If there are two companies whose FCPA settlements serve as textbook examples of the government’s steely expectations for third-party compliance, they’re Walmart and Ericsson.

So says Kara Brockmeyer, partner at Debevoise & Plimpton and former Chief of the Foreign Corrupt Practices Act (FCPA) Unit at the U.S. Securities and Exchange Commission (SEC). Brockmeyer delivered the keynote address at the Third-Party Risk Management and Oversight Summit, hosted by Compliance Week and Foundation Research Associates (FRA) in San Francisco this week.

One reason enforcement actions from the Justice Department and SEC make great case studies is that they all have a “Section C,” where the government describes the minimum of what a compliance program should have, Brockmeyer explained. Section C also lays out what the government says the compliance failures were and how to fix them.

Walmart, for one, ushered in widespread awareness of FCPA risk within the retail industry, said Brockmeyer. The big-box retailer failed to ensure that sufficient due diligence was conducted, that sufficient internal controls existed, and that third-party intermediaries (TPIs) had actually performed services before being paid. It also failed to monitor whether donations it ostensibly made were being converted to personal use by foreign officials. In mid-2019, Walmart paid $282 million to settle the seven-year global corruption probe, and over the course of that time the company also spent roughly $900 million to both investigate the wrongdoing and bring its compliance program up to speed.

“It wasn’t a drop in the bucket to Walmart,” Brockmeyer said.

Brockmeyer also drew attention to the DOJ’s announcement on Dec. 6 that Ericsson had entered into a $1 billion settlement to resolve the government’s long-running investigation into violations of the FCPA. According to government allegations—and Ericsson’s admissions—the company made and improperly recorded “tens of millions of dollars in improper payments around the world,” the DOJ’s press release states. For 17 years, the company used subsidiaries and TPIs to create slush funds and funnel money to foreign government officials. The company’s criminal conduct extended to Djibouti, China, Vietnam, Indonesia, and Kuwait; Ericsson’s parallel settlement with the SEC also covered Saudi Arabia.

Former FCPA Unit chief Kara Brockmeyer walks through several of her seven steps compliance officers should take to strengthen third-party compliance at CW's TPRM Summit in San Francisco.

Based on the enforcement cases, Brockmeyer itemized seven steps compliance officers should take to strengthen third-party compliance and avoid FCPA violations.

Step 1: Tally and rank all third parties. The DOJ and SEC have been very clear that companies must use a risk-based approach to their programs, so compliance officers must not only identify all third parties but also bucket them according to low, medium, and high risk.

Step 2: Perform appropriate due diligence. Understand who each third party is and who its beneficial owners are. The degree of scrutiny should increase as red flags surface.

Step 3: Document the specific services provided by the third party. Confirm the third party is actually performing the work before it is paid and that the compensation is commensurate with the work being done. In addition, “if companies can do the service more cheaply elsewhere or in-house, you need to look at that, because the government will, too,” Brockmeyer said.

Step 4: Make sure you understand your company’s process for managing third parties: what they get paid, how they get paid, who approves the payments, and so on.

Step 5: Ensure you have a system to handle red flags as they surface and that employees have the training to recognize and escalate them. Employee training should be differentiated as well: gatekeepers, for example, need more intensive training on how to recognize red flags.

Step 6: Make sure you have contractual processes in place.

Step 7: Monitor, monitor, monitor. The government expects companies to do so periodically, with the frequency based on the third party’s risk profile. Monitor more closely and more often if the third party is high risk, and have a process in place for when a third-party relationship expands beyond its original scope.

The evolution of compliance programs

In her keynote, Brockmeyer also discussed the evolution of compliance programs over the last decade. Programs have grown dramatically over that span, and with expectations and policies set forth by the Organisation for Economic Co-operation and Development (OECD) and the SEC, compliance officers have acquired an expansive body of governmental guidance to which to tether their organization’s program.

In April 2019, the DOJ consolidated its guidance into a single document: an updated version of its Evaluation of Corporate Compliance Programs, first published in 2017. While it is a scary document in some respects—Brockmeyer described it as “basically a laundry list of questions arranged by topic that you’ll be asked by DOJ attorneys if you get in trouble”—she encouraged every compliance officer at the conference to read it.

“It’s useful because it helps you explain to your senior management, and to the board, why you need the resources to be able to answer these questions,” Brockmeyer reasoned.

While the SEC has remained relatively silent on what it expects from corporate compliance programs, it will ask the same questions laid out in the DOJ’s document and evaluate programs consistently with it, Brockmeyer said.

One compliance practitioner in the audience asked Brockmeyer why the government could not issue an overarching set of questions for all industries. Brockmeyer replied: “The government is not that organized and not that coordinated. But they’ll get there. It’s just going to take a while.”

When it comes to taking a risk-based approach, Brockmeyer cautioned that there is no way to come up with a single risk score, because there are many different risk buckets to consider—financial, cyber, antitrust, OFAC sanctions, the list goes on—and the risk factors for those buckets are very different.

If you try to come up with a single risk score, “you’ll fail, because the risks will cancel each other out,” Brockmeyer said.

Brockmeyer worked for the SEC for 17 years and made her foray into FCPA cases in 2005. Her investigative work on cases like Halliburton—one of the world’s largest oil field services companies, which together with KBR, Inc. paid $177 million in disgorgement in 2009—opened her eyes to a whole new area of enforcement: massive bribes, codewords, and notebooks amounting to books-and-records violations and internal controls violations.

In 2005, companies were just starting to think about how to operationalize an anti-bribery and anti-corruption (ABC) function within their organizations, the former chief said in her address. But by the time Brockmeyer took over the FCPA Unit in 2011, the era of big cases—like Halliburton—had begun.