Editor: Before we discuss the new Guidance, please provide some background on the Foreign Corrupt Practices Act.
Keneally: The Foreign Corrupt Practices Act was enacted in 1977 when, during an SEC investigation, more than 400 U.S. companies admitted making questionable or illegal payments to foreign government officials, politicians and political parties. The FCPA was little-used for quite some time. But that has changed over the last decade or so, as the SEC and DOJ have been increasingly on the lookout for violations and have emphasized the benefits to companies that cooperate in investigations and self-report violations.
The FCPA has two main prongs: one associated with antibribery, and the other with accounting requirements for certain entities. The antibribery provisions basically make it unlawful to bribe foreign government officials to obtain or retain business. The provisions are sweeping and prohibit companies from making “corrupt payments,” or bribes, to foreign officials that are intended to help the company obtain or retain business.
The accounting requirements are a complement to the antibribery provisions and require that certain companies, including those whose stock is listed on a U.S. stock exchange, comply with various accounting provisions. The accounting provisions make it difficult for companies to disguise the nature of payments that they make to foreign officials, thus making it difficult to make corrupt payments appear legitimate.
Editor: Who is potentially liable under the FCPA?
Keneally: The FCPA has tremendous breadth and potentially applies to any individual, firm, officer, director, employee or agent of a firm and any stockholder acting on behalf of a firm.
The statute specifically applies to “issuers” and “domestic concerns.” An “issuer” is a corporation that has issued securities that have been registered in the United States or who is required to file periodic reports with the SEC. A “domestic concern” is any individual who is a citizen, national, or resident of the United States, or any corporation, partnership, association, joint-stock company, business trust, unincorporated organization, or sole proprietorship that has its principal place of business in the United States, or which is organized under the laws of a state of the United States. A U.S. parent corporation may also be held liable for the acts of foreign subsidiaries where the parent company authorized or otherwise controlled the activity in question.
In addition to “issuers” and “domestic concerns,” the Act also applies to any person, including a non-U.S. person or corporation, who commits an act in furtherance of a bribe or prohibited act while in the United States or its territories. Thus, even foreign nationals can be liable under the FCPA if they commit the prohibited act while in the U.S. or its territories.
The FCPA also applies to persons or companies who hire third parties to make corrupt payments on their behalf, provided the hiring person has knowledge that the third party intends to make such a payment. The term “knowing” includes conscious disregard and deliberate ignorance. Thus, a U.S. company or other covered person who hires a foreign national to make bribes on its behalf, even if the foreign national never set foot inside the U.S. or its territories, could still be liable under the FCPA.
Editor: What is your reaction to the recent Guidance issued in November 2012 by the DOJ and SEC?
Keneally: Perhaps because it was so highly anticipated as a means of assisting companies with FCPA compliance, the Guidance may have fallen short of expectations.
Editor: Can you give an example of how it falls short?
Keneally: One subject that could have benefitted from further explanation is “facilitating payments.” These payments fall within a narrow exception to the FCPA’s anti-bribery provisions, and are defined as payments “made in furtherance of routine governmental action” involving non-discretionary actions. Yet the line between facilitating payments and bribes remains fuzzy, even following the release of the Guidance. Though the Guidance gives a few examples of what constitutes “routine governmental action,” setting out some concrete, bright-line rules would have been a useful and effective addition.
Editor: Will the Guidance help corporations with compliance efforts?
Keneally: Yes, in this sense: I think it’s valuable as a centralized compendium of government policy concerning various aspects of FCPA compliance. Perhaps most notably, the Guidance goes into great detail in laying out what the DOJ and SEC see as the “hallmarks” of an effective FCPA compliance program.
Editor: Does the Guidance outline specific actions a company can take to mitigate the risk of being investigated or prosecuted?
Keneally: Unfortunately, it offers very little new or prospective advice, but again, that doesn’t seem to be the intent. However, from the perspective of a company and its in-house counsel, the Guidance presents several principles for customizing a compliance program that will pass SEC and DOJ muster if there is ever a problem and self-reporting to these agencies becomes necessary for a company.
Editor: What are some of the specifics of the Guidance in terms of these hallmarks for effective compliance?
Keneally: The Guidance emphasizes the importance of a company’s creating a “culture of compliance,” and notes that “compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” FCPA compliance must be a top-down endeavor, as upper-level executives set an example for everyone to follow. It is therefore important that the DOJ and SEC see that senior management has clearly articulated and widely disseminated company anti-corruption standards in order to receive credit for its compliance efforts.
