Beyond Reproach Why compliance with anti-corruption laws is increasingly critical for multinational businesses

For much of the last 25 years, the U.S. Foreign Corrupt Practices Act has been on the books and in the background. More recently, its enforcement has begun to be felt worldwide, and multinational business leaders will need to consider the implications.

The United States has led the fight against official corruption in international business transactions for more than 30 years. Congressional passage of the Foreign Corrupt Practices Act (“FCPA” or “the act”) in 1977 established that, at least for U.S. companies and other firms accessing U.S. capital markets, global business would not be a “Wild West” of bribing public officials to win business.

For the first 25 years of the FCPA’s existence, enforcement could be described fairly as languid. The U.S. Department of Justice (DOJ) and Securities and Exchange Commission (SEC) brought few actions against companies for alleged violations.  Although there were a number of prominent prosecutions, challenges in obtaining documentary and testimonial evidence from foreign countries made enforcement cumbersome and time-consuming.

Today, it’s a different story. FCPA investigations and prosecutions have increased dramatically, and, as described below, all indications are that this trend will continue in the foreseeable future. Also, after years of inaction, other countries are stepping up their anti-corruption efforts and expanding cross-border cooperation.

The growing intensity of anti-corruption enforcement in the United States and around the world, coupled with the continuing expansion of cross-border commerce, compels global companies to closely examine their anti-corruption compliance programs. If properly designed, implemented and monitored, such programs can enable companies to accurately assess corruption risk and devote appropriate resources to minimizing it. Also, effective compliance programs may provide the best avenue for mitigating criminal or civil liability or both for violations brought to authorities’ attention.

Companies involved in mergers and acquisitions face additional FCPA exposure because they may inherit corruption issues from acquirees or assume them in business combinations. U.S. enforcement authorities have brought a number of cases arising from proposed and completed acquisitions, and have announced repeatedly that acquirers and investors must conduct FCPA due diligence on transactions presenting corruption risk. In an interesting development, the DOJ recently issued an opinion in which it granted a buyer’s (pre-closing) request to conduct post-closing due diligence based on legal obstacles it faced in obtaining relevant information from the target company prior to closing.

Whatever their current FCPA profile, companies can strengthen their anti-corruption efforts by implementing a compliance program tailored to address business-specific and regional risks. As discussed below, key components of such a program would include a risk assessment of global operations; clearly explained policies and procedures; and training and testing of controls.  Companies can also benefit by proactively adopting measures that take changing business environments into account (for example, increased government sales in a higher risk jurisdiction) or, through the use of sophisticated data analytics tools, identifying potentially problematic transactions in the accounting data.

Increased enforcement and penalties raise the stakes

The FCPA contains two primary provisions. First, its anti-bribery provision makes it illegal to bribe foreign officials to retain or obtain business or otherwise gain a business advantage. Its second provision requires companies to make and keep books, records and accounts that accurately and fairly reflect their transactions. Companies are also required to maintain a system of controls that can provide reasonable assurances of the propriety and legality of those transactions.

The FCPA began to take on a higher profile in the early 2000s. One key factor in its ascent was the passage of the Sarbanes-Oxley Act of 2002, which emphasized greater corporate transparency, senior management accountability, enhanced control systems, and whistleblower protections. The increased focus on Sarbanes-Oxley requirements and the additional resources dedicated to implementing them in many instances led to the discovery of improper payments and of control and compliance weaknesses that enabled such payments to go undetected.  Moreover, companies sought to reduce their potential liability for violations found by voluntarily disclosing such conduct to the authorities and pledging to conduct thorough investigations, report the results of such investigations to the government, and remediate the gaps in their control structures.

The number of FCPA investigations and cases brought by the DOJ and the SEC continues to grow; new corporate investigations rose from 9 in 2003 to 29 in 20071 and, on a cumulative basis, investigations involving 82 corporations remained open at the beginning of 2008.2  Similarly, corporate FCPA anti-bribery prosecutions and enforcement actions rose from 5 in 2004 to 38 in 2007. At mid-year 2008, 16 new prosecutions were underway — more than in any full year prior to 2007.3

As enforcement activity has grown, so have the costs for noncompliance.  In a 2007 case, Baker Hughes, a global oilfield services company, agreed to pay US$44 million in penalties and disgorgement of profits for FCPA violations in several countries, the largest U.S. levy to date.4  The size and scale of a number of cases reportedly under investigation, along with an increase in dedicated staffing by U.S. enforcement agencies (including the formation of an FBI FCPA task force), strongly suggest that the number of cases, as well as the frequency and severity of penalties, will continue to grow in the near term.

