What Elements Should an Effective FCPA Program Include?

Published January 18, 2021

The U.S. Foreign Corrupt Practices Act (FCPA) sounds like something straight out of a spy thriller. The bad guys try to get over on the good guys, using shady dealings and underhanded tactics. Well, as the saying goes: Truth is stranger than fiction.

There are, indeed, some bad guys out there who made it necessary for the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC)—the good guys—to take a stance against global corruption.

First enacted in 1977, the FCPA has been amended over the years to increase the scope of the regulations and fine-tune the FCPA compliance program. Publicly traded companies in the United States, their foreign subsidiaries, and any employee, no matter where they reside, are subject to the FCPA. Because companies can be held accountable, even if senior management is not aware of FCPA violations, it’s in the entity’s best interest to develop and maintain a rock-solid FCPA compliance program.

Your mission (one you should choose to accept) is to continue reading this blog.

What is FCPA compliance?

FCPA compliance policies cover two areas:

FCPA anti-bribery provisions

Anti-bribery provisions prohibit the unethical practice of bribing foreign governments or foreign officials to gain an unfair commercial advantage.

FCPA accounting provisions

The Criminal Division of the DOJ and Enforcement Division of the SEC released A Resource Guide to the U.S. Foreign Corrupt Practices Act (second edition) in July 2020. The Resource Guide breaks accounting provisions into two components:

  • Books and records provision: “Issuers must make and keep books, records, and accounts that, in reasonable detail, accurately and fairly reflect an issuer’s transactions and dispositions of an issuer’s assets.”
  • Internal controls provision: “Issuers must devise and maintain a system of internal accounting controls sufficient to assure management’s control, authority, and responsibility over the firm’s assets.”

As with any facet of the business world, the FCPA compliance program developed by a business opening its first foreign subsidiary will look quite different from that of a multinational entity with divisions located in a country marked as high-risk for corrupt payment activity.

An anti-bribery/anti-corruption compliance program must be robust, comprehensive, agile, and meticulously tailored to address FCPA risks associated with the scope of the business.

How do you comply with the FCPA?

To guide companies in this endeavor, the DOJ/SEC outlines standards for an effective compliance program. Here’s a distilled (shaken, not stirred) take on the DOJ/SEC 10 hallmarks of a strong, risk-based corruption compliance program.

1: Commitment from senior management and a clearly articulated policy against corruption

One thing compliance programs have in common, whether a system of internal controls or an FCPA compliance program, is the importance of the culture created within the organization regarding compliance. The “tone at the top” sets the stage for all employees. A positive control environment, plus a clearly stated policy detailing all prohibited conduct, fosters the ability and desire to reinforce compliant behavior.

2: Code of conduct and compliance policies and procedures

A laminated poster highlighting company do’s and don’ts isn’t sufficient. A code of conduct is the organization’s statement on ethical values and must be fortified by policies that reinforce those ethical values and specifically detail what is and is not acceptable behavior and practice. Clear-cut procedures describe the actions required to abide by compliance policies.

All guidelines must be translated into respective local languages and distributed to overseas subsidiaries.

3: Oversight, autonomy, and resources

Oversight: An FCPA compliance program must have adequate staffing dedicated to oversight and execution. This often includes appointing a compliance officer. Compliance staff are tasked with monitoring, internal auditing, and taking immediate action on reported FCPA violations.

Autonomy: The compliance officer is given an appropriate level of authority, plus a direct line of communication with the board of directors.

Resources: Compliance staff must be supplied with sufficient resources to implement and manage the anti-corruption compliance program.

4: Risk assessment

Risk assessment is fundamental to the success and ongoing improvement of any compliance program. When investigating an alleged FCPA violation, DOJ/SEC regulators start by evaluating the level of prioritization organizations put on risk management. The Resource Guide offers specific examples of “factors to consider” when assessing corruption risks:

  • “Country and industry sector”
  • “Business opportunity”
  • “Potential business partners”
  • “Level of involvement with governments”
  • “Amount of government regulation and oversight”
  • “Exposure to customs and immigration in conducting business affairs”

According to KUBARK’s (the CIA’s self-imposed codename) Field Double Agent Guide, the most effective method for uncovering a double agent is through continued independent probing.

5: Training and continuing advice

A comprehensive new-hire training program is imperative, but to classify a compliance program as effective, governing authorities expect much more from a training plan. Training must be ongoing, customized according to roles and responsibilities (function-specific), and a requirement that is tracked to completion. A strong compliance program should also include in-person training for persons in high-risk markets, affording advice on how to recognize the red flags of fraudulent activity.

6: Incentives and disciplinary measures

FCPA enforcement, as the Resource Guide explains, “should apply from the boardroom to the supply room—no one should be beyond its reach.” Whether incentivizing ethical and compliant behaviors or taking disciplinary actions against misconduct, actions should be swift, fair, and consistent.

7: Third-party due diligence and payments

The degree to which a company mitigates third-party risk is a direct reflection of its overall FCPA compliance program. In addition to verifying a third party’s FCPA certification, a company should fully vet the third party, investigate possible relationships with government officials, have a thorough understanding of the role and the necessity of the third party, and develop procedures for monitoring third-party activities regularly.

8: Confidential reporting and internal investigation

A whistleblower system—in person or anonymous—must be available to all personnel for reporting possible FCPA violations. Whether the misconduct is suspected or has been committed, well-defined investigative procedures must be in place, including documentation of the company’s investigation, response, disciplinary actions or remediations.

Personnel should have complete confidence that there will be no retaliation after reporting misconduct.

9: Continuous improvement: periodic testing and review

As the operating landscape of an organization evolves—due to growth, relocation, new products, or changes in laws and industry standards—its FCPA compliance program should be reviewed, then adapted and improved accordingly. But even if broad-stroke changes in operations don’t occur, the organization should constantly re-evaluate and fine-tune internal controls.

10: Mergers and acquisitions: pre-acquisition due diligence and post-acquisition integration

The importance of conducting due diligence prior to mergers and acquisitions cannot be overstated. The company that performs due diligence and uncovers fraudulent activity in the acquisition target, then promptly discloses these findings, is viewed favorably by the DOJ and SEC. 

These good-faith actions are subsequently “taken into account when evaluating any potential enforcement action.” On the other hand, failure to perform pre-acquisition due diligence exposes a company to potential “harms to a business’ profitability and reputation, as well as potential civil and criminal liability.”


Why implement an FCPA compliance program?

An invaluable instrument for fighting corruption, a quality FCPA compliance program benefits the global economy as a whole. It maintains an even playing field, allowing for fair competition and opportunities for growth in both domestic and international market sectors.

Perhaps a more compelling reason for implementing an effective compliance program is realized in instances where misconduct is discovered. DOJ/SEC authorities may offer a declination (a decision not to take legal action) if they deem the misconduct occurred despite the organization’s implementation of a diligent and substantial FCPA compliance program.

Here’s to being one of the good guys!
