Companies discover FCPA violations all the time – most are small and few are big. Most companies learn of these violations when implementing or upgrading their compliance program.
Typically, FCPA violations are discovered in the aftermath of an acquisition (months or even years after the acquisition), or in a company’s failure to implement adequate controls and supervision of their third parties and/or distributors.
When discovered, companies have to do something. The question is what should a company do. The answer – it depends. Here are the five critical questions which need to be addressed:
1. Has the conduct stopped?
This is the first and most important question. It is critical that the company put a stop to the conduct. The failure to do so can reflect either the lack of commitment by the company to compliance, and/or the inability of the company to exercise adequate control of its employees. Either way prosecutors will seize on such evidence and demand major changes to the company’s compliance program.
The government has cited companies for failing to cease immediately conduct which violates the law. In one case, a company was unable to stop improper payments by a subsidiary months after the violations were initially discovered.
2. What was the nature and extent of the violation (s)?
Once the conduct has been stopped, the company needs to learn as quickly as possible the nature and extent of the violation(s). While there may be a rush to identify and define the problem, the company has to be careful to avoid issues and conduct which need to be examined. A quick and accurate assessment has to be made, but flexibility has to be preserved to respond to additional facts.
If the problem involves a failure to control third party agents in high-risk countries for years, a company should define a broad inquiry into the third party relationships in that country. On the other hand, if the company suspects that improper payments were made through gifts and entertainment expenditures to a single entity (e.g. a sovereign wealth fund representative), the initial inquiry may be more limited in scope.
Whatever the initial assessment, the company should gather as much information as quickly as possible. A small assessment team should review the information, conduct initial interviews and analyze the potential problem and exposure.
3. How quickly can the problem be remedied?
If the company has an accurate initial assessment of a violation (e.g. a rogue or small number of employees), the company has to determine how to remedy the problem and how long it will take to implement.
For example, assume that two sales staff are found to have taken petty cash on a regular basis to fund bribes to officials in a country. The remedy will focus on that those two employees, the specific office and country. It will require additional financial controls, supervision and monitoring of the office (of course, the two employees should be fired). That should not take long to implement.
Why is this question relevant? The longer the remediation, the greater the likelihood that such an event may be “material” and require public disclosure (if a publicly-traded company), and the greater the risk of detection by the government from whistleblowers or competitors.
4. What is the risk that the conduct occurred in other areas of operation?
A question which is closely related to number 3 above is the risk that the conduct occurred in other parts of the company. Once a problem is identified and defined, it is important to ask if the conduct is likely to have occurred in other areas. This inquiry does not require a complete audit of the company but it does require a targeted assessment in like areas of the company to determine if the conduct occurred in another area.
5. What is the risk that the violation(s) will be detected by the government?
Questions 1 through 4 are designed to help answer a critical question – is the government likely to learn of the conduct? Even if the company identifies the problem, and remedies the problem, the company may be at risk if the government learns of the violation from competitors, a whistleblower or a “disgruntled” employee. All of these issues have to be considered in determining whether the company sit hould make a voluntary disclosure.
For example, if the problem is pervasive throughout the company, will take a long time to remedy, is well known within the company, and is likely to be learned by the government, the company should make a voluntary disclosure in order to gain control over the issue, buy time to fix and confirm the full nature of the problem and earn as large a reduction in punishment as possible.
On the other hand, if the problem is contained to a small number of employees in a single office of the company, is quickly remedied, and is unlikely to be learned by the government, a company should respond to the problem, fix it and make sure it does not happen again. In this situation, a company is likely to have any disclosure obligations – either legal under any securities laws, or strategically to the Justice Department and/or SEC.