A growing global priority

Efforts by other countries to combat corruption have been expanding since member nations of the Organization of Economic Cooperation and Development (OECD) adopted the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions in 1997. Some countries also entered into regional pacts in Latin America, Asia and elsewhere to address the problem.

Foreign governments are also beginning to launch investigations that parallel U.S. enforcement efforts. The law firm of Shearman & Sterling identified 17 countries conducting such investigations, as well as six countries conducting investigations into the U.N.’s defunct Iraq Oil-for-Food program. The firm commented, “While the level of coordination between various governments and agencies currently conducting investigations is not fully apparent, the investigative and prosecutorial demands presented by these alleged violations are significant opportunities for the creation of an international standard of business propriety, casting aside any doubts about the strength of the international anti-corruption effort.”5

The law firm of Gibson, Dunn & Crutcher also anticipates growing global cooperation, noting that “…with an enhanced commitment on the part of many nations, coupled with pressure from nongovernmental organizations and a newfound willingness by the DOJ to defer to home state prosecution in appropriate circumstances, we expect anti-corruption enforcement to take on an increasingly global character in the future.”6

How prepared are companies?

Transparency International’s Corruption Perceptions Index, which rates countries’ perceived levels of corruption on a scale from one (highest level) to ten (lowest level), scores nearly half of the world’s nations at three or under.7 Such statistics suggest that many companies are likely exporting to, importing from, merging with, or acquiring businesses from one or more of these high-risk nations.

A poll of business executives provides a mixed picture as to the adequacy of their companies’ anti-corruption programs. In a recent survey of 328 global senior executives conducted by the Economist Intelligence Unit for Deloitte FAS LLP, 72 percent of respondents expressed the belief that their organization’s anti-corruption program adequately addresses the corruption risk in their industry. However, 25 percent of respondents believed that their programs did not adequately address the regional corruption risks their companies faced, and nearly a third said their companies should spend more on their anti-corruption compliance efforts.8

While many companies understand the growing importance of effective anticorruption programs, it appears that a significant number clearly need to consider taking steps to establish or improve their programs. More than half of the executives polled in the Economist Intelligence Unit survey believed that clearer guidance governing employee conduct, as well as the effective communication of those rules to relevant personnel through enhanced training, would be most helpful in improving their anti-corruption programs.

Dimensions of an effective anti-corruption compliance program

Companies engaged in cross-border transactions can benefit  from (1) paying closer attention to the potential impact of the FCPA and other countries’ anti-corruption statutes on their business strategy and operations, and (2) putting in place a compliance program with five key elements:

  • Risk assessment: Understand which operations are riskiest, taking into account geography, industry, foreign government sales, the foreign regulatory environment, and reliance on third-party representatives for foreign sales and regulatory interaction.
  • Policies and procedures: Clearly define policies and procedures so employees understand exactly what is and is not allowed.
  • Training: Conduct training appropriate to the sensitivity of an employee’s role and relationships.
  • Testing: Determine whether employees understand their responsibilities, assess anti-corruption controls, and perform checks on higher-risk transactions for potential violations.
  • Documentation: Elements of the compliance program’s design, implementation, and execution should be clearly documented to reflect program changes and testing protocols and results.

Conducting an intelligent FCPA risk assessment

Companies regularly assess credit, market, SEC compliance and many other kinds of risk. An FCPA risk assessment should become part of this process and lay the foundation for an overall FCPA compliance program.

In designing an FCPA risk assessment process, management should consider developing a framework that is flexible and gives consideration to risk factors including:

  • International business environment. Companies should carefully evaluate their exposure from operations in countries perceived to have significant levels of potential corruption. Information garnered through internal audit activities; employee feedback (informal or through whistleblower hotlines); competitors’ disclosures; corruption indices; and SEC, DOJ and foreign government inquiries into corruption activities can aid in assessing the overall business climate and FCPA risk exposure within the countries of operation.
  • International sales composition. Management should track the level of international sales to government entities, including sales to state-owned enterprises and through joint ventures and other business relationships.
  • International sales channels and channel partners. Channel partners, consultants, agents, distributors, joint venture partners and other third parties can expose the company to additional FCPA risks, particularly given the frequent lack of transparency into third-party business activities. In refining their FCPA risk frameworks, companies should identify and document all third parties and channel partners that liaise with foreign government officials (for example, customers, regulatory entities, and tax and customs authorities) and the portion of sales or other business activities that are handled by those third parties and channel partners.
  • Company environment. Company-specific considerations include whether the organization is centralized or decentralized, the nature of the internal control environment, the tone at the top, the compensation structure, possible incentives for bribery, the presence of a compliance officer, and the extent of anti-corruption training.
  • Industry-specific considerations. Companies should consider assessing potential FCPA risks with respect to industry-specific processes, such as government procurement, product regulatory approval, and licensing processes, and practices such as the provision of “trial equipment” or promotional trips for foreign government officials to the United States to view company operations. In assessing risk, management should seek to understand the various parties involved in securing foreign government business and approvals.

