On November 14, 2012, the DOJ and SEC jointly published "A Resource Guide to the U.S. Foreign Corrupt Practices Act" (Guidance), their long-awaited and highly anticipated guidance on the FCPA. The Guidance did not pronounce any new defenses or radically reinterpret any of the FCPA's provisions, but it does provide useful insights into the government's enforcement considerations and should serve as a roadmap for companies to reevaluate and revise their FCPA compliance policies.

The most useful takeaway for compliance officers is "Guiding Principles of Enforcement," in Chapter 5, which discusses the factors the DOJ and SEC consider when deciding whether to open an investigation or bring charges; the emphasis that the government places on self-reporting, cooperation, and remedial efforts; and the ten "hallmarks" of effective compliance programs. Later, in the "Resolutions" chapter, the Guidance provides several anonymized examples of cases where the SEC or DOJ declined prosecution. With the lone exception of the announcement of a declination in the Morgan Stanley case, this is the first time that either agency has publicly discussed actual examples of declinations.

The Guidance also sheds light on the rationale for several of the government's statutory interpretations, including the scope of acceptable gifts, entertainment and travel; its definition of a "foreign official" and "instrumentality"; the extent of successor liability in mergers and acquisitions; and the government's jurisdiction to enforce the FCPA. The Guidance conveniently illustrates each of these topics through helpful hints, examples and hypotheticals.

The DOJ and SEC's "industry sweeps" of medical device and pharmaceutical companies, financial services firms, energy companies, freight forwarders and retail companies over the past several years, as well as the release of the Guidance itself, demonstrate that the FCPA remains a top priority for government enforcement in the United States. Even President Obama noted his administration's commitment to fighting corruption in his 2011 State of the Union:

Around the globe, we are standing with those who take responsibility – helping farmers grow more food; supporting doctors who care for the sick; and combating the corruption that can rot a society and rob people of opportunity.

The scope and meaning of many of the FCPA's provisions have been rigorously debated over the years, and although the Guidance does not end the debate – in fact, it is explicitly "non-binding" and, in some cases, adopts unsettled or untested law – it provides some clarity in several important areas, and should serve as a measuring stick for compliance officers to evaluate and update their own companies' compliance programs.

THE GUIDING PRINCIPLES OF ENFORCEMENT

Chapter 5 of the Guidance, which describes the DOJ and SEC's policies on whether and how they will commence, decline or otherwise resolve FCPA matters, contains the most relevant and practical information for compliance officers.

The DOJ is guided by the Principles of Federal Prosecution, which outlines the DOJ's policies for initiating or declining prosecution, selecting charges and plea-bargaining; the Principles of Federal Prosecution of Business Organizations, which outlines the DOJ's policies on resolving cases involving corporate wrongdoing; and the U.S. Sentencing Guidelines, which governs the sentencing of organizations and individuals. The SEC is guided by its Enforcement Manual, which outlines the guiding principles that members of the SEC staff consider when determining whether to open or close an investigation, and the Seaboard Report, which outlines the SEC's framework for evaluating cooperation by companies.

According to the Guidance, in deciding whether and how to charge and resolve potential FCPA violations, "both DOJ and SEC place a high premium on self-reporting, along with cooperation and remedial efforts." They also consider factors such as the nature and seriousness of the offense, the pervasiveness of wrongdoing within the company and, of particular relevance to compliance officers, the existence and effectiveness of a company's pre-existing compliance program. The DOJ and SEC "will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered." To assist compliance officers, the Guidance outlines ten "Hallmarks of Effective Compliance Programs," which should serve as a benchmark for all companies to follow.

The Hallmarks of Effective Compliance Programs

The Guidance encourages comprehensive, tailored compliance policies and thorough, risk-based due diligence on third parties and potential merger and acquisition targets. The Guidance describes the value of an effective compliance program and clearly states that the DOJ and SEC will consider the adequacy of a company's compliance program when deciding what, if any, enforcement action to take after an FCPA violation has occurred.

Although the Guidance acknowledges that each compliance program should be tailored to an organization's specific needs, risks and challenges, it also describes the following ten "Hallmarks of Effective Compliance Programs," which detail specific steps that companies can and should take to strengthen their compliance policies:

