The Foreign Corrupt Practices Act and Corporate Compliance Best Practices: Frequently Asked Questions Primer

Transcription

1 ATTORNEYS AT LAW The Foreign Corrupt Practices Act and Corporate Compliance Best Practices: Frequently Asked Questions Primer Our company has an anti-bribery policy and some associated procedures. What else should we have? What do DOJ and SEC expect? Can we satisfy enforcement standards, yet run a viable business? This primer of Frequently Asked Questions regarding compliance with the Foreign Corrupt Practices Act is informed by the experience of our White Collar practice group in conducting FCPA internal investigations, defending and resolving FCPA matters with U.S. federal law enforcement agencies, and providing guidance to companies with respect to a broad range of FCPA compliance questions and issues. 1 Throughout the FAQs detailed below, which address both the anti-bribery and the books and records and internal controls provisions, we emphasize a practical approach. The key to a successful program is to understand the corruption risks that your company faces based on its business profile, on the one hand, and the expectations of enforcement authorities and more generally the standards for best practices developed by the compliance, legal and business communities on the other. Then, of course, the program has to be practical in terms of mitigating risk while appropriately allocating resources and setting priorities that are tailored to your company. In this primer, we set forth our perspective to the following FAQs: 1. What subject areas must anticorruption compliance policies and procedures address? 2. How much and what kind of training must a company provide to satisfy the DOJ/SEC standards? 3. What should an American company do to prevent misconduct by a non-u.s. subsidiary? 4. What measures should be taken to prevent third party misconduct? 5. Can travel, entertainment, gifts, or product discounts be provided to non-u.s. government officials? 6. Should a company s anticorruption compliance policy prohibit facilitation payments? 7. What is a company expected to do with respect to investigating potential corrupt payments? 8. What do the DOJ/SEC expect a company to do to assess its FCPA compliance risk? 9. Does an SEC-registered company have to take additional anticorruption compliance measures beyond those taken by non-registered companies? 10. Should a company s compliance program take into account non-u.s. anticorruption laws? 1 More detailed discussion of FCPA enforcement trends and compliance can be found in our Annual Guide, at Towers Crescent Drive, Suite 900 Tysons Corner, Virginia Tel: Fax: Smith Pachter McWhorter PLC. This publication is not intended to provide legal advice. Smith Transmission Pachter is McWhorter not intended to FCPA create FAQs and receipt Primer does 1not establish an attorney-client relationship.

2 1. What subject areas must anticorruption compliance policies and procedures address? As a general matter, a company s policies and procedures should address classic areas of FCPA risk as well as any risks that are particular to the company s business profile. Classic risk areas include: Third party due diligence, compliance requirements, and monitoring Gifts, meals, and entertainment Customer travel Employee expense reimbursements Use of cash (e.g., petty cash, or other cash needed for overseas payments) Political contributions and charitable donations and sponsorships Facilitation payments Solicitation of payments, and extortion Mergers and acquisition: anticorruption due diligence and post-m&a compliance program integration Risks that may be specific to a company s business profile can include, among others: Non-U.S. government sales and bidding Interaction with non-u.s. government regulators, e.g., customs, visa agencies, labor authorities, tax authorities, licensing authorities, particularly if through third party partners Non-U.S. sponsors required to conduct business in certain countries Local requirements to partner with local companies or to use local companies as suppliers or service providers Doing business in countries with a high degree of state involvement in the economy/stateowned or controlled enterprises A company s policies and procedures also need to address certain compliance program processes: Training and certification Compliance guidance resources Internal reporting mechanisms, including a hotline where reports can be made anonymously, and non-retaliation Ethics and compliance internal investigations Employee discipline for violations Corruption risk assessments Monitoring and updating of the anticorruption compliance program, including by making use of data and metrics regarding the functioning of the program and through control testing. It is also helpful to review the recent Guidance issued by the Department of Justice regarding how they evaluate corporate compliance programs, which is available in full at criminal-fraud/page/file/937501/download. 2 Smith Pachter McWhorter FCPA FAQs Primer

