by Homer E. Moyer, Jr., Miller & Chevalier
A board member's duty of care and oversight extends to the company's anti-corruption or FCPA compliance program. That responsibility, however, invites some basic questions: Is it enough that my company has a compliance program? How can I tell if it is an effective program, or an ineffective one? What standards should I use in evaluating and benchmarking my company's program?
The answers are not found in the FCPA itself. Apart from a requirement that public companies maintain "a system of internal accounting controls," the FCPA does not address compliance programs. Nor is guidance found in the OECD Convention on Combating Bribery, or even the comprehensive UN Convention against Corruption.
Consequently, for years companies turned for guidance to annexes sometimes appended to settlement agreements between enforcement agencies and companies. These occasional annexes, often keyed off the facts of the case being settled, specified compliance program elements that the company was required to establish. FCPA conferences and publications also sometimes enabled companies to benchmark their own compliance programs against programs considered to be state-of-the-art, such as those of Baker Hughes, GE, and, later, Siemens.
Not until 2010, when the OECD's Working Group on Bribery published "Good Practice Guidance on Internal Controls, Ethics, and Compliance" ("OECD Guidance"), did official, systematic guidance become available. The OECD Guidance, which was surprising both because of the multi-national consensus it reflected and because it set the compliance bar reasonably high, set forth a dozen "non-legally binding" elements of effective compliance programs.
Twenty-one months later, the US Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) also issued guidance through an unprecedented joint publication entitled "A Resource Guide to the U.S. Foreign Corrupt Practices Act" ("FCPA Guide"). The Guide, though not legally binding, includes a detailed 11-page discussion of what these agencies consider to be an effective compliance program.
A rough amalgam of the compliance program elements these two publications stress is as follows:
• A strong commitment to compliance by senior management and boards of directors (FCPA Guide: a commitment to creating a corporate "culture of compliance");
• A clear, explicit, and visible policy prohibiting foreign bribery;
• Oversight by senior executives and direct access to boards of directors and board committees;
• A risk-based program, tailored to the company's business and FCPA risk profile;
• Guidelines and procedures on gifts, travel, and entertainment, charitable and political contributions, the use of agents and other third parties;
• Due diligence on the business need to retain third parties, their qualifications, and their integrity;
• M&A due diligence, including immediate compliance integration post-acquisition;
• Training for employees at all levels of the company, for third parties (FCPA Guide) and for subsidiaries (OECD Guidance);
• Resources and autonomy for compliance personnel and access to the board;
• Accurate books and records and a system of internal financial and accounting controls;
• Availability of internal advice and channels for confidential reporting of violations;
• Prompt responses to issues, including, as needed, independent investigations;
• Accountability and discipline for violations;
• Continuous improvement through testing, review, and updates.
Both the OECD Guidance and the FCPA Guide are useful references for directors. Both stress that a check-the-box approach to compliance is insufficient. The test of whether a company's compliance program creates a "culture of compliance" obviously goes far beyond simply having a written compliance program. It requires that the program be understood, accepted, and implemented in offices far-flung from corporate headquarters. This explains why, when enforcement authorities require a company to retain an Independent Compliance Monitor to assess its compliance program, they insist that the monitor get out into the field and "kick the tires."
Of the best practices noted above, board members are perhaps best situated to evaluate their company's "tone at the top"—the genuineness of senior management's commitment to compliance, particularly in the face of potentially lucrative, but high-risk, business opportunities. Boards may also have insights into the level of resources devoted to compliance, another indicator of commitment.
Statistically, the single greatest FCPA risk today comes from doing business through consultants, sales agents, or other third parties over whom the company has limited control. Under the FCPA, companies may be held vicariously liable if third parties they retain pay bribes, even unauthorized ones. Also on the high-risk list may be doing business in China, where government-owned companies are the norm, thus making all their employees "foreign officials" under the FCPA. Recent enforcement actions in China suggest a prevalence of elaborate schemes by which local employees have defrauded companies and bribed officials.
Other FCPA risks may come, for example, from doing business in high-risk countries, having governments or government-owned companies as customers, being highly regulated under local law, or having an untrustworthy joint venture partner.
Board members can help reduce such FCPA risks by understanding their company's risk profile, by being accessible to company compliance officers, and by second-guessing management, if necessary. A working knowledge of the kind of corruption risks their company is likely to face and the basics of applicable anti-bribery laws, together with continuing inquisitiveness, can ensure that board oversight itself meets the standard of "best practice."
This article is the third in a series of FCPA-related articles written by Moyer.
Boardmembers, Meet the New FCPA
The Global Transformation in Laws Against Foreign Bribery
Homer Moyer is a senior partner in the Washington, DC law firm of Miller & Chevalier. A former General Counsel of the U.S. Department of Commerce, he is often described as the "dean" of the FCPA bar, having represented scores of corporate clients on FCPA matters.