Introduction and overview
From the start, it is important to understand what this book is about and what this book is not about.
This book is not about the legitimacy or validity of many enforcement theories that impact compliance. For instance, you will learn that Congress intended the FCPA’s “foreign official” element to mean bona fide, traditional foreign government officials such as presidents, prime ministers and other heads of state. However, many enforcement actions concern things of value provided or offered to materially different types of individuals such as employees of various business organizations (albeit with some state ownership or alleged control) as well as employees of certain foreign healthcare systems (such as physicians, laboratory personnel and even a mid-wife). These enforcement theories, like many others which impact compliance, have not been subjected to any meaningful judicial scrutiny because of the typical resolution vehicles used to resolve corporate enforcement actions. Moreover, the things of value often provided to alleged “foreign officials” bear little resemblance to classic notions of bribery such as suitcases full of cash, but rather consist of corporate hospitality, charitable donations or internships and jobs for family members. In other words, the underlying conduct may be legal and morally acceptable in most instances, yet, when directed to a certain type of individual, might be deemed bribery by government enforcement agencies.
Likewise, you will learn that Congress qualified the books and records and internal controls provisions, among other ways, through a reasonableness standard. However, many enforcement actions involve business organizations with pre-existing compliance policies and procedures and involve circumstances where it is difficult to reconcile existing legal authority, as well as even enforcement agency guidance, with the theories of enforcement advanced. Yet it is these enforcement theories which impact compliance in meaningful ways by causing risk-averse business organizations to calibrate compliance policies and procedures to existing enforcement theories.
In short, two distinct questions can be asked in connection with many instances of scrutiny and enforcement. The first question is whether Congress, in passing the FCPA, intended to capture the alleged conduct and whether a court would find the alleged conduct in violation of the FCPA. The second question is whether, given the government’s prevailing enforcement theories, the alleged conduct can expose a company to scrutiny and enforcement. The first question is obviously important in a legal system based on the rule of law; however, the answer is often unclear given actual legal authority and because the typical resolution vehicles used to resolve corporate enforcement actions bypass judicial scrutiny. The second question is obviously important to compliance professionals tasked with minimizing risk based on prevailing enforcement theories and the answer is often yes. Please remember these two distinct questions when reading Chapters 2–5 in which several references are made to “legal authority” (statutory text, legislative history and judicial authority) vs. “non-legal authority” (enforcement agency guidance and resolved enforcement actions – what some have called “prosecutorial common law”1). Visually, think of this dynamic as follows:
Legal authority of course has a firm foundation, but the problem is that, aside from the statute and legislative history, there are few judicial decisions construing the FCPA. When put in the rare position of deciding an FCPA issue, a judge remarked there are “surprisingly few decisions throughout the country on the FCPA”.2 Similarly, in its review of FCPA enforcement, the Organisation for Economic Co-operation and Development (OECD) observed: “although enforcement under the FCPA is strong and increasing, there is relatively little jurisprudence that has developed since the FCPA was enacted.”3 Even the Securities and Exchange Commission’s (SEC’s) Director of Enforcement has stated that “FCPA law … is not well developed.”4
Compared with legal authority, there are more non-legal sources of FCPA information. However, the problem with non-legal sources of information is that they rest on an unstable foundation and are subject to change. This shifting landscape has long been lamented and one of the best things ever written about the FCPA was penned in the early years of the statute when it was noted that:
The government has the option of deciding whether or not to prosecute. For practitioners, however, the situation is intolerable. We must be able to advise our clients as to whether their conduct violates the law, not whether this year’s crop of administrators is likely to enforce a particular alleged violation. That would produce, in effect, a government of men and women rather than a government of law.5
Yet even as the FCPA has matured, this dynamic remains. A dean of the FCPA bar observed:
One reality is the enforcement agencies’ [FCPA] views on issues and enforcement policies, positions on which they are rarely challenged in court. The other is what knowledgeable counsel believe the government could sustain in court, should their interpretations or positions be challenged. The two may not be the same. The operative rules of the game are the agencies’ views unless a company is prepared to go to court or to mount a serious challenge within the agencies.
Regarding this dynamic, compliance professionals simply need to accept the old adage “it is what it is” and recognize that in certain enforcement actions the enforcement theory advanced represents little more than ipse dixit (Latin for “he himself said it” – an unsupported statement that rests solely on the authority of the individual who makes it). As highlighted in Chapter 5, this dynamic is particularly relevant to certain of the SEC’s internal controls enforcement theories in which a business organization’s alleged failure to do x, y or z is an internal controls violation merely because the SEC says it is. Compliance professionals need to be cognizant of this dynamic, yet this book accepts prevailing enforcement theories, related government guidance and policy positions and seeks to provide the necessary skills to minimize risk given the current enforcement landscape.6 Nevertheless, this book will occasionally encourage you to think for yourself and ask certain critical questions relevant to the FCPA’s modern era.
