A robust compliance program spared Morgan Stanley from prosecution under the Foreign Corrupt Practices Act (FCPA). Organizations with less rigorous compliance regimes that find themselves under investigation may not fare as well. FCPA has had an enormous impact on the way American firms do business.
Having a proactive, well-structured plan in place is critical to mitigate risk of penalization and secure a more favorable view among regulators. While each FCPA plan should be customized to address the needs of the organization, it is prudent to ensure particular items are addressed.
Enhance Internal Focus and Controls
The time for a company to look at its internal compliance policy is not when it finds itself in a courtroom facing the wrong end of FCPA enforcement. In order to be fully protected, a company needs to address and enhance its compliance measures before there is an immediate need.
In the case of Morgan Stanley, a well-defined, robust and dynamic compliance program saved it from paying for one rogue employee’s actions. What many did not expect was how much the U.S. Department of Justice and U.S. Securities and Exchange Commission revealed about the reasoning behind their decision not to take any action against Morgan Stanley.
As both agencies made clear, Morgan Stanley’s FCPA plan had a series of internal controls that allowed it to prove that the action was limited to one employee and not part of a larger corporate culture of corruption. Morgan Stanley’s policies had passed the test and taught the industry three important lessons relating to internal controls.
- A consistent culture of compliance breeds conformity. Set the tone that corruption has no place in the company. A strict code of conduct should be implemented, the reporting of fraud and corrupt practices should be supported and employees should expect to be randomly tested for compliance. Maintaining a culture determined to fight corruption will only improve the organization’s standing with regulators.
- Persistent training is the best defense. When it comes to educating employees about FCPA regulations, annual training is not enough. According to the DOJ, over a six-year span, Morgan Stanley’s rogue employee was trained on the company’s FCPA measures seven times. Additionally, the company reminded the employee about compliance measures at least 35 times and required all employees to certify annually that they were complying with Morgan Stanley’s Code of Conduct, which included anti-corruption provisions. Through strict education programs, Morgan Stanley effectively reduced its culpability to zero.
- Compliance programs are dynamic, living documents. FCPA compliance programs will fail if they are static. Policies should be constantly updated to account for changes in global business, growth or decline of the company workforce or new legal policies. Businesses also need to account for differing FCPA policies during the merger and acquisition (M&A) process. Ensuring that all employees are working from the same compliance protocol is critical as businesses combine.
Managing External Threats
For many companies, internal compliance measures can be the easiest to control. The difficulty comes with managing risks from outside forces. External threats are varied and based on a company’s industry and where it conducts business.
The first step to mitigating external risk is geographical awareness. When doing business abroad, companies should consider a customized approach to compliance for each region.
Use New Zealand and Venezuela as examples. According to Transparency International’s 2011 Corruption Perceptions Index, which ranks countries on a scale from zero to 10 — with zero being “highly corrupt” and 10 being “very clean” — New Zealand had the lowest level of corruption, earning it a score of 9.5, while Venezuela had one of the highest corruption rates and a score of just 1.9. A strong international compliance program would account for this difference in risk and address each location individually.
In a high-risk country like Venezuela, companies should take a more proactive approach to compliance by increasing the frequency of on-site internal audits, providing more rigorous FCPA training and creating a detailed corruption response plan.
Another factor to take into account is the extent to which the company’s industry is subject to intense governmental regulation. Consider the pharmaceutical industry, where companies have been under intense scrutiny. Major industry players — including Pfizer Inc., Johnson & Johnson and Zimmer Inc. — have been penalized as a result of enforcement actions brought by the DOJ and SEC, while others, such as Merck & Co. Inc. and AstraZeneca plc, are in the midst of ongoing inquiries. Updating compliance measures should coincide with changes in overall industry regulation.
A hands-on approach will help reduce risk created by third parties conducting business on the company’s behalf. Under both the FCPA and the United Kingdom Bribery Act, organizations are culpable for certain actions of their intermediaries. Due to this responsibility, every relationship should begin with an extensive investigation. This will require background checks for joint venture partners and foreign representatives to confirm their qualifications.
During this process, it helps to think as broadly as possible. Check those third-party intermediaries for possible fraudulent activity. Seek recommendations from professional clients, local banks and anyone who may be able to confirm character traits. As each contact is polled, organizations should also be looking at the people who are speaking on behalf of the intermediary agent. Criminal histories, shallow professional records and ties to the government are all signals that a third-party agent may be more of a liability than it’s worth.
Perform Due Diligence During M&A
FCPA regulation does not have to hinder an organization’s merger and acquisition activity. However, without an adequate due diligence strategy, organizations may find themselves inadvertently not complying with FCPA regulations.
There are several things to keep in mind during the acquisition process. Most important is that the acquiring firm will be liable for FCPA violations committed by the acquired company both before and after closing the deal. For this reason, it is critical that the target company’s code of conduct, anti-corruption policies and procedures, compliance audit results and agreements with third-party representatives be requested as early as possible.
Post-acquisition, the focus turns to integration. Allocating resources toward FCPA training for the recently acquired company will help integrate it into the broader compliance program and demonstrate how risk-averse an organization is.
Maintenance and persistence will demonstrate this due diligence to regulators. Ultimately, the acquiring company needs to demonstrate to the authorities that it has taken responsibility for compliance by the target company.
Creating FCPA Best Practices
Many FCPA penalties result from incidents outside the direct view of company leadership. Thus, corporations should constantly be asking:
- Are employees aware of how seriously this company takes compliance?
- Do we proactively and regularly check policies to ensure they are adapted for an evolving business environment?
- What risks are we exposed to as a result of the places in which we conduct business?
- Is the company confident that the third parties we work with are pursuing our best interests?
- Do we take steps to encourage a culture of compliance internally and externally?
As regulators bear down, so should companies, ensuring they are doing everything they can to keep their organizations in full compliance.
Brian Mich is a managing director with BDO Consulting in New York who specializes in anti-corruption compliance and employee misconduct investigations, as well as anti-money laundering engagements.