A Cautionary Lesson For Any Potential FCPA Targets

Editor: Has the passage of Dodd-Frank made it incumbent on U.S. companies to make any changes to their FCPA compliance programs?

Harmon: Yes, I believe so. Among other things, Dodd-Frank established a whistleblower award program that incentivizes whistleblowers to report possible violations of federal securities laws, including the FCPA. The rules for this “bounty” program are complicated and still somewhat unsettled, but, in short, the program rewards whistleblowers who voluntarily report original information to the SEC resulting in sanctions exceeding $1 million by awarding them 10 to 30 percent of the total monetary sanctions.

In an additional stroke of misfortune for companies, the SEC resisted intensive lobbying during enactment of the bounty program rules and opted not to require that whistleblowers first report allegations internally before lodging their complaints with the SEC. Under the program rules, employees may report their concerns internally first – and there are some incentives for taking this approach – but they are not required to do so. Therefore, the big-picture result of Dodd-Frank’s bounty program is that there is now a much higher risk that companies will have to respond to informed inquiries from the SEC concerning FCPA and other securities law allegations that are “news” to company management.

To counter this increased chance of being caught off guard and with limited, if any, time to self-investigate, companies should consider taking several steps. First, they should provide effective training to employees regarding the new bounty program provisions. This may seem counter-intuitive, but absent proper training, misinformation about the program is likely to compound the challenges arising from Dodd-Frank. For example, many employees likely will believe that they must lodge complaints with the SEC before reporting their concerns internally. That is not the case. Following an internal disclosure, whistleblowers can wait up to 120 days before bringing the same information to the attention of the SEC. Moreover, whistleblowers receive full credit from the SEC for all additional violations uncovered during a company’s internal investigation, so whistleblowers have a vested interest in serious and thorough investigations by the companies. Employees should be informed of this vested interest.

Second, when calculating a whistleblower’s award, the SEC is required to consider whether the whistleblower followed applicable compliance policies. It is therefore in a company’s interest to require that employees first report all suspected violations internally and that they do so as soon as their concerns arise.

Third, because the bounty program rules contain a number of 120-day timelines, compliance programs should prioritize a rapid triage of alleged violations. Companies should consider involving counsel early in these assessments because, among other reasons, information that is subject to the attorney-client privilege and information obtained in connection with legal representation (e.g., during an internal investigation interview) generally cannot form the basis of a whistleblower claim.

Fourth, to further encourage early internal reporting, a company’s reporting procedures should match the simplicity of the SEC’s reporting procedures – namely, an anonymous submission process requiring a simple form which can be submitted electronically, by fax or by mail. And finally, an effective FCPA education and compliance program is essential because, more than ever, employees need to understand what conduct actually constitutes a FCPA violation – and just as importantly, what conduct does not.

Editor: Why is it of utmost importance for a company to know and conduct due diligence on its agents, joint venture partners and representatives of any kind who are representing the company in overseas markets? And what should companies do when it comes to third-party due diligence?

Harmon: A very senior FCPA prosecutor recently noted that over 90 percent of FCPA cases against corporations during a one-year period involved payments made by third parties. This remarkable statistic helps to explain the FCPA enforcement authorities’ expectation that third-party due diligence should be, in the words of that senior prosecutor, “robust, thorough, impeccably documented and preserved.” The statute expressly prohibits indirect bribes – e.g., bribes made by third-party representatives – and it is clear that the authorities will seek to hold companies accountable for failing to adequately vet or monitor their third-party representatives and business partners. Unfortunately, while the expectations of the authorities are unmistakably high, it is considerably less clear what specific steps companies should follow when vetting, monitoring and even compensating third-party representatives and business partners.

As a result, a number of notable practice trends have emerged that draw from resolved FCPA cases, limited official and informal guidance offered by the enforcement authorities, and other such guidance. As greater numbers of companies have gravitated towards these evolving but increasingly “standardized” practice trends, those companies that have elected not to adopt the practices are at increased risk of being viewed as outliers. Predictably, those companies may be harder pressed by enforcement authorities to justify their “non-standard” approaches in the event of alleged misconduct by their third-party representatives or business partners. Thus, while one size most definitely does not fit all in FCPA compliance, companies should carefully evaluate their risks and attendant compliance practices and be prepared to defend the approaches they have taken. As the 2009 conviction of Frederick Bourke demonstrated, the stakes are high when it comes to FCPA due diligence of business partners.

