July 29, 2013

Benchmarking Your FCPA Compliance Program

Governments are aggressively enforcing anti-bribery laws and regulations, such as the U.S. Foreign Corrupt Practices Act (FCPA) and the U.K. Bribery Act, with increasing regularity. The FCPA, in particular, makes it illegal to corruptly offer or provide money or anything of value to government officials with the intent of obtaining or retaining business.

In addition, the FCPA’s accounting provisions require that companies make and keep accurate books and records, and devise and maintain reasonable internal accounting controls aimed at preventing and detecting FCPA violations. The regulators more frequently use the accounting provisions because they are easier to prove, as there is no requirement under the FCPA. This is typically because an allegation tied to the anti-bribery provision includes intent and other elements that can be difficult to prove.

Governments have been providing more and more information regarding expectations through guidance, settlements and new regulations. Meanwhile, whistleblower provisions, such as those in the Dodd-Frank Act, encourage reporting to the government. As a result, multinational companies are paying more attention to their corruption risks and focusing on how to reduce those risks.

Corporations are gaining fresh insights into what the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) view as an effective FCPA compliance program. Last November, the DOJ and SEC released the FCPA Resource Guide (the “Guide”) — an unprecedented and extensive undertaking by both agencies that provides the public with detailed information about the FCPA and explicitly sets expectations for compliance programs.

The FCPA Resource Guide
Since the release of the Guide, many companies have benchmarked their existing FCPA compliance programs and internal controls against the Guide’s “Hallmarks of an Effective Compliance Program.” Creating an effective compliance program that is proportional to the organization’s risks not only demonstrates a company’s commitment to ethical conduct, but also can reduce the risk of legal actions, civil fines and penalties, business disruption, reputational damage, brand erosion and substantial costs to investigate and remediate internal controls. Recently, the government has entered into a number of non-prosecution agreements and has declined to bring action against other companies, in part, because of their effective compliance programs.

How does your existing compliance program compare to the Guide’s “Hallmarks of an Effective Compliance Program”?

