Global Investigations Review - The law and practice of international investigations

The Guide to Monitorships - First Edition

The Foreign Corrupt Practices Act

23 April 2019

Simpson Thacher & Bartlett LLP

When resolving alleged violations of the Foreign Corrupt Practices Act (FCPA), US authorities have a range of options available to them. In addition to the standard consequences for violation of US laws, including penalties, disgorgement and imprisonment of individuals, US authorities also may require a company to appoint an independent FCPA compliance monitor. The monitor, who may not have any material connection to the company, its executives or its directors, is charged with objectively evaluating the company's compliance with the FCPA and its measures in place to mitigate corruption risk. An effective monitor also will indirectly assist companies with developing and implementing effective compliance programmes by providing an outsider's assessment of the programme and making actionable recommendations for improvements.

US authorities have required the appointment of monitors as part of the resolution of FCPA investigations involving a range of alleged forms of foreign bribery. The frequency of FCPA monitorships, however, has changed over time, and the number of FCPA settlements that have included a monitor has dropped significantly in recent years. Based on recent developments, including growing debate about the value proposition of monitorships and new US government policies, some practitioners expect the number of FCPA monitors to continue dropping, at least under today's US enforcement regime.

This chapter focuses on the role of an independent compliance monitor appointed as part of an FCPA settlement. Set forth below is a brief overview of trends in FCPA enforcement actions; a discussion of the distinguishing features of FCPA monitorships, including most notably their inherently broad, cross-border nature; and approaches for conducting efficient and successful monitorships, particularly in light of these unique aspects. Finally, this chapter discusses the future of FCPA monitorships in light of current enforcement trends and recent FCPA guidance issued by the US Department of Justice (DOJ).

Overview of the FCPA

The US Congress enacted the FCPA2 in 1977 to address concerns about widespread bribery of foreign officials by US companies.3 The DOJ is commissioned with investigating and prosecuting criminal violations of the anti-bribery and accounting provisions of the FCPA, and the SEC is commissioned with civil enforcement of these provisions. After relatively modest enforcement levels for many years, enforcement activity increased steadily through the 2000s and peaked in 2016.4

The FCPA has extraterritorial reach, and US authorities may pursue violations against non-US entities based on alleged corruption that has only a limited nexus to the United States. In terms of the actual composition of defendants in FCPA cases, US-based entities and individuals have been involved in the majority of FCPA charges brought by the DOJ and the SEC. Nonetheless, in recent years, US enforcement agencies increasingly have pursued non-US companies for FCPA violations.

Distinguishing features of FCPA monitorships

While all US-style monitorships bear some similarities, FCPA monitorships are unique in a number of important respects, including the scope of the issues to be reviewed; the geographic reach of the review; and the challenges that routinely confront both the company and the monitor in markets where common business practices may create risk under either the FCPA or US regulatory expectations more generally, or where ethical norms are more lenient than under the prevailing US governance and compliance standards.

Breadth of issues

Because corrupt payments may be processed, paid and concealed through a wide variety of mechanisms, FCPA monitorships generally require an assessment of a broad range of a company's policies, procedures and internal controls. In addition to evaluating the company's policies specifically addressing anti-corruption, the monitor should evaluate ancillary policies that mitigate the risk that corrupt payments will be made. These policies and procedures generally govern:

  • charitable donations and sponsorships;
  • gifts and free merchandise;
  • use of cash;
  • travel and entertainment reimbursement;
  • licensing and other regulatory payments;
  • payments to vendors and third parties;
  • commissions or other service fees; and
  • discounts and rebates.

In addition, an FCPA monitorship is multidimensional. Assessing the sufficiency of these policies at face value is an important first step. The FCPA monitor, however, will need to dig beneath the 'paper' dimension of the company's anti-corruption compliance programme to assess whether the programme is not only well designed but also effectively implemented. The monitor should evaluate whether employees, from the most senior executives to the lowest rank-and-file employees, understand and comply with the policies, procedures and controls. One of the most effective ways to make this assessment is through interviews in person with employees at various levels of seniority.

