Avoid being guilty by association

The past two years have seen a dramatic surge in enforcement actions under the Foreign Corrupt Practices Act (FCPA). The rate of enforcement by the Department of Justice (DoJ) and the SEC during 2007 and 2008 has more than doubled from the then-record pace of 15 enforcement actions in 2006. This trend has grabbed the attention of corporate America and has received a growing amount of media coverage. What has received less notice, however, is that this significant uptick in investigations and prosecutions has been characterized by a sharp rise in the number of cases in which company liability arises, not necessarily from a company’s own actions but from the actions of a third party.

Vicarious liability

Although the FCPA has prohibited bribery through third parties since its passage in 1977, the risk of ‘vicarious liability’ was for almost 30 years more talked about than invoked. This has changed significantly in the past three years, however. In 2006, 11 of the 15 enforcement actions involved third parties. In 2007 the number jumped to 20. Thus far in 2008 the number sits at 19. The cases reflect a diverse assortment of third-party intermediaries: agents, consultants, contractors, customs brokers, freight forwarders and, under certain circumstances, even distributors. Many of these third parties also turn out to be foreign companies or nationals.

On September 3, 2008, US enforcement authorities settled charges against Albert Stanley, the former CEO of Kellogg, Brown & Root (KBR), for helping to channel approximately $182 million in illicit payments to Nigerian officials through two foreign agents. One of these reputed agents, Jeffrey Tesler, is a London attorney who is himself being investigated by the UK’s Serious Fraud Office for his possible role as a middleman in Stanley’s bribery scheme. The facts alleged suggest a classic profile of liability for the acts of a third party, although in this case the company was apparently complicit in that it knew of and supported the third party’s activities. Yet liability can be found simply because a company ignores red flags that suggest the potential of misconduct by a third party. 

Reducing liability risk for third-party conduct

The risk of vicarious liability obviously depends most directly on the behavior of the third party. So what can a company do to minimize exposure to liability resulting from the actions of others? Aside from choosing not to use third parties at all – the ultimate safeguard – companies can employ other safeguards to reduce the risk that third parties they retain will make improper payments. By definition they do not have the same degree of direct control over a third party that they have over an employee or controlled entity. This is where the complication lies. You do not have direct control and therefore cannot explicitly prevent behavior and it can also be difficult to detect if an improper or illegal event is taking place.

The first thing that a company should make sure to do when employing a third party is to conduct thorough due diligence on that entity, screening out high-risk candidates and addressing any red flags that due diligence reveals. Ignorance is no excuse. A company must take reasonable steps to ensure business partners and third parties are not participating in any illegal payments or other activities.

Effective due diligence is intended to determine a prospective third party’s reputation, integrity, trustworthiness and willingness to comply with US laws and compliance standards. US enforcement authorities view due diligence prior to retaining a third party as a tacitly basic element of any company’s effective FCPA compliance program. As such, enforcers will most certainly treat the absence of such due diligence as an internal controls issue under the FCPA.

For example, in the case of York International, enforcement authorities alleged that the internal controls of York, a provider of heating and air conditioning services, were insufficient, in part because the company conducted no due diligence and had no contracts with some of its agents and consultants.

York wasn’t the only company to endure such punishment for FCPA violations. In several recent cases the DoJ has required offending companies not only to conduct due diligence, but also to employ other safeguards to reduce the risk of vicarious liability. See ‘Extreme measures’ on this page. Such preventive measures reduce, but do not necessarily eliminate, the risk of an improper payment or other improper conduct by a third party.

Even though due diligence is a prudent and valuable safeguard, it does not provide an affirmative defense. If a company has rigorous safeguards, is not itself implicated in a third party’s improper conduct and takes aggressive, decisive action upon discovering that a third party has acted contrary to the FCPA’s prohibitions or company policy, the company may well be able to avoid vicarious liability. Without each of those elements, however, a company that discovers that its third party has made an improper payment to a government official or employee takes a risk of being caught by the aggressive vicarious liability provisions of the FCPA.

As noted earlier, FCPA enforcement is on the rise and the DoJ is becoming more adept at leveraging information that it uncovers during one investigation into action against other firms it suspects to have been involved in similar situations. If it is discovered that a third party is making payments, the DoJ will quickly look for all other companies that have used or are using that third party. For this reason, many companies keep an eye on enforcement action disclosure and when it is revealed that a particular third party is under suspicion, they initiate voluntary internal investigations and may discontinue the relationship with the agent in question. Taking such proactive steps in addition to the action highlighted above will go a long way to ensuring you do not end up on the wrong side of an FCPA enforcement action.