FCPAméricas Blog

FCPA Myths and Misconceptions, Debunked (Part 1: Compliance)

Author: Matteson Ellis

FCPAmythWhen it comes to FCPA compliance and enforcement, myths and misconceptions abound. I’m not surprised to hear them from foreign business people with limited exposure to the FCPA. I am more concerned when I hear them in boardrooms, from the very executives most often exposed to individual liability under the law. These myths sometimes reflect a mere lack of knowledge about the FCPA. Other times they flow from a more “active” misunderstanding of the law – when employees hear what they want to hear and misconstrue rules in the most convenient way possible.

FCPA misconceptions are dangerous and compliance officers should be alert to them. A compliance program’s value depends on everyone understanding the rules to mean the same thing. This post overviews several common FCPA myths related to compliance. A subsequent post will discuss myths related to FCPA enforcement.

1. “Our third party is big and reputable, so we don’t need to vet it.” Shady, unknown agents and consultants in foreign territories create obvious risk under the FCPA. But third party intermediaries that are large and established, and their employees, can violate the law too. Just ask Baker Hughes – it settled an FCPA action with the SEC when KPMG paid a bribe to Indonesian officials to reduce the tax liability of its Indonesian subsidiary from $3.2 million to $270,000. Similarly, Pride International, Tidewater Marine, Transocean, Shell, and others used the well-known Swiss freight-forwarder Panalpina, only to learn that the firm was making payments to customs officials in Nigeria on their behalf. All wound up with FCPA issues.

When relying on larger, established third parties in high-risk jurisdictions, it is particularly important to vet the local operations of these global entities. The local units might not share the same reputations or control structures as headquarters. They might also rely on local partners, who might themselves engage in wrongdoing.

2. “We don’t need to perform due diligence on our lawyers.” Companies too often assume that their foreign lawyers are exempt from third party due diligence and monitoring. After all, lawyers are usually bound by stricter codes of ethics and can usually lose their licenses if they engage in corruption. But lawyers have been involved in numerous FCPA enforcement violations. In Stryker, a lawyer served as a conduit for a $46,000 improper payment to Mexican officials so that the company could retain a contract. The TSKJ joint venture in Nigeria, which spawned the series of “Bonny Island” FCPA enforcement actions for improper payments to win EPC contracts, relied on a British lawyer, Jeffrey Tesler, to serve as the bagman. Certain roles for lawyers are high risk by their very nature, such as when they serve as intermediaries with regulatory or judicial officials (including judges). In some jurisdictions, lawyers have especially poor reputations.

3. “Employees that don’t interact with foreign officials don’t need compliance training.” Anti-corruption compliance training should not stop with “front office” employees who interact with foreign officials. Other employees can be pulled into schemes even if they have no connection to an official. Some employees might manage third parties that interact with officials on the company’s behalf, and they should be prepared to spot red flags. Employees in finance manage the accounting controls that help a company spot corruption and that ensure compliance with the FCPA’s accounting provisions. Legal positions are particularly important to a compliance infrastructure, even if their occupants never leave the United States. As such, tailored FCPA training should be given to a wide range of employees to ensure that they know the rules, understand how their functions support FCPA compliance, and know where to report knowledge of violations. One of my favorite compliance mantras is: “Everyone is a Controller.”

4. “We have a policy so we’re fine.” Executives sometimes think it is enough to adopt an FCPA policy and communicate it to their company’s employees. Unfortunately, that is not the view of enforcement officials. The DOJ and SEC say that there must be a significant check on the back-end too – through testing, monitoring, and audits – for a program to be fully effective. It is not enough to promote compliance rules and blindly expect employees to follow them. Detection must also lead to remediation when weaknesses are uncovered.

5. “Risk assessments don’t really matter.” Companies often adopt policies and launch programs before they have assessed their actual risk profiles. But enforcement officials expect to see a formal risk assessment. This makes sense – without analyzing a company’s actual FCPA risks, it is very difficult to design a credible program to address those risks. Companies can easily waste resources setting up stringent controls for risks they do not face, while failing to tailor their “generic” program to address the risks they do face.

The opinions expressed in this post are those of the author in his or her individual capacity, and do not necessarily represent the views of anyone else, including the entities with which the author is affiliated, the author`s employers, other contributors, FCPAméricas, or its advertisers. The information in the FCPAméricas blog is intended for public discussion and educational purposes only. It is not intended to provide legal advice to its readers and does not create an attorney-client relationship. It does not seek to describe or convey the quality of legal services. FCPAméricas encourages readers to seek qualified legal counsel regarding anti-corruption laws or any other legal issue. FCPAméricas gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to FCPAméricas LLC.

© 2014 FCPAméricas, LLC

Matt Ellis

Post authored by Matt Ellis, FCPAméricas Founder & Editor

Categories: Anti-Corruption Compliance, Audits, Due Diligence, English, FCPA, Risk Assessments, Third Parties, Trainings

CommentsComments | Print This Post Print This Post |

1 Comment


One Response to “FCPA Myths and Misconceptions, Debunked (Part 1: Compliance)”

  1. John Fanning Says:

    This is an excellent article. The preservation of a company’s ethics and compliance policy needs on-going vigilance. Once you start cutting corners, it’s like cutting class or cheating, it gets easier and easier. Look the other way, for whatever reason, and you will find yourself doing it again and again.

Leave a Reply


Subscribe to our mailing list

* indicates required

View previous campaigns.