3 SMITH PACHTER McWHORTER PLC 2. How much and what kind of training must a company provide to satisfy the DOJ/SEC standards? The U.S. Department of Justice (DOJ) and Securities Exchange Commission (SEC) expect that training be risk-based. This means that anticorruption compliance training should be provided to all personnel who could confront corruption in performing their job duties, based on their function within the organization and/or location of work, and all personnel with managerial or supervisory responsibility over others in that position, to be trained as to the company s anticorruption policies, procedures and program. It is furthermore expected that employees in positions of leadership or trust will receive more in-depth and/or more frequent training. Such positions include senior executives and managers, personnel who occupy watchdog or gatekeeper functions (legal, compliance, finance, procurement, human resources), and personnel whose positions require them to handle transactions or situations that could put the company at risk (e.g., employees who manage non-u.s. government bids or interaction with non-u.s. government regulators, or who supervise third parties who perform such functions for the company). There are no specific rules regarding the specific training methodology including, for example, whether it is web-based or in-person or frequency that is required. The right answer for any given company as to any given portion of its workforce will vary based on the degree of risk, practicality, and resource commitment. Moreover, when a problem has occurred, it is unfortunately all too easy for enforcement authorities to criticize in retrospect the company s training program. Nor are the enforcement agencies typically sympathetic to arguments that it would have cost more than the company wanted to spend to do things differently. The best way to develop an effective, and defensible, training program is to be able to demonstrate that, whatever the particularities of the company s training program, that program is reasonably designed and effectively implemented given the three factors just mentioned: risk, practicality, and resources required. This includes using a format that is effective and clear, taking into account language issues, providing additional resources to employees who have questions, incorporating lessons learned from the company s experiences, and monitoring the effectiveness of the training program. Training of third party service providers, suppliers, subcontractors, business partners, and representatives or agents, raises its own set of questions and is more complex to administer. Here, though, again, the three factors come into play: risk, practicality, and resource commitment. For all third parties, the practicality factor has to take into account the fact that a company does not control a third party in the way that it controls employees. This means for example that a company cannot reasonably be expected to train all third parties on the company s anticorruption compliance program in the way that, generally speaking, a company will be expected to provide at least some level of training to all or most employees (exceptions when it comes to employees might be, for example, a blue-collar workforce with no possibility of triggering or observing FCPA issues based on their job function). Third parties, however, with significant responsibility for interacting with government authorities on the company s behalf, and who operate in high-risk environments, must receive strong training at the inception of the business relationships, and periodic refreshers if the relationship continues over time. The only exception to such third party training requirements may be where the third party is itself a demonstrably sophisticated and compliant organization with its own rigorous anticorruption policies, procedures, and training. Regarding third parties who pose less risk, whether specific training and if so what kind of training should be provided will depend on the circumstances. Finally, the DOJ and SEC expect that training will be documented and verified, including through a certification process. Smith Pachter McWhorter FCPA FAQs Primer 3

4 3. What should an American company do to prevent misconduct by a non-u.s. subsidiary? From a compliance program perspective, American companies must treat wholly-owned and majority-owned or controlled subsidiaries as entirely their own. U.S. enforcement authorities will view the American parent company as responsible, full stop, for conduct by such subsidiaries. Occasionally there might be technical arguments about U.S. jurisdiction that could lead to a viable defense in litigation against an enforcement action involving a non-u.s. subsidiary. But a compliance program cannot be structured around the hypothetical, and typically remote, possibility of such a defense in the event of a problem in the future. Thus, the company s anticorruption compliance program should be implemented at such subsidiaries, subject to any tailoring or modification reasonably needed to address local risks and local laws. With respect to minority-owned subsidiaries, American companies will be expected to take all measures that are reasonable and practical under the circumstances to ensure a robust anticorruption compliance program is in place. What that looks like will depend on the degree and nature of the American company s influence over the operations. But it should also be remembered that if an American company staffs the minority-owned subsidiary with its own personnel, for example as secondees, then misconduct by such personnel should be presumed to be directly attributable to the American company and to trigger corporate liability. Thus, particular care must be taken to ensure that such personnel are well-trained in the American company s anticorruption policies and practices, and that such personnel flag any potential misconduct that they observe at the minority-owned subsidiary. 4. What measures should be taken to prevent third party misconduct? Third party intermediaries, service providers, suppliers, subcontractors, distributors, and partners (e.g., JV partners) pose one of the most important risk areas for a company to focus on in its anticorruption compliance program. Quite simply, third parties have historically been used to cover up corruption schemes, because that is generally the easiest way to avoid detection within the company itself. In addition, no matter how close the relationship, third parties and their expenditures, communications, and actions are inherently subject to fewer controls and less oversight than company employees. All of this means that a company that works with third parties to conduct business abroad must take a hard look at which third parties pose a risk of getting the company into trouble based on the scope of the engagement, the location of the work, the size and sophistication of the third party from a compliance point of view, and the nature and significance of the government interaction that could occur on behalf of the company, for example, is the government a client? A regulator? Are the transactions at issue high value? Etc. Then the company must develop appropriate due diligence/vetting procedures, compliance requirements, training and monitoring for those third parties that pose risk. In order for such measures to be practical and capable of effective implementation and maintenance, a company needs to have a workable process for categorizing third parties by risk (typically, companies develop a process for categorizing them as low, medium and high risk), and a clear, standardized process for conducting due diligence, imposing contractual requirements related to ethics and compliance that both require and incentivize compliance (and provide remedies for non- 4 Smith Pachter McWhorter FCPA FAQs Primer

