Audit committees have many concerns on their plates these days. But none, it seems, are as vexing and consequential as the Foreign Corrupt Practices Act.

Board directors see all the same headlines that compliance officers do, trumpeting the latest huge fines and regulatory settlements stemming from some violation of the FCPA. Worse, other governments are now also adopting the same no-nonsense attitude toward overseas bribery that U.S. regulators have pushed under the FCPA for years. As a result, boards’ worries about bribery risk and compliance programs have become that much larger and global in nature.

“The risk today is huge,” says Martin Weinstein, a partner in the law firm Willkie Farr & Gallagher. “There’s no confusion about the U.S. government’s desire to enforce this law aggressively. For those caught in the government’s crosshairs, the enforcement results can be catastrophic.”

Audit committees in particular have a strong incentive to prevent an FCPA problem in the first place, because if a bribery issue does arise, the audit committee will have to spend a significant amount of time—possibly years—and resources managing an investigation, Weinstein says.

Tripping into an FCPA investigation “cannot be viewed as an insignificant cost of doing business anymore,” says David Stuart, a senior lawyer with Cravath Swaine & Moore. “There’s so much harm that can flow from corporate bribery and investigations of bribery, audit committees really do need to be paying attention.”

Compliance officers wanting to drive home that point with the audit committee can use any number of recent examples. Just last month, the French company Technip SA agreed to pay a $240 million criminal penalty as part of a two-year deferred prosecution agreement with the Justice Department, plus $98 million in disgorgement to the Securities and Exchange Commission, to resolve FCPA charges related to a decade-long scheme to bribe Nigerian government officials to obtain engineering, procurement, and construction contracts.

Worse yet, FCPA issues can lead to personal liability for directors. The SEC and Justice Department have been “very vocal about their interest in identifying the highest-level individuals within the organization who are responsible for the tone, culture, or weak internal controls that may contribute to, or at least fail to prevent, bribery and corruption,” Stuart says.

Another development worth noting, Stuart says, is last year’s SEC enforcement action against two senior executives at Nature’s Sunshine, holding them responsible for FCPA violations committed by the company’s Brazilian subsidiary even though they had no knowledge of the wrongdoing. The SEC held the pair liable under the theory of “control person liability” contained in the Securities Exchange Act—essentially saying that since they were the bosses of the whole operation, they should have known what was going on.

“Under certain circumstances, I could see the SEC invoking the same provisions against audit committee members—for instance, for failing to oversee implementation of a compliance program to mitigate risk of bribery,” Stuart says.

Beyond Regulators

Civil lawsuits are another risk from poor FCPA compliance. The law itself does not allow plaintiffs any right to private action, but that hasn’t stopped investors or other litigants from filing claims based on FCPA violations. Typically those claims are securities class-action lawsuits or shareholder derivative lawsuits, where plaintiffs argue that the FCPA problem is proof of poor management, says Kevin LaCroix, a director with OakBridge Insurance Services who blogs about D&O liability issues.

Companies such as Pride International, Parker Drilling, and Panalpina have all seen board members get sued by shareholders for failure to impose proper FCPA controls (to name only a few). Those lawsuits aren’t always successful; for example, earlier this year the Delaware Chancery Court cited Dow Chemical’s extensive corporate compliance program as a reason for dismissing a shareholder derivative suit accusing the directors of failing to prevent overseas bribery.

Courts have not been particularly welcoming to shareholder lawsuits based on FCPA-related claims, but “they keep coming,” says Richard Cassin, managing partner of Cassin Law. That’s probably because some boards and insurers settle such lawsuits rather than defend them, giving plaintiffs the incentive to try, he says.

Civil lawsuits can also raise problems with a company’s director and officer insurance coverage. Most policies won’t cover FCPA civil penalties awarded against officers, directors or employees of a company, LaCroix says, but coverage might be available for individual directors and officers for the cost of defending against an FCPA proceeding. That hinges on how a policy defines the term “claim,” and it assumes the policy doesn’t have a so-called “commissions exclusion” clause that precludes coverage. However, the extent of coverage depends on the nature and target of the claims, and the wording of the policy.

So what should compliance officers be telling audit committees about FCPA risk? Foremost, Stuart says, “Audit committees need to have an understanding of how exposed the company is with respect to bribery and corruption, where that risk lies, what controls are in place to mitigate it, and how management is testing those controls.”

From there, the audit committee needs to be sure that a strong anti-bribery compliance program is properly in place and operating. Albert Vondra, a partner with PricewaterhouseCoopers, divides corporations into two groups on that point: Those that have had FCPA problems and have put in strong controls and a robust compliance program, and those that haven’t had issues.

CHECKLIST QUESTIONS

The following checklist can help companies thwart an FCPA investigation:

Does your company’s compliance program promote a culture of compliance?

Does your FCPA program have processes in place to ensure that policies are followed, such as monitoring and auditing?

Is there adequate training?

Does the program promote accountability?

Does the board receive reports about the anti-corruption compliance program on a regular and sufficient basis?

Does the internal auditing team monitor and test FCPA compliance?

Is there appropriate due diligence on third parties?

—PwC

The latter group is made up of “companies where the boards may be the most at risk,” Vondra says. “They sometimes don’t have the incentive to spend the resources or take the rigorous approach to their anti-compliance programs. Their attitude is, ‘We’ve got it covered,’ but they don’t.”

Compliance officers also then need to nail down the “must-haves” in FCPA programs: written compliance policies and procedures to implement them; written records of the education and training provided to employees, third-party agents and intermediaries; and due diligence records, Cassin says.

Most importantly, there must be written records demonstrating that the audit committee or wider board receives regular reports from responsible company executives and managers about the compliance program and its results, and that the board members asked questions and received answers.

“That’s how boards demonstrate they’ve fulfilled their fiduciary obligations,” Cassin says.

Weinstein says board members should ask for actual examples of how the company conducts due diligence on third parties, and how compliance concerns were handled. “Have the compliance team show you what the company actually did,” he says.

Stuart says FCPA programs must also consider how the company does business in different regions, so its controls address specific practices and operations in those regions, and aren’t just generic controls that apply (with mixed results) worldwide.

Those considerations should include where the company uses third parties such as agents and independent contractors, who might be more difficult to control and oversee than the company’s own employees; the company’s gift-giving and entertainment practices that might be perceived as bribery; and where the company’s operations require government approvals or licenses creating an opportunity to give a bribe.