The Foreign Corrupt Practices Act
This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight
When resolving alleged violations of the Foreign Corrupt Practices Act (FCPA), US authorities have a range of options available to them. In addition to the standard consequences for violation of US laws, including penalties, disgorgement and imprisonment of individuals, US authorities also may require a company to appoint an independent FCPA compliance monitor. The monitor, who must not have any material connection to the company, its executives or its directors, is charged with objectively evaluating the company’s compliance with the FCPA and the measures in place to mitigate corruption risk. An effective monitor also will indirectly assist a company with developing and implementing an effective compliance programme by providing an outsider’s assessment of the programme and making actionable recommendations for improvements.
US authorities have required the appointment of monitors as part of the resolution of FCPA investigations involving a range of alleged forms of foreign bribery. The frequency of FCPA monitorships has changed over time and the number of FCPA settlements that have included a monitor has dropped significantly in recent years. However, in light of recent guidance from the US Department of Justice (DOJ), many practitioners expect a rise in the number of FCPA monitors in the next few years.
This chapter focuses on the role of an independent compliance monitor appointed as part of an FCPA settlement. It gives is a brief overview of trends in FCPA enforcement actions; a discussion of the distinguishing features of FCPA monitorships, including most notably their inherently broad, cross-border nature; and approaches for conducting efficient and successful monitorships, particularly in light of these unique aspects. Finally, the chapter discusses the future of FCPA monitorships in light of current enforcement trends and the most recent guidance issued by the DOJ.
Overview of the FCPA
The US Congress enacted the FCPA in 1977 to address concerns about widespread bribery of foreign officials by US companies. The DOJ and the US Securities and Exchange Commission (SEC) share responsibility for enforcing the FCPA. The DOJ focuses primarily on investigating and prosecuting criminal violations of the anti-bribery and accounting provisions of the FCPA, while the SEC has authority to pursue civil enforcement of the FCPA against issuers of securities in the United States and those who act on their behalf. After relatively modest enforcement levels for many years, enforcement activity increased steadily through the 2000s and peaked in 2016.
The FCPA has extraterritorial reach and US authorities may pursue violations against non-US entities based on alleged corruption that has only a limited nexus to the United States. In terms of the actual composition of defendants in FCPA cases, US-based entities and individuals have been involved in the majority of FCPA charges brought by the DOJ and the SEC. Nonetheless, in recent years, US enforcement agencies increasingly have pursued non-US companies for FCPA violations; indeed, for several years now, the DOJ has brought FCPA charges against more non-US companies than US companies.
Distinguishing features of FCPA monitorships
Although all US-style monitorships bear some similarities, FCPA monitorships are unique in a number of important respects, including the scope of the issues to be reviewed, the geographical reach of the review and the challenges that routinely confront both the company and the monitor in markets where common business practices may create risk under either the FCPA or US regulatory expectations more generally, or where ethical norms are more lenient than under the prevailing US governance and compliance standards.
Breadth of issues
Because corrupt payments may be processed, paid and concealed in a variety of ways, FCPA monitorships generally require an assessment of a broad range of a company’s policies, procedures and internal controls. In addition to evaluating the policies that specifically address anti-corruption, the monitor should evaluate ancillary policies that mitigate the risk of corrupt payments being made. These policies and procedures generally govern:
- charitable donations and sponsorships;
- gifts and free merchandise;
- use of cash;
- travel and entertainment reimbursement;
- licensing and other regulatory payments;
- payments to vendors and third parties;
- commissions or other service fees; and
- discounts and rebates.
In addition, an FCPA monitorship is multidimensional. Assessing the sufficiency of these policies at face value is an important first step. However, the FCPA monitor will need to dig beneath the ‘paper’ dimension of the company’s anti-corruption compliance programme to assess whether it is not only well designed but also effectively implemented. The monitor should evaluate whether employees, from the most senior executives to the lowest rank-and-file employees, understand and comply with the policies, procedures and controls. One of the most effective ways to make this assessment is through interviews in person with employees at various levels of seniority.
Another dimension of an anti-corruption compliance monitorship is assessing the company’s overall compliance culture and commitment to ethical business conduct (see Chapter 1). Although this is an unavoidably amorphous concept, and no two companies are the same, a company’s commitment to lawful business practices may be evaluated through several criteria, including:
- the tone at the top – or efforts by senior management to promote compliance, including compliance-related messaging;
- distribution and accessibility of compliance-related policies and procedures;
- the scope and effectiveness of training, including attendance rates and the substantive content;
- the availability and use by employees of ethics hotlines and other channels for reporting suspected misconduct, and the company’s efforts to publicise these channels to employees;
- the willingness of employees to report misconduct and employees’ fear of retaliation;
- the company’s willingness and capacity to investigate alleged wrongdoing, discipline wrongdoers and remediate deficiencies; and
- the company’s continuing efforts to monitor anti-corruption compliance in-house, such as internal audits.
