FCPA compliance checklist

Published April 28, 2020 · 3 min read

An FCPA compliance program checklist outlines the things an American company needs to verify before and while doing business in a foreign country, to ensure it follows the requirements of the U.S. Foreign Corrupt Practices Act (FCPA) of 1977.

The FCPA is a federal law that aims to prevent all U.S. companies and their officers, directors, employees, and agents from making corrupt payments to foreign government officials to retain or obtain business. 

Agents, including consultants, third-party business partners, distributors, and joint ventures, are also subject to the FCPA’s anti-bribery provisions. The FCPA also applies to foreign companies with subsidiaries in the United States, that do business in the U.S., or whose transactions go through the U.S. banking system.

FCPA violations can also occur if companies make payments to non-government third parties acting for or on behalf of foreign government officials. 

In addition to the anti-bribery provisions, the FCPA has accounting transparency requirements mandating that every company that reports to the SEC maintain accurate books and records and have a system of internal accounting controls.

Corporations that don’t comply with the FCPA can face substantial government fines, and individuals can be fined and imprisoned. The SEC and the DOJ (U.S. Department of Justice) are jointly responsible for FCPA enforcement actions. The FCPA is the most actively enforced U.S. anti-corruption law.

Follow an FCPA Compliance Checklist

An organization can reduce its risk of an FCPA violation by following an FCPA compliance checklist. The DOJ and the SEC evaluate the adequacy of a company’s compliance program. The key factors they look at to determine whether an organization’s compliance program is effective are training, risk assessment, and corporate policies.

Before companies draft their compliance programs they should conduct comprehensive risk assessments. 

The risk assessment should identify key risk areas, including: where the company has significant dealings with foreign officials and employees of state-owned companies; business units operating in countries with high levels of perceived corruption; locations where anti-corruption concerns have been identified in the past; and business operations that depend heavily on third parties, such as agents, business partners, and distributors.

The DOJ and the SEC don’t prescribe a single set of requirements for a compliance program, because no one compliance program can meet the needs of every business. Therefore, each company must formulate its own compliance program based on its size and risk exposure.

What to Include in an FCPA Compliance Checklist

To help organizations design effective compliance programs, the DOJ and the SEC recommend that a compliance program include the following:

  • A clear policy that prohibits FCPA violations and violations of other applicable anti-corruption laws.
  • A commitment from senior management that is carried down through the whole organization.
  • Compliance program policies and procedures that detail proper internal controls, auditing practices, and documentation policies.
  • Communication of the compliance program policies and procedures throughout the organization.
  • Clear disciplinary measures for violating compliance policies and procedures, together with incentives that encourage employees to adhere to them.
  • Oversight by employees who are independent of management and have sufficient resources to implement the compliance program correctly.
  • Regular assessment of third parties, including business partners, and notification to them of the company’s compliance program and code of conduct.
  • A confidential whistleblowing mechanism through which employees can report possible FCPA violations without fear of retaliation. After an internal investigation, the organization should update its compliance program and internal controls in light of what it found.
  • Regular review and updating of the compliance program and internal controls, because the business environment is constantly changing.

Additional Questions to Ask

As they assess and improve their compliance programs, companies should also consider these questions:

  • Do you periodically analyze the results of your investigations to look for patterns of wrongdoing or other red flags that could indicate weaknesses in your FCPA compliance?
  • How often and how do you measure your culture of compliance?
  • How do you determine which FCPA complaints or red flags you should investigate further? Red flags are conditions or activities that increase the chances of possible FCPA violations.
  • How do you determine who should conduct an investigation of potential FCPA violations? Who makes that determination?
  • Do you have a process to monitor the outcome of your FCPA investigations and ensure accountability for the response to any recommendation or finding?
  • Have your supervisors received role-specific or supplemental training?
  • Have you conducted a gap analysis to determine whether you’re sufficiently addressing particular areas of risk in your policies, internal controls, and training?
  • If you have foreign subsidiaries, are there language or other barriers that hinder your foreign employees’ access to your FCPA compliance program policies and procedures?
  • Have you updated your FCPA compliance program policies and procedures in light of the lessons that you’ve learned?
