Avoiding FCPA Liability with a Robust Compliance Program

With crystal clarity, the U.S. Government has signaled its intentions regarding enforcement of the Foreign Corrupt Practices Act (FCPA): far greater resources devoted to FCPA investigations, and far harsher penalties for FCPA violations.

Last year, the Department of Justice (DOJ) brought a record 26 enforcement actions under the FCPA. The Securities and Exchange Commission (SEC) had its second busiest year for FCPA enforcement, with 14 actions, and has created a specialized unit devoted solely to FCPA investigations. Corporate fines have reached record levels ' $1.6 billion in global penalties in the case of Siemens A.G., and $579 million in penalties against Halliburton/KBR.

In a marked departure from the past, many of the recent prosecutions have been aimed at corporate executives as well as their companies, sending a pointed message that the corporate veil provides no protection. “Prosecution of individuals is a cornerstone of our enforcement strategy,” Lanny Breuer, Assistant Attorney General of DOJ's Criminal Division, proclaimed recently. “Put simply, the prospect of significant prison sentences for individuals should make clear to every corporate executive, every board member, and every sales agent that we will seek to hold you personally accountable for FCPA violations.”

That strategy was made dramatically apparent in January, when 22 executives and employees of companies in the military and law enforcement products industry were indicted for engaging in a scheme to pay bribes to a minister of defense for an African country. For the first time, the DOJ made large-scale use of undercover law enforcement techniques, involving approximately 150 FBI agents, to detect FCPA violations. It was also the largest action ever undertaken by the DOJ against individuals for FCPA violations in the Act's history.

What This Means to You

Corporate legal counsel as well are clearly on the DOJ's and SEC's radars. In the Halliburton case, that company's legal department was specifically faulted for failing to perform adequate due diligence on Halliburton's agents, and failing to thoroughly review the agency agreements.

In this environment of heightened FCPA scrutiny and bulked-up enforcement muscle, companies doing business overseas can hardly afford to be complacent. Yet some companies doing business overseas persist in brushing off any concern about coming under the heavy hand of an FCPA investigation and prosecution. “We don't bribe foreign officials!” they may protest. That dismissive attitude is quite dangerous, and betrays a basic misunderstanding of the scope and complexity of the FCPA. Corporate legal counsel owe it to their clients to shake them out of this complacency.

FCPA Myth vs. Fact

Consider a few of the many “myths” surrounding the FCPA:

Myth: The FCPA only applies to monetary bribes paid to foreign officials.

Fact: The FCPA applies to “anything of value” given, authorized or offered to a foreign official. This may include such items as gifts, political contributions, charitable donations, inflated contract prices and travel and entertainment expenses.

Myth: Only payments to individuals working for a foreign government are prohibited.

Fact: The term “foreign official” in the FCPA is broadly interpreted to include employees of state-owned enterprises, public international organizations, anyone acting in an official capacity, and even close relatives of high government officials. For instance, doctors working at a state-owned hospital in China have been deemed to be “foreign officials” for FCPA purposes.

Myth: A U.S. company can't be held responsible under the FCPA for the unauthorized actions of its overseas agents.

Fact: U.S. companies are expected to perform thorough due diligence on its overseas agents and consultants, and may well be held liable for FCPA violations if those agents engage in behavior prohibited by the FCPA. Doing business abroad via third-party agents, distributors and consultants provides no insulation from FCPA liability risks.

Myth: The penalty for FCPA violations is a simple corporate fine.

Fact: Increasingly, executives of companies found liable under the FCPA are being personally fined and even sentenced to prison. Moreover, the price paid by the corporation is not limited to the actual monetary penalties, but includes the time and expense of FCPA investigations, adverse publicity and loss of U.S. government business. And it's not unusual for FCPA charges to lead to related charges on money laundering, fraud and racketeering grounds.

Myth: Gift-giving that is customary in a particular country is not an FCPA concern.

