001 program?
The last decade has seen a number of sources of “best practices” in the realm of anticorruption compliance, including: (1) the FCPA Guidance issued by the DOJ and the SEC, which contains a section titled “Hallmarks of Effective Compliance Programs”; (2) the DOJ’s Principles of Prosecution of Business Organizations, which contains a section titled ‘Corporate Compliance Programs”; (3) U.S. Sentencing Guidelines, which contain a section titled “Effective Compliance and Ethics Programs”; (4) Attachment C in many recent DOJ FCPA settlement agreements; (5) The UK Bribery Act Guidance issued by the U.K. Ministry of Justice; and (6) the OECD’s “Good Practice Guidance on Internal Controls, Ethics, and Compliance.” These sources of anticorruption compliance best practices coalesce around sound principles of regulatory risk management, including the necessity for a clear, easy-to-understand compliance program, tailored and repeated training, and regularly audited internal controls.
Yet what these many sources of compliance best practices have not offered is a certifiable standard of anticorruption program benchmarking. This gap was filled on October 15, 2016, when the International Organization for Standardization (ISO) adopted ISO 37001 as a certifiable international “anti-bribery management system.”12 While ISO standards are voluntary, in certain areas, such as quality management, its standards have become de facto international benchmarks. The possibility of benchmarking to the standard by third-party certifying parties potentially could make the standard influential – not only with regard to companies seeking ethical partners, but potentially in DOJ and SEC investigations under the new administration as well.13
At this time, it is not certain how impactful the new ISO 37001 standards will be. Initial indications are that the ISO standard may prove most useful in countries that are marked by a high degree of perceived corruption, as they could provide an objective guidepost and assurance of the presence of an audited anticorruption compliance system. Companies operating in such environments may seek certification as a means of gaining a competitive advantage from business partners who want to minimize bribe-related risk.
For many U.S. companies, the receptivity to submitting to an outside ISO audit process will likely turn on how the program is treated in future DOJ and SEC enforcement actions. If it appears that the regulatory agencies are giving extra compliance credit to companies with a certified anticorruption process in place, the program may become coveted by companies at heightened risk of violations. There is precedent for such a result: the DOJ’s “Principles of Federal Prosecution of Business Organizations” states that prosecutors should evaluate “the existence and effectiveness of the corporation’s pre-existing compliance program” when determining whether to charge a corporation with a crime,”14 while the U.S. Sentencing Guidelines state that prosecutors should consider whether the defendant had an “effective compliance and ethics program” in place.15 The presence of a certified program could help with such requirements.
An additional reason to have ISO 37001 certification applies to companies that are subject to the UK Bribery Act of 2010. For these companies, the certification could prove useful because that Act (unlike the FCPA) provides for an “adequate procedures” defense. Because this defense can only be used if the company can “prove [it] had adequate procedures in place to prevent bribery,”16 the ISO 37001 would enhance the company’s ability to argue that it met this standard.
