What is FCPA?
The Foreign Corrupt Practices Act (FCPA) was passed into law in 1977 after over 400 US companies were found to have made questionable or illegal payments to foreign government officials, politicians, and political parties. The intent was to provide a guideline under which US companies conducting business overseas could do so without scrutiny of unethical business practices. At the time, the US was a lone voice against corruption as much of the world still viewed the practice as a means to an end. As the rest of the world has seen the destructive nature of corruption and taken steps to curb those practices, the FCPA has gone from a nearly unenforceable piece of legislature to one of the highest law enforcement priorities after terrorism.
The FCPA started its rise to the forefront of enforcement in the early 2000s with the passage of the Sarbanes-Oxley Act, which put a focus on financial transparency of corporations. This transparency gave the government access to a treasure trove of potential FCPA violations and prosecutions have increased exponentially. In the first 20 years after the FCPA’s enactment in 1977, the government prosecuted only 17 companies, whereas, between 1998 and 2008, more than 50 companies were prosecuted. Approximately 120 FCPA investigations are currently open, and the DOJ and the FBI have augmented prosecutorial and agent resources to pursue FCPA cases.
Obstacles to International Adoption
One of the major obstacles the US government faced during the first 30 years of the FCPA’s existence was getting documentation and evidence from foreign countries. The law was not seen as leveling the playing field but rather putting US companies at a competitive disadvantage because their competitor’s aboard did not have to operate under the same guidelines and saw bribery as business as usual. A report from the OECD, discussed further below, found that several member nations had laws that enabled firms to claim tax deductions on bribes paid to overseas businesses.
It was clear that international cooperation was required in order to truly level the playing field. One of the first steps the international community took to address the issue was the establishment of an Anti-Bribery Convention by the Organisation for Economic Co-operation and Development (OECD) in 1997. This convention, now signed by 38 countries, establishes legally binding standards to criminalize bribery of foreign officials in international business. This convention falls solidly on the mission of the OECD, which is to promote economic growth and stability in the world economy. The message was clearly sent that bribery was no longer thought to be business as usual; further, it is a serious threat to the development and preservation of democratic institutions. Member countries are required to adopt national laws to criminalize bribery. Obligations included requiring corporate responsibility for any offense, books and records transparency, and willingness to provide legal assistance in any international prosecution. In essence, it was an international version of the FCPA passed by the US nearly 20 years prior.
A similar convention was passed by the United Nations in 2003 - the United Nations Convention against Corruption. A large focus of the UN convention was prevention, and went so far as to offer model preventative policies, codes of conduct, and appropriate penalties. It also goes beyond previous instruments, criminalizing not only bribery and embezzlement of public funds but also focuses on improperly using influence and obstruction of justice. International cooperation is also required and member countries are bound by the Convention to cooperate with international investigations. It is currently signed by 140 countries.
Greater international cooperation and an increased focus on financial transparency for corporations have created a much easier environment for prosecutions under the FCPA. Companies found in violation can face financial penalties for up to twice the gain from the corrupt practices. The size of the actual bribe is insignificant; penalties are assessed based on the amount of benefits collected from that bribe. The landmark case to date was the December 2008 case against Siemens where Siemens agreed to settle with US and German authorities to the tune of $1.6 billion in fines and penalties. Governments are highly motivated to prosecute these cases to reap the financial windfall.
Who is accountable?
There are three types of entities addressed by the FCPA – issuers, domestic concerns, and foreign nationals and businesses. All three are prohibited from making improper payments under the FCPA and are subject to investigation. Issuers are companies that have securities registered in the US or are required to file with the SEC. A company like Siemens, whose headquarters is in Germany, is still held accountable under the FCPA because of their status with the SEC as an issuer of stock on the US market. Domestic concerns include any person or business entity who have their principle place of business in the US or are organized under US law. Foreign nationals and businesses make up the third group and they are only accountable for corrupt payments made in the US. The FCPA provides no jurisdiction for prosecuting foreign companies or individuals for violations outside of the US.
Third parties and agents could be considered a forth entity accountable under the FCPA but only if they are acting on the behalf of an issuer, domestic concern, or foreign national or business. This presents a large pool of potential violations, especially in industries where the use of third parties is common, such as the medical device industry. A company could have a bullet proof compliance program but if their sales agency in India is making improper payments to government officials they open themselves up to potential violations under the FCPA. It would not be a defense to say that the company did not know its third party was making corrupt payments as “not knowing” includes conscious disregard and deliberate ignorance.
