3. The Foreign Corrupt Practices Act
When resolving alleged violations of the Foreign Corrupt Practices Act (FCPA), US authorities have a range of options available to them. In addition to the standard consequences for violation of US laws, including penalties, disgorgement and imprisonment of individuals, US authorities also may require a company to appoint an independent FCPA compliance monitor. The monitor, who must not have any material connection to the company, its executives or its directors, is charged with objectively evaluating the company’s compliance with the FCPA and the measures in place to mitigate corruption risk. An effective monitor also will indirectly assist a company with developing and implementing an effective compliance programme by providing an outsider’s assessment of the programme and making actionable recommendations for improvements.
US authorities have required the appointment of monitors as part of the resolution of FCPA investigations involving a range of alleged forms of foreign bribery. The frequency of FCPA monitorships, however, has changed over time and the number of FCPA settlements that have included a monitor has dropped significantly in recent years. Based on the latest developments, including growing debate about the value proposition of monitorships and new US government policies, some practitioners expect the number of FCPA monitors to continue dropping, at least under today’s US enforcement regime.
This chapter focuses on the role of an independent compliance monitor appointed as part of an FCPA settlement. Set out below is a brief overview of trends in FCPA enforcement actions; a discussion of the distinguishing features of FCPA monitorships, including most notably their inherently broad, cross-border nature; and approaches for conducting efficient and successful monitorships, particularly in light of these unique aspects. Finally, this chapter discusses the future of FCPA monitorships in light of current enforcement trends and the FCPA guidance issued by the US Department of Justice (DOJ).
Overview of the FCPA
The US Congress enacted the FCPA in 1977 to address concerns about widespread bribery of foreign officials by US companies. The DOJ and the US Securities and Exchange Commission (SEC) share responsibility for enforcing the FCPA. The DOJ focuses primarily on investigating and prosecuting criminal violations of the anti-bribery and accounting provisions of the FCPA, while the SEC has authority to pursue civil enforcement of the FCPA against issuers of securities in the United States and those who act on their behalf. After relatively modest enforcement levels for many years, enforcement activity increased steadily through the 2000s and peaked in 2016.
The FCPA has extraterritorial reach and US authorities may pursue violations against non-US entities based on alleged corruption that has only a limited nexus to the United States. In terms of the actual composition of defendants in FCPA cases, US-based entities and individuals have been involved in the majority of FCPA charges brought by the DOJ and the SEC. Nonetheless, in recent years, US enforcement agencies increasingly have pursued non-US companies for FCPA violations; indeed, over the past several years, the DOJ has brought FCPA charges against more non-US companies than US companies.
Distinguishing features of FCPA monitorships
While all US-style monitorships bear some similarities, FCPA monitorships are unique in a number of important respects, including the scope of the issues to be reviewed, the geographical reach of the review and the challenges that routinely confront both the company and the monitor in markets where common business practices may create risk under either the FCPA or US regulatory expectations more generally, or where ethical norms are more lenient than under the prevailing US governance and compliance standards.
Breadth of issues
Because corrupt payments may be processed, paid and concealed in a variety of ways, FCPA monitorships generally require an assessment of a broad range of a company’s policies, procedures and internal controls. In addition to evaluating the policies that specifically address anti-corruption, the monitor should evaluate ancillary policies that mitigate the risk of corrupt payments being made. These policies and procedures generally govern:
- charitable donations and sponsorships;
- gifts and free merchandise;
- use of cash;
- travel and entertainment reimbursement;
- licensing and other regulatory payments;
- payments to vendors and third parties;
- commissions or other service fees; and
- discounts and rebates.
In addition, an FCPA monitorship is multidimensional. Assessing the sufficiency of these policies at face value is an important first step. However, the FCPA monitor will need to dig beneath the ‘paper’ dimension of the company’s anti-corruption compliance programme to assess whether the programme is not only well designed but also effectively implemented. The monitor should evaluate whether employees, from the most senior executives to the lowest rank-and-file employees, understand and comply with the policies, procedures and controls. One of the most effective ways to make this assessment is through interviews in person with employees at various levels of seniority.