7. Sounds Intriguing. What is required to become ISO 37001 compliant?
The ISO 307001 standards are ones that undergird effective anti-bribery compliance in general. To be certified as ISO 37001-compliant, an organization must develop systems designed to prevent, detect, and deter bribery while also “comply[ing] with anti-bribery laws and voluntary commitments applicable to its activities.”17 Any ISO 37001 system must address: (1) bribery of government officials; (2) commercial bribery; (3) bribery in the non-profit sector; (4) both active bribery (outgoing payments) and passive bribery (incoming bribes); and (5) incoming and outgoing indirect bribes through third persons.18
The ISO 37001 standards recognize that effective anticorruption compliance requires the adoption of a risk-based approach – described as a “reasonable and proportionate” approach – which should be based upon periodic risk assessments. Risk assessments should be used to make decisions about the “allocation of anti-bribery compliance personnel, resources and activities.”19 Factors companies should consider when determining the breadth of their risk-based compliance response include:
- The size and structure of the company;
- The locations and sectors where the company operates or anticipates operating;
- The nature, scale, and complexity of the company’s activities and operations;
- Entities over which the company has control;
- The business associates of the company;
- The ways in which the company interacts with public officials; and
- Any applicable statutory, regulatory, contractual, or professional obligations or duties, such as arise from medical codes of conduct and so forth.20
In addition to conducting risk assessments, ISO 37001 requires that companies take the following steps:
- Develop and Maintain Compliance Policies and Internal Controls. “Well-managed organization[s]” are “expected to have compliance polic[ies] supported by appropriate management systems,” including “procedures that are designed to prevent the offering, provision or acceptance of gifts, hospitality, donations and similar benefits where the offering, provision or acceptance is, or could reasonably be perceived as, bribery.”21 The ISO 37001 Requirements also state that compliance policies and internal controls must be “communicated in appropriate languages” to both employees and relevant third parties.22
- Training. Companies must provide employees with “adequate and appropriate anti-bribery awareness and training” while also “retaining documented information on the training procedures, the content of the training, and when and to whom it was provided.”23
- Tone at the Top. The “group of people who direct and control [the] organization at the highest level” should demonstrate commitment to anti-corruption compliance, including by “communicating internally the importance of effective anti-bribery management and of conforming to the anti-bribery management system requirements” and “promoting an appropriate anti-bribery culture within the organization.”24 Required support from the top includes such tasks as “approving the organization’s anti-bribery policy,” “requiring that adequate and appropriate resources ... are allocated and assigned,” and “exercising reasonable oversight over the implementation of the organization’s anti-bribery management system by top management.”25***
- Risk-Based Due Diligence. Companies should conduct due diligence on “specific transactions, projects, activities, business associates,” and company personnel with more than a “low bribery risk.”26
- Contractual and Certification Protections. The ISO 37001 Requirements state that companies should require third parties that “pose more than a low bribery risk” to certify they will “commit to preventing bribery ... in connection with the relevant transaction, project, activity, or relationship.”27 These should be backed with termination provisions.28
- Compliance Commitments from Employees. Companies must “require [their] personnel to comply with the anti-bribery policy and anti-bribery management system, and give the organization the right to discipline personnel in the event of non-compliance.”29
- Implement Internal Controls. Companies must implement both “financial controls” and “non-financial controls” (i.e., “procurement, operational, sales, [and] commercial” measures).30
- Reporting Channels and Whistleblower Protections. Companies need to establish systems to allow personnel and third parties to “report in good faith or on the basis of a reasonable belief attempted, suspected and actual bribery, or any violation of or weakness in the anti-bribery management system,” including through “anonymous reporting” and the maintenance of measures that “prohibit retaliation, and protect those making reports from retaliation.”31
- Documentation. Companies need to document their ISO 37001 activities, with the degree of documentation being based on the size and complexity of the organization and the nature of its activities.32
- Improvement of Anti-Corruption Controls through Constant Assessment. Companies need to assess and review their anti-bribery compliance systems on an ongoing basis to ensure their “suitability, adequacy and effectiveness.”33
One notable difference between the ISO 37001 standards and U.S. law is that the FCPA allows “facilitation payments” while the ISO 37001 standards do not, on the basis that “they are illegal in most locations” (i.e., under local law). Since it is a best practice to make such payments contrary to company policy, this deviation from the strict requirements of the FCPA is not meaningful for most companies.
8. “I am worried about whistleblowers. What can I do to minimize problems in this area?”
As discussed above, the SEC whistleblower program has resulted in numerous FCPA penalties and announced settlements. In addition, with studies showing that most whistleblowers are motivated by reasons other than money (i.e., whistleblowing often occurs because employees are disgruntled or terminated, or because an employee believes internal reporting was not taken seriously), even companies that are not publicly traded should be concerned about whistleblower activity.