Turning to the second part of your question, companies use a variety of increasingly common tools to conduct third-party due diligence, for example: (1) forms requiring that stakeholders within the company that is conducting the diligence must provide basic information such as the reasons for the prospective engagement, the specific services sought, how the prospective third party (or parties) were selected, relevant experience and capabilities of the prospective third party, whether the prospective third party would need to interact with non-U.S. government officials, how much and in what manner the third party would be compensated, etc.; (2) forms used to elicit similar information from the prospective agent; and (3) some method of vetting the reputation and background of the prospective third party. Moreover, it bears noting that many of the increasingly standard practices related to contract provisions, certifications, the manner and method of compensation, etc. all need to be resolved during the early stages of the courtship, and in any event before the contract is executed.

Editor: Certain industries – the medical device, pharmaceutical and oilfield service industries – have been targeted recently. The biomedical industry was recently in the news, as Biomet was fined $22.7 million for bribery offenses in Argentina, Brazil and China. Why are these three industries under such intense scrutiny?

Harmon: The short answer to your question is that doing business in each of these three industries necessarily involves extensive interaction with persons viewed by the FCPA enforcement authorities as “foreign officials” under the Act. Taking first the oilfield services industry: in many of the countries blessed with vast energy resources, these resources fall under government control. Government ministries and state-owned energy companies govern the award of contracts, as well as the terms under which energy companies may operate within their boundaries. Moreover, there is certainly a perception – as reflected, for example, in the Transparency International index – that corruption is widespread in many of these countries. Given this combination, it is not surprising that the FCPA authorities have for many years focused on the risks of oilfield service work within certain of these countries.

The more recent focus on the medical device and pharmaceutical industries likely arises from similar concerns. Health care systems are highly regulated – even “state-operated” in many countries – and the perceived taint of widespread corruption in some of these countries does not spare the life science industries. It is also fair to assume that U.S. authorities may be somewhat cynical about business practices within the life science industries because of cases in the U.S. concerning improper inducements made to healthcare professionals. Much of the recent FCPA focus on life science companies stems from the notion that such improper inducements made to non-U.S. health care professionals can, under certain circumstances, run afoul of the FCPA. In the FCPA authorities’ view, doctors and other healthcare professionals employed by state-controlled institutions can be “foreign officials” under the FCPA. As most of your readers probably are aware, the breadth of the term “foreign official” is a point of long-standing debate and the key issue in several recent cases under the FCPA. However, unless and until the authorities modify their broad interpretation of this statutory term – and perhaps even if they do – life science companies are likely to face continuing scrutiny. Senior FCPA authorities have stated this expectation quite clearly. On the bright side, the large number of overseas investigations by both U.S. and non-U.S. authorities of life science companies has reinforced the need for strict adherence to effective compliance policies, and companies and their advisors now understand the most common risks and how to mitigate them.

Editor: Why have companies shied away from making facilitating payments?

Harmon: I attribute this trend to two developments: first, many countries that have enacted anti-corruption laws with extraterritorial application similar to the FCPA do not make an exception for facilitating payments. The U.K. Bribery Act is an obvious recent example. Accordingly, in our increasingly global marketplace, multinational companies – or those with multinational aspirations – find it risky to permit facilitating payments. Second, the facilitating payment exception under the FCPA has been construed so narrowly by the U.S. enforcement authorities that companies risk at least hard questions in all but the most limited of situations. Moreover, company personnel often encounter real difficulty trying to comply with this limited exception. That difficulty is not surprising given the ambiguity of statutory concepts such as “routine governmental action” and the exercise of official discretion. Companies that choose to allow facilitating payments typically expend considerable time and energy evaluating and monitoring these payments. Many end up working with their advisors to draft narrow protocols intended to govern such payments and their recordation, and, even then, the work in managing facilitating payments is substantial.

Editor: There is a perception that private equity firms, broker-dealers, trading and market making firms, and other financial service companies are facing increased FCPA scrutiny. If that perception has any basis in fact, what are the greatest areas of risk for these companies?