A deep dive into the Foreign Corrupt Practices Act

US enforcement authorities have several options available to them in resolving Foreign Corrupt Practices Act (FCPA) investigations – among them imposing an independent compliance monitor to oversee the company’s anti-bribery and anti-corruption compliance programme. Historically, FCPA investigations have frequently resulted in the imposition of compliance monitorships. For example, of the 36 independent monitorships conducted by the US Department of Justice (US DOJ) since 2012, 25 have been FCPA monitorships.^[2]

This chapter describes the FCPA, the distinguishing features of an FCPA monitorship, best practices for conducting an FCPA monitorship and the potential outlook for FCPA monitorships in the future.

Overview of the FCPA

In 1977, following investigations into corrupt overseas payments by US corporations, Congress passed the FCPA. The first statute to govern the foreign conduct of domestic businesses, the FCPA consists of two components: the anti-bribery provisions and the accounting provisions.^[3]

The anti-bribery provisions prohibit persons and entities from making corrupt offers, payments or promises of payment of money, or anything of value, to foreign officials to obtain or retain business. Crucially, ‘foreign official’ is an expansive notion, defined as:
 

any officer or employee of a foreign government or any department, agency, or instrumentality thereof, or of a public international organization, or any person acting in an official capacity for or on behalf of any such government or department, agency, or instrumentality, or for or on behalf of any such public international organization.^[4]

It includes high- and low-level foreign officials and intermediaries acting on their behalf. Further, the US DOJ has interpreted foreign ‘instrumentality’ to include functions often associated with the private sector, such as telecommunications, construction, utilities and healthcare.^[5]

Since 1977, the anti-bribery provisions have applied to all US persons and certain foreign issuers of securities, but the provisions were expanded in 1998 to apply to foreign firms and persons within the United States who cause the furtherance of corrupt payments. Thus, the territorial reach of the FCPA has substantially grown since the statute was passed in 1977.

The FCPA’s accounting provisions consist of two main requirements. The first, known as the books and records component, requires companies to make and keep books and records that accurately reflect the corporation’s transactions. The second, known as the internal controls component, requires companies to create and maintain an adequate system of internal accounting controls.

The FCPA is enforced by the US Securities and Exchange Commission and the US DOJ. These agencies exercise concurrent jurisdiction over the enforcement of the FCPA. Since the passage of the FCPA, they have charged hundreds of companies and individuals with violations of the FCPA, resulting in billions of dollars in monetary sanctions, with significantly more enforcement activity in the past 20 years than in previous decades.^[6]

Unique aspects of FCPA monitorships

FCPA monitorships may involve an array of potential issues and broad geographical reach. Bribery and corruption occur when ethical lapses, financial control gaps and external cultural opportunity converge. Accordingly, a compliance monitor’s review is holistic and must assess the effectiveness of the company’s compliance programme, its financial controls and its culture overall.

The inherently cross-border nature of an FCPA monitorship adds to the scope and complexity of the monitor’s assessment. As described in further detail in Section III, infra, this geographical reach has an impact on every aspect of an FCPA compliance monitorship. Monitors must determine how to focus their review based on a number of factors, including where the underlying misconduct occurred, the perceived corruption risk of the jurisdiction (based on public reports, such as Transparency International’s Corruption Perceptions Index, and the company’s own internal risk assessments), and how the nature and scope of the company’s business create heightened corruption risk (i.e., the use of third-party agents or distributors).

