Not All Risks Are Equal: Best Practices for Complying with the Foreign Corrupt Practices Act

Let’s start with a glaring generality. Complying with global anti-corruption regulations across 150 or more countries will not happen by itself, and it is not a “one and done” exercise. Nor can you treat every potential risk the same, otherwise you risk spending all of your company’s resources on low-level risks that likely will never materialize. There is much you can do to reduce risks, and mitigate the impact of any government investigation into employee or intermediary misconduct.

LexisNexis recently hosted a Webinar for in-house counsel and compliance officers across the country, featuring three speakers: the head of compliance for a major global corporation, an accounting and finance expert who advises companies on compliance programs and investigations, and a former federal prosecutor now in private practice.  

Essential Elements of a Training and Compliance Program

Speaking first was Susan M. Frank Divers, senior vice president and assistant general counsel for Global Compliance for AECOM^SM, an $8 billion global provider of professional technical and management support services.  Divers took attendees through what she considers to be essential components of a solid global program.  And she would know.  AECOM, an $8 billion company with 45,000 employees—engineers, architects and many others—in more than 150 countries, has been named one of the World’s Most Ethical Companies four years running by The Ethisphere Institute.  

Awareness.  It is essential that leaders in your organization champion compliance, Divers said.  Training, guidance, support and awareness all need to work together.  Everyone in a worldwide organization needs to be encouraged to do the right thing, and that includes shareholders.   “Our mission is to enhance the social environments in which we work,” Divers said.  “If we don’t conduct programs with highest ethical standards, bridges will collapse and clean-water systems may fail.”  

Communication.  This is challenging, she said.  It takes time and effort to ensure people really understand the policies and challenges you face.  “We have a very active sustainability and corporate responsibility program,” Divers said.  “For example, we will not pursue business if it cannot be accomplished within our standards of ethics and transparency.  Communication needs to include messages from your CEO as well as from regional leaders and middle management.  And these must be shared in the native language of your operations.”

Effectiveness Monitoring.  AECOM actively monitors employees’ views to see how effective their program is.  “Eighty-two percent of our employees participated in our survey.  Sixty-nine percent said ethics and compliance is a strength.  Eighty-two percent said they believe we operate ethically,” Divers said.  

Participation.  Fellow panelist and financial expert Christopher Grippa, a managing director with Alvarez & Marsal Holdings, LLC, commented that AECOM has every right to be proud of the active participation of its employees because that is an important part of their learning process.   “It demonstrates they are comfortable sharing their opinions,” Grippa said.  “It is invaluable if employees feel like they have a seat at the table and can provide feedback from the business side as to what’s effective and what’s not effective.”  Divers added that AECOM has an annual “ethics week” to accelerate employee participation and to give them a chance to share their ideas from all geographies and business lines.  

Being Out There. “We believe it’s not enough to do things only inside the company,” Diver said.  As examples, she said their leadership has published ethics insights in Ethisphere Magazine; they recently joined the United Nations Global Compact; and they have run a “Best Practices in Ethics Communication Workshop,” involving leadership from organizations like General Electric, Hill & Knowlton and the U.S. Navy.

Social Media.  Divers said her company maintains active discussion groups to share comments and guidelines.  

Training.  AECOM maintains its code of conduct in 12 languages and has deployed a multi-faceted approach to anti-corruption training, with live training, online courses and instructive tools that make learning fun.  For example, she said they use such things as RealBiz Shorts^TM, a collection of humorous video vignettes depicting ethical “learning moments.”

Certification & Engagement.  Since 2010, all AECOM employees have been using the company’s online Performance Management System.  This is used to deliver messages from the top, to alert their workforce to rule changes, new sanctions decisions and boycotts, to provide information on partners and agents, to provide fraud prevention tools and discuss recent case developments.  They engage the employee with a theme of “it’s up to you,” Divers said, underscoring that this is “not a checkbox program.”  “We emphasize that retaliation is not tolerated; if you see something, say something,” she said.   Divers pointed to a program in which they held a  global contest for the best employee-produced compliance video.    “The response was terrific!” she said.

