One of the most significant laws any company that does business outside the United States must navigate is the Foreign Corrupt Practices Act (FCPA), which prevents bribery of foreign government officials to obtain or retain business. Violations can lead to fines in the hundreds of millions of dollars. Investigations alone routinely cost companies between $50 million and $100 million. The U.S. Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have jointly published a volume titled FCPA Guidance in which they describe the Ten Hallmarks of an Effective Compliance Program. More than simply following these building blocks, a company must have a technological solution around its FCPA compliance program. A technological solution provides two key elements around FCPA compliance: ongoing monitoring, and documenting your compliance efforts so that they can be presented when a regulator comes knocking.
Paul McNulty, former U.S. Deputy Attorney General, said the DOJ would assess three general areas of inquiry regarding an enforcement action:
- “What did you do to prevent it?
- “What did you do to detect it?
- “What did you do when you found out about it?”
For a company to demonstrate what it has done in any of these three areas, it must document its overall compliance efforts. It is not enough to monitor and document the results of your company’s compliance efforts. A company needs to quickly and efficiently respond to a prosecutor’s request for information.
While most companies have a code of conduct with attendant implementation policies and procedures, training, and a hotline, many companies have yet to implement any type of self-audit program to measure FCPA compliance program performance. One of the concepts to emerge out of the Sarbanes-Oxley Act (SOX) is that of continuous monitoring for SOX compliance. The experiences beginning to come out of continuous monitoring programs demonstrate that monitoring is a powerful—and indeed necessary—tool to assist companies in their ongoing FCPA compliance programs.
One of the leading proponents of continuous monitoring is Norman Marks, who writes his own blog on the subject, “Norman Marks on Governance, Risk Management, and Internal Audit.” Marks describes continuous monitoring as more than simply an application of a monitoring program. In a post titled “A Look into the Future: The Next Evolution of Internal Audit,” he presents a top-down model that begins with “understanding enterprise goals and objectives,” then moves to “determine the potential risks to those objectives,” and finally goes on to “the assessment and testing of the controls required to manage the risks.”
French Caldwell and Paul Proctor of Gartner, in an article called “Magic Quadrant for Continuous Controls Monitoring,” describe three ways that continuous monitoring contributes to overall risk management and compliance initiatives:
- Continuous monitoring can lower audit costs by eliminating manual sampling.
- Continuous monitoring can improve financial governance by increasing the reliability of transactional controls and the effectiveness of anti-corruption controls.
- Continuous controls monitoring can improve actual operational performance by monitoring key financial processes.
Many examples on the use of continuous monitoring are available. One company, Visual Risk IQ, performs continuous monitoring and has published anonymous case studies on its results. Although these studies were not performed in connection with FCPA compliance audits, they are useful examples of how corporations can use continuous monitoring in an overall FCPA compliance program and will prepare a company to answer the first question McNulty posed, “What did you do to detect it?”
The Visual Risk IQ studies include a case study of both accounts payable and purchase card spend to determine if there was fraud and misuse of the cards. The key in both of these reviews involving continuous monitoring situations was that of data review. This same type of testing can be utilized in reviewing foreign business partners, including agents, resellers, distributors, and joint venture partners. All foreign business partner financial information can be recorded and analyzed. The analysis can be compared against an established norm that is derived from either a business’ own standard or an accepted industry standard. If a payment, distribution, or other financial disbursement or remuneration to a foreign business partner is outside an established norm—creating a red flag— such information can be tagged for further investigation.
Many companies have yet to embrace continuous monitoring as a standard part of their compliance programs. They have found that it is difficult to test behavioral aspects of an FCPA compliance policy, such as whether an employee will follow a company’s FCPA-based code of conduct. However, other testing can be used to form the basis of a thorough review.
For instance, it can be difficult to determine whether an employee will adhere to the requirements of the FCPA. However, continuous controls monitoring can be used to verify the employee’s pre-employment background check, the quality of the FCPA compliance training an employee receives after hire, and then to review and record an employee’s annual acknowledgement of FCPA compliance.
Moreover, the FCPA guidance has specified monitoring as a key component of oversight of a company’s compliance regime. Ongoing monitoring allows greater visibility to track employee spending, third- party disbursement, or other sources of monetary financing that could be used to pay a bribe and therefore violate the FCPA. For a multinational U.S. company with thousands of employees across the world, continuous monitoring of your FCPA compliance program will go a long way toward a positive response to McNulty’s inquiry, “What did you do to stay out of trouble?”
In “Demonstrating ‘Systemic Success’ in FCPA Compliance: Identifying and Maintaining Evidence to Respond to Government Investigations …. Before They Begin,” William Athanas also discussed the need for documentation. If your compliance program does not document its successes, there is simply no evidence that it has succeeded. In addition to providing to your company support to put forward to the Department of Justice, it is the only manner in which to gauge the overall effectiveness of your compliance program. Put another way, if you don’t document it, you cannot measure it, and if you cannot measure it, you cannot refine it.
If you need more evidence about why it is important to embed documentation into your anti-bribery compliance program, I will give you two words, Morgan Stanley.
The SEC initially charged a former Morgan Stanley executive with “violating the Foreign Corrupt Practices Act as well as securities laws for investment advisers by secretly acquiring millions of dollars worth of real estate investments for himself and an influential Chinese official who in turn steered business to Morgan Stanley’s funds.”
The government’s decision not to prosecute provides the most recent and powerful evidence of the benefits of investing in compliance. Morgan Stanley’s pre-existing compliance program was highlighted in press releases and public comments as the biggest reason for the government’s decision. Officials based their decision not to prosecute on evidence of:
- Rigorous internal controls
- Regular FCPA compliance training and reminders on the company’s FCPA policy
- Internal anti-corruption policies addressing the corruption risks associated with the giving of gifts, business entertainment, travel, lodging, meals, charitable contributions, and employment that were updated regularly to reflect regulatory developments and specific risks
- Compliance program monitoring and auditing
- Extensive pre-retention due diligence on business partners and stringent controls on payments to business partners
The key for Morgan Stanley was that it could document all of the above. That should be the key for your FCPA compliance program as well.
Monitoring and documenting are two of the most important prongs in a best practices compliance program. Payroll is a key link for both of these activities. In a subsequent article, I will drill down into how the payroll function is an important part not only of your detect prong— but also your prevent prong. Finally, if employed correctly, the global payroll function can move to a prescriptive component of your FCPA compliance program and prevent an issue from becoming a full-blown FCPA violation.