Editor: Since the November 2012 Guidance on the Foreign Corrupt Practices Act (FCPA) was issued by the Department of Justice, has the compliance attitude on the part of businesses changed?
deGrasse: For experienced FCPA compliance and legal practitioners, the guidance set forth governmental analysis and positions of which they were already aware, and I don’t think it has made those practitioners any more cautious or conscious of FCPA exposure. For others, it certainly has provided some fundamental guidance on the government’s approach to FCPA enforcement; I have seen it influence their perspectives on the statute.
Miller: Release of the guidance did not seem to make major changes to how most corporations implement their compliance program but likely helped further prioritize the importance of this risk. For many of our clients, the enforcement trends have continued both in the U.S. and, more so, abroad, with more regulators outside the U.S. taking actions against corporations. The guidelines were helpful in that they were a conglomeration of different guidance put out by the DOJ and SEC in different forms, including deferred prosecution agreements, DOJ opinion releases, federal sentencing guidelines and commentary by the DOJ and SEC at conferences.
Editor: Do you think there’s anything in the guidelines that a defendant can hang his hat on that would help him in mitigating his sentence?
deGrasse: The guidelines reiterate the fundamental concepts that the DOJ has always maintained in terms of what can be used in mitigation. It’s a very handy document because it contains both the DOJ and SEC positions in that regard. I don’t think there’s anything new that experienced professionals would not have already been aware of in terms of mitigation.
Editor: What key elements must a good compliance program have? Are there protective measures that virtually every company should undertake to minimize its exposure to liabilities under extensive government theories of FCPA application? If so, what minimum measures would you suggest?
deGrasse: The essential elements are set forth in the U.S. Sentencing Guidelines that are well known to most experienced compliance professionals. Any effective compliance program must include an effective risk assessment process that accurately depicts the company’s FCPA risk profile. It is not enough to determine whether your industry has been subject to prosecutions and enforcement actions. That is a factor, but it’s not dispositive; nor is it dispositive to evaluate risk based solely on the corruption index score associated with those countries in which the business operates. A good risk assessment process certainly incorporates those considerations but also includes factors such as the number of government interactions in operations, the qualifications and experience of home office and in-market legal, compliance and finance personnel, the efficiency of accounting systems, and the company’s ability to monitor on a regular basis. These are some of the considerations that factor into a competent risk assessment component of an effective FCPA compliance program.
A well-done risk assessment will place a company in a good position to design or revise the design of FCPA-based policies and procedures that reduce FCPA risk and exposure. A good compliance program will continue to evolve as cases are litigated and legal interpretation in this area continues to evolve.
Implementation is another essential component of an effective compliance program. Many companies design well but fail to implement new or revised policies and procedures. It is easy to short change or underestimate the challenge associated with change management. Communications from senior management, training, and continuous monitoring each have a role to play in implementation and its measurement.
Lastly, an effective compliance program must include a proficient monitoring function, including an experienced internal audit function. Companies sometimes fail to accurately evaluate the severity of certain findings as well as the degree of execution of new controls, whether those controls are compliance, operational or financial controls. The audit function is designed to be the ultimate measure of the effectiveness of the program, as ultimately determined in conjunction with legal and finance personnel. Those are the essential components of an effective compliance program.
Miller: A recurring theme that we keep hearing is “rigorous monitoring efforts.” For some of our clients, global policies have been put into place, adopted, and enforced in the local markets. It’s been a challenge for some clients, however, to implement consistent risk assessment frameworks, which help achieve the result of higher-impact monitoring efforts focused on risks that have relatively higher impact and probability at a given business unit, division or location. Designing and applying monitoring efforts that incorporate transactional data analytics performed around key risk areas better enables the organization to test and improve the overall effectiveness of its compliance program – while also demonstrating that the program is for real. One of the key things that we are seeing our clients do is bring the finance organization into these efforts so they can also better anticipate and identify “red flag” transactions.
Editor: Are there recognizable patterns of offshore business conduct that should alert a company to increased likelihood of FCPA violations?
deGrasse: Offshore transactions are an issue in several different contexts, including third-party risk management. It is a particular red flag if a third party doesn’t reside in the jurisdiction to which money is flowing, especially if that jurisdiction is a “tax haven.” An effective compliance program should have procedures designed to address the heightened risk of offshore transactions involving third-party intermediaries.
Editor: How does a company best tailor its FCPA compliance program to the particular risks it perceives in its own business?
Miller: Again, it goes back to the risk assessments, which should be done by in-country personnel, obviously with guideposts given by corporate or regional personnel who oversee and hold people accountable. For many of our clients, this means establishment of local compliance committees comprised of a cross-section of personnel who come together on a periodic basis to discuss risks and efforts being taken to better improve policies, processes and controls. Often, they can best identify those risks that have a higher likelihood of hurting the business and can then evaluate and modify what they’re doing from a control standpoint to make sure those risks are mitigated as effectively as possible.
