Introduction
Compliance with anti-corruption and anti-bribery laws is always a critical piece of any compliance program. In today’s environment—with global economies emerging from the COVID-19 pandemic and facing issues with inflation, supply chains, and labor—this area is particularly challenging. Aggressive enforcement of anti-corruption and anti-bribery laws, a growing web of country-specific anti-corruption legislation, and increasing cross-border cooperation by enforcement authorities continue to create risks for companies and keep compliance professionals on their toes.
In this chapter, we provide an overview of the legal landscape surrounding anti-corruption/anti-bribery laws, highlighting a few of the most prominent national and international regimes. We also provide a series of best practices and considerations for developing a compliance program that effectively addresses risk and complies with legal requirements. Finally, we share our observations on emerging trends and recent developments in the anti-corruption/anti-bribery space.
Although this article is intended to provide a helpful introduction, we strongly encourage you to use the information below as a launching point. As you undoubtedly know, there are numerous resources provided by governments, law firms, trade groups, and other entities designed to keep practitioners updated on the latest anti-corruption/anti-bribery developments. This field is fast-moving and ever-developing, and country-specific enforcement priorities and legislation are shifting constantly. Accordingly, we recommend you take advantage of the numerous topical resources to ensure your compliance program remains effective and responsive to the latest developments in the legal and regulatory environment and the evolving risks at your company.
Background on the FCPA
Enacted in 1977, the Foreign Corrupt Practices Act (FCPA) prohibits corrupt payments of money or anything of value to foreign officials in order to obtain or retain business.[3] The FCPA was enacted by the U.S. Congress in response to the Securities and Exchange Commission’s (SEC) 1976 groundbreaking Report of the Securities and Exchange Commission on Questionable and Illegal Corporate Payments and Practices, which characterized the problem of corrupt and illegal corporate payments as “serious and widespread.”[4]
The FCPA consists of two criminal sections that prohibit the following: (1) a company’s knowing, and an individual’s willful, violation of the Act’s recordkeeping and internal accounting control provisions (commonly referred to as “books and records” and “internal controls” provisions); and (2) the direct or indirect payment by issuers, American businesses, citizens, residents, or others acting on their behalf, of money or anything else “of value” to “foreign officials” or a foreign political party or official thereof (or any candidate for political office) in order to influence any act or decision of that person in his or her official capacity or to secure any other improper advantage in order to obtain or retain business (commonly referred to as the “anti-bribery provision”).
The FCPA is enforced by two federal government agencies: the SEC and the U.S. Department of Justice (DOJ). The SEC is responsible for civil enforcement of the FCPA and may bring enforcement actions against “issuers” (primarily publicly traded companies) and their officers, directors, employees, agents, or stockholders acting on the issuer’s behalf. The SEC can enforce both the anti-bribery and the recordkeeping and internal controls provisions as they apply to issuers. DOJ, in contrast, is responsible for all criminal enforcement of the FCPA, as well as civil enforcement of the anti-bribery provision as it applies to privately held companies.
The consequences of a DOJ investigation on an organization can be substantial and resource-diverting, a settlement can be costly, and an indictment can be crippling. Adherence to the directives of the FCPA continues as one of the most prominent issues in corporate compliance.
The FCPA Recordkeeping and Internal Controls Provisions
The FCPA recordkeeping and internal accounting controls provisions are codified in the Securities and Exchange Act, which is enforced by the SEC. These provisions apply only to issuers—companies that issue stock to be traded on U.S. stock exchanges, regardless of whether they operate inside or outside of the United States. The accounting provisions of the FCPA contain two major requirements for public companies:
- Maintain detailed books and records. The first requirement is to “make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets” of the company. This obligation is quite extensive because “records” is defined broadly to include “accounts, correspondence, memorandums, tapes, discs, papers, books, and other documents or transcribed information of any type.” The recordkeeping provision covers three types of improprieties, any one of which is unlawful: (1) the failure to record any single transaction, whether or not it’s improper; (2) the falsification of records to cover up improper transactions; and (3) the creation of records that are quantitatively correct, but fail to specify the qualitative aspects of a transaction that might disclose the transaction’s real improper purpose.
