As FCPA enforcement toughens and settlements rise, compliance officers need to opt for administrative simplicity that won’t confuse employees
The US Department of Justice and the SEC just completed a very busy, record-setting quarter of enforcing the Foreign Corrupt Practices Act (FCPA). Should compliance officers be concerned about the risks their companies face? It depends on who you ask.
Matthew Reinhard, a lawyer at Miller Chevalier, which recently released its quarterly analysis of enforcement actions, believes the stricter enforcement trends demand more of companies’ attention. He points to both the skyrocketing settlements and the DoJ’s renewed focus on prosecuting individuals.
Until 2008, the top settlement paid by a company in a corruption case was $44 million, paid by Baker Hughes in 2007, followed $40 million paid by Chevron and $29 million paid by Titan Corp. At the end of 2014, the top three amounts were $800 million by Siemens in 2008, Alstrom’s $772 million in 2014, and Halliburton’s $579 million in 2009. Indeed, the tenth highest settlement by 2014--$185 million, paid by Daimler Chrysler in 2010 -- is more than quadruple the Baker Hughes settlement that topped the chart as of 2007.
These days, when FCPA allegations are most often resolved by Deferred Prosecution Agreements (DPAs) or Non-Prosecution Agreements (NPAs) with corporations, for a company to be deemed by the DoJ as ‘cooperating’ is very important for the purpose of prosecuting individuals, Reinhard explains. In the past few years ‘the DoJ has been very clear that to get cooperative credit, [it] needs the company to help with the prosecution of the individuals within the company that were responsible,’ says Reinhard.
Professor Michael Koehler at the Southern Illinois University School of Law, an FCPA expert, believes companies face FCPA risk, but advises keeping things in perspective. ‘Every single US company is subject to the FCPA. Thousands of foreign companies that trade on the US exchanges are subject to the FCPA, and theoretically. all companies of the world, to the extent certain jurisdictional requirements are meant, are subject to the FCPA. Against that backdrop, is 10 to 15 enforcement actions a year a lot?’
Koehler’s count of 10 to 15 actions a year is less than half that of Miller Chevalier, reflecting his use of the DoJ’s ’core’ method of counting FCPA actions, which lumps together all enforcement actions arising from the same case of misconduct. By this method, Siemens’ record-setting settlement, which resolved both DoJ and SEC charges against the company and three subsidiaries (five actions in all) and 15 actions against individuals, is counted as one FCPA action, though others might see it as 20 actions, or something in between.
Koehler also dismisses the idea that the DoJ is targeting individuals. He notes that in 2014 the DoJ filed charges against individuals in only one of seven cases it brought against corporations, or 14 percent of the time. (Miller Chevalier puts the total at 5 individual actions and 13 corporate actions by DoJ in 2014.) According to Koehler, prior to December 2004, when the DoJ started using DPAs and NPAs to resolve cases, 90 percent of the agency’s criminal enforcement actions also involved charges against individuals. That’s been true of only 25 percent of criminal enforcement actions since 2004, by Koehler’s count.
Rather than the low percentage of actions against individuals reflecting willingness to ignore individuals in favor of targeting the companies; Koehler suggests the widespread use of NPAs and DPAs without charging individuals may indicate weakness in the DoJ’s cases.
‘Per DoJ policy, all FCPA enforcement is consolidated through [DoJ’s headquarters] in DC. That means a handful of people essentially control this area of law. And they enforce it largely against corporations around conference tables in DC where the facts and legal theories are not subjected to one ounce of judicial scrutiny,” Koehler says.
Corporate boards, faced with the choice of either accepting an NPA or DPA they don’t believe is appropriate, or fighting the DoJ,—where the company would be criminally charged and its stock price would likely take a substantial hit—usually will simply take the deal, he explains.
Against this backdrop of low-probability, high-stakes FCPA enforcement, what should compliance officers do to protect their companies? Reinhard suggests they adopt ’a unitary corporate policy if at all possible for both administrative and legal reasons.’ A unitary policy is administratively simple and helps avoid problems caused by personnel moving to a location whose laws are different from those in their former location, but continuing to follow the company’s policy for their former location, he explains.
When multiple enforcement regimes may cover the same conduct, a company must choose which law to define its policy by. He suggests that ‘as a general matter, you take the most conservative approach’ so that conduct the company permits by policy is legal everywhere the company operates.
Koehler agrees that approach is effective. He also cautions companies to be skeptical when evaluating aggressive marketing materials from the multi-billion dollar FCPA compliance and defense industry; Not all companies need a Rolls Royce version of FCPA compliance -- just one uniquely tailored to the company's risk.