Charles Duross is the head of Morrison & Foerster’s Global Anti-Corruption Practice. He is the former head of the Department of Justice’s Foreign Corrupt Practices Act unit, where he took a leading role in developing and implementing the government’s anti-bribery enforcement strategy. Here, he discusses how tech companies can avoid violating the FCPA.
We have been hearing about more companies running into problems related to the FCPA. Is this an increasing risk?
I don’t think bribery per se is increasing, but the risk of getting caught if you’re paying bribes is. The Department of Justice has been strengthening its FCPA enforcement for years. But at the same time, many countries are now part of the OECD [Organisation for Economic Co-operation and Development] Anti-Bribery Convention, and have created their own laws that are very much like the FCPA. Forty countries have signed on, the most recent one being Russia. The OECD’s Working Group on Bribery actively monitors enforcement of these laws, and there is a great deal of cooperation among countries about corruption cases. So enforcement is increasing— and not just by the U.S. government.
What are some areas where technology companies run into trouble?
Generally, businesses understand that they’re not supposed to hand a cash bribe to a foreign official. But there are potential problems in areas that might be less obvious. One of the biggest comes from working through third parties. For example, if a company is bidding on a government project in a foreign country, it might retain a local consultant to assist, which is fine. However, if that consultant is using part of that fee to pay off a government official to obtain or retain business, that can get you in trouble. Indeed, the FCPA has a “willful blindness” provision, which means you can’t avoid criminal liability by simply remaining deliberately ignorant about what your agent is doing.
So it’s important to understand what consultants are doing on your behalf in their dealings with foreign governments.
Yes. But technology companies are also at risk from the distribution model that’s often used in the industry. Many companies sell their products to channel partners, which add some value to the product or service—such as other hardware, software, an installation, or a service plan—and then resell it at a higher price. That’s an entirely appropriate business model. But as with any third party, companies need to appreciate the potential risk if, for example, the distributor is simply reselling at a higher price without adding any legitimate value and using that profit as a slush fund to funnel bribes to government officials. It may seem to the company that it is not violating the FCPA. It has simply sold its product to another company. But if a company’s employees are aware that the distributor is paying (or just offering) bribes to government officials to help sell the product, the company and its employees could be criminally liable as conspirators and aiders and abettors.
What should tech companies be doing to avoid these issues?
One thing is to know the third parties they’re doing business with. It is also fundamental to understand the business reason for working with third parties. One of the first questions asked during a DOJ or SEC investigation will often be, “What was the business purpose behind working with X?” Having a clear answer will earn credibility with regulators and underscore the company’s commitment to compliance.
Also, making sure employees—and third parties—understand company policies, are properly trained, execute FCPA certifications, and are subject to appropriate ongoing reviews can prevent violations and mitigate (or avoid altogether) penalties if a problem does occur. That is just good business. Corruption tends to occur at companies with loose control environments. While I was at DOJ, we routinely saw loose control environments leading to embezzlement, self-dealing, fraud, and even antitrust violations. When a company doesn’t know where its money is going, that’s bad business and negatively impacts shareholder value. When companies invest in a compliance program, they are investing in the health of the business.