- Create a reasonable system of internal controls. The second major requirement of a public company is to create a system of internal accounting controls that provide “reasonable assurances” that the transactions are (properly) authorized. The internal control provisions mandate that companies comply with several procedural requirements. These provisions require issuers to:
[D]evise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management’s general or specific authorization; (ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets; (iii) access to assets is permitted only in accordance with management’s general or specific authorization; and (iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences [. . .][5]
The government considers these factors holistically. The test for compliance with the internal controls provisions is “whether a system, taken as a whole, reasonably meets the statute’s specified objectives.”
Any violation of either the recordkeeping or internal controls provisions will give rise to civil liability unless the violation was the result of an inadvertent mistake. For a company to be held criminally liable, it must commit a knowing violation of these provisions or act with reckless disregard of a known risk.
The FCPA Anti-Bribery Provision
The FCPA anti-bribery provision prohibits any U.S. company (whether publicly traded or not) or individual from paying, directly or indirectly, bribes to foreign government officials “in order to assist [. . .] in obtaining or retaining business for or with, or directing business to, any person.” The anti-bribery provision applies to all issuers[6] and “domestic concerns,”[7] as well as foreign nationals or businesses (or agents thereof) who engage in the prohibited conduct on U.S. soil or through the use of U.S. mediums like banks or U.S.-based email servers.
There are five elements that must be shown to prove a violation of the anti-bribery provision:
- A gift or offer. A covered entity must make an act in furtherance of providing an offer, payment, promise, or authorization to pay money or anything of value, directly or indirectly.
- To a foreign government official. The offer, payment, promise, or authorization must be given to: (1) any foreign political party or party official; (2) any candidate for foreign political office; (3) any foreign official (defined as any officer or employee of a foreign government or public international organization acting on behalf of that government or organization); or (4) any person that the entity knows will pass the payment offer, promise, or authorization on to any of the above.
- With a corrupt intent. The offer, payment, promise, or authorization is being provided with an improper intent.
- For the purpose of influencing, inducing, or securing. The entity must act for the corrupt purpose of (1) influencing an official act or decision of that person; (2) inducing that person to do or omit doing any act in violation of his or her lawful duty; (3) securing an improper advantage; or (4) inducing that person to use his influence with a foreign government to affect or influence any government act or decision.
- To obtain or retain business. The act must be intended to assist the company in obtaining, retaining, or directing business.
However, companies should be cognizant that DOJ may bring charges under the general conspiracy statute for conspiracy to violate the anti-bribery provision of the FCPA, which is easier for a prosecutor to prove than the underlying anti-bribery violation itself. Additional items of note include the following:
- Attempt liability. There is no requirement that a payment actually be made or a benefit bestowed for liability to attach—all that is required is the attempt. After all, the FCPA itself also prohibits any offer, promise, or authorization to provide anything of value to a government official.
- Broad definition of “foreign official.” The term includes anyone acting on behalf of an “instrumentality” of a non-U.S. government, department, or agency—including state-owned enterprises. “Foreign officials,” therefore, include judges and court employees, police and law enforcement officers, customs agents, government employees who issue licenses or permits, and any individual elected or appointed to a political office.
- “Thing of value” means anything of value. Companies are liable for providing anything of value to a foreign official. Liability, therefore, exists from the first dollar; there is no de minimis exception. In addition to tangible items of economic value (cash for tips or bribes), “things of value” may include nontangible benefits, such as gifts, entertainment, meals, trips/travel, professional training, education, loans, employment, discounted prices, and internships for relatives.
- Political and charitable contributions. Political or charitable contributions may also violate the FCPA if they are made corruptly to obtain or retain business, or as part of an improper exchange of favors with a government official.
- Vendors/business partners are a major compliance risk. The FCPA also prohibits indirect corrupt payments and imposes liability if a U.S. company knowingly authorizes its third-party agent to make a corrupt payment, offer, or promise to a foreign official. Third parties can include any service provider acting on behalf of the company, such as local agents, suppliers, and distributors.
