FCPA Enforcement and Corporate Compliance: Four Things to Know for 2018

2017 saw continued aggressive enforcement of the Foreign Corrupt Practices Act by the Department of Justice, and all indicators are that investigations are not going to slow down in 2018. During the recent ABA White Collar Crimes Conference, current and former enforcement officials from the DOJ and the Securities and Exchange Commission discussed updates and current trends, and communicated that we should expect a level of enforcement under the FCPA that is consistent with past years. While expectations for compliance will remain high, the DOJ indicated it will move more quickly to resolve investigations that fall within the new FCPA Corporate Enforcement Policy, and will also use that policy as non-binding guidance for companies that have adopted a culture of compliance and self-disclose other violations handled by the Criminal Division. Here are four things to watch for in 2018.

1. Continued International Cooperation

And Multi-Jurisdictional EnforcementBased upon recent multi-jurisdictional FCPA case examples, such as the resolutions reached in the Telia, Keppel, and SBM investigations, it makes even more sense that momentum will continue to build for multi-jurisdictional enforcement actions as authorities from different countries increasingly see the benefits of sharing information and pursuing parallel investigations. In each of these three matters, international cooperation resulted in hundreds of millions of dollars in fines being paid to multiple countries.

Success breeds success, and foreign authorities are increasingly interested in cooperating with the United States as a way of also advancing their own domestic prosecutions, and potentially obtaining their own large fines, or working with the DOJ to allocate fines that are ultimately paid.

When multi-jurisdictional cases are ultimately resolved, and fines are paid, the DOJ has shown and expressed an interest in dividing up the pie with other cooperating countries based upon multiple considerations, such as the relative investigative roles, the location of the illegal conduct, and the location of the harm. The United States certainly has an interest in having other countries in the anti-bribery game. Another serious international anti-corruption player is of course the U.K. Serious Frauds Office (SFO), whose enforcement authority under the U.K. Bribery Act includes the ability to prosecute companies for failing to prevent bribery, a point that was emphasized by current head of the SFO who also participated in ABA White Collar Crimes Conference. Companies who get into trouble based upon the actions of “rogue” employees may well be asked by the SFO and/or DOJ what they did to try and stop the conduct before it occurred.

2. Big Credit for Self-Disclosure

And Serious ComplianceThe DOJ reinforced the positive news for companies who invest in corporate compliance and anti-corruption efforts, and who truly adopt a culture of compliance. Under the new FCPA Corporate Enforcement Policy, announced in November 2017, there is a presumption that the DOJ will decline prosecution if a company self-discloses, cooperates, and mediates the harm, and where there are no aggravating factors present. While this is always a fact specific analysis, the presence of a legitimate, reasonably tailored, and enforced compliance program is certain to be a factor.

Looking beyond FCPA cases, DOJ officials gave every indication that significant credit will similarly be given for other types of criminal violations when companies meet these same criteria. Deputy Attorney General Rod Rosenstein emphasized this point by stating that “we want to reward companies that invest in strong compliance measures.” On that note, the Evaluation of Corporate Compliance Programs document issued by the DOJ Fraud Section in 2017 is still a very relevant and instructive document. While not intended to be a checklist, the corporate compliance document can help companies assess their own programs using criteria that the DOJ created. At the same time, the DOJ recognizes that compliance cannot and should not take a one-size fits all approach. What works for one business may not work, or be appropriate or feasible, for another. What the DOJ will likely be looking for is not whether all the possible elements of a compliance program are present, but rather, whether a company has systematically thought through its compliance plan, implemented it effectively, and also taken steps to evaluate that it is actually working. Here again, some good fact-specific and company-specific analysis will go a long way.

The take-home here may be that spending a lot of money to purchase off-the-shelf compliance products, and signing up for outside compliance services, may not be money well spent if such products and services do not match the individualized needs of a particular company. Likewise, having a comprehensive compliance plan means little if it is not accompanied by a set of knowledgeable and experienced set of inside and outside advisors responsible for implementing and reviewing the effectiveness of these efforts.

If the DOJ follows through on the intentions of its self-disclosure policy, it may result in quicker resolutions and less time, money, and stress on companies who in the past have often had to endure a very lengthy government investigation and decision-making process.

3. Due Diligence

And Third-Party RisksLooking ahead, the FCPA panel at the ABA Conference discussed that one of the primary and continuing risk vectors for corporations is the third parties with whom companies must necessarily do business, but about whom they may not be doing enough due diligence.

In 2018, it is not enough to reserve due diligence efforts for mergers and acquisitions, when there are large risks inherent in the fact that business partners, agents and third-party vendors can act as agents for companies in ways that can violate the FCPA or U.K. Bribery Act. Looking for third parties that have certifications, such as ISO 9000 compliance, is certainly a good option, but not always a realistic one, particularly for small to medium sized enterprises. In the alternative, corporations should look to do business with companies that have their own robust and thoughtfully implemented compliance plans with components of the type the DOJ expects to see.

4. Plan Your PreservationAnother topic of discussion related to compliance, and worthy of attention in 2018, is the myriad of ways employees communicate and exchange information both inside and outside of organizations, and how these records are preserved (or not preserved) by companies. It is of course common knowledge that emails are backed up and retained for extended periods of time. The problem is that for many businesses, and certainly for anyone with employees under 30, email is out. The increasingly ubiquitous use of instant messaging apps and works sharing platforms like Slack, Google Hangouts and Hive make retention policies more complicated, to say nothing of the even more ephemeral seeming WhatsApp and WeChat used routinely throughout much of the world.

Rather than ignore what companies know are increasingly common ways for their employees to communicate, it is likely wise for corporations to develop reasonable use and retention policies for each method of communication being used for business purposes. Thus far, it has likely been viewed as convenient (and perhaps even beneficial) that many communication platforms are encrypted and do not store messages, but those justifications for not preserving what would otherwise be a business record may be challenged by government investigators and prosecutors. In 2018, failing to have a preservation and retention plan that covers all forms of communication may be viewed as a plan in and of itself, with negative inferences being drawn.

Overall, companies can expect the DOJ to continue to aggressively enforce the FCPA and white collar criminal statutes, and to hold corporations to high compliance standards. At the same time, companies that can demonstrate that they have thought through all the permutations of a modern compliance program, including for example third-part due diligence and document retention tailored to the realities of their business, and who voluntarily disclose when something goes wrong, can also expect to be recognized for their efforts to a greater degree than has likely been the case in recent years.

Kevin Feldis is a partner at Perkins Coie LLP. Feldis is a former First Assistant U.S. Attorney in Alaska who spent 18 years with the Department of Justice, including serving overseas as the DOJ Legal Advisor in Indonesia and Azerbaijan working on anti-corruption issues. His practice focuses on FCPA and global anti-corruption, government investigations, cybersecurity, corporate compliance, internal investigations and business litigation. He can be reached at kfeldis@perkinscoie.com.