This new era of Foreign Corrupt Practices Act enforcement has resulted in many things, including FCPA Inc. marketing and selling the latest solution, software, or other strategy to purportedly achieve FCPA compliance. This previous post noted:
“Annual FCPA training, annual FCPA certifications, databases full of customers with government ownership, an automated process for this and that, periodic FCPA compliance reminders, FCPA compliance as an agenda item on each meeting, etc. All of these are considered best practices, but the question is asked – is too much FCPA compliance actually a net negative?”
This recent article “Trust: The Unwritten Contract in Corporate Governance” by David Larcker (the Morgan Stanley Director of the Center for Leadership Development and Research at the Stanford Graduate School of Business and senior faculty member at the Rock Center for Corporate Governance at Stanford University) and Brian Tayan (a researcher with Stanford’s Center for Leadership Development and Research) caught my eye.
The authors ask:
“Companies spend tens of millions of dollars annually on incentive compensation, director salaries, audit fees, internal auditors, and compliance efforts to satisfy a long list of rules, regulations, and procedures imposed by legislators and the market. Would corporate governance improve if companies instead had fewer controls. Would shareholders be better off if organizations instead demonstrated more trust in employees and executives?”
The authors state:
“Once established, a high-trust governance system allows for the reduction or elimination of many of the costs, controls, and procedures that characterize today’s governance systems. […] “[C]ompanies could eliminate many of the bureaucratic checks and controls that are often implemented to prevent and detect legal or regulatory violations. Instead, employees would self monitor, with line-managers responsible for reporting inadvertent legal or regulatory missteps to higher level executives.” […] “High-trust settings are characterized by lower bureaucracy, simpler procedures, and higher productivity. Would shareholders be better off if companies had fewer formal corporate governance requirements and instead devoted greater effort to fostering trust?”
Applied to the FCPA context, would FCPA compliance be better achieved if companies had fewer formal internal controls and instead devoted greater effort to fostering trust within a business organization?
Would such an approach even satisfy an issuer’s obligations under the FCPA’s internal controls provisions which require that issuers devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are properly authorized, recorded, and accounted for by the issuer?
The FCPA defines “reasonable assurances” as “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.”
Relevant legislative history from 1988 when this definition was added to the FCPA states:
“The prudent [person] qualification [was adopted] in order to clarify that the current standard does not connote an unrealistic degree of exactitude or precision. The concept of reasonableness of necessity contemplates the weighing of a number of relevant factors, including the costs of compliance.”
The only substantive judicial decision concerning the FCPA’s internal controls provisions (SEC v. World-Wide Coin – see here for the prior post) states:
“The concept of ‘reasonable assurances contained in [the internal controls provision] recognizes that the costs of internal controls should not exceed the benefits expected to be delivered.”
Beyond this legal authority, in FCPA guidance issued in 1981, the SEC stated:
“The [FCPA] does not mandate any particular kind of internal controls system. The test is whether a system, taken as a whole, reasonably meets the statute’s specified objectives. ‘Reasonableness,’ a familiar legal concept, depends on an evaluation of all the facts and circumstances.” […] Private sector decisions implementing these statutory objectives are business decisions. And, reasonable business decisions should be afforded deference. This means that the issuer need not always select the best or the most effective control measure. However, the one selected must be reasonable under all the circumstances.”
Likewise in the 2012 FCPA Guidance the DOJ and SEC stated:
“Like the ‘reasonable detail’ requirement in the books and records provision, the Act defines ‘reasonable assurances’ as ‘such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.’”
“The Act does not specify a particular set of controls that companies are required to implement. Rather, the internal controls provision gives companies the flexibility to develop and maintain a system of controls that is appropriate to their particular needs and circumstances.”
Imagine a situation in which an issuer becomes the subject of FCPA scrutiny based on the conduct of a foreign country manager or sales representative.
During a meeting with the DOJ and SEC, the enforcement attorneys ask company counsel what internal controls existed as relevant to the country manager or sales representative.
Company counsel responds – “we trusted” him or her. This would likely cause the enforcement attorneys to laugh out loud.
However, the relevant legal question is – was trust prudent and reasonable?