- “Knowing” about misconduct is a deceptively low standard. “Knowledge” is statutorily defined to mean either (1) awareness of conduct or substantial certainty that such conduct will occur; or (2) conscious disregard of a “high probability” that a corrupt payment or offer will be made. As a result, a “head in the sand” approach will not work. A company or individual will be deemed to have knowledge of its agents’ corrupt acts if the company/individual is aware of a high probability that the agent was engaged in a corrupt act and intentionally avoids confirming that fact. The net result is that solid compliance and proper investigations are no longer optional.
Exceptions and Affirmative Defenses in the FCPA
The FCPA provides one exception to—and two affirmative defenses for—the anti-bribery provision. In general, the exception and the affirmative defenses should be construed extremely narrowly.
Facilitating or Expediting Payments
The FCPA’s only exception allows for “facilitating or expediting payment[s]” to foreign officials for the purpose of “expedit[ing] or [. . .] secur[ing] the performance of a routine governmental action.” Courts have characterized expediting and facilitating payments as “‘essentially ministerial’ actions that ‘merely move a particular matter toward an eventual act or decision or which do not involve any discretionary action.’” These payments may include, but are not limited to, payments for the following: obtaining permits, licenses, or other official documents to do business in a foreign country; processing government papers; providing police protection or mail services or scheduling inspections; and providing utilities services or cargo services or protecting perishable commodities. As a practical matter, the facilitating payments exception is construed extremely narrowly. Moreover, it does not exist under the laws of almost any other country, including the United Kingdom. Because the facilitating payment exception is routinely misunderstood by employees (and inherently difficult to prove when a company is the target of an enforcement action), companies would be wise to prohibit facilitation payments altogether and not rely on this exception.
Local Law
The FCPA allows for an affirmative defense for what otherwise would be an anti-bribery violation if the defendant can prove that “the payment, gift, offer, or promise of anything of value that was made, was lawful under the written laws and regulations of the foreign official’s, political party’s, party official’s, or candidate’s country.” The defense is statutorily limited to the written laws and regulations of a country—and very few, if any, local laws permit forms of bribery. As such, it is never a defense to claim that the prohibited payments were made because “this is how business is done” in a particular foreign country.
Bona Fide Business Expenditures
An affirmative defense is also provided if “the payment, gift, offer, or promise of anything of value that was made, was a reasonable and bona fide expenditure … incurred by or on behalf of a foreign official, party, party official, or candidate.” However, the payment or gift must be “directly related to (A) the promotion, demonstration, or explanation of products or services; or (B) the execution or performance of a contract with a foreign government or agency thereof.” This is the exception most likely to be invoked by companies or individuals accused of making “marginal” bribes—that is, engaging in conduct that is close to the line.
Trends and Developments
Enforcement Trends Signal Continued Emphasis on FCPA
Several factors favor the view that the business community can expect DOJ and SEC’s FCPA enforcement efforts to continue to remain aggressive, including:
- Multijurisdictional cooperation and parallel investigations and prosecutions are becoming more common.
- Whistleblower bounty provisions are being fine-tuned to lure in additional tipsters.
- Increased compliance and promises of leniency are being used to encourage self-disclosure.
- The prosecution of individual defendants increasingly continues to be a top enforcement priority.
- Law enforcement agent specializations have promoted more effective industry-specific enforcement.
- The “demand side” of the enforcement net is being widened to also catch bribe recipients and those middlemen who assist them.
- Congress is considering mandatory debarment of government contractors found to be FCPA violators.
Enforcement actions by DOJ and SEC in recent years have remained consistent in light of these long-term trends, though FCPA enforcement actions dropped significantly during the COVID-19 pandemic. As noted below, however, there are signs FCPA enforcement is picking up again.
More Aggressive Enforcement Policies
Recently, Deputy Attorney General Lisa O. Monaco has indicated that DOJ will be engaged in more aggressive enforcement of corporate crime across the board (articulated in the September 2022 “Monaco Memorandum”).[8] Specifically, Monaco indicated there would be a step-up in corporate crime enforcement on both the individual and corporate level, including: (1) increased individual accountability; (2) a focus on corporate recidivism; and (3) greater scrutiny of corporate resolutions with DOJ.
