Will Independent Directors Be on the Hook for Failure of Internal Controls in FCPA Cases?

by Cadwalader, Wickersham & Taft LLP

The Foreign Corrupt Practices Act ("FCPA" or "the Act") prohibits bribery of foreign public officials in order to obtain or retain business. In addition to its anti-bribery provisions, the FCPA contains accounting provisions related to bookkeeping and internal controls. Among the FCPA accounting provisions, the books and records provision requires issuers to make and maintain accurate books, records and accounts, and the internal controls provision requires that issuers devise and maintain reasonable internal accounting controls aimed at preventing and detecting FCPA violations.

In recent years, the number of FCPA enforcement actions initiated by the U.S. Department of Justice ("DOJ") and the U.S. Securities and Exchange Commission ("SEC") that include an internal controls charge has increased, which may signal a shift toward a broader application of the internal controls provision of the Act. There is real concern that the DOJ and SEC may be setting the stage to charge independent directors for knowingly failing to implement and/or maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions and assets are properly authorized and recorded.

This short article highlights the recent enforcement actions that have included an internal controls charge, discusses the threat of broader internal controls prosecutions against directors, and provides some guidance for directors in light of the potential for increased prosecution of internal controls violations.

A. The Rise of the Internal Controls Charge

With respect to internal controls, the FCPA mandates that every issuer of publicly traded securities required to file periodic reports with the SEC devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that:

  1. Transactions are executed in accordance with management's general or specific authorization;
  2. Transactions are recorded as necessary to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and to maintain accountability for assets;
  3. Access to assets is permitted only in accordance with management's general or specific authorization;
  4. The recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.1

Further, according to the statute, "no person shall knowingly circumvent or knowingly fail to implement a system of internal accounting controls or knowingly falsify any book, record, or account" described above.2

Although the SEC has brought civil charges against companies and individuals for internal controls violations in FCPA matters since 1996, the DOJ first brought criminal charges against a company for an internal controls violation in 2008.3 Since 2008, the DOJ has increasingly charged internal controls violations, in conjunction with the SEC. For example, in the most recent FCPA criminal enforcement action, U.S. v. Total S.A.,4 the DOJ alleged in its criminal information that Total "knowingly circumvented and knowingly failed to implement a system of internal accounting controls sufficient to provide reasonable assurances that transactions and dispositions of Total's assets complied with applicable law." In support of this allegation, the DOJ stated that Total:

(a) failed to implement adequate anti-bribery compliance policies and procedures; (b) failed to maintain an adequate system for the selection and approval of consultants; (c) failed to conduct adequate audits of payments to purported consultants; (d) failed to establish a sufficiently empowered and competent corporate compliance office; (e) failed to take reasonable steps to ensure the company's compliance and ethics program was followed; (f) failed to evaluate regularly the effectiveness of the company's compliance and ethics program; (g) failed to provide appropriate incentives to perform in accordance with the compliance and ethics program; (h) concealed the consulting agreements' true nature and true participants; (i) performed no due diligence concerning the named or unnamed parties to these agreements; and (j) lacked controls sufficient to provide reasonable assurances that the consulting agreements complied with applicable laws.5

This list of compliance steps that Total was alleged to have failed to take provides a road map for companies looking to ensure that their compliance programs and internal controls meet the standards of the DOJ and SEC.

Another notable example of a recent internal controls enforcement action is the criminal information against Orthofix International.6 In that case, which was resolved with a deferred prosecution agreement, the DOJ charged Orthofix with violating the internal controls provision for having failed to maintain an effective anti-corruption compliance program and adequate financial controls. The DOJ's information alleged, among other things, that Orthofix had not translated its anti-corruption policy into Spanish, and that the company had not trained its employees on its anti-corruption policies.

Internal controls charges also have been brought against individuals. In general, because most of the individuals charged under the FCPA to date have been directly involved in bribe payments or payment falsification, internal controls violations are often charged in addition to other FCPA-related charges.7

In 2009, the SEC brought an enforcement action against two senior executives of Nature's Sunshine Products, Inc. for their alleged knowledge of improper payments made by their subordinates to Brazilian customs officials.8 The SEC charged the executives based on control person liability, alleging that they failed to (1) adequately supervise their personnel; (2) ensure accurate books and records were kept; and (3) ensure that proper internal controls were being maintained. In charging the executives under the control person liability theory, the SEC did not allege that the executives had personal knowledge of the payments, but instead alleged knowledge due to their supervisory position. The executives each agreed to pay $25,000 civil penalties. Prior to Nature's Sunshine Products, the government had not asserted control person liability in FCPA enforcement actions. The Nature's Sunshine Products case potentially marks the beginning of a shift toward prosecution of those responsible for overseeing and monitoring internal controls, rather than merely those who circumvent controls or commit other violations of the Act.

B. SEC and DOJ's Next Frontier of FCPA Liability: Audit Committees and Independent Directors?

Importantly, the internal controls provisions of the Act are independent of the anti-bribery provisions. Thus, because there is no requirement that a deficient control be linked to an improper payment, a payment that does not constitute a violation of the anti-bribery provisions still may lead to prosecution if it is attributable to an internal controls deficiency. In other words, an executive or director may be exposed to an internal controls charge as a result of a corporation's violation of the anti-bribery provisions, but also in the absence of any anti-bribery provision violation.