Fact: Even customary gifts may come under FCPA scrutiny if the circumstances or lavishness of the gift suggest that it may have been given with the intent to secure an “improper advantage.”

An FCPA Compliance Program Is Key

So how does a corporate legal department ensure that its company's employees can separate FCPA myths from facts, and keep the business from being exposed to FCPA liability?

The key is a comprehensive FCPA compliance program. Such a program helps accomplish two essential objectives: 1) avoiding FCPA violations in the first place; and 2) serving as a mitigating factor if violations do occur. The DOJ has made clear that it will weigh the robustness of a company's FCPA compliance efforts in deciding whether to prosecute, and if prosecution is pursued, what penalties will be sought. Moreover, under the U.S. Sentencing Guidelines, a company's compliance and ethics program will be taken into account in determining legal repercussions.

Don't repeat the mistake made by some companies that simply issue an all-purpose company policy explaining what the FCPA is and admonishing employees to abide by it. An effective FCPA compliance program will have three elements:

1. Setting the Tone at the Top

The company must set an appropriate “tone at the top.” This means that the board chairman, CEO, general counsel or some combination of top-level officials in the organization should issue a clear statement of commitment to honoring the philosophy and principles of the FCPA and declaring a policy of zero tolerance for corrupt activities. Such a statement might include language along the following lines:

“Each of us at XYZ is held accountable to the highest ethical and legal standards in the conduct of our business. XYZ's reputation for honesty and integrity is of paramount importance, and no amount of prospective business is worth compromising those values.“

2. The FCPA Compliance Manual

The company must issue a comprehensive yet clear and unambiguous FCPA compliance manual. This manual must not only explain the law, but describe in practical terms what company policies and practices are responsive to legal requirements. The manual must explicitly address the following topics:

• Actions that may violate the FCPA ' which, as noted earlier, are far broader in scope than simply monetary bribes paid to foreign government officials;
• Due diligence procedures for the hiring of agents and others who may deal with foreign government officials who may be regarded as a foreign government official;
• Policies on gift-giving, travel and entertainment involving foreign government officials ' including hosted visits;
• Warning signs or “red flags” that may indicate a risk of FCPA violations
• Policy on “facilitating payments,” which are payments to accomplish routine government actions (not prohibited by the FCPA, but a slippery slope for any company that allows them);
• What countries are regarded as particularly “high risk” for FCPA purposes, based on the annual Corruption Perceptions Index published by anti-corruption organization Transparency International (see www.transparency. org/policy_research/surveys_indices/cpi/2009;
• How to report possible FCPA violations or seek guidance for complying with company policies;
• Description of repercussions for employees who violate the company's FCPA policy, including impact on performance reviews and disciplinary action;
• Certifications required by employees and agents of compliance with FCPA obligations; and
• Contractual provisions to be included in any representative or agency agreement.

It is important that the FCPA compliance manual makes clear who is responsible for the compliance program's implementation and oversight. Some companies have found it beneficial to appoint a dedicated compliance officer with a direct reporting relationship to the board's audit committee. In other cases, compliance is part of the legal function ' perhaps as a committee comprised of counsel based in both headquarters and overseas offices. In any event, compliance responsibilities should be given sufficient prominence to leave no doubt of the company's commitment to abiding by the FCPA.

3. FCPA Training

The company must offer ' and require employees to complete ' an effective FCPA compliance training program. This is where many companies fall short of their obligations under the FCPA. A mere “paper program” is not enough.

The threshold question regarding a training program is which employees should receive such training. The best practice is to require every employee to receive at least some training, with the understanding that at least a basic knowledge of corporate obligations under the FCPA is helpful from the C-level suites down to the mailroom. That scope of training would help create a true “culture of compliance.” Alternatively, training could be focused on those employees actually engaged in overseas business, with special attention on company executives dealing with foreign government clients and potential clients, especially in high-risk countries.

