Compliance lessons from recent nine-figure FCPA settlements

“It is very clear that the government’s expectations for compliance programs have evolved significantly and that their expectations are higher now than they ever have been.”

Kara Brockmeyer, former chief of the SEC Enforcement Division’s FCPA Unit

Collectively, the latest enforcement actions speak volumes about how companies can minimize their FCPA risk. Prudent compliance officers will also want to use these real-life FCPA cases in their ethics and compliance training to help deter bribery and corrupt practices.

“It is very clear that the government’s expectations for compliance programs have evolved significantly and that their expectations are higher now than they ever have been,” says Kara Brockmeyer, former chief of the Securities and Exchange Commission Enforcement Division’s FCPA Unit and now a partner at law firm Debevoise & Plimpton. The government has indicated as much not only through the “Evaluation of Corporate Compliance Programs” guidance the Department of Justice has released, but also in the settlement agreements that have been reached.

Particularly notable about this year’s FCPA enforcement numbers is the unusually large quantity of cases—four—that resulted in nine-figure penalties, each case involving widespread bribery schemes that spanned multiple countries over a period of several years. Consider the following:

• Walmart. On June 20, Walmart reached a $283 million settlement to settle SEC charges for violations of the books and records and internal accounting controls provisions of the FCPA for operating “without a system of sufficient anti-corruption related internal accounting controls” for more than a decade. Walmart also entered into a non-prosecution agreement (NPA) with the Justice Department.
• TechnipFMC. On June 25, TechnipFMC, a global oil and gas services provider, and its wholly owned U.S. subsidiary Technip USA agreed to pay a combined $301.3 million settlement to resolve foreign bribery charges with authorities in the United States and Brazil arising out of two independent bribery schemes: a scheme by Technip to pay bribes to Brazilian officials, and a scheme by FMC to pay bribes to officials in Iraq.
• Fresenius Medical Care. On March 29, German healthcare company Fresenius Medical Care reached a $231 million settlement to resolve parallel investigations by the Department of Justice and the SEC for paying millions in bribes to public officials and doctors to win contracts at hospitals in several countries, including in Angola, Saudi Arabia, Morocco, Turkey, Spain, China, Serbia, Bosnia, and Mexico. Fresenius also entered a three-year non-prosecution (NPA) agreement with the Justice Department.
• MTS. On March 6, Russian telecommunications provider Mobile TeleSystems (MTS) reached an $850 million settlement with both the Justice Department and the SEC to resolve charges that it made at least $420 million in bribery payments to an Uzbek official for the purpose of entering the telecommunications market in Uzbekistan. This was the third FCPA case (following VimpelCom in 2016 and Telia in 2018) to involve the Uzbek telecommunications market.

Many of these cases showcase egregious compliance failures, such as ignoring red flags that pointed to corruption; active engagement in corrupt schemes by senior management; using third-party intermediaries and other channels to funnel bribes to government officials in exchange for business; and falsifying documents.

Third-party risk

Concerning specific FCPA risk areas, third-party agents continue to pose a high threat, especially in the technology sector, as demonstrated in the Microsoft and Juniper Networks FCPA settlements this year. Both cases describe very similar schemes, where employees of the companies’ subsidiaries—in Hungary and Russia, respectively—falsely represented steep discounts to end users were necessary in order to conclude a deal. In truth, rather than pass these discounts onto end users, the additional profits were directed to off-book funds held by third-party channel partners used to improperly provide travel and entertainment to government officials.

Under the settlement terms, Microsoft and Microsoft Hungary agreed to pay $25.3 million in combined criminal and civil penalties. Microsoft Hungary also entered an NPA with the Department of Justice. With Juniper Networks, the company agreed to a cease-and-desist order and paid $11.7 million in disgorgement, interest, and civil penalties for violations of the books and records and internal controls provisions of the FCPA.

In the Juniper Networks case, the allegations further describe improper travel practices in China, where certain sales employees of Juniper’s Chinese subsidiaries falsified trip and meeting agendas for customer events that understated the true amount of entertainment involved on the trips. The sales employees submitted these falsified and misleading trip agendas to Juniper’s legal department to obtain event approval. In violation of Juniper’s travel policies, Juniper’s legal department approved numerous trips without adequate review and after the event had occurred.

In Microsoft’s case, even though the NPA acknowledged Microsoft had extensive internal controls in place to prevent payments above a certain threshold, the company was still faulted for failing to exercise “meaningful oversight” over its subsidiary to ensure discounts were passed onto the end customers. “That’s a high burden to meet,” Brockmeyer says. “It basically means the company is going to have to think not just about the program they have in place, but how the company is testing the program to make sure it is actually working and catching situations where employees may be actively lying about their activities.”