Another dimension of an anti-corruption compliance monitorship is assessing the company's overall compliance culture and commitment to ethical business conduct (see Chapter 1). While this is an unavoidably amorphous concept, and no two companies are the same, a company's commitment to lawful business practices may be measured indirectly through several criteria, including:

  • the 'tone at the top' – or efforts by senior management to promote compliance, including compliance-related messaging;
  • distribution and accessibility of compliance-related policies and procedures;
  • the scope and effectiveness of training, including attendance rates and the substantive content;
  • the availability and use by employees of ethics 'hotlines' and other channels for reporting suspected misconduct, and the company's efforts to publicise these channels to employees;
  • the willingness of employees to report misconduct over a fear of retaliation;
  • the company's willingness and capacity to investigate alleged wrongdoing, discipline wrongdoers, and remediate deficiencies; and
  • the company's ongoing internal efforts to monitor anti-corruption compliance, such as internal audits.

Finally, in light of the accounting provisions of the FCPA, depending on the scope of the monitorship as agreed with US authorities, the monitor also may need to evaluate the accuracy of the company's books and records, and related internal accounting controls.

Geographic scope

FCPA monitorships are almost always cross-border in nature, even when the charges that led to the monitorship only involve deficiencies in internal controls. Therefore, in addition to evaluating the company's enterprise-wide compliance measures, a monitor should assess compliance measures in markets outside the United States. While there are different ways to approach this more granular review, it is often not practical to conduct testing procedures in every one of the markets around the world where a company conducts business.

As a result, the selection of markets for review is a critically important step in the monitorship process. If FCPA violations are known to have occurred in a particular location, then the monitor should usually include that market in the scope of its review. At the same time, a robust review will typically need to extend beyond the markets that were the subject of the settlement with the US authorities. Perhaps unsurprisingly, this selection of markets for close inspection can present a challenge to a monitor striving to balance the breadth of the review with the need to complete the work both within a prescribed period of time, and with minimal disruption and cost to the company.

In deciding which markets to inspect, the FCPA monitor typically considers a range of factors, including where corruption-related misconduct is known to have occurred; the perceived corruption risk (based on public reports such as Transparency International's Corruption Perceptions Index, and the company's own internal risk assessments that are based on historical compliance violations and audit findings); where the nature and scope of the company's business creates heightened corruption risk; and, if possible, a diversity of markets in terms of revenue generation and location.

Once a group of markets has been selected, the monitor will conduct an in-depth review in those locations. Based on what the monitor learns during these in-country assessments, it will be positioned to make informed decisions about any additional markets worth visiting, and also may be able to draw broader conclusions about the overall effectiveness of the compliance programme. In addition, the monitor should be able to formulate practical recommendations for enhancements to the programme informed by patterns and trends that emerge across markets, as well as by deficiencies identified in one particular market that reflect a broader, enterprise-wide weakness.

Effective practices for conducting FCPA monitorships

FCPA monitorships are generally guided by the specific requirements of the agreement between the company and the US government agency imposing the monitorship, including the subject-matter scope; and general guidance issued by the US government concerning effective anti-corruption compliance programmes.

In the course of its preliminary work, including through an introductory overview provided by the company (discussed below), the monitor should identify the company's key risk areas, including its touchpoints with non-US government officials, the frequency of those touchpoints and the employees engaged in those interactions, and the maturity of the compliance programme. The monitor then should develop a written work plan that details the monitor's plans for evaluating whether the company's compliance programme is both adequately designed on paper to identify, mitigate and respond to corruption risk, and effectively understood by employees and implemented in practice.

Procedures commonly incorporated into monitorships

Document review

The monitor should review the company's prior risk assessments, policies, procedures, training materials, organisational charts, compliance committee materials, relevant investigative, audit and monitoring reports, reports of wrongdoing, and relevant compliance-related communications.

Interviews

The monitor should conduct interviews with employees from relevant functional groups, various regions, and different levels of seniority within the company. Attention should be paid to the order of these interviews, as it often makes sense to begin with corporate-level executives who can provide high-level perspectives on how the compliance programme operates and its key challenges, followed by interviews of relevant lower-level personnel in the markets. Before arriving in-country for field work, the monitor should consider speaking with relevant senior personnel from that country to obtain a preliminary understanding of how business is conducted in the market. This approach will help improve the efficiency of sometimes limited time on-site by ensuring that the work is appropriately focused on the relevant issues and employees.

Forensic transaction testing

An important tool for evaluating whether policies and procedures have been effectively implemented is forensic transaction testing, which typically requires the services of an experienced, independent forensic accountant. By selecting a sample of transactions based on indicia of potential red flags (such as unusual payments to third-parties or to government agencies), and then reviewing whether the selected transactions were executed in compliance with the company's applicable policies and controls, the monitor is able to identify policies that might warrant clarification or revision, either because they are not sufficiently understood by employees or otherwise are not effective in achieving their objective.

