This 2014 post  highlighted Citigroup’s FCPA scrutiny after it disclosed various business practices in its Mexican Banamex unit. The prior post highlighted how the FCPA’s generic books and records and internal controls provisions can be implicated in the absence of any FCPA anti-bribery issues.
Fast forward to last week as the SEC announced two enforcement actions (see here  and here ) against Citigroup finding violations of, among other things, the FCPA’s books and records and internal controls provisions.
First, a bit of background.
The Foreign Corrupt Practices Act has always been a law much broader than its name suggests. The anti-bribery provisions are just one prong of the FCPA.
Indeed, most technical FCPA enforcement actions do not involve allegations of foreign bribery, but rather violations of the generic books and records and internal controls provisions. These provisions generally provide that issuers shall: (i) maintain books and records which, in reasonable detail, accurately and fairly reflect issuer transactions and disposition of assets (the books and records provisions); and (ii) devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are properly authorized, recorded, and accounted for by the issuer (the internal controls provisions).
For lack of a better term, let’s call such actions “non-FCPA FCPA enforcement actions.” By one estimate , since the FCPA’s enactment in 1977, there have been over 1,200 “non-FCPA FCPA enforcement actions.” Such actions are not dissected in the FCPA space and do not appear on the DOJ or SEC’s FCPA websites (here  and here ). Yet such actions most certainly involve the same books and records and internal controls provisions implicated in FCPA enforcement involving foreign bribery.
This salient aspect of the FCPA is often confusing to those new to the FCPA (as well as certain commentators who portray themselves as FCPA experts – see here  for instance).
Back to the Citigroup actions.
In summary fashion, the SEC’s first administrative order  finds:
“These proceedings involve Citigroup Inc.’s (“Citigroup”) failure to devise and maintain a sufficient system of internal accounting controls concerning a wholly-owned subsidiary, the Mexican bank Grupo Financiero Banamex, S.A. de C.V. (“Banamex”), sufficient to provide reasonable assurances that Banamex’s transactions were recorded as necessary to permit the preparation of Citigroup’s financial statements in accordance with generally accepted accounting principles (“GAAP”) and to maintain accountability for assets. Over the period between 2008 and February of 2014, Banamex loaned billions of dollars on the basis of invoices and work estimates – also known as “accounts receivable factoring” in the banking industry – reflecting work performed for Petroleos Mexicanos, S.A. de C.V. (“Pemex”) by Oceanografia, S.A. (“OSA”), a Mexican marine services provider for the oil industry in the Gulf of Mexico. However, some of the factored documents received from OSA, amounting to about $400 million, were fraudulent and included forged signatures. Banamex had deficient internal accounting controls over its accounts receivable factoring program used by OSA, including lacking internal accounting controls necessary to test the authenticity of the factored documents prior to advancing funds to OSA and recording them as accounts receivable. Banamex also lacked internal accounting controls sufficient to identify and respond to red flags that arose during the relationship between Banamex and OSA potentially warning Banamex of the ongoing fraud. Instead, it was not until the Government of Mexico itself accused OSA of failing to post a satisfactory insurance bond and decided to temporarily cease doing new business with OSA in February of 2014, at a time when Banamex had approved funding of over $600 million dollars to OSA and was still advancing monies to OSA, that Citigroup discovered many of the work estimates were falsified. Banamex’s internal accounting controls surrounding the factoring program were not sufficient to allow the earlier detection of OSA’s fraud. As a result, Citigroup recorded nearly $475 million in expenses in its financial statements. In particular, Citigroup adjusted its fourth quarter and full year 2013 financial results downward by the then estimated $360 million loss and recognized an additional loss of $113 million in 2014, when Citigroup had determined the full magnitude of the fraud.”
Based on the above, the SEC found violations of the FCPA’s internal controls provisions and Citigroup, without admitting or denying the SEC’s findings, agreed to pay a $4.75 million civil penalty.
In the other administrative order , the SEC found in summary fashion:
“This matter involves CGMI’s [Citigroup Global Markets Inc. – an indirect, wholly owned subsidiary of Citigroup] failure reasonably to supervise its traders with a view towards preventing mismarking and unauthorized trading in Citi proprietary accounts that ultimately caused CGMI’s books and records, and those of its parent, Citigroup, to be inaccurate.
During the period from December 2014 to March 2016, CGMI discovered and reported to the Commission staff three separate instances involving mismarking by three traders, each on a different trading desk. The discovery of each mismarking resulted in the recognition of millions of dollars of previously-unreported losses or the reversal of improperly reported unrealized gains in Respondents’ books and records. The three mismarking episodes overlapped in time, spanning the period mid-2013 through early 2016 (the “Relevant Period”), with each persisting for multiple quarters. All three mismarking scenarios involved opaque, illiquid positions that were overvalued by traders and not effectively price verified by Citi’s valuation control group. Two of the scenarios also involved unauthorized trading in U.S. Treasury securities (“USTs”), leading to losses that were largely concealed by the mismarkings; in both of those cases, the unauthorized trading and mismarking persisted for more than a year without being detected within CGMI’s supervisory framework.
The mismarking and unauthorized trading caused CGMI’s books and records required to be made and kept pursuant to Section 17(a) of the Exchange Act and Rule 17a-3(a) thereunder, including its “[l]edgers (or other records) reflecting all assets and liabilities, income and expense and capital accounts,” to be inaccurate during the Relevant Period. The mismarking by one trader also rendered CGMI’s Financial and Operational Combined Uniform Single (“FOCUS”) reports filed with the Commission pursuant to Rule 17a-5 under the Exchange Act inaccurate during the Relevant Period. As a direct result of the inaccuracies in the books and records of CGMI and other affected subsidiaries, the consolidated books and records of Citigroup were inaccurate in violation of Section 13(b)(2)(A) of the Exchange Act.”
Based on the above, the SEC found violations of, among other things, the FCPA’s books and records provisions and Citigroup, without admitting or denying the SEC’s findings, agreed to pay a $5.75 million civil penalty.
In this release , Marc Berger (Director of the SEC’s New York Regional Office) stated:
“[These] charges reflect the Commission’s view that Citigroup fell short of its obligations to supervise its traders and maintain appropriate controls to guard against fraud. Citigroup’s lax supervision and weak internal accounting controls allowed a handful of rogue traders to mismark positions over several years and, separately, resulted in the unnecessary loss of hundreds of millions of dollars of its shareholders’ assets to fraud.”
As highlighted in several prior posts (see here , here  and here ), such non-FCPA FCPA enforcement actions are deserving of analysis because they highlight a troubling aspect of FCPA enforcement: that being how the same alleged legal violations are sanctioned in materially different ways.
For instance, in the Citigroup actions, the SEC stated that the conduct at issue “resulted in the unnecessary loss of hundreds of millions of dollars of its shareholders’ assets to fraud.”
Can you imagine a books and records and internal controls enforcement action involving foreign bribery where the underlying conduct involved “hundreds of millions of dollars” being resolved for “only” approximately $10.5 million?
I can’t either.
FCPA Institute - Minneapolis (June 20-21, 2019)
A unique two-day learning experience ideal for a diverse group of professionals seeking to elevate their FCPA knowledge and practical skills through active learning. Learn more, spend less. CLE credit is available.