Another dimension of an anti-corruption compliance monitorship is assessing the company’s overall compliance culture and commitment to ethical business conduct (see Chapter 1). While this is an unavoidably amorphous concept, and no two companies are the same, a company’s commitment to lawful business practices may be evaluated through several criteria, including:
- the tone at the top – or efforts by senior management to promote compliance, including compliance-related messaging;
- distribution and accessibility of compliance-related policies and procedures;
- the scope and effectiveness of training, including attendance rates and the substantive content;
- the availability and use by employees of ethics hotlines and other channels for reporting suspected misconduct, and the company’s efforts to publicise these channels to employees;
- the willingness of employees to report misconduct and fear of retaliation;
- the company’s willingness and capacity to investigate alleged wrongdoing, discipline wrongdoers and remediate deficiencies; and
- the company’s continuing efforts to monitor anti-corruption compliance in-house, such as internal audits.
Finally, in light of the accounting provisions of the FCPA, depending on the scope of the monitorship as agreed with US authorities, the monitor also may need to evaluate the accuracy of the company’s books and records, and related internal accounting controls.
FCPA monitorships are almost always cross-border in nature, even when the charges that lead to a monitorship only involve deficiencies in internal controls. Therefore, in addition to evaluating a company’s enterprise-wide compliance measures, a monitor should assess compliance measures in markets outside the United States. While there are different ways to approach this more granular review, it is often not practical to conduct testing procedures in every one of the markets around the world where a company conducts business.
As a result, the selection of markets for review is a critically important step in the monitorship process. If FCPA violations are known to have occurred in a particular location, the monitor should usually include that market in the scope of its review. At the same time, a robust review will typically need to extend beyond the markets that were the subject of the settlement with the US authorities. Perhaps not surprisingly, th selection of markets for close inspection can present a challenge to a monitor striving to balance the breadth of the review with the need to complete the work both within a prescribed period and with minimal disruption and cost to the company.
In deciding which markets to inspect, the FCPA monitor typically considers a range of factors, including where corruption-related misconduct is known to have occurred, the perceived corruption risk (based on public reports, such as Transparency International’s Corruption Perceptions Index, and a company’s own internal risk assessments that are based on historical compliance violations and audit findings), where the nature and scope of the company’s business creates heightened corruption risk and, if possible, a diversity of markets in terms of revenue generation and location.
Once a group of markets has been selected, the monitor will conduct an in-depth review in those locations. Based on what the monitor learns during these in-country assessments, he or she will be in a position to make informed decisions about any additional markets worth visiting, and also may be able to draw broader conclusions about the overall effectiveness of a company’s compliance programme. In addition, the monitor should be able to formulate practical recommendations for enhancements to the programme informed by patterns and trends that emerge across markets, as well as by deficiencies identified in one particular market that reflect a broader, enterprise-wide weakness.
Effective practices for conducting FCPA monitorships
FCPA monitorships are guided by the specific requirements of the agreement between the company and the US government agency imposing the monitorship, including the scope of the subject matter, and general guidance issued by the US government concerning effective anti-corruption compliance programmes.
In the course of its preliminary work, including through an introductory overview provided by the company (discussed below), the monitor should identify the company’s key risk areas, including its touchpoints with non-US government officials, the frequency of those touchpoints and the employees engaged in those interactions, and the maturity of the compliance programme. The monitor then should develop a written work plan that details his or her plans for evaluating whether the company’s compliance programme is adequately designed on paper to identify, mitigate and respond to corruption risk, and is effectively understood by employees and implemented in practice.
Procedures commonly incorporated into monitorships
- Document review: A monitor should review a company’s prior risk assessments, policies, procedures, training materials, organisational charts, compliance committee materials, all relevant investigative, audit and monitoring reports, reports of wrongdoing and relevant compliance-related communications.
- Interviews: A monitor should conduct interviews with employees from relevant functional groups, various regions and different levels of seniority within a company. Attention should be paid to the order of these interviews, as it often makes sense to begin with corporate-level executives who can provide high-level perspectives on how the compliance programme operates and its key challenges, followed by interviews with relevant lower-level personnel in the markets. Before arriving in a country for field work, the monitor should consider speaking with relevant senior personnel from that country to obtain a preliminary understanding of how business is conducted in the market. This approach will help to improve the efficiency of sometimes limited time on-site by ensuring that the work is appropriately focused on the relevant issues and employees.
- Forensic transaction testing: An important tool for evaluating whether policies and procedures have been effectively implemented is forensic transaction testing, which typically requires the services of an experienced, independent forensic accountant. By selecting a sample of transactions based on indicia of potential red flags (such as unusual payments to third parties or to government agencies) and then reviewing whether the selected transactions were executed in compliance with the company’s applicable policies and controls, a monitor is able to identify policies that might warrant clarification or revision, because they are either not sufficiently understood by employees or not effective in achieving their objective.