Also consider tailoring the training for each functional area of the organization. A business unit that relies heavily on the use of overseas sales agents, for instance, would benefit from training that focused in particular on due diligence procedures for vetting such agents and what “red flags” to look for (e.g., agents that refuse to divulge their ownership structure or request unusual payment terms).

Finally, there is the question of training format. For the widest possible dissemination of the training, Webinars or other online training programs are ideal. A number of corporate compliance companies offer packaged FCPA training for this purpose, although you may want to tailor such training to reflect your company's specific businesses.

For employees who are heavily involved in overseas business, however, live training is particularly effective, as it provides an opportunity for questions and discussion around what activities are permissible under the FCPA. For overseas offices, live training allows for more detailed discussion of local customs and business practices and how they jibe with the FCPA. One particularly effective format for overseas office training is to pair up an FCPA-oriented presentation with a presentation ' preferably by local in-house or outside counsel ' focused on local anti-corruption laws.

Whether training is live or recorded, however, it is critical that the training be both practical and scenario based. A presentation devoted solely to black-letter FCPA law will put an audience to sleep. A presentation focused on real-life situations, in contrast, will hold everyone's attention ' especially if the discussion includes examples drawn from actual scenarios that the company faces.

In our own training, we like to pose scenarios that our audience is likely to encounter in their day-to-day business transactions, and then ask, “What would you do?” This approach to training not only engages the audience in a dialogue ' and sometimes a heated debate ' but helps drive home the FCPA principles.

A Word of Caution

One word of caution, however. Even if the three critical compliance program elements outlined above are put in place, a company can't simply rest easy. One of the lessons of recent FCPA prosecutions is that the DOJ will look to see whether red flags are actually investigated and internal controls to prevent overseas corruption are actually monitored and maintained.

If a company carries out a compliance and training program that does all that, it can take solace that it is meeting its obligations under the FCPA ' and greatly reducing the chances that federal prosecutors may come knocking on its door.

Michael Whitener and Robert Walton are principals in the Washington, DC, office of VistaLaw International LLC (www.vistalaw.com), a global legal services firm.

With crystal clarity, the U.S. Government has signaled its intentions regarding enforcement of the Foreign Corrupt Practices Act (FCPA): far greater resources devoted to FCPA investigations, and far harsher penalties for FCPA violations.

Last year, the Department of Justice (DOJ) brought a record 26 enforcement actions under the FCPA. The Securities and Exchange Commission (SEC) had its second busiest year for FCPA enforcement, with 14 actions, and has created a specialized unit devoted solely to FCPA investigations. Corporate fines have reached record levels ' $1.6 billion in global penalties in the case of Siemens A.G., and $579 million in penalties against Halliburton/KBR.

In a marked departure from the past, many of the recent prosecutions have been aimed at corporate executives as well as their companies, sending a pointed message that the corporate veil provides no protection. “Prosecution of individuals is a cornerstone of our enforcement strategy,” Lanny Breuer, Assistant Attorney General of DOJ's Criminal Division, proclaimed recently. “Put simply, the prospect of significant prison sentences for individuals should make clear to every corporate executive, every board member, and every sales agent that we will seek to hold you personally accountable for FCPA violations.”

That strategy was made dramatically apparent in January, when 22 executives and employees of companies in the military and law enforcement products industry were indicted for engaging in a scheme to pay bribes to a minister of defense for an African country. For the first time, the DOJ made large-scale use of undercover law enforcement techniques, involving approximately 150 FBI agents, to detect FCPA violations. It was also the largest action ever undertaken by the DOJ against individuals for FCPA violations in the Act's history.

What This Means to You

Corporate legal counsel as well are clearly on the DOJ's and SEC's radars. In the Halliburton case, that company's legal department was specifically faulted for failing to perform adequate due diligence on Halliburton's agents, and failing to thoroughly review the agency agreements.

