FCPA Enforcement As A Security Issue And Implications For The Compliance Practitioner

by Thomas Fox

One of the things that has long puzzled me is what led to the significant rise in the enforcement of the Foreign Corrupt Practices Act (FCPA) beginning in the 2003-2004 time frame? One of the more consistent theories that I have heard proffered, by Dan Chapman, Dick Cassin, Alexandra Wrage and others is that after 9/11, the Bush administration viewed corruption as a security issue. I admit that I was not totally sold on this theory until last week when, the FCPA Blog, in an article entitled “NSA spying also linked to FCPA enforcement”, reported that the National Security Agency (NSA) has engaged in economic espionage for the benefit of the United States and perhaps others. The FCPA Blog quoted a story from the American Spectator, entitled “Rise of the Surveillance State”, by James Bovard. One of the items which Bovard discussed is the program monikered ‘Echelon’, which he described as “a spy satellite system run by the National Security Agency along with the United Kingdom, Australia, New Zealand, and Canada. Echelon reportedly scans millions of phone calls, e-mail messages, and faxes each hour, searching for key words.”

Apparently this program is also used for FCPA enforcement. Bovard wrote that “A February report by the European Union alleged that Echelon has been used for economic espionage. Former CIA Director James Woolsey told a German newspaper in early March that Echelon collects “economic intelligence.” One example Woolsey gave was espionage aimed at discovering when foreign companies are paying bribes to obtain contracts that might otherwise go to American companies. Woolsey elaborated on his views in a condescending March 17 Wall Street Journal oped, justifying Echelon spying on foreign companies because some foreigners do not obey the U.S. Foreign Corrupt Practices Act. To add insult to injury, Woolsey noted there’s no reason for U.S. companies to steal backward Europe’s secrets.” Isn’t that a comforting thought when the US claims the Chinese are stealing secrets through computer hacking.

But what are the implications for the compliance professional? For a more Orwellian prediction, John Batchelor, in an article entitled “ NSA Scandals: FCPA Compliance Game Changer?”, has this chilling predeiction, “Currently it takes months or years to develop a solid FCPA case and most of those end up with fines and some type of penalty. Could that change to a new way of enforcement where the government targets a company, identifies corruption, gathers evidence, and instead of going through the motions, simply calls them to schedule a meeting, slapping a fine and a series of actionable tasks for the company in question? It’s not happening now, but that is a question.” It would seem to do away completely with the concept of due process so I would discount this scenario as unlikely.

However, Batchelor does point out that such government oversight might well occur in countries which are known or perceived to be high risk for corruption. He says, “Under the FCPA we focus on anti-bribery, however, with our current emphasis on national security, I think there is a serious question to ask for any company that operates in high CPI areas where terrorist cells or money laundering outfits to terrorist cells operate.” From this premise, Batchelor poses several topical inquiries which you should consider now. They include: “How well do you know your agents? How well do you know their relationships? How well do you know the companies they are affiliated with? Are there red-flags that low-level DPL type screenings might not uncover?”

I believe that the revelations which came out last week will make the compliance professional’s job more difficult but that difficulty may well be due to the backlash against not only the massive collections of data that the US government is obtaining through its surveillance programs but also the arrogance shown in statements like former CIA Director Woolsey, in the statement quoted in the American Spectator article. I believe that there three general areas which will negatively affect US compliance professionals.

First, is in the area of data access. Edward Luce, in a Financial Times (FT) article entitled “Obama has hurt himself and business over privacy”, said that the “US is losing credibility in its goal of trying to stop the internet from balkanizing into separate national frameworks.” While Luce discussed this in terms of the US criticism of “the great firewall of China”; a US investor might think about the Securities and Exchange Commission’s (SEC’s) struggle to get China to agree to allow auditors to provide data to the US consistent with US securities laws, or laws which the SEC enforces, such as the books and records component of the FCPA.

Second, what about data privacy? I think that the acknowledgement of the US surveillance programs will lead other countries to toughen up their data privacy requirements. This means that the compliance professional will be faced with an even more bewildering set of data privacy requirements to deal with to accurately access a company’s compliance program. For the intelligence angle, Luce quoted Ira Hunt, the CIA’s chief technology officer for the following, “Since you can’t connect the dots you don’t have…we fundamentally try and collect everything and hang on to it forever.” However, we now know that this surveillance also was used for other law enforcement issues such as enforcement of the FCPA. While foreign governments cannot legislate privacy as to the data collected by the US government, they certainly can do so vis-à-vis US companies doing business in their jurisdictions or home-domiciled foreign companies which are subject to the FCPA through a US subsidiary.

Indeed this very issue is now in the forefront of EU-US trade negotiations. In another article in the FT, entitled “Data scandal clouds trade talks”, Hannes Swoboda, leader of the socialist members of the European Parliament was quoted as saying, “With all the information that we’ve found out in the recent days about how easily the US spies on people’s private data I think it will be difficult for the Americans to oppose a strong data protection agreement.” The article notes that many of the rules proposed for EU data protection are opposed by US companies because “their business models would be damaged.”

Lastly, what about jurisdiction and the FCPA? Currently if a banking transfer goes thought the US banking system, FCPA jurisdiction attaches. While it has not yet been tested, several commentators have spoken about information which might be saved on servers based in the US. So what if information appears on Google or through a Google-search or on Facebook? Now take the next step and ask, if there is data mining, which strikes pay dirt, could that create or even portend jurisdiction?

As an American, I understand the need for enhancing security protocols after 9/11. It is an irritation, but only that, similar to taking off my shoes to go through security, all courtesy of Richard Reid, ‘the Shoe Bomber’. Further, these US government surveillance programs, which have been ongoing though both a GOP and Democratic administration, were authorized by an overwhelming majority of both houses of the US Congress and has judicial oversight. But many outside the US may not see the same needs and protections that I see in place. Luce said in his article, “Washington’s reassurances are irrelevant to the 3.4bn non-Americans who are online…But foreigners might not be comforted to learn that their privacy is protected by a secret US court, which is overseen by a select group of US lawmakers who are themselves sworn to secrecy.”

I think that the job of the compliance practitioner just got a lot tougher.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomas Fox, Compliance Evangelist | Attorney Advertising

Written by:

Thomas Fox

Compliance Evangelist on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.