Consequences for FCPA Compliance

Overview of the FCPA and Other Relevant U.S. Transnational Anti-bribery Laws

The FCPA is a federal statute criminalizing the bribery of foreign public officials and certain others (including officers or employees of state-owned enterprises and of certain public international organizations, as well as foreign political parties and candidates for office) for a business benefit. See 15 U.S.C. '' 78dd-1(a), 78dd-2(a), 78dd-3(a). It also is the source of the generally applicable securities law obligations that publicly traded companies maintain complete and accurate books and records, and systems of internal controls. Although U.S. parent companies are not automatically liable for the acts of their foreign subsidiaries under the FCPA's anti-bribery provisions, the securities laws give them effective strict liability for the record keeping and control practices of their majority-owned or controlled foreign subsidiaries. See SEC v. Syncor Int'l Corp., (D.D.C. 2002), Lit. Rel. No. 17877 (Dec. 10, 2002); In the matter of Chiquita Brands Int'l, Inc., Admin. Proc. Rel. No. 34-44902 (Oct. 3, 2001); In the Matter of International Business Machines Corp., Admin. Proc. Rel. No. 34-43761 (Dec. 21, 2000); SEC v. Triton Energy Corp. (D.D.C. 1997), Lit. Rel. No. 15266 (Feb. 27, 1997), FCPA Rep. 699.471; see also In the Matter of BellSouth Corporation, Admin. Proc. Rel. No. 34-45279 (Jan. 15, 2002). (For minority-owned subsidiaries, only a good faith effort on the parent's part to secure compliance by the foreign subsidiary is required; however, where the parent controls the foreign subsidiary, compliance will be expected.) Moreover, parent companies risk anti-bribery liability if they authorize an improper payment by a foreign subsidiary or fund the activities of that subsidiary with “knowledge” that an improper payment may be made. Under the FCPA, the concept of “knowledge” extends beyond actual awareness of a payment and into circumstances indicating a parent's willful ignorance, for example, through disregard of “red flags,” of an improper payment or transaction. See 15 U.S.C. '' 78dd-1(a)(3), 78dd-1(f)(2), 78dd-2(a)(3), 78dd-2(h)(3), 78dd-3(a)(3), 78dd-3(f)(3).

U.S. tax laws also preclude the deductibility of payments that violate the FCPA. See 26 U.S.C. ' 162(c). Additional provisions of the tax code prevent U.S. parent companies from receiving any tax benefits in respect of the improper payments of their foreign subsidiaries. See 26 U.S.C. '' 952, 964.

The FCPA and Corporate Compliance Programs

The effect of these FCPA and tax provisions has been to create strong incentives for U.S. parent companies, especially publicly traded firms, to adopt corporate-wide anti-bribery policies and compliance procedures as well as accounting and internal control standards that flow down not only to their domestic U.S. subsidiaries, but also to their foreign subsidiaries. These incentives have been reinforced by recent developments in federal criminal law penalty standards, most notably the Sentencing of Organizations under the Federal Sentencing Guidelines (hereinafter referred to as the Federal Sentencing Guidelines or Guidelines). See Federal Sentencing Guidelines Manual, ch. 8. The Guidelines provide for a reduced culpability score (the basis for the calculation of penalties in the event of a criminal violation of law) for corporations that maintain “an effective program to prevent and detect violations of law.” Federal Sentencing Guidelines ' 8C2.5(f). In addition, the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC), the two agencies with enforcement authority over the FCPA, both expect that responsible companies will, among other steps, have in place an FCPA compliance program.

See, eg, Memorandum From Larry D. Thompson, Deputy Attorney General, to Heads of Department Components, United States Attorneys, Re: Principles of Federal Prosecution of Business Organizations (January 20, 2003); Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 and Commission Statement on the Relationship of Cooperation to Agency Enforcement Decisions, Rel. No. 34-44969 (Oct. 23, 2001).