One indication of the new enforcement atmosphere—particularly as it relates to the FCPA—is the change in tenor toward compliance monitorships. In the past, compliance monitorships have frequently been included as part of FCPA enforcement resolutions. In 2018, former Assistant Attorney General Brian Benczkowski stated that such monitorships should only be used in limited circumstances where their need and benefit were apparent considering the costs and burden.[9] These statements coincided with a two-year period in which monitorships were not included in FCPA resolutions.
However, the Monaco Memorandum indicates monitorships are back in play. Retracting Benczkowski’s prior guidance, which effectively resulted in a presumption against monitorships, the Monaco Memorandum states that monitorships should be considered on a case-by-case basis with no presumption. Unsurprisingly, more recent FCPA enforcement actions have once again included monitorships.
Corporate Enforcement & Voluntary Self-Disclosure Policy
In January 2023, Criminal Division Assistant Attorney General Kenneth Polite Jr. issued a new FCPA Criminal Division Corporate Enforcement & Voluntary Self-Disclosure Policy.[10] Most importantly, the new policy aims to increase self-reporting by companies in part by significantly increasing the maximum credit companies or individuals could receive against any criminal sentence or fine for self-disclosure of violations. Under prior guidance, the maximum credit for voluntary disclosure of misconduct (with subsequent cooperation and remediation) before DOJ was aware of it was a 50% discount below the Sentencing Guideline range and involuntary disclosure was a 25% discount below the Guideline Range. As of January 2023, the new maximum credit is a 75% discount for voluntary disclosure and 50% discount for an involuntary disclosure. That said, this adjustment is primarily to reward “extraordinary” cooperation and remediation efforts, and it should not be considered the new norm.
An Issue of Concern: “Carbon Copy Prosecutions”
One emerging trend is the phenomenon of “carbon copy prosecutions.” On occasion, a company will reach a negotiated resolution with U.S. authorities on international bribery-related charges—whether through a non-prosecution agreement, a deferred prosecution agreement, or a guilty plea. Although in those cases the U.S. authorities may be perfectly satisfied with the resolution, the authorities in other countries where the bribery occurred may not feel vindicated. In those situations, there is a bona fide risk that the other countries will initiate prosecutions based on the same operative facts as, and admissions arising out of, the U.S. investigation and resolution.
The next result is that, if an individual corporate officer is even tangentially involved or implicated in a U.S.-negotiated resolution, that corporate officer—even if not named at all in the resolution—faces potential criminal charges overseas. The officer, therefore, has a strong incentive to ensure that the resolution does not name them and describes the officer’s conduct in the most positive light (or at least neutrally).
The net effect of DOJ and SEC FCPA settlement policies is that when a company enters into a negotiated resolution with U.S. enforcers, it is essentially powerless to defend against—much less deny—the factual basis on which the resolution is based. This all but ensures that a company that settles with DOJ—or both DOJ and SEC in parallel proceedings—will have little or no choice but to settle with foreign authorities, should such authorities choose to exercise jurisdiction and enforce their corollary anti-corruption laws.
A country’s incentive to vindicate its own laws is not insubstantial, especially when a company or individual has already admitted, in another proceeding (say, in the United States), to violating local law. Accordingly, both named parties and nonparties implicated in a resolution in one country ought to give due consideration to the potential impact of that resolution in another territory, especially considering recent trends pointing to coordinated multinational cooperation and successive enforcement proceedings.
The days of one-dimensional government investigations appear to be over. Duplicative, serial enforcement actions are now part and parcel of the enforcement landscape, despite a healthy ongoing debate over the need for, and fairness of, serial enforcements. It is likely that, as globalization makes the world smaller, carbon copy prosecutions will increase in frequency, size, scope, and force.
Penalties: Civil and Criminal Fines and Sentences
Violation of the FCPA can result in stiff civil and criminal penalties for both entities and individuals. An entity that violates the anti-bribery provision may be faced with a criminal fine of up to $2 million per violation or twice the loss/gain (whichever is greater), disgorgement of profits, and possible debarment/suspension. An individual who violates this provision may face up to five years in prison, a fine of $250,000 (or twice the loss/gain), or both for every violation of the statute. An entity that violates the recordkeeping and internal controls provisions may be assessed criminal fines of up to $25 million. An individual who violates these provisions may be faced with a sentence of up to 20 years in prison, a fine of up to $5 million, or both. Civil actions brought against entities or individuals by DOJ under the FCPA are subject to a penalty of $10,000 per violation.
