Attorneys who serve individuals or companies with international operations should be aware of the recent focus by the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) on violations of the Foreign Corrupt Practices Act (FCPA). Authors Jennifer Johnston and Jeffrey Garfield discuss how to assess whether FCPA exposure exists and offer practical advice to mitigate the risk of loss.

The number of FCPA-related enforcement actions by the U.S. DOJ and the SEC jumped from two in 2003 to 38 in 2007.[1] The past three years have seen the most enforcement actions in the history of the 31-year-old statute, with fines and penalties in excess of $100 million.[2] All indicators from the DOJ, the SEC, and the newly formed FCPA unit of the Federal Bureau of Investigation point toward a continued emphasis on FCPA compliance.

Proactive Compliance Rewarded: A Recent Example

During a management meeting in October 2004, the newly appointed chief executive officer of Bristow Group heard a statement suggesting the possibility of inappropriate payments made to Nigerian government officials in an effort to obtain more lenient tax treatment. Without delay, the CEO alerted the company's audit committee of the potential FCPA violations and contacted outside general counsel. Armed with this knowledge, the audit committee engaged independent counsel to conduct an internal investigation, which resulted in the identification and prompt reporting to the SEC of approximately $423,000 in improper payments to government officials in Nigeria.

The moral of the story? Because of the swift and proactive measures undertaken, Bristow quickly entered into a settlement with the SEC that resulted in no fines for or further prosecution of the matter, only a cease-and-desist order forbidding Bristow from committing or causing any future FCPA violations.

The stakes are high when it comes to potential FCPA violations, and much can be learned from how Bristow proceeded in identifying and self-reporting its violations.[3] Understanding exposure to FCPA violations, proactively investigating suspected noncompliant activity, and self-reporting appear to go a long way toward mitigating the risk of loss and prosecution by the SEC and DOJ.

Is Your Company At Risk?

The following table poses several questions to determine if your company is at risk of FCPA violations.

Exposure Question

If Your Answer Is ... You Might Be Exposed

Is your company considered an issuer[4] or domestic concern[5] under the FCPA and conducting business internationally?


Are there any suspicions of FCPA violations within the company? It is extremely important that management not bury its head in the sand. It has been shown repeatedly that pleading ignorance is not a valid defense and will lead to costly resolution of any issues identified by the regulators.


Does your company have an anti-corruption policy that specifically addresses FCPA concerns with business conducted internationally?


Are procedures in place for periodic monitoring of compliance with the FCPA policies?


Have employees who are directly or indirectly responsible for international operations been trained on FCPA issues?


Are bribes historically and culturally acceptable in the countries where your company does business?


Does your company use third-party agents, consultants, intermediaries, or distributors when performing business overseas?


Does your company have a robust due diligence process to scrutinize properly the appropriateness of entities and individuals involved in securing or retaining international contracts on your behalf?


Are contracts to provide goods or services for foreign governments a source of revenue for your company?


Do employees come into contact with foreign officials (for example, customs agents, government employees, and local political officials) when conducting business internationally?


Is your company doing business in a high-risk FCPA industry such as aerospace and defense, telecommunications, oil and gas, pharmaceuticals, or manufacturing?


Is your company doing business in high-risk countries, such as China, Russia, India, Nigeria, Afghanistan, Venezuela, or the United Arab Emirates?


Responding To Potential Exposure

If you determine your company might carry FCPA exposure risk that needs to be addressed, follow these steps to mitigate the risk and avoid increased repercussions.

  1. Establish An FCPA Compliance Task Force

    Accountability is important as companies move forward with assessing FCPA risk. A cross section of key managers should be assembled to monitor the assessment process and ensure various objectives are met. In addition, a communication protocol should be established to ensure relevant findings are discussed on a timely basis with other key members of management and attorneys, as applicable.

  2. Identify Existing FCPA Compliance Policies And Monitoring Procedures

    Take inventory of where the company is in terms of formalized FCPA policies and procedures, and let this help guide the next steps. If well-controlled and/or well-monitored areas of risk exist, leverage the knowledge about those areas in determining where to focus your efforts.

  3. Focus Your Efforts: Identify Areas Of High Risk For FCPA Violations

    To avoid wasting time, energy, and financial resources, take a close look at the company's international operations and determine the areas at greatest risk for FCPA violations. Certainly, if a company suspects FCPA violations have occurred, it should address these exposures first. Otherwise, the company should conduct an assessment of all types of transactions and/or business operations occurring internationally, the business culture of each country in which these international activities occur, and the integrity and reputation of third parties engaged on behalf of the company.

    As with other risk identification techniques, we have found that no one understands the intricacies of a company's operations better than its own management. Thus, to better tailor the assessment of FCPA risks, a task force of several members of management should be formed to brainstorm on where and how FCPA violations might occur within the company. The assessment should include thoughtful consideration of the question, "If there were FCPA violations within my company, where and how would they occur?"