  • Commitment from Senior Management and a Clearly Articulated Policy Against Corruption
    Have the leaders of the organization set the proper tone at the top? Is the message clear and documented? A framework of compliance must be established by the board of directors and senior executives, while middle management must understand and reinforce a culture of compliance throughout the organization. Documentation of the message and associated activities should be maintained and archived centrally.
  • Code of Conduct and Compliance Policies and Procedures
    When did the company last update its policies? Do they address bribery and corruption risks that are specific to your business? For policies and procedures to be effective, they must be tailored to the business model and should consider products and services, third-party agents, high-risk customers, government interaction, industry and geographic risks. Further, an effective archival and version control system is important to correlate contemporaneous internal controls and activities. The use of automation for transactional approvals and documentation can also help improve efficiencies.
  • Oversight, Autonomy and Resources
    Who has responsibility for overseeing the organization’s anti-corruption program? A management employee responsible for FCPA compliance should have direct access to the company’s governing authority. Having discrete compliance budgets, headcount and resources can also help substantiate the organization’s investment in compliance activities. The investment in resources should be proportional to the risk profile of the organization.
  • Risk Assessment
    Is the company focusing its time and resources on the corruption risks that matter most? A risk assessment is fundamental to developing a strong compliance program. Compliance programs should be designed to focus on the risks identified in a risk assessment. Off-the-shelf compliance programs are ineffective and ill-conceived, if not customized. As part of a risk assessment, the company should consider the industry, geography, size and use of third parties. In certain instances, existing internal audit risk assessments can be supplemented for corruption risk.
  • Training and Continuing Advice
    Is your company’s anti-corruption training specific to your industry and tailored to your employees’ roles? Training modules should encourage open dialogue and use real world examples. It’s important that training be designed for the target audience. For example, the content must be in the appropriate language and have the proper content for specific job responsibilities (e.g., sales personnel versus accountants). Training records as to who attended (and who did not) must be maintained and archived.
  • Incentives and Disciplinary Measures
    In addition to disciplining wrongdoers, does your organization reward and recognize employees to drive compliant behavior? For example, bonuses may be paid for timely compliance with critical controls. On the other hand, employees who violate policies should be disciplined, with proper documentation if an exception was made.
  • Third-Party Due Diligence and Payments
    Have you conducted appropriate due diligence on your riskier third parties and communicated to them your company’s expectations with regard to anti-corruption? What technology are you using to identify higher risk payments and transactions? Based on Alvarez & Marsal’s experience, 80 to 90 percent of FCPA violations relate to third-party intermediaries. Companies must know who they do business with and evaluate the risk for each third party. The onboarding process should include preventative controls designed to ensure third parties have the requisite qualifications and commitment to compliance. The due diligence should include appropriate representations from a company sponsor, as well as certifications from third-party representatives. In addition, third parties must be monitored. Using a risk-based approach, companies should search for changes that could influence the relationship, including: change in ownership, governmental relationships, use of sub-agents, negative news, inclusion in watch lists, and criminal and civil actions.
  • Confidential Reporting and Internal Investigation
    Does the company have a mechanism to encourage whistleblowers to communicate concerns internally before going to the government? For an anonymous hotline, is the call volume appropriate, given the size and demographics of your workforce? If there are few or no calls, it may be indicative of employees’ discomfort or lack of awareness in using the hotline, and in some cultures, employees may be reluctant to use them. Are complaints properly acted upon? In addition, there should be a well-designed investigatory process to triage and evaluate allegations, as well as a post-mortem to determine whether modifications in internal controls need to be made.
  • Continuous Improvement: Periodic Testing and Review
    Does the board receive periodic reports, evidencing the effectiveness of the company’s program? Are violations resolved on a timely basis and evaluated for improvement opportunities? Are you routinely testing your anti-corruption program? Is the company continuously improving its policies, internal controls and training? Companies must also monitor the effectiveness of their anti-corruption program. This may include transaction and internal control testing, contract reviews, interviews and employee surveys. More and more, businesses are using data analytics on transactional data, third-party listings, as well as email and other communications to prioritize and focus testing on the areas identified as presenting the highest risk. In addition, after each audit, a change management program should be implemented to assign responsibility and ensure the improvements are made and documented.
  • Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration
    Are FCPA risks included in the company’s M&A due diligence procedures and are those risks accurately reflected in the purchase price? How effectively are acquired companies integrated into your compliance culture? Companies must perform adequate FCPA due diligence prior to a merger or acquisition or face legal and business risks. Under successor liability laws, inadequate due diligence may lead to potential civil and criminal liability. When pre-acquisition due diligence is not possible, companies can be given consideration from the DOJ if they promptly conduct post-acquisition due diligence. Due diligence can also help a buyer to: negotiate a more beneficial purchase price for corrective actions, identify prior illegal conduct that could harm the buyer’s reputation, reduce the risk that the revenue stream was based on paying bribes, reduce the risk that the acquired company will continue to pay bribes, improve post-acquisition integration, and demonstrate a level of commitment to compliance.

The Bottom Line
The DOJ and SEC share information regarding what an effective compliance program should look like. However, it’s not a “one-size-fits-all” solution. It must be customized to the company’s business risks, strategy and markets. This information, when followed, is extremely helpful to prevent bribery and protect companies from serious and long-term financial and business-related harm. Furthermore, the government recognizes that no compliance program can ever prevent all criminal activity by a corporation’s employees.

If an unfortunate improper payment occurred and the government initiated an inquiry, the company, at a minimum, should be in a position to say: “Yes, we listened and did what you suggested. Here’s evidence of a thoughtful approach to FCPA compliance.” Seeking the advice of independent, credible professionals with anti-corruption and operational expertise can improve the effectiveness of anti-corruption compliance programs and increase the probability of a successful outcome.
