Compliance Programs Under the FCPA: Ways to Minimize Liability for Payments to Foreign Officials
By Adam Rouse, Vazantha Meyers, and Ashish Prasad*
After lying in a relatively dormant state for the first quarter-century of its existence, the Foreign Corrupt Practices Act emerged as a statutory late-bloomer. From its inception in 1977 to roughly 2002, the FCPA was enforced far less robustly than in recent years by its two primary enforcing agencies, the U.S. Securities and Exchange Commission and the Department of Justice.[1] The dramatic increase in prosecutions over the past decade—marked by a steep rise in enforcement activity and record settlements—has elevated the law to a top concern of international businesses.[2]
To alleviate that concern, companies conducting business abroad must understand the FCPA’s basic terms. It is particularly important that they understand a provision that has become the source of great liability: the FCPA’s ban on payments to “foreign officials.” This article will illustrate how that liability can and does arise, review the provision’s state of mind requirement, and finally, offer practical strategies for minimizing liability through a compliance program. Along the way, it will answer common questions, like whether a company can shield itself from FCPA liability by hiring an agent to represent it in a foreign country (short answer: no) and what businesses can do to protect themselves from employees that “go rogue.”
A Cautionary Tale of FCPA Liability
One case involving Alcoa Inc. provides a cautionary tale for corporations tempted to give money to foreign officials for business. Alcoa of Australia, a subsidiary of Alcoa, was engaged in long-term business with the government of Bahrain.[3] Its goals included securing good deals from Aluminum Bahrain B.S.C., a smelter controlled by the government.[4] As the DOJ details, at the request of the Bahrain royal family, Alcoa used a middleman to funnel bribes to the royals.[5]
Specifically, Alcoa hired a London-based consultant to nominally serve as a sales agent for the deal with Bahrain and its royal family.[6] The consultant was tasked with marking up sales to Bahrain, with the difference between the marked-up price and the actual price serving as bribes.[7] To channel the payments, the consultant formed a number of shell corporations, providing a would-be barrier between Alcoa and the bribe-takers.[8]
This plot did not end well for Alcoa. The company pled guilty and agreed to pay the DOJ $223 million in criminal fines and forfeiture, and the SEC an additional $161 million in disgorgement.[9] In sum, Alcoa’s FCPA price tag came out to $384 million.[10]
The State of Mind Requirement
The FCPA has two distinct parts, the first of which includes the anti-bribery provisions.[11] The second addresses the problem of tracing corruption, by imposing record-keeping requirements to track international business activity.[12] The Alcoa case shows how the FCPA anti-bribery measures prohibit payments to foreign officials, at least where a company had actual knowledge that its middleman was involved in bribery. “The law does not permit companies to avoid responsibility for foreign corruption by outsourcing bribery to their agents,” the DOJ said in its press release.[13]
But what if a company has some lesser degree of knowledge? Can it avoid liability by closing its eyes to any bribery that a productive sales agent or other middleman may be engaged in?
Under the FCPA, acts prohibited by the anti-bribery provision must be done corruptly.[14] The word “corruptly” has been interpreted to mean the conduct was done “voluntarily,” “intentionally,” and with a “bad purpose.”[15] The DOJ or SEC, however, need not demonstrate that the alleged violator, when dealing with a third party, actually knew that the entity was doing something that violated the act; the FCPA allows its knowledge requirement to be imputed.[16] As the agencies have noted, the act considers a person “knowing” of the illegal conduct if:
- The person is aware that he or she is engaging in such conduct, that such circumstance exists, or that such result is substantially certain to occur; or
- Has a firm belief that such circumstance exists or that such result is substantially certain to occur.[17]
The statute establishes knowledge if the investigated person or entity “is aware of a high probability of the existence of such circumstance, unless the person actually believes that such circumstance does not exist.”[18] The “high probability” standard may be determined by reference to factors such as international corruption metrics, common business understandings of geographic corruption practices, and concerns specific to various industries.[19]
Most FCPA actions are resolved through settlement agreements due to the risk-averse nature of corporations and the potentially dramatic consequences of taking a bribery prosecution to trial.[20] Nevertheless, DOJ and SEC guidance with respect to enforcement trends is available, and agency documents offer guidance in navigating the FCPA’s requirements. In 2012, and again with a 2nd edition in 2020, both the DOJ and SEC released a Resource Guide on the requirements of the act,[21] which described the agencies’ views on certain prominent provisions (and regulations).[22]
The guide devotes significant space to third-party payments that might end up being used as a bribe.[23] It notes that companies often legitimately use local consultants and business contacts to communicate with foreign officials and help promote their interests.[24] Of course, third-party payments violate the act if the company knew the money was to be used, in part or full, to influence a government official.[25] However, the guide notes that the onus of compliance with the FCPA falls on the corporation. In discussing the “knowing” requirement of the act,[26] it notes that Congress intended to address the problem of “head-in-the-sand” defendants.[27] Remaining ignorant of bribery while subtly sanctioning it, then, is not an effective strategy to avoid meeting the FCPA’s knowledge requirement. The more expansive interpretation of that requirement by the DOJ and SEC, instead, has allowed them to regulate a wide variety of business conduct under the act.