5 SMITH PACHTER McWHORTER PLC compliance), and monitoring or auditing company payments to third parties and the activities conducted by those third parties. These processes need to be integrated into relevant procurement, vendor management and/or other partnering processes. A company must also have a mechanism for going beyond its standard approach to respond to warning signs that might be particular to a given third party or set of circumstances. All of this can require significant planning, care and, even more importantly, expenditure of company resources. Fortunately, there are many valuable lessons to be drawn from the enforcement cases and, in addition, for experienced practitioners, from our work over many years on any number of FCPA cases involving all types of third parties and associated compliance risks or problems. Tailoring a company s anticorruption compliance program to adequately address third-party risks in a way that is practical and sensitive to resource constraints, can be done effectively by bringing these lessons learned and experience to bear. 5. Can travel, entertainment, gifts, or product discounts be provided to non-u.s. government officials? These items can be provided to non-u.s. government officials under some circumstances. First, the FCPA provides an affirmative defense for providing such items where they constitute reasonable (in terms of the value and type of item) expenses to support the promotion, demonstration or explanation of a company s products or services, or in support of the performance of a contract. As an affirmative defense, this means that the burden will be on the company to show that the expenditure meets these requirements. There are quite a few published examples of permissible scenarios provided via the DOJ s published Opinion Releases, as well as in the DOJ/SEC Guide to the Foreign Corrupt Practices Act. Examples that we have dealt with in practicing in this area are many and varied, and have included, among other situations, product discounts, gifts of product samples, business dinners with individual officials or larger dinner events for groups of officials, travel to company facilities for training accompanied by modest entertainment as a professional courtesy, and business-class air travel where appropriate based on the length of travel, level of the official, and consistent with company policies for its own employees, among many others. At bottom, the core issues are: whether one or more of the recognized statutory purposes is truly in play; whether the type and value of the item or benefit to be provided is reasonable in light of the purpose or, in other words, whether a reasonable prosecutor or other enforcement authority could conclude that the value of a trip or other hospitality is high enough to begin to corruptly influence the recipient; whether there is appropriate review and approval within the company, including, typically, by legal or compliance or, at least, by management personnel with sufficient authority and training as to compliance issues; is there documented evidence that the expenditure is appropriate; and is there transparency with the foreign official s employer or otherwise associated government agency. Second, because FCPA liability is only triggered where the provision of the thing of value is corrupt, there may be circumstances where this element is not met. As a legal matter, that means that the government could not meet its burden of proof to show that there was an intent to influence the official to obtain or retain business. That said, this is a legal distinction that should make little Smith Pachter McWhorter FCPA FAQs Primer 5

