Page 1 of 7 Potential Exposure Under The FCPA Portfolio Media. Inc. 648 Broadway, Suite 200 New York, NY 10012 www.law360.com Phone: +1 212 537 6331 Fax: +1 212 537 6371 customerservice@portfoliomedia.com Law360, New York (August 08, 2008) -- Much has been written about the significant recent growth in government enforcement of the Foreign Corrupt Practices Act (FCPA), 15 U.S.C. 78dd-1, et seq. Indeed, it is hard to understate. For the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ), who share enforcement responsibility under the Act, 2007 and the first half of 2008 have been banner years. This reflects the increasingly-bright regulatory spotlight that shines on the FCPA. Moreover, recently introduced legislation, although itself unlikely to have a significant effect on regulatory activity in the area, reflects an increasing political focus on fair global business practices. So what can a company do to help contain its potential exposure First, understand the risks. Second, institute compliance programs designed to contain the risks. Below we discuss each in turn. Risks Of The FCPA Simply put, the FCPA prohibits the actual or attempted bribery of foreign government officials in order to assist in obtaining or retaining business. Notably, the FCPA does not have a materiality threshold as to the size of the bribe or the business sought. While there are a few safe harbors for payments to foreign officials, these exceptions are narrowly construed and apply only rarely. The FCPA also contains books and records and internal controls provisions. These require companies to maintain records that accurately reflect their business, as well as sufficient controls to ensure compliance. Unlike the anti-bribery provisions, these provisions do not require proof of any bad intent; they can be violated by mere negligence. Risk 1: Aggressive Enforcement The government s aggressive enforcement constitutes the primary risk companies and their employees face under the FCPA. The SEC and DOJ will pursue violators that have virtually any connection to the U.S. securities markets.
Page 2 of 7 Thus, domestic companies can be held liable for the actions of their foreign affiliates (e.g., Flowserve Corp., a U.S.-based company, settled alleged books and records and controls violations for the actions of its foreign subsidiaries). Foreign companies with a U.S. connection, such as by trading on the U.S. securities markets, can be held liable for their international activities (e.g., FCPA actions were brought against AB Volvo and Akzo Nobel, which are both foreign-based companies trading in the U.S. through American Depository Receipts). And companies that act through foreign third-party agents may be pursued for the acts of those agents (e.g., Textron, Inc., a U.S. company, settled alleged books and records and internal controls