Effective practices for conducting FCPA monitorships

First and foremost, an FCPA monitor’s priority is to enforce the terms of the resolution between the company and the US government, which is intended to improve the company’s anti-corruption infrastructure and prevent future FCPA violations. In doing so, monitors must employ the principles of effective compliance programmes issued by the US government, such as the US DOJ’s Evaluation of Corporate Compliance Programs (most recently updated in March 2023).^[7]

At the outset, the monitor should identify the company’s business operations and key risk areas, such as interactions with government officials, the context of those interactions, the employees involved and the strength of the company’s compliance programme. The monitor should then develop a written work plan, outlining how the monitor intends to evaluate whether the company’s compliance programme is structured appropriately and effective in practice. The written work plan will typically include all aspects of the monitor’s scope of review for a defined time period, including (1) the documentation the monitor intends to review, (2) any geographical areas on which the monitor intends to focus, (3) the interviews the monitor intends to conduct, (4) a description of the scope and sample selection process for any transaction testing the monitor intends to conduct, and (5) any other events or functions the monitor intends to observe.

Compliance programme assessment

In assessing the effectiveness of a company’s compliance programme based on the US DOJ’s guidance on the Evaluation of Corporate Compliance Programs,^[8] a compliance monitor must evaluate (1) whether a corporation’s compliance programme is well designed, (2) whether it is adequately resourced and empowered to function effectively, and (3) whether it works in practice. In doing so, the monitor must employ a variety of procedures to review and test various components of the compliance programme.

Compliance programme design

When evaluating the design of a corporate compliance programme, a monitor must assess whether key structural components are in place to prevent or detect bribery and corruption. These include the company’s risk assessment, policies and procedures, training and communications, confidential reporting structure and investigation process, third-party management, and mergers and acquisitions. As described herein, the monitor’s approach to evaluating each of these elements must be tailored to the unique nature of an FCPA monitorship.

Risk assessment

In any monitorship, the monitor must understand a company’s business, including how the company has assessed its risk, and evaluate whether the company controls for those risks appropriately. This is all the more complex in an FCPA monitorship where the company’s business practices may differ significantly across different geographies based on legal, regulatory or cultural norms. The monitor also needs to develop an understanding of the bribery and corruption index to identify which geographical locations may present inherently increased bribery and corruption risk. The monitor then must leverage deep knowledge in both of these areas to assess whether the company’s risk assessment and compliance programme is designed effectively.

Policies and procedures

In an FCPA monitorship, the monitor’s review of the company’s policies and procedures must delve well beyond the company’s code of conduct and anti-bribery and anti-corruption policies. The monitor should also evaluate ancillary policies and procedures that mitigate the risk of corrupt payments. These policies and procedures generally govern or relate to third-party due diligence; payments to vendors and third parties, including distributors, agents and consultants; travel and entertainment expenses and reimbursement; commissions or other service fees; charitable donations and sponsorships; political donations; gifts and free merchandise; use of cash; licensing and other regulatory payments; and discounts and rebates. And, because companies subjected to FCPA monitorships often operate globally, the monitor should ensure that such policies are clear, accessible to all employees in their native language and understood by employees.

Training and communications

A company’s anti-corruption programme training materials can give a monitor insight into how the company understands its mandates, as well as how it communicates rules to employees. A monitor should review training materials to ensure that they are clear and that they address the key points necessary to educate employees on the company’s corruption prevention policies. The monitor should also evaluate the training plan overall (such as the frequency, format and content of training sessions) and review the company’s historical training attendance. The monitor should assess whether the training is tailored to individual employees’ roles and responsibilities, whether the format of the training is appropriate and whether training is delivered in employees’ native language.

Confidential reporting structure

A monitor should analyse the company’s reporting channels and investigative process, including how employees can report potential wrongdoing (and whether the employer has an anonymous reporting mechanism available), and what steps the company has taken to encourage employee reporting. Attention should be paid to whether employees are comfortable reporting and have confidence that the company will respond appropriately to such reports and whether the company’s policies prohibiting retaliation are sufficient. In FCPA monitorships specifically, the monitor should also consider cultural norms and assess whether the reporting structure – and the messaging regarding reporting – is appropriate and consistent with those norms.

