Enforcement of the Foreign Corrupt Practices Act ("FCPA") has reached historically high numbers in the United States. That law prohibits United States persons and corporations from making corrupt payments to foreign government and political party officials. Other countries also are rapidly increasing the investigation and prosecution of corrupt payments. China, for example, has announced a national campaign against commercial bribery, and Germany is investigating allegations that the country's largest companies made corrupt payments to government officials. In this environment, companies doing business around the world have a strong interest in establishing business practices that will detect and prevent corrupt payments, thereby avoiding potentially devastating enforcement actions.
An effective compliance program will educate relevant employees; require due diligence in pertinent business functions; promote accurate financial recordkeeping; foster the reporting of violations; and monitor high-risk activity. Such a program represents tangible evidence that a corporation seeks to prevent unlawful corrupt payments. Such good business ethics can help a corporation avoid prosecution or reduce the penalty imposed. The Department of Justice and the Securities and Exchange Commission have identified the existence of a corporate compliance program as a factor to be considered when deciding whether to bring charges. Federal sentencing guidelines provide for lower fines when a company has an effective compliance program in place.
Baseline Risk Assessment
The first step in creating a compliance program is to assess the risk of noncompliance. For a large multinational corporation, the risk assessment process may involve a wide-ranging internal review in which counsel collects documents, analyzes data, and interviews employees in order to obtain the relevant facts. For a company with limited overseas operations, the process can be scaled back accordingly. The goal of the assessment should be to identify:
Aspects of the business that operate overseas or deal with foreign officials.
Employees and agents who interact with foreign officials, such as sales representatives and government relations personnel.
Foreign consultants and business partners, including outside counsel.
Circumstances that may put the organization at risk, with an emphasis on business dealings with foreign officials and instances in which government approval must be obtained.
The nature of the organization's foreign operations and the extent to which they are subject to government control or do business with the government or state-controlled entities.
Existing compliance functions used to ensure that corrupt payments are not made and that accounting records accurately reflect all transactions.
Instances of past or ongoing corrupt payments.
Examples of codes of ethics, compliance policies, and best practices used by other businesses in the industry.
Once this information has been gathered and analyzed, management and counsel can determine what type of compliance program is appropriate for the organization. An organization with extensive dealings involving foreign officials will need a more robust program than an organization with comparatively few overseas operations, and vice versa. In determining the scope of the program, management should keep in mind the two purposes of the program: (1) preventing and detecting violations of the law and (2) demonstrating a commitment to lawful and ethical business practices.
Assignment Of Managerial And Governance Responsibility
An organization must place responsibility for the design, implementation and oversight of its compliance program in the hands of senior management and, as appropriate, its board or other governing body. Many organizations accomplish this goal by naming a compliance officer with a direct reporting relationship to the board's audit committee. Some organizations place the compliance function in the legal department, while others (particularly those in heavily regulated industries) create a separate corporate compliance department. The ideal structure depends on the organization's individual characteristics.
Written Components Of An FCPA Compliance Program
The elements of a corporation's FCPA compliance program will depend on many factors, including the locations where the company does business, the nature of its industry, and the peculiarities of its corporate and management structure. In addition to the FCPA, the local laws of the countries in which the company does business must be considered in drafting the program. For example, a U.S. company with significant operations in the United Kingdom would be well advised to consider the implications of that country's Anti-terrorism, Crime and Security Act 2001. Similarly, a company with operations in China should take into account that country's laws governing commercial bribery, which proscribe conduct that may not be prohibited by the FCPA. And a company doing business in France may need to account for laws that discourage anonymous reporting of corporate misconduct.
An FCPA compliance program typically will include the following written components:
Corporate Policy Prohibiting Foreign Corrupt Payments. The company's policy statement is the public assertion of its commitment to do business abroad without making corrupt payments. This policy might be incorporated into a pre-existing code of conduct or ethical statement. The policy should describe the applicable law and set forth the manner in which the company intends to comply with it. The policy also should state how the company will control and structure its relationships with foreign representatives, consultants, and business partners. The policy should be drafted in clear and unambiguous language that can be understood by all readers.
Internal Communications And Educational Material. Additional information and detail will need to be communicated to employees and agents to permit them to comply with the policy against corrupt payments. Accordingly, implementation of the compliance program will require educational material regarding the FCPA and other applicable laws.
This material often will be presented in a lecture format. Company meetings present a good opportunity for such training, as it can be followed by discussion and questions. Regardless of the format, a well-crafted, documented training program ensures that important topics are covered while also creating a record of the company's training efforts. The material can include a discussion of the importance of compliance to the company's culture, recent enforcement actions against noncompliant companies, and practical advice on avoiding exposure. Some businesses have used videos and online education to communicate these messages.
