We serve as external General Counsel or Chief Compliance Officers on all types of FCPA investigations and compliance matters. Samer B. Korkor – Head of FCPA Group
Originally enacted in 1977, the Foreign Corrupt Practices Act (FCPA) has been one of the main sources of federal authority for combatting bribery in the U.S. and abroad for more than 40 years. Amendments in 1998 significantly expanded the statute’s scope; and, today, the FCPA imposes substantial penalties for U.S. individuals and companies, foreign issuers of U.S. securities, and other foreign entities that engage in prohibited conduct around the globe.
In this Guide to the Foreign Corrupt Practices Act (FCPA), we will cover all aspects of FCPA compliance and risk mitigation. We have broken the key information into five parts:
- Part I: Determining Your Company’s FCPA Compliance Obligations
- Part II: Establishing FCPA Compliance
- Part III: Understanding the Risks of Non-Compliance
- Part IV: FCPA Training and Certification
- Part V: Additional Compliance and Mitigation Strategies
Part I: Determining Your Company’s FCPA Compliance Obligations
1. Does the FCPA Apply?
The FCPA prohibits U.S. entities from paying bribes to foreign officials, and it prohibits foreign entities from facilitating unlawful payments within the territory of the United States. As explained by the U.S. Securities and Exchange Commission, “[t]he FCPA can apply to prohibited conduct anywhere in the world and extends to publicly traded companies and their officers, directors, employees, stockholders, and agents.”
Under the FCPA, companies that offer securities in the U.S. markets (referred to as “issuers,” as discussed in more detail below) are also subject to various specific accounting requirements. This includes not only requirements pertaining to the maintenance of accurate books and records (in order to prevent bribes from being fraudulently concealed), but also requirements for establishing internal controls that sufficiently discourage FCPA violations.
Within its broad scope, the FCPA applies to three specific types of individuals and corporate entities. These are: (i) issuers, (ii) domestic concerns, and (iii) certain foreign nationals.
- What is an “issuer”? An issuer is any company that is listed on a U.S. stock exchange, or that is subject to SEC reporting requirements due to its securities being traded in the over-the-counter (OTC) market.
- What is a “domestic concern”? A domestic concern is any “person” (whether an individual or business entity) that is a citizen or resident of the United States or that is formed under U.S. state or federal law. U.S. nationals living abroad may be classified as domestic concerns as well.
- Who qualify as “certain foreign nationals”? Foreign nationals that are subject to the FCPA include citizens of foreign countries and foreign non-issuer entities that commit acts “in furtherance” of the payment of illegal bribes. This is why an experienced FCPA attorney that is a former DOJ attorney is so important.
2. How Does the FCPA Apply?
For U.S. companies that qualify as issuers and domestic concerns, compliance with the FCPA must necessarily address both of the statute’s core concerns—preventing foreign corruption and providing accounting transparency. Companies must ensure that their transactions with foreign nationals, foreign governments, and foreign state-controlled entities do not entail prohibited payments, and they must ensure that their records adequately reflect their compliance efforts in this regard.
Unlike many other federal statutes focused on corporate compliance and transparency, the FCPA does not have a specific threshold or other set triggering event for which a company becomes subject to its prohibitions. Engaging in a prohibited transaction triggers FCPA culpability, and this is true without regard to company size or any event or occurrence that may or may not have preceded it.
3. What Transactions Raise FCPA Compliance Concerns?
With this in mind, company executives and in-house counsel need to be cognizant of the types of transactions and business operations that have the potential for FCPA implications. Prior to engaging in such transactions or operations, they must address the FCPA’s stringent requirements, and they must take the steps necessary to ensure compliance (see Part II, below). Examples of transactions and business operations that have the potential to implicate the FCPA’s anti-bribery and accounting provisions include (but are not limited to):
- Import and export operations
- Political activities, including lobbying and involvement in democratic processes
- Direct payments to foreign officials
- Transactions and business activities with national security implications
- Government contracting
- Seeking government approvals
Part II: Establishing FCPA Compliance
1. Adopting Compliance Policies and Procedures
For companies that are engaged in transactions or business activities that have the potential to implicate the FCPA, establishing compliance needs to be a priority. Once a violation has been committed, it cannot be “undone;” and, as we discuss in Part III, the penalties for FCPA violations are severe. So, companies need to take the necessary measures to prevent violations if at all possible.
