Q&As for FCPA best practices

Last week, I looked at the risks associated with violations of the Foreign Corrupt Practices Act and such issues as common triggers for an investigation; creating a culture of compliance; and possible action plans.

This week, I am offering guidance on the questions a company should ask itself vis-à-vis best practices in the three critical areas of risk assessment, due diligence, and training and monitoring. Much of it relates to doing business with third parties. This guidance should not be considered a substitute for legal advice but a starting off point for best practices.

DUE DILEGENCE

Are you conducting a risk-based due diligence of third parties? By definition, violations of the FCPA will happen overseas and will often involve third parties with whom you or your company are doing business. Don’t just look at their financials, references, and accomplishments. View them through the prism of risk.

Have you investigated the individuals and/or companies that will be representing your business? You need to look at their qualifications, reputation, and relationships with foreign officials. Have you personally met and interviewed the management and high-level employees of the third party? If not, you (or a trusted member of your team) should.

Have you evaluated the business rationale or justification for including the third party in the transaction? Is there a legitimate business need (or purpose), for this third party, with a specific role for them to play? Often third parties can be brought in for appearance rather than genuine need.

Have you determined that the compensation paid to the third party is reasonable for the services performed and in line with industry norms? Both overpayment and underpayment can be red flags to authorities or third parties. Regulators might be suspicious of either. Third parties might infer that “something extra” is warranted if you over pay them, and that “you owe them” if you under pay them.

Have you informed the third party of your anti-corruption policy and procedures? And just as important as informing them is ascertaining that they understand and agree to comply with your policy and procedures. This could include such things as requiring them to annually certify to their compliance and agreeing that you retain the right to audit.

Do you have a process in place to collect and document the due diligence performed? Your records for overseas need to be just as meticulous as any records kept for domestic transactions.

Does your company have a process to periodically monitor ongoing third-party relationships? You should have your own processes and people performing this function.

Do you have a process in place to resolve issues raised in the due diligence process?  These could be any kind of red flags, doubts or other concerns, about any aspect of the company or your joint work.

Do you have in place a process to raise the level of due diligence once any factor mentioned above become a concern? You should have a plan and process for enhanced due diligence.

RISK ASSESSMENT 

In its risk assessment process, does the company take into consideration the following:

• Country risk (such as corruption levels evidenced by Transparency International’s Corruption Perception Index, lack of effectively implemented anti-bribery legislation and the failure of the foreign government, media, local business community and civil society to effectively promote transparent anti-corruption policies);
• Industry sector risk;
• Transaction risk (such as charitable or political contributions, licenses and permits and transaction pertaining to public procurement);
• Business opportunity risk (such as high-value projects with a large number of intermediaries);
• Business partnership risk  (such as high use of intermediaries in a transaction with foreign officials, joint venture partners and/or relationships with politically exposed persons);
• Level of involvement with governments;
• Amount of government regulation and oversight;
• Exposure to customs and immigration in conducting business affairs;
• Internal risk (such as employee training and skill levels, the company’s compensation structure, bonus culture that rewards excessive risk taking, lack of clarity in the organization’s policies and procedures on hospitality, and promotional expenditures, and charitable and political contributions);
• Lack of clear commitment from top management. 

It’s critical to remember that there is no “one size fits all” risk assessment mechanism. It must be multifaceted and specific to each deal.

Has the company developed a method of prioritizing risk? A risk-assessment matrix should be created, and it shouldn’t be used exclusively for third parties. It will be a useful tool for identifying and prioritizing the risk according to their severity or impact on the company and likelihood of occurrence for the entirely of the risk assessment process.

Has the company periodically updated its risk-assessment processes? This needs to be done to account for new factors such as partners, industry sectors, and geographic areas to bring the assessment in line with changes within the company, including changes in its business needs.

MONITORING AND TRAINING

Training

Does your company conduct training of employees, consultants, joint venture partners, representatives and contractors to inform them of your company’s anti-corruption policy? Whether the training Web-based or in-person or a mix of methods should be determined by resources and what makes sense for the third parties. However, it should be required of all staff, management, officers and directors of the company.

Does your company provide in its training materials information and examples of how the policy would apply to individuals in specific job classifications? Giving relatable examples and scenarios in such areas as accounting and sales can help people better understand how to comply.

Is the training provided in local language and with local language handouts? It’s critical to offer the training and materials in this way so things don’t get “lost in translation.”

Is the training made specific for business units or job classifications? Different functions, such as accounting, sales, and HR, will be presented with different challenges. Training should be tailored accordingly.

Does the company require training at time of employment and annually thereafter, and require annual certification? Best practices call for/demand training at time of hire and annual re-training.

Does the company provide training regarding reporting suspected violations including urgent matters? This would include having a designated person or process that an employee may consult with or use if a question arises regarding the anti-corruption policy?

Does the company have in its training materials information regarding non-retaliation for whistleblowers? In its non-retaliation policy, the company should explicitly reassure employees that there will be no demotion, suspension, harassment, or other negatively impacting action to employees who in good faith report concerns regarding the compliance policy.

Monitoring

On-going third party relationships: Does the company update due diligence periodically and exercise its audit rights and provide training and request annual compliance certifications from the third party?

Does your company monitoring, review and evaluate internal procedures and policies throughout their lifecycle? Best practices are just as important internally as they are when dealing with third parties.

Have you considered some form of external verification or assurance of the effectiveness of anti-corruption procedures? This may not be viewed as necessary by the DOJ or the SEC, but it is surely a “good to have.”

Does the company provide the governing body with formal periodic compliance reviews and reports? With scrutiny on the C-Suite and boards increasing, doing this is necessary.