Risk assessments: the key to FCPA compliance
Recent Foreign Corrupt Practices Act (FCPA) enforcement actions by the Department of Justice (DoJ) and the SEC have taken place across a broad range of industries. The DoJ’s and SEC’s efforts demonstrate that companies with any degree of international presence need to consider the effectiveness of their anti-corruption compliance. And for any compliance program to be successful, it must be based on a robust FCPA risk assessment. Further, best practice requires companies to revisit their risk assessment on a periodic basis to evaluate the effect of internal and external changes to the company and the marketplace.
Conducting an FCPA risk assessment is more than just good governance; it can be a powerful advocacy tool should problems arise later on. DoJ and SEC enforcement officials expect to see compliance programs specifically tailored to the risks particular to a company, its industry and the geographic regions in which it operates. How the government decides to resolve an enforcement action may depend on convincing the authorities that the compliance program that was being implemented was properly designed in the first place. In the UK, the effectiveness of a risk assessment may be a factor for the government in evaluating whether a company qualifies for the compliance defense to the UK Bribery Act. In either case, an effective risk assessment may be the determining factor as to whether the government decides to pursue a prosecution or resolve the matter with a declination.
Made to measure
The scope and focus of an FCPA risk assessment will vary from company to company. Typically, firms determine the level of corruption-related risk by examining factors such as the industry the company belongs to, the geographic regions in which it operates, and the history of compliance within the company itself.
Certain industries are particularly prone to corruption risks, either because of a significant degree of contact between the company and government officials, or due to the history of enforcement actions within the industry. Some industries are already the focus of government scrutiny for potential corruption; by their nature, they are simply more likely to expose a company to requests by government officials for corrupt payments.
Similarly, certain geographic regions have a history of corruption problems and are deserving of increased attention. Companies that have had difficulty with compliance issues in the past should focus on those areas to eliminate any remaining compliance weaknesses. All companies should ensure regular, up-to-date and appropriate anti-corruption training is reviewed and conducted for all geographic and line-of-business areas.
For an anti-corruption compliance program to be truly effective and tailored to the specific needs of the company, however, the risk assessment must go beyond these typical factors. Companies need to examine their organizational structures, the diversity of business prac tices within the company, and the accounting controls surrounding payment authorization and expenditure reporting. In particular, companies must examine the following key areas as part of any FCPA risk assessment.
Assess controls around payment authority, expenditure reporting and use of cash. For example, authority to make charitable contributions should be examined with an eye toward preventing indirect payments to government officials. Expenditures for travel and entertainment expenses should be tied to specific business purposes. A lack of such controls should raise serious concerns.
Supply chain structure
Companies must consider how their products and services move to the end user, and what people and entities are involved throughout the process. The potential for corruption exists not only in sales, but also in customs, distribution, installation, servicing and related financial systems. For example, rather than paying bribes directly, companies may obscure corrupt payments through artificial discounts or excessive commissions. Government officials may direct companies to use only ‘preferred’ installation servicers that actually serve as conduits for back-channel payments to the officials themselves. Any step in the supply chain between the company and the customer is an opportunity for potential corruption and should be examined closely for any compliance gaps.
Along these lines, it is important for companies to understand exactly who it is they are dealing with on the other side of each transaction. The FCPA and many other anti-corruption laws deal with illicit payments to government officials, not to employees of private entities (though commercial anti-bribery laws may apply to any such interactions). The line between public and private entities outside the US is not always clear. Generally speaking, US enforcement authorities will consider a ‘non-exclusive list of factors’ to determine whether an entity’s employees qualify as government officials for FCPA purposes. The greater the degree of sales and services involving employees who may be considered government officials, the greater the risk for potential FCPA exposure.
Agents and other third parties
A specific area of focus for any FCPA risk assessment must be the company’s use of third-party agents. In many environments, a company is not able to conduct business without the involvement of such third parties. Reliance on an outside agent puts a company at risk from any activity that agent conducts for the benefit of the company. Therefore, a proper FCPA risk assessment must consider the degree to which the company relies on third parties for its interactions with government officials, and the nature of the company’s dealings with such third parties.
The risk assessment should focus on the degree of transparency the company has with respect to such agents. Companies should be able to establish the identity and ownership of the agent, the reasonableness of the fees being charged, and the specific activities the agents are performing on the company’s behalf. Any inability to answer such questions should be considered a significant risk, and one worth addressing.
Similarly, companies should determine whether their procedures for conducting due diligence on potential third-party agents are sufficiently robust to detect and prevent corruption at the outset of an engagement. If such procedures are not in place, or for some reason are not possible to enforce, companies should consider their absence a significant risk factor. Agreements with agents should be examined to ensure appropriate representations and warranties regarding anti-corruption, and should include rights of inspection and requirements for co-operation. An agent’s unwillingness to agree to such provisions should be a consideration for the company in evaluating its potential risks.
Anti-corruption risk assessments serve two goals. First, a proper risk assessment is critical to ensuring a company’s anti-corruption programs are reasonably designed to meet the needs of a changing and dynamic international marketplace. Second, should a problem arise, a robust risk assessment can be a powerful advocacy tool in making the case to enforcement officials that the company has tailored its compliance program to address the particular risks it faces, and therefore is deserving of leniency or even a declination.
To accomplish these goals, companies must look beyond the basic criteria for potential FCPA risk and work to ensure every opportunity for potential corruption is identified and addressed.
Robertson Park and Tim Peterson are both partners at Murphy & McGonigle, a boutique securities and litigation enforcement practice.