Gleaning Best FCPA Practices for Directors from Recent Government Actions
The Foreign Corrupt Practices Act (FCPA) prohibits bribery of foreign public officials in order to obtain or retain business. While management primarily oversees the company’s compliance with the FCPA, directors also play an important role in overseeing these risks. According to a 2012 FCPA resource guide by the Securities and Exchange Commission (SEC) and Department of Justice (DOJ), “compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” That view by the two primary enforcing bodies of the FCPA has predominated recent enforcement actions.
The government’s resource guide lists the “hallmarks” of an effective anti-corruption compliance program, and recent FCPA cases demonstrate that the government expects companies to actively adopt these hallmarks. FCPA compliance issues are so important to the DOJ that it recently retained a compliance specialist to assist in evaluating the effectiveness of companies’ programs. Below is a brief summary of the hallmarks that directors and officers should consider when building FCPA compliance programs,
- High-level commitment According to the SEC and DOJ, “compliance with the FCPA and ethical rules must start at the top.” Consistent with the agreements in recent DOJ actions, including those against Alstom S.A., IAP Worldwide Services, and Louis Berger International, directors and senior management should provide “strong, explicit, and visible support and commitment” to the company’s policy against violations of the anti-corruption laws and the company’s compliance code. In practice, that means actively reviewing the compliance program, devoting sufficient resources to the FCPA, following up on red flags, and disciplining wrongdoers for noncompliance.
- Policies and procedures The company’s policies and procedures should describe responsibilities for anti-corruption compliance; detail proper internal controls, auditing practices, and documentation policies; and set forth disciplinary procedures. In particular, the company should have a financial and accounting system, including internal controls, reasonably designed to fairly and accurately maintain the company’s books and records. Directors may satisfy their responsibilities by periodically reviewing internal controls and responding to any shortcomings, devoting sufficient resources to compliance and internal audit, and responding to compliance benchmarking against peer companies, among other options.
- Periodic risk-based review To keep pace with changes within the business, companies should review annually the foreign corruption risks they face and regularly benchmark their compliance function against industry standards, with the goal of ensuring that the compliance program is properly suited to the company’s risk. The review should be conducted with the assistance of outside counsel, as necessary. The board should request and expect a briefing on such a review from the chief compliance officer or general counsel at least annually.
- Proper oversight and independence At least one executive, often the chief compliance officer, should have the responsibility for oversight and implementation of the company’s anti-corruption program. This person should be given appropriate resources (including personnel and a travel budget) and have a direct reporting line to the company’s governing authority, usually the audit committee.
- Training and guidance In 2012, Morgan Stanley appropriately avoided an FCPA enforcement action due in large part to a robust compliance program that trained employees on FCPA issues and required annual employee certifications of compliance. Accordingly, companies should conduct periodic training of employees at home and abroad, and insist on regular certification of compliance with policies and procedures. Companies also should establish channels of communication to allow personnel to seek advice and guidance on compliance issues.
- Internal reporting and investigation The SEC and DOJ stress the importance of an anonymous hotline for employees and vendors to report suspected misconduct without fear of retaliation. The hotline should be actively monitored by appropriate compliance personnel, and suspected violations should be investigated promptly by management, and, when appropriate, by the audit committee.
- Enforcement and discipline Providing incentives for compliance and disincentives (i.e., discipline) for non-compliance with anti-corruption policies and procedures are essential components of FCPA compliance. The company’s incentives and discipline should be clearly articulated and should be applied reliably, promptly, and consistently to all company personnel. The board should have an active role in disciplining any senior managers who have violated anti-corruption policies.
- Third-party relationships According to the SEC and DOJ, third parties are commonly used to conceal bribes, so the company should conduct periodic due diligence on third-party service providers and vendors. As part of that diligence, the company should inform third parties of the company’s compliance program and require compliance. While written assurances from third parties of their compliance with the company’s FCPA policies and procedures may be useful, they are not substitutes for the company’s own periodic due diligence.
- Mergers and acquisitions Newly merged or acquired companies often pose the most FCPA risk, and acquirers are responsible for any illegal activity that occurs following the acquisition. Accordingly, the company should conduct thorough pre- and post-acquisition FCPA diligence and take prompt steps to ensure that newly-acquired entities are fully compliant on a going forward basis, including by training the new employees on FCPA compliance. Acquiring companies also should incorporate FCPA compliance into the internal audits of new companies and divisions.
- Monitoring and testing Companies should seek to improve their compliance programs by periodically testing their internal controls for potential weaknesses and risks in view of relevant developments and evolving industry standards. For example, in the DOJ’s landmark plea agreement with Alstom in December 2014, the DOJ required Alstom to conduct “appropriate reviews of its existing internal controls, policies, and procedures” and adopt or modify its controls to ensure it maintains fair and accurate books and records and a rigorous anti-corruption program.
David N. Kelley, who previously served as U.S. Attorney for the Southern District of New York, and Bradley J. Bondi, who previously served in senior positions at the SEC, are partners with Cahill Gordon & Reindel LLP. They advise financial institutions and global corporations, boards of directors, audit committees, and officers and directors of publicly-held companies in significant corporate and securities matters, including those involving the FCPA. Michael D. Wheatley, a litigation associate at Cahill, assisted with this article.