When implementing a formal FCPA risk assessment process, management should consider several important success factors, including:

  • Who will perform the assessment? Designating specific owners of the risk assessment will contribute to a process being performed regularly and consistently. Such owners should have experience in assessing FCPA risks and a strong understanding of the act’s requirements. This approach may warrant a cross-functional and global team comprising members from internal audit, sales, accounting, compliance and legal.
  • How can technology and data analytics be used to support the risk assessment process as well as ongoing monitoring, investigation and due diligence efforts?
  • How will assessment results be integrated into the company’s overall ongoing compliance monitoring efforts?
  • How will the assessment results be used to fine-tune FCPA compliance programs, including potentially identifying the need for additional training and monitoring?

FCPA risk assessments and compliance efforts can be complicated, time-consuming, and expensive for companies with extensive global operations because of differences in languages and accounting systems, cross-border logistics, shortages of qualified personnel, and the sheer volume of data under review. Analytical tools can help companies address these issues by identifying and assessing relevant accounting and financial information.  Experienced forensic professionals can then analyze various parts of the business in a targeted manner to assess risk and monitor activity.

Stay alert for red flags

As part of the risk assessment and ongoing compliance monitoring, it’s important for companies to identify functional areas that might be prone to problems.  For example, a relentless focus on the bottom line, along with aggressive sales targets, could drive sales department behavior into the gray zone, thereby putting companies at risk. As a result, it is critical for sales professionals to receive appropriate training on FCPA compliance to understand the permissible range of conduct and to know when to seek guidance if ambiguous situations arise.

Employees can be trained and their behavior tracked. But how transparent are international sales activities — particularly when government entities and third-party agents, distributors and joint ventures are involved? Signs to watch out for include:

  • Environmental cues, such as rumors of unethical behavior, a lack of transparency in third-party contracts, and charitable or potential donation work in high-risk jurisdictions
  • Unusual business relationships, including high-unit, low-frequency sales, vague deliverables, and inclusion of losing bidders in subcontracts
  • Agents who evade ownership questions, demand unusual payment terms, or resist measures to certify compliance with FCPA requirements
  • Transaction records that indicate anomalies such as cash payments, advance payments, significant write-offs or termination fees, or political or charitable contributions tied to agents

Many FCPA violations are not innocuous mistakes; they are committed by people who are aware of the regulations and impropriety of their actions. Companies need to view FCPA compliance with a heightened level of watchfulness and structure their programs accordingly. This may include examining how the management of sales promotions, sales records, and employees and agents influences behavior. Companies also should consider reviewing the structure of compensation and commissions for agents, consultants and other third parties, such as retainers, bonuses, success fees, and paid and reimbursed expenses.

FCPA compliance leading practices

Companies can improve FCPA compliance through targeted efforts in different parts of the business. Some leading practices to consider include:

  • Legal: Centralize legal approval of agents, conduct annual due diligence reviews, and use anti-corruption contract provisions.
  • Accounting/audit: Conduct annual FCPA risk assessments and embed FCPA controls into the Sarbanes-Oxley Section 404 control infrastructure.
  • Finance/systems: Segregate government contracts, monitor charitable and political contributions, entertainment and gift expenses, and third-party payments, and flag unusual payments such as those to offshore holding companies.
  • HR compliance and training: Build anti-corruption and FCPA guidelines into the company’s global ethics framework, supported by training that cascades to sales, legal, accounting, and country management.

Merger & acquisition considerations

Today, financial due diligence accompanying mergers and acquisitions should include procedures that specifically look for red flags that indicate potential corruption. A number of recent FCPA cases have focused specifically on the need for strategic and equity buyers to assess FCPA risk as a routine part of the M&A due diligence process.

FCPA issues have not historically been at the top of the M&A due diligence checklist. Yet in the wake of some recent high-profile FCPA actions and investigations — and with a heightened awareness of successor liability risk — buyers are paying more attention to identifying possible violations.

