On November 14, 2012, the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) issued their long-anticipated Resource Guide regarding the agencies’ enforcement of the Foreign Corrupt Practices Act (FCPA). The 120-page Guide addresses, among other things, (1) the definition of a foreign official, (2) gifts and entertainment, and (3) the “hallmarks” of an effective corporate compliance program. While the Guide does not represent a significant departure from the agencies’ prior positions, it offers several important clarifications and hypothetical case studies that corporate counsel should carefully review.
Emphasizing Importance of Effective Compliance Programs
The Guide highlights the importance of effective anti-corruption compliance programs and identifies the basic elements that DOJ and SEC consider when evaluating such programs. The Guide notes that DOJ and SEC understand that “no compliance program can ever prevent all criminal activity by a corporation’s employees,” and that they do not hold companies to a standard of perfection. The Guide reiterates the agencies’ prior claims that companies will receive meaningful credit if they implement in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low-risk area because greater attention and resources had been devoted to a higher-risk area. For example, the adequacy of the program may influence whether or not charges should be resolved through a deferred prosecution agreement (DPA) or non-prosecution agreement (NPA), as well as the length of any DPA or NPA, the term of corporate probation, the penalty amount or the need for a monitor versus self-reporting. Conversely, the Guide warns that a company that fails to prevent an FCPA violation on an economically significant, high-risk transaction because it neglected to perform due diligence at a level commensurate with the size and risk of the transaction is likely to receive reduced credit based on the quality and effectiveness of its compliance program.
Although DOJ and SEC have no formulaic requirements regarding compliance programs, the Guide identifies the following “hallmarks” of an effective compliance program.
Commitment From Senior Management and a Clearly Articulated Policy Against Corruption. Senior management should clearly articulate company standards, communicate them in unambiguous terms, adhere to them scrupulously and disseminate them throughout the organization. Such high-level commitment should be reinforced and implemented by middle managers and employees at all levels.
Code of Conduct and Compliance Policies and Procedures. A code of conduct that is clear, concise and accessible (in local languages) is a prerequisite for an effective compliance program.
Beyond a code of conduct, the compliance policies and procedures that a business needs will vary based on the size and nature of the business and the risks associated with the business. Among the risks that a company may need to address are the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel and entertainment expenses; charitable and political donations; and facilitating and expediting payments.
Large, global companies may consider using web-based approval processes to review and approve routine gifts, travel and entertainment involving foreign officials and private customers with clear monetary limits and annual limitations. A system should have built-in flexibility so that senior management, or in-house legal counsel, can be apprised of and, in appropriate circumstances, approve unique requests. These types of systems can be a good way to conserve corporate resources while at the same time, if properly implemented, preventing and detecting potential FCPA violations.
Oversight, Autonomy and Resources. A company should assign responsibility for the oversight and implementation of the company’s compliance program to one or more specific senior executives who have appropriate authority within the organization, adequate autonomy from management and sufficient resources to ensure that the company’s compliance program is implemented effectively. “Adequate autonomy” generally includes direct access to an organization’s board of directors.
Risk Assessment. One-size-fits-all compliance programs are generally ill-conceived and ineffective because resources inevitably are spread too thin, with too much focus on low-risk markets and transactions to the detriment of high-risk areas. The Guide cautions that “[d]evoting a disproportionate amount of time policing modest entertainment and gift-giving instead of focusing on large government bids, questionable payments to third-party consultants, or excessive discounts to resellers and distributors may indicate that a company’s compliance program is ineffective.”
Training and Continuing Advice. Relevant policies and procedures should be communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.
Incentives and Disciplinary Measures. A compliance program should apply from the board room to the supply room—no one should be beyond its reach. A company should have appropriate and clear disciplinary procedures and should apply those procedures reliably and promptly. Publicizing disciplinary actions internally can have an important deterrent effect, while positive incentives can also drive compliant behavior.
Third-Party Due Diligence. Although the degree of appropriate due diligence will vary based on industry, country, size and nature of the transaction, and historical relationship with the third party, three guiding principles always apply.
First, as part of risk-based due diligence, a company should understand the qualifications and associations of its third-party partners, including each third-party partner’s business reputation and relationship, if any, with foreign officials. The degree of scrutiny should increase as red flags surface.
Second, a company should have an understanding of the business rationale for including the third party in the transaction and ensure that the contract terms specifically describe the services to be performed.