Protecting the Organization with a Compliance Program
The Alcoa example demonstrates the considerable threat the FCPA presents to international businesses. Fortunately, many FCPA resolutions before the DOJ and SEC, along with a growing landscape of enforcement guidelines, provide general instruction on how to avoid FCPA liability.
- Show Regulators You Mean Well
As an initial matter, it benefits companies to demonstrate a “culture of compliance.”[28] Of course, businesses that demonstrate such a culture—through robust anti-corruption controls, for instance—create value for themselves by minimizing the likelihood of corporate conduct violating the FCPA in the first place.[29] Beyond that, if and when a violation does occur, compliance-focused businesses tend to receive more favorable treatment. FCPA punishments are meted out based on a range of fines and prison time set by the Federal Sentencing Commission’s Organizational Sentencing Guidelines.[30] This system gives the prosecuting agency discretion to moderate the punishment if the party promptly disclosed wrongdoing by its agent, or at least assisted the agency investigation.[31] These types of actions, along with the presence of corporate practices intended to preemptively discover possible violations, are some of the more essential factors considered when punishment is defined, according to the DOJ, SEC, and business observers.[32]
Therefore, one of the first steps to creating a culture of compliance is the creation of an effective compliance program. In their Resource Guide, the DOJ and SEC provide guidance on what they consider to be the “hallmarks” of an effective compliance program.[33] For starters, the DOJ and SEC caution companies against taking a “one-size-fits-all” or a “check the box” approach to designing a compliance program.[34] Compliance programs should be risk-based and tailored to a company’s specific needs, risks, and challenges.[35] Below, we discuss each factor briefly, but we strongly recommend that you review the Resource Guide for a more thorough discussion.
- Management Commitment
Compliance begins at the top. The board of directors and senior management set the tone for the organization, and managers and employees take their cues from corporate leaders.[36] Tone from the middle is equally important. When senior managers inspire middle managers to promote a strong ethical culture, middle managers, in turn, inspire and encourage employees to promote and adhere to a strong ethical culture.[37]
- Code of Conduct
The code of conduct is the written company policy that outlines the rules, principles, and standards that all employees and third parties acting on behalf of the company must follow. As the Resource Guide notes, “[a] company’s code of conduct is often the foundation upon which an effective compliance program is built.”[38] The code must be clear, concise, accessible, and updated as needed to remain current.[39]
- Oversight, Autonomy, and Resources
The DOJ and SEC will consider whether there is proper oversight of a company’s compliance program.[40] Whoever has oversight must have appropriate authority within the organization and direct access to the organization’s governing authority. In addition, you must “put your money where your mouth is.” Whether a compliance program is adequately staffed and resourced will surely be part of the DOJ’s and SEC’s analysis.[41]
- Risk Assessment
A company must know and understand its risk profile and risk appetite. This can be achieved by conducting a risk assessment. The risk assessment (when adequately done) is a very valuable and effective tool at the company’s disposal and can be used to understand the risks associated with its business. It can also be used to help legal and compliance personnel advocate for resources to support a company’s compliance function and efforts. The risk assessment is, therefore, fundamental to a strong compliance program, and the DOJ & SEC “will take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”[42]
- Training
All relevant policies and procedures must be effectively communicated throughout the company, including periodic training and certification for all directors, officers, relevant employees, and (where appropriate) agents and business partners.[43]
- Incentives and Disciplinary Measures
The compliance program should apply to everyone in the organization – no one should be exempt – and its disciplinary measures and procedures should be clear, reliable, and promptly enforced.[44]
- Conduct Due Diligence
Because third parties, including agents, consultants, and distributors, are commonly used to conceal bribes to foreign officials, it is incumbent upon companies to conduct risk-based due diligence and some form of monitoring of third parties to help minimize risks.[45] History has shown that having extensive due diligence programs in place and following them methodically can significantly lessen the money an alleged violator will need to pay.[46]
Note that there are different levels and forms of due diligence. For example, due diligence can include background checks that examine any connections to foreign governmental interests,[47] and interviews[48] and questionnaires to key members of third parties, which might also help develop an understanding of the organization and assist in building a record to defend against accusations of wrongdoing in the future.[49]
Another effective form of due diligence is the use of the Corruption Perceptions Index (CPI). The CPI, published by Transparency International, ranks countries by perceived levels of corruption and is regularly used by U.S. businesses and regulators.[50]
- Confidential Reporting and Internal Investigations
An effective compliance program should also include a mechanism for the confidential reporting of misconduct without the fear of retaliation.[51] In addition, the compliance program should include an efficient, properly resourced, and reliable investigations program to investigate allegations of misconduct.[52]
- Testing and Review
Lastly, companies should periodically review and test their compliance programs to make sure they work.[53] A regular review and test of a company’s compliance program will uncover weaknesses in the program and allow for it to improve and evolve in response to changes in its business, the environment, and its various risks.[54]
The FCPA has grown in prominence over the last decade due to increased use by enforcement agencies, and payments to third parties have been an important area of focus. The DOJ and SEC understand that a compliance program cannot prevent all criminal activity by a corporation’s employees; companies will not be held to perfection. But a compliance program that includes the above recommendations will go a long way in mitigating risks and influencing the outcome of an enforcement action.