The FCPA has two main provisions and is enforced by the Department of Justice and the Securities and Exchange Commission. The anti-bribery provisions makes it unlawful for companies to bribe foreign officials, political parties or any other person in a foreign country for the purpose of obtaining or retaining business or otherwise gain a business advantage and is under the jurisdiction of the DOJ. The bookkeeping provisions require companies to ensure that their books and records accurately reflect all transactions made by the company or any of its subsidiaries, which is under the jurisdiction of the SEC.
Both provisions seem simple on the surface - you can’t bribe government officials and you have to have your books in order. However, the general nature of each provision has given the government a lot of leeway in determining what falls under those categories. For example, anyone who is employed or receives money from a government agency is considered a foreign official. This is particularly important in the pharmaceutical / medical device arena; many foreign countries have public health systems and therefore the staff members of those institutions are considered foreign officials under the FCPA. As a result, companies can have millions of interactions each year that could come under scrutiny.
Risk, Prevention, and Accountability
Clearly, companies conducting business internationally must take measures to protect themselves against potential FCPA violations. Best practices for implementing a strong compliance program include assessing the areas of risks, defining policies and procedures, training, auditing, and documentation. Information technology can play a significant role in analysis and documentation and can provide a key defense in demonstrating that a company has taken reasonable steps to prevent violations should an investigation occur.
A thorough risk assessment should be the first step in establishing a compliance program. The general nature of the FCPA makes it nearly impossible to keep tabs on every aspect of doing business abroad so companies need to realize where the risk of violations are the highest. This is especially critical when evaluating third parties abroad, where regional and relationship risks must be given close attention. A formal risk assessment should integrate with technology, such as checking names against databases of known high risk individuals, and should look closely at the level of corruption present in the prospective country.
Once a company has established where its areas of greatest risk are, it must define it policies and procedures for ensuring compliance. Systems of checks and balances which prevent employees from making payments without proper accounting, ensuring that due diligence is conducted on foreign partners, and providing a system for accountability, such as a whistleblower program, are all steps that should be taken in establishing a compliance program. Having those policies written and translated into the languages of the foreign parties is necessary as well as training and monitoring to ensure the policies are being followed correctly.
Managing Risk with Technology
Technology can play a vital role in relieving some of the burden associated with validating and documenting a company’s compliance program. Companies are now able to store nearly all of their books and records in electronic format. Part of the process of building a strong compliance program is leveraging a company’s existing information technology as well as looking at new technologies that can contribute to a more efficient system. In addition to efficiency, a strong IT program can help to point out potential violations so corrective action can be taken. If a company is investigated, a strong IT program is vital in demonstrating that a firm has taken meaningful steps to prevent corruption.
FCPA compliance software should allow a firm to track the acceptance of its compliance policies in addition to providing traceability of training to make sure that the policies are understood. A compliance policy that isn’t translated into the language of all the employees would represent a significant risk should an investigation arise. Software should be used to provide a logical workflow where the people dealing with transactions don’t have to be compliance experts but they have the ability to escalate a case when potential red flags occur. This frees up an organization to focus on the business at hand as opposed to focusing on whether or not a particular transaction is subject to FCPA scrutiny. A properly designed and implemented compliance program should enable companies to quickly determine areas of risk and provide a strong foundation for addressing any potential investigation. Violations are bound to occur; the company that has a strong compliance program in place will be best equipped to minimize the potential for damaging penalties.
The current worldwide economic condition only heightens the potential for violations and scrutiny under the FCPA. Managers are facing increased competition, increased costs, and increased pressure to perform. This can lead to a willingness to “look the other way” when dealing with a foreign partner who might see bribery as a way of doing business. Many compliance programs are still paper and file processes; the cost of implementing a custom compliance solution is deemed too expensive. Those costs are often insignificant when considered against the heavy fines and loss of reputation resulting from a FCPA investigation.
Companies that are able to combine a strong FCPA compliance program with a successful international business model will find themselves in a great position to capitalize on the growing international marketplace. Conducting business ethically can become a value-add as opposed to a high cost and competitive disadvantage. As the FCPA and similar laws in foreign countries become more prevalent, companies who have already been playing by the rules will find themselves highly sought after.