This book is also not about eliminating risk under the FCPA and related laws. FCPA liability is a form of legal liability similar to tort liability, contract liability, antitrust liability and environmental liability. Compliance professionals rarely encounter literature suggesting that business organizations can eliminate these forms of legal liability, but there are some who market FCPA compliance products and services as a way to eliminate risk. Such charlatans are selling “snake oil” for the simple reason that FCPA and related risk, while it can be minimized through the strategies highlighted in this book, can’t be eliminated. This is particularly true given the general U.S. legal principle of respondeat superior which generally holds that business organizations can face legal liability based on the conduct of any employee or agent (regardless of rank, title, or position) to the extent the employee or agent: (i) acted within the scope of employment/agency; and (ii) the conduct, at least in part, benefited the organization.
While rogue actors are often portrayed as a figment of the corporate apologist’s imagination,7 they do exist, as even the enforcement agencies acknowledge. For instance, the Department of Justice’s (DOJ’s) Assistant Attorney General for the Criminal Division stated:
We recognize that any big company can’t control all of its employees all of the time, we recognize that. If you are a company operating in certain geographies you are going to be paying possibly small, but you will be paying some kind of inappropriate payment, we recognize that. We recognize that companies have rogue employees who don’t follow company policy so even when there is a strong company policy it may still be the case that somebody in the company does something that is off the reservation, that happens all the time … it’s impossible for a big global company to make sure that all of its employees are following the law all of the time.8
Indeed, certain enforcement actions are based on the conduct of single actors who knowingly circumvent a company’s existing internal controls.9 In other words, a business organization can act consistently with all of the risk management strategies highlighted in this book, yet still face liability under the FCPA and related laws. As noted by a former DOJ FCPA enforcement attorney, this aspect of enforcement is controversial:
I think that companies’ main frustration is that even with an outstanding compliance program and 99% of the employees maintaining strict adherence to the laws, you can still have violations which expose the entire company to extraordinarily serious penalties. I think the government has, at times, lost track of the main motivations for this statute and has become focused on the amounts of penalties, the imposition of compliance monitors, and exercising government control over what are basically private businesses. The vast majority of companies are absolutely committed to following the spirit and the letter of the FCPA, but when a company gets into trouble, the whole enterprise can be put at risk because of the conduct of a few people, and that doesn’t seem right.10
From a comparative standpoint, it is worth noting that U.S. respondeat superior principles are unique because in most other peer nations (i.e. other signatory countries to the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions),11 criminal liability can only be imputed to a business organization (if at all) based on the conduct of so-called “controlling minds” such as board of director members or executive officers.12
Related to this issue, this book is not about whether the FCPA as written or whether the FCPA as enforced pursuant to government enforcement agency policy adequately recognizes a business organization’s good faith compliance efforts. Although the FCPA does not have a compliance defense, it is important to recognize that the FCPA-like laws of several peer countries have a compliance defense or similar concepts embedded in law.13
Amending the FCPA to include a compliance defense (i.e. to legally recognize pro-active compliance policies and procedures and provide business organizations with the best return on their compliance investment) is not a new idea. For instance, an FCPA reform bill that included a compliance defense previously passed the U.S. House of Representatives and the relevant House Report stated: “If a corporation has set up internal controls to avoid illicit payments or has otherwise acted to keep within the law, its due diligence can be used as a defense against both civil and criminal liability in cases where its employees have nonetheless engaged in bribery.”14 Amending the FCPA to include a compliance defense is not a novel idea either. The FCPA is part of the Securities Exchange Act and other Exchange Act provisions excuse legal liability based on good faith compliance efforts. Last but certainly not least, numerous former FCPA enforcement attorneys support a compliance defense. In the words of a former chief of the DOJ’s FCPA Unit, an FCPA compliance defense is “manifestly reasonable” for the following reasons:
Companies that seek only to be good corporate citizens would have an opportunity to demonstrate not only to DOJ, but also to a federal district court, that they had in fact done everything reasonably required, and that despite that fact an errant employee avoided company policy and violated the law. Affording this type of defense to corporate liability would recognize and reward strong compliance programs; provide a powerful incentive for companies to develop and enforce such programs; may encourage more companies to come forward with voluntary disclosures; and yet still enable prosecution of the culpable individuals. It is time to stop punishing our good corporate citizens and start going after the guilty – both corrupt corporate employees and corrupt foreign officials.15
It is true that government enforcement agencies have stated that pre-existing compliance policies and procedures such as those highlighted in this book are relevant to how they exercise charging discretion as well as the ultimate fine and penalty amounts in an actual enforcement action. However, given the lack of transparency surrounding enforcement, it is nearly impossible to assess whether the enforcement agencies are acting consistently with their own enforcement policies. The salient point regarding the risk management strategies highlighted in this book is that, under current U.S. practices, they may merely lessen the impact of legal exposure, but not reduce legal exposure as in several peer countries that have a compliance defense or similar concepts embedded in their FCPA-like laws. Nevertheless, adhering to the risk management strategies highlighted in this book will allow a business organization to tell the best story possible to government enforcement agencies should scrutiny arise.