Finally, in light of the accounting provisions of the FCPA, depending on the scope of the monitorship as agreed with US authorities, the monitor also may need to evaluate the accuracy of the company’s books and records, and related internal accounting controls.
FCPA monitorships are almost always cross-border in nature, even when the charges that lead to a monitorship only involve deficiencies in internal controls. Therefore, in addition to evaluating a company’s enterprise-wide compliance measures, a monitor should assess compliance measures in markets outside the United States. Although there are different ways to approach this more granular review, it is often not practical to conduct testing procedures in every one of the markets around the world where a company conducts business.
As a result, the selection of markets for review is a critically important step in the monitorship process. If FCPA violations are known to have occurred in a particular location, the monitor should usually include that market in the scope of its review. At the same time, a robust review will typically need to extend beyond the markets that were the subject of the settlement with the US authorities. Perhaps not surprisingly, the selection of markets for close inspection can present a challenge to a monitor striving to balance the breadth of the review with the need to complete the work both within a prescribed period and with minimal disruption and cost to the company.
In deciding which markets to inspect, the FCPA monitor typically considers a range of factors, including where corruption-related misconduct is known to have occurred, the perceived corruption risk (based on public reports, such as Transparency International’s Corruption Perceptions Index, and a company’s own internal risk assessments that are based on historical compliance violations and audit findings), where the nature and scope of the company’s business creates heightened corruption risk and, if possible, a diversity of markets in terms of revenue generation and location.
Once a group of markets has been selected, the monitor will conduct an in-depth review in those locations. Based on what the monitor learns during these in-country assessments, he or she will be in a position to make informed decisions about any additional markets worth visiting, and also may be able to draw broader conclusions about the overall effectiveness of a company’s compliance programme. In addition, the monitor should be able to formulate practical recommendations for enhancements to the programme informed by patterns and trends that emerge across markets, as well as by deficiencies identified in one particular market that reflect a broader, enterprise-wide weakness.
Effective practices for conducting FCPA monitorships
FCPA monitorships are guided by the specific requirements of the agreement between the company and the US government agency imposing the monitorship, including the scope of the subject matter, and general guidance issued by the US government concerning effective anti-corruption compliance programmes.
In the course of its preliminary work, including through an introductory overview provided by the company (discussed below), the monitor should identify the company’s key risk areas, including its touchpoints with non-US government officials, the frequency of those touchpoints and the employees engaged in those interactions, and the maturity of the compliance programme. The monitor then should develop a written work plan that details his or her plans for evaluating whether the company’s compliance programme is adequately designed on paper to identify, mitigate and respond to corruption risk, and is effectively understood by employees and implemented in practice.
Procedures commonly incorporated into monitorships
- Document review: A monitor should review a company’s prior risk assessments, policies, procedures, training materials, organisational charts, compliance committee materials, all relevant investigative, audit and monitoring reports, reports of wrongdoing and relevant compliance-related communications.
- Interviews: A monitor should conduct interviews with employees from relevant functional groups, various regions and different levels of seniority within a company. Attention should be paid to the order of these interviews, as it often makes sense to begin with corporate-level executives who can provide high-level perspectives on how the compliance programme operates and its key challenges, followed by interviews with relevant lower-level personnel in the markets. Before arriving in a country for field work, the monitor should consider speaking with relevant senior personnel from that country to obtain a preliminary understanding of how business is conducted in the market. This approach will help to improve the efficiency of sometimes limited time on-site by ensuring that the work is appropriately focused on the relevant issues and employees.
- Forensic transaction testing: An important tool for evaluating whether policies and procedures have been effectively implemented is forensic transaction testing, which typically requires the services of an experienced, independent forensic accountant. By selecting a sample of transactions based on indicia of potential red flags (such as unusual payments to third parties or to government agencies) and then reviewing whether the selected transactions were executed in compliance with the company’s applicable policies and controls, a monitor is able to identify policies that might warrant clarification or revision, because they are either not sufficiently understood by employees or not effective in achieving their objective.
