Make that Thirteen Labors: FCPA requirements present Herculean labor for compliance officers

It is well reported that Foreign Corrupt Practices Act (FCPA) enforcement sanctions have increased significantly in recent years. Headlines focus on monumental monetary penalties, such as Alstom S.A.’s $772 million settlement.[1] Alstom’s record-setting fine was due, in part, to Alstom’s failure to voluntarily self-disclose and cooperate with the government’s investigation.[2] Another important trend has emerged: FCPA enforcement is no longer a concern only for Fortune 100 global companies. FCPA compliance is a prerequisite for companies of all sizes, especially those in the middle market.

To navigate and comply with this “new reality,” the role of compliance officers is changing and growing. The U.S. Department of Justice recognizes that a one-size-fits-all approach to compliance is not realistic.[3] At the same time, however, the DOJ explains that companies, no matter their size, should have policies and procedures in place to help ensure compliance with the FCPA. Speeches by recently confirmed U.S. Attorney General Loretta Lynch and Assistant Attorney General for the Criminal Division Leslie Caldwell show that the DOJ is looking for mid-sized companies to tailor their compliance programs to their industry and specific risk areas.

While recent speeches by top government officials provide guidance regarding effective FCPA compliance, these speeches underscore the Herculean task that companies and their compliance officers face in determining exactly what is required. For example, according to recent statements by the DOJ and the SEC, which also enforces the FCPA, a company should:

  • create a comprehensive FCPA compliance program, but assure that it is also specifically tailored to the company’s needs, structure, risk exposure and budget;
  • develop an FCPA compliance program that meets the company’s business needs, such as the use of third parties to help sell or promote the company’s products or services in foreign countries, but have procedures that can quickly and effectively catch potential FCPA issues related to third parties, no matter where the location;
  • take whistleblower or other information seriously, but should not investigate too broadly or spend too much time or too many resources investigating issues; and
  • work closely with senior management to emphasize the importance of compliance from the top down and periodically review the strength of the compliance program.
A Comprehensive, Tailored Anti-Bribery Compliance Program

On May 19, 2015, in a speech describing the “hallmarks” of an effective compliance program, Caldwell explained that effective compliance programs are tailored to the company’s or industry’s “unique needs, risks and structure.”[4] Regarding FCPA compliance, she stated that “businesses that tend to be exposed to corruption must employ different internal controls than businesses that have less exposure to corruption.”[5] For middle-market companies, Caldwell’s statements explained that when risk exposure is low, the DOJ does not expect a company to spend unnecessary time and resources monitoring low-risk areas.

Caldwell continued to emphasize that corporate accountability “is a good practice for all of your companies.”[6] Yet without qualification for company size, she made clear that companies need a compliance team that has “adequate funding and access to necessary resources [and] an appropriate stature within the company.”[7] Attorney General Lynch, the first attorney general with significant FCPA experience, has praised corporate compliance programs that apply a “single global standard” wherever the company does business.[8] In addition, disclosure and corporate cooperation requires providing information to the DOJ about employees and other individuals involved.

The Alstom case showed the problems of delayed and incomplete cooperation with the DOJ. The recent case of BHP Billiton Ltd. and BHP Billiton Plc (collectively, “BHPB”) underscores a different problem: the potential pitfalls for mid-sized companies that do cooperate but do not have a dedicated compliance team or procedures. They simply have a “paper policy.” On May 20, 2015, BHPB agreed to pay a $25 million penalty to settle the SEC’s FCPA charges related to BHPB’s conduct during the 2008 Olympics in China.[9] BHPB paid for foreign government officials and their spouses to attend the Olympics when BHPB had contracts or regulatory deals pending before those foreign government officials. Until this case, BHPB did not have an independent compliance group, though it had a “Global Ethics Panel” advisory body. The SEC required that BHPB establish, as part of its settlement, a centralized compliance group, “within its legal department that is independent from the business units [and] responsible for FCPA compliance, among other things, and reports directly to BHPB’s general counsel and Audit Committee.”[10]

Monitoring Third Parties: A Major Concern for Compliance

Compared to large multinational companies, mid-sized companies may appear to have less exposure to FCPA risk because they often cover a more limited geographic territory and have fewer employees. Nevertheless, the FCPA risk cannot be underestimated. A “smaller” fine can be more devastating, perhaps fatal, than a much larger fine to a multinational company. Indeed, due to their sizes, mid-sized companies frequently engage third parties or hire “foreign consultants” to help make entrées into foreign markets, including those in countries with a high risk for corruption. In addition, due to their sizes, middle-market companies may expand into new foreign markets by entering into joint ventures or other business partnerships. These are all areas of major FCPA risk. Thus companies need to determine the compliance protocols to follow with joint ventures or other partnerships.

Recent cases show the importance of monitoring relationships with third parties, agents and consultants. For example, Texas company Dallas Airmotive, Inc. paid a $14 million penalty to resolve FCPA charges, including that it paid third-party representatives in order to direct that money to foreign officials in Brazil and Argentina.[11] Third parties are often difficult to monitor since these people are often located many thousands of miles away and are not employees. In recent years, a high percentage of FCPA cases involved third-party agents.

