Top Menu

The Challenges Of Detection And Prevention


The recent London Bridge attack in London. The January 2017 shooting at the Fort Lauderdale airport. The June 2016 shooting at an Orlando nightclub.

These recent instances, and several other similar acts of violence, have little in common with alleged Foreign Corrupt Practices Act offenses.

Except there is often a common thread in terms of the challenges of detection and prevention.

According to numerous media reports, two of the London Bridge assailants were on the radar screen of law enforcement. Indeed, one attacker was featured in a recent documentary “The Jihadis Next Door.”

The Fort Lauderdale airport shooter was on the radar screen of law enforcement. According to reports, prior to the incident, the individual “turned himself in to the FBI in Anchorage, complaining that the CIA had taken control of his mind and was directing him to view ISIS material on the Internet. The FBI passed his name to Anchorage police.” Perhaps most troubling, according to reports the gun used in the attack was previously confiscated by law enforcement yet handed back to the individual prior to the attack.

The Orlando nightclub shooter was on the radar screen of U.S. law enforcement and, according to reports, was interviewed twice by the FBI prior to his murderous rampage. According to reports, in the days leading up to the shooting, a gun shop owner declined to sell the shooter certain products given his suspicious behavior including his desire to obtain heavy-duty body armor. Even though gun sales are subject to a variety of rules and regulations, there was no apparent formal mechanism in place to connect the dots.

The deficiency (and thus problem) in these instances was one of detection and prevention.

In other words, the same challenges that law enforcement often has in detecting and preventing acts of terrorism or violence are often similar to the challenges business organizations have in detecting and preventing FCPA violations (or other legal violations for that matter).

Yet law enforcement deficiencies in detection and prevention seem to be tolerated to a greater extent than say internal control deficiencies in detection and prevention of alleged FCPA violations.

Policy makers and the public at large seem to acknowledge and accept that a government’s duty (loosely defined) is not absolute, but rather subject to a reasonableness requirement. Governments have, in good faith, invested substantial resources both in terms of money and personnel and often hope for the best. In other words, governments are cognizant of cost/benefit issues as well as the balance inherent in detecting and preventing harm while otherwise not infringing on the legal and privacy rights of its citizens.

Sure, when one knows the end of the story, when one knows the perpetrator of a violent attack it is always easier to work backwards and say (as the above examples indicate) that law enforcement woulda, coulda, shoulda done more and if only law enforcement did more and connected-the-dots in real time, then the violent attack would have been averted. However, society seemingly acknowledges that hindsight driven law enforcement is not the proper lens to view real-world, fluid situations.

Issuers subject to the FCPA have a legal duty under the FCPA’s internal controls provisions to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that,” generally speaking, corporate assets are properly used and accounted for.

As is explicit from the statutory term, this duty is not absolute, but rather subject to a reasonableness requirement, a concept the FCPA specifically defines as “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.”

In other words, cost/benefit issues, as well as balance, are inherent in the FCPA’s internal controls provisions.

Indeed, in its earliest FCPA Guidance (1981), the SEC explicitly rejected the notion that internal controls “conform to a standard of absolute exactitude or that a company’s control system meet some absolute ideal.” On this issue, the SEC stated:

“Inherent in [the reasonableness] concept is a toleration of deviations from the absolute. One measure of the reasonableness of a system relates to whether the expected benefits from improving it would be significantly greater than the anticipated costs of doing so. Thousands of dollars ordinarily should not be spent conserving hundreds.”

The SEC further stated: “The test of a company’s internal control system is not whether occasional failings can occur. Those will happen in the most ideally managed company.”

This balance inherent in the internal controls provisions has been formally acknowledged by the government on several other occasions. For instance in a 1999 Staff Accounting Bulletin the SEC stated: “The concept of reasonableness of necessity contemplates the weighing of a number of relevant factors, including the costs of compliance.” Most recently, in the 2012 FCPA Guidance, the government acknowledged:

“The term ‘reasonable detail’ is defined in the statute as the level of detail that would ‘satisfy prudent officials in the conduct of their own affairs.’ Thus, as Congress noted when it adopted this definition, ‘[t]he concept of reasonableness of necessity contemplates the weighing of a number of relevant factors, including the costs of compliance.'”

In furtherance of its FCPA-imposed internal controls duties, most all issuers (but regrettably not all issuers) have, in good faith, invested substantial resources both in terms of money and personnel.

Yet, when an issuer’s internal controls are not 100% effective, the government often drops the hammer on an issuer in the form of an FCPA enforcement action. The enforcement theory advanced in several FCPA enforcement actions is very much a woulda, coulda, shoulda theory of enforcement. What the government (particularly the SEC) often does is start with the end of the story, when the problematic employee (among the thousands of employees in the company) or the problematic third party (among the thousands of third parties engaged by the company) is known and then work backwards in what amounts to hindsight driven enforcement.

As highlighted above, such an enforcement approach is entirely inconsistent with the FCPA’s express language and indeed the government’s own guidance.

FCPA Institute - Zoom (May 16-18, 2023)

Elevate your FCPA knowledge and practical skills. Nine hours of integrated and cohesive instruction led by Professor Koehler (an FCPA expert with teaching experience). Learn more, spend less. Professional credential available.

Learn More and Register

Powered by WordPress. Designed by WooThemes