End Notes
[1] Amy Deen Westbrook, Enthusiastic Enforcement, Informal Legislation: The Unruly Expansion of the Foreign Corrupt Practices Act, 45 Ga. L. Rev. 489, 495, 502 (2011).
[2] Id. at 495-96.
[3] Off. of Pub. Aff., Dept. of Just., Alcoa World Alumina Agrees to Plead Guilty to Foreign Bribery and Pay $223 Million in Fines and Forfeiture (Jan. 9, 2014),
[4] Id.
[5] Id.
[6] Id.
[7] Id.
[8] Id.
[9] Id.
[10] Id.
[11] Mike Koehler, The Façade of FCPA Enforcement, 41 Geo. J. Int’l L. 907, 913-17 (2010); Westbrook, supra note 1, at 503-04.
[12] Koehler, supra note 11, at 922.
[13] Off. of Pub. Aff., Dept. of Just., supra note 3.
[14] Westbrook, supra note 1, at 503.
[15] Id. at n. 58.
[16] Id., at 544-45.
[17] Id., at 545.
[18] Id.
[19] Id. at n. 307.
[20] Leslie Wayne, Hits, and Misses, in a War on Bribery, N.Y. Times, March 10, 2012, at BU1.
[21] Dept. of Just. & SEC, a Resource Guide to the U.S. Foreign Corrupt Practices Act, 2nd Edition, 2020.
[22] Id.
[23] Id. at 22-23.
[24] Id.
[25] Id.
[26] Id.
[27] Id.
[28] Joseph W. Yockey, FCPA Settlement, Internal Strife, and the “Culture of Compliance,” 2012 Wisc. L. Rev. 689, 706-07 (2012).
[29] See generally id.
[30] Id. at 699-700.
[31] Id.
[32] Id.; see Foreign Corrupt Practices Act Review, No. 14-02, 3-4 (Dept. of Just. Nov. 7, 2014).
[33] Id. at 58.
[34] Id.
[35] Id.
[36] Id.
[37] Id.
[38] Id. at 59.
[39] Id.
[40] Id.
[41] Id. at 60.
[42] Id.
[43] Id. at 60-61.
[44] Id. at 61.
[45] Id. at 62.
[46] See Michael Volkov, Reminders from the Goodyear FCPA Settlement, JDSupra Business Advisor (2015), https://www.jdsupra.com/legalnews/reminders-from-the-goodyear-fcpa-settlem-91407/.
[47] De Ridder, supra note 34.
[48] Gabriel Colwell, Practical Guidance on How to Conduct FCPA Due Diligence, The Anticorruption Blog (June 4, 2012), https://www.anticorruptionblog.com/foreign-corrupt-practices-act/practical-guidance-on-how-to-conduct-fcpa-due-diligence/#_ftn1.
[49] Id.
[50] Id. Colwell, supra note 42; see Overview, Transparency International, https://www.transparency.org/research/cpi/overview (last visited Dec. 28, 2015).
[51] Dept. of Just. & SEC, a Resource Guide to the U.S. Foreign Corrupt Practices Act, 2nd Edition, 2020 at 66.
[52] Id.
[53] Id.
[54] Id.
Cite: Rouse, A., Meyers, V., & Prasad, A. (2023, May 24). Compliance Programs Under the FCPA: Ways to Minimize Liability for Payments to Foreign Officials. ComplexDiscovery. Retrieved from https://complexdiscovery.com/compliance-programs-under-the-fcpa-ways-to-minimize-liability-for-payments-to-foreign-officials/.
About the Authors
- Adam Rouse is Director and Senior Counsel eDiscovery at Walgreens.
- Vazantha Meyers is Vice President of Discovery Services at HaystackID.
- Ashish Prasad is Vice President and General Counsel at HaystackID.
*Shared with permission of authors. Originally published on ComplexDiscovery.