Minimizing whistleblower risk, to a large degree, starts with an effective compliance program. An effective compliance program, supported by a culture of compliance where employees are encouraged to speak up and internally report potential violations of law, is the best weapon to prevent external whistleblower activity. The more effective internal handling of compliance lapses is, the less likely external whistleblowing will occur.
Specific compliance measures firms should consider to minimize the risks of external whistleblower activity include:
- Maintaining a Culture of Compliance
- Ensuring that there is senior management support for compliance efforts.
- Hiring and adequately supporting well-trained staff empowered to independently identify misconduct and thoroughly investigate complaints, hire external counsel, and to report findings directly to senior management and relevant board committees/personnel.
- Ensuring that compliance efforts are adequately funded, based upon a clear and objective evaluation of the regulatory risks facing the organization.
- Maintaining Effective Policies
- Maintaining effective anticorruption policies that cover all forms of bribery-related regulatory risk (both for government officials and commercial bribery).
- Maintaining anti-retaliation compliance policies to ensure that there is no retaliation for whistleblower activity, and that whistleblowers continue to be evaluated solely based on quality of work and not concerns related to whistleblower activities.
- Maintaining Effective Procedures
- Implementing procedures to evaluate the significance of claims quickly, determine the priority of investigation, and appropriate follow up based on the potential seriousness of the issue.
- Creating procedures to ensure that any compliance lapses are remedied, such that issues identified as a result of whistleblower activity (or that are otherwise discovered) are not repeated.
- Maintaining procedures to document all claims received, how they were handled, and their resolution, tracking all complaints from initial report to ultimate resolution.
- Maintaining procedures to report back to whistleblowers regarding how their claims were handled while sanitizing the report of any confidential data.
- Maintaining procedures for determining when outside investigative resources, including law firms and forensic specialists, need to be brought onto investigations.
- Implementing special procedures related to the handling of complaints related to senior management, board of directors, audit committee members, and compliance committee members.
- Drafting procedures to ensure confidential treatment of materials related to internal investigations, including procedures designed to preserve attorney-client communication and attorney work product privileges
- Encouraging Effective Reporting
- Creating multiple ways to report potential misconduct, including independent 24-hour telephone hotlines with multiple language capability, web-based reporting, and email.
- Creating ways for external compliance stakeholders to report misconduct.
- Creating pre-existing procedures regarding how to properly engage whistleblowers, investigate allegations of misconduct, and otherwise manage whistleblowers.
- Encouraging Effective Follow up
- Properly documenting the results of investigations, including the persons involved, the allegations, how they were investigated, and any remedial measures adopted in response.
9. “My firm acquires a lot of companies. What can I do to prevent purchasing potential FCPA violations?”
Liability for FCPA issues can effectively be purchased, as changes in corporate structures or control do not eliminate FCPA liability. The FCPA Resource Guide provides for the following tips to minimize risks (which are equally applicable to any high-risk legal regime):
- Conduct thorough risk-based due diligence.
- Ensure the acquiring company applies its code of conduct and compliance policies to the target as quickly as possible, or otherwise ensures that strong compliance is in place soon after the acquisition is complete.
- Train the directors, officers, and employees of newly acquired businesses or merged entities regarding high-risk regulations and risks of its business model (which hopefully were identified as part of a searching due diligence inquiry prior to acquisition); consider training agents and business partners where the risk is high.
- Conduct a compliance audit of all newly acquired or merged businesses as quickly as practicable.
- Consider disclosing any issues discovered as part of the due diligence or post-acquisition compliance implementation to relevant regulatory authorities.34
As can be seen, the recommendations center on the conduct of effective due diligence and the implementation of learnings found in that due diligence after the acquisition. The role of due diligence in this process cannot be overstated, as effective due diligence actually has seven rationales: (1) to determine the risk of the acquisition; (2) to ensure proper valuation of the acquired company; (3) to determine the potential liability for violations; (4) to minimize unexpected surprises; (5) to minimize liability for past conduct; (6) to identify future compliance issues; and (7) to assist in post-acquisition planning.
