The DOJ has stated that non-prosecution and deferred prosecution agreements “benefit the public and industries by providing guidance on what constitutes improper conduct.” (See here).
With that in mind, consider the recent Total enforcement action (see here for the prior post). The DOJ alleged, in support of criminal FCPA internal controls violations, as follows.
“Total: (a) failed to implement adequate anti-bribery compliance policies and procedures; (b) failed to maintain an adequate system for the selection and approval of consultants; (c) failed to conduct adequate audits of payments to purported consultants; (d) failed to establish a sufficiently empowered and competent corporate compliance office; (e) failed to take reasonable steps to ensure the company’s compliance and ethics program was followed; (f) failed to evaluate regularly the effectiveness of the company’s compliance and ethics program; (g) failed to provide appropriate incentives to perform in accordance with the compliance and ethics program; (h) concealed the consulting agreements’ true nature and true participants; (i) performed no due diligence concerning the named or unnamed parties to these agreements; and (j) lacked controls sufficient to provide reasonable assurances that the consulting agreements complied with applicable laws.”
If the DOJ believes that each of the above constitutes a criminal violation of the internal controls provisions, then a significant percentage of issuers are engaged in criminal acts.
Survey after survey indicates that a significant percentage of companies, including issuers subject to the FCPA’s internal controls provisions, fail to maintain an adequate system for selection and approval of consultants, fail to conduct audits of payments to consultants, fail to conduct due diligence of third parties, and fail to regularly evaluate the effectiveness of their compliance and ethics programs.
For instance, the recently issued Kroll / Compliance Week Anti-Bribery and Corruption Benchmarking Report found “that 47 percent of all respondents say they conduct no anti-corruption training with their third parties” and “of the remainder who do train their third parties on anti-corruption, only 30 percent of that group believe their efforts are effective.”
Likewise, as noted in this recent post, according to a recent survey “only 30% of all survey respondents say their companies always conduct a risk review of existing business relationships and ties to agents in foreign countries.”
Further, as noted in this prior post, a survey found as follows. “Despite the significant risks and specified demands of regulators [as to third parties], our survey suggests that the corporate response to mitigating third-party risks is still inadequate. Many companies are failing to adopt even the most basic controls to manage their third-party relationships.” “Effective third-party management does not end at the performance of due diligence. Third parties also should be monitored on an ongoing basis, including regular compliance assessments and audits. It is therefore worrying that only 45% of respondents identified audit rights or regular audits of the third party as a process in place to monitor the relationship.”
Indeed, as even the DOJ and SEC recognized in the November 2012 FCPA guidance, “64% of general counsel whose companies are subject to the FCPA say there is room for improvement in their FCPA training and compliance programs.” (See here for the prior post).
The DOJ’s allegations in the Total enforcement action are all the more alarming given that the time period relevant to the conduct at issue was between 1995 and 2004. Is the DOJ suggesting that nearly every issuer during this time period was engaged in criminal acts given that issuers during that time period likely failed to engage in all of the compliance practices identified in the Total enforcement action?
Perhaps the Total enforcement action is the product of vague and sloppy pleading. Because there is little chance that the DOJ will ever have to prove its allegations, this tends to happen in many FCPA enforcement actions. Yet, if the DOJ truly believes that all of the above generic allegations in the Total enforcement action represent issuer criminal violations, then the DOJ is suggesting that a significant percentage of issuers are engaged in criminal acts.
If so, this is troubling.
In my article “Grading the Foreign Corrupt Practices Act Guidance” and in this prior post, I detailed how DOJ officials stated that the legal community can have confidence that the enforcement agencies will act consistently with the Guidance. I then observed that the FCPA Guidance can serve as a useful measuring stick for future enforcement agency activity and detailed various statements in the Guidance that can serve this purpose.
Certain statements concerned the FCPA’s books and records and internal controls provisions, including that the FCPA “does not specify a particular set of controls that companies are required to implement” and that the concept of reasonableness (a key statutory element) “of necessity contemplates the weighing of a number of relevant factors, including the costs of compliance.”