Failure to perform appropriate due diligence can result in the acquiring firm assuming criminal and civil responsibility for the target firm’s violations. Indeed, a substantial number of current FCPA cases were first flagged during the course of routine financial and legal M&A due diligence procedures.

If and when a problem is discovered, it can affect the timing, structure and pricing of the transaction, or even whether it proceeds at all. In one well-publicized case, Lockheed Martin Corporation walked away from a proposed purchase of Titan Corporation because Titan was unable to resolve outstanding FCPA allegations with the government in a time frame acceptable to Lockheed.

In those instances where the purchaser wishes to proceed with the transaction, transparency can be critical. Violations reported and resolved prior to closing, coupled with a thorough investigation designed to uncover additional potential violations, may enable the purchaser to negotiate an agreement with the government that protects it from liability for the seller’s conduct, even if additional pre-closing violations surface following the transfer of ownership.

In such cases, scrutinizing the target company’s FCPA compliance history carefully can provide a real business benefit. No matter how attractive the deal appears, the purchaser will clearly want to avoid the risk of being saddled with liability for what may have happened in a remote location years before the transaction was even contemplated.

From a practical perspective, there are occasions where access to the kind of information necessary to conduct pre-closing due diligence may not be available.  Halliburton, the energy services company, recently found itself in such a situation in connection with its pursuit of a British company specializing in oilfield services. UK tender rules restricted Halliburton’s ability to obtain sufficient information from the target company to conduct appropriate FCPA due diligence. Halliburton sought an advisory opinion from the DOJ that would permit Halliburton to proceed with the transaction and not incur successor liability subject to a thorough post-closing due diligence, the prompt reporting of any violations, and a number of additional conditions.9 Although the DOJ opinion procedure carries no precedential value and applies only to the facts of the case, the government appears willing to take into account certain impediments to conducting due diligence if proper assurances of post-closing due diligence and remediation efforts are made and accepted.

FCPA integrity focused due diligence

Another critical component of FCPA due diligence focuses on identifying possible foreign government connections and links between individuals and entities, and exploring the backgrounds of those individuals to determine if there are any “red flags” of involvement in potential violations. As part of this process, buyers would seek to identify any direct or indirect foreign government ownership, including ownership through subsidiaries, as well as links between individual shareholders, officers or directors to see if they are related in any way to members of government bodies.

A great deal of information is available through public and proprietary sources. Although the availability of public records varies from country to country, information typically available electronically includes:

  • Business registration filings
  • Business reports on organizations
  • Civil and criminal litigation filings
  • Financial information
  • Media
  • Politically Exposed Persons (PEP) databases
  • Regulatory databases, both U.S. and foreign

In some locales with less developed electronic filing systems or online capabilities, visits to local courthouses or government offices may be required to obtain information.

Risk assessment and data analytics: Building the foundation for FCPA compliance programs

Implementing a formal FCPA risk assessment process that integrates technology and data analytics can aid attorneys, compliance officers, internal audit, executive management, and ultimately board and audit committee leaders in designing and implementing an effective anti-corruption compliance program. The process can also support the fine-tuning of FCPA compliance programs and the prioritizing of FCPA compliance monitoring efforts.

Relatively recent technological advances have increased companies’ migration of books and records to integrated electronic systems, a move that is likewise shifting their approach to FCPA investigations and associated data analytics. Now companies and their legal counsel not only need to implement legal and investigative strategies, but also to plan for dealing with massive amounts of related electronic transactional data.

Technological innovation is playing a key role in overcoming these challenges. With the standardization of accounting systems, forensic accountants and technology professionals have built tools that can facilitate extraction and analysis of large amounts of data. Location-neutral utilities accessed via secure Internet sites can provide quick, reliable access and capabilities to globally dispersed teams investigating FCPA violations.

Anti-corruption compliance: A crucial dimension of global business

Companies may consider anti-corruption requirements a secondary consideration as they rush to capitalize on emerging market opportunities. However, as recent and continuing developments show, governmental authorities view compliance as a top priority. Failing to actively and thoroughly address corruption issues can derail a company’s plans, and may lead to fines and criminal prosecutions.

On the other hand, companies that are forthcoming and careful can benefit from greater transaction transparency and improved regulatory consideration. Today’s enforcement climate heightens the need to identify, manage and respond proactively to FCPA exposure. Implementing an effective compliance program — supported by the right processes and technology — can help companies capture the potential of global business while managing the associated risks.