- Hotline testing: A monitor must ensure that the available channels of reporting – such as ethics hotlines that operate independently of personnel in local markets – are functioning properly. To do this, in addition to reviewing the records of a company’s handling of prior reports, a monitor may consider testing a hotline in real time by submitting (with advance notice to a limited number of personnel at the company) mock reports in various languages and involving a range of alleged misconduct, and then tracking the company’s response.
Aspects of a compliance programme that a monitor should evaluate
- Policies, procedures and controls: A monitor should evaluate the substantive sufficiency of policies, procedures and controls designed to mitigate corruption. These typically include a company’s general anti-corruption policy and any policies and procedures governing the company’s interactions with non-US government officials; the onboarding and use of third parties; entertaining, hosting and reimbursement of related expenses; use of cash; gifts; sponsorships and charitable contributions; marketing; and promotional products. In addition, a monitor should consider whether the policies are sufficiently clear, understood by employees and practical.
- Tone at the top: Although a company’s ‘tone at the top’ is an amorphous concept, and different companies have different ways of approaching this issue, a monitor should review the extent and substance of any compliance messaging by the board and leadership at the corporate and market levels. In addition, interviews with employees at various levels of the company may provide insight into whether the company’s commitment to compliance has cascaded down to the rank and file.
- Resources and autonomy: A monitor should assess whether a company has sufficient resources allocated to anti-corruption compliance, including budget, headcount and subject-matter expertise; whether these resources are appropriately assigned based on the risk profile of the regions in which the company operates; whether the compliance function has sufficient independence from senior leadership; and how the compliance function reports to the company’s board of directors.
- Training: A monitor should review compliance-related training materials; evaluate the frequency, format and substantive scope of the training; speak with employees about the effectiveness of the training; determine whether the company tracks employees’ attendance at training sessions; and consider attending a training session.
- Use of third parties: Because vendors, sales agents and other third parties used by companies often present a heightened corruption risk, a monitor should evaluate the design and implementation of any policies, procedures and controls governing the onboarding and use of third parties, including the process for selecting third parties, conducting due diligence, the representations and rights included in contractual agreements with third parties (such as anti-corruption representations and audit rights), and the controls for payments to and from third parties. In this regard, it can be valuable to conduct forensic testing on a sample of third parties to assess whether they have been properly onboarded in compliance with the company’s applicable policies and controls, and whether payments complied with company policy.
- Reporting, investigations and discipline: A monitor should evaluate the adequacy of a company’s reporting channels and investigative processes. This assessment should include a review of available reporting channels (including the availability of anonymous reporting), the company’s efforts to encourage employees to speak up about suspected misconduct and whether employees are not only aware of the reporting channels but are both comfortable about reporting and believe that the company will take appropriate action in response to reports. A monitor also should enquire about the company’s efforts to prohibit retaliation against employees who report suspected misconduct. Relatedly, a monitor should explore whether a company’s resources and processes for investigating complaints and disciplining employees for substantiated misconduct are sufficiently robust. Finally, a monitor may examine whether a company’s employee performance review process and related compensation decisions assign appropriate weight to an employee’s compliance with anti-corruption policies and procedures.
- Self-monitoring: A monitor should evaluate a company’s internal audits and compliance monitoring programmes to determine whether the company has appropriate standing measures in place to self-identify and mitigate corruption risks and incidents of non-compliance.
- Mergers and acquisitions: A monitor should evaluate a company’s policies concerning transactional due diligence on potential acquisition targets and joint venture partners, and whether this diligence includes an anti-corruption risk assessment.
Considerations in FCPA monitorships
Although there is an inherent tension given the nature of the oversight work that a monitor is charged with conducting, it is incumbent on both the monitor and the company to develop a collaborative, respectful working relationship from the outset. Some of the key aspects of FCPA monitorships that bear on this dynamic are described below.
Considerations for the company
FCPA settlements often arise from conduct in regions of the world where business practices, ethical norms and government oversight are more lenient, or where anti-corruption compliance generally is viewed as less of a priority than in the United States. This raises several issues. In these markets, compliance with the anti-corruption regulations of a foreign state may not be fully incorporated into local corporate practices and culture. Employees and third parties who act on a company’s behalf may not appreciate the scope of the FCPA and how its requirements affect what may be routine but problematic business practices. Moreover, personnel might struggle to conform their conduct to US regulatory requirements and expectations in the face of the practical commercial realities of doing business in regions where standards of business conduct are less restrictive than in the United States. Non-US personnel also may be inherently suspicious of an independent monitor reporting to US authorities. Finally, personnel may be reluctant to report suspected violations within their company owing to a fear of retaliation or a more generalised but not uncommon social stigma associated with whistleblowing. These cultural circumstances are often more acute in remote markets that have fewer compliance resources, present language barriers and generally fall outside the field of vision of a company’s corporate compliance centre.