Third-party management

A company’s interactions with third parties, including distributors, business partners and sales agents, can create higher risks of corruption. That is particularly true in the FCPA context, where a company may be engaging with third parties in countries with a higher bribery and corruption risk. Thus, a monitor should assess the company’s policies, procedures and controls regarding the onboarding and use of third parties, including the company’s criteria for selecting third parties, the due diligence process that it employs and what safeguards it includes in its contracts with third parties (including anti-corruption certifications and audit rights).

Mergers and acquisitions

Joining with another organisation can present a heightened risk of corruption. Potential acquisition targets or merger partners may not have a sophisticated compliance programme, a system of financial controls or a strong compliance culture. And systemically integrating multiple entities can result in policy inconsistencies or control gaps, particularly when integration is global. A monitor should review the company’s policies regarding transactional due diligence of potential acquisitions and joint venture partners, including whether that due diligence process incorporates an anti-corruption risk assessment. A monitor should also undertake an assessment of post-closing FCPA compliance. Additionally, when necessary, monitors should assess the integration status of any recently merged entities.

Compliance programme resources and empowerment

Commitment by senior and middle management

A monitor should consider the company leadership’s messaging about its anti-corruption values and compliance programmes to its employees and to external audiences in offices throughout the globe. The ‘tone at the top’ can be a helpful indicator as to whether the company has robust internal motivation to comply with anti-corruption policies and procedures and how strongly it prioritises anti-corruption efforts. Monitors should also evaluate the ‘tone at the middle’ to ensure that managers demonstrate a commitment to compliance, even in the face of competing business objectives.

Autonomy and resources

Companies need to devote resources to their anti-corruption compliance, including money, staff and expertise. Given the global nature of FCPA enforcement, a monitor should assist the company in ensuring that higher-risk jurisdictions and subject areas are given sufficient resources. Additionally, a monitor should check that the compliance programme is able to operate independently from senior leadership and that it has a direct reporting line to the company’s board of directors that includes regular compliance reports.

Compensation structures and consequence management

A monitor should ensure that the company has implemented a compensation system that incentivises compliance and disincentivises non-compliance with the company’s anti-bribery and anti-corruption policies. The monitor should consider whether compliance is a component in evaluating employee performance and, by extension, employee compensation. The monitor may also consider whether the company withholds compensation (or recoups previously awarded compensation) when employees violate or fail to enforce the company’s anti-corruption policies.

Compliance programme effectiveness in practice

Continuous improvement, periodic testing and review

The monitor should review a company’s internal audit programme, including the audit plan, the team’s resources, the audit procedures and audit reports, to assess whether it is effective in self-monitoring the application of the company’s internal controls.

Investigation of misconduct

A monitor should review the company’s policies, procedures and resources for investigating complaints and disciplining employees to ensure that they are appropriate. At a minimum, investigations should be properly scoped, by qualified individuals, who are able to remain appropriately objective and independent and who have the power to pursue alleged or suspected wrongdoing. Investigation procedures and steps taken should be well documented, and the company should put procedures in place to preserve relevant content on their corporate communication mediums that employees may use, with corresponding consequences for employees who do not abide by such communication and retention policies. A monitor should also ensure that the company’s process for responding to investigative findings is appropriate and productive.

Analysis and remediation of misconduct

An effective compliance programme must include a root cause analysis of misconduct and promptly and adequately address the root cause issues. An FCPA monitor should consider both the misconduct (including the number and seniority of employees, managers and leadership involved, as well as the seriousness and time span of the misconduct), as well as the company’s remedial efforts once the misconduct was discovered. Remedial measures may include adjustment of policies and procedures or discipline of those who partook in (or those who failed to report or appropriately monitor) misconduct.

Review procedures

Programme review

A monitor should review a company’s current anti-corruption programme, including relevant written policies, training materials, audits and investigations into alleged or suspected wrongdoing, and relevant compliance-related reporting and communications.