  1. Strong commitment from senior management and a clearly articulated policy against corruption: The board of directors and senior management must set the proper tone at the top for the rest of the company and actively encourage a "culture of compliance." For example, senior managers should not encourage profit motive over compliance. This high-level commitment should be reinforced through middle managers and employees of all levels.
  2. A current and effective code of conduct and compliance policy: When evaluating a compliance program, the DOJ and SEC "will review whether the company has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code." The government also will consider whether a company has clear, concise "policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures." Each company's specific business exposure and risk profile should determine the specific policies and procedures that are in place.
  3. Oversight by a member of senior management with sufficient autonomy and resources to be effective: The DOJ and SEC will consider whether a company "has assigned responsibility for the oversight and implementation of a company's compliance program to one or more specific senior executives within the organization." These executives must have "appropriate authority" with "direct access to the company's governing authority," "adequate autonomy from management," and "sufficient resources to ensure that the company's compliance program is implemented effectively." The amount of resources devoted to compliance should depend on the company's "size, complexity, industry, geographical reach, and risks associated with the business."
  4. Risk assessment and internal audit procedures: One-size-fits-all compliance programs are "generally ill-conceived and ineffective" because it is only possible to appropriately allocate resources and focus compliance efforts after a company has conducted a thorough risk assessment. Likewise, "the degree of appropriate due diligence is fact-specific and should vary based on industry, country, size, and nature of the transaction." The DOJ and SEC "will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area."
  5. Continuing advice and regular training for both new and current employees and third parties: The DOJ and SEC "will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners." Training should cover, for example, company policies and procedures, applicable anti-corruption laws, practical advice on how to handle common issues and hypotheticals or case studies. In addition, trainings should be tailored for the audience – sales personnel and accounting personnel should receive slightly different training, and foreign employees should be trained in their native language.
  6. Enforced disciplinary measures for employees who violate the policy and incentives for employees who follow it: Compliance programs, no matter how robust, are toothless without effective enforcement. Companies should have "appropriate and clear disciplinary procedures" that are "applied reliably and promptly" and "commensurate with the violation." In addition, good compliance behavior should be rewarded with positive incentives. See "When, Why and How Should Companies Discipline Employees for FCPA Violations?" The FCPA Report, Vol. 1, No. 8 (Sep. 19, 2012).
  7. Comprehensive, risk-based due diligence on third parties and transactions: Risk-based due diligence is critical for all third parties and should be based on the following guiding principles: (1) evaluate the "qualifications and associations" of the third party, including its "business reputation, and relationship, if any, with foreign officials"; (2) evaluate the "business rationale for including the third party in the transactions" and the specific contract and payment terms proposed by the third party; and (3) continue to monitor the third-party relationship through audit rights, periodic training and annual compliance certificates.
  8. Mechanisms for employees to confidentially report potential infractions and for an efficient, thorough internal investigation: Companies should have a mechanism in place for employees to confidentially (and anonymously, for those public companies that must comply with Sarbanes-Oxley) report any suspected or actual misconduct without fear of retaliation. Moreover, companies should have "an efficient, reliable, and properly funded process for investigating the allegation and documenting the company's response."
  9. Updating the compliance policy through periodic testing and review: Compliance programs should "constantly evolve." The DOJ and SEC will evaluate whether companies "regularly review and improve their compliance programs and not allow them to become stale," and will give "meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered."
  10. Pre-acquisition due diligence and post-acquisition integration for mergers and acquisitions: Not only should companies conduct thorough FCPA due diligence prior to a merger or acquisition, but they should also "promptly incorporate the acquired company into all of its internal controls, including its compliance program." Companies should "consider training new employees, reevaluating third parties" under their own standards, and "conducting audits on new business units." We discuss this in more detail later in the article.

Compliance officers should use the ten "Hallmarks of Effective Compliance Programs" outlined in the Guidance as a roadmap to reevaluate, refresh and revise their own compliance policies according to their company's specific, current risk profile. At the very least, it is clear that the DOJ and SEC expect companies to regularly reassess and periodically test their compliance policies to ensure that they always address the company's high-risk areas of concern. And robust compliance policies have other benefits, including helping to avoid or mitigate parent-company liability for the actions of a subsidiary or a subsidiary's employees.

As the Guidance states, "[i]n the end, if designed carefully, implemented earnestly, and enforced fairly, a company's compliance program – no matter how large or small the organization – will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately."

Third-Party Due Diligence: Common Red Flags

Another area of the Guidance that is particularly relevant for compliance officers is the section discussing how the government treats company relationships with third parties. The Guidance acknowledges that many companies doing business in foreign countries retain local consultants to help them evaluate the local market and identify local business partners. The Guidance warns, however, that companies should be vividly aware of the risks involved in engaging third parties or intermediaries because companies may be equally liable for any bribes paid by those third parties.

All compliance programs should include instructions for a thorough, risk-based due diligence inquiry into potential third parties. Such due diligence inquiries should highlight common red flags associated with third parties, including the following:

  • Excessive commissions to third-party agents or consultants;
  • Unreasonably large discounts to third-party distributors;
  • Third-party "consulting agreements" that include only vaguely described services;
  • The third-party consultant is in a different line of business than that for which it has been engaged;
  • The third party is related to or closely associated with the foreign official;
  • The third party became part of the transaction at the express request or insistence of the foreign official;
  • The third party is merely a shell company incorporated in an offshore jurisdiction; and
  • The third party requests payments to offshore bank accounts.