The first step toward establishing FCPA compliance is to adopt appropriate internal policies and procedures. These policies and procedures must be specific to the concerns raised by the FCPA, and they must be specific to the company’s unique management structure and operational risks as well. That said, FCPA compliance policies and procedures do not necessarily need to be stand-alone documents. If they can be integrated into the company’s existing compliance documentation, and if integrating them better facilitates corporate compliance, then there generally should not be an issue with simply updating the company’s existing internal documents.
However, this is not to suggest that establishing company-specific FCPA compliance policies and procedures is a simple or routine matter. Due to the nature of the conduct that the FCPA targets, it is especially important for FCPA compliance policies to take companies’ specific domestic and foreign business activities into consideration. While companies do not need to go overboard (and going overboard could actually suggest to federal regulators that the company is not adequately attuned to its specific FCPA compliance risks), they must also avoid overlooking potential issues that could lead to substantial liability exposure.
2. Implementing Compliance Policies and Procedures
After adopting necessary and appropriate FCPA compliance policies and procedures, issuers and domestic concerns must also take the steps necessary to ensure adequate implementation. The company’s new policies and procedures should be socialized across the organization, and relevant internal personnel must receive appropriate training. This means ensuring that employees who have the potential to interact with foreign nationals and foreign governments know the answers to questions such as:
- What is considered a “corrupt” payment under the FCPA?
- What qualifies as “anything of value”?
- What qualifies as a valid “business purpose”?
- What qualifies as a “bona fide expenditure”?
- Who qualifies as a “foreign official”?
- What does it mean to “facilitate” or “expedite” an unlawful payment?
Crucially, this implementation cannot be a one-time event. As the company’s operations change and expand, and as new employees step into positions in which they have the potential to interact with foreign entities, additional training will be required. Likewise, company executives and in-house lawyers must be keenly aware of the FCPA’s scope, and they must engage the company’s compliance counsel to assist with updating its FCPA compliance program when necessary.
3. Monitoring and Auditing Compliance
An effective corporate FCPA compliance program will also involve ongoing monitoring and auditing. Whether comprised of internal personnel or outside compliance counsel, the company should have a compliance team that is responsible for assessing the success (or failure) of the company’s compliance efforts. In an ideal scenario, the compliance team’s assessments will simply result in the generation of documentation that can be used to substantiate compliance in the event of an inquiry from the SEC. However, if there are issues that need to be remedied, then the FCPA law firm or compliance team will be responsible for identifying these issues before they trigger a federal inquiry.
Part III: Understanding the Risks of Non-Compliance
1. What Federal Agencies Enforce the FCPA?
As mentioned above, the SEC enforces U.S. individuals’ and companies’ obligations under the FCPA. However, the SEC is not the only agency responsible for assessing and enforcing FCPA compliance. The U.S. Department of Justice (DOJ) plays a major role in enforcing the FCPA as well, and it routinely participates in and independently conducts investigations targeting individuals and companies suspected of FCPA violations.
2. What Happens During an FCPA Investigation?
The specific steps involved in an FCPA investigation depend on the agency (or agencies) involved as well as whether the investigation is civil or criminal in nature (the FCPA includes provisions for both civil and criminal enforcement). In SEC investigations, the agency’s Enforcement Division follows a fairly consistent protocol, and the process ends with Enforcement Division personnel making a recommendation to the SEC Commissioner as to whether enforcement action is warranted.
In criminal matters involving the DOJ, the process is much more akin to federal investigations targeting other types of white-collar offenses. The DOJ may issue warrants and subpoenas, agents may show up at the company’s offices to question witnesses, and DOJ attorneys will ultimately determine whether they believe they have sufficient evidence to seek a federal grand jury indictment.
These, of course, are extremely abridged versions of the FCPA investigation process. SEC and DOJ investigations tend to be extraordinarily comprehensive, and avoiding civil or criminal enforcement requires a clear understanding of the FCPA as well as the procedural laws and regulations that apply to federal investigations. In many cases, it will be possible to avoid enforcement action; however, doing so requires a strategic approach, and companies will be well-served to have proactive defense mechanisms in place.
3. What are the Penalties for FCPA Violations?
In civil enforcement actions under the FCPA, penalties include fines of up to $10,000 per violation. These penalties can be imposed against issuers; corporate domestic concerns; company officers, directors, employees, and agents; and foreign nationals. The SEC also has the authority to seek enhanced penalties equal to the amount of the financial gain achieved as a result of the violation or up to $500,000, whichever is greater. The SEC and DOJ can seek injunctive relief as well in order to prevent future bribes in violation of the FCPA.
In criminal FCPA cases, companies can face up to $2 million in fines, and individuals can face up to $100,000 in fines plus five years of federal imprisonment. Under the Alternative Fines Act, these fines can be increased in certain cases as well.