The U.S. Travel Act: The FCPA’s Near-Constant Companion
In contrast to the FCPA’s singular focus on government officials, the U.S. Travel Act, which has been on the books since the early 1960s, is aimed squarely at preventing “private” or “commercial” bribery.[11] Specifically, the Travel Act prohibits travel in interstate or foreign commerce or using the mail or any facility in interstate or foreign commerce with the intent to (1) distribute the proceeds of any unlawful activity, or (2) promote, manage, establish, or carry on any unlawful activity. “Unlawful activity,” in turn, is defined to include violations of state commercial bribery laws, and “facility of interstate or foreign commerce” has been defined to encompass all means of transportation and communication.
Bribery between private commercial enterprises (no matter where in the world it takes place), therefore, falls squarely within the Travel Act’s proscriptions, provided the minimal jurisdictional prerequisites are met (a low bar, given that all travel or interstate or foreign communications qualify).
As the DOJ and SEC pointed out in their recent FCPA guidance, when a company officer, employee, or even third party pays kickbacks to an employee of another company, such private-to-private bribery threatens to invoke the specter of up to a five-year imprisonment and a $250,000 fine per violation.
U.N. Convention
The United Nations Convention Against Corruption (UNCAC), adopted by the UN General Assembly in 2003 and made effective as of December 2005, highlights the international, cross-border effort to combat corruption.[12] The UNCAC was ratified by 140 countries and, as of 2021, there are 189 parties to the Convention. The key provisions of the UNCAC address preventative measures, punishment/criminalization of corruption, provisions for international cooperation, asset recovery, and various technical elements to assist in implementation and adoption. The UNCAC sets the expectation that ratifying countries should cooperate in anti-corruption enforcement actions and aid each other in relation to corruption-related proceedings and investigations. It is highly likely that corporations conducting business abroad will be doing so in countries who are signatories to the UNCAC.
OECD Anti-Bribery Convention
The OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions (OECD Anti-Bribery Convention) requires signatories to pass laws that criminalize offering or paying bribes to foreign public officials by companies or individuals. In 2009, marking the 10th anniversary of the Convention, the OECD released its Recommendation for Further Combating Bribery of Foreign Officials, which included publication of OECD’s Good Practice Guidance on Internal Controls, Ethics, and Compliance, which advised companies to: (1) adopt an anti-bribery policy supported by senior management; (2) take steps to instill responsibility for compliance throughout the company at various levels of seniority; (3) engage in regular communication and training on foreign bribery to both employees and business partners; and (4) take measures to encourage compliance, including disciplinary procedures.[13] In 2021, the OECD released an updated Recommendation aimed at further strengthening implementation efforts.[14]
Other Country-Specific Laws[15]
The U.K. Bribery Act
The United Kingdom Bribery Act of 2010 makes it illegal to pay or receive a bribe, either directly or indirectly.[16] The Bribery Act applies to U.K. citizens and residents, U.K.-based organizations, and foreign organizations conducting business in the U.K. The Bribery Act has broad applicability. It covers any transaction—public or private—that takes place in the U.K. or abroad. It also penalizes corporations for failing to prevent bribery where a bribe is paid on their behalf by an “associated person,” which includes employees, agents, or any person acting on behalf of the entity.
The primary offenses prohibited in the Bribery Act are:
- bribing another person by offering, promising, or giving financial or other advantage to a person to induce or reward that person to perform a relevant function or activity improperly;
- accepting, receiving, or requesting financial or other advantage as a reward for performing a relevant function or action improperly;
- bribing a foreign public official to obtain or retain business or a business advantage; and
- a corporate offense for failing to prevent bribery.
There is no limit on the maximum fine under the Bribery Act, and the maximum potential incarceration is 10 years.
