The Department of Justice recently issued its eighth public declination in a Foreign Corrupt Practices Act case and the first under its FCPA Corporate Enforcement Policy—an indication that the policy is alive and well. But the case also brings with it a clear warning: The anti-bribery provisions are not the only way to trip over the FCPA.

The Securities and Exchange Commission on April 23 fined commercial data and analytics provider Dun & Bradstreet (D&B) $9 million after FCPA charges arose from misconduct at two of D&B’s indirect subsidiaries in China. According to the SEC, the two Chinese subsidiaries—HDBC and Roadway—made unlawful payments to Chinese officials through third-party agents and kickbacks to obtain otherwise non-public financial statement data that was vital to D&B’s business as a provider of business financial information.

HDBC and Roadway did not accurately reflect these unlawful payments in their books and records, which were then consolidated into D&B’s books and records. According to the SEC’s administrative order, D&B “failed to devise and maintain sufficient internal accounting controls to detect or prevent the improper payments.” D&B did not confirm or deny the findings.

Concurrently, D&B’s counsel received a letter from the Justice Department’s Fraud Section – FCPA Unit stating that it was declining prosecution “consistent with the FCPA Corporate Enforcement Policy. We have reached this conclusion despite the bribery committed by employees of the company’s subsidiaries in China,” the letter reads. 

Compliance officers and in-house counsel hoping to draw lessons from the first-ever declination under the FCPA Corporate Enforcement Policy may be left scratching their heads, given that any evidence pointing to FCPA anti-bribery violations in this case is opaque at best.

Reading between the lines of the letter, the Department of Justice cryptically indicated that it declined criminal charges for “bribery committed.” (Note: It hints to nothing about potential criminal charges for violations of the books and records and internal controls provisions of the FCPA).

Turning to the SEC order in the D&B case, nothing suggests that D&B even civilly violated the FCPA’s anti-bribery provisions. The FCPA charges mentioned in the SEC order speak only to violations of Section 13(b)(2)(A) and Section 13(b)(2)(B) of the Exchange Act, pertaining to recordkeeping and internal controls. Given that the SEC has a much lower burden of proof than the Department of Justice, it doesn’t appear D&B could have been charged with FCPA anti-bribery violations at all.

Compliance considerations

Taking the declination at face value, there is a litany of compliance considerations that compliance officers, in-house counsel, and internal audit can draw from the case:

FCPA cases that pre-date the FCPA Pilot Program will be considered. In this case, D&B self-disclosed the misconduct in 2012—four years before the Criminal Division’s Fraud Section FCPA Unit implemented the predecessor FCPA Pilot Program and the current FCPA Corporate Enforcement Policy.

“It’s interesting that [D&B] still got credit for voluntary disclosure, even though it was a prompted by a Chinese government investigation.”
James Tillen, Vice Chair, International Department, Miller & Chevalier

This signals that the Department of Justice is willing to reward companies that meet the requirements of the FCPA Corporate Enforcement Policy, even if the case predates the Pilot Program, says Ryan Rohlfsen, a former senior trial attorney with the Criminal Division’s Fraud Section – FCPA Unit and now a partner at Ropes & Gray.

Under the Pilot Program, a company qualifies for the full range of potential mitigation credit when it has:

voluntarily self-disclosed misconduct in an FCPA matter;

fully cooperated;

remediated in a timely and appropriate manner; and

disgorges all profits resulting from the FCPA violation.

The new FCPA Corporate Enforcement Policy added new language, stating that when a company satisfies these requirements, absent aggravating circumstances, it will receive a declination.

What’s notable about this case, however, is that D&B made the initial self-disclosure in a securities filing in 2012, “shortly after local police raided its Roadway subsidiary,” according to the SEC order. The raid by the Shanghai police followed a local television broadcast, featuring a Roadway sales executive speaking about a database Roadway had created containing the personal financial, employment, and contact information of more than 150 million Chinese citizens that Roadway sold to companies for marketing purposes. The broadcast stated that Roadway had purchased the personal information from banks, insurance companies, and real estate agents or by cold calling companies, sparking the raid by local authorities.

Based on these facts, “it’s interesting that [D&B] still got credit for voluntary disclosure, even though it was a prompted by a Chinese government investigation,” says James Tillen, vice chair of the International Department at Miller & Chevalier. Under the FCPA Corporate Enforcement Policy, the Justice Department said in evaluating credit to be received for voluntary self-disclosure, it will require, among other factors, that the voluntary disclosure occur “prior to an imminent threat of disclosure, or government investigation.”

Anti-bribery violations aren’t the only FCPA pitfall. D&B joins a growing list of companies—including BHP Billiton, Hyperdynamics, FLIR Systems, and Goodyear, to name a few—that in recent years have been ordered to pay a civil penalty to the Securities and Exchange Commission for FCPA violations, even in the absence of any criminal charges imposed by the Department of Justice. “It does signal to companies that even if you come in and self-disclose to the Department of Justice, fully cooperate, and remediate, it doesn’t mean you’re going to avoid paying a penalty to the SEC or the Department of Justice,” Rohlfsen says.

