Editor: Companies seem to be spending more and more on compliance programs. What’s driving this increased spend?
Sklar: Over the last several years, there has been a trend towards increased enforcement – especially with international companies – which creates anxiety and inspires greater corporate spending on compliance. The Department of Justice (DOJ) and the SEC have become more vocal and specific about how and why they will give credit to companies with preexisting compliance programs, so companies really see the need for and benefit of these programs.
Editor: What are the risks that companies face?
Sklar: There are a number of risks, most of which particularly affect companies operating in the international space. Anti-corruption, certainly, but also antitrust, privacy and compliance with U.S. sanctions issues. There is a significant uptick in enforcement, and companies are forced into a position of having to spend money – either to successfully comply with regulatory expectations in advance or to face the potential costs of enforcement actions. As a result, we have seen significant impact to corporate spend and focus in the regulatory risk area.
Editor: How do the DOJ and SEC enforce the Foreign Corrupt Practices Act (FCPA)?
Sklar: Enforcement comes in two forms and the FCPA has two main sections. One section outlines anti-bribery provisions that are generally enforced by the Department of Justice (DOJ), and the other section contains amendments to the securities laws that require companies to maintain accurate books and records. In addition to complying with the books and records provision, which is enforced by the Securities and Exchange Commission (SEC), a company also must have effective internal controls to prevent and detect misconduct.
Enforcement actions involve two separate investigations. Bribery charges usually originate from the DOJ, while charges pertaining to how the bribed money was hidden within the corporate books and records, and other errors that arise from this illicit activity, are within the SEC’s purview. The internal controls provision is prosecuted by the SEC, and its usual remedy is disgorgement of illegally-obtained profits. For example, if a corporation pays a million dollars in bribes and derives $37 million in extra profit from that activity, the SEC will prosecute the company for hiding the bribe payments within its books and records and will require profit disgorgement of the $37 million profit. Then the DOJ will prosecute both the company and the individuals involved for the bribery itself, imposing a criminal penalty on top of the SEC’s penalty.
That’s generally the way that the FCPA is enforced. There is some crossover in limited situations where the DOJ might charge an internal controls violation, but such enforcement is more often done via some sort of disposition, plea arrangement or deferred prosecution agreement. The books and records provisions also contain criminal provisions, but charges are difficult to impose because the DOJ has to prove knowledge and intent to create inaccurate books and records, whereas, for the SEC, there is no such knowledge requirement.
Editor: Does the DOJ give any guidance on how companies should comply with the FCPA?
Sklar: Yes they do, and it’s often represented as a new development, though I estimate such guidance on FCPA compliance from the DOJ dates back to the 1990s – in an enforcement case called Metcalf and Eddy. There, the DOJ laid out an early format of what it expects from compliance programs. Then in a 2004 opinion release – which is a vehicle by which the DOJ can give an opinion and guidance on a situation presented by a company – the DOJ laid out expectations that closely resemble their current form.
Modern dispositions are done via a deferred prosecution agreement (DPA), in which the DOJ has laid out in very specific detail what it expects from a compliance program in what is colloquially referred to as the Schedule C. While each DPA may be slightly different, they are all roughly the same.
Editor: Where do companies get into trouble?
Sklar: Companies get into trouble in three main areas. First is ineffective due diligence when corporations conduct business with third parties. A corporation is responsible for the actions that third parties perform in its name, and it may engage with them without really knowing who they are or how they do business. Thus, when a third party pays a bribe, the corporation is liable for that action, and we have seen situations in which the driver of an enforcement action was ineffective or, more often, nonexistent due diligence.
The second area of concern involves the offering of meals, gifts, travel and entertainment (collectively “gifts”). There are some subtleties to assessing this activity, which have less to do with any single gift than with a pattern of behavior. We are seeing a lot of angst from companies over small gifts – bottles of wine, for example – which in reality are of less concern, as long as transparent records are maintained. Companies really get into trouble when they exhibit a pattern of vast overspending, often coupled with other indicators that the company was aware that this activity crossed the line. Indicators include hiding the source of funding or delivering gifts in a surreptitious way, any of which might trigger action by the DOJ.
The third issue is less concerned with any specific area or activity and focuses more on the overriding corporate culture, which may, for example, emphasize results over ethics or opt for short-cut solutions on important governance issues, like effective information management. In short, the DOJ is looking for a commitment from the top to exercise broad judgment and discretion.
Editor: Can you explain what the key compliance elements are?