With passage of the Bribery Act, the U.K. has placed an emphasis on unimpeded reporting, early detection, and self-reporting. Similar to the U.S. Sentencing Guidelines, the Bribery Act offers a defense for organizations that are able to demonstrate that, at the time of the offense, they had “adequate” compliance procedures in place to prevent the offense being investigated. The U.K. Ministry of Justice has published guidance on what constitutes “adequate” procedures.[17]
Canadian Corruption of Foreign Public Officials Act
The Canadian Corruption of Foreign Public Officials Act (CFPOA) is largely consistent with the FCPA and U.K. Bribery Act.[18] The CFPOA prohibits Canadian persons or companies from bribing foreign public officials to obtain or retain a business advantage.
The CFPOA was amended in 2013 to bring it more in line with other major anti-bribery laws. The amendment included the following:
- the maximum incarceration under the CFPOA was raised to 14 years;
- there is no longer an exception for facilitation payments;
- a books and records offense was added; and
- nationality jurisdiction was established that applies to all offenses under the CFPOA.
Since the 2013 amendment, Canadian authorities have increased their enforcement activity under the CFPOA. Although Canada has lagged behind peers in enforcement actions and hasn’t been as active as the U.S. or U.K. in enforcing its anti-bribery laws, Canadian enforcement authorities have indicated that they are now more aggressively pursuing enforcement under the CFPOA.
French Sapin II Law
The French Sapin II law, which was passed by the French Parliament in 2016 and took effect in June 2017, applies to certain private companies and state-owned companies that are incorporated or headquartered in France and their subsidiaries. Like its counterparts in the U.S. and the U.K., Sapin II has extraterritorial reach.[19]
Sapin II creates a series of anti-bribery policy and procedures requirements for companies that fall within its purview. Most prominently, companies must create a code of conduct that specifically identifies prohibited behaviors associated with bribery and corruption. Other requirements include:
- Creating disciplinary sanctions for violation of the code of conduct;
- Instituting whistleblowing procedures;
- Conducting a corruption risk assessment (that is regularly updated);
- Reviewing procedures addressing the risks identified in the risk assessment;
- Implementing certain internal and external accounting control procedures;
- Developing training programs; and
- Creating internal procedures to monitor and evaluate the aforementioned measures.
The French Anti-Corruption Agency has drafted guidelines to help practitioners comply with Sapin II.[20]
Brazil’s Clean Company Act
Brazil’s anti-bribery law, the Clean Company Act, became effective in 2014 and creates civil and administrative liability for Brazilian companies who pay (or attempt to pay) bribes domestically or abroad, and foreign companies who pay (or attempt to pay) bribes in Brazil.[21]
To encourage more effective compliance programs, the Clean Company Act is a strict liability regime. Accordingly, entities can be held liable regardless of their officers’ awareness of the acts. Although liability is strict, authorities will consider the comprehensiveness of the company’s compliance program when determining sanctions. It is critical that companies develop comprehensive programs that include the elements explained in the next section.
Compliance Programs
In a global marketplace, an effective compliance program is an essential component of a company’s internal controls and is fundamental in detecting and preventing FCPA violations. Effective compliance programs are tailored to the company’s specific business and to the risks associated with that business. In addition to considering whether a company has self-reported, cooperated, and taken appropriate remedial actions, the DOJ and SEC also consider the adequacy of the company’s compliance program when deciding what, if any, action to take.
The DOJ and SEC have no formulaic requirements regarding compliance programs. Rather, they employ a common-sense and pragmatic approach to evaluating compliance programs, with inquiries related to three basic questions:
- Is the company’s compliance program well-designed?
- Is it being applied in good faith?
- Does it work?
A good compliance program, in broad terms, has the components described in the following sections. In addition, in March 2023 DOJ updated its guidance on how it would evaluate corporate compliance programs during enforcement actions. This guidance provides both helpful guidance on attributes of an effective compliance program and valuable insight into DOJ’s priorities in compliance program assessment, which can provide a helpful framework for discussions with the government during enforcement actions.[22]
Commitment from Senior Management and a Clearly Articulated Policy Against Corruption
Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company. The DOJ and SEC consider the commitment of corporate leaders to a “culture of compliance,” and look to see if this high-level commitment (“tone at the top”) is also reinforced and implemented by middle managers and employees at all levels of the business. A “paper-only” policy will fall short of the enforcers’ expectations. Instead, enforcers are looking for a compliance program with a strong policy that is understood and followed in the real world by actual managers, employers, vendors, and others who obtain permits and licenses, maintain books and records, and are the most likely to be presented with opportunities to commit violations.
