March 20, 2016

FCPA Enforcement in 2016: Trends and Best Practices for Internal Investigations

The year 2015 was unusual for Foreign Corrupt Practices Act (FCPA) enforcement. Two agencies responsible for enforcing the FCPA, the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ), had markedly different outcomes for FCPA investigations. The SEC had a busy enforcement year: it filed 14 actions for FCPA violations against both corporate entities and individuals and obtained more than $215 million in financial remedies for FCPA violations. The DOJ, on the other hand, had its lowest enforcement numbers in years, following the 2014 departures of the FCPA unit chief and several veteran attorneys who worked on foreign corruption cases. 

Although the DOJ settled fewer cases and collected only a small fraction of the corporate penalties it collected in prior years, it also increased its enforcement capabilities. The FBI added three new operational squads focused on FCPA and kleptocracy (involving corruption by government officials) to its International Corruption Unit, tripling the number of federal agents focused on overseas bribery from around 10 to more than 30, while the DOJ’s Fraud section planned to add 10 more prosecutors to the FCPA unit. Integrating new resources takes time – 2015 might have been an anomaly as the DOJ and the FBI operationalized their new staff. If that is the case, expect enforcement to ramp back up in 2016 as the DOJ and the SEC pursue “higher impact” cases and focus more heavily on individual accountability.

The DOJ did not issue an FCPA opinion regarding its approach to investigations in 2015, unlike in most recent years. Throughout the year, however, government officials gave a series of speeches that outlined the importance the government places on internal investigations and self-reporting FCPA violations. This article will provide an overview of the basics of FCPA government enforcement actions as described by SEC and DOJ officials this year and discuss investigation best practices for companies that suspect violations. 

FCPA Government Enforcement Actions: The Importance of Cooperation 

Both DOJ and SEC officials focused on the importance of self-reporting violations in order to enable companies to take advantage of cooperation agreements with the government. For example, in a speech on November 17, 2015, SEC Enforcement Director Andrew Ceresney announced that companies must self-report misconduct in order to be eligible for the SEC to recommend that prosecution either be deferred or not pursued. That same day, in a separate speech, DOJ Assistant Attorney General Leslie Caldwell elaborated that in order to obtain the benefits of self-reporting, voluntary self-disclosure, including naming culpable individuals, must occur before a government or regulatory investigation is “underway or imminent.” If internal controls to prevent FCPA violations fail, companies must be able to detect and investigate potential misconduct in order to benefit from cooperation agreements with the government.

There are a few ways that the government might obtain information leading it to launch an investigation into potential misconduct. One avenue is whistleblowers. The Dodd-Frank Act provides significant incentives for whistleblowers to report FCPA violations: they may be entitled to receive up to 10–30 percent of monetary sanctions recovered in enforcement actions that exceed $1 million. Another potential avenue of information is foreign governments. In his November 2015 speech, Director Ceresney highlighted the SEC’s cooperation with international regulators and indicated that FCPA investigations “often are conducted in parallel with foreign governments.” A third avenue – and often the government’s preferred avenue – is self-reporting by the company.

As Assistant Attorney General Caldwell acknowledged in her November 2015 speech, companies are often in the best position to detect potential FCPA misconduct “and get to the bottom of things in an efficient and timely fashion.” Overseas bribery, she noted, can be “especially difficult to detect, investigate, and prosecute.” Thus, the government may offer a range of significant benefits to encourage companies to self-report potential misconduct through cooperation credits used by the SEC and the DOJ.

SEC and DOJ Cooperation Credits 

The SEC “credits” companies that cooperate in SEC investigations, including FCPA investigations. Director Ceresney reviewed the components of the cooperation program in a speech about the SEC Cooperation Program on May 13, 2015. As he stated, SEC credits include narrowing charges; limiting sanctions; use of mitigating language in charging documents; and the “extraordinary” step of declining an enforcement action, such as deferred prosecution (DPA) or non-prosecution (NPA) agreements. In a DPA, the government defers prosecution, and in an NPA the government declines to prosecute. The SEC uses DPAs or NPAs to address a relatively narrow set of circumstances where “cooperation is extraordinary, but the circumstances call for a measure of accountability.” The SEC has signed only ten such agreements over the past five years. In contrast, Director Ceresney stated that the SEC had signed over 80 cooperation agreements in that same five-year period. Of these 80 agreements, the SEC declined to recommend charges in what Director Ceresney characterized as a “significant” percentage. Such agreements are not normally announced and, unless an individual testifies, “that exercise of discretion likely will not become public.” Thus, companies that the SEC deems to have cooperated in investigations might avoid charges and public disclosure of the misconduct.

