This is Part I of a two-part paper on this topic.
The recent news that HP will pay a total of $108 million to the US Department of Justice and the Securities and Exchange Commission to settle investigations into violations of the Foreign Corrupt Practices Act is merely the latest example in a long and growing list of such cases.
Hewlett-Packard said in a statement about the case:
“The misconduct described in the settlement was limited to a small number of people who are no longer employed by the company. HP fully cooperated with both the Department of Justice and the Securities and Exchange Commission in the investigation of these matters and will continue to provide customers around the world with top quality products and services without interruption.”
The SEC said HP “was charged with violating the Foreign Corrupt Practices Act (FCPA) when its subsidiaries in three different countries made improper payments to government officials to obtain or retain lucrative public contracts.” The charges include violations of the anti-bribery provisions of the act, conspiracy, inadequate internal controls, and falsified accounting records.
The scope of these charges underscore the risk of doing business in foreign countries and how critical it is for companies to create and sustain a corporate culture that fosters and encourages ethical behavior throughout the organization. Too often, risk is viewed through a very narrow lens in the corporation and is seen as the exclusive responsibility of a small group or a dedicated silo, such as compliance or legal.
Corruption, like any other risk issue, can have far-reaching implications. The risks involved with violations of the FCPA must be looked at it in terms of how they relate to reputation and the possibility of business disruption, loss of clients, and time-consuming, distracting, and expensive litigation. A company should see compliance with the FCPA as part of its value proposition and competitive advantage; it should examine how it can leverage culture to create economic and reputational value. In the long run, doing so will help the company avoid costly litigation, fines, a damaged reputation, and possible criminal penalties.
So, how does a company create such a culture and not fall afoul of the FCPA? Through both guidance and enforcement, the DOJ and SEC provide companies with a roadmap for anti-corruption best practices and for an effective and efficient compliance program. Yet it must also be recognized that the DOJ has consistently stated that there is no “one-size fits all” compliance program. A company’s compliance program must be tailored the specific needs of the organization.
DOJ guidance asks three high-level questions regarding a company’s compliance program:
The company’s risk-assessment program must also be tailored to the company’s specific needs. Assessment is multi-faceted and includes such steps as planning, gathering information, analysis, prioritization, reporting, and reacting to the identified risks. Only with this level of specificity will an organization know its risks and have the insight to react to the dangers it faces.
What follows are broad, high-level guidelines to help companies navigate the FCPA. These guidelines should not be considered a substitute for legal advice. It is also important to realize that they don’t deal with the specifics of third parties, who are at the crux of FCPA violations. Next week, we will follow up with questions a company should ask itself vis-a-vis best practices related to third parties in the three critical areas of risk assessment, due diligence, and training and monitoring.
BEYOND LIP SERVICE
A sophisticated, thought-out compliance program should be established and implemented by the CEO and the board of directors. Senior management must lead from the top in ethics and compliance. Yes, such programs are expensive, but in the long run they may help you avoid more costly alternatives, which can include hefty fines, or other civil or criminal penalties. Should your company ever be the subject of an investigation, one of the first things the DOJ will do is look to see what kind of compliance program you have in place.
The DOJ and The SEC have highlighted 10 hallmarks of an effective compliance program, including: commitment from senior management; oversight, autonomy, and resources; adequate policies and procedures; risk assessment; third-party due diligence; and continued improvement and periodic testing. Other areas the DOJ and SEC will look at: whether you reward or highlight individuals who bring to light problems and assure those individuals that there will not be retribution for bringing forward information; if you have customized, real-life scenario training for management and staff in susceptible areas such as accounting, finance, sales and contract work with consultants; and does the company perform a level of risk assessment commensurate with the company size and the levels of transaction?
COMMON TRIGGERS
There are several common triggers for a DOJ investigation. It could be a whistleblower; someone who has gone to the government because he or she is frustrated with the company for not handling their complaint properly. The DOJ might come knocking with a subpoena because of a tip from a competitor, or a referral from another jurisdiction, or it could be because they are looking at the industry as a whole.
ACTION PLAN
You need to have in place a first-response plan, should your company come under investigation. You need to ask who will lead the internal investigation, what will be the scope of the investigation, do you have the necessary resources, how you identify and collect documents, who will be responsible for doing so, who will conduct witness interviews, and how will you address the important three-prong area of self-reporting, cooperation and remediation? And you must decide if you are going to cooperate.
As has been made clear from previous cases, the DOJ has lauded companies that have cooperated early and extensively throughout the investigation, made extraordinary efforts to uncover evidence of prior corrupt activities and made a comprehensive commitment to restructure and remediate its operations. Cooperation with the DOJ and SEC may lead to lessening the total exposure in the “calculation of culpability score” and may provide a rationale for reduced fines and other sanctions.
When conducting your internal investigation you should also bear in mind that an anticorruption investigation could also trigger investigations into other areas, such as tax code, money laundering, and the Travel Act violations.
Another consideration is when outside legal counsel be used vs. only internal resources to investigate. Some of the immediate questions that must be answered include: What is the scope and depth of the investigation? Do you have the requisite skill sets in–house and does the staff have experience in conducting an anti-corruption investigation? Will the investigation spread staff too thin? Will in-house or outside counsel spearhead the investigation or will responsibility be shared?
The current thinking is overwhelmingly in support of hiring outside counsel with experienced attorneys and staff. Conducting the internal investigation solely with in-house resources generally raises suspicions and can give the perception (fair or not) that the investigation may not be thorough and may be biased.
IF YOU SUSPECT A VIOLATION
You also need an action plan if you internally receive a report of suspicious activity – through a hotline or an ombudsman, for example. Again, you need to develop a methodology for initiating an investigation through your GC, Chief Compliance Officer, or other responsible senior executive tasked with compliance responsibilities. Once you start delving into the matter and there is indication that a wider violation may have occurred than initially thought, you may want to consider outside counsel for reasons cited above.
Again, you will have to decide who will conduct the risk assessment. Is it internal staff, outside consultants, or a mix of both? If it is the internal staff, be certain that they have the time, industry-specific skills and language skills, and available resources to do the investigation. You will need a general investigation conducted by people who are adept at interviewing and are on-site where the suspected breach took place.
Early detection, remediation, and cooperation can be significant factors in the reduction of fines, penalties, and resolution of a DOJ investigation.