Moreover, a director may face an internal controls charge for failing to implement the controls necessary to prevent improper payments, even where the director himself or herself is not aware of the improper payment itself.

To date, neither the DOJ nor the SEC has brought charges against an independent director solely for an internal controls violation. Of course, both the DOJ and the SEC have prosecuted individuals for FCPA violations, but all such individuals allegedly have committed a substantive, direct violation of one or more of the Act's provisions. In other words, the government has yet to levy an internal controls charge against an individual who was not directly involved in malfeasance related to the FCPA's anti-bribery or accounting provisions but instead is merely aware of the lack of internal controls in the company for which he or she is an independent director.

To be held criminally liable, a person must "knowingly" circumvent or fail to implement a system of internal accounting controls.9 The government, however, has taken a broad interpretation of the knowledge requirement. For example, the government has already begun to expand liability of parent corporations for the acts of their subsidiaries, even in cases where the parent corporation has no knowledge of the subsidiaries' corrupt actions, as was made clear in a recent enforcement action against Ralph Lauren Corporation. In that case, which was resolved via non-prosecution agreements with the DOJ and SEC, there was no evidence presented that Ralph Lauren Corporation was aware of the corrupt payments made by its Argentinian subsidiary.10 The logic that links a subsidiary's actions to its parent corporation applies equally to the link between corporate executives and independent directors. If the government is willing to expand corporate liability for a subsidiary's actions, even without clear evidence of corporate knowledge of such acts, then it stands to reason that the government is willing to expand individual liability even to audit committee members and other independent directors responsible for maintaining adequate internal controls, even in cases where directors may be unaware of illegal payments.

As manifested in Nature's Sunshine Products, the government also is able to use the theory of control person liability to hold executives liable for lack of internal controls. Directors, in addition to executives, may be targets of enforcement actions because they have a duty to "attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards."11

According to Delaware case law, director liability exists if there is a "sustained or systemic failure of the board to exercise oversight - such as an utter failure to attempt to assure a reasonable information and reporting system exists."12 This means that it is the Board's duty to ensure that a compliance program is in place, and independently monitor the effectiveness of that compliance program. In fact, the DOJ and SEC guidance for FCPA compliance explicitly states that "compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company."

It would not be any stretch for the DOJ and SEC to invoke these same requirements for independent directors and audit committee members who are charged with oversight of a compliance program.

C. Guidance

In order to protect themselves from liability for internal controls violations, independent directors and members of audit committees should take the following steps:

  • actively benchmark the corporate FCPA compliance program and internal controls against the compliance programs and controls of peer corporations;
  • request an independent assessment of the company's FCPA internal controls;
  • make sure the company has a strong overall compliance strategy;
  • carefully document the sufficiency of internal controls and be mindful of audit reports;
  • follow up on any reports of misconduct and, if necessary, commence an internal investigation using counsel that is independent from management counsel;
  • ensure independent directors and committees have the resources and authority to make changes if necessary;
  • have candid conversations with external auditors regarding FCPA controls;
  • consider whether FCPA violations could occur if more robust controls were in place and whether wrongdoers are able to take purposeful steps to circumvent those controls.

The accounting provisions of the FCPA already have an expansive reach and can create pitfalls for corporations and their employees. In addition, the internal controls provision can pose a particular risk to board members, audit committee members, and other independent directors. These risks should not be taken lightly, given the recent increase in internal controls violations charges by the DOJ, and the continued use of the internal controls charge by the SEC.


1 15 U.S.C. § 78m(b)(2)(B).
2 Id. at § 78m(b)(5).
3 U.S. v. Siemens Aktiengesellschaft, No. 1:08-cr-00367-RJL (D.D.C. 2008).
4 No. 1:13-cr-239 (E.D. Va. 2013). Total entered a deferred prosecution agreement for its FCPA related charges.
5 Information, U.S. v. Total, S.A., No. 1:13-cr-239 (E.D. Va. 2013). The SEC's cease and desist order against Total included the same facts and allegations.
6 U.S. v. Orthofix Int'l, N.V., No. 4:12-cr-150 (E.D. Tex. 2012); SEC v. Orthofix Int'l, N.V., No. 4:12-cv-00419 (E.D. Tex. 2012).
7 See, e.g., U.S. v. Peterson, No. 12-cr-224 (E.D.N.Y. 2012); SEC v. Uriel Sharef et al., No. 11-cv-9073 (S.D.N.Y. 2011).
8 SEC v. Nature's Sunshine Products, Inc. et al., No. 09-0672 (D. Utah 2009).
9 15 U.S.C. § 78m(b)(5).
10 Press Release, U.S. Sec. & Exch. Comm'n, SEC Announces Non-Prosecution Agreement With Ralph Lauren Corporation Involving FCPA Misconduct (Apr. 22, 2013), available at http://www.sec.gov/news/press/2013/2013-65.htm; Press Release, U.S. Dep't of Justice, Ralph Lauren Corporation Resolves Foreign Corrupt Practices Act Investigation and Agrees to Pay $882,000 Monetary Penalty (Apr. 22, 2013), available at http://www.justice.gov/opa/pr/2013/April/13-crm-456.html.
11 In Re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. 1996).
12 Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cadwalader, Wickersham & Taft LLP | Attorney Advertising