Although enforcement officials have not defined the precise elements of an FCPA program, settled prosecutions such as the Metcalf & Eddy case in 1999 provide companies and their counsel with a road map with respect to the elements they will typically expect to find. See U.S. v. Metcalf & Eddy (D. Ma. 1999), FCPA Rep. 699.749. These elements include not only an anti-bribery policy, but also more detailed guidelines and procedures that are specific to the FCPA. For almost every company, it will be critical to have policies and procedures regarding the engagement of third parties, such as agents, consultants, joint venture partners, representatives, and even subcontractors, to ensure that those relationships do not become vehicles for the making of improper payments. These policies and procedures need to be controlled by corporate personnel independent of, or at least removed financially from, the immediate business opportunity. It will also be critical to have rules regarding the making of payments to ensure that bank accounts in Switzerland and other offshore jurisdictions are not used to funnel payments to officials. Additional risk areas treated in policies and procedures often include gifts and entertainment, travel and travel-related expenses, events sponsorship, political contributions, and facilitating payments.

Under the Federal Sentencing Guidelines, however, it is not enough to have policies and procedures. It is critical that relevant personnel within the organization be trained in these policies and procedures, and that they be policed and enforced, for example, through internal or external audits, internal or external FCPA legal audits, or the like.

The FCPA and Disclosure Responsibilities

For multinational companies with extensive and far-flung foreign operations, the compliance program requirements of the Sentencing Guidelines were daunting even before the Act came into effect. Because, however, the FCPA contains no requirement that companies disclose violations of which they became aware, many companies pre-Sarbanes Oxley opted to remediate any FCPA issues they encountered in their foreign operations without disclosure to enforcement officials, at least where those issues did not represent material violations of the federal securities laws or did not require disclosure under some other applicable law. Although the SEC and Department of Justice have long encouraged voluntary disclosures, their policies in this area, in contrast to other areas of federal law, do not define the credit that a disclosing company will receive for such disclosure in terms of either reduced penalties or the risk of criminal indictment. Balanced against the fears that a voluntary disclosure of a problem in one foreign country could lead to a fishing expedition on the part of the government to unearth problems in other foreign operations, this lack of defined benefit acted as a powerful deterrent to disclosure in many cases.

Implications for FCPA Compliance Practices

In the short time since it has been in effect, Sarbanes-Oxley has already had a significant impact on FCPA compliance practices with respect to the investigation of potential FCPA violations and disclosure issues. As its implementation progresses, Sarbanes-Oxley can also be expected to have an impact on other aspects of FCPA compliance as well.

Implications for Investigations and Disclosure

The Act has tipped the balance of internal corporate power away from management and toward the Board of Directors and Audit Committee. It has also resulted in internal corporate structural changes that have in many cases increased the authority of internal compliance and audit functions. Although these functions may have previously reported directly to the Audit Committee or Board on a dotted line basis, that trend appears to have accelerated.

Internal Investigations

When a possible FCPA violation is identified, it is more likely that the Board or Audit Committee will either assume responsibility for the investigation or will supervise management's investigation more directly and in detail than has been the case for the past 20 years. In this respect, the past is prologue, because in the early days of the FCPA, and during the SEC's voluntary disclosure program that preceded it, corporate boards of directors and audit committees often took a lead role. Over time, however, the balance of power shifted to management. Sometimes management was in a position to approach an internal investigation with independence and other times much less so. Sometimes management brought in independent outside counsel, and other times not.

In the wake of the Act, management's discretion to carry out internal investigations without significant board oversight will likely be curtailed in many respects. Boards and audit committees should be realistic, however, as to their ability to carry out FCPA internal investigations without the aid of management or other company personnel. FCPA internal investigations are complex, fact-intensive investigations that typically involve a detailed review of one or more foreign operations, review of the degree of management oversight or parent involvement in the conduct in question, and review of the parent's compliance program, often over a period of years. The more independent external counsel is, the less they will understand the structure and workings of the corporation and the more internal assistance they will need, particularly if there are time constraints. Thus, internal FCPA investigations will continue to be a team effort, although the team members and leadership roles may have shifted.

Moreover, Sarbanes-Oxley raises the stakes for the conduct of a proper internal investigation. In addition to the independence issue just discussed, the Act's increased criminal penalties for obstruction of justice, including document destruction, and treatment of whistleblowers, make it more critical than ever that the investigation be thorough and unrestricted. See Pub. L. No. 107-204, ' 1102, 116 Stat. 807; ' 1107, 116 Stat. 810 (2002). This does not necessarily mean uncovering every rock in all of the issuer's foreign operations. Judgment calls need to be made regarding the appropriate scope of the investigation, and this scope may need to be adjusted over time. Issues of foreign law increasingly need to be taken into account, requiring lead investigators with experience in international issues and not just U.S. law enforcement.