Ideally, all employees should be trained to be aware of these red flags, but at a minimum, those employees and managers who are responsible for directly interfacing with third parties and foreign officials must be trained to spot them. The Guidance makes clear that those who purposefully avoid actual knowledge of misconduct by ignoring red flags (the so-called "head-in-the-sand" problem) also meet the state of mind requirement under the FCPA.

Lessons to Live By: Examples of Prosecutorial Declinations

Compliance officers also should pay careful attention to the section of the Guidance that provides real-world, anonymized examples of fact patterns where the DOJ and/or SEC declined to pursue enforcement actions. Although the specific facts of each example vary, they generally follow the same course of action: (1) a strong compliance program enabled the company to catch the bad act after it happened; (2) the company immediately began a thorough internal investigation and severed ties to the corrupt third parties, contracts or employees; (3) the company engaged in remedial efforts; and (4) the company self-disclosed the violation and cooperated with the government.

The fact patterns in these examples should provide a useful point of comparison for compliance officers to evaluate any potential instances of wrongdoing within their own companies. They also should serve as a general roadmap for compliance officers to follow during the investigation and remediation process, as well as in evaluating whether and how to self-report.

THE SCOPE OF ACCEPTABLE GIFTS, ENTERTAINMENT AND TRAVEL

The FCPA prohibits the corrupt "offer, payment, promise to pay, or authorization of the payment of any money, or offer, gift, promise to give, or authorization of the giving of anything of value to" a foreign official. Gifts, entertainment and travel expenses for customers, potential customers, investors, conference guests and third-party representatives are common practices in many industries, and the Guidance provides helpful insight into exactly what actions the DOJ and SEC consider improper.

The Guidance emphasizes that it is the payor's intent – not a threshold monetary value – that is the critical factor in determining whether a gift, entertainment or travel expense for a foreign official violates the FCPA. As the Guidance states, "[t]he corrupt intent requirement protects companies that engage in the ordinary and legitimate promotion of their business while targeting conduct that seeks to improperly induce officials into misusing their positions." Consequently, "cups of coffee, taxi fare, or company promotional items of nominal value" would almost never violate the FCPA.

Moreover, the Guidance recognizes that a "small gift or token of esteem or gratitude is often an appropriate way for business people to display respect for each other," and states that items of "nominal value . . . are unlikely to improperly influence an official." Some hallmarks of appropriate gift-giving are when the gift is:

  1. Given openly and transparently;
  2. Properly recorded in the giver's books and records;
  3. Provided only to reflect esteem or gratitude; and
  4. Permitted under local law.

The Guidance recommends that companies "should have clear and easily accessible guidelines and processes in place for gift-giving by the company's directors, officers, employees and agents," including, for example, "automated gift-giving clearances processes" and "clear monetary thresholds for gifts along with annual limitations."

The Guidance also provides clear examples of what would not be appropriate, such as fur coats, sports cars and other luxury items; a trip to Paris for a government official and his wife for non-business purposes; $10,000 spent on dinners, drinks and entertainment for a government official; and a $12,000 birthday trip for a government decision-maker from Mexico that included visits to wineries and dinners.

A FACT-SPECIFIC DEFINITION OF "FOREIGN OFFICIAL" AND "INSTRUMENTALITY"

The FCPA's anti-bribery provisions apply to corrupt payments to "foreign officials," including officers or employees of a department, agency, or instrumentality of a foreign government. The Guidance states that the FCPA proscribes corrupt payments to "low-ranking employees and high-level officials alike." What constitutes an "instrumentality," however, has been an unsettled question, and consequently, companies are often uncertain as to when they might be dealing with a foreign official. It is impossible for companies to design effective compliance programs without knowing the full extent of their exposure to foreign officials, and this additional guidance from the DOJ and SEC should be useful for companies in conducting their risk assessments.

The Guidance states that the term "instrumentality" is "broad" and "requires a fact-specific analysis of an entity's ownership, control, status, and function." Citing final court-approved jury instructions in several cases, the Guidance lists several non-exclusive factors that companies should consider when evaluating the risk of FCPA violations and designing compliance programs:

  • The foreign state's extent of ownership of the entity;
  • The foreign state's degree of control over the entity (including whether key officers and directors of the entity are or are appointed by government officials);
  • The foreign state's characterization of the entity and its employees;
  • The circumstances surrounding the entity's creation;
  • The purpose of the entity's activities;
  • The entity's obligations and privileges under the foreign state's law;
  • The exclusive or controlling power vested in the entity to administer its designated functions;
  • The level of financial support by the foreign state (including subsidiaries, special tax treatment, government-mandated fees and loans);
  • The entity's provision of services to the jurisdiction's residents;
  • Whether the governmental end or purpose sought to be achieved is expressed in the policies of the foreign government; and
  • The general perception that the entity is performing official or governmental functions.