The DOJ, like the SEC, also extends “cooperation credit” to incentivize self-reporting. As a reward for cooperation, for example, the DOJ might reduce the fine assessed to a company, or allow the company to self-monitor FCPA compliance as opposed to submitting to independent compliance monitors. Alternatively, albeit more rarely, the DOJ might make a public announcement that it has declined to prosecute a company based on its cooperation. In a recent example, in June 2015, the DOJ announced that it had declined to prosecute PetroTiger for alleged FCPA violations based on PetroTiger’s “voluntary disclosure, cooperation, and remediation, among other factors.” 

What level of cooperation would compel the government to decide not to charge a company or defer prosecution for alleged FCPA violations? To determine whether a company or individual is a “cooperator,” the SEC assesses four criteria: (1) assistance provided by the cooperator; (2) importance of the underlying matter; (3) interest in holding the individual accountable; and (4) the profile of the individual. Additionally, in his May speech, Director Ceresney stated that internal investigations are now a “clear best practice” for companies that discover significant potential misconduct, and it is “commonplace” to share the results of those investigations with the government. Furthermore, Director Ceresney and AAG Caldwell have been increasingly clear that self-reporting FCPA violations is expected, and that self-reporting must identify both the conduct and the associated individuals. 

Cooperation and Self-Reporting: The Role of Internal Investigations

When it comes to internal investigations of FCPA violations, on one hand, it is important to note that the government says it prefers efficient and timely investigations. The government is not looking for what AAG Caldwell described in a speech in April 2015 as “overly broad and needlessly costly investigations” that “aimlessly boil the ocean” and in some cases delay the government’s ability to “resolve matters in a timely fashion.” This message appears inconsistent with prior situations in which the government wanted to be confident that any internal investigation turned over virtually every stone and that there were no uncovered problems. AAG Caldwell acknowledged this perception in her November speech and reiterated that companies need not conduct “more extensive – and expensive – investigations to obtain credit for cooperation.” 

On the other hand, the government does expect that companies will conduct a “thorough and timely investigation” and that the company will disclose to the government all relevant facts, including all relevant facts about the individuals involved in the alleged misconduct. This is particularly important because a company must now disclose culpable individuals in order to receive “any” credit for cooperation with the DOJ. As an example of this focus on holding individuals accountable for FCPA violations, when the DOJ announced that it had declined to prosecute PetroTiger for alleged FCPA violations, it also announced that a third former PetroTiger executive had pled guilty to conspiracy to commit FCPA violations. The DOJ has thus demonstrated, in policy and in practice, that the goals of an internal investigation should be to both learn the facts and to identify the responsible individuals. As AAG Caldwell stated in her November 2015 speech, the DOJ “continue[s] to expect investigations to be thorough and tailored to scope of the wrongdoing, and to identify the wrongdoing and the wrongdoers. We expect cooperating companies to make their best effort to uncover the facts with the goal of identifying the individuals involved. To the extent companies and their counsel are unclear about what this means, we remain willing to maintain an open dialogue about our interests and our concerns, which should help save companies from aimless and expensive investigations.” 

It is important to approach the government as soon as possible after learning about a potential FCPA problem. Ideally, a company can learn the facts and remediate before even reaching out to the government, but that is not always possible. How then do companies balance a thorough investigation, in order to be able to take advantage of cooperation agreements, with expediency? By conducting an investigation tightly focused on the alleged misconduct. 

Companies that are able to quickly detect misconduct related to the FCPA may be able to conduct narrower investigations targeted to the suspected violation, rather than a wide-ranging investigation. Early detection might also prevent a violation from metastasizing into a larger issue, which is one of the criteria the SEC assesses to determine cooperation. Robust compliance procedures provide a window of opportunity for early investigations with a more narrow and specific scope, creating savings for the company and enhancing the potential that the government might decline to bring an enforcement action. But regardless of the strength or weakness of a company’s internal controls, when it learns of potential misconduct, the manner in which it investigates such misconduct can have a significant impact on the government’s charging decisions. 

The importance of internal controls and targeted, focused investigations is illustrated in the SEC’s investigation of alleged FCPA violations by Goodyear in 2015. According to the SEC in February 2015, Goodyear paid $16 million to settle charges that it violated FCPA books and records regulations and internal control provisions when it failed to detect corrupt payments by subsidiaries in Kenya and Angola. The SEC said that over a four-year period, Goodyear had not detected more than $3.2 million in bribes to employees of local authorities and both government-owned companies and private companies affiliated with government. As the bribes were paid, the amounts were debited from the balance sheet account and falsely recorded as payments to vendors for freight and clearing costs.

The SEC alleged books and records violations and that Goodyear failed to implement adequate controls to prevent and detect these violations. It required Goodyear to disgorge more than $14 million in profits, plus interest of more than $2 million. But the SEC did not impose any civil penalties. Citing Goodyear’s cooperation and remedial efforts, the SEC noted that Goodyear “promptly respond[ed]” to requests for information and documents and voluntarily produced information from the company’s internal investigation, which assisted the commission in “efficiently collecting evidence” (emphasis added). 

