- FCPA Professor - http://fcpaprofessor.com -

The Challenges Of Detection And Prevention

The recent Sutherland Springs church massacre. The recent New York City bike path attack. Before that, the bridge attack in London. Before that, the shooting at the Fort Lauderdale airport. Before that, the shooting at an Orlando nightclub.

These recent instances, and several other similar acts of violence, have little in common with alleged Foreign Corrupt Practices Act offenses.

Except there is often a common thread in terms of the challenges of detection and prevention.

According to media reports [1], Devin Kelley (the Sutherland Springs Church assailant) was well known to the government based on his prior acts of violence and other improper conduct. Yet, the Air Force failed to provide key information to the FBI that should have prevented the attacker from purchasing firearms. As noted in the report:

“the Air Force said [Kelley’s] offense was not entered into a national database, which meant he was able to pass background checks to purchase weapons. Kelley was convicted on charges of assaulting his then-wife and stepson and served 12 months in confinement before being released in 2014 with a bad-conduct discharge.”

According to media reports [2], Sayfullo Saipov (the New York City bike path assailant) was also well known to the government. As noted in the report, Saipov:

“was interviewed in 2015 by federal agents about possible ties to suspected terrorists but a case was never opened against him, law enforcement officials tell ABC News.Saipov was listed as a “point of contact” for two men whose were listed in a Department of Homeland Security counterterrorism database and later overstayed their tourist visas, a federal official told ABC News. One was flagged after arriving from a so-called “threat country,” while the other vanished and was being actively sought by federal agents as a “suspected terrorist.”

As highlighted in this prior post [3] of the same title, the other recent attacks also highlighted above followed a similar theme in that the assailants were on the radar screen of government prior to their cowardly acts of violence that destroyed and forever altered so many lives.

The deficiency (and thus problem) in these instances was one of detection and prevention.

[4]

In other words, the same challenges that law enforcement often has in detecting and preventing acts of terrorism or violence are often similar to the challenges business organizations have in detecting and preventing FCPA violations (or other legal violations for that matter).

Yet law enforcement deficiencies in detection and prevention seem to be tolerated to a greater extent than say internal control deficiencies in detection and prevention of alleged FCPA violations.

Policy makers and the public at large seem to acknowledge and accept that a government’s duty (loosely defined) is not absolute, but rather subject to a reasonableness requirement. Governments have, in good faith, invested substantial resources both in terms of money and personnel and often hope for the best. In other words, governments are cognizant of cost/benefit issues as well as the balance inherent in detecting and preventing harm while otherwise not infringing on the legal and privacy rights of its citizens.

Sure, when one knows the end of the story, when one knows the perpetrator of a violent attack it is always easier to work backwards and say (as the above examples indicate) that law enforcement woulda, coulda, shoulda done more and if only law enforcement did more and connected-the-dots in real time, then the violent attack would have been averted. However, society seemingly acknowledges that hindsight driven law enforcement is not the proper lens to view real-world, fluid situations.

Issuers subject to the FCPA have a legal duty under the FCPA’s internal controls provisions to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that,” generally speaking, corporate assets are properly used and accounted for.

As is explicit from the statutory term, this duty is not absolute, but rather subject to a reasonableness requirement, a concept the FCPA specifically defines as “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.”

In other words, cost/benefit issues, as well as balance, are inherent in the FCPA’s internal controls provisions.

Indeed, in its earliest FCPA Guidance [5] (1981), the SEC explicitly rejected the notion that internal controls “conform to a standard of absolute exactitude or that a company’s control system meet some absolute ideal.” On this issue, the SEC stated:

“Inherent in [the reasonableness] concept is a toleration of deviations from the absolute. One measure of the reasonableness of a system relates to whether the expected benefits from improving it would be significantly greater than the anticipated costs of doing so. Thousands of dollars ordinarily should not be spent conserving hundreds.”

The SEC further stated: “The test of a company’s internal control system is not whether occasional failings can occur. Those will happen in the most ideally managed company.”

This balance inherent in the internal controls provisions has been formally acknowledged by the government on several other occasions. For instance in a 1999 Staff Accounting Bulletin [6] the SEC stated: “The concept of reasonableness of necessity contemplates the weighing of a number of relevant factors, including the costs of compliance.” Most recently, in the 2012 FCPA Guidance [7], the government acknowledged:

“The term ‘reasonable detail’ is defined in the statute as the level of detail that would ‘satisfy prudent officials in the conduct of their own affairs.’ Thus, as Congress noted when it adopted this definition, ‘[t]he concept of reasonableness of necessity contemplates the weighing of a number of relevant factors, including the costs of compliance.’”

In furtherance of its FCPA-imposed internal controls duties, most all issuers (but regrettably not all issuers) have, in good faith, invested substantial resources both in terms of money and personnel.

Yet, when an issuer’s internal controls are not 100% effective, the government often drops the hammer on an issuer in the form of an FCPA enforcement action. The enforcement theory advanced in several FCPA enforcement actions is very much a woulda, coulda, shoulda theory of enforcement. What the government (particularly the SEC) often does is start with the end of the story, when the problematic employee (among the thousands of employees in the company) or the problematic third party (among the thousands of third parties engaged by the company) is known and then work backwards in what amounts to hindsight driven enforcement.

As highlighted above, such an enforcement approach is entirely inconsistent with the FCPA’s express language and indeed the government’s own guidance.

In short, it would be nice to see some consistency between expectations for government and expectations for business organizations and for the government to be consistent in holding itself accountable for the challenges of detection and prevention vs. how it holds business organizations accountable for the challenges of detection and prevention.

FCPAnalytics Is Data Driven

As stated by the DOJ's compliance counsel: "strong compliance must be data driven." FCPAnalytics strives to do just by assisting professionals in making efficient and informed decisions guided by data driven statistics.  

Learn More [8]