As the leader of KPMG’s Forensic network, Amanda Rigby has witnessed the disruption of regulatory investigations and knows the value of compliance measures. She details the nuances of the Foreign Corrupt Practices Act (FCPA) and proclaims the single most important thing that companies can do when entering emerging markets. Her remarks have been edited for length and style.
How do you see companies responding to the changing regulatory enforcement landscape of the FCPA?
Amanda Rigby: Since the FCPA was enacted in 1978, there have been a large number of enforcements against companies across all industries. In the past five years, we have seen a significant increase in efforts by companies to develop compliance programs that include and encompass procedures, policies and controls to prevent bribery and corruption.
Companies are also increasingly performing more thorough reviews of their known problems. When companies identify issues at their subsidiaries or operations across the world, they are responding to those issues in a more timely manner to identify the root causes and immediately address the problem.
Further, we’re increasingly seeing companies develop and implement compliance programs across various departments in the organization. While it used to be common for companies to establish their compliance programs in standalone departments, companies are now integrating compliance within all of the departments across the organization, and numerous company stakeholders are invested in creating a culture of compliance.
Finally, we are seeing companies move from having shelved anti-bribery/anti-corruption policies and procedures that are not accessible, implemented or part of the core values of a company to a culture of compliance that is a fundamental part of the organization’s operations.
Please take a moment to briefly describe the FCPA pilot program?
Rigby: The FCPA pilot program was initiated in April 2016 with a one-year pilot period. In March 2017, the DOJ extended the program indefinitely. The pilot program sets forth requirements for the voluntary self-disclosure of FCPA matters and allows companies to be eligible to receive reduced fines and penalties in those matters that are self-disclosed. The pilot program demonstrates that the DOJ would like companies to come forward and self-disclose FCPA violations. The extension of the pilot program may also suggest that aggressive FCPA enforcement is likely to continue in the future.
Has there been a significant increase in self-disclosure of potential violations?
Rigby: It is important to note that, before the pilot program, companies did self-report, so it’s very difficult for us to assess whether there are more cases of self-disclosure than there used to be. The DOJ is currently assessing the pilot program’s effectiveness, but we don’t yet have clear key performance indicators for the pilot program.
How are companies using data analytics to identify their greatest areas of FCPA anti-bribery risk, and what data sources are of particular value to companies when planning FCPA initiatives?
Rigby: Data analytics can provide useful metrics and monitoring tools that allow an organization to measure the effectiveness of its compliance program, monitor the emergence of compliance issues, and understand the root causes of these issues in order to predict and control misconduct. This data can exist throughout an organization, not just in the compliance department. The accounting department, Human Resources, sales, procurement – all of these departments can be sources of data that a company can use in understanding and measuring its compliance efforts. At a minimum, companies should be looking at accounting data, data related to third-party interactions, and the number, types and geographic locations of each of its known FCPA issues.
What advice would you provide to companies that are looking to enter emerging markets where bribery and corruption risk may be higher, and what advice could you provide to companies that have been in emerging markets for a long time but are looking to enhance their existing anti-bribery/anti-corruption programs?
Rigby: If I was to summarize my advice in one sentence for companies looking to enter emerging markets, it is, “Know your third-party providers.” A company’s third parties can include joint-venture partners, customers and vendors. We recommend performing background searches and other due diligence on third parties prior to entering into relationships with those third parties. That means understanding their owners and shareholders; the corporate operating structure; any reputational issues, including allegations in public records or media; criminal and/or civil litigation data that is available in a given jurisdiction; and any sanctions, regulatory enforcement matters or politically exposed persons. Companies should document this due diligence in their own books and records.
Emerging markets are generally considered to be a higher risk for bribery and corruption, and understanding who the company is doing business with helps the company protect against and mitigate the risk. The actions of third parties acting on a company’s behalf could be considered by the regulators to be the actions of the company itself, so the company may potentially be prosecuted for any illegal activities by those third parties.
I also recommend that companies understand the legal, business and social environment in which they will operate before entering a new market. Often, I suggest that companies work with local legal counsel, who can assist them in navigating the regulatory landscape in each individual country.