New Era of Responsibility and Liability for Compliance Officers

Compliance officers and general counsel also face significant challenges when a company fails to respond to potential misconduct. If senior management fails to act after concerns of misconduct are brought to management’s attention, the compliance officer must be prepared to confront a Hobbesian choice: consider reporting to government agencies or being held responsible for the company’s failure to correct the conduct. Recent DOJ speeches on corporate cooperation, along with a renewed emphasis on individual liability, have brought this dilemma into focus.

Since September 2014, Assistant Attorney General Caldwell has emphasized the DOJ’s position on individual liability, noting the DOJ’s “strong record of successful prosecutions on matters involving both individuals and corporations.”[12] This position was reiterated in May 2015, when Caldwell stated that a company seeking to receive cooperation credit must “affirmatively [] identify responsible individuals (and provide evidence supporting their culpability).”[13] Compliance officers are under pressure to remediate FCPA violations, but when it is not done, the compliance officer may now also be liable. In other words, a compliance officer cannot simply rely on establishing procedures and not follow up on allegations of potential misconduct.

The Dodd Frank Act has also brought this issue to the forefront by providing monetary awards to persons who provide information that leads to the successful prosecution of a violation. Indeed, in two cases since the SEC’s whistleblower program began, employees with compliance responsibilities received “whistleblower awards.” In April 2015, the SEC announced a whistleblower award of between $1.4 and $1.6 million to a compliance officer.[14]

Under the SEC’s rules, compliance officers are not usually eligible for a whistleblower award. The compliance officer may be eligible if, however, there is a reasonable basis to believe that disclosure of the information to the SEC “is necessary to prevent the relevant entity from engaging in conduct that is likely to cause substantial injury to the financial interest or property of the entity or investors,” and “responsible management or governance personnel at the entity were aware of the imminent violation and were not taking steps to prevent it.”[15]

When the SEC announced its first whistleblower award to a compliance employee in August 2014, Sean McKessy, chief of the SEC’s Office of the Whistleblower, stressed: “Individuals who perform internal audit, compliance and legal functions for companies are on the frontlines in the battle against fraud and corruption. They often are privy to the very kinds of specific, timely and credible information that can prevent an imminent fraud or stop an ongoing one, [and they] may be eligible for an SEC whistleblower award if their companies fail to take appropriate, timely action on information they first reported internally.”[16]

The SEC whistleblower program contains rules that apply directly to compliance officers and employees. As the SEC explained in its April 2015 order, the “original information” exception permits granting an award to a person whose principal duties are “compliance or internal audit responsibilities.”[17] In that case, the compliance officer believed disclosure was necessary to prevent imminent harm to investors under this. Another exception in the SEC whistleblower program is for an officer of a company. Though not usually eligible for an award, any officer may be eligible should a company fail to address compliance issues brought to its attention by the responsible compliance personnel within 120 days.[18]

In conclusion, the government’s focus on individual liability means that compliance officers must be prepared not only to assist the government in identifying misconduct of executives and employees, but also to consider their own role in identifying and attempting to root out the misconduct. When the misconduct is not reported or is allowed to persist, it is the compliance officer who may be at risk along with others. The December 2014 case brought against former Moneygram International Chief Compliance Officer Thomas Haider, although not an FCPA case, shows the DOJ’s willingness to take action against compliance officers. Because FCPA enforcement is unlikely to subside, compliance officers and general counsel who oversee compliance must understand the potential ramifications when the company does not act, or is slow to do so, in the face of potential FCPA violations.

[1] The Wall Street Journal, "Alstom to Pay $772 Million to Settle Bribery Charges" (Dec. 22, 2014),

[2] Leslie R. Caldwell, Assistant Attorney Gen., U.S. Dep’t of Justice, Remarks at the Compliance Week Conference (May 19, 2015), available at

[3] Id.

[4] Id.

[5] Id.

[6] Id.

[7] Id.

[8] Adam Turteltaub, "In the Spotlight: Loretta Lynch," Compliance & Ethics Prof’l, Sept./Oct., 2013, at 70, available at

[9] Order Instituting Cease-and-Desist Proceedings Pursuant to Section 21C of The Securities Exchange Act of 1934, Making Findings, and Imposing a Cease-and-Desist Order, No. 74998 (May 20, 2015), available at

[10] Id. at 9.

[11] U.S. Dep’t of Justice, Dallas Airmotive Inc. Admits Foreign Corrupt Practices Act Violations and Agrees to Pay $14 Million Criminal Penalty, (Dec. 10, 2014),

[12] Leslie R. Caldwell, Assistant Attorney Gen., U.S. Dep’t of Justice, Remarks at the Taxpayers Against Fraud Education Fund Conference (Sept. 17, 2014), available at

[13] Caldwell, supra note 2.

[14] U.S. Sec. and Exch. Comm’n, SEC Announces Million-Dollar Whistleblower Award to Compliance Officer, (April 22, 2015),

[15] Implementation of the Whistleblower Provisions of Section 21F of the Securities Exchange Act of 1934, 17 C.F.R. § 240, 249 (2011), available at

[16] U.S. Sec. and Exch. Comm’n, SEC Announces $300,000 Whistleblower Award to Audit and Compliance Professional Who Reported Company’s Wrongdoing, (Aug. 29, 2014),

[17] Order Determining Whistleblower Award Claim at 1, No. 74781(April 22, 2015), available at

[18] U.S. Sec. and Exch. Comm’n, SEC Adopts Rules to Establish Whistleblower Program, (May 25, 2011),

Published .