Part IV: FCPA Training and Certification
1. What is FCPA Certification?
There are two types of FCPA certifications. Some commercial entities offer “FCPA Certification” programs that provide training on the statute’s requirements. While this training can be useful, the certification itself is not regulatory in nature and generally does not provide much commercial value. Typically, companies will find it more effective to hire FCPA compliance counsel to provide training that is custom-tailored to their specific operations rather than to put their employees through a generic training program.
The other type of FCPA certification is a contractual certification that one or both parties to the contract will abstain from violating the FCPA. Obtaining these certifications can be an essential component of an FCPA compliance program, as companies can face exposure due to the acts of third parties in some circumstances. Additionally, the U.S. Government requires foreign entities to certify to FCPA compliance in some cases. For example, “as a condition of its facilitation of direct loans and loan guarantees to a foreign purchaser of U.S. goods and services, the Export-Import Bank of the United States requires the U.S. supplier to make certifications concerning commissions, fees, or other payments paid in connection with the financial assistance and that it has not and will not violate the FCPA.”
2. Is FCPA Certification Required?
Except in circumstances in which certification is required as a condition of receiving government loans, guarantees, or other benefits, there is not a legal requirement for any company or individual to obtain or provide FCPA certification. However, as a practical matter, when dealing with third parties in circumstances that have the potential to trigger the FCPA’s prohibitions, companies should require third-party FCPA certifications as a component of their broader compliance programs.
3. Where Can Companies Go for FCPA Training and Certification?
As mentioned above, there are various companies that offer commercial FCPA training and certification programs. Law firms that practice in the area of FCPA compliance offer trainings for their clients as well. As noted previously, engaging an FCPA law firm to provide training that is tailored to the company’s specific compliance concerns will be the more prudent approach in most cases.
Part V: Additional Compliance and Mitigation Strategies
1. Documenting Compliance and Enforcement
As we discussed in Part II, establishing and maintaining FCPA compliance is an ongoing process. Developing policies and procedures is an important first step, but it is not sufficient to protect companies against the risk of violating the statute and facing SEC or DOJ enforcement.
In addition to implementation, monitoring, and auditing, ongoing compliance efforts should include documentation of these (and other) proactive compliance measures. At a minimum, companies should document their employees’ completion of FCPA training programs, they should create records of their monitoring efforts and audits, and they should document any decisions with potential FCPA implications (e.g., a decision to move forward with a transaction based on the statute’s “bona fide expenditure” clause).
2. Reacting to FCPA Compliance Deficiencies
In the event that a company’s monitoring or auditing efforts reveal a possible violation of the statute – whether in the form of an improper payment by the company or a third-party agent, or an accounting flaw that runs afoul of the FCPA – the company must react swiftly to remedy the violation. What is required will depend on the specific circumstances involved, and companies must be careful not to undertake unnecessary measures that could trigger unwanted scrutiny.
The DOJ encourages companies to self-report FCPA violations; and, in some cases, self-reporting may be in a company’s best interests. However, self-reporting does not provide complete immunity; and, as a result, company leaders should consult with legal counsel to determine if, when, and how to self-disclose identified FCPA violations.
3. Being Prepared for FCPA Investigations
Whether due to self-disclosure, a whistleblower complaint, or some other factor, many companies will face FCPA investigations at some point during their lifecycle. In order to avoid unnecessary penalties in civil or criminal enforcement proceedings, companies must be prepared to defend themselves during these investigations. FCPA compliance programs should include protocols for responding to SEC and DOJ inquiries; and, as discussed above, companies should maintain ongoing documentation with an eye toward proving compliance if and when necessary.
Due to the complexities and risks involved, FCPA investigations should generally be handled by companies’ outside counsel, and companies should choose counsel with specific experience in FCPA compliance and enforcement matters. By engaging with the SEC or DOJ early in the investigative process, and by effectively presenting evidence of the company’s compliance efforts, experienced FCPA defense counsel will be able to prevent investigations from leading to civil or criminal charges in many cases.
Contact the FCPA Law Firm of Oberheiden P.C. about FCPA Defense Strategies Today
Oberheiden P.C. is an FCPA law firm comprised of career federal compliance and defense attorneys, former DOJ prosecutors, and former senior officials with various federal agencies. We offer comprehensive FCPA compliance and defense representation for companies throughout the United States and around the world.
If you would like more information about what it takes to be FCPA compliant and to avoid charges in government investigations, we encourage you to get in touch. To schedule a complimentary initial consultation, please call 888-680-1745 or contact us online today.