It’s every compliance officer’s worst nightmare: The company has just become the target of a global anti-corruption investigation, and now there are multiple enforcement agencies knocking on the door.
As global regulators collaborate more on corruption investigations and new countries pass laws and strengthen enforcement in the area, that scenario is becoming more common. Tread carefully, because how you respond could mean the difference between a favorable outcome and a legal disaster.
Long gone are the days when companies only had to contend with the Securities and Exchange Commission and the Department of Justice in the course of an anti-corruption investigation. Large-scale investigations into bribery and corruption are now a multinational affair.
Where the increase in cooperation has become most apparent is in enforcement of the Foreign Corrupt Practices Act, says Nathan Garrett, former prosecutor and special agent with the FBI and now an attorney with law firm Graves Garrett. “I see that trend only increasing,” he says.
“The new normal is multi-jurisdictional investigations,” says Greg Brower, former U.S. Attorney for the District of Nevada and now a partner with law firm Snell & Wilmer. Even as multi-jurisdictional investigations become more commonplace, “that doesn’t mean they’re going to become easy to deal with. Companies need to be prepared,” he says.
The biggest challenge multinational companies will face in the course of a multi-jurisdictional investigation is the diverse rules of the game, Garrett says. “How in-house or outside counsel go about conducting the investigation can, and should be, affected by the rules that apply in the respective jurisdictions where the investigations are taking place,” he says.
When a company finds itself the target of a global investigation, the first step is to put together a team that includes experienced counsel, with specific familiarity and experience in the respective jurisdiction involved, Brower says.
“You must have foreign expertise,” Garrett stresses. Each foreign government has “so many unspoken, unwritten rules that apply and cultural considerations,” he says, that knowing how to navigate local rules—both written and unwritten—is essential.
The company may also want to have on its investigative team forensic accounting expertise, “or a forensic technology team that can conduct electronic discovery when needed,” says Joseph Spinelli, managing director in the global investigations and compliance practice at Navigant Consulting. A forensic accounting team can be an invaluable asset in looking at relevant accounting records to identify irregularities and potential fraudulent transactions that may exist, he says.
Spinelli further recommends hiring outside counsel that has established credibility with enforcement agencies. For the company, building that rapport starts with informing the agency that a potential issue has been discovered, that you’ve launched an internal investigation, that you’re making a good faith effort to get to the bottom of the allegations, and that you intend of fully cooperate moving forward, he says.
How in-house or outside counsel go about conducting the investigation can, and should be, affected by the rules that apply in the respective jurisdictions where the investigations are taking place.
Nathan Garrett, Attorney-at-Law, Graves Garrett
“Establishing communications with the government at the outset is often overlooked,” Brower says. Sometimes companies can be in denial about the existence of an investigation and hesitate to reach out to relevant agencies, he says. “It never hurts to ask questions and try to get information.”
Having that open line of communication with enforcement agencies goes a long way not only toward building rapport, but also helping the company to better understand what documents are—and are not—required and to more readily identify any potential conflicts that may arise, Garrett says.
With a global investigation, in particular, the scope can vary widely from one jurisdiction to the next. Thus, it’s important for the company to preserve a wide swath of documents at the very outset under the assumption they may need to produce it later, says Michele Wiener, senior managing director at consulting firm Control Risks.
Spinelli also advises a targeted company to have a plan in place for who will have responsibility for those documents: “Who is the custodian of those documents and records? How available are they going to be to partner with you and assist in the investigation? Which team members are going to review those records?”
After the company has a team in place, they’ll need to establish an overall investigative plan: What’s the scope of the investigation in that jurisdiction? What violations have been committed? What employees and third parties are potentially involved?
Certain information given to one enforcement agency in the course of parallel civil or criminal investigations could potentially be available to multiple government agencies pursuing similar actions. Thus, Wiener advises companies to exercise “a certain level of caution” in this regard.
Below, the Department of Justice outlines what makes an effective risk assessment.