To avoid unpleasant surprises, the following are the general topics the due diligence inquiry should address:
- Evaluating the risk profile of the target including, with regard to its industry, countries of sales and operation, the use of third parties/consultants/joint ventures, and so forth.
- Evaluating the structure of the target’s operations, including its customer base, its non-U.S. operations and the countries in which it operates, sells, and to which it exports.
- Determining how the target conducts business with third parties, what due diligence has been performed on them, and to what extent the target’s business relies on agents or distributors.
- Determining the rigor of the target’s recordkeeping and accounting procedures.
- Determining whether the target has appropriate compliance and training procedures.
- Determining whether the target conducts periodic reviews and certifications of its third-party intermediaries and whether the target has contractual provisions which allow termination based upon suspected legal violations.
- Determining whether the target has procedures to help identify red flags for high-risk areas (FCPA, export controls, sanctions, AML, and antitrust/fair competition, among others) with appropriate follow up.
- Determining whether the target has been the subject of any investigation by any government that potentially could lead to significant risk and penalty exposure under legal regimes of concern.
- Determining whether the target’s compliance structure is appropriate, including with regard to compliance resources located outside of headquarters, and whether it is run, in an independent fashion, by a senior management-level employee who is backed with appropriate resources.
- Determining whether the target conducts periodic internal compliance assessments and compliance audits and follows up on identified compliance gaps with compliance improvements to identify known compliance issues.
A basic understanding of the operations of the target is required, which is determined by requesting:
Basic Background Information
- A list of countries where the target conducts business.
- A list of countries where the target has sold directly or indirectly to foreign governments.
- A list of companies that the target does business with that is owned by a foreign government.
- Estimates of what percentage of the target’s business depends upon dealings with foreign governments and state-owned entities.
- Copies of all contracts for purchases by, or sales to, state-owned entities and details regarding how these contracts were negotiated.
- A list of any joint ventures or other arrangements with state-owned entities.
- A list of any business relationships with government officials.
Compliance and Training
Information regarding the target’s training and compliance measures provides a window into the culture of the target. Discovering this type of information is accomplished by requesting the following information:
- A description of the target’s anti-bribery compliance program and all its elements including training.
- A copy of any materials provided to employees as part of their anti-bribery training.
- A description and contents of any third-party FCPA compliance training.
- A list of all red flags uncovered through the operation of the target’s anti-bribery compliance program.
Agents and Third Parties
Third parties cause many FCPA problems. To minimize this risk, the acquirer should seek information regarding:
- Whether the target has hired any foreign officials as agents or in any other role, and whether any of these relationships are ongoing.
- The due diligence procedures relating to the hiring of agents, the results of any due diligence performed, and a description of how any red flags discovered during the hiring of agents were addressed.
- Any contracts with agents or other third parties including certifications of FCPA compliance.
- Any past or present relationships between foreign officials and any agents hired by, or acting on behalf of, the target.
- The services provided by any agents, the total compensation paid in relation to those services and the basis for establishing the compensation.
- Any payments made to foreign officials for any reason including visits to conferences, trips and entertainment.
- The procedures used to reimburse agents for entertainment of foreign officials.
- Any hiring by the target of government officials as agents, consultants or in any other business capacity.
- Any documents relating to the suspension of payments to agents or other third-party representatives, including information pertaining to the red flags that led to the suspension.
Dealing With Potential FCPA Issues
Where it appears that the target has paid bribes, there are a number of tough questions for the acquiring company to ask itself before proceeding. These include:
- Is the conduct over? Are there likely other bribery situations that have not yet been discovered?
- Will continuing bribes be required to maintain the acquired company’s business? Will ending the bribes significantly impact the target’s business?
- If it appears that the acquirer will need to terminate personnel who were involved in the bribery, how important are these personnel to the operation of the target’s business? If they are demoted or dismissed, what is the impact on the business of the target?