Although the Guidance states that "no one factor is dispositive or necessarily more important than another, as a practical matter, an entity is unlikely to qualify as an instrumentality if a government does not own or control a majority of its shares." The Guidance cautions, however, that "there are circumstances in which an entity would qualify as an instrumentality absent 50% or greater foreign government ownership." Although this appears to be the first time that the DOJ and SEC have publicly acknowledged an ownership threshold to determine whether an entity constitutes an "instrumentality" under the FCPA, it ultimately is still a fact-based analysis. The degree of a foreign government's actual or perceived control over a company will always supersede any ownership threshold.

M&A PRE-ACQUISITION DUE DILIGENCE AND POST-ACQUISITION INTEGRATION ARE THE KEYS TO AVOIDING SUCCESSOR LIABILITY

In order to evaluate and avoid successor liability, all companies should engage in pre-acquisition due diligence in a potential merger and acquisition (M&A) deal, and that is no different for FCPA concerns. A successor company that inherits FCPA liability faces many negative business consequences, including the following:

  • Contracts obtained through bribes may be legally unenforceable (each new transaction that stems from a contract obtained through bribery resets the statute of limitations, so contracts going back for many years could be canceled);
  • Business obtained illegally may be lost when bribe payments are stopped; and
  • The prior corrupt acts may harm the acquiring company's reputation and future business prospects.

In addition to pre-acquisition due diligence, the DOJ and SEC also encourage acquiring companies to swiftly integrate their compliance policy, internal controls, training program and code of ethics into the acquired entity.

The Guidance provides five "practical tips" for companies engaging in M&A risk-based due diligence and disclosure:

  1. Conduct thorough risk-based FCPA and anti-corruption due diligence on potential new business acquisitions;
  2. Ensure that the acquiring company's code of conduct and compliance policies and procedures regarding the FCPA and other anti-corruption laws apply as quickly as is practicable to newly acquired businesses or merged entities;
  3. Train the directors, officers and employees of newly acquired businesses or merged entities, and when appropriate, train agents and business partners on the FCPA and other relevant anti-corruption laws and the company's code of conduct and compliance policies and procedures;
  4. Conduct an FCPA-specific audit of all newly acquired or merged businesses as quickly as practicable; and
  5. Disclose any corrupt payments discovered as part of its due diligence of newly acquired entities or merged entities.

These tips are designed to maximize an acquiring company's chances of detecting any improper activity that occurred at the target company – including any systematic corruption ingrained within management – and remediating that activity in the event that the acquiring company makes a business decision to go forward with the transaction anyway.

The Guidance states that the DOJ and SEC will provide "meaningful credit" to companies who undertake these five actions in an M&A transaction and, "in appropriate circumstances, DOJ and SEC may consequently decline to bring enforcement actions" against the successor company. Nevertheless, M&A due diligence and disclosure is a fact-specific process, and self-disclosure of any improper activity should not be an automatic decision, particularly when discovered during a post-acquisition due diligence or audit process. Compliance officers should discuss any red flags with the acquiring company's general counsel and, where appropriate, with outside counsel.

THE GOVERNMENT'S JURISDICTION TO ENFORCE THE FCPA

In addition to the statutory jurisdiction that the FCPA confers on the government, the DOJ and SEC have taken the sweeping – and legally untested – position that the mere act of "placing a telephone call or sending an e-mail message, text message, or fax from, to, or through the United States involves interstate commerce – as does sending a wire transfer from or to a U.S. bank or otherwise using the U.S. banking system." The Guidance also states that any person or issuer that is not a U.S. citizen or company may be prosecuted if the person or issuer directly or indirectly engages in any act in furtherance of a violation of the FCPA while in the territory of the United States. In other words, any contact with the United States – no matter how minimal – by any person, whether a U.S. citizen or not, could invoke the FCPA's jurisdiction and result in significant consequences for the company employing that person.

CONCLUSION

The Guidance should serve as a wake-up call for companies that have permitted their compliance programs to languish or become stale. Conversely, the Guidance should provide some solace to companies that have actively invested in and regularly updated their compliance programs. Throughout the Guidance, the DOJ and SEC repeatedly emphasize that each company should tailor its compliance program and third-party due diligence to its own individual circumstances, and that all companies should continually reevaluate, test and strive to improve their compliance programs. The Guidance makes clear that if a company has invested time and thought into creating and enforcing a robust, effective and tailored compliance program, then the DOJ and SEC will give that company "meaningful credit" when making its charging decision, including the declination of prosecution altogether. Although the Guidance is non-binding and leaves many issues open to a fact-based interpretation, it provides unique insight into the government's thinking and should serve as a minimum standard upon which compliance officers can rely.

Originally published in The FCPA Report, November 28, 2012

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.