If this book is not about the legitimacy or validity of certain FCPA enforcement theories, not about eliminating risk under the FCPA and related laws, and not about the policy issue of whether the FCPA or enforcement agency practice adequately recognize compliance efforts, then what is this book about?
Simply stated, this book is about providing a diverse group of professionals who can assist in risk management (such as lawyers; finance, accounting and auditing professionals; business executives and board of director members; human resources professionals; and others) with the best available tools to minimize risk under the FCPA and related laws given the current enforcement landscape. Towards this goal, this book uses plain English to: (i) highlight legal authority and other sources of information relevant to bribery laws; (ii) guide you through various components of compliance best practices from the fundamentals of conducting a risk assessment, to effectively communicating compliance expectations, to implementing and overseeing compliance strategies; and (iii) allow you to assess your acquired knowledge through various issue-spotting scenarios and skills exercises.
Before providing a general overview of the eight chapters of this book, a brief explanation of how the book is organized is in order. As demonstrated by the below visual, the primary goal of this book is to provide you with a pair of “FCPA goggles” and teach you to spot risk so that you can confidently implement and execute specific compliance strategies unique to your business organization.
The teaching goal of this book is advanced through various visual learning devices to best convey relevant information. For instance, Chapters 2–5 go in-depth into the FCPA’s anti-bribery provisions and books and records and internal controls provisions and include several real-world issue-spotting scenarios that allow you to assess your acquired knowledge and skills by putting on your “FCPA goggles” to spot risk. To get the most out of this book, do not breeze through these issue-spotting scenarios but rather pause to assess your acquired knowledge and skills before reviewing the model answers.
As you learn the specific elements of the anti-bribery and books and records and internal controls provisions, various risk management strategies specific to these elements are introduced through the below visual.
The umbrella visual is a useful reminder of one of the essential take-away points of this book. As discussed earlier, risk under the FCPA and related laws can be minimized, but it can’t be entirely eliminated. Similarly, an umbrella is going to shield you from most rain drops and keep you relatively dry. However, using an umbrella is not a guarantee that no rain drop will hit you.
Regarding the risk management strategies highlighted in this book, it is important to recognize as alluded to above (i.e. the difference between “legal authority” vs. “non-legal sources of information”) that few of the risk management strategies are technically legally required or found in the FCPA statute. Rather, business organizations have a legal obligation under the anti-bribery provisions not to offer or provide money or things of value, with a corrupt intent, to a foreign official, to assist in obtaining or retaining business. Under the books and records and internal controls provisions, certain business organizations (so-called issuers under the FCPA) have a legal obligation to: (i) “make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer;” and (ii) “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that” certain financial objectives are met.
While some of the risk management strategies highlighted in this book may seem fairly obvious (things often do with the benefit of hindsight), sometimes it takes learning of a real company, involved in a real enforcement action, with a real failure to best drive home basic compliance points. Indeed, a skill this book aims to develop is teaching you to read actual enforcement actions and “flip” the allegations or findings in the enforcement action into risk management strategies. Accordingly, this book highlights various compliance failures from actual enforcement actions through the below visual.
In addition to various real-world issue-spotting scenarios, you will also have an opportunity to practice your acquired knowledge in a comprehensive skills exercise at the end of Chapter 6. This exercise, which is introduced with the below visual, requires you to conduct a risk assessment of a real company based on generic corporate information. Once again, to get the most out of this book, do not breeze through the skills exercise, but rather pause to assess your acquired knowledge and skills before reviewing the model answers.
One final point to keep in mind is that for the sake of brevity this book frequently refers to the U.S. FCPA. However, this book and the risk management strategies highlighted are relevant to more laws than just the FCPA. While lawyers seeking your business may try to convince you otherwise, the fact is that other FCPA-like laws such as the U.K.’s Bribery Act, Canada’s Corruption of Foreign Public Officials Act, Brazil’s Clean Companies Act and many others, have elements very similar to the FCPA and thus very similar risk management strategies. In other words, this book is not just for compliance professionals wanting to minimize risk under the FCPA but many other laws as well and it is intended for a global compliance audience.