Interviews

An anti-corruption programme is only as effective as the people who understand, apply and enforce it. A monitor should interview employees across the company, including those in the relevant control functions, those who frequently interact with foreign government officials, and a variety of employees across regions and leadership levels within the company. These interviews should be designed to elicit (1) whether employees understand (at an appropriate level for their job function and responsibilities) the general anti-bribery and corruption principles applicable to their job, (2) whether they understand the fundamental principles of the compliance programme as applicable to their job (i.e., policies and procedures and how to make an anonymous report of misconduct), (3) whether they have participated in required compliance training, (4) whether their views on the company’s culture are reflected by their direct superiors and company leadership, and (5) whether they have any compliance concerns or challenges to discuss. The monitor may also interview business partners or agents or other third parties working with the company. Interviews with employees can shed light on how leadership’s tone has resonated with employees and had an impact on the overall compliance culture.

Forensic transaction testing by accountants

An FCPA monitor should work with an experienced, independent forensic accountant to perform forensic testing on a company’s transactions. The accountant uses characteristics that may indicate red flags, such as unusual payments to government agencies or third parties, and then reviews such transactions for compliance with the company’s policies and controls. The controls for payments to and from third parties should also be reviewed. Forensic testing by an accountant can assist a monitor in evaluating proper onboarding and payments to third parties.

Shadowing and observation

In addition to conducting interviews and transaction testing, a monitor should look for opportunities to observe the functioning of both the compliance programme control functions and the business during the course of the monitorship. For example, to assess the effectiveness of an internal audit function, the monitor should consider shadowing an internal audit. To assess the effectiveness of the compliance function, the monitor should consider observing meetings of the compliance committee. And to assess the company’s business and the execution of company policies and procedures, the monitor should consider observing business events, such as sales meetings or interactions with customers.

Hotline testing

Monitors should also test ethics hotlines and other methods of reporting. A monitor may consider collaborating with a few members of personnel at the company to submit mock reports in various languages, with differing alleged misconduct, to see how the company responds.

Regional and cultural awareness

FCPA monitors should be mindful of the differing norms in other regions and cultures. In developing the work plan, and in preparation for conducting field work, the monitor should research and partner with the company to understand the applicable cultural norms and challenges in the various regions applicable to the monitorship. For example, in some cultures, gift giving in a professional setting is commonplace and culturally significant. But without that cultural awareness, such gifts could be perceived as bribes. It is therefore critical that the monitor endeavour to understand cultural norms that have an impact on business in the applicable region and understand the company’s business practices in the region and, importantly, why it engages in those practices. Further, cultural awareness may enable the monitor to better contextualise non-US employees’ efforts to comply with a US-based compliance programme, and even improve the cooperation the monitor receives from employees in the region. For example, anonymous reporting through a hotline is a core element of a US compliance programme, but in many parts of the world, filing an anonymous complaint is stigmatised. If aware of this issue, the monitor could better understand, for example, a lower number of hotline complaints in that region and be able to have more productive interviews with employees on that subject.

Best practices to foster collaboration between the company and the monitor

A monitor must carefully balance their role as an independent and impartial oversight agent and as a collaborator with the company, working to improve the company’s anti-corruption programme and prevent future FCPA violations.^[9] A positive and productive working relationship between the monitor and the company can help to minimise the cost of the monitorship for the company while staying true to the mandate of the resolution between the company and the US government. The monitor should keep in mind that the purposes of the monitorship are remedial rather than punitive.^[10] And company executives should lead by example through their own cooperation and collaboration with the monitor.

Companies should have in place systems, processes and personnel dedicated to supporting the monitor and providing them with the information necessary to efficiently facilitate their work. It may be helpful for the company to create one point of contact to coordinate with the monitor. This will aid in appropriately limiting the scope of the monitor’s work to the terms of the settlement agreement and, consequently, to help reduce the inevitable financial costs of the monitorship to the company. Collaboration with the company to minimise employee time demands relating to the monitorship during busy seasons can help to reduce some of the costs and inconveniences of the monitorship.