What Microsoft did do right—and what compliance officers should take from this case—is it implemented an enhanced system of compliance and internal controls, company-wide; took disciplinary actions against the culpable employees; implemented a new global program to ensure transparency around discounts for government customers; and now uses data analytics to help identify high-risk transactions.

Unlike Microsoft, Juniper Networks did not appear to have a centralized approval or oversight process for discounts. According to the Juniper order, a member of Juniper’s senior management learned of these off-book accounts in late 2009 and instructed employees in Russia to discontinue their use. Even then, the practice didn’t stop until 2013.

The Juniper Networks case, however, serves as a helpful reminder that travel and entertainment (T&E) continue to pose FCPA risk. Moreover, although FCPA enforcement concerning T&E has traditionally focused on international travel and entertainment, Juniper Networks is an example of how even domestic travel and entertainment, where it is unwarranted, can pose an FCPA risk, Brockmeyer says.

Both the Microsoft and Juniper actions further highlight the importance of internal controls around pricing and discounts. Providing guidance and training and instilling controls to ensure the right questions are being asked and right documents are being obtained can help guarantee improper payments aren’t being funneled through the company’s system. Beyond due diligence and contracting procedures, third-party audits might also be necessary to detect such schemes.

In the technology industry, global supply chains inherently pose an FCPA risk, but sometimes the risk grows faster than the company has time to mature, particularly in the event of a merger or acquisition.

“Many tech companies have grown quite rapidly and, often times, there is a lag between that rapid growth and the recognized need by senior management for a more systematic and explicit compliance program,” says Dan Newcomb, a compliance specialist at law firm Shearman & Sterling.

“With some notable exceptions, such as Microsoft, a lot of the tech industry has been slow to put in place very robust compliance programs,” Newcomb says. “When we consult with international tech companies, it is often to help them develop something other than a ‘We don’t pay bribes’ statement in their general corporate policies.”

Hiring practices

Concerning specific FCPA risk areas in the SEC space, hiring practices in the financial services industry continue to generate enforcement actions. On Sept. 27, Barclays became the latest among a growing list of financial institutions to resolve violations of the FCPA for questionable hiring practices. As with other cases of its kind, numerous compliance failures were present.

The Barclays order found that, between 2009 and 2013, Barclays hired the relatives and friends of foreign officials in the Asia Pacific (APAC) region in exchange for business opportunities for the bank. As with similar cases of this kind, the bank’s anti-corruption policy prohibited this behavior, but Barclays employees in the region falsified corporate records to conceal the true source of the candidates and the reasons for hiring them.

Additionally, the SEC order stated Barclays failed to effectively train APAC employees on its policies; limited the scope of its compliance reviews; and, in some instances, turned a blind eye altogether. Without admitting or denying the findings, Barclays settled charges relating to violations of the accounting provisions of the FCPA and paid $6.3 million, including a $1.5 million civil penalty.

This settlement amount pales in comparison to similar FCPA cases in the financial services industry, when considering Deutsche Bank’s $16 million settlement, reached in August; Credit Suisse’s $47 million settlement, reached in June 2018; JP Morgan’s whopping $264 million total settlement reached with three agencies ($130 million to the SEC, $72 million to the Department of Justice, and $62 million to the Federal Reserve) in 2016; and starting with BNY Mellon’s $14.8 million SEC settlement in 2015.

While these hiring cases have been focused on financial services, such a risk is not unique to this industry. Consider, for example, the $7.5 million settlement digital telecommunications maker Qualcomm reached with the SEC in 2016 for hiring relatives of Chinese government officials. “It’s also probably an area that the compliance community until recently didn’t pay enough attention to,” Newcomb says.

Having in place a rigorous process to understand whom the company is hiring and making sure job applicants are being asked the right questions—such as whether they are personally associated with a government official—and ensuring those checks and balances are getting routed through a centralized HR process are all effective internal controls companies need to have in place.

Individual liability

Also notable about recent FCPA enforcement activity is the unusually high number of actions being brought against individuals over the last few years. In 2019 alone, the Department of Justice unsealed FCPA charges against roughly 20 individuals, whereas the SEC brought charges against three individuals—all pertaining to Cognizant’s bribery case.

The broader impact of individual cases on corporate enforcement numbers is that, when the Department of Justice is busy bringing these cases at trial, “that tends to slow down enforcement a little bit, because their resources are stretched,” Brockmeyer says.

While that’s true, any strain on resources likely will be temporary. “More significantly is that those cases going to trial are going to start creating case law,” Matthew Nielsen, a partner at law firm Bracewell, says. Those in the FCPA space finally will start getting answers to questions that have never been challenged at trial before—such as jurisdictional challenges; a company’s obligations to manage third parties; what constitutes ‘reasonable’ controls; and more.

For years, hardly any FCPA cases ever went to trial. “For so long, the Department of Justice and SEC decided what the rules were,” says Nielsen.

My, how the tables have turned.