12 Keys to Building a Successful FCPA Compliance Program with Attorney Nick Oberheiden

The Foreign Corrupt Practices Act (FCPA) is a federal law that imposes substantial penalties for offering bribes and other unlawful payments to government officials. It applies to U.S. companies that do business with foreign state-controlled entities; and, under amendments enacted in 1998, it applies to foreign entities that do business on U.S. soil.

FCPA being signed by President Jimmy Carter in 1977
Image: courtesy of Carter archives.

Under the FCPA, companies and their owners, officers, directors, and other key personnel can face civil or criminal penalties for violating the law. So, compliance needs to be a priority. Here, federal compliance and defense attorney Nick Oberheiden, PhD, discusses 12 keys to building an effective FCPA compliance program:

1. Determining Whether the FCPA Applies to Your Company

First, you need to determine if the Foreign Corrupt Practices Act applies to your company. At a threshold level, there are three types of entities that are subject to the FCPA. As the U.S. Department of Justice (DOJ) and the U.S. Securities and Exchange Commission (SEC) explain in their jointly-published FCPA Resource Guide, these are:

  • Issuers – “A company is an ‘issuer’ under the FCPA if it has a class of securities registered under Section 12 of the [Securities] Exchange Act or is required to file periodic and other reports with SEC under Section 15(d) of the Exchange Act. In practice, this means that any company with a class of securities listed on a national securities exchange in the United States, or any company with a class of securities quoted in the over-the-counter market in the United States and required to file periodic reports with SEC, is an issuer.”
  • Domestic Concerns – “A domestic concern is any individual who is a citizen, national, or resident of the United States, or any corporation, partnership, association, joint-stock company, business trust, unincorporated organization, or sole proprietorship that is organized under the laws of the United States or its states, territories, possessions, or commonwealths or that has its principal place of business in the United States.”
  • Certain Foreign Nationals – “[T]he FCPA’s anti-bribery provisions have applied to foreign persons and foreign non-issuer entities that, either directly or through an agent, engage in any act in furtherance of a corrupt payment (or an offer, promise, or authorization to pay) while in the territory of the United States.”

Of course, since all U.S. residents and businesses qualify as “domestic concerns” for purposes of FCPA applicability, domestic companies must conduct further analysis in order to determine whether it is necessary to implement an FCPA compliance program. To do this, it is necessary to look at how the law applies.

2. Determining How the FCPA Applies to Your Company

The FCPA addresses two main issues: bribery and accounting. The statute’s anti-bribery provisions apply to U.S. companies that transact business with foreign governments and foreign entities that operate on U.S. soil. So, if you own, manage, or direct a U.S. company that exclusively operates within the United States, FCPA compliance likely is not a concern. However, if your company does business overseas – or if your company utilizes suppliers or vendors that operate globally – then it will be necessary to implement an FCPA compliance program focused on the statute’s anti-bribery provisions.

The FCPA’s accounting provisions apply to entities that fall within the SEC’s enforcement jurisdiction. So, for example, not only must publicly-traded companies comply with the FCPA’s anti-bribery provisions, but they must comply with its accounting provisions as well. These accounting provisions establish recordkeeping requirements and an obligation to adopt “internal controls” that are sufficient to maintain control of the company’s assets for purposes of preventing the payment of unlawful bribes.

Dr Nick Oberheiden
Image: https://federal-lawyer.com/dr-nick-oberheiden/

3. Understanding What Types of Transactions Implicate the FCPA

The last major step prior to beginning the process of building a successful FCPA compliance program is to understand what types of transactions implicate the statute within the context of your business’s operations. In most, but not all, cases, the FCPA comes into play in the following contexts:

  • Legislative and judicial affairs
  • Cybercurrency transactions
  • Cybersecurity
  • Government contracting
  • Importing and exporting
  • Involvement with democratic processes
  • Securing government approvals

Within these (and other) contexts, efforts undertaken by company personnel (or third parties operating in concert with or on behalf of your company) that can trigger the FCPA’s anti-bribery provisions include, but are not limited to: efforts to gain access to non-public information, efforts to influence government contract awards, and other efforts to secure favorable outcomes in governmental matters through prohibited means. Additionally, keep in mind that even if your company does not engage in transactions that implicate the FCPA’s anti-bribery provisions, it must still comply with the law’s accounting provisions if they apply.

4. Developing Comprehensive FCPA Compliance Policies and Procedures

Once you have a clear understanding of your company’s obligations under the Foreign Corrupt Practices Act, you can begin the process of developing a set of comprehensive policies and procedures focused specifically on FCPA compliance. These policies and procedures can be incorporated into your company’s existing compliance documentation, or they can serve as stand-alone compliance manuals. In either case, the key is to ensure that these policies and procedures reflect your company’s specific risks and are tailored to ensuring compliance in light of your company’s specific needs.

While many discussions of FCPA compliance go into the contents of the relevant policies and procedures in detail, developing FCPA compliance documentation is an extraordinarily nuanced task that is truly different for every company. As a result, for most company executives and in-house lawyers, a discussion of general compliance documentation is not particularly useful. With this in mind, the remainder of this discussion will focus instead on the remaining key aspects of FCPA compliance: implementation, monitoring, ongoing documentation, and reassessment of compliance needs.