Disclosure Issues

Sarbanes-Oxley has also dramatically altered the disclosure calculation with respect to FCPA issues. Although Sarbanes-Oxley makes no change to the FCPA itself, the certification requirements for CEOs and CFOs under Section 302 include a certification regarding the disclosure up to the auditors and the Board of Directors of any fraud, whether or not material, involving persons with a significant role in corporate internal controls. FCPA violations are categorized in the Sentencing Guidelines and by enforcement officials as a species of fraud, thereby triggering this position. The periodic reports filed by issuers to which these certifications certify must also identify any significant changes in internal controls or other factors that could significantly affect internal controls, including corrective actions with respect to significant deficiencies and material weaknesses.

Although some believe that the latter provisions may have the unintended effect of disincentivizing necessary corrective and remedial actions, these certification requirements expand the circle of those with more detailed knowledge regarding potential FCPA violations and their remediation to the Board and auditors, and make the latter much more potent decision-makers with respect to the disclosure decision.

The result, even in the course of the last year, has been a significant increase in decisions to make voluntary disclosures of FCPA violations. In a number of these cases, the same decision pre-Sarbanes-Oxley may well have been not to disclose.

This new dynamic is very significant for the FCPA, given the complexity of the offense, the difficulty for enforcement officials of assembling the necessary proof (which is almost always located in more than one country), and the traditional difficulties – now fading somewhat as international standards have created parallel offenses and new mechanisms for cross-border cooperation in investigations – of securing cooperation from other authorities.

The significance goes beyond public companies to all those who deal with them, whether as suppliers, customers, agents, representatives, partners, or competitors. Foreign bribery, a creature of the shadows, will increasingly be thrust into the sunshine.

Next month's article will discuss other FCPA Compliance Implications

Part One of a Two-Part Article

We all know by now that the Sarbanes-Oxley legislation was designed to strengthen corporate governance of publicly traded companies in the wake of Enron and other corporate accounting and fraud scandals of recent years. Its focus was principally on domestic corporate conduct. However, in just the short time since its enactment in 2002, the Act has begun to have a profound impact on other areas of corporate compliance and risk management as well. One of these is the U.S. Foreign Corrupt Practices Act (FCPA). See Pub. L. No. 95-213, 91 Stat. 1494 (1977); as amended by Pub. L. No. 100-418, 102 Stat. 1107 (1988), Pub. L. No. 105-366, 112 Stat. 3302 (1998); codified at 15 U.S.C. ” 78m, 78dd-1 et seq.

The FCPA: Requirements and Compliance Implications

Overview of the FCPA and Other Relevant U.S. Transnational Anti-bribery Laws

The FCPA is a federal statute criminalizing the bribery of foreign public officials and certain others (including officers or employees of state-owned enterprises and of certain public international organizations, as well as foreign political parties and candidates for office) for a business benefit. See 15 U.S.C. '' 78dd-1(a), 78dd-2(a), 78dd-3(a). It also is the source of the generally applicable securities law obligations that publicly traded companies maintain complete and accurate books and records, and systems of internal controls. Although U.S. parent companies are not automatically liable for the acts of their foreign subsidiaries under the FCPA's anti-bribery provisions, the securities laws give them effective strict liability for the record keeping and control practices of their majority-owned or controlled foreign subsidiaries. See SEC v. Syncor Int'l Corp., (D.D.C. 2002), Lit. Rel. No. 17877 (Dec. 10, 2002); In the matter of Chiquita Brands Int'l, Inc., Admin. Proc. Rel. No. 34-44902 (Oct. 3, 2001); In the Matter of International Business Machines Corp., Admin. Proc. Rel. No. 34-43761 (Dec. 21, 2000); SEC v. Triton Energy Corp. (D.D.C. 1997), Lit. Rel. No. 15266 (Feb. 27, 1997), FCPA Rep. 699.471; see also In the Matter of BellSouth Corporation, Admin. Proc. Rel. No. 34-45279 (Jan. 15, 2002). (For minority-owned subsidiaries, only a good faith effort on the parent's part to secure compliance by the foreign subsidiary is required; however, where the parent controls the foreign subsidiary, compliance will be expected.) Moreover, parent companies risk anti-bribery liability if they authorize an improper payment by a foreign subsidiary or fund the activities of that subsidiary with “knowledge” that an improper payment may be made. Under the FCPA, the concept of “knowledge” extends beyond actual awareness of a payment and into circumstances indicating a parent's willful ignorance, for example, through disregard of “red flags,” of an improper payment or transaction. See 15 U.S.C. '' 78dd-1(a)(3), 78dd-1(f)(2), 78dd-2(a)(3), 78dd-2(h)(3), 78dd-3(a)(3), 78dd-3(f)(3).

