While not always a top priority for businesses, in today’s hyper-regulated world, no company can afford to be without a comprehensive compliance program to ensure that its employees and agents act within the law and regulatory requirements at all times. Most often, the point at which compliance issues arise is when transactions are about to occur, whether between the company and an agent or other third-party, between an employee and a customs officer or between an employee and other government official.
The legal consequences may flow from illegitimate transactions under the securities laws, U.S. criminal laws (including the money laundering statute and the Foreign Corrupt Practices Act (FCPA)), U.S. tax laws, the recently passed Dodd-Frank legislation and foreign laws. The FCPA is perhaps the best known of these laws and provides for extremely harsh penalties. Several companies have paid criminal fines or penalties in the hundreds of millions of dollars.
The FCPA prohibits bribery of foreign government officials, but its reach is very broad, as a practical matter, covering, for example, even low-level government employees, such as a doctor who practices in a government-owned hospital and is employed by the health ministry. Any “thing of value” provided, directly or indirectly, to any “official” could be determined to violated the FCPA.
The five “basic pillars” of a sound anti-corruption program, according to Transparency International UK, are the following: (1) leadership, governance and organization; (2) risk assessment; (3) company codes and policies; (4) training; and (5) personnel helplines.
Tone at the Top
As indicated above, a prerequisite of a sound compliance program is the communication to all employees, agents and third-parties of management’s commitment to compliance with all U.S. and foreign laws — and to training its personnel and any other persons who may act for the company in what those laws require. Dr. Henry Wong Meng Yeong provides the following story, apropos of the necessity of showing an example from the top down, from Confucius: “The Duke of Lu asked Confucius what he could do to get the support and obedience of his citizens. Confucius replied that if you advance the upright and virtuous and set them on top of the crooked, you will gain everyone’s support. But if you raise the crooked and set them on top of the upright and virtuous, no one will submit.” The moral: People who lead organizations must not preach what to practice until they themselves have practiced what they preach. In the event of a failure to prevent unlawful conduct before it occurs, assuming it is brought to the attention of authorities, the company will be expected to be able to describe the detection system it had in place, defend its adequacy (despite its failure) and offer an analysis as to the reason for its failure. Management will also often be expected to have remedied the consequences of the failure and have taken steps to discharge or discipline persons engaged in the conduct on behalf of the company. Ideally, as well, the company will have self-reported the conduct prior to discovery of it by federal or non-federal investigators.
Customized Compliance Policies
No “cookie cutter” or “off-the shelf” compliance program is likely to suffice as a way for management to document its commitment to compliance. Enforcement agencies view the benefits of these programs as marginal at best. An effective compliance program will, therefore, be tailored to the specific organization to which it is to apply. The program must include training and internal reporting policies, but it also must be able to be effectively projected outside the company. Running afoul of FCPA does not always involve malfeasance; in many countries, such as China, for instance, many companies are owned or controlled by the government. A solid compliance program therefore will have specific procedures explaining what may and may not be done to market the company’s products or services to such officials and properly to record any expenses associated with such marketing.
Cross-Program Breadth and Reach
The last five years of FCPA enforcement and international cartel enforcement by the U.S. Department of Justice, Criminal Division, U.S. Attorney’s Offices and international cartel enforcement by the U.S. Department of Justice, Antitrust Division have seen a significant increase in prosecutions that combine violations of FCPA, other violations of the Criminal Code (Title 18 (U.S. Code) offenses) and Sherman Antitrust Act offenses. Mixed offense investigations can stimulate the interest of an array of investigative and prosecutorial agencies, all of which have different management chains, policy agendas and approaches for measuring success — a fact that can significantly complicate risk analysis. For this reason, the likelihood that implementation of an FCPA compliance program will dislodge Sherman Act violations has significantly increased, but it is also the case that the components of the Department of Justice have gained more experience with these cross-program prosecutions. Such cross-program prosecutions create complex disclosure issues regarding timing, order of the disclosure and scope of the disclosure — and these concerns multiply when the investigations span foreign governments and multinational organizations, such as the development banks.
