Ericsson, a Swedish multinational communication technology and services company, announced that it has set aside 12 billion Swedish kronor (U.S. $1.2 billion) as a potential settlement amount with U.S. authorities to resolve a long-running Foreign Corrupt Practices Act investigation that spans several geographies.

The FCPA investigation, which remains ongoing, was launched by the Securities and Exchange Commission and Department of Justice six years ago. However, Ericsson did not confirm it was being investigated for potential FCPA violations until June 2016, when it first issued a statement saying it had received a voluntary request from U.S. authorities in March 2013 to answer several questions relating to its operations.

“Naturally, it is embarrassing that we did not take quicker action following initial questions from the SEC back in 2013,” Ericsson President and CEO Börje Ekholm candidly said on a Sept. 26 media call. “While the financial sanctions we face are severe, it is also critical that our company gets closure with U.S. authorities on these matters.”

Chief Legal Officer Xavier Dedullen said during the call the $1.2 billion provision constitutes the current “best estimate” of expenditures for resolving the U.S. investigation, of which it estimates the combined monetary sanctions from the SEC and Department of Justice to be about $1 billion. The remainder pertains to other costs associated with a resolution, which could include the costs of a monitorship, Dedullen said.

“It would not be a surprise if we ended up with a monitorship,” he said. “Monitorships with U.S. authorities typically are between two and three years, and so we have to see where we come out with authorities.”

In the course of its own internal investigation, Ericsson said it identified breaches of its Code of Business Ethics and the FCPA in six countries, to date: China, Djibouti, Indonesia, Kuwait, Saudi Arabia, and Vietnam. Whether more countries may be added to that list, Ekholm and Dedullen could not comment.

Specifically, U.S. authorities have also been investigating Ericsson over potential FCPA violations in Greece, a geography noticeably absent from the list. “We understand that U.S. authorities are aware of what is going on in Greece,” Dedullen said.

Ekholm would only say the investigation by U.S. authorities covers a long period and many geographies. “It’s hard for us to go into details at this point,” he said. “The reality is we need to continue negotiations with U.S. authorities before we start to comment on any ongoing activity.”

Compliance gaps and enhancements

During the media call, Ekholm and Dedullen spoke candidly about Ericsson’s compliance shortcomings, as well as its remediation efforts. “It is the company’s assessment that the breaches are the result of several deficiencies, including a failure to react to red flags and inadequate internal controls which enabled a limited number of employees to actively circumvent internal controls for illegitimate purposes,” Ekholm said.

What the company constitutes as a “limited number” of employees, however, is still significant. In total, so far, 65 employees have been subjected to disciplinary review, of which 49 are no longer with the company. “These are the numbers as we have them today,” Dedullen said.

In addition to disciplinary actions, the company is also making several enhancements to its ethics and compliance program. “We did not have a compliance program fit for purpose,” Ekholm said. “Over the last two years, we have addressed these shortcomings, and we are significantly enhancing our ethics and compliance program to ensure we are equipped to do business in the right way.”

Based on a thorough internal and external assessment of its ethics and compliance program, and in working with external advisors on this assessment, Dedullen said the areas the company is focusing on right now include leadership and culture; assessing its tone from the top; and training and engagement. Third-party risk management is another area of focus, “where we have enhanced third-party management, including the diligence of third parties, and, where increased corruption of money-laundering risk arises, taken proactive measures to prevent those,” he said.

“We have spent quite a bit of time and effort on increasing the robustness of our compliance function and other assurance functions, including the allegations management process,” Dedullen added. “And we also, together with the compliance function, have been working on making our internal control process more robust and rely more on the digitalization of those controls to better detect and preempt any suspicious transactions. These are the areas we are focusing on right now.”