U.S. tax laws also preclude the deductibility of payments that violate the FCPA. See 26 U.S.C. ' 162(c). Additional provisions of the tax code prevent U.S. parent companies from receiving any tax benefits in respect of the improper payments of their foreign subsidiaries. See 26 U.S.C. '' 952, 964.

The FCPA and Corporate Compliance Programs

The effect of these FCPA and tax provisions has been to create strong incentives for U.S. parent companies, especially publicly traded firms, to adopt corporate-wide anti-bribery policies and compliance procedures as well as accounting and internal control standards that flow down not only to their domestic U.S. subsidiaries, but also to their foreign subsidiaries. These incentives have been reinforced by recent developments in federal criminal law penalty standards, most notably the Sentencing of Organizations under the Federal Sentencing Guidelines (hereinafter referred to as the Federal Sentencing Guidelines or Guidelines). See Federal Sentencing Guidelines Manual, ch. 8. The Guidelines provide for a reduced culpability score (the basis for the calculation of penalties in the event of a criminal violation of law) for corporations that maintain “an effective program to prevent and detect violations of law.” Federal Sentencing Guidelines ' 8C2.5(f). In addition, the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC), the two agencies with enforcement authority over the FCPA, both expect that responsible companies will, among other steps, have in place an FCPA compliance program.

See, eg, Memorandum From Larry D. Thompson, Deputy Attorney General, to Heads of Department Components, United States Attorneys, Re: Principles of Federal Prosecution of Business Organizations (January 20, 2003); Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 and Commission Statement on the Relationship of Cooperation to Agency Enforcement Decisions, Rel. No. 34-44969 (Oct. 23, 2001).

Although enforcement officials have not defined the precise elements of an FCPA program, settled prosecutions such as the Metcalf & Eddy case in 1999 provide companies and their counsel with a road map with respect to the elements they will typically expect to find. See U.S. v. Metcalf & Eddy (D. Ma. 1999), FCPA Rep. 699.749. These elements include not only an anti-bribery policy, but also more detailed guidelines and procedures that are specific to the FCPA. For almost every company, it will be critical to have policies and procedures regarding the engagement of third parties, such as agents, consultants, joint venture partners, representatives, and even subcontractors, to ensure that those relationships do not become vehicles for the making of improper payments. These policies and procedures need to be controlled by corporate personnel independent of, or at least removed financially from, the immediate business opportunity. It will also be critical to have rules regarding the making of payments to ensure that bank accounts in Switzerland and other offshore jurisdictions are not used to funnel payments to officials. Additional risk areas treated in policies and procedures often include gifts and entertainment, travel and travel-related expenses, events sponsorship, political contributions, and facilitating payments.

Under the Federal Sentencing Guidelines, however, it is not enough to have policies and procedures. It is critical that relevant personnel within the organization be trained in these policies and procedures, and that they be policed and enforced, for example, through internal or external audits, internal or external FCPA legal audits, or the like.

The FCPA and Disclosure Responsibilities

For multinational companies with extensive and far-flung foreign operations, the compliance program requirements of the Sentencing Guidelines were daunting even before the Act came into effect. Because, however, the FCPA contains no requirement that companies disclose violations of which they became aware, many companies pre-Sarbanes Oxley opted to remediate any FCPA issues they encountered in their foreign operations without disclosure to enforcement officials, at least where those issues did not represent material violations of the federal securities laws or did not require disclosure under some other applicable law. Although the SEC and Department of Justice have long encouraged voluntary disclosures, their policies in this area, in contrast to other areas of federal law, do not define the credit that a disclosing company will receive for such disclosure in terms of either reduced penalties or the risk of criminal indictment. Balanced against the fears that a voluntary disclosure of a problem in one foreign country could lead to a fishing expedition on the part of the government to unearth problems in other foreign operations, this lack of defined benefit acted as a powerful deterrent to disclosure in many cases.