“Prompt” and “efficient” investigations save time both for the company and for the government. Targeted investigations obviously save money for the company, but they also are more likely to get to the heart of the problem, and to get there quickly, which can prevent a situation from getting worse. Speedier investigations also are advantageous to the government, allowing it to quickly resolve an issue and focus its resources on its other priorities. The difficulty lies in balancing efficiency with accuracy. While in hindsight the problem may be clear, when a company initially faces a situation involving potential misconduct, the true story is often hidden and can take significant digging to uncover. Thus, for the company, the investigation is really about piecing together the story of what did (or did not) happen.

Internal Investigations Best Practices 

There are no checkboxes for internal investigations – and moreover, the SEC does not favor a “check-the-box” mentality – but there are six basic principles to guide any investigation: who, what, how, when, why, where. As simple as this sounds, focusing on these questions should keep an investigation on track and ultimately enable the company to piece together the story or picture of the potential violation. 

1. Who was responsible? This includes not only the alleged perpetrator, but other personnel or departments with whom he or she interacted. To uncover all of the players, focus on the person at the heart of the matter. You do not necessarily need to investigate everyone with whom that person works or routinely interacts. Rather, as the investigation progresses and new facts come to light, you can expand the investigation to include new people with a possible connection to the incident at the heart of the matter. Keeping focused on who is plausibly part of the story, on the basis of the facts in front of you, should help keep the investigation on target. 

2. What happened? This may seem obvious, but it bears emphasis – your primary task is to figure out what happened. Start your inquiry with the people, places, and actions that relate to the specific incident that triggered the investigation. Of course, this does not mean you should ignore further or more extensive wrongdoing if it is uncovered in the course of your investigation. But overall, the investigation should be focused on what happened, rather than a broad search for anything that might have ever gone wrong. Going off on ill-defined tangents can unnecessarily delay the investigation. 

3. How did the wrongdoing occur? Are there control deficiencies that allowed it to take place? Identifying how the perpetrators were able to carry out the actions will help you identify the source of the problem. This might point to systems, or to additional people, or both. For example, if you suspect an improper payment to a government employee was made in violation of the FCPA, it would be important to determine how the employee accessed the money and how she or he transferred that money to the government employee. Determining how the wrongdoing occurred may expand the scope of who is involved – but by focusing on these questions, it ensures that as your scope expands, it is still rooted in the same problem, rather than branching out to another unrelated matter. And knowing that a system failure was responsible for one act of wrongdoing may enable you to ask whether that same system failure contributed to other wrongful acts. 

4. When did the wrongdoing occur? How long did this go on? The government will want to know how long this problem has been taking place. This will require some digging into the origination of the problem. Work back from the facts in front of you. If you are investigating a suspicious payment, for example, look as far back as the evidence points. If your evidence indicates an ongoing relationship, keep looking back until you find the beginning. However, if, for example, the conduct appears to have first occurred two years ago, you needn’t begin by including records over the past ten years. Focus on the facts at hand, and follow those facts.

5. Why did the problem occur? What prevented the problem from being detected earlier? Understanding why you are learning about this incident now will help you keep your investigation on track. For example, if you have a system in place that flags suspicious payments, examine the criteria for the flag and how this incident triggered that threshold. Was a trigger missed? If so, find out why. This will provide you with crucial facts for your investigation in its initial stages to determine on whom and what you should focus your initial efforts, but it will also help define your parameters. If your system flagged a suspicious payment from a subsidiary in a foreign country, for example, keep your focus on that country until you find the answer to why the problem occurred. You may not need to expand your search to other subsidiaries unless or until your facts tell you otherwise. 

6. Where did the system break down? This is where you identify the weak link in your systems and controls. Maybe you need better accounting controls. Maybe you need better training for subsidiaries. Perhaps you need to strengthen your due diligence procedures or training for third-party agents and vendors. Identifying some systemic source that you can and have corrected is an important part of the package you present to the government. Determining where the system broke down tells not only the story of what happened, but also establishes the parameters for how you intend to fix the problem. If there were suspicious payments to a foreign office using petty cash, for example, you have not only focused your investigation on suspicious petty cash payments, but you have also pinpointed a target for remediation – to put better controls on petty cash. Identifying the problem and addressing it through appropriate remediation are important considerations for the government in assessing potential penalties. 

The goal of an internal investigation is to answer these questions, because they tell the story of the incident at issue. Therefore, they provide the parameters for the investigation. Using these parameters to keep your focus on the target will help ensure that beyond checking the investigations box, your investigation begins and stays on track. 

Director Ceresney’s and AAG Caldwell’s comments over the past year highlight the premium the government is placing on prompt and efficient investigations in its cooperation calculus. The government expects internal investigations to be “thorough and tailored to [the] scope of the wrongdoing, and to identify the wrongdoing and the wrongdoers,” according to Caldwell. Thus, to realize the benefits of cooperation in the event of an FCPA violation, and to conserve time and resources, use these guiding principles as the framework for a “thorough and tailored” internal investigation.
