Don't expect the intensified crackdown on international corruption by U.S. regulators to ease up anytime soon.

Speaking at last week's Compliance Week 2013 conference in Washington, D.C., representatives of the Department of Justice and the Securities and Exchange Commission said the agencies expect that when red flags for potential violations of the Foreign Corrupt Practices Act arise, companies will react quickly to investigate.

Charles Duross, deputy chief of the Justice Department's FCPA Unit, and Kara Novaco Brockmeyer, chief of the SEC's FCPA Unit, said investigators do not expect a pristine environment, but they do expect companies to have a program in place to combat corruption and to follow it. Paul McNulty, a partner at law firm Baker & McKenzie and former U.S. deputy attorney general, moderated the discussion.

Recognition is growing that “good on paper” is not good enough, Brockmeyer said. “You have to kick the tires and see ‘does it really work in practice?’”

Brockmeyer also pointed out that although anti-corruption programs are more sophisticated, there are still plenty of indications that corruption and fraud are widespread at many companies. For example, the findings of Ernst & Young's 2013 Europe, Middle East, India, and Africa Fraud Survey, released May 7, indicate that companies still have a lot of work to do. The survey found that one in five employees is aware of financial manipulation in their companies, and 42 percent of senior managers and board directors know of irregular financial reporting. “I would be extremely concerned about some of the data that came out of that report,” Brockmeyer said.

To combat those concerns, and to give companies a better sense of the regulators' expectations, she and Duross explained their views of what a robust compliance program should look like. Both worked on guidance issued last November in the publication, “A Resource Guide to the U.S. Foreign Corrupt Practices Act,” to provide more detail on FCPA enforcement.

“My message is that FCPA compliance and FCPA issues aren't limited to one industry or one country or any particular size company or whether it's a U.S.-company or foreign-based company,” Duross said. “It covers the gamut.”

He described as naïve managers who believe they can land business with a bribe and then keep the contract through stellar products and service. In reality, he said, they are entering a vicious cycle: “The first bribe is exactly that—the first bribe in a series of bribes.”

Measures of Success

One of the best signs of a successful program, according to Brockmeyer, is that concerns rise to the surface. She said that an environment where employees aren't raising concerns doesn't mean that no problems exist. “If your compliance program is telling you ‘We don't have any problems,’ maybe that is one red flag you want to take a look at,” she said.

Duross emphasized that how a company responds to red flags has significant bearing on any investigation. If an audit or a hotline report prompts compliance staff to look into an issue, they may determine no problem exists. What matters to the government is that a program was in place and it was followed. “The fact that procedures and processes worked to achieve an ultimate resolution shows that this is not just a paper program,” Duross said.

Companies score points—“meaningful credit,” in FCPA parlance—when they can tell investigators exactly what they did in response to a concern.

So what, exactly, is Duross hoping to hear? When a compliance officer says in response to a question: “I was wondering the same thing and let me tell you what we did.” That demonstrates a good-faith effort to get it right and carries tremendous weight with investigators, he said.

Duross also pays attention to a company's discipline history, and is skeptical of those that don't have one. “You have how many thousands of employees and you operate in how many companies and you're telling me no one has been disciplined in the last five years? That tells me either you have a perfect company…or you have such profound problems you're not dealing with any of it.”

Consistency and an even-handed approach are also good signs. If a low-level employee is fired for the same behavior a sales director skates on, said Duross, that sends the wrong message: Different standards apply to money-makers.

Trouble Spotting

Two of the trouble spots that the regulators said companies may consider giving more focus to are acquisitions and third parties. More vetting of third parties provides an opportunity to re-assess those relationships, and companies may even find that corruption risks are too great to do business with some third parties. One CEO told Duross, for example, that compliance efforts led him to reconsider the business model of spending so much on third parties, some of which added little value.

Brockmeyer said that companies should be careful with acquisitions where they find other problems, since that could be an indication that corruption is lurking under the surface. “At some point, one red flag may turn into two or three, and you may need to revisit,” she said.

She also said that buying a company, especially in regions where bribery and kick-backs are sometimes considered part of doing business, is a risky proposition. “If you get in and find their business model is based on corruption, you're also likely to find they're not complying with the same good accounting principles we use in the United States,” she said.

A company may spot a red flag, but be unable to dig into the matter until the relationship progresses. Investigators know red flags crop up, Brockmeyer said, but what matters is a company's reaction. It's the difference, she said, between engaging in a third-party relationship for a few months, then calling it quits when concerns are confirmed, versus ignoring concerns for years.

At the Justice Department, Duross said, investigators want to see evidence of solid due diligence on vetting acquisitions and third parties. Thin or empty files on third parties put them on alert.

The SEC is noticing more cases of third-party distributors that provide a legitimate service, but have an “extra” service on the side. Compliance officers should ask hard questions about what exactly distributors are doing to earn that extra commission, Brockmeyer said.

She also clarified the SEC's stance on successor liability, saying an overseas subsidiary becomes subject to the FCPA at the time of acquisition. “If you look at … successor liability cases, really what they're getting hit for is they didn't catch problems after the acquisition,” she said. “We're talking years, not months.”

In cases where companies come forward some months later to report they found—and fixed—a problem, the SEC generally declines, she said.

Deferred Prosecution Agreements

Between declinations and prosecutions lie deferred prosecution agreements (DPAs), which allow companies to meet obligations under Justice Department oversight—“trust but verify,” Duross explained.

DPAs should not be confused with the idea that regulators are going easy on companies that agree to them, said Duross. “Anybody who has gone through a deferred prosecution agreement with us will know we ask tough questions and we continue to,” he said. But they do give the Justice Department leeway to determine individual outcomes. “It's been my experience, anecdotally, companies see these as an opportunity to turn themselves around in a meaningful way,” he said.

Pictured above: Paul McNulty (left), former U.S. deputy attorney general; Kara Brockmeyer, chief of the SEC's FCPA unit, and Charles Duross, deputy chief of the Justice Department's FCPA unit. 

Equally important, such agreements reward companies that report wrongdoing, while holding them accountable. From the Justice Department's perspective, that may compel others to follow suit. “I recognize companies have a very serious decision to make when it comes to voluntary disclosure,” Duross said. “[DPAs] can be a powerful tool to do the right thing.”

At the SEC, DPAs and non-prosecution agreements (NPAs) are a newer tool. The SEC's first FCPA-related NPA, in fact, was announced in April: Ralph Lauren Corp. will surrender more than $700,000 in illicit profits it obtained through a subsidiary's bribes to Argentinian officials. Under a separate NPA with the Justice Department, Ralph Lauren Corp. will pay a penalty of $882,000 and agree to improve its compliance program.

In a press release issued at the time, Brockmeyer said the NPA was based on Ralph Lauren's self-reporting, cooperation, and discovery of the bribe through an enhanced compliance program. “Even if you have identified a problem and you don't have a good explanation … there are a lot of steps you can take at that point to improve the resolution going forward,” she said.