Companies that are already in emerging markets should keep their compliance programs up-to-date, assess them periodically, and perform continuous monitoring of the programs and their effectiveness in the emerging markets. Compliance programs should constantly evolve, adjust and respond to the changes in those markets. Companies should understand the DOJ’s sentencing guidelines, ISO 37001, and other available guidance to aid in monitoring and assessing their programs. They should also perform a compliance program gap assessment and take corrective measures if their compliance program is not in line with the recommended standards.
While many companies are aware of the potential consequences of FCPA violations as they relate to the company itself, we’ve seen today that regulators also look at the conduct of individuals in these matters and may take individual action as well. How does a continued emphasis on individual accountability change the approach that companies take in educating and training their employees regarding FCPA compliance?
Rigby: Many of the enforcement actions against individuals have focused on officers of the company or high-ranking directors, thus showing the importance of “tone at the top.” However, companies shouldn’t just look at the actions of their highest ranking officials; they should also understand the actions of their employees. Recently, I have seen that companies are increasing their efforts both in communicating the right tone at the top to demonstrate zero tolerance for corrupt activities and in training employees around the world – not only virtually, but also with local trainers on-site – on their codes of conduct and the other policies and procedures that the employees must adhere to.
How are whistleblower hotlines made most effective, especially internationally when there are cultural differences about the impact of using a whistleblower hotline?
Rigby: It is best practice to have hotline telephone numbers or emails available and posted prominently so everyone at the company can see them. The hotlines should be clearly communicated, most notably when employees are hired, as well as when companies engage with third parties.
Many bribery and corruption matters have been brought to the attention of companies not by their employees but by third parties – former employees, vendors or customers of the company – who notice illegal activities and contact the hotline.
Hotline information should also be presented in several languages, especially if the company has a third party manage the hotline service. Companies should have local hotline telephone numbers and local language speakers answering the calls, not just a U.S. telephone number and English speaking representatives.
Based on the recent enforcement actions we’ve seen, where does it appear as if companies are failing in their FCPA anti-bribery and corruption efforts?
Rigby: I often see companies failing in their response to indirect bribery. Many enforcement cases in recent years are related to bribery not by the company itself but by third parties acting on the company’s behalf. Companies need to do a better job of managing third-party risk, doing due diligence and having the proper financial and contractual controls in place to ensure that third parties are not engaging in illegal activities on behalf of the company.
Companies also often fail to maintain proper books and records. As an example, we’ve seen cases of the failure to properly disclose gifts made to government officials in the company’s books and records. In those cases, regulators prosecuted the company for not having proper books and records in accordance with the FCPA.
How can companies better align their M&A activity with their FCPA and anti-bribery and corruption compliance programs? What specific procedures, due diligence, should companies be undertaking in the pre-acquisition stage related to bribery and corruption risks?
Rigby: If a company is targeting a foreign company for acquisition or merger, the company should assess the bribery risk related to that target company. Where does the target operate, how does the entity interact with government officials, in what industry does it operate, etc.? All of these factors should be considered in determining the overall anti-bribery and corruption risk related to that entity.
Once the company has done this risk assessment, it should perform due diligence on the target’s existing third parties and understand if there are any concerns with those third parties from a bribery and corruption point of view. For example, has the target company or its third parties been involved in any corruption scandals, has it been prosecuted by any authorities, etc.?
Beyond due diligence, companies can also undertake pre-acquisition integrity due diligence procedures, which includes assessing the target’s own compliance program. Does the target have a code of conduct, does it have the right tone at the top, are there communications and trainings in accordance with the guidelines that have been issued by the DOJ and other regulatory bodies, etc.? The company may then perform transactional testing on the target’s books and records, with a focus on areas that are high-risk for bribery and corruption.
What is the one piece of advice that you would give to global companies as they navigate these regulatory requirements for cross-border activities?
Rigby: Identify and address bribery and corruption risk early on. Recognize the importance of compliance and don’t be afraid to ask for outside advice.
Amanda Rigby is a Principal in the Chicago office of KPMG, where she leads the U.S. Forensic network. Rigby focuses on investigations, regulatory compliance and dispute advisory services. She is also the leader of the Chicago chapter of the KPMG Network of Women. She can be reached at [email protected].
Published November 29, 2017.