Hotline testing

The monitor must ensure that the available channels of reporting – such as ethics hotlines that operate independently of personnel in local markets – are functioning properly. To do this, in addition to reviewing the record of the company's handling of prior reports, the monitor should consider testing of the hotline in real time by submitting (with advance notice to a limited number of personnel at the company) mock reports in various languages and involving a range of alleged misconduct, and then tracking the company's response.

Aspects of the company's compliance programme a monitor should evaluate

Policies, procedures and controls

The monitor should evaluate the substantive sufficiency of policies, procedures and controls designed to mitigate corruption. These typically include the company's general anti-corruption policy as well as any policies and procedures governing the company's interactions with non-US government officials; the onboarding and use of third parties; entertaining, hosting and reimbursement of related expenses; use of cash; gifts; sponsorships and charitable contributions; marketing; and promotional products. In addition, the monitor should consider whether the policies are sufficiently clear, understood by employees and practical.

Tone at the top

While a company's 'tone at the top' is an amorphous concept, and different companies have different ways of approaching this issue, the monitor should review the extent and substance of any compliance messaging by the board and leadership at the corporate and market levels. In addition, interviews with employees at various levels of the company may provide insight into whether the company's commitment to compliance has cascaded down to the rank and file.

Resources and autonomy

The monitor should assess whether the company has sufficient resources allocated to anti-corruption compliance, including budget, headcount and subject-matter expertise; whether these resources are appropriately assigned based on the risk profile of the regions where the company operates; whether the compliance function has sufficient independence from senior leadership; and how the compliance function reports to the company's board of directors.

Training

The monitor should review compliance-related training materials; evaluate the frequency, format and substantive scope of the training; speak with employees about the effectiveness of the training; determine whether the company tracks employees' attendance at training sessions; and consider attending a training session.

Use of third parties

Because vendors, sales agents and other third parties used by companies often present heightened corruption risk, the monitor should evaluate the design and implementation of any policies, procedures, and controls governing the onboarding and use of third parties, including the process for selecting third parties, conducting due diligence, the representations and rights included in contractual agreements with third parties (such as anti-corruption representations and audit rights), and the controls for payments to and from third parties. In this regard, it can be valuable to conduct forensic testing on a sample of third parties to assess whether they have been properly onboarded and documented in compliance with the company's applicable policies and controls, and whether payments complied with company policy.

Reporting, investigations and discipline

The monitor should evaluate the adequacy of the company's reporting channels and investigative processes. This assessment should include a review of available reporting channels (including the availability of anonymous reporting); the company's efforts to encourage employees to 'speak-up' about suspected misconduct; and whether employees are not only aware of the reporting channels but are both comfortable reporting and believe that the company will take appropriate action in response to reports. The monitor also should inquire about the company's efforts to prohibit retaliation against employees who report suspected misconduct. Relatedly, it should explore whether the company's resources and processes for investigating complaints and disciplining employees for substantiated misconduct are sufficiently robust. Finally, the monitor may examine whether the company's employee performance review process and related compensation decisions assign appropriate weight to an employee's compliance with anti-corruption policies and procedures.

Self-monitoring

The monitor should evaluate the company's internal audits and compliance monitoring programmes to determine whether the company has appropriate standing measures in place to self-identify and mitigate corruption risks and incidents of non-compliance.

Mergers and acquisitions

The monitor should evaluate the company's policies concerning transactional due diligence on potential acquisition targets and joint venture partners, and whether this diligence includes an anti-corruption risk assessment.

Noteworthy considerations in FCPA monitorships

While there is an inherent tension given the nature of the oversight work that the monitor is charged with conducting, it is incumbent on both the monitor and the company to develop a collaborative, respectful working relationship from the outset. Some noteworthy aspects of FCPA monitorships that bear on this dynamic are described below.

