While the FCPA is a US law, it has vast extraterritorial reach that can snare overseas companies that are seemingly far from US jurisdiction.
The US Foreign Corrupt Practices Act (FCPA) is the most important corporate anti-bribery statute in the world. It bans companies from bribing foreign government officials to win business, and it requires publicly traded companies to keep books and records that adequately reflect financial transactions.
For the last 15 years, FCPA enforcement has also been a top priority when enforcing against corporate crime for the US Department of Justice (DOJ) and the Securities and Exchange Commission (SEC)—which means, given the potential penalties and costs involved, that FCPA compliance is also one of the highest priorities for corporate audit committees as well as for the C-suite. Resolving an FCPA enforcement action is nobody’s idea of a good time.
And while the FCPA is a US law, it has vast extraterritorial reach that can snare overseas companies that are seemingly far from US jurisdiction. The FCPA has also become the model for other anti-bribery statutes with similar compliance obligations in Brazil, Britain, Canada, France, and elsewhere around the world.
Appreciating the Two Parts of the FCPA
The more glamorous part of the FCPA is its criminal provisions, which are enforced by the DOJ. Those provisions forbid a company from offering anything of value to a foreign government official in exchange for a business benefit: in other words, no quid pro quo.
More relevant to audit, risk, and compliance officers, however, are the FCPA’s civil provisions, which require effective internal accounting controls: the books-and-records provisions. This section of the law is enforced by the SEC, and it’s more important for effective FCPA compliance for several reasons.
First, the SEC can—and routinely does—enforce the civil section even without any corresponding criminal enforcement action by the DOJ. And even though the DOJ might decide that allegations of FCPA bribery against a company aren’t worth enforcing or aren’t provable, the SEC can still bring civil charges for weak internal controls that allowed the potential for bribery. Poor internal accounting controls are an enforcement risk unto themselves.
Second, the FCPA works by amending the Securities Exchange Act so that all companies trading on US stock exchanges must maintain adequate books and records. In other words, the books-and-records provisions provide a legal basis for the SEC to punish accounting fraud generally, even without a bribery scheme.
Examples of FCPA Internal Control Failures
Strong internal accounting controls are crucial to FCPA compliance. To understand what that means at a practical level, it’s best to consider some examples of poor internal controls:
- Lax accounting policies, such as offering credit notes to distributors or resellers (who could then ask for those notes to be paid in cash) and not effectively tracking those credit notes
- Poor documentation processes, such as resellers in foreign countries asking for discounts on products—discounts that they don’t always pass on to customers
- Poor third-party spending controls, such as allowing payments to intermediaries that haven’t completed anti-corruption due diligence
- Lack of anti-bribery policies for spending approvals, receipts, or other documentation
- Weak leadership, such as not having an audit or compliance officer, or not requiring re-evaluation of the FCPA compliance program as the business evolves and its corruption risk changes
All of the above examples have appeared in FCPA enforcement actions in recent years. As you can see, they are a constellation of failures that range from ineffective controls to weak policies to poor leadership.
What Effective Compliance Looks Like
The good news is that regulators have provided extensive guidance about what effective FCPA compliance should accomplish. For example, the DOJ and the SEC have literally written the book1 (now in its second edition) on the subject, and have also provided general guidance on effective compliance programs2.
From that guidance, several items stand out as particularly important:
- An effective anti-bribery risk assessment as well as ongoing risk assessments that keep pace with the organization’s changing business landscape, including new products offered, new markets entered, and mergers or new business partnerships
- Anti-bribery policies and procedures that are commensurate with the risks identified in a risk assessment, including, for example, requiring receipts for travel and entertainment expenses related to foreign government officials, and annual anti-bribery training for all employees and third-party resellers
- Internal controls, such as setting spending limits or blocks on issuing payment to third parties where anti-bribery due diligence hasn’t been completed
- Regular testing of internal controls, followed by remediation where necessary
- Governance of third parties, such as performing due diligence sufficient to the risks they pose, requiring attestations that third parties won’t commit bribery on the organization’s behalf, and including a right-to-audit clause in contracts
Why Technology Matters So Much
Considering all of the ways that illicit payments can happen within a large organization, the need for strong technology to drive FCPA compliance is compelling. A global company simply has too many third parties and too many transactions to manage the task with manual, paper-based systems.
That strong technology should empower preventive controls, where anti-bribery procedures integrate into the accounting department’s payment systems. Examples of these controls include no reimbursements for gifts, travel, or entertainment expenses without evidence of prior spending approvals or receipts, and no payments to high-risk third parties whose due diligence is incomplete.
The technology should also include detective controls, where auditors can trace a questionable transaction and all of its attendant documentation. This also means that companies need a single source of truth about their transactions: due diligence performed on an intermediary, a contract signed with a third party, verified documentation for payments issued, etc. (Documentation compiled on fake spreadsheets that are passed along to management is regularly found in FCPA enforcement actions.)
Enforcement of the FCPA remains a high priority for US prosecutors, and enforcement of other anti-bribery statutes around the world is also on the rise. Moreover, the costs of an investigation into FCPA issues can be painful: the average cost of an investigation into violations of the FCPA is $1.82 million per month—and the average length of an investigation is 38 months!3
All of this emphasizes that building an FCPA compliance program, complete with effective internal accounting controls, is a crucial risk management priority.
It’s not easy, and putting the pieces together without technology is nearly impossible. However, with determination and the right technology, the path to an effective compliance program is fairly straightforward: risk assessment, followed by anti-bribery policies and procedures, supported by internal spending controls, and then test regularly to find weaknesses and remediate as needed.