Editor: Which countries are cooperating with FCPA-type investigations?
deGrasse: The DOJ and SEC cases provide a glimpse into coordination between law enforcement agencies of various jurisdictions. The OECD’s Phase Three reports, moreover, provide insight into the willingness of countries to enforce their own statutes prohibiting bribes to foreign government officials. Countries examined are those that are signatories to the OECD Anti-Bribery Convention. These reports provide detailed observations regarding a particular country’s enforcement of its own anti-corruption statutes addressing bribery of foreign officials. One of the main challenges globally is the uneven enforcement of local anti-corruption laws by various foreign jurisdictions. This disparity between jurisdictions puts in-house counsel in an awkward situation when advising their clients in countries in which these statutes are not enforced.
Editor: What are the trends in global enforcement, and what international anti-corruption initiatives should U.S. corporations be especially aware of?
deGrasse: We have seen recent enforcement actions that show extensive coordination between the law enforcement agencies of various countries. That is only going to increase with increasing sophistication of law enforcement tools and methods and resulting coordination between agencies around the world. Certainly most companies are aware of the U.K. Bribery Act. There also have been laws recently passed in a number of jurisdictions, including Canada, Brazil and Russia, of which many of our clients are very aware. I think understanding the OECD’s review process can be informative for businesses that work in jurisdictions that have been subject to the Phase Three reviews.
Miller: China has become a bit of a game changer in terms of the anti-corruption actions they’re taking against corporations. Historically, their attention has been focused on individuals and central government officials. As mentioned, Brazil now has its Clean Company Act being enacted, which bears certain similarities to the U.K. Bribery Act. We are waiting to see how Brazil will hold corporations accountable for missteps.
Other top economies are enforcing their laws and sending new signals of enforcement activity. In addition to the UK, Brazil and China, Germany continues to be active in its anti-corruption drive. As multinationals look to go into new markets for new customer bases, they often enter emerging markets where they have to partner with a joint venture partner or intermediary. It is important to apply scrupulous due diligence in detecting third-party risks while also making sure that contractual rights are in place together with processes to monitor these relationships for ongoing transactional risk – these points are common expectations of most anti-bribery and corruption laws.
Editor: If a company must use third-party agents, how can it better structure its compliance program to monitor those agents, given companies’ possible liability for those agents’ actions?
deGrasse: The question of liability is a legal one that involves case-by-case analysis, but it is instructive to know that a few years ago, companies maintained that they were not responsible for what their distributors were doing. Once a distributor takes title to the product, how could we know what’s going on? The government has been able to show that very often the company knows exactly what’s going on because it has to understand its distributor’s business, its margins, and the extent to which the company will provide support indirectly or directly to that business. In short, the fact that a company provided products to a distributor or third-party agent is not alone going to absolve it of liability. Third-party risk management is a very dynamic area, because it is now being driven greatly by technology. Companies struggle to find a way to manage third-parties that can number in the thousands, and it’s an expensive process. Right now that involves risk-based evaluations, many of which are done manually or rely solely on the representations of the business to identify who the third-party intermediaries are. Technology is driving efficiency in this area as companies look to technology to analyze third-party intermediaries when performing an appropriate level of due diligence.
Miller: From the monitoring side, it’s not a case of one size fits all for each relationship. If we focus just on distributors that perhaps are most often involved in FCPA actions (reports suggest that 70 percent of FCPA cases have involved third-party intermediaries), more of our clients are utilizing their own data to analyze their sales in the channel for such things as charge-backs, offsets, rebates, historical pricing anomalies at a skew or product family basis, either within one distributor over time or across similar distributors, and/or across geographies to identify any aberrations in pricing. Also, more of our clients are applying data analytics to self-reported data from distributors, such as the distributor’s ultimate sales price, to evaluate such things as achieved margins as a means to evaluate its own pricing as well as potential compliance red flags associated with excess margin going through intermediary channels. Clients are then asking questions of the distributor and utilizing desk-audits or full exercise of their contracted audit rights with the distributor to evaluate compliance.
Editor: Do you have anything more to say about third-party intermediaries?
deGrasse: Before an employee can pay a bribe to a government official, he/she needs to appropriate the money from the business – in my experience a bribe payer rarely takes money out of his own pocket to pay a bribe. Third-party service providers are a popular avenue by which to misappropriate company funds because service contracts are more difficult to audit. There often is no standard against which to audit; compensation usually is a discretionary consideration thereby making it more challenging to evaluate the contract’s payment terms.
Miller: We are seeing increasing interest on the part of companies regarding technology-enabled monitoring of the third-party risk management process – moving away from paper forms and implementing technology-enabled business process flows to originate, approve, and maintain the third-party due diligence process. The technology-enabled side helps make this high-risk process more consistent worldwide. Also, from the standpoint of audit or having to react to a probe, key information is more readily accessible as it is resident in one repository in terms of the parties with whom a company has relationships.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. KPMG LLP does not provide legal services.
Published June 30, 2014.