- Hotline testing: A monitor must ensure that the available channels of reporting – such as ethics hotlines that operate independently of personnel in local markets – are functioning properly. To do this, in addition to reviewing the records of a company’s handling of prior reports, a monitor may consider testing a hotline in real time by submitting (with advance notice to a limited number of personnel at the company) mock reports in various languages and involving a range of alleged misconduct, and then tracking the company’s response.
Aspects of a company’s compliance programme that a monitor should evaluate
- Policies, procedures and controls: A monitor should evaluate the substantive sufficiency of policies, procedures and controls designed to mitigate corruption. These typically include a company’s general anti-corruption policy and any policies and procedures governing the company’s interactions with non-US government officials; the onboarding and use of third parties; entertaining, hosting and reimbursement of related expenses; use of cash; gifts; sponsorships and charitable contributions; marketing; and promotional products. In addition, a monitor should consider whether the policies are sufficiently clear, understood by employees and practical.
- Tone at the top: While a company’s ‘tone at the top’ is an amorphous concept, and different companies have different ways of approaching this issue, a monitor should review the extent and substance of any compliance messaging by the board and leadership at the corporate and market levels. In addition, interviews with employees at various levels of the company may provide insight into whether the company’s commitment to compliance has cascaded down to the rank and file.
- Resources and autonomy: A monitor should assess whether a company has sufficient resources allocated to anti-corruption compliance, including budget, head count and subject-matter expertise; whether these resources are appropriately assigned based on the risk profile of the regions in which the company operates; whether the compliance function has sufficient independence from senior leadership; and how the compliance function reports to the company’s board of directors.
- Training: A monitor should review compliance-related training materials; evaluate the frequency, format and substantive scope of the training; speak with employees about the effectiveness of the training; determine whether the company tracks employees’ attendance at training sessions; and consider attending a training session.
- Use of third parties: Because vendors, sales agents and other third parties used by companies often present a heightened corruption risk, a monitor should evaluate the design and implementation of any policies, procedures and controls governing the onboarding and use of third parties, including the process for selecting third parties, conducting due diligence, the representations and rights included in contractual agreements with third parties (such as anti-corruption representations and audit rights), and the controls for payments to and from third parties. In this regard, it can be valuable to conduct forensic testing on a sample of third parties to assess whether they have been properly onboarded in compliance with the company’s applicable policies and controls, and whether payments complied with company policy.
- Reporting, investigations and discipline: A monitor should evaluate the adequacy of a company’s reporting channels and investigative processes. This assessment should include a review of available reporting channels (including the availability of anonymous reporting), the company’s efforts to encourage employees to speak up about suspected misconduct and whether employees are not only aware of the reporting channels but are both comfortable about reporting and believe that the company will take appropriate action in response to reports. A monitor also should enquire about the company’s efforts to prohibit retaliation against employees who report suspected misconduct. Relatedly, a monitor should explore whether a company’s resources and processes for investigating complaints and disciplining employees for substantiated misconduct are sufficiently robust. Finally, a monitor may examine whether a company’s employee performance review process and related compensation decisions assign appropriate weight to an employee’s compliance with anti-corruption policies and procedures.
- Self-monitoring: A monitor should evaluate a company’s internal audits and compliance monitoring programmes to determine whether the company has appropriate standing measures in place to self-identify and mitigate corruption risks and incidents of non-compliance.
- Mergers and acquisitions: A monitor should evaluate a company’s policies concerning transactional due diligence on potential acquisition targets and joint venture partners, and whether this diligence includes an anti-corruption risk assessment.
Considerations in FCPA monitorships
While there is an inherent tension given the nature of the oversight work that a monitor is charged with conducting, it is incumbent on both the monitor and the company to develop a collaborative, respectful working relationship from the outset. Some of the key aspects of FCPA monitorships that bear on this dynamic are described below.