6 difference for a company s anticorruption compliance program: the same factors that would support the affirmative defense typically would support an argument that the government cannot show a corrupt purpose in the first place. 6. Should a company s anticorruption compliance policy prohibit facilitation payments? It has become increasingly common for companies to prohibit facilitation payments, i.e., low value payments made to officials to perform or to expedite non-discretionary, routine government acts to which a company is entitled, but for which the official seeks in essence a tip to perform. Facilitation payments are permitted under the FCPA. The trend to prohibit them despite that fact appears to stem from one or more of the following reasons: first, in today s global economy and with heightened awareness of compliance issues more generally in the corporate world, companies are increasingly sensitive to the fact that such payments typically are not permitted under other nation s anti-corruption laws; second, some companies take the view, which is the view taken by the Organisation for Economic Co-operation and Development (OECD), that permitting such payments could lead to a sense of complacency amongst company employees about bribery and/ or encourage more demands for these and other types of payments from officials; and third, some companies have concluded that navigating permissible vs. impermissible payments is too difficult to be worth the burden in training, legal review, and oversight of relevant transactions. Ultimately, because these payments are legal under U.S. law, from a U.S. perspective it is a business decision rather than a legal decision whether or not to prohibit them. And the reality is that in some parts of the world, it can be extremely difficult to obtain routine government acts to which a company is entitled without paying such tips. Failure to do so can lead to delays or outright denials of the act to which the company is entitled. But, because the exception is narrow, clear controls and review by Compliance or Legal are recommended. If on the other hand a company chooses to prohibit such payments altogether, it is important to provide the support, including with respect to helping employees plan ahead for these obstacles and develop effective strategies for resisting such demands without unduly compromising the needs of the business. We have found that this can be done, but it does require thought and some dedication of internal training, legal guidance, and business planning resources to have a ban on facilitation payments that truly works in practice. 7. What is a company expected to do with respect to investigating potential corrupt payments? When a company has reason to think that an employee or a business partner may have made corrupt payments to a foreign official, the DOJ and SEC expect that the company will look into the issue with sufficient rigor and depth to be able to assess: did payments occur or, even if they did not occur, were they offered or authorized; what was the benefit obtained or sought by the company; which company employees were involved, and how high up did the knowledge go; were there supervisors who either knew, were willfully blind, or failed to adequately train or supervise subordinates who were involved; why did the compliance failure occur, e.g., was it a bad apple employee or were there also failures in company policies, procedures, training, internal reporting mechanisms, culture (is there a culture of the end justifying the means), or other process issues; did personnel who serve as compliance watchdogs and gatekeepers (legal, compliance, finance, 6 Smith Pachter McWhorter FCPA FAQs Primer

7 SMITH PACHTER McWHORTER PLC procurement, human resources) fail in their responsibilities; is there evidence that the incident was isolated or one-off or, by contrast, evidence that it reflected a pattern or larger set of corruption issues; if a business partner was involved, what was their culpability and must the relationship be terminated or can the partner be trusted in the future; and are there disclosure obligations under local or U.S. law based on the nature of the conduct (there is no general legal obligation to disclose an FCPA violation to U.S. authorities; but there could be an obligation to disclose locally, or even to U.S. authorities, depending on the circumstances, e.g., if the payments were made to foreign officials in connection with performing a U.S. government contract, there might be mandatory disclosure obligation under the Federal Acquisition Regulations. It is also worth noting that a 2015 policy memorandum issued by former Deputy Attorney General, Sally Q. Yates, stresses that, if a company wants to be eligible for cooperation credit from the DOJ, the company must provide to the DOJ all relevant facts about the individuals involved in the corporate misconduct. This means the investigation must have inquired into the facts sufficient to provide such evidence. In truth, experienced practitioners have long structured their investigations in this manner in any case: identifying who at the company was involved and the degree of their culpability is a core element of any rigorous investigation, and critical to develop appropriate remediation. That said, the Yates memorandum serves to reiterate the importance of this element. Finally, a note on expectations as to investigation methods: there is no pre-set recipe for what constitutes sufficient investigation steps. But enforcement agencies expect to see rigorous scoping, independence and objectivity by the investigation team, strong evidence of preservation efforts, thorough and non- collection (including from servers, laptops, personal devices, and other media) and review, analysis of financial records, and interviews of employees, former employees and/or third parties if relevant, and analysis of root causes and appropriately structured remediation to address those causes. How far to go in any given case will depend on what is reasonable and can be defended as such if the need arises in the circumstances of the case. 8. What do the DOJ/SEC expect a company to do to assess its FCPA compliance risk? The DOJ and SEC expect that a company will take specific steps to assess its FCPA compliance risk with respect to both ongoing and prospective business. The degree of formality and the complexity of this risk assessment will vary according to the size, nature and complexity of the company as well as factors such as the extent of the company s non-u.s. business and operations, the countries with the highest corruption risk in which the company has business, the degree of interaction with foreign government agencies and officials required to conduct the company s business, and the extent to which the company relies on third parties to assist in those interactions. Some large companies engage in very formal and structured FCPA risk assessment processes, for example, by conducting risk assessment workshops with leadership from the business and from key corporate functions that seek to address risk both on a company-wide basis and more specifically with respect to the operations in particular countries or for particular lines of business; synthesizing the results of these workshops; and developing risk mitigation plans based on the results. This type of risk assessment process is also accompanied by taking into account information generated by compliance-related investigations, consultations to Legal/Compliance raised by the business, the results of internal audit activity, and other information sources. Smith Pachter McWhorter FCPA FAQs Primer 7