Even if a company’s headquarters understands, or at least accepts, the appointment of a monitor and perhaps even embraces the monitor with a collaborative spirit, company leadership must work to ensure that support of the monitor cascades to employees abroad. In this regard, the company should educate and sensitise employees to the concept of the monitorship, including, for example, through information sessions for employees who will interact with the monitor.
Another challenge confronting monitored companies is time and resource management. The inherently international nature and substantive scope of FCPA monitorships make them especially vulnerable to significant costs, in terms of both a monitor’s professional fees and management distraction. It is important, therefore, that, early in the negotiating process with the US authorities, a company should explore ways to limit the scope of the monitor’s mandate to issues that correlate closely to the underlying alleged misconduct. For example, for a settlement based on bribes paid by third-party vendors, the company might seek to limit the monitorship to a targeted review of policies, procedures and controls relating to the use of third parties.
In terms of managing a monitorship efficiently, one effective approach is for a company, at the outset, to present the monitor with a description of the conduct underlying its FCPA settlement as well as an overview of its business operations, key components of its compliance programme, its primary risk areas and relevant findings from internal investigations and internal audits. With the benefit of this background, the monitor should be better equipped to immediately focus on the core issues and avoid fact-gathering on foundational issues. During the course of the monitorship, the company should strive for an open dialogue with the monitor with respect to the monitor’s work plan, highlighting proposed areas for review that are inconsequential, present limited risk or exceed the monitor’s mandate. The company also should work with the monitor to avoid scheduling responses to information and document requests, interviews and in-country reviews at times of year that conflict with essential business functions, such as financial close periods.
Finally, the company should ask to review drafts of the monitor’s reports to address factual inaccuracies and to discuss the feasibility and sustainability of the monitor’s recommendations for remedial measures, particularly given the diverse markets in which the company might operate. With guidance from the company, the monitor might recast proposed remediation measures in a less burdensome and more practical fashion while still addressing the perceived deficiencies and without sacrificing the monitor’s objectivity and independence.
Noteworthy considerations for the monitor
As discussed above, when assessing the design and implementation of an anti-corruption programme, a monitor needs to understand the specific corruption risks facing a company and how its compliance programme mitigates these risks. At the same time, just as a compliance programme always could include more policies, more controls and more resources, a monitor always could take more steps and carry out more testing. A monitor that dives into an assessment without fully understanding the unique risk profile and business needs of a company, therefore, is more likely to become sidetracked at the outset with issues that, while in theory might seem important to a compliance programme, are less important given the profile and history of the monitored company. A company’s risk profile may be evaluated based on its industry and commercial sector, its use of agents and other third parties, its interactions with non-US government agencies and officials, its compliance history and the perceived corruption risk of the markets in which it operates.
Although a monitor must maintain objectivity and independence, he or she should leverage the company’s experience and existing risk assessment mechanisms to ensure an efficient, streamlined evaluation. Perhaps not surprisingly, a company’s senior leadership is often the best and most accessible source of information about the company’s business practices and risk profile – or at least the best starting point for understanding these issues.
In addition, a monitor should be mindful of how he or she interacts with non-US employees, including the tone and body language used by the monitor’s team. Other steps for maximising the success and efficiency of a monitor’s work include:
- developing open communication channels with a company for sharing updates and information;
- seeking a company’s input on draft work plans (including witness interview lists and countries proposed for in-market scrutiny), accuracy of factual findings and proposed recommendations for remediation measures;
- adjusting work schedules to accommodate a company’s existing business, including avoiding deadlines or site visits at times when relevant personnel are likely to be distracted; and
- maintaining sensitivity to the feasibility and sustainability of remediation measures, and being receptive to constructive, valid criticism from the company.
Finally, in the most practical terms, a monitor is granted broad discretion to decide how to carry out its mandate and, given the broad scope of issues involved in FCPA monitorships, it is a monitor’s responsibility to continuously revisit the work plan and ensure that its procedures and scope are appropriate for the risk profile of the company. A monitor should guard against ‘scope creep’ by evaluating whether issues are being pursued or procedures are being undertaken that, on balance, have limited value or fall outside the mandate of the monitorship. This is not necessarily straightforward or easy, as deciding, for example, how many countries to include for field work or how many employees to interview often comes down to good judgement. As a result, rigorous self-regulation by the monitor is critical to ensuring an efficient, balanced and successful monitorship.