The company and monitor should engage in a constructive, ongoing discussion about the monitor’s work plan. The monitor should establish a detailed work plan – with a proposed timeline – to minimise burdens and maximise efficiency, and the company should regularly request updates from the monitor to minimise wasted resources and help the monitor stay on track.^[11] As part of this ongoing dialogue, the company should provide the monitor with feedback as to the feasibility of their suggested remedial measures, and the monitor should strive to propose solutions that are realistic and workable, rather than overly aspirational and ultimately impossible. Additionally, a monitor should avoid proposing solutions that would fundamentally change the character of the company’s business.^[12]

Company leadership should educate employees about how a monitorship works, and should ensure that employees understand why the underlying conduct gave rise to the need for the monitor. Because an effective monitorship requires collaboration between the company and the monitor, company leadership should convey the importance of cooperating with the monitor to employees at all levels. The monitor, too, should emphasise the collaborative, rather than punitive, goals of the monitorship, especially because it is unlikely that employees will have had previous experiences with investigations.

Future outlook for FCPA monitorships

While the number of FCPA enforcement actions has ebbed and flowed over the years, the US DOJ has expressed its commitment to corporate criminal enforcement, including enhancement of its FCPA enforcement efforts.^[13] With the US DOJ bringing more resources to bear in its prosecution of FCPA violations, it is reasonable to assume that the US DOJ will continue to impose monitors as a tool to shape compliance and curb bribery and corruption.

Endnotes

^[1] Allison DeLaurentis and Miranda Hooker are partners at Goodwin Procter LLP.

^[2] See US Dep’t of Justice, Criminal Division, ‘Monitorships’ (Oct. 2023), https://www.justice.gov/criminal/criminal-fraud/monitorships.

^[3] 15 U.S.C. Sections 78m and 78dd-1 et seq.

^[4] 15 U.S.C. Section 78dd-1(f).

^[5] US Dep’t of Justice, Criminal Division, and US Securities and Exchange Commission, Enforcement Division, ‘A Resource Guide to the U.S. Foreign Corrupt Practices Act’ (Jul. 2020), at 20, at https://www.justice.gov/criminal/criminal-fraud/file/1306671/dl?inline.

^[6] Foreign Corrupt Practices Act Clearinghouse: ‘DOJ Enforcement Actions Per Year’, Stanford Law School, at https://fcpa.stanford.edu/statistics-analytics.html.

^[7] US Dep’t of Justice, Criminal Division, Evaluation of Corporate Compliance Programs (Mar. 2023), at https://www.justice.gov/criminal-fraud/page/file/937501/download.

^[8] Evaluation of Corporate Compliance Programs, supra note 7.

^[9] 'A Resource Guide to the U.S. Foreign Corrupt Practices Act', supra note 5.

^[10] Assistant Attorney General Brian A Benczkowski, ‘Remarks at NYU School of Law Program on Corporate Compliance and Enforcement Conference on Achieving Effective Compliance’ (12 Oct. 2018), at https://www.justice.gov/opa/speech/assistant-attorney-general-brian -benczkowski-delivers-remarks-nyu-school-law-program.

^[11] F Joseph Warin, Michael S Diamant and Veronica S Root, ‘Somebody’s Watching Me: FCPA Monitorships and How They Can Work Better’, U. of Pennsylvania Journal of Business Law (2011), at https://www.gibsondunn.com/wp-content/uploads/documents/publications/WarinDiamantRoot-SomebodysWatchingMeFCPAMonitorshipsandHowTheyCanWorkBetter.pdf.

^[12] Warin, Diamant and Root, supra note 11.

^[13] ‘Acting Assistant Attorney General Nicole M Argentieri Delivers Keynote Address at the 40th International Conference on the Foreign Corrupt Practices Act’, US Department of Justice (Nov. 2023), at https://www.justice.gov/opa/speech/acting-assistant-attorney -general-nicole-m-argentieri-delivers-keynote-address-40th.