Considerations for the company
FCPA settlements often arise from conduct in regions of the world where business practices, ethical norms and government oversight are more lenient, or where anti-corruption compliance generally is viewed as less of a priority than in the United States. This raises several issues. In these markets, compliance with the anti-corruption regulations of a foreign state may not be fully incorporated into local corporate practices and culture. Employees and third parties who act on a company’s behalf may not appreciate the scope of the FCPA and how its requirements affect what may be routine but problematic business practices. Moreover, personnel might struggle to conform their conduct to US regulatory requirements and expectations in the face of the practical commercial realities of doing business in regions where standards of business conduct are less restrictive than in the United States. Non-US personnel also may be inherently suspicious of an independent monitor reporting to US authorities. Finally, personnel may be reluctant to report suspected violations within their company owing to a fear of retaliation or a more generalised but not uncommon social stigma associated with whistleblowing. These cultural circumstances are often more acute in remote markets that have fewer compliance resources, present language barriers and generally fall outside the field of vision of a company’s corporate compliance centre.
While a company’s headquarters may understand, or at least accept, the appointment of a monitor and perhaps even embrace the monitor with a collaborative spirit, company leadership must work to ensure that support of the monitor cascades to employees abroad. In this regard, the company should educate and sensitise employees to the concept of the monitorship, including, for example, through information sessions for employees who will interact with the monitor.
Another challenge confronting monitored companies is time and resource management. The inherently international nature and substantive scope of FCPA monitorships make them especially vulnerable to significant costs, in terms of both a monitor’s professional fees and management distraction. It is important, therefore, for a company early in the negotiating process with the US authorities to explore ways to limit the scope of the monitor’s mandate to issues that correlate closely to the underlying alleged misconduct. For example, for a settlement based on bribes paid by third-party vendors, the company might seek to limit the monitorship to a targeted review of policies, procedures and controls relating to the use of third parties.
In terms of managing a monitorship efficiently, one effective approach is for a company, at the outset, to present the monitor with a description of the conduct underlying its FCPA settlement as well as an overview of its business operations, key components of its compliance programme, its primary risk areas, and relevant findings from internal investigations and internal audits. With the benefit of this background, the monitor should be better equipped to immediately focus on the core issues and avoid fact-gathering on foundational issues. During the course of the monitorship, the company should strive for an open dialogue with the monitor with respect to the monitor’s work plan, highlighting proposed areas for review that are inconsequential, present limited risk or exceed the monitor’s mandate. The company also should work with the monitor to avoid scheduling responses to information and document requests, interviews and in-country reviews at times of year that conflict with essential business functions, such as financial close periods.
Finally, the company should ask to review drafts of the monitor’s reports to address factual inaccuracies and to discuss the feasibility and sustainability of the monitor’s recommendations for remedial measures, particularly given the diverse markets in which the company might operate. With guidance from the company, the monitor might recast proposed remediation measures in a less burdensome and more practical fashion while still addressing the perceived deficiencies and without sacrificing the monitor’s objectivity and independence.
Noteworthy considerations for the monitor
As discussed above, when assessing the design and implementation of an anti-corruption programme, a monitor needs to understand the specific corruption risks facing a company and how its compliance programme mitigates these risks. At the same time, just as a compliance programme always could include more policies, more controls and more resources, a monitor always could take more steps and carry out more testing. A monitor that dives into an assessment without fully understanding the unique risk profile and business needs of a company, therefore, is more likely to become sidetracked at the outset with issues that, while in theory might seem important to a compliance programme, are less important given the profile and history of the monitored company. A company’s risk profile may be evaluated based on its industry and commercial sector, its use of agents and other third parties, its interactions with non-US government agencies and officials, its compliance history, and the perceived corruption risk of the markets in which it operates.
While a monitor must maintain objectivity and independence, he or she should leverage the company’s experience and existing risk assessment mechanisms to ensure an efficient, streamlined evaluation. Perhaps not surprisingly, a company’s senior leadership is often the best and most accessible source of information about the company’s business practices and risk profile – or at least the best starting point for understanding these issues.
In addition, a monitor should be mindful of how he or she interacts with non-US employees, including the tone and body language used by the monitor’s team. Other steps for maximising the success and efficiency of a monitor’s work include:
- developing open communication channels with a company for sharing updates and information;
- seeking a company’s input on draft work plans (including witness interview lists and countries proposed for in-market scrutiny), accuracy of factual findings and proposed recommendations for remediation measures;
- adjusting work schedules to accommodate a company’s existing business, including avoiding deadlines or site visits at times when relevant personnel are likely to be distracted; and
- maintaining sensitivity to the feasibility and sustainability of remediation measures, and being receptive to constructive, valid criticism from the company.