This book begins by highlighting why a diverse group of professionals need skills to spot risk under the FCPA and related laws. The short answer is because risk is omnipresent for business organizations competing in the global marketplace. While all seem to acknowledge this, in the minds of some, compliance should be easy: “just don’t bribe.” However, this simplistic narrative is a fallacy because the overwhelming majority of business organizations subject to the FCPA and related laws compete in the global marketplace with a commitment to compliance, yet subject to unrealistic legal standards and/or difficult and complex business conditions that often serve as the root cause of scrutiny and enforcement. An examination of these root causes is not meant to excuse the conduct giving rise to an enforcement action, but rather to understand how and why the conduct occurred in the first place. Understanding the root causes of scrutiny and enforcement also serves an important compliance objective in that a key component of best practices is conducting a risk assessment (i.e. understanding unique points of contact with “foreign officials”) and prioritizing compliance to specific risks.
Chapter 1 next highlights that a diverse group of professionals also need skills to spot risk because scrutiny and enforcement can result in wide-ranging, negative financial consequences for business organizations. Obviously one reason to comply with the FCPA and related laws is because non-compliance can expose an organization to an actual enforcement action brought by law enforcement. However, settlement amounts in an actual enforcement action are often only a relatively minor component of the overall financial consequences that can result from scrutiny and enforcement. Discussion of these many other “ripples” is intended to shift the compliance conversation away from a purely legal issue to its more proper designation as a general business issue that needs to be on the radar screen of many professionals who can assist in risk management and who should view the importance of compliance more holistically and not merely through the narrow lens of actual enforcement actions.
With a clear understanding of why skills to spot risk are important, Chapter 2 begins to construct your “FCPA goggles” by analyzing the core elements of the FCPA’s anti-bribery provisions. To competently conduct the risk assessment skills exercise in Chapter 6, you must first be familiar with the myriad ways in which scrutiny and enforcement arise. This requires you to have a comprehensive understanding of legal authority and non-legal sources of information relevant to the core elements: anything of value, corrupt intent, foreign official, and obtain or retain business.
You will quickly learn that while a suitcase full of cash to a traditional foreign government official to obtain a foreign government contract most certainly meets these elements, few modern enforcement actions concern this type of conduct. Rather, and the reason why the “just don’t bribe” narrative is often simplistic and naïve, the things of value often provided to alleged “foreign officials” consist of corporate hospitality, charitable donations and internships or jobs for family members. In other words, the underlying conduct is often legal and morally acceptable in most instances, yet when directed to a specific type of individual might be deemed bribery by government enforcement agencies.
Throughout Chapter 2 you will learn risk management strategies specific to certain core elements of the FCPA’s anti-bribery provisions that present the greatest compliance challenges and you will also have a chance to assess your acquired knowledge through several real-world issue-spotting scenarios.
The FCPA and related laws contain third-party payment provisions which prohibit the above core conduct from being accomplished indirectly through third parties. The upside of utilizing third parties – in connection not just with sales activities but with other aspects of business as well – is that they are efficient, understand the local business environment and have relationships with key business actors. However, these attributes also represent a downside and third parties are often the single greatest risk to a compliance program. Accordingly, an important component of having “FCPA goggles” is understanding the FCPA’s third-party payment provisions and Chapter 3 develops this knowledge by highlighting legal authority and non-legal sources of information relevant to these expansive provisions and how they capture so-called willful blindness or conscious disregard of third-party conduct.
To minimize the risk of engaging and maintaining relationships with third parties, Chapter 3 also highlights various compliance best practices spanning all three phases of a third-party relationship: pre-engagement best practices; engagement best practices; and post-engagement best practices. In addition, various template compliance documents are provided and you will also have a chance to assess your acquired knowledge of the third-party payment provisions through a real-world issue-spotting scenario.
Even if all of the substantive elements of the FCPA’s anti-bribery provisions are met and there is jurisdiction over the actor, the final step in analyzing the anti-bribery provisions is determining whether the facilitating payment exception or the so-called local law or reasonable and bona fide expenditures affirmative defenses apply. Chapter 4 highlights legal authority and non-legal sources of information regarding these provisions, yet relevant to the two distinct questions highlighted above in connection with many instances of scrutiny and enforcement, you will learn that while the FCPA expressly exempts facilitating payments it is an open question whether this statutory exception has any real meaning or whether the enforcement agencies have, through their enforcement theories, essentially repealed this exception. Regardless, prevailing best practices seem to be prohibiting facilitating payments except in cases of health and safety, and consistent with this approach, training best practices will be highlighted.
