As the stock option backdating cases wind down, what will be the next corporate scandal to gain widespread notoriety?
It is always difficult to predict what alleged misdeeds will be front page news in the coming years, but many believe that Foreign Corrupt Practices Act ("FCPA") violations may be this year's corporate crime of the century.
The FCPA was enacted in 1977 but was rarely enforced throughout the 1980s and 1990s. In recent years, however, the Department of Justice and the Securities and Exchange Commission have picked up the pace of enforcement. The average number of FCPA criminal prosecutions and civil enforcement actions increased fourfold over the last five years compared to the previous five years, and the average fine for corporate violators has steadily increased over the last several years.
By all accounts, 2007 was a watershed year for FCPA enforcement for several reasons:
We expect FCPA enforcement activity to continue to rise throughout 2008. In addition, we expect a continued focus by the regulators on technology companies that conduct business in Asia, Eastern Europe, Central and South America, and other high-risk areas, in part because of a perception by the regulators that many technology companies have not adopted adequate FCPA internal controls. We recommend that all companies based in the U.S. or with officers or directors who are U.S. citizens, regardless of their size or whether they are publicly traded or privately held, implement FCPA internal controls, including FCPA compliance and training programs. We also recommend responding aggressively to signs of an FCPA violation – so-called "red flags" – by conducting an internal investigation through qualified counsel.
The FCPA has three principal components:
The FCPA is enforced by both the DOJ and SEC, and each of the three principal provisions of the FCPA carries both criminal and civil penalties. In many cases, companies find themselves the target of concurrent criminal and civil investigations by the DOJ and SEC.
The potential criminal penalties for knowing or willful violations of any of the FCPA provisions are severe:
In addition, debarment and other collateral consequences of a criminal conviction under the FCPA can be catastrophic for companies largely dependent on government contracts.
The SEC has equally dramatic civil remedies available to it, including injunctive relief, substantial civil fines, and the disgorgement of any ill-gotten gains. The SEC is significantly aided in its enforcement efforts by the fact that there is no mens rea (i.e. intent) requirement for civil violations of the FCPA's books and records or internal accounting controls provisions.
The scope of the FCPA's anti-bribery provisions is extraordinarily broad. Among other things, the FCPA makes it unlawful for:
The FCPA defines "foreign official" to include any employee of a business enterprise that is owned or controlled by a foreign government. For many countries in Asia, Eastern Europe, and South America, a large percentage of the businesses are owned or controlled by the state, especially in the telecommunications, banking, power, and medical industries. Recent case law has also expanded the scope of the "retaining or obtaining business" prong to include virtually any government action that may be favorable to a company, such as favorable tax treatment or securing any "improper advantage."
In addition to prohibiting direct payments to foreign officials, the FCPA prohibits payments to third parties (such as agents, consultants, foreign subsidiaries, or joint venture partners) while "knowing" that the third party will, directly or indirectly, make a payment or offer of payment to a foreign official. In practice, this means that a company may be held liable for the acts of its agents – even though the company did not directly make or offer to make any payments to foreign officials – if it knew about or authorized the payments. Further, the FCPA also provides that the level of knowledge required for a criminal violation can be established not just by actual, affirmative knowledge of improper payments, but also by merely being aware of a "high probability" that such conduct may have occurred.
The FCPA also imposes obligations on companies with respect to the conduct of their subsidiaries, joint venture partners, and other entities they own in whole or in part, which can vary based upon the extent of the ownership interest.
When the FCPA was enacted, Congress was primarily concerned with companies within the oil and gas industry bribing foreign officials for access to natural resources abroad. Now, the FCPA is being actively enforced across industries, including against technology companies. FCPA investigations are on the rise for several reasons:
First, companies have gone global. Many companies are aggressively seeking to increase sales by marketing their products and services in foreign countries, especially in high growth markets like China. That pattern is particularly prevalent in Silicon Valley. Several years ago, most technology companies recorded the bulk of their sales in the domestic market. The inverse is now true: it is not unusual for such companies to record over half their sales abroad.
Second, the business and legal cultures in many countries tolerate bribery. Within the last 20 years, bribes were tax deductible in some western European countries. Today, most countries have adopted anti-bribery laws to be in compliance with certain international conventions and treaties. However, even where such laws exist, they are not always enforced, and many foreign officials continue to solicit and expect bribes.
Third, after the enactment of the Sarbanes-Oxley Act and the issuance of various policy statements by the SEC and DOJ purporting to reward cooperation by corporations, companies are now much more likely to conduct internal investigations when they spot a "red flag" or otherwise learn of a potential FCPA problem and then self-report any legal violations to the regulators. In the last few years, the vast majority of publicly disclosed FCPA investigations were initiated by the government because a company self-reported a problem following an internal investigation by outside counsel. In contrast, prior to 2005, the government initiated the majority of publicly disclosed FCPA investigations.
Fourth, the DOJ and SEC have put more resources into FCPA enforcement. Last March, then-Attorney General Alberto Gonzales highlighted the importance of FCPA enforcement during a speech to members of the white collar bar. In addition, during 2007, Assistant Attorney General Alice Fisher gave multiple speeches during which she discussed the significance of FCPA enforcement.