Finally, in the most practical terms, a monitor is granted broad discretion to decide how to carry out its mandate and, given the broad scope of issues involved in FCPA monitorships, it is a monitor’s responsibility to continuously revisit his or her work plan and ensure that its procedures and scope are appropriate for the risk profile of the company. A monitor should guard against ‘scope creep’ by evaluating whether he or she is pursuing issues or undertaking procedures that, on balance, have limited value or fall outside his or her mandate. This is not necessarily straightforward or easy, as deciding, for example, how many countries to include for field work or how many employees to interview often comes down to the exercise of good judgement. As a result, rigorous self-regulation by the monitor is critical to ensuring an efficient, balanced and successful monitorship.
Looking ahead: the future of FCPA monitorships
In the wake of debate about the sometimes exorbitant costs of monitorships, there has been increasing dialogue in the United States about the cost–benefit ratio of independent monitors. In addition to the obvious out-of-pocket expenses, critics have pointed to the disruptive effects of monitorships on business activities, monitorships that have seemingly expanded beyond their original scope into broad investigatory exercises, and the sometimes modest long-term benefits to the company.
In recognition of some of the costs of monitorships, in October 2018, the DOJ issued new, more rigorous standards for determining whether to include a monitorship as part of a corporate criminal resolution. As demonstrated by the following passage from this guidance, the DOJ appears to have signalled a move away from monitorships:
In general, the Criminal Division should favor the imposition of a monitor only where there is a demonstrated need for, and clear benefit to be derived from, a monitorship relative to the projected costs and burdens. Where a corporation’s compliance program and controls are demonstrated to be effective and appropriately resourced at the time of resolution, a monitor will likely not be necessary.
In terms of when to impose a monitor, this guidance states that the DOJ will weigh the benefit of a monitorship against the potential costs, including the effects on a company’s operations. The guidance articulates the following specific factors that will bear on this assessment:
- whether the misconduct occurred under different corporate leadership or in a different compliance environment;
- whether the underlying misconduct involved the manipulation of corporate books and records or the exploitation of an inadequate compliance programme or internal controls;
- whether the misconduct at issue was pervasive across the company or approved or facilitated by senior management;
- the adequacy of remediation measures or corrective actions implemented by a company to prevent or detect similar misconduct;
- whether a company has made significant improvements to its compliance programme and internal controls;
- the unique risks and compliance challenges faced by a company; and
- the projected expense of a monitor.
In addition, this guidance states that, when the DOJ does require a monitor, the ‘scope of any monitorship should be appropriately tailored to address the specific issues and concerns that created the need for the monitor’. Importantly, this guidance does not apply to the SEC (see Chapter 4), which has independent authority to impose monitors as a condition of civil FCPA settlements.
It is perhaps too early to assess the long-term effects of the DOJ guidance. Indeed, while the number of DOJ FCPA resolutions that imposed a monitor had dipped in the period immediately preceding the DOJ guidance, it ticked back up in 2019. Nevertheless, the guidance suggests that the DOJ will certainly place greater weight on the potential costs of a monitor than it has in the past, and may be more receptive to arguments that a monitor is not warranted, or that the scope of a monitorship should be tailored narrowly to avoid unnecessary costs and disruption.
1 Nicholas S Goldin and Joshua A Levine, both former US federal prosecutors, are partners at Simpson Thacher & Bartlett LLP.
2 15 U.S.C. Sections 78m and 78dd-1 et seq.
3 US Dep’t of Justice, Criminal Division, and US Securities and Exchange Commission, Enforcement Division, ‘A Resource Guide to the U.S. Foreign Corrupt Practices Act’ (14 November 2012), at https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf, at 2; S. Rep. No. 95-114, at 3 to 4 (1977), at https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2010/04/11/senaterpt-95-114.pdf.
4 Foreign Corrupt Practices Act Clearinghouse: ‘DOJ and SEC FCPA Enforcement Actions Per Year’, Stanford Law School., at http://fcpa.stanford.edu/statistics-analytics.html.
5 It is beyond the scope of this chapter, but a wealth of available literature addresses designing a risk-based compliance programme to meet the unique risk profile of a company.
6 Memorandum from Brian A Benczkowski on ‘Selection of Monitors in Criminal Division Matters’ to All Criminal Division Personnel of the U.S. Department of Justice, (October 11 2018), at https://www.justice.gov/opa/speech/file/1100531/download, at 2.