Assessment of risk is fundamental to developing a strong compliance program, and is another factor the DoJ and SEC evaluate when assessing a company’s compliance program. One-size-fits-all compliance programs are generally ill-conceived and ineffective because resources inevitably are spread too thin, with too much focus on low-risk markets and transactions to the detriment of high-risk areas. Devoting a disproportionate amount of time policing modest entertainment and gift-giving instead of focusing on large government bids, questionable payments to third-party consultants, or excessive discounts to resellers and distributors may indicate that a company’s compliance program is ineffective. A $50 million contract with a government agency in a high-risk country warrants greater scrutiny than modest and routine gifts and entertainment.
Similarly, performing identical due diligence on all third-party agents, irrespective of risk factors, is often counter-productive, diverting attention and resources away from those third parties that pose the most significant risks. DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area.
Conversely, a company that fails to prevent an FCPA violation on an economically significant, high-risk transaction because it failed to perform a level of due diligence commensurate with the size and risk of the transaction is likely to receive reduced credit based on the quality and effectiveness of its compliance program.
As a company’s risk for FCPA violations increases, that business should consider increasing its compliance procedures, including due diligence and periodic internal audits. The degree of appropriate due diligence is fact-specific and should vary based on industry, country, size, and nature of the transaction, and the method and amount of third-party compensation. Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs. When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.
Source: Justice Department.
What a company doesn’t want to happen during an investigation is that it ends up producing certain documentation for multiple enforcement agencies simultaneously, when only one government agency requested that documentation to begin with, Garrett says. Now all of a sudden Country A starts taking an interest in something it originally hadn’t intended to, because of the documentation produced for Country B, he says.
“That’s why it’s very important that you treat them differently in terms of what’s provided or how it’s handled,” Garrett adds. “Don’t take a one-size-fits-all approach.”
To the extent possible, the company will want to leverage any work that’s already been done. “Onerous document requests can be negotiated, and it’s important to try to negotiate those document requests so as to mitigate the cost and the complexity involved,” Brower says.
With a multi-jurisdictional investigation, however, negotiating with foreign government agencies may be easier said than done. Typically, if a company is facing a parallel investigation among state and federal authorities in the United States, the target company can ask the agencies to coordinate their efforts. “It’s much more difficult when you’re talking about agencies in different countries,” Brower says.
How a company gathers, shares, and exports information from one country into another also poses challenges. When it comes to the United States, the rules of road regarding data protection are pretty well established in terms of legal precedent concerning the production of documents and the rules of discovery, Wiener says.
That’s not so in other jurisdictions.
Countries like China and Germany, for example, have stringent data privacy laws in terms of what data is accessible, and what data may be transferred out of its country. “That’s why it’s so important that you take into account the local laws that are going to dictate what’s permissible and what is not,” Spinelli says.
The issue of attorney-client privilege, which can vary from country to country, poses additional challenges. “[Attorney-client] privilege afforded to in-house counsel in the United States may not be recognized in other jurisdictions,” Wiener says. “So in-house counsel has to be cautious about their communications and assume that such information may or may not be privileged in other jurisdictions.”
“The attorneys have to be very much involved in directing the investigative group in such a way that they can form and adhere to all the various types of potential landmines that might exist in the relevant jurisdictions,” Spinelli says.
“You have to revisit your work plan and scope of the investigation each step of the way,” Spinelli advises. This is important, because as you go through documentation and conduct interviews, the work plan and scope will continue to evolve, he says.
In preparing your final report to government agencies, it may help to develop a chronological outline of the investigation, including any third parties and employees interviewed, what documentation has been reviewed, and any identified violations, Spinelli says. That final report also should include a section that identifies any remedial and corrective actions taken, and other steps taken to prevent future wrongdoing, he says.
“That’s something the government is going to look for when they examine just how comprehensive your investigation is,” Spinelli adds. If potential misconduct is identified, enforcement authorities are going to want to see what you’ve done to ensure similar violations are not replicated going forward, he says. “That could be, and should be, a mitigating factor in ensuring you avoid any potential draconic fines that could be imposed on your organization.”