Implications for FCPA Compliance Practices

In the short time since it has been in effect, Sarbanes-Oxley has already had a significant impact on FCPA compliance practices with respect to the investigation of potential FCPA violations and disclosure issues. As its implementation progresses, Sarbanes-Oxley can also be expected to have an impact on other aspects of FCPA compliance as well.

Implications for Investigations and Disclosure

The Act has tipped the balance of internal corporate power away from management and toward the Board of Directors and Audit Committee. It has also resulted in internal corporate structural changes that have in many cases increased the authority of internal compliance and audit functions. Although these functions may have previously reported directly to the Audit Committee or Board on a dotted line basis, that trend appears to have accelerated.

Internal Investigations

When a possible FCPA violation is identified, it is more likely that the Board or Audit Committee will either assume responsibility for the investigation or will supervise management's investigation more directly and in detail than has been the case for the past 20 years. In this respect, the past is prologue, because in the early days of the FCPA, and during the SEC's voluntary disclosure program that preceded it, corporate boards of directors and audit committees often took a lead role. Over time, however, the balance of power shifted to management. Sometimes management was in a position to approach an internal investigation with independence and other times much less so. Sometimes management brought in independent outside counsel, and other times not.

In the wake of the Act, management's discretion to carry out internal investigations without significant board oversight will likely be curtailed in many respects. Boards and audit committees should be realistic, however, as to their ability to carry out FCPA internal investigations without the aid of management or other company personnel. FCPA internal investigations are complex, fact-intensive investigations that typically involve a detailed review of one or more foreign operations, review of the degree of management oversight or parent involvement in the conduct in question, and review of the parent's compliance program, often over a period of years. The more independent external counsel is, the less they will understand the structure and workings of the corporation and the more internal assistance they will need, particularly if there are time constraints. Thus, internal FCPA investigations will continue to be a team effort, although the team members and leadership roles may have shifted.

Moreover, Sarbanes-Oxley raises the stakes for the conduct of a proper internal investigation. In addition to the independence issue just discussed, the Act's increased criminal penalties for obstruction of justice, including document destruction, and treatment of whistleblowers, make it more critical than ever that the investigation be thorough and unrestricted. See Pub. L. No. 107-204, ' 1102, 116 Stat. 807; ' 1107, 116 Stat. 810 (2002). This does not necessarily mean uncovering every rock in all of the issuer's foreign operations. Judgment calls need to be made regarding the appropriate scope of the investigation, and this scope may need to be adjusted over time. Issues of foreign law increasingly need to be taken into account, requiring lead investigators with experience in international issues and not just U.S. law enforcement.

Disclosure Issues

Sarbanes-Oxley has also dramatically altered the disclosure calculation with respect to FCPA issues. Although Sarbanes-Oxley makes no change to the FCPA itself, the certification requirements for CEOs and CFOs under Section 302 include a certification regarding the disclosure up to the auditors and the Board of Directors of any fraud, whether or not material, involving persons with a significant role in corporate internal controls. FCPA violations are categorized in the Sentencing Guidelines and by enforcement officials as a species of fraud, thereby triggering this position. The periodic reports filed by issuers to which these certifications certify must also identify any significant changes in internal controls or other factors that could significantly affect internal controls, including corrective actions with respect to significant deficiencies and material weaknesses.

Although some believe that the latter provisions may have the unintended effect of disincentivizing necessary corrective and remedial actions, these certification requirements expand the circle of those with more detailed knowledge regarding potential FCPA violations and their remediation to the Board and auditors, and make the latter much more potent decision-makers with respect to the disclosure decision.

The result, even in the course of the last year, has been a significant increase in decisions to make voluntary disclosures of FCPA violations. In a number of these cases, the same decision pre-Sarbanes-Oxley may well have been not to disclose.

This new dynamic is very significant for the FCPA, given the complexity of the offense, the difficulty for enforcement officials of assembling the necessary proof (which is almost always located in more than one country), and the traditional difficulties – now fading somewhat as international standards have created parallel offenses and new mechanisms for cross-border cooperation in investigations – of securing cooperation from other authorities.

The significance goes beyond public companies to all those who deal with them, whether as suppliers, customers, agents, representatives, partners, or competitors. Foreign bribery, a creature of the shadows, will increasingly be thrust into the sunshine.

Next month's article will discuss other FCPA Compliance Implications