The last year saw the continuation of several trends in FCPA enforcement, including the following:
First, the DOJ and SEC have steadily increased the number of enforcement actions against both corporations and individuals. In 2007, the regulators brought over thirty enforcement actions under the FCPA, which was over double the number brought in 2006. Likewise, in 2007, fifteen individuals were charged with FCPA violations, which is an all-time record for FCPA enforcement. When commenting on the recent enforcement actions, high-ranking DOJ officials have stated that the current enforcement actions are "just the tip of the iceberg" and that there are many more matters under investigation.
Second, the DOJ and SEC have steadily increased the size of corporate penalties for FCPA violations. In 2007, Baker Hughes agreed to pay the largest FCPA penalty to date. The total penalty – $44 million – included a criminal fine of approximately $11 million and a civil penalty of approximately $33 million. Later in 2007, Vetco International paid the largest criminal penalty to date – $26 million. In addition, as part of any settlement, the SEC and DOJ now routinely require a company to disgorge any gains it received as a result of an FCPA violation. The fines are most severe where the company is a repeat offender or where the conduct is egregious. In contrast, the DOJ and SEC impose lower fines where the company conducts an internal investigation after discovering a potential violation, voluntarily discloses the results of that investigation to the regulators, and remedies the violation through improved internal controls. Likewise, the DOJ and SEC impose lower fines where the company has adopted FCPA internal controls and can demonstrate that the violation was the result of a rogue employee and not a rogue culture within the company.
Third, in recent years, the DOJ has shown an increased willingness to settle FCPA investigations by entering non-prosecution or deferred prosecution agreements with companies. The DOJ first settled an FCPA investigation through a non-prosecution agreement in connection with the InVision Technologies, Inc. ("InVision") matter at the end of 2004. Fenwick & West LLP represented the Special Investigation Committee of InVision's Board of Directors, conducted the internal investigation that uncovered the FCPA violations, helped the company report the results of that investigation to the DOJ and SEC, and negotiated the non-prosecution agreement with the DOJ. In the agreement, the DOJ promised not to prosecute InVision. In return, InVision agreed to adopt an FCPA compliance program and internal controls designed to deter future violations. Since the InVision investigation, the DOJ has settled several FCPA matters through similar agreements.
Fourth, the regulators continue to stress that a company and its officers can be held liable for the misconduct of distributors and other third-party business partners. The regulators demonstrated their resolve to pursue a corporation for FCPA violations based on the conduct of third parties during the InVision FCPA investigation. In that matter, the allegedly improper payments included payments made to foreign officials by a distributor of InVision’s products. In the past, FCPA compliance practices with respect to distributors have generally been less extensive than those involving sales representatives or consultants. That can no longer be the case. In the last year, the regulators routinely stressed the importance of conducting due diligence before engaging a third-party business partner, obtaining written certification of FCPA compliance by the business partner, and investigating any signs that the business partner may be engaging in improper conduct.
Fifth, in the last few years, with the uptick in M&A activity, the number of FCPA issues discovered or addressed as part of an acquisition increased substantially. FCPA compliance is now a standard M&A due diligence item. FCPA issues can be a major sticking point in negotiations with the acquiring party, often causing a delay of the deal or a change in the price terms. Any company that is contemplating a possible sale to another company should be prepared to demonstrate the adequacy of its FCPA internal controls to the acquiring party.
Any U.S. company that conducts business overseas (regardless of size or whether publicly traded) and any foreign company that trades on a U.S. exchange or is operated by U.S. officers or directors should implement comprehensive FCPA internal controls, including FCPA compliance and training programs.
A company's FCPA compliance program should be tailored to its particular circumstances. As a result, FCPA compliance programs will vary from company to company. In most cases, an FCPA compliance program will be part of a company's broader compliance and ethics program, which should be structured to comply with the U.S. Sentencing Guidelines.
In general, an effective FCPA compliance program should include the following:
It is critically important that documentation exist for each aspect of the company's FCPA controls, including written policies and procedures, formalized reporting responsibilities within the organization, and written descriptions of specific compliance controls and procedures, as well as documentation relating to the testing of the adequacy of those controls and procedures. Indeed, without such documentation or other evidentiary proof, a company is without the means to demonstrate to the DOJ or SEC the adequacy, or even the existence, of its compliance program.
Establishing an effective FCPA compliance program can provide significant benefits. Such a compliance program may detect and prevent potential violations of the FCPA before they occur. In addition, in the event of a violation of the FCPA, the existence of an effective FCPA compliance program is an important factor used by both the DOJ and the SEC in deciding whether to prosecute. Finally, in the event of a prosecution and conviction, the existence of an effective FCPA compliance program can significantly reduce the punishment the company would otherwise receive under the U.S. Sentencing Guidelines.
For further information on the FCPA or how to implement an effective FCPA compliance program, please contact:
Christopher J. Steskal (firstname.lastname@example.org) or Susan Muck (email@example.com), both of whom have experience conducting FCPA internal investigations and advising companies regarding FCPA compliance issues.
Christopher J. Steskal
Partner, Securities Litigation Group
Chair, White Collar/Regulatory Group
©2008 Fenwick & West LLP. All Rights Reserved.
This update is intended by Fenwick & West LLP to summarize recent developments in the law. It is not intended, and should not be regarded, as legal advice. Readers who have particular questions about these issues should seek advice of counsel.