Third, a company should undertake some form of ongoing monitoring of third-party relationships. Depending on the circumstances, this may include updating due diligence periodically, exercising audit rights, providing periodic training and requesting annual compliance certifications by the third party.
Confidential Reporting and Internal Investigation. An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct on a confidential basis without fear of retaliation. A company should also have in place an efficient, reliable and properly funded process for investigating any allegation made and documenting the company’s response, including any disciplinary or remediation measures taken.
Continuous Improvement: Periodic Testing and Review. A good compliance program should constantly evolve. A company should regularly review and improve its compliance program and not allow the program to become stale. A company should also review and test its controls and think critically about its potential weaknesses and risk areas.
Because each compliance program should be tailored to an organization’s specific needs, risks and challenges, these “hallmarks” should not be considered a substitute for a company’s own assessment of the corporate compliance program that is most appropriate for that particular business organization. But, as the Guide instructs, “if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.”
Clarifying Who Is a “Foreign Official”
The Guide provides a non-exhaustive list of factors considered by DOJ and the SEC in determining whether a government “instrumentality” constitutes a foreign official under the FCPA. The list, which echoes the agencies’ prior opinions, includes such factors as the foreign government’s degree of control over the entity, the circumstances surrounding the entity’s creation and the purpose of the entity’s activities. The Guide adds that while no one factor is dispositive, an entity is unlikely to qualify as an instrumentality if a foreign government does not own or control a majority of its shares, unless other indicia of substantial control are present. This clarification is significant, as it marks the first time DOJ or SEC has provided an ownership threshold to assist corporate counsel in assessing an instrumentality’s status. The indicia of substantial control have been broadly construed by the agencies in the past, however, so companies should refrain from overreliance on the ownership threshold introduced by the Guide.
Focusing on Intent of Gifts, Travel and Entertainment
The Guide also provides helpful clarifications regarding gifts, travel, entertainment and other things of value for foreign officials. To violate the FCPA, such things of value must be given with corrupt intent—that is, the intent to improperly influence the government official. The Guide thus instructs that DOJ and SEC are unlikely to investigate the provision of taxi fare, cups of coffee or company promotional items of nominal value. In fact, neither agency has ever pursued an investigation based solely on such conduct in the past.
Many have criticized the Guide, however, for failing to address what constitutes a “reasonable” meal or entertainment expense under the law. While DOJ and SEC have made clear that $10,000 meals or entertainment expenses are unreasonable, they have not provided guidance for situations closer to the line that are more likely to vex corporate counsel.
Encouraging M&A Due Diligence
DOJ and SEC may also decline to pursue an enforcement action when a company has taken steps toward FCPA compliance, including in the context of mergers and acquisitions. The Guide encourages a company engaging in such corporate restructuring to conduct thorough FCPA and anti-corruption due diligence, conduct FCPA-specific audits of a newly acquired or merged business and implement FCPA-specific code of conduct and compliance training programs as quickly as practicable.
Reaffirming Value of Self-Reporting, Cooperation and Remedial Efforts
The Guide reaffirms what has long been conventional wisdom, namely that both DOJ and SEC place a high premium on self-reporting, along with cooperation and remedial efforts, in determining the appropriate resolution of FCPA matters.
In addition to considering whether a company has self-reported, cooperated and taken appropriate remedial actions, DOJ and SEC also consider the adequacy of a company’s compliance program when deciding what, if any, action to take. The program may influence decisions made regarding whether or not charges should be resolved through a DPA or NPA (as well as the appropriate length of any DPA or NPA), the term of corporate probation or the penalty amount.
The Guide collects DOJ’s and SEC’s prior opinions and releases and provides helpful clarifications and hypothetical case studies for corporate counsel. The Guide, however, is just that—a guide—and is not binding on courts or even the agencies themselves. Corporate counsel should be cognizant that the guidance included in the Guide may change, perhaps even dramatically, as occurred earlier this year with the appointment of a new Serious Fraud Office (SFO) chief in the United Kingdom. In statements from earlier this week, SFO Director David Green predicted an increase in UK Bribery Act prosecutions, despite earlier SFO guidance that certain technical infringements of the Act would not be pursued. Nevertheless, the Guide provides a valuable tool for corporate counsel to check its compliance activities against the current expectations of DOJ and SEC.