    When assessing the FCPA risk at your company, consider:

    • The reputation of the foreign country for corruption;
    • The competence of each third party working on behalf of the company (for example, are you paying them to provide information technology services when they are normally a transportation logistics company?);
    • Any relationships between third parties and foreign government officials;
    • The reasonableness of compensation and commission payments to third parties (in other words, are payments to third parties substantially higher than market expectations?); and
    • Whether compliance issues have been reported at a location under assessment.

    Another common technique for gathering this information is to survey personnel who have intimate knowledge of the business operations in question. The survey takers should be familiar with the objectives of the FCPA survey. The survey audience can include business unit leaders, members of management, sales personnel, and accounting personnel, among others. It is important to collect a cross section of responses to get a full picture of what people know and what is occurring.

  4. Perform A Thorough And Complete Investigation

    Upon completion of your FCPA risk assessment, conduct a thorough investigation of any suspected violations and high-risk areas of concern.

    Prepare a preliminary investigative work plan to ensure objectives are established that address the important information accumulated during the FCPA risk-assessment phase. It is critical that the investigation team remain sufficiently flexible to change preplanned investigative steps to efficiently and effectively respond to new information that arises. It is difficult to predict at the outset where the evidence will lead.

    The thoroughness, completeness, and independence of the investigation are factors considered by the FCPA regulators, namely the SEC and the DOJ, in determining what the repercussions might be for FCPA violations. If the procedures are not deemed adequate, the SEC and the DOJ can and will require companies to do more investigative work. Notably, the regulators have rewarded companies with more favorable settlement agreements if the investigations are made through outside counsel.

    To mitigate the risk of loss, which can include protracted investigative procedures under the oversight of the SEC and DOJ, companies that have identified FCPA violations must demonstrate that their investigation procedures have been thorough, the procedures produced unbiased results, the results provide a complete picture of the violations, and effective remediation activities occurred.

    The following steps are effective in demonstrating that a thorough and complete investigation was performed:

    • Conduct background and preliminary fact-finding research to obtain a clear understanding of the personnel structure, FCPA policies and procedures, and strategic objectives of the organization.
    • Identify and interview key personnel and third-party individuals, if applicable, to obtain an understanding of the operating and accounting practices, organizational relationships, and pertinent information related to the current FCPA matters at hand.
    • Compile relevant hard copy and electronic documentation related to the activities and transactions in question for further examination.
    • Examine and analyze the collected supporting documentation to identify and document any FCPA violations. Remember, there is no materiality threshold with regard to FCPA violations, so suspected violations in any amount should be investigated.
    • Identify and remediate any potential weaknesses/breakdowns in the internal control environment.

    Documentation of your procedures and findings is essential. Regulators want to see what was done, from the risk-assessment phase through the end of the investigation. In addition, documenting the company's response to violations – remediation activities and newly established internal controls and monitoring procedures – will go a long way toward making regulators comfortable that your company has adequately addressed the FCPA issues.

  5. Self-Report FCPA Violations

    While voluntary disclosure to the SEC and the DOJ does not guarantee immense leniency, it appears to help, particularly if done in a timely manner. In several cases, the SEC and the DOJ have favorably considered the self-reporting of FCPA violations, a commitment to cooperate, and the implementation of proactive measures to prevent future violations in determining settlements.

    As part of this process, it is prudent to engage a reputable legal counsel, familiar with the FCPA issues, to review and advise on any potential violations resulting from the information acquired during the risk-assessment and investigation processes. To the extent violations are identified, counsel's involvement in self-reporting will become critical to mitigating further risk of loss.

Looking Ahead

Recent high-profile SEC and DOJ enforcements against companies such as Siemens, Alcatel-Lucent, and Johnson & Johnson have brought the FCPA into the public spotlight. While most of the attention has been given to Fortune 500 companies, both middle-market and private companies must also be prepared for heightened scrutiny. As exposure to FCPA risk might be unavoidable to a certain extent in this global economy, understanding and proactively following the FCPA risk-assessment and investigation procedures described above are likely to produce the most advantageous outcome.


1. "2007 – A 'Landmark Year' in FCPA Enforcement," Jan. 4, 2008.

2. Johnson, Carrie, "U.S. Targets Bribery Overseas," Washington Post, Dec. 5, 2007.

3. "Order Instituting Cease-and-Desist Proceedings, Making Findings, and Imposing a Cease-and-Desist Order Pursuant to Section 21C of the Securities Exchange Act of 1934," Release No. 56533, Sept. 26, 2007.

4. An issuer is a corporation that has issued securities that have been registered in the United States or that is required to file periodic reports with the SEC.

5. A domestic concern is any individual who is a citizen, national, or resident of the United States, or any corporation, partnership, association, joint-stock company, business trust, unincorporated organization, or sole proprietorship that has its principal place of business in the United States, or that is organized under the laws of a state of the United States, or a territory, possession, or commonwealth of the United States.