Sklar: Robust risk assessment should be the first priority and will garner positive results with the DOJ. First, a company must identify basic elements, such as where and how its activities are conducted, what are the associated risks within each potential corruption space and how to control for those risks. Advanced companies also lay out a long-term plan for risk management, which resonates with regulators by reflecting a true depth of knowledge of the regulations and of the business itself.
Another key compliance area is due diligence, which includes knowing the players and then monitoring transactions – at least periodically – with higher-risk third parties. Overall, companies should regularly review and enhance existing compliance programs because, while the DOJ will acknowledge effective programs, it will also probe as to how the program lives and breathes organically within your company.
The last key element of effective compliance programs is training that both addresses what employees really encounter on the job and reinforces the need to do business ethically. Higher-risk situations arise as a result of geographic location or an individual’s level of seniority, for instance, and training programs must be designed to help employees understand conditions and limits of doing business within certain markets without paying bribes.
Editor: Do companies get credit for having compliance programs?
Sklar: Yes. In fact, the internal policies of both the DOJ and the SEC require that they analyze and give credit for preexisting compliance programs in the context of a regulatory action. Companies also get credit for voluntary self disclosure and for cooperating with the agencies toward resolving the problem. Thus, companies have three strategies toward regulatory agency credit: self disclosure, cooperation and preexisting compliance, which can make all the difference between facing a full-blown prosecution and a deferred prosecution agreement, non-prosecution agreement or even a declination. The latter eliminates the problem as a result of the DOJ effectively acknowledging that an issue arose in spite of the company’s having met agency expectations.
Editor: What should we expect from the upcoming FCPA guidance?
Sklar: In addition to items I already mentioned – the second opinion release of 2004, the Schedule C and every modern DPA – the DOJ has promised guidance on FCPA compliance in the fall, covering a broad range of issues, such as fully defining “foreign official” for FCPA purposes, available credit for compliance programs, the value of self disclosure and specific issues arising from individual prosecutions. Further, the DOJ’s guidance will be issued jointly with the SEC, and will cover internal controls that have not been sufficiently addressed to date.
While the form of such guidance is a contentious matter for experienced practitioners, the final product likely will be a compilation of items that are currently available in a dispersed format. While such will be a significant and welcome development for a wide swath of the corporate world – especially for smaller and medium-sized companies that lack the resources needed for proper risk management infrastructure – it likely will not affect those of us who work with the FCPA every day – FCPA practitioners or in-house compliance officers.
Editor: What is the driver for new case law in the FCPA arena?
Sklar: Certainly, FCPA enforcement has been – and still is – a major event for corporations. What has changed, however, is that case law currently being developed seems to have shifted focus to the prosecution of individuals versus corporations.
Generally speaking, individuals exhibit greater capacity and willingness to fight charges and really put the government to its burden, whereas corporations are more likely to settle and forego the disruption and expense of a trial. Depending on the business involved, a grand jury indictment alone could have major negative consequences – on operations generally, export licenses issued through the Department of Defense or even on the right to bid for government contracts. Thus, cases involving individuals are on the rise and coming to fruition in court, resulting in a significant increase in judicial examination of the DOJ’s previously untested interpretation of the law.
Editor: How can technology assist companies in the current enforcement environment?
Sklar: A number of clients are using our technology for internal review of documents during an FCPA investigation, which also ties in with Dodd-Frank issues that arise when a whistleblower reports directly to a regulator. Dodd-Frank adds to the complexity by imposing a time limit on the internal investigation as a result of the whistleblower being allowed 120 days after reporting internally to go to the SEC and not lose their place in line.
Recommind really shines for corporations in the FCPA context because we offer the element of time savings in addition to being a cost-effective option for advanced search and review capabilities. Our technology also can be used as a tool in proactive compliance. The robust searching capabilities allow identification of high-risk individuals and activities; a compliance program that includes advanced search as a monitoring technique would really impress the DOJ. Plus, some regulatory bodies are already using our technologies.
Editor: Please tell us about efforts to enact legislation that formalizes agency credit for preexisting compliance programs.
Sklar: There are two proposals afoot. One involves legislating an affirmative defense for corporations that have effective compliance programs, and the other involves legislating negative consideration for lack of such programs. In my view, both are misguided because companies will not enjoy any incremental benefit beyond existing options for the DOJ to review and give credit where credit is due.
Rather, there is only significant downside for companies if the lack of formal programs becomes an element of the crime. Companies will face expanded and demoralizing scrutiny of compliance programs, leading to subpoenas and testimony to uncover program gaps. Further, the DOJ will have to plead it in a complaint, which means that the government will be accusing companies of inadequate compliance during the earliest stages of the case – rather than after initial investigations and any negotiations.