In this environment of heightened FCPA scrutiny and bulked-up enforcement muscle, companies doing business overseas can hardly afford to be complacent. Yet some companies doing business overseas persist in brushing off any concern about coming under the heavy hand of an FCPA investigation and prosecution. “We don't bribe foreign officials!” they may protest. That dismissive attitude is quite dangerous, and betrays a basic misunderstanding of the scope and complexity of the FCPA. Corporate legal counsel owe it to their clients to shake them out of this complacency.

FCPA Myth vs. Fact

Consider a few of the many “myths” surrounding the FCPA:

Myth: The FCPA only applies to monetary bribes paid to foreign officials.

Fact: The FCPA applies to “anything of value” given, authorized or offered to a foreign official. This may include such items as gifts, political contributions, charitable donations, inflated contract prices and travel and entertainment expenses.

Myth: Only payments to individuals working for a foreign government are prohibited.

Fact: The term “foreign official” in the FCPA is broadly interpreted to include employees of state-owned enterprises, public international organizations, anyone acting in an official capacity, and even close relatives of high government officials. For instance, doctors working at a state-owned hospital in China have been deemed to be “foreign officials” for FCPA purposes.

Myth: A U.S. company can't be held responsible under the FCPA for the unauthorized actions of its overseas agents.

Fact: U.S. companies are expected to perform thorough due diligence on its overseas agents and consultants, and may well be held liable for FCPA violations if those agents engage in behavior prohibited by the FCPA. Doing business abroad via third-party agents, distributors and consultants provides no insulation from FCPA liability risks.

Myth: The penalty for FCPA violations is a simple corporate fine.

Fact: Increasingly, executives of companies found liable under the FCPA are being personally fined and even sentenced to prison. Moreover, the price paid by the corporation is not limited to the actual monetary penalties, but includes the time and expense of FCPA investigations, adverse publicity and loss of U.S. government business. And it's not unusual for FCPA charges to lead to related charges on money laundering, fraud and racketeering grounds.

Myth: Gift-giving that is customary in a particular country is not an FCPA concern.

Fact: Even customary gifts may come under FCPA scrutiny if the circumstances or lavishness of the gift suggest that it may have been given with the intent to secure an “improper advantage.”

An FCPA Compliance Program Is Key

So how does a corporate legal department ensure that its company's employees can separate FCPA myths from facts, and keep the business from being exposed to FCPA liability?

The key is a comprehensive FCPA compliance program. Such a program helps accomplish two essential objectives: 1) avoiding FCPA violations in the first place; and 2) serving as a mitigating factor if violations do occur. The DOJ has made clear that it will weigh the robustness of a company's FCPA compliance efforts in deciding whether to prosecute, and if prosecution is pursued, what penalties will be sought. Moreover, under the U.S. Sentencing Guidelines, a company's compliance and ethics program will be taken into account in determining legal repercussions.

Don't repeat the mistake made by some companies that simply issue an all-purpose company policy explaining what the FCPA is and admonishing employees to abide by it. An effective FCPA compliance program will have three elements:

1. Setting the Tone at the Top

The company must set an appropriate “tone at the top.” This means that the board chairman, CEO, general counsel or some combination of top-level officials in the organization should issue a clear statement of commitment to honoring the philosophy and principles of the FCPA and declaring a policy of zero tolerance for corrupt activities. Such a statement might include language along the following lines:

“Each of us at XYZ is held accountable to the highest ethical and legal standards in the conduct of our business. XYZ's reputation for honesty and integrity is of paramount importance, and no amount of prospective business is worth compromising those values.“

2. The FCPA Compliance Manual

The company must issue a comprehensive yet clear and unambiguous FCPA compliance manual. This manual must not only explain the law, but describe in practical terms what company policies and practices are responsive to legal requirements. The manual must explicitly address the following topics:

• Actions that may violate the FCPA ' which, as noted earlier, are far broader in scope than simply monetary bribes paid to foreign government officials;
• Due diligence procedures for the hiring of agents and others who may deal with foreign government officials who may be regarded as a foreign government official;
• Policies on gift-giving, travel and entertainment involving foreign government officials ' including hosted visits;
• Warning signs or “red flags” that may indicate a risk of FCPA violations
• Policy on “facilitating payments,” which are payments to accomplish routine government actions (not prohibited by the FCPA, but a slippery slope for any company that allows them);
• What countries are regarded as particularly “high risk” for FCPA purposes, based on the annual Corruption Perceptions Index published by anti-corruption organization Transparency International (see www.transparency. org/policy_research/surveys_indices/cpi/2009;
• How to report possible FCPA violations or seek guidance for complying with company policies;
• Description of repercussions for employees who violate the company's FCPA policy, including impact on performance reviews and disciplinary action;
• Certifications required by employees and agents of compliance with FCPA obligations; and
• Contractual provisions to be included in any representative or agency agreement.

It is important that the FCPA compliance manual makes clear who is responsible for the compliance program's implementation and oversight. Some companies have found it beneficial to appoint a dedicated compliance officer with a direct reporting relationship to the board's audit committee. In other cases, compliance is part of the legal function ' perhaps as a committee comprised of counsel based in both headquarters and overseas offices. In any event, compliance responsibilities should be given sufficient prominence to leave no doubt of the company's commitment to abiding by the FCPA.

3. FCPA Training

The company must offer ' and require employees to complete ' an effective FCPA compliance training program. This is where many companies fall short of their obligations under the FCPA. A mere “paper program” is not enough.

The threshold question regarding a training program is which employees should receive such training. The best practice is to require every employee to receive at least some training, with the understanding that at least a basic knowledge of corporate obligations under the FCPA is helpful from the C-level suites down to the mailroom. That scope of training would help create a true “culture of compliance.” Alternatively, training could be focused on those employees actually engaged in overseas business, with special attention on company executives dealing with foreign government clients and potential clients, especially in high-risk countries.

Also consider tailoring the training for each functional area of the organization. A business unit that relies heavily on the use of overseas sales agents, for instance, would benefit from training that focused in particular on due diligence procedures for vetting such agents and what “red flags” to look for (e.g., agents that refuse to divulge their ownership structure or request unusual payment terms).

Finally, there is the question of training format. For the widest possible dissemination of the training, Webinars or other online training programs are ideal. A number of corporate compliance companies offer packaged FCPA training for this purpose, although you may want to tailor such training to reflect your company's specific businesses.

For employees who are heavily involved in overseas business, however, live training is particularly effective, as it provides an opportunity for questions and discussion around what activities are permissible under the FCPA. For overseas offices, live training allows for more detailed discussion of local customs and business practices and how they jibe with the FCPA. One particularly effective format for overseas office training is to pair up an FCPA-oriented presentation with a presentation ' preferably by local in-house or outside counsel ' focused on local anti-corruption laws.

Whether training is live or recorded, however, it is critical that the training be both practical and scenario based. A presentation devoted solely to black-letter FCPA law will put an audience to sleep. A presentation focused on real-life situations, in contrast, will hold everyone's attention ' especially if the discussion includes examples drawn from actual scenarios that the company faces.

In our own training, we like to pose scenarios that our audience is likely to encounter in their day-to-day business transactions, and then ask, “What would you do?” This approach to training not only engages the audience in a dialogue ' and sometimes a heated debate ' but helps drive home the FCPA principles.

A Word of Caution

One word of caution, however. Even if the three critical compliance program elements outlined above are put in place, a company can't simply rest easy. One of the lessons of recent FCPA prosecutions is that the DOJ will look to see whether red flags are actually investigated and internal controls to prevent overseas corruption are actually monitored and maintained.

If a company carries out a compliance and training program that does all that, it can take solace that it is meeting its obligations under the FCPA ' and greatly reducing the chances that federal prosecutors may come knocking on its door.

Michael Whitener and Robert Walton are principals in the Washington, DC, office of VistaLaw International LLC (www.vistalaw.com), a global legal services firm.