5. Implementing the Compliance Program on an Organization-Wide Scale

An FCPA compliance program is only effective to the extent of its implementation. Once a program has been developed and thoroughly vetted with outside counsel and key internal stakeholders, the next step is to implement the program through dissemination, education, and training. Relevant personnel at all levels of the organization should be made aware of the program and provided with easy access, and the company should provide mandatory education and training that is tailored to each individual employee’s role within the company.

There are a number of means of providing education and training, some of which are more effective than others. Whichever option your company chooses, it is essential not only to provide instruction, but to document the instruction that has been provided. Among other things, this may mean having employees complete questionnaires, sign certification forms, or take other steps to affirmatively acknowledge their receipt and understanding of the company’s FCPA compliance program.

6. Maintaining a Top-Down Culture of Compliance

Maintaining a top-down culture of compliance is important for all aspects of corporate compliance, but it is arguably especially important with respect to the FCPA. This is because company leaders are often in the “best” position to commit FCPA violations in the company’s name or while purporting to act on the company’s behalf.

With this in mind, it should be made clear that bribery and corruption will not be tolerated at any level, and that all company personnel – executives and managers included – will be held accountable if they are found to have violated the FCPA. Not only will this help demonstrate the importance of adhering to the company’s FCPA compliance program, but it will help demonstrate the company’s full commitment to compliance as well.

7. Managing Third-Party Relationships that Present FCPA Compliance Risks

In addition to internal compliance, there are various external aspects to FCPA compliance as well. In particular, companies need to effectively manage their relationships with third parties that have the potential to interact with government officials and state-controlled entities. This includes consulting firms, customs brokers, import and export agents, and various others; and, once again, the key is to thoroughly assess the specific risks your company faces in order to determine what compliance measures are necessary.

Minimally, companies will likely want to adopt contract provisions that prohibit FCPA violations and that provide for indemnification in the event of a DOJ or SEC inquiry. Depending on the scope and nature of the relationship, auditing and inspection rights (among other protections) may be desirable as well.

8. Conducting Internal Audits and Assessments to Ensure Compliance

Following implementation, companies must assess the effectiveness of their FCPA compliance policies. This means conducting periodic internal audits, which – to maintain the company’s culture of top-down compliance – should not spare anyone at any level of the corporate organization. Generally speaking, these audits should be conducted by outside counsel to establish the attorney-client privilege, and any issues that are identified during an internal audit should be remedied immediately (more on this below).

When conducting internal audits, the goal is not necessarily to “confirm” compliance or “catch” bad actors. Rather, the goal is to critically and honestly assess the effectiveness of the company’s FCPA compliance program. If an audit confirms that the program is sound, then the audit has served its intended purpose. Likewise, if an audit reveals deficiencies, it has served its purpose in this scenario as well. Over time, consistent internal auditing will help maintain compliance while eliminating uncertainty with regard to the sufficiency of the company’s compliance program.

9. Proactively Addressing Potential FCPA Exposure Risks

In the event that a proposed transaction or business strategy presents FCPA concerns, the transaction or strategy should be structured with FCPA compliance specifically in mind. This will mean different things under different circumstances.

For example, in some cases, it may be possible to structure transactions so that they meet the requirements of the affirmative defenses that are available under the FCPA. Under the “bona fide expenditure” affirmative defense, a payment does not violate the FCPA if it is for (i) “the promotion, demonstration, or explanation of products or services;” or, (ii) “the execution or performance of a contract with a foreign government or agency thereof.” It is also an affirmative defense to liability under the FCPA that a payment is compliant with the laws of the nation in which the payment is made.

10. Being Prepared to Respond to FCPA Compliance Violations

In the event that an internal audit (or other source) reveals an FCPA compliance violation, your company should be prepared to respond to the violation immediately. Depending on the circumstances involved, this could mean anything from updating the company’s compliance documentation to self-disclosing the violation to the SEC. Of course, self-disclosing a federal statutory violation presents its own unique set of risks, and the decision to self-disclose is one that needs to be made in a timely manner with the advice of the company’s FCPA compliance counsel.

11. Being Prepared to Demonstrate Compliance and Remediation Efforts to the DOJ and SEC

Whether due to self-disclosure, a whistleblower complaint, or an independently-initiated DOJ or SEC investigation, in the event of a federal investigation, your company must be prepared to affirmatively demonstrate its compliance efforts as well as any efforts to remediate identified FCPA violations. This means having its compliance policies and procedures, training documentation, and internal auditing records readily available, and it means being able to cogently address any questions that are raised.

However, dealing with the DOJ or SEC is – once again – a matter that should be handled by the company’s FCPA compliance counsel. Handling federal investigations is a niche area of legal practice in its own right, and you will need to rely on the advice and representation of counsel in all interactions with the DOJ or the SEC.

12. Continually Reevaluating the Company’s FCPA Compliance Needs

Finally, beyond auditing the effectiveness of your company’s current FCPA compliance program, it is also necessary to continually reassess whether alternate or additional compliance efforts are required. As the company pursues new opportunities, these new opportunities may present new risks under the FCPA. By maintaining a proactive approach to FCPA compliance, companies can safely pursue new opportunities in the U.S. and abroad, and they can prepare themselves to respond confidently in the event that the DOJ or SEC raises any concerns.