Noteworthy considerations for the company

FCPA settlements often arise from conduct in regions of the world where business practices, ethical norms and government oversight are more lenient, or where anti-corruption compliance generally is viewed as less of a priority than in the United States. This raises several issues. In these markets, compliance with anti-corruption regulations of a foreign sovereign may not be fully incorporated into local corporate practices and culture. Employees and third parties that act on the company's behalf may not appreciate the scope of the FCPA and how its requirements impact what may be routine but problematic business practices. And, in any event, personnel might struggle to conform their conduct to US regulatory requirements and expectations in the face of the practical commercial realities of doing business in regions where standards of business conduct are less restrictive than in the United States. Non-US personnel also may be inherently suspicious of an independent monitor reporting to US authorities. Finally, personnel may be reluctant to report suspected violations to their companies owing to a fear of retaliation or a more generalised but not uncommon social stigma associated with whistleblowing. These cultural circumstances are often more acute in remote markets that have fewer compliance resources, confront language barriers, and generally fall outside the field of vision of the company's corporate compliance centre.

While the company's headquarters may understand, or at least accept, the appointment of a monitor and perhaps may even embrace the monitor with a collaborative spirit, company leadership must work to ensure that support of the monitor cascades to employees abroad. In this regard, the company should educate and sensitise employees to the concept of the monitorship, including, for example, through information sessions for employees who will interact with the monitor.

Another challenge confronting monitored companies is time and resource management. The inherently international nature and substantive scope of FCPA monitorships make them especially vulnerable to significant costs, in terms of both the monitor's professional fees and management distraction. It is, therefore, important for companies early in the negotiating process with the US authorities to explore ways to limit the scope of the monitor's mandate to issues that correlate closely to the underlying alleged misconduct. For example, for a settlement based on bribes paid by third-party vendors, the company might seek to limit the monitorship to a targeted review of policies, procedures and controls relating to the use of third parties.

In terms of managing the monitorship efficiently, one effective approach is for the company, at the outset, to present the monitor with a description of the conduct underlying its FCPA settlement as well as an overview of its business operations, key components of its compliance programme, its primary risk areas, and relevant findings from internal investigations and internal audits. With the benefit of this background, the monitor should be better equipped to immediately focus on the core issues and avoid fact-gathering on foundational issues. During the course of the monitorship, the company should strive for an open dialogue with the monitor with respect to the monitor's work plan, highlighting proposed areas for review that are inconsequential, present limited risk or exceed the monitor's mandate. The company also should work with the monitor to avoid scheduling responses to information and document requests, interviews and in-country reviews at times of year that conflict with essential business functions, such as financial close periods.

Finally, the company should ask to review drafts of the monitor's reports to address factual inaccuracies and to discuss the feasibility and sustainability of the monitor's recommendations for remedial measures, particularly given the diverse markets in which the company might operate. With guidance from the company, the monitor might recast proposed remedial measures in a less burdensome and more practical fashion while still addressing the perceived deficiencies and without sacrificing its objectivity and independence.

Noteworthy considerations for the monitor

As discussed above, when assessing the design and implementation of an anti-corruption programme, monitors need to understand the specific corruption risks facing the company and how the compliance programme mitigates these risks.5 At the same time, just as a compliance programme always could include more policies, more controls and more resources, a monitor always could take more steps and perform more testing. A monitor that dives into an assessment without fully understanding the unique risk profile and business needs of the company, therefore, is more likely to become sidetracked at the outset with issues that, while in theory might seem important to a compliance programme, are less important given the profile and history of the monitored company. A company's risk profile may be evaluated based on its industry and commercial sector; its use of agents and other third parties; its interactions with non-US government agencies and officials; its compliance history; and the perceived corruption risk of the markets in which it operates.

While the monitor must maintain objectivity and independence, the monitor should leverage the company's experience and existing risk assessment mechanisms to ensure an efficient, streamlined evaluation. Perhaps unsurprisingly, the company's senior leadership is often the best and most accessible source of information on the company's business practices and risk profile – or at least the best starting point for understanding these issues.

In addition, the monitor should be mindful of how it interacts with non-US employees, including the tone and body language of the monitor's team. Other steps for maximising the success and efficiency of the monitor's work include:

  • developing open communication channels with the company for sharing updates and information;
  • seeking the company's input on draft work plans (including witness interview lists and countries proposed for in-market scrutiny), accuracy of factual findings and proposed recommendations for remedial measures;
  • adjusting work schedules to accommodate the company's ongoing business, including avoiding deadlines around periods when relevant personnel are likely to be distracted; and
  • maintaining sensitivity to the feasibility and sustainability of remedial measures, and being receptive to constructive, valid criticism from the company.

