From harm to company reputation to actual financial fines levied, recent Foreign Corrupt Practices Act (FCPA) enforcement actions confirm that noncompliance can be incredibly costly. For regulated companies, regulators are turning more attention to the internal controls designed to prevent and detect corruption. While enforcement actions typically have been aimed toward the financial institutions, it seems more and more companies outside of that sector are feeling the brunt of investigations and fines. Corporate Counsel Connect spoke with Michael Shepard of Hogan Lovells to learn more about the state of corruption, what corporate counsel across industries should be looking for, and how to create an environment of compliance.
"Financial institutions, in some sense, are ahead of the curve on this because of the various money laundering and KYC requirements they've had to deal with for a longer period of time," explains Michael.
However, it is not just the financial institutions at risk – all regulated companies are vulnerable, and regulators will no longer be allowing them to get by with relaxed controls. The fortunate part of having the financial institutions pioneer in this area is that there have been improvements in hardware and software that allow for closer monitoring of these kinds of things, and that are available to everyone. But the ultimate lesson for all companies is that "you better watch out for it." Michael warns, "Sometimes [the DOJ and SEC] get caught up in particular industries because they got a lead, but over time, they seem to be hitting a whole lot of different industries."
Furthermore, the DOJ and SEC are under pressure and the publicity in this area is growing substantially. It seems like each new fine is a headline grabber, becoming significantly bigger than the last. These agencies also keep saying that they are going to process more individuals either as bad actors or for lack of internal controls. While proving a bad actor may be difficult, proving that a company did not maintain a proper system of internal controls is considerably easier, and individuals can be prosecuted under the FCPA's internal controls provision. Fortunately for those individuals at risk, the "success rate is not all that great." In the past, when the DOJ and SEC came, companies tended to roll over and settle on these to avoid the negative publicity, and therefore the DOJ and SEC are not used to prosecuting. "But we will continue to see them try because they are under political pressure [to do so]," shares Michael.
For anyone who feels their organization doesn't face risk, think again. A common opportunity for fraud is through vendors. Are you able to track all company payments and determine the legitimacy of vendors and transactions? For example, there could be an issue where somebody in a company pays money to a supposed vendor – only to find out that vendor was fake and the money ended up as a bribe to a public official. The government is now going to start pushing on these issues, like enforcing a due diligence program that not only looks at new vendors, but new products from current vendors. Other questions include: Who signs off on the review of the vendor? Is it possible for someone to get around requirements? Can they break up a payment into different dollar amounts to avoid scrutiny? "These are the kinds of questions you now get from the government," Michael explains.
Furthermore, companies should ask questions of the vendors they are screening, such as:
"One lesson for general counsel is to find the chief financial officer, befriend them, and get them to be part of your team," advises Michael. This is someone you need on your side for anticorruption and compliance. "If they are not doing you a whole lot of good, they can put you in some hot water," Michael shared.
Many companies separate compliance from finance and the in-house legal department. "This really is a three- headed hydra," states Michael, suggesting the need to involve corporate counsel, compliance, and finance. In addition to having the right teams working together, creating a culture of compliance is critical; a company "need(s) the tone at the top – the CEO needs to be invested in getting this right," he explains. The message needs to be clear from the highest level of managers and work its way down. "If you don't get the top line managers in the field to really understand it and work hard to get it right with their troops, then you will have problems," Michael says, "because that's where these problems develop."
Unfortunately, compliance is expensive and time consuming, and despite the increasing costs of fines, companies have not changed behaviors or practices to stem corruption and bribery. Explains Michael, "When we talk to CFOs about internal controls, they will say 'yeah, yeah, yeah, we do that,' but when we drill into that, we find that at many companies, they are doing that work at a financial statement level of materiality." This level of compliance does not suffice for the SEC and DOJ; investigators are reviewing individual transactions, for instance between an employee and vendor, for evidence of corruption. "It does take some explaining to get people motivated to get down to that level, which is much costlier," adds Michael. It is at that very bottom level that is rarely monitored that companies have a lot of risk. The more leadership pushes on compliance and proper reporting from top to bottom, the better chance a company has to achieve this transparency and avoid any issues.
Enforcement actions are only going to become more prevalent as corruption grows. "We are going to see companies have their internal controls examined more closely," shared Michael. He also warns that those companies who do not keep up will receive more pressure to do so. "The more your peers are upgrading their internal controls, the more pressure you will receive," says Michael.
It's best to build a strong program of internal controls based on your industry's specific risks now and get ahead of the issue for many reasons. Advises Michael, "The reputational hit and loss of management attention that these things entail can really set a company back. Those things make it important to spend a little effort in the front end and try to avoid the problems."