- Where it appears that third-party agents, consultants, representatives, distributors, joint venture partners and other business partners are involved, what will be the impact of reforming or ending relationships with those parties?
- Where past bribes have been paid, does it appear that disbarment risks are raised such as the potential loss of government contracts or export licenses?
- How will accounting and disclosure issues be dealt with after the closing?
- Does the price for the target need to be adjusted in light of not only the known corrupt activities, but also those whose discovery might not occur until after closing? Is the possibility of future discoveries taken care of in the sale agreement, including the potential expense of investigations, voided contracts, lost business or other potential problems?
- Is there the potential for shareholder class action or derivative suits?
Because due diligence is never perfect, acquirers need to consider protections in the event that potential violations are not discovered through the conduct of the due diligence. Contractual safeguards help reduce exposure to FCPA risks.
The scope of the representations and warranties should be negotiated to protect the acquirer against any wrongdoing committed not only by the target company, but also by its agents, its subsidiaries and affiliates, and perhaps even its existing shareholders. To the extent specific risks are identified during the due diligence phase, representations and warranties can be tailored to target identified risks.
In addition, indemnification mechanisms also can provide important protections if there are losses following completion of the transaction. Material adverse changes and conditions precedent clauses also can enable acquirers to abandon transactions where corrupt activities are identified before the transaction has been completed. If corrupt activities occur or are suspected during the transaction or before the closing, the acquirer should have the ability to pull out from the transaction or to carve out the affected portion of the business.
Ultimately, the steps taken to mitigate compliance risks need to be tailored to address the specific risks of the transaction, which is why effective due diligence is important. Conducting comprehensive due diligence before committing to a deal, particularly for targets operating in high-risk jurisdictions, is an important protection from the high-risk FCPA enforcement environment.
10. “Compliance sounds complicated! Has anyone ever thought of putting together a twelve-step program to provide guideposts for an effective risk mitigation?”
The author of this client alert has an international compliance guide that includes just such a twelve-step program; a copy is available by request.35 The headlines of this twelve-step program are as follows:
- Step 1: Secure Buy-In at the Top. This includes not only taking steps to secure the appropriate “tone at the top” and support for compliance efforts, but also securing adequate resources to support compliance efforts.
- Step 2: Perform a Risk Assessment. The second step for most organization is to perform a risk assessment (a survey of the company’s operations to determine the exposure of the organization to various forms of regulatory risk, considering both the likelihood and severity of possible violations and the current enforcement priorities of the relevant authority). Once the risk assessment is complete, the results should be carefully evaluated to determine where the areas of greatest compliance concern lie through the preparation of a company-wide risk profile, which can guide the allocation of compliance resources.
- Step 3: Survey Current Controls Step 3 involves surveying current compliance procedures and internal controls to determine whether the compliance measures in place properly cover the circumstances that may put the organization at risk of violations.
- Step 4: Identify Available Resources. After an inventory of compliance procedures in place has occurred, a key next step is to ensure the organization has not fallen into the classic compliance trap of over-promising and under-delivering by imposing compliance requirements and then failing to implement them. To avoid these and other promise-resource mismatches, the company should, with a clear and open mind, compare its identified risk profile with the inventory of current policies and internal controls to determine whether there are any gaps between the two. Funding adequate to cover all necessary compliance efforts should be in place and, if not, should become a funding priority.
- Step 5: Assess Local Oversight. The state of compliance as envisioned at corporate headquarters, and the actual state of compliance, as implemented in the field, diverges far too often. It is often necessary, at least in larger companies, to set up a compliance infrastructure that includes compliance liaisons and various local resources that can ensure effective implementation of compliance dictates. These resources also can be invaluable in identifying compliance lapses before they grow and become a large problem.
- Step 6: Create a Written Compliance Policy. It is an unfortunate fact that Step 6—the drafting of the compliance manual—is often Step 1 for many companies. But there is considerable groundwork to cover before the organization should begin the actual drafting of the compliance manual, including the performance of a risk assessment and establishment of the culture of compliance. The written manual should accurately summarize the regulations, using plain language that employees without legal training can readily follow. The focus should be on readability and tailoring the policy to the risk and business profile of the company, not trying to cover every nuance of the legal regime at issue.