Looking ahead: the future of FCPA monitorships
In March 2008, the then Acting Deputy Attorney General Craig Morford issued the first policy memorandum (the Morford Memorandum) outlining basic standards surrounding the imposition, selection and use of corporate monitorships. The Morford Memorandum advised prosecutors to consider the potential costs and benefits of a monitor, as well as the effects on the operations of a corporation, and cautioned that monitors should not be used to ‘further punitive goals’. A decade later, in October 2018, the then Assistant Attorney General Brian Benczkowski authored a memorandum (the Benczkowski Memorandum) that called for a more limited use of monitors. Notably, the Benczkowski Memorandum stressed that monitors should only be favoured ‘where there is a demonstrated need for, and clear benefit to be derived from, a monitorship relative to the projected costs and burden’. Importantly, the Benczkowski Memorandum explained that ‘a monitor will likely not be necessary’ if a company has a demonstrably effective compliance programme and controls. Not surprisingly, the DOJ imposed relatively few monitors in the years following the release of the Benczkowski Memorandum.
More recently, in October 2021, Deputy Attorney General Lisa Monaco issued a memorandum (the Monaco Memorandum) announcing important changes to the DOJ’s corporate criminal enforcement policies. With respect to monitorships, the Monaco Memorandum indicates that in deciding whether to impose a monitor, prosecutors should continue to consider the potential benefits of employing a monitor for the company and the public as well as the cost of a monitor and the effects on the operations of a corporation. In addition, the Monaco Memorandum reinforced guidance from the Benczkowski Memorandum that the ‘scope of any monitorship should be appropriately tailored to address the specific issues and concerns that created the need for the monitor’. As demonstrated by the following passage from this guidance, however, the DOJ appears to have signalled a relaxation of prior barriers to the imposition of monitors:
In general, the Department should favor the imposition of a monitor where there is a demonstrated need for, and clear benefit to be derived from, a monitorship. Where a corporation’s compliance program and controls are untested, ineffective, inadequately resourced, or not fully implemented at the time of a resolution, Department attorneys should consider imposing a monitorship. This is particularly true if the investigation reveals that a compliance program is deficient or inadequate in numerous or significant respects.
Importantly, this guidance does not apply to the SEC (see Chapter 14), which has independent authority to impose monitors as a condition of civil FCPA settlements.
It is perhaps too early to assess the long-term effects of the Monaco Memorandum. Nevertheless, its language – combined with the more aggressive posture that the Biden administration has conveyed more generally towards corporate criminal enforcement – suggests we are likely to see a significant increase in the use of monitors in the coming years.
1 Nicholas S Goldin and Joshua A Levine, both former US federal prosecutors, are partners at Simpson Thacher & Bartlett LLP.
2 15 U.S.C. Sections 78m and 78dd-1 et seq.
3 US Dep’t of Justice, Criminal Division, and US Securities and Exchange Commission, Enforcement Division, ‘A Resource Guide to the U.S. Foreign Corrupt Practices Act’ (Second Edition, July 2020), at 1, available at https://www.justice.gov/criminal-fraud/file/1292051/download (last accessed 10 Mar. 2022).
4 Foreign Corrupt Practices Act Clearinghouse: ‘DOJ and SEC FCPA Enforcement Actions Per Year’, Stanford Law School, at http://fcpa.stanford.edu/statistics-analytics.html (last accessed 21 Feb. 2022).
5 It is beyond the scope of this chapter, but a wealth of available literature addresses designing a risk-based compliance programme to meet a company’s unique risk profile.
6 Memorandum from Craig Morford for Heads of Department Components United States Attorneys on ‘Selection and Use of Monitors in Deferred Prosecution Agreements and Non-Prosecution Agreements with Corporations’ (March 7, 2008), at https://www.justice.gov/sites/default/files/dag/legacy/2008/03/20/morford-useofmonitorsmemo-03072008.pdf (last accessed 21 Feb. 2022).
7 Memorandum from Brian A Benczkowski to All Criminal Division Personnel of the US Department of Justice on ‘Selection of Monitors in Criminal Division Matters’ (October 11, 2018), at 2, at https://www.justice.gov/opa/speech/file/1100531/download (last accessed 21 Feb. 2022).
8 Memorandum from Lisa Monaco for all United States Attorneys on ‘Corporate Crime Advisory Group and Initial Revisions to Corporate Criminal Enforcement Policies’ (October 28, 2021), at 4, at https://www.justice.gov/dag/page/file/1445106/download (last accessed 21 Feb. 2022).