This recent post discussed how the COVID-19 crisis once again demonstrates that there is a difference between the FCPA anti-bribery provisions (the statute) and how the FCPA’s anti-bribery provisions are enforced by the DOJ/SEC.
In the current crisis, some have raised legitimate concerns that doing risk assessments, due diligence of third parties, monitoring of third parties, in-country audits, and a host of other internal controls “best practices” have become difficult if not practically impossible – and thus Foreign Corrupt Practices Act violations are lurking. After all, the DOJ says a business organization should do the above-listed things (among others) in its Evaluation of Corporate Compliance Programs (“ECCP”)
Compliance professionals – take a deep breath. The ECCP is not the law and courts have held that failure to follow supposed “best practices” is not a legal violation.
Rather, in times like these remember that the internal controls standard is “reasonable.” “Reasonable” is a term used throughout the law and when used the standard contemplates a variety of factors including the circumstances in which conduct occurs. Indeed, this position finds grounding in the FCPA itself, its legislative history, FCPA judicial decisions, and even prior FCPA enforcement agency guidance.
The FCPA’s internal controls provisions (which after all only applicable to issuers) state that an issuer shall “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that” certain financial objectives are met.
The FCPA then defines “reasonable assurances” to “mean such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.”
The FCPA’s legislative history makes clear that management is given discretion as to how to accomplish these objectives and that a variety of circumstances are relevant to the analysis.
The 1977 Senate Report stated:
“[M]anagement must exercise judgment in determining the steps to be taken, and the cost incurred, in giving assurance that the objectives expressed will be achieved.”
In SEC v. World-Wide Coin (believed to be the only judicial decision to directly address the internal controls provisions), the judge stated:
“The size of the business, diversity of operations, degree of centralization of financial and operating management, amount of contact by top management with day-to-day operations, and numerous other circumstances are factors which management must consider in establishing and maintaining an internal accounting controls systems.”
As the SEC stated in formal FCPA Guidance:
“The Act does not mandate any particular kind of internal controls system. […] Private sector decisions implementing these statutory objectives are business decisions. And, reasonable business decisions should be afforded deference. This means that the issuer need not always select the best or the most effective control measure. However, the one selected must be reasonable under all the circumstances.”
In the 2012 FCPA Guidance, the DOJ/SEC stated:
“The Act does not specify a particular set of controls that companies are required to implement. Rather, the internal controls provisions gives companies the flexibility to develop and maintain a system of controls that is appropriate to their particular needs and circumstances.”
Compliance professionals needs to keep the above in mind as they navigate their companies through these most unusual current circumstances.
What can’t be guaranteed however is how the DOJ / SEC – 1-3 years from now and with the perfect benefit of hindsight – evaluate business conduct during the COVID-19 crisis.
And therein lies the problem.
Strategies For Minimizing Risk Under The FCPA
A compliance guide with issue-spotting scenarios, skills exercises and model answers. "This book is a prime example of why corporate compliance professionals and practitioners alike continue to listen to Professor Koehler."