
FCPA, Anti-Kleptocracy and the Panama Papers: The Playing Field Has Changed


Daryl Kreml, formerly of the CIA and current Compliance Officer at Biogen, predicts the Panama Papers leak is not a one-off but, rather, an indication of increasing large, public cyber breaches.


With the recent establishment of three new squads devoted to the Foreign Corrupt Practices Act (FCPA), the FBI is sending a message that corruption violations will no longer go unexposed. Though the focus of the FCPA is the prosecution of bribe payers, not the bribe recipients, the program’s focus on kleptocracy allows law enforcement to focus on the demand side of bribery.

Attendees of Protiviti’s FCPA and Anti-Kleptocracy Conference in New York last week learned the latest details about FCPA enforcement and other compliance risks during presentations by former and current FBI agents, DOJ prosecutors, and cybersecurity and compliance experts on topics ranging from a new DOJ FCPA pilot program to preventing cyber attacks.

According to Jackie Kasulis, Deputy Chief, Business and Securities Fraud Section, U.S. Attorney’s Office, Eastern District of New York, “The pilot program is reflective of the department’s increased focus and emphasis on these kinds of violations, and gives us more resources to investigate and prosecute cases.” A significant aim of the program is to motivate companies to voluntarily self-disclose FCPA-related misconduct, and thus increase transparency. If one company self-reports, it often leads to other discoveries, Kasulis said, as intermediaries typically don’t work for just one company.

On the subject of remediation, Kasulis said the DOJ considers what a company did to implement and enhance its compliance program and controls after it learns of a compliance and controls failure. Also examined is whether or not the company disciplined the individuals involved in the misconduct appropriately.

Chuck Duross, Partner at Morrison & Foerster LLP and a former Deputy Chief in the Fraud Section in the Criminal Division of the DOJ, said, “The one question you must answer in remediation is ‘what about your program today would have prevented this problem from happening before?’ What I’ve found to be the most impressive in compliance programs isn’t checking-the-box. The most impressive is if someone made the decision that they were only going to do this level of due diligence on a third party, or they were going to focus more on this country than that country. That kind of a thoughtful process, with contemporaneous documentation showing that’s what you’ve done, shows that the compliance personnel, the in-house counsel, the company itself made thoughtful choices about the best way to proceed.”

Ninety percent of the FCPA cases involve third parties as the problem, and they account for approximately 98 percent of the penalties. For companies seeking to avoid FCPA liability for third-party business partners, Matt Tanzer, Associate General Counsel, Tyco International, gave the following tips:

  1. Identify all third parties: who are you doing business with and why?
  2. Evaluate the risk they present: the countries they’re in, the type of business relationship you have with them, how close they are to your customers, and how close they are to government officials.
  3. Determine how much you need to know about them based on the risk profile: learn about their backgrounds and ensure they are trustworthy.

A challenge executives face when learning about their business partners or potential business partners is getting everyone on board with the often-slow process of vetting third-party companies, which business units may see as a competitive disadvantage. To address this internal resistance, Tanzer suggests creating a system that is easy and providing a compelling reason for why it has to be done.

The highly publicized Panama Papers has many implications for compliance programs. As an in-house compliance officer, it’s necessary to address the unanticipated disclosures of confidential information in the design of your program. “I don’t engage in the practice with my internal stakeholders of calibrating the likelihood that their potential misconduct will be discovered,” said Daryl Kreml, Compliance Officer at Biogen. “Trying to calculate the odds of disclosure is a pretty bad idea. My role as a compliance officer is to focus on the conduct.”

The Panama Papers leak is certainly not the first high-profile security breach, and won’t be the last. What can a compliance officer do to prevent this kind of an attack? According to Billy Gouveia of Protiviti, there are three actions compliance officers should take:

  1. Conduct assessments of your cybersecurity program.
  2. Understand where your vulnerabilities are.
  3. Segregate sensitive client information.

Compliance officers need to establish a good defense against attacks, and should plan how to react if a breach occurs. In a crisis, senior-level executives need to know their roles and responsibilities. When a security breach takes place, compliance officers must collaborate with security officers to mitigate the potential damage. Companies must:

  1. Take a significant alert seriously.
  2. Determine what was lost, not only in terms of size but also of sensitivity.
  3. Understand any applicable notification requirements.
  4. Build confidence with stakeholders that you’ve identified and resolved the issue and have a stronger program as a result.

For compliance officers, the Panama Papers serves as a reminder to look at traditional exposures, such as identifying and understanding your third parties, as well as to acknowledge the changing landscape. The leak should in no way be seen as a one-off, but as representative of the cyber climate we live in. An effective compliance program will not only make your organization less attractive to criminals, but will speed up the recovery process.