Companies which have adopted anti-corruption compliance programs for the first time face a significant set of challenges relating to past conduct. The questions can be very tricky – Do you investigate past conduct for potential improper payments? Should existing third parties be subject to due diligence review or should such a review wait for renewals of existing arrangements?
The statute of limitations for FCPA criminal offenses is five years. However, if the scheme of improper payments is continuing, or continued for a period of time, the beginning of the five-year period can be delayed until the conspiracy ceases to exist. There are not many conspiracies which can meet this test. As a result, a company could face liabilities for improper payments which occurred more than five years ago.
How do companies deal with these challenges? Many companies ignore the issue and work towards future compliance. This can be the most prudent course. But this can be very risky with the increase in whistleblowers and the government’s ability to detect such conduct.
In my view, companies need to make an informed decision by conducting an informal risk assessment related to the past conduct. A subsidiary may have operated in a high risk area and may have engaged in bribery. The nature and extent of this conduct has to assessed, not through an expensive internal investigation, but through informal weighing of relevant information, interviews and risk assessments focused on the number of government interactions.
In the end, a risk decision needs to be made – in many cases, inertia leads to a decision to avoid uncovering a significant problem. The risk of detection or reporting by a whistleblower will be significant. Senior management, in consultation with the Audit or Compliance Committee, needs to address the issue and recommend a decision for the company to take.
Third party due diligence is another matter all together. Existing third parties may have to go through the due diligence process on an immediate timeline. The proper approach depends on the number of third parties, the time needed to investigate and conduct a due diligence review, and the number of “risky” third parties.
As a first step, it is important to prioritize due diligence reviews of existing third parties based on risk. For example, existing third parties which have no written contract and operate in high risk countries need to be reviewed quickly and terminated if they cannot survive such a review. A priority list for due diligence reviews should be created and when time allows they should be reviewed under the new due diligence program.
Depending on the number of existing third parties, it is impossible to conduct a retrospective due diligence review within a short period of time. Whatever strategy is implemented, it needs to be consistent and it needs to be crafted based on risk.
For most existing third party agents and distributors, a due diligence review may occur at the time of the renewal or a change in the nature of the contractual relationship. A due diligence review, however, of an existing third party is informed by a track record. A company can use this track record to inform the due diligence process and impose anti-corruption requirements on the third party including training, audits and contractual provisions. Assuming there is a level of trust, companies can often impose these requirements with little pushback.
It is important to focus on forward-looking anti-corruption practices. That does not mean you should ignore the past – it can come back to bite you.