Clearly, what Divers didn’t say explicitly, was that having an enthusiastic compliance champion in your organization—like herself—is key to keeping a program vibrant and alive.  

Commenting on AECOM’s ethics portal, Alvarez & Marsal’s Grippa said not only is it great to have all that information centralized, but you can tell how many times your employees and third-party intermediaries have visited the site.  He also mentioned the value of the mobile applications accompanying the portal since so many employees rely on smartphones and tablets to perform work.  

Prioritization

Grippa encouraged listeners not to think anyone is advocating dropping everything and giving every possible risk the full weight of their corporate resources.   The output of your risk assessments—which should be executed regularly—is risk prioritization, he said. Companies need to ask:  Which are the most significant risks and which may have the highest impact?  Address those first, he said.  “Not all companies should have the world's best compliance programs if they don’t have risk.  Programs should be proportional to the risk.  You can’t set the expectation that you will address every risk otherwise you will bankrupt your company,” Grippa said.  “You don’t want the compliance tail wagging the operational dog.”

Grippa endorses benchmarking, pointing to the FCPA Resource Guide released by the Department of Justice and the Securities and Exchange Commission as well as the fraud assessment guidance contained in Sarbanes-Oxley.  He also favors having an independent party perform a “sanity check” to make sure you are doing what the government wants.  

Much of your assessment will involve prioritizing the risks brought by various third-party intermediaries as well.  Again advocating proportionality, you may want to run a robust due diligence on a new company in a high-risk country, but if you are dealing with a Fortune 500® company with a great compliance track record you may not need the same level of due diligence.

Former federal prosecutor and now a member with Mintz Levin, Paul Pelletier commented that while there is no legal duty to research a third-party distributor,  a company may find out that the distributor has been doing something wrong—like not paying taxes—and you may then have a duty to audit them to make sure they are in compliance.

You want to be sure your company has the right to audit the books and records of an agent or distributor, Pelletier said.  You may be in a situation where—while you are not legally obligated to audit—you may have a responsibility and later face liability if you do not.   For example, you do not want to be the company that finds out your agent is bribing tax officials to avoid paying taxes to get your product to market faster—something you could have uncovered in an audit.  

An environment that is fertile for compliance violations is one where the product or service is a commodity and the only way to differentiate from competitors is on price, Grippa said.  There may, then, be more pressure on sales people to pay bribes because it may seem to be the only way to beat competitors.  You also want to know how prone your industry is to corruption.  Ask yourself:  are your competitors being tagged for violations?  “If so, it’s a good time to look in the mirror,” he said. Are government sweeps taking place in your industry?  Are you operating in a high-risk country, such as Brazil, Russia, India and China.   Corruption is especially prevalent in jurisdictions where there is a lot of M&A activity.   You may find the risk of compliance is higher where the country has a highly complex tax structure, like Brazil, or a lot of mom-and-pop companies, like India, or is plagued by organized crime, like Russia.  

Implementing a Program

Grippa is a fan of technology solutions to support your compliance efforts.  Technology will not do the work for you, of course, but it’s a “great enabler” that will place your organization in a “defensible and proportional” position, he said.  It can help prioritize vendor-related risks by cataloging and calling out high-risk attributes and activities.  The government does not expect that you will prevent all fraud, he said, but they do expect you to take a “thoughtful approach” to prevent it.  

It is important to pay attention to the higher risk areas such as general ledger accounts and transactions, and higher-risk employees.  Equally important is tracking and taking credit for anti-corruption efforts.  He reiterated the value of a central portal that can maintain documentation, such as compliance certification of intermediaries. Organizations are starting to create preventative controls over, for example, a high-risk distributor, and deciding they will not do business with a third party if they do not have anti-corruption programs or a robust system for doing background checks.  This kind of “attribute auditing” is a best practice in a good compliance program.  

