The closest the FCPA comes to actually discussing compliance is its books and records and internal controls provisions. These provisions – applicable only to issuers (a relatively small group of companies when one considers the full range of business organizations that may be subject to the FCPA’s anti-bribery provisions) – require that issuers shall:
“make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer” and
“devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that” that certain specific financial objectives are met.
The FCPA further states that the terms “reasonable assurances” and “reasonable detail” mean such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.
The FCPA’s legislative history makes clear that management is given discretion as to how to accomplish these objectives and that a variety of circumstances are relevant to the analysis.
The 1977 Senate Report stated:
“[M]anagement must exercise judgment in determining the steps to be taken, and the cost incurred, in giving assurance that the objectives expressed will be achieved.”
In SEC v. World-Wide Coin (a rare judicial decision to directly address the internal controls provisions), the judge stated:
“The size of the business, diversity of operations, degree of centralization of financial and operating management, amount of contact by top management with day-to-day operations, and numerous other circumstances are factors which management must consider in establishing and maintaining an internal accounting controls systems.”
As the SEC stated in formal FCPA Guidance:
“The Act does not mandate any particular kind of internal controls system. […] Private sector decisions implementing these statutory objectives are business decisions. And, reasonable business decisions should be afforded deference. This means that the issuer need not always select the best or the most effective control measure. However, the one selected must be reasonable under all the circumstances.”
In the 2012 FCPA Guidance, the DOJ/SEC stated (and repeated in the Second Edition of the FCPA Guidance released in 2020):
“The Act does not specify a particular set of controls that companies are required to implement. Rather, the internal controls provisions gives companies the flexibility to develop and maintain a system of controls that is appropriate to their particular needs and circumstances.”
In short, contrary to the FCPA Blog’s assertion, there is no requirement that an anti-bribery compliance program “prevent” FCPA violations nor is there any requirement in the statute concerning detection, remediation, and reporting.
To the extent, business executives have “unrealistic expectations” about compliance (and who knows if they really do), perhaps its because information sources like the FCPA Blog spread false information.
This recent FCPA Blog post asks: “Do your C-suite and boardroom have ‘unrealistic expectations’ about compliance?”
The post asserts that “what’s required are [anti-bribery] compliance programs that can help prevent FCPA violations, and if violations happen, can help detect, remediate, and report them.”
This is false.
One will not find the words “prevent” “detect” “remediate” or “report” in the FCPA.