The SEC and DOJ want to be certain that all employees have a hand in FCPA compliance. To that end, all employees should be aware of, and have access to, company-wide policies and practices. The Guidance emphasizes that these policies should be “clear, concise and accessible to all employees,” and that they should “detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures.” A compliance program can only operate effectively if all employees are able to participate, so the SEC and DOJ will look to make sure that proper communication of standards throughout the company has occurred. To that end, the Guidance also suggests situation-specific training , as well as disciplinary procedures and rewards for employees.
Editor: What should an in-house counsel and compliance staff keep in mind regarding employee involvement?
Keneally: Compliance programs can only function when employees are kept up to date with the latest policies and procedures. Companies should demonstrate a proactive interest in this goal by offering, if not requiring, attendance at regular training and continuing education programs. Training should be audience- and situation-specific: different types of training are needed for sales staff and accounting staff, with curricula that address real-life situations those employees may encounter.
In evaluating a compliance program’s effectiveness, the DOJ and SEC will determine whether a company appropriately and effectively sanctions those responsible for compliance violations and lapses. The Guidance states that “[a] compliance program should apply from the boardroom to the supply room – no one should be beyond its reach.” A company must apply disciplinary techniques “reliably and promptly” against anyone who warrants them, particularly higher-level executives who are at risk for incurring significant FCPA violations on larger transactions. Likewise, companies should encourage self-policing and reporting of potential FCPA violations by offering incentive programs that reward those employees who call attention to potential violations or who otherwise contribute to the company’s compliance culture.
The Guidance also explains that employees will be far more likely to alert compliance personnel to potentially violative behavior if they can be assured that they have a secure and anonymous channel for doing so. To that end, companies may establish anonymous hotlines or employ ombudsmen to accept reports. Moreover, companies must act on those reports and conduct thorough internal investigations that will, when necessary, punish those responsible and result in improvements to their compliance programs.
Editor: Are there any other “hallmarks” for compliance the Guidance mentions?
Keneally: It’s important to demonstrate independence from senior management. A compliance program cannot have real value if it is beholden to the company’s upper-management. Thus, the Guidance stresses the importance of an independent compliance staff with real authority to intervene. “Individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.” The government will look to see whether a “company devoted adequate staffing and resources to the compliance program, given the size, structure and risk profile of the business.”
Thoughtful risk assessment and due diligence is also important. The Guidance emphasizes that a one-size-fits-all approach will not suffice in establishing a company’s FCPA risk assessment mechanism. For example, companies should not focus on policing smaller, less significant transactions at the expense of allowing focus on larger bids or risky activities to wane. Further, they say that “performing identical due diligence on all third-party agents, irrespective of risk factors, is often counter-productive, diverting attention and resources away from the third parties that pose the most significant risks.” Each company faces its own unique set of corruption risks, and so the SEC and DOJ will consider the extent to which a company has analyzed company-specific risks in crafting its compliance program.
Often, payments that are targeted under the FCPA are facilitated by third parties, such as agents, consultants or distributors. This can make corrupt payments more difficult to track. Because of this, it is important to exercise extra care when third parties are involved in significant transactions. The Guidance stresses that companies must understand the qualifications and associations of third-party partners and should weigh the business necessity for involving the third party in the subject transactions. In addition, companies should frequently monitor their third-party relationships to ensure third-party compliance.
Editor: What are the implications of the fact that the Guidance is not binding?
Keneally: I wouldn’t read too much into that. Remember that from the DOJ’s standpoint corporate compliance is nothing new. It’s an important component of the Sentencing Guidelines for corporations, and it is a major factor when the DOJ is considering prosecuting a corporation. Let’s put it another way. If I were representing in an FCPA investigation a company that had a lackluster compliance program, I certainly wouldn’t want to tell DOJ, “but the Guidance isn’t binding.”
Editor: How might the Guidance change existing compliance programs?
Keneally: I think any company would be wise to heed the advice in the guidance stressing that “[a] good compliance program should constantly evolve.” As businesses change over time, so do the environments in which they operate, the customers with whom they work, and the laws that are applicable to their operations. Additionally, internal investigations will sometimes expose program weaknesses that require fixes and enhancements. “Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and do not allow them to become stale.” As they stated – compliance programs are not one-size-fits-all, nor should they remain static as a business grows. The DOJ and SEC will be far more likely to credit a company’s compliance program when they see that effort has been invested in periodic testing and updates.