Practical Procedures And Guidance. Compliance requires a company's employees to know how to handle real-world situations. To accomplish that goal, a company can promulgate practical guides setting forth the conduct that it expects in specific circumstances.
Regular Compliance Review. Monitoring the effectiveness of a company's efforts is a critical component of any compliance program. The program should, therefore, detail the steps to be taken in conducting a regular FCPA compliance review. The steps that the compliance officer or other designated individual would be directed to take could include: (a) reviewing FCPA policies and procedures; (b) maintaining a list of individuals in sensitive positions to whom the FCPA is likely to be of particular relevance; (c) interviewing and obtaining written certification from individuals in sensitive positions; (d) ensuring that individuals in sensitive positions do not have a history of violating or disregarding the law or company policy; (e) reviewing the company's compliance with procedures that govern relevant business transactions; and (f) assessing the sufficiency of employee training.
Written Certification By Relevant Employees And Foreign Representatives. Employees who are likely to face FCPA-related issues can be required to certify in writing that they have been advised of the company's policies regarding foreign corrupt payments and that they will abide by those policies. Foreign agents, representatives, consultants, and other business partners may be asked to provide a similar written certification. These certifications may be required annually or only at the initiation of a relationship. In circumstances where the risk of corrupt practices is extremely high, corporate policy might also require a personal interview by counsel before a relationship is initiated. Documentation of the interview should be maintained along with the completed certification.
Due Diligence Checklists. The company's procedures should require employees to undertake a due diligence process before entering a relationship with either a foreign representative or a foreign business partner. In order to formalize the process and to ensure that all relevant information is considered, the company can promulgate a checklist to be completed as part of the due diligence. Because the relevant information to be obtained from a representative differs from the due diligence to be undertaken when entering a joint venture or other business transaction, two checklists may be appropriate. Of course, corporate policy should make clear that large corporate transactions - for example, the acquisition of a company with foreign operations - will require a separate due diligence process that exceeds a simple checklist.
Sample FCPA Contract Provisions. When the company enters a relationship with a foreign representative or business partner, contractual provisions may be appropriate to acknowledge the applicability of the FCPA and ensure that all parties will abide by the law. A company can provide sample contracts or contractual language through its compliance program, provided employees are given appropriate direction regarding when to involve company lawyers in negotiating agreements.
Reporting Mechanism For Violations. As a practical matter and, often, as a matter of law, employees must be given adequate opportunity to report violations and to do so anonymously if they wish. For companies subject to the Sarbanes-Oxley Act of 2002, this anonymous reporting requirement also must be extended to third parties. Accordingly, corporations often establish an anonymous telephone hotline or use an internet-based mechanism for anonymous communications. Such anonymous reporting could, however, create legal troubles in jurisdictions outside the United States. In France, for example, the law strongly discourages anonymous whistleblowing, relying instead on assurances of confidentiality. This particular conflict was resolved in part in November 2005 when the French Data Protection Agency issued guidelines applicable to corporations legally required to facilitate anonymous reporting under U.S. law.
Helpline. Employees who are expected to implement the company's FCPA compliance program will need guidance from individuals knowledgeable in the law and the organization's policies. A compliance program should have a mechanism in place to put employees in contact with the legal department or others capable of providing well-considered and accurate advice on a timely basis.
Documenting The Company's FCPA Compliance Efforts
All compliance efforts should be documented carefully in order to permit the company to prove later that it implemented a rigorous program in practice, rather than just on paper. To that end, the corporation should maintain comprehensive records of educational materials, attendance at training sessions, certifications of compliance, due diligence efforts, hotline calls, and regular compliance reviews. Internal investigations also should be documented and preserved.
Disciplinary Standards And Procedures
When implementing an FCPA compliance program, management should identify clearly the consequences to employees and agents - including the most senior officers in the organization - if they violate the law or company policy. Just as important, the organization must ensure that these disciplinary standards are actually applied, so that enforcement authorities cannot later contend that violations were tolerated or encouraged.
This article provides a broad outline of what an FCPA compliance program should include. Some organizations may require specialized policies and procedures beyond the scope of this general discussion. Regardless, all business organizations with overseas operations should implement and follow a written compliance program that explicitly delineates the procedures that it will undertake to ensure compliance with the FCPA and other laws prohibiting foreign corrupt practices.
R. Christopher Cook is a Partner in the Washington office of Jones Day, where he concentrates his practice on white collar criminal defense and civil litigation. He served as an Assistant United States Attorney in Chicago from 1992 to 1997.