- Step 7: Establish Internal Controls. Although internal controls (called standard operating procedures at some companies) are one of the three pillars of compliance (along with the written policy and training), they often are the most neglected. But internal controls provide procedures that are essential to implement the dictates of the compliance program. Systematizing compliance through internal controls also gives the company the ability to audit compliance and determine how effective the procedures actually are.
- Step 8: Training, Training, Training. The basic task of training is to ensure, in conjunction with a well-written compliance program and appropriate internal controls, that employees and agents have sufficient knowledge to recognize red flags and other problematic situations, and understand what they need to do to comply with regulations and company policy. The goal is not to create legal experts all across the company; rather, it is to sensitize people to the law so they know when to seek counsel from the appropriate compliance or legal personnel. No compliance regime will be successful unless the appropriate individuals are identified and trained regarding the company’s compliance efforts and the operation of its compliance program.
- Step 9: Integrate Outsiders. Outsiders—third parties who act (or could be construed as acting) for the organization—are often a key source of risk. Companies accordingly should take steps to ensure that outsiders acting on their behalf are trained in the key compliance requirements, whether through the imposition of an obligation of the outside actor to receive training or through direct integration of the outsider into the company’s compliance program.
- Step 10: Auditing and Checkups. It is difficult to have a strong compliance program unless it is regularly tested and probed, with the results analyzed to come up with compliance improvement action items. As companies realize the dangers of letting their compliance program run on auto-pilot, it has become common for companies to use risk-based auditing principles to determine the countries, divisions, subsidiaries, and third parties who should be monitored through audits and compliance check-ups. Companies that do so reap considerable compliance dividends.
- Step 11: Monitor Red Flags. The identification of red flags and ensuring appropriate follow-up are the keystones to a well-functioning compliance system. One of the most important tasks when implementing international compliance, accordingly, is to train relevant stakeholders regarding the transactions and conduct that are suspicious given the regulatory requirements.
- Step 12: Communicate with Board & Senior Management. In corporations that set the proper compliance tone, board-level involvement is regular and institutionalized. The key areas for board-level involvement include thorough oversight of compliance initiatives, quarterly reports of compliance activities, and special communications for potentially serious matters. Compliance conversations with senior management should be routine and compliance counsel consistently heeded.
The international climate for U.S.-based multinational companies and non-U.S. based companies that sell into the United States has never been more uncertain. This client alert is the seventh of a series of Articles that is being prepared to help companies navigate the uncertain international trade and regulatory environment. Future “Ten Question” articles related to the transition to a new Administration already cover international trade issues (NAFTA, International Trade (antidumping and countervailing duty) actions, and Customs); international investment (changes in how the Committee of Foreign Investment in the United States (CFIUS) evaluates investment in the United States, concerns of PE firms); and international regulatory issues (cybersecurity, white collar enforcement and, here, the FCPA). Future client alerts will cover the Office of Foreign Asset Controls (OFAC economic sanctions) and Export Controls and anti-money laundering.
If you would like to be added to the mailing list for these alerts, please contact the chair of the Foley & Lardner LLP Export Controls and National Security practice (and the author of this client alert) at ghusisian foley.com or +1 202.945.6149.
1 See Gregory Husisian and Robert Huey, “NAFTA and the Trump Administration: Your Top Ten Questions Answered,” https://www.foley.com/nafta-and-the-new-trump-administration-12-01-2016/
2 See Gregory Husisian and Robert Huey, “U.S. Customs and the Trump Administration: Your Top Ten Questions Answered,” https://www.foley.com/us-customs-and-the-new-trump-administration-your-top-ten-questions-answered-02-07-2017/
3 See Gregory Husisian and Robert Huey, “International Trade Litigation and the Trump Administration: Your Top Ten Questions Answered,” https://www.foley.com/international-trade-litigation-and-the-new-trump-administration-your-top-ten-questions-answered-01-06-2017/.
