I think that a strict liability standard is coming to Foreign Corrupt Practices Act (FCPA) enforcement. A number of factors have caused me to come to this conclusion. While there may well be wide disagreement as to whether such a standard is warranted under the FCPA, I think it is coming and it is something every Chief Compliance Officer (CCO) and compliance practitioner needs to be ready to address if and when the day comes that your company is under the shadow of a FCPA investigation.
I do not think this strict liability standard is coming for criminal enforcement of the FCPA by the Department of Justice (DOJ) because there is still a requirement of intent under the Act. Intent can be inferred by conscious indifference but I still do not think that day of reckoning is near for DOJ enforcement. However I do think that a confluence of events, FCPA enforcement actions by the Securities and Exchange Commission (SEC) and statements by the SEC representatives, all point towards a new enforcement angle to the FCPA. I think that the SEC is moving towards a strict liability standard for internal controls under the FCPA. That means if your compliance internal control regime is investigated, you will have to demonstrate that it meets some minimum standard that satisfies the SEC. If not, there will be a SEC administrative complaint filed against your company, alleging failure to maintain appropriate internal controls as required by the FCPA and your company will bear the burden of proof to demonstrate that you have designed and implemented an effective system of compliance internal controls.
The FCPA says that internal controls requires issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—
(i) transactions are executed in accordance with management’s general or specific authorization;
(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;
(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and
(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.
As further explained in the FCPA Guidance, “the Act defines “reasonable assurances” as “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.” The Act does not specify a particular set of controls that companies are required to implement. Rather, the internal controls provision gives companies the flexibility to develop and maintain a system of controls that is appropriate to their particular needs and circumstances.””
My evolution of thinking on this issue began last fall with the Smith & Wesson (S&W) FCPA enforcement action. There was nothing in the reported settlement documents that tied the failure of S&W internal controls to the payment (or offer to pay) of a bribe or the obtaining of any benefit. The claims made against S&W were basically along the lines of this language laid out in the Order Instituting Cease-and-Desist Proceedings, “Despite making it a high priority to grow sales in new and high risk markets overseas, the company failed to design and implement a system of internal controls or an appropriate FCPA compliance program reasonably designed to address the increased risks of its new business model.” It should be noted that S&W did not ‘admit or deny’ any of the allegations made against it, the company simply consented to the entry of the Order.
In its Administrative Order, the SEC stated, “Smith & Wesson failed to devise and maintain sufficient internal controls with respect to its international sales operations. While the company had a basic corporate policy prohibiting the payment of bribes, it failed to implement a reasonable system of controls to effectuate that policy.” Additionally, the company did not “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accordance with management’s general or specific authorization; transactions are recorded as necessary to maintain accountability for assets, and that access to assets is permitted only in accordance with management’s general or specific authorization.”
All of this was laid out in the face of no evidence of the payment of bribes by S&W to obtain or retain business. This means it was as close to strict liability as it can be without using those words. Kara Brockmeyer, chief of the SEC Enforcement Division’s FCPA Unit, was quoted in a SEC Press Release on the matter that ““This is a wake-up call for small and medium-size businesses that want to enter into high-risk markets and expand their international sales.” When a company makes the strategic decision to sell its products overseas, it must ensure that the right internal controls are in place and operating.””
The second factor that informs my thinking on this issue is the updated COSO 2013 Framework that became effective in December 2014. Larry Rittenberg, in his book COSO Internal Control-Integrated Framework, said that the original COSO framework from 1992 has stood the test of time “because it was built as conceptual framework that could accommodate changes in (a) the environment, (b) globalization, (c) organizational relationship and dependencies, and (d) information processing and analysis.” Moreover, the updated 2013 Framework was based upon four general principles which include the following: (1) the updated Framework should be conceptual which allows for updating as internal controls (and compliance programs) evolve; (2) internal controls are a process which is designed to help businesses achieve their business goals; (3) internal controls applies to more than simply accounting controls, it applies to compliance controls and operational controls; and (4) while it all starts with Tone at the Top, compliance is the responsibility for the implementation of effective internal controls resides with everyone in the organization.”
For the compliance practitioner, this final statement is of significant importance because it directly speaks to the need for the compliance practitioner to be involved in the design and implementation of internal controls for compliance and not to simply rely upon a company’s accounting, finance or internal audit function to do so.
The updated Framework also gives a precise model for the SEC to use to inquire from companies about their compliance internal controls. How many companies could not only present evidence of implementation of compliance internal controls along the lines of the updated Framework but also evidence of their effectiveness? Unfortunately the answer is not many.
There is one other factor that informs my evolution of thinking regarding a strict liability standard under the FCPA. Under Sarbanes-Oxley (SOX), Section 404, public companies are required to report on the adequacy of the company’s internal control on financial reporting. The report must affirm the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting. The report must also contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. External auditors must also assess and make such a report. To do so, most companies, and their external auditors were using the prior COSO Framework.
Now imagine a situation where your external auditors have made their report and your company has made such report public, under its SOX 404 reporting obligation. What if the SEC took that report, reviewed it and made an initial assessment that your compliance internal controls around bribery and corruption were not sufficient, as required under the FCPA? What if the SEC sent you a letter asking for evidence of development and implementation of compliance internal controls, also asking for your audited evidence of effectiveness? What if you respond in due course and you receive another letter from SEC, which opines that your compliance internal controls are insufficient under the FCPA giving your proposed fine. You protest that there is no evidence of bribery or corruption regarding this insufficiency of your compliance internal controls. What if your company is then invited to contest this issue through the SEC Administrative process?
Does that sound far-fetched? Maybe it is but, from where I sit, that is the direction I see the issue of internal controls going in FCPA enforcement. I think a strict liability regime is coming under SEC enforcement of the FCPA. As a CCO or compliance practitioner in a public company, you need to be ready to defend your compliance internal controls.