Grippa said technology can offer a valuable built-in safeguard.  For example, if an agent has not met certain internal requirements—and the compliance system is linked to the accounting system—that system will block the payment until the required boxes are checked.   This is something the government has viewed favorably in cases.  He added that you will want an executive override in place so payments will not be delayed due to out-of-date information.  

Grippa advocated “transaction monitoring” to flag high-risk situations such as an intermediary who shares discounts or commissions with other parties.  Systems will bubble up high-risk activity to the CFO through a dashboard and real-time alerts when, for example, an agent has requested approval to entertain a politically exposed person.  

What the Government Wants

Pelletier, whose prosecutorial experience includes his time as principal deputy chief of the U.S. Department of Justice’s Fraud Section, noted the very different personalities of a government-initiated investigation, and one that the company itself initiated by self reporting. The government looks favorably upon companies with benchmarks, policies and controls to avoid corruption in general, and with third parties in particular, he said.   They will want to know if your procedures, training and controls address these third-party risks.  The same is true for your monitoring and testing efforts.  The government wants to know that you are on top of how an agent is being compensated and the nature of their relationship with government officials, he said.  You want to be able to document what you did to prevent corrupt transactions, what due diligence you performed, and what you did to cure and remediate the violation, and prevent it from happening again, he said.  Have you explored the history of your intermediary? How long they have been in business?  Whether they have or need a bricks and mortar operation?   Do they have the structure to perform the work they are promising?  All of these are questions you can expect from the government, he said.

Pelletier recommended reviewing the Transparency International Index for the risk score of the countries you are operating in.   When contracting intermediaries in these and other countries you will want to be able to answer questions like these:  Have you examined the intermediary’s relationships with government agencies?  Are there familial relations?  Have they had prior employment with the government?  Do they meet with government officials—which certainly can be a good thing—but are these meetings held in private?  Are they providing gifts and travel to officials and their family members?  Do they justify “unusual” practices as “customary” ones that are necessary to do business?  

When you are engaging a third-party intermediary, make sure it is for the same line of business they have been involved in historically, Pelletier said.  “If they are in the shipping business and are suddenly interfacing with government officials on technology projects, that should send up a flag,” he said.  

Grippa added that you can turn these elements into contractual obligations.  You will want purchase orders and an effective approval process.  You may see line items such as “miscellaneous consulting.”  There is risk with that kind of “soft service,” so you want to tie the activity back to the contract and the person who contracted for that service in your organization.  You also want to be sure that the pricing is commensurate with the contract.  “Otherwise,” he said, “that is where bribery can take place.”

Pelletier said that is one reason you want a contract that gives your company the right to audit the books and records of an agent.  Without audit rights you are foregoing an effective bribery detection mechanism for which you may be held responsible, he said.

In assessing compensation, Pelletier said, you want to know if remuneration is in line with market value, whether it was properly invoiced and whether it can be tracked to an agent.  Was compensation requested in the form of cash and on an urgent basis?  Is the remuneration being characterized as customary or as a special bonus?  Is the agent asking that the payment be made to his company or to him personally?  All of these are red flags, Pelletier said.

When investigating corruption, the government will want to know if you reacted quickly, whether you had processes in place, and whether compensation was abnormal, he said.   The government, and your company, will want to know why a compliance monitoring didn’t detect bribes or whether someone in the company or at the agency sanctioned it.  They will want to know how quickly you reacted, what you did to fix the problem, who was in charge of the remedy, and whether the situation was or should be investigated, he said.

Pelletier offered these situations that should give you “cause to pause”:  Does the agency refuse to certify compliance with anti-bribery laws?  Are agents answering due diligence questions with non-specific or boilerplate answers, such as simply “yes” or “no”?  Again, does the agent explain expenses as "customary”?  And, does the agent attempt to legitimize unusual relationships with officials?

Divers, Grippa and Pelletier provided an excellent overview of what your company will want to put in place to avoid corruption, how to focus your efforts, how to mitigate the impact of any corrupt behavior and how to prepare to answer any government questions by asking yourself those questions first.