Finally, in the most practical terms, a monitor is granted broad discretion to decide how to carry out its mandate, and given the broad scope of issues involved in FCPA monitorships, it is the monitor's responsibility to continuously revisit its work plan and ensure that its procedures and scope are appropriate for the risk profile of the company. The monitor should guard against 'scope creep' by evaluating whether it is pursuing issues or undertaking procedures that, on balance, have limited value or fall outside its mandate. This is not necessarily straightforward or easy, as deciding, for example, how many countries to include for field work or to how many employees to interview often comes down the exercise of good judgement. As a result, rigorous self-regulation by the monitor is critical to ensuring an efficient, balanced and successful monitorship.

Looking ahead: the future of FCPA monitorships

In the wake of debate about the sometimes exorbitant costs of monitorships, there has been increasing dialogue in the United States about the cost–benefit ratio of independent monitors. In addition to the obvious out-of-pocket expenses, critics have pointed to the disruptive impact of monitorships on ongoing business activities, monitorships that have seemingly expanded beyond their original scope into broad investigatory exercises, and the relative long-term benefits to the company.

Perhaps in recognition of these concerns, FCPA settlements have include independent monitorships with decreasing frequency. In 2018, the number of companies resolving FCPA charges that were assigned a monitor had dropped significantly from just a few years earlier. While it may be too soon to conclude that this trend reflects a long-term shift, in October 2018, DOJ issued new, more rigorous standards for determining whether to include a monitorship as part of a corporate criminal resolution. As demonstrated by the following passage from this guidance, DOJ appears to have signalled a move away from monitorships:

In general, the Criminal Division should favor the imposition of a monitor only where there is a demonstrated need for, and clear benefit to be derived from, a monitorship relative to the projected costs and burdens. Where a corporation's compliance program and controls are demonstrated to be effective and appropriately resourced at the time of resolution, a monitor will likely not be necessary.6

In terms of when to impose a monitor, this guidance states that the DOJ will weigh the benefit of a monitorship against the potential costs, including the impact on the company's operations. The guidance articulates the following specific factors that will bear on this assessment:

  • whether the misconduct occurred under different corporate leadership or in a different compliance environment;
  • whether the underlying misconduct involved the manipulation of corporate books and records or the exploitation of an inadequate compliance programme or internal controls;
  • whether the misconduct at issue was pervasive across the company or approved or facilitated by senior management;
  • the adequacy of remedial measures or corrective actions implemented by the company to prevent or detect similar misconduct;
  • whether the company has made significant improvements to its compliance programme and internal controls;
  • the unique risks and compliance challenges faced by the company; and
  • the projected expense of a monitor.7

In addition, this guidance states that, when DOJ does require a monitor, the 'scope of any monitorship should be appropriately tailored to address the specific issues and concerns that created the need for the monitor'.8 Importantly, this guidance does not apply to the SEC (see Chapter 4), which has independent authority to impose monitors as a condition of civil FCPA settlements.


Footnotes

1 Nicholas S Goldin and Mark J Stein, both former US federal prosecutors, are partners in the New York office of Simpson Thacher & Bartlett. The authors would like to thank Kristina Green of Simpson Thacher for providing invaluable assistance in the preparation of this chapter based on her work on FCPA monitorships.

2 15 U.S.C. Sections 78m and 78dd-1 et seq.

3 US Dep't of Justice, Criminal Div. and US Securities and Exchange Commission, Enforcement Div., 'A Resource Guide to the U.S. Foreign Corrupt Practices Act' (14 November 2012), https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf, at 2; S. Rep. No. 95-114, at 3-4 (1977),
https://www.justice.gov/sites/def ault/files/criminal-fraud/legacy/2010/04/11/senaterpt-95-114.pdf.

4 Foreign Corrupt Practices Act Clearinghouse: 'DOJ and SEC FCPA Enforcement Actions Per Year', Stan. L. Sch., http://fcpa.stanford.edu/statistics-analytics.html.

5 It is beyond the scope of this chapter, but a wealth of available literature addresses designing a risk-based compliance programme to meet the unique risk profile of a company.

6 Memorandum from Brian Benczkowski on Selection of Monitors in Criminal Division Matters to All Criminal Division Personnel of the U.S. Dep't of Justice, Criminal Div. (October 11 2018), https://www.justice.gov/opa/speech/file/1100531/download, at 2.

7 id.

8 id.

Previous Chapter:The Life Cycle of a Monitorship

Next Chapter:The Securities and Exchange Commission