Naturally, and understandably, those tasked with Foreign Corrupt Practices Act compliance within a business organization want clear answers to many questions.
However, the FCPA rarely provides clear answers and this is particularly true with the internal controls provisions.
The provisions are not rule-based, but principle-based, in the sense that the key statutory language is that issuers shall “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances” that certain financial objectives are met. The FCPA then defines “reasonable assurances” to mean “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.”
In a rare judicial opinion interpreting these provisions, a court stated:
“The main problem with the internal accounting controls provision of the FCPA is that there are no specific standards by which to evaluate the sufficiency of controls; any evaluation is inevitably a highly subjective process in which knowledgeable individuals can arrive at totally different conclusions.”
The FCPA enforcement agencies rightly acknowledge this as well. For instance, the 2012 FCPA Guidance and the 2020 Second Edition of the FCPA Guidance state:
“The Act does not specify a particular set of controls that companies are required to implement. Rather, the internal controls provisions give companies the flexibility to develop and maintain a system of controls that is appropriate to their particular needs and circumstances.”
Nevertheless, and returning to the opening sentence, naturally, and understandably, those tasked with Foreign Corrupt Practices Act compliance within a business organization want clear answers to many questions.
However, there rarely are clear answers. Set forth below is an admittedly small – yet representative – list of questions to which compliance professionals often want answers.
- Is due diligence of third parties required? If so, which third parties? What should the due diligence consist of? How much due diligence is enough? Who should conduct the due diligence?
- A written agreement with a third party is certainly a good idea, but what FCPA specific or relevant provisions should be included in the agreement? Should the company reserve the right to audit the third party? If so, how often?
- What are the specifics of monitoring and supervising a third party once engaged? Is the company actually required to obtain an annual certification letter from the third party?
- Sure, risk assessments are a good idea and serve as the foundation from which other compliance policies and procedures flow – but are companies required to do a risk assessment? What is the best way for a company to conduct a risk assessment? How often should a risk assessment be repeated?
- The company has an overall written compliance policy, but does the company need specific written policies and procedures targeted to specific areas?
- Does the company have to have its compliance policies and procedures translated into various languages and if so which languages?
- Does the company have to conduct FCPA training? If so, who should be included in the training? What type of training should occur? Should different individuals within the company receive different training or should the training be the same?
- What does “tone at the top” really even mean? When the FCPA enforcement agencies state that directors and senior managers should provide “strong, explicit, and visible support and commitment” to policies and procedures – what does that mean?
- Who within a company should be responsible for oversight and implementation of the FCPA compliance program? Does it have to be a lawyer? Whoever this person is, what sort of reporting relationship should they have to the audit committee / board of directors?
- Does a company need a dedicated compliance officer located in each country or region of the world in which they operate? Should foreign subsidiaries, affiliates etc. have the autonomy to design and implement their own compliance policies and procedures?
- Is the company required to have an internal hotline for reporting of potential compliance issues? If so, should the hotline be outsourced?
- When a compliance issue arises, how should it be handled? What sort of investigative steps should follow? What is the line between investigating the issue internally vs. calling in outside resources?
- If a credible and provable FCPA violation exists, should the company voluntarily disclose the conduct?
- Are companies required to test their compliance program? If so, what does this even mean?
Granted, many of the above questions have “good, better, and best” answers depending on the specifics of the company. However, the point remains that the FCPA statute does not provide the specific answer.
Sure, FCPA Inc. often pretends that it knows the best answer, but that best answer often magically aligns with the services and/or product offerings of the FCPA Inc. participant.
And here is the unfortunate reality.
Even though the FCPA statute does not provide the specific answer, and even though the FCPA enforcement agencies acknowledge that the FCPA “does not specify a particular set of controls that companies are required to implement,” nearly every question above was formed using actual allegations or findings in actual FCPA enforcement actions in which a company was “dinged” for not doing what the government thought it should have been doing.