8 Other companies, based on their size, complexity of the operations or extent of non-u.s. business, or stage of development of their risk assessment processes, may undertake a risk assessment process that is somewhat less complex. Even in those cases, however, it is important that the company undertake to identify who within the company is in a position to assist in identifying corruption risk in the company s business, and to develop a process for collecting information from such sources, organizing it, using it to inform the company s anti-corruption compliance program, and then updating this information on a periodic basis. Moreover, the DOJ in particular has become increasingly data-focused, expecting that companies will collect and analyze data about its risks, as well as make use of internal audit findings as well as the results of internal investigations, and periodically update its program accordingly. However, such practices are wise not only because enforcement agencies expect it, but also because such a process is necessary to be able to deploy precious compliance resources wisely: all of this costs time and money, and the primary purpose of a business is to be a successful business for the company s customers and clients, shareholders or owners, and employees. An effective risk assessment process will help the company focus those resources on where they are most needed. 9. Does an SEC-registered company have to take additional anticorruption compliance measures beyond those taken by non-registered companies? The short answer to this question is: Yes, but. Yes: because the FCPA places additional obligations on public companies, i.e., they are legally required to maintain accurate books and records, and an adequate system of internal accounting controls. Those obligations extend to all parts of a public company that it owns, including wholly owned and majority-owned subsidiaries and other corporate affiliates. Public companies are moreover strictly liable for failures to comply: no bad intent is required for civil liability, although it is for criminal liability under these provisions. But: all companies should be aware that the DOJ has imported the books and records and internal controls legal standard into the Department s requirements, as a policy matter, for an effective anticorruption compliance program. This is manifested in the requirements that the DOJ imposes on all companies both public and private when it settles an FCPA matter with them. Those requirements now require as a standard measure that the company maintain an anticorruption compliance program that satisfies the elements laid out in guidance issued by the enforcement agencies (principally, by the DOJ). One of those elements is that the company maintain internal controls and financial and accounting procedures sufficient to provide reasonable assurances that: books and records accurately reflect the substance of any economic transaction, and are not used to mask slush funds or other inappropriate expenditures; execution and recordation of transactions is per management authorization; access to assets is authorized; and recorded assets are compared with existing assets at regular intervals. Finally, the greater the risk profile of the company or of certain business activities in which it engages, the more rigorous must be the controls. 8 Smith Pachter McWhorter FCPA FAQs Primer

9 SMITH PACHTER McWHORTER PLC 10. Should a company s compliance program take into account non-u.s. anticorruption laws? Certainly, any company with non-u.s. business or operations must take into account applicable anti-corruption laws of the local country, and of other countries if their laws apply to the company and have extraterritorial applicability (such as the U.K. Bribery Act). Failure to do so means legal risk. That said, the U.S. remains the leading enforcer in this area, and is likely to remain so for many years to come. Thus, it is no surprise that companies subject to U.S. jurisdiction tend to focus their anticorruption compliance programs first and foremost on the FCPA. It is also worth noting that the core precepts of U.S. and non-u.s. anticorruption laws tend to be the same or very similar. And where there are differences, U.S. laws tend to be as complete, or more expansive. As one example, the U.K. Bribery Act criminalizes both government and private sector bribery (aka commercial bribery ), whereas the FCPA criminalizes only government bribery, other U.S. laws exist to prosecute commercial bribery, including when such bribery is committed outside of the U.S. As another example, while there are a number of countries in the world whose criminal law systems do not provide for corporate criminal liability absent high-level management involvement in the conduct, under U.S. law corporate liability is triggered by the acts of any employee, no matter how low in the company pecking order, or third party acting as the company s agent within the meaning of vicarious liability principles. Of course, there are some exceptions: the U.S. permits facilitation payments, whereas other nation s anticorruption laws tend not to do this; the U.K. Bribery Act goes even farther than the FCPA in terms of premising liability on the acts of third parties, through the U.K. Bribery Act corporate failure to prevent bribery provision; and others. It is for this reason that, while it is generally reasonable to focus a company s anticorruption compliance program on U.S. law, the laws of other countries must also be taken into account where applicable to the company s operations. Smith Pachter McWhorter FCPA FAQs Primer 9