Along with third parties, corporate hospitality and related expenditures also present challenges to a compliance program given that business organizations routinely promote their products and services and execute contracts. Because of this, an additional component of having “FCPA goggles” is understanding the contours of the reasonable and bona fide expenditures affirmative defense and you will learn of compliance practices to minimize risk in this area.
Relevant to the facilitating payment exception and reasonable and bona fide expenditures affirmative defense, you will once again have a chance to assess your acquired knowledge through real-world issue-spotting scenarios.
The FCPA has always been a law much broader than its name suggests. The anti-bribery provisions that were the focus of Chapters 2–4 are just one prong of the FCPA. The other prong, applicable to “issuers” (FCPA-speak for publicly traded companies or those subject to SEC regulation), is the books and records and internal controls provisions. These provisions operate independently of the anti-bribery provisions and are among the most generic and flexible legal provisions one can possibly find. Because of this and how these provisions are currently enforced, the books and records and internal controls provisions are a potent supplement to the more glamorous anti-bribery provisions.
Chapter 5 highlights legal authority and non-legal sources of information relevant to the books and records and internal controls provisions and demonstrates through actual enforcement actions the wide range of circumstances in which the enforcement agencies use these flexible provisions to also address allegations of foreign bribery or similar conduct. Like in previous chapters, you will also have a chance to assess your acquired knowledge through a real-world issue-spotting scenario.
Having an element-specific understanding of the FCPA’s provisions and how they are enforced is a critical first step toward minimizing risk. However, you also need to be knowledgeable about the wide body of so-called compliance “best practices” and Chapter 6 begins by highlighting various potentially relevant sources. At first blush these various sources may seem a bit overwhelming, but Chapter 6 breaks these best practices into bite-size pieces that are easier for you to digest.
A common thread in all sources of best practices is conducting a risk assessment. After all, rarely does a compliance professional receive questions tied to specific legal elements such as “is this customer an instrumentality of a foreign government such that its employees may be deemed a ‘foreign official’ under the FCPA” or “does this planned corporate hospitality event represent a ‘reasonable’ and ‘bona fide’ expenditure ‘directly related’ to a business purpose.” Rather, in the real world compliance professionals listen to stories or receive information and from these real-world stories and information are expected to spot risk.
Chapter 6 graduates you to the next level of compliance proficiency by highlighting the fundamentals of conducting a risk assessment. From there, and with your “FCPA goggles” on, you will complete a skills exercise by reviewing generic business information of a real company and categorizing the company’s unique risk points. Perhaps the company’s customer base presents risk; perhaps the company’s unique product or service presents risk; or perhaps the company’s go-to-market strategy presents risk? It will be up to you and your “FCPA goggles” to spot the risk and devise strategies for minimizing the risk.
There is more to FCPA and related compliance than just spotting risk in a business organization. Think of this in terms of a sports analogy where a coach devotes hours studying an opponent to learn of its deficiencies and vulnerabilities. This is a great start, but the success of a sports team will largely depend on the ability of the coaching staff to implement a game strategy and effectively communicate it to the players who will be facing the opponent. The success of a business organization in minimizing risk under the FCPA and related laws likewise largely depends on implementing a compliance strategy and effectively communicating it to employees and agents in the global marketplace.
Accordingly, Chapter 7 discusses how to implement written compliance policies and procedures throughout a business organization and effectively communicate the compliance strategy in a way that resonates with the intended audience. Next, training best practices will be highlighted (in terms of both who to include in training and how best to convey important concepts) as well as the importance of holistic compliance in which various corporate actors can play a meaningful role in minimizing risk.
Prior to Chapter 8 you will have: (i) learned why spotting risk under the FCPA and related laws is an important skill for a diverse group of professionals; (ii) constructed your own “FCPA goggles” through an element-by-element review of the FCPA’s provisions; (iii) practiced wearing your “FCPA goggles” through issue-spotting scenarios; (iv) learned of various sources of compliance best practices and the common elements found in these sources; (v) conducted a risk assessment of a real company based on generic information; and (vi) learned of various best practices to implement a compliance program and effectively communicate compliance expectations within a business organization. These are all critical tasks to minimizing risk within a business organization.
However, a compliance professional’s job is not yet finished as Chapter 8 highlights various risk management strategies relevant to oversight responsibility and resources for a compliance program; having a system for internal reporting of compliance concerns and proper investigation protocols; and finally the important step of periodically assessing a compliance program and continuous improvement.