Even when the Department of Justice does not bring any criminal charges at all, a company often must still pay the disgorgement of ill-gotten gains, civil penalties imposed by the SEC, not to mention an exorbitant amount in legal fees, which can far exceed any penalties. D&B, for example, disclosed that it paid $30.3 million in “legal and other professional fees and shut-down costs related to matters in China,” from fiscal years 2012-2016. These are all important considerations in deciding whether to self-disclose a potential FCPA violation or not.

Moreover, since the Supreme Court, in Kokesh v. SEC, determined that disgorgement is a penalty for purposes of determining whether the five-year statute of limitations applied, the SEC has included language in its administrative orders that amounts ordered to be paid as civil money penalties…shall be treated as penalties paid to the government for all purposes, including all tax purposes. Translation: “None of the payments they are making as a result of the FCPA resolution can be deducted,” Tillen says.  This interpretation is consistent with IRS guidance issued in December 2017 following the Kokesh decision, in which the IRS concluded that, as a penalty, disgorgement cannot be deducted.

DECLINATION LETTER

Below is the letter to Dun & Bradstreet from the Department of Justice Criminal Division - Fraud Section.
We write regarding the investigation by the Department of Justice, Criminal Division, Fraud Section and the United States Attorney's Office for the District of New Jersey into your client The Dun & Bradstreet Corporation concerning violations of the Foreign Corrupt Practices Act, 15 U.S.C. § 78dd-1, et seq. Based upon the information known to the Department at this time, we have declined prosecution consistent with the FCPA Corporate Enforcement Policy. We based this decision on a number of factors, including but not limited to: the fact that the company identified the misconduct; the company's prompt voluntary self-disclosure; the thorough investigation undertaken by the company; its full cooperation in this matter, including identifying all individuals involved in or responsible for the misconduct, providing the Department all facts relating to that misconduct, making current and former employees available for interviews, and translating foreign language documents to English; the steps that the company has taken to enhance its compliance program and its internal accounting controls; the company's full remediation, including terminating the employment of 11 individuals involved in the China misconduct, including an officer of the China subsidiary and other senior employees of one subsidiary, and disciplining other employees by reducing bonuses, reducing salaries, lowering performance reviews, and formally reprimanding them; and the fact that the company will be disgorging to the SEC the full amount of disgorgement as determined by the SEC.
Source: Department of Justice

Don’t ignore red flags. In this case, an executive from D&B’s Greater China management conducted a due diligence review of HDBC’s data and operations, which noted that, unlike D&B’s China operations, HDBC used its government connections to source financial statement information directly from non-public sources—such as from the Chinese State Administration of Industry and Commerce (AIC) and Chinese National Bureau of Statistics. Knowing this, D&B’s only response was to provide HDBC executives with a brief FCPA training class and have them complete an anti-bribery questionnaire and certification. As a result, the improper payments to acquire data continued, according to the SEC order. 

Failure to perform pre- and post-acquisition due diligence can be costly. With Roadway, D&B did not conduct due diligence to verify whether sales representatives were making improper kickbacks of a portion of commissions to secure business, or determine whether any clients were state-owned or state-controlled entities. “Subsequent internal audit reviews after the acquisition failed to detect the improper payments,” the SEC stated. 

After D&B closed its transaction with Roadway in 2009, Roadway continued to acquire consumer data from agents and provide the data to companies for marketing purposes. Although agents provided certifications that they had legally obtained the consumer data, D&B failed to audit or otherwise review the sources from where agents acquired data to verify their certifications.

The case speaks to “the importance of doing thorough due diligence pre-acquisition, and then acting upon it, addressing those red flags immediately upon the close of the acquisition, integrating the acquisition into the internal controls of the company and the compliance program of the company, subjecting it to audits and reviews, and remediating based on any findings that come from those audits and reviews,” Tillen says.

Efforts matter. Both the SEC and Department of Justice acknowledged D&B’s self-disclosure, cooperation, and remedial measures. Specifically, the agencies credited D&B’s cooperation during the investigation by voluntarily producing documents from overseas, summarizing the findings of its internal investigation, translating documents to English, providing timely summaries of witness interviews, and making current and former employees available for interviews. “D&B’s cooperation assisted the Commission in collecting information that may not have been otherwise available to the staff,” the SEC stated.

In its declination letter, the Justice Department further credited D&B with identifying all individuals involved in, or responsible for, the misconduct, providing all facts related to the misconduct, and enhancing its compliance program and internal accounting controls.

The Justice Department noted that D&B’s full remediation also was a factor. Such remediation efforts included terminating the employment of 11 individuals involved in the China misconduct, including an officer of the China subsidiary and other senior employees of one subsidiary, and disciplining other employees by reducing bonuses, reducing salaries, lowering performance reviews, and formally reprimanding them.

All told, the first declination under the new FCPA Corporate Enforcement Policy is not exactly a home run, but it does offer compliance officers and in-house counsel a litany of considerations in addressing FCPA matters of their own.