4 See Gregory Husisian, “CFIUS and the New Trump Administration: Your Top Ten Questions Answered,” https://www.foley.com/cfius-and-the-new-trump-administration-your-top-ten-questions-answered-01-25-2017/.
5 See Gregory Husisian, Chanley Howell, and Jacob Heller, "Cybersecurity and the new Trump Administration: Your Top Ten Questions Answered," https://www.foley.com/cybersecurity-and-the-new-trump-administration-your-top-ten-questions-answered-04-27-2017/.
6 See Scott Fredericksen and Gregory Husisian, “White Collar Enforcement and the New Trump Administration: Your Top Ten Questions Answered,” https://www.foley.com/white-collar-enforcement-and-the-new-trump-administration-your-top-ten-questions-answered-02-09-2017/.
7 See FCPA Professor, “The FCPA is a Horrible Law and It Should be Changed,” available at http://fcpaprofessor.com/donald-trump-the-fcpa-is-a-horrible-law-and-it-should-be-changed/.
8 See Scott Fredericksen and Gregory Husisian, “White Collar Enforcement and the New Trump Administration: Your Top Ten Questions Answered,” https://www.foley.com/white-collar-enforcement-and-the-new-trump-administration-your-top-ten-questions-answered-02-09-2017/.
9 See 2016 Annual Report to Congress on the Dodd-Frank Whistleblower Program.
10 See 2016 Annual Report to Congress on the Dodd-Frank Whistleblower Program.
11 See Scott Fredericksen and Gregory Husisian, “White Collar Enforcement and the New Trump Administration: Your Top Ten Questions Answered,” https://www.foley.com/white-collar-enforcement-and-the-new-trump-administration-your-top-ten-questions-answered-02-09-2017/.
12 See “ISO 37001:2016, Anti-bribery management systems – Requirements with guidance for use,” http://www.iso.org/iso/catalogue_detail?csnumber=65034 (“ISO 37001 Requirements”).
13 Although the ISO had previously issued anticorruption compliance in ISO 19600, that Type B standard provided only guidance for companies to consider in their anticorruption efforts. The ISO 37001 Requirements are a Type A standard, which means that contain objective criteria designed to allow independent auditors to render determinations regarding the fealty of a company to the new ISO standards.
14 US Dep’t of Justice, §§ 9-28.300, 9-28.800, https://www.justice.gov/usam/usam-9-28000-principles-federal-prosecution-business-organizations.
15 U.S. Sentencing Guidelines, § 8B2.1
16 UK Ministry of Justice, The Bribery Act 2010: Guidance 6 (Mar. 2011), https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/181762/bribery-act-2010-guidance.pdf.
17 ISO 37001 Requirements at Introduction.
18 ISO 37001 Requirements § 1.
19 ISO 37001 Requirements, Annex, § A.4.1.
20 ISO 37001 Requirements, § 4.4.
21 ISO 37001 Requirements, Introduction and § 8.7.
22 ISO 37001 Requirements § 5.2.
23 ISO 37001 Requirements § 7.3.
24 ISO 37001 Requirements § 5.1.2.
25 ISO 37001 Requirements § 5.1.1.
26 ISO 37001 Requirements, Annex, § A.10.3.
27 ISO 37001 Requirements § 8.6.
28 ISO 37001 Requirements § 8.6.
29 ISO 37001 Requirements § 188.8.131.52.
30 ISO 37001 Requirements § 8.4.
31 ISO 37001 Requirements § 8.9.
32 ISO 37001 Requirements § 7.5.1.
33 ISO 37001 Requirements § 10.2.
34 FCPA Resource Guide at 29.
35 Please contact Gregory Husisian at +1 202.945.6149 or ghusisian foley.com to receive a copy.