Code of Conduct and Compliance Policies and Procedures
A company’s code of conduct is often the foundation on which an effective compliance program is built. DOJ has repeatedly noted in its charging documents that the most effective codes of conduct are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf. Components of such a code of conduct may include due diligence checklists and questionnaires for prospective vendors; periodic employee training and annual compliance certifications from both employees and vendors; hotline reporting and anti-retaliation policies; gift, entertainment, charitable giving, and political giving policies; prior approval tables; and standard anti-corruption contract language for vendors.
Risk Assessment
Assessment of risk is elemental to developing a strong compliance program, and it is another factor that the DOJ and SEC consider when assessing a company’s compliance program. One-size-fits-all compliance programs are generally poorly conceived and ineffective because resources are spread too thin.
Companies should establish systems and processes to identify the key “red flags” of potential bribery and corruption and, relatedly, use these flags to conduct their risk assessments. The key “red flags” indicating bribery or corruption include:
- Conducting business in countries with a reputation for corruption.
- Industries or companies with a reputation for corruption.
- Close personal connections with government officials.
- Requests for payments to unrelated third parties.
- Requests for payments in cash.
- Proof of performance lacking in detail or documentation (e.g., an invoice that does not have attached receipts).
- Payments requested to be made outside of the usual process or accounting structure.
- Incorrect/incomplete information relative to payment request.
- The contracting party does not have offices or staff.
- The contracting party lacks significant experience.
- Unusually high fees or commissions.
- Requests for unusual bonuses, advance payments, or special payments.
- Agents or consultants hired at the strong recommendations of a government official.
- Agents or consultants who are former government officials dealing with their former agencies.
Training and Continuing Advice
Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, the DOJ and SEC evaluate whether the company has taken steps to ensure that the relevant compliance policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, when appropriate, agents and business partners.
Incentives and Disciplinary Measures
Enforcement of the compliance program is fundamental to its effectiveness. The DOJ and SEC will consider whether, when enforcing its compliance program, the company has appropriate and clear disciplinary procedures; whether those procedures are applied reliably and promptly; and whether they are proportionate to the violation.
In addition, DOJ has recently launched its first-ever Pilot Program Regarding Compensation Incentives and Clawbacks.[23] The Pilot Program expects companies to develop compliance-promoting compensation and bonus systems. The DOJ will also reduce fines when companies, in good faith, attempt to claw back compensation from employees who engaged in wrongdoing or who both (1) had supervisory authority over the employee(s) or business area engaged in the misconduct and (2) knew of, or were willfully blind to, the misconduct.
Third-Party Due Diligence and Payments
The DOJ’s and SEC’s enforcement actions demonstrate that third parties—including agents, consultants, and distributors—are commonly used to conceal the payment of bribes to foreign officials in international business transactions. Accordingly, an effective compliance program should aim to prevent and detect foreign bribery carried out through third parties. This includes the following elements: requiring due diligence about the hiring, retention, and oversight of third parties; informing third parties of the company’s commitment to abide by the anti-bribery laws and the company’s compliance program policies against bribery; and seeking a reciprocal commitment from third parties.
Confidential Reporting and Internal Investigation
An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.
Timely, thorough investigations are, in the words of DOJ, a “hallmark” of an effective compliance program. Accordingly, companies should ensure that they have policies and procedures in place to promptly conduct effective internal investigations. This includes record retention policies that will facilitate internal investigations. Notably, record retention policies are increasingly expected to include messaging applications (including ephemeral applications) and personal devices. Per DOJ, these policies should ensure that “to the greatest extent possible, business-related electronic data and communications are accessible and amenable to preservation by the company” and “should be tailored to the corporation’s risk profile and specific business needs.”[24]
Continuous Improvement: Periodic Testing and Review
Finally, a good compliance program should constantly be evolving. A company’s business changes over time, as do the environment in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are also followed in practice will inevitably uncover compliance weaknesses and require enhancements to the compliance program. Consequently, the DOJ and SEC evaluate whether companies regularly review and improve their compliance programs.