Joint Venture and Merger Conduct
Merger and joint venture activity significantly increases the likelihood of encountering issues related to FCPA, Anti-Money Laundering (AML) statutes and the antitrust laws. Thus, a Federal Trade Commission (FTC) or an Antitrust Division (civil) pre-merger investigation may generate referrals to criminal enforcers. Or, the connections may run in the opposite direction, such as in the case where prosecutors in a cartel investigation or in an FCPA investigation obtain access to a prior Hart-Scott-Rodino (merger) filing that leads to the discovery of evidence of foreign bribery or unlawful collusion. This can have the effect of leap-frogging a traditional criminal investigation timeline by increasing the prosecution team’s knowledge of the subject area, potential subjects and conduct — as well as providing additional evidence of illegality to prosecutors, which may be completely unknown to current counsel. Companies therefore need to incorporate specific procedures or protocols to be followed prior to the formation of any foreign joint venture or any joint venture enterprise that will operate abroad. They should also conduct extensive due diligence regarding any potential joint venture partner. Assuming the information discovered doing due diligence does not lead to a decision to abandon the potential business relationship, that information should be preserved in the event of any subsequent investigation or prosecution. Moreover, any joint venture agreement should make clear that the joint venture partner will keep its U.S. partner informed of its relationships with agents operating in any foreign jurisdiction where the venture will operate, agree to abide by all anti-corruption laws and regulations and acknowledge that any violation of the anti-corruption laws by it will constitute a material breach of the agreement and grounds for termination. [Reflecting the need to perform extensive due diligence on joint venture partners in advance of agreeing to engage in any joint activity, in October 2012, Owens-Illinois Group, Inc., the glass maker, disclosed an internal investigation into possible violations of the FCPA. The company said in an SEC filing that violations of the FCPA's antibribery and books and records provisions may have occurred in overseas operations. Although the disclosure did not identify the location or amount of payments under review, the company was know to have joint ventures in China, Italy, Malaysia and Vietnam.] Finally, in agreeing to buy a company, the acquiring company must perform even stricter due diligence, recognizing that any latent criminal acts will ultimately become the acquirer’s responsibility.
Agents and other third-party representatives pose a significant compliance risk. Almost by definition, foreign representatives will have more interactions with foreign officials than any stateside officers. Furthermore, their business skills will usually have been honed in jurisdictions where ordinary business practices routinely run afoul of the FCPA, AML or competition laws. Such representatives often may be detached from a company’s compliance culture and programs. Thus, before their are hired or contracted to carry out an assignment, foreign-based representatives must be thoroughly vetted for honesty and general integrity or reputation. The wise employer will also wish to ensure that they actually possess the business or technological skills reflected on their vitas, and not simply in a position to influence contacting decisions by the king or other government officials. The employer will also insist that subcontractors be contractually required to submit to routine audits and that any payments they receive may be clawed back in the event they are determined to have violated the law with regard to the contract for which they were engaged. The employer will also ensure that agents and third-parties have had appropriate training in U.S. laws and that this training, as well as the due diligence conducted before the agent was engaged is well documented. Finally, all compliance “red flags” need to be addressed and an accurate threat assessment performed to determine how best to respond to the issue.
U.S. companies should expect that their foreign-based representatives in many countries will likely be solicited by officials seeking bribes (however they might be described) in exchange for granting approvals that the company needs to operate successfully. This is why interactions between company representatives and regulators should be tracked and, in some instances, even more carefully monitored. For example, in the case where a foreign representative must transfer funds to a government official, a government official’s agent or to a regulator. In these sorts of cases, there must be an ironclad procedure to obtain an official receipt from the government official’s department or agency as proof that the payment was legitimate should be obtained to show that the payment was consistent with local law and not for the purpose of bribery.
Training is extraordinarily important and needs to be comprehensive, engaging, systematic and well documented. All personnel receiving the training need to have an understanding of the laws in the applicable jurisdictions, how these laws interrelate and (in some cases) how they create conflicting interests. We recommend program features that are proven to generate immediate disclosures and trigger a conversation with the appropriate organizational decision-maker. To change the “gestalt” of an organization requires programmatic changes, including implementation of an internal hotline structure and other improvements to make detection of wrongdoing more likely. The name of the game in any training program is to make sure that concerns and complaints are brought to the attention of management so they may be appropriately addressed. Employees and even third-parties should be encouraged to report potential wrongdoing and assured confidentiality for such reports. They should also be kept informed of the investigation and told when remedial action has been taken to address their concerns.
The goal of a successful compliance program is to “catch and evaluate” all tips or information to detect possible law violations by employees, agents or other third-parties for which the company may be held legally responsible. To detect these sorts of issues, organizations must have an effective means of monitoring, to the extent reasonably possible, actions taken in the company’s name. Thus, for one thing, personnel should be trained to identify compliance “red flags” and should be obligated by their employment contracts — and in the certifications they make to the company annually — to affirm that they have complied with all applicable local and U.S. laws and that they have reported all potential law violations by others about which they have became aware. In this way, as well as through at least annual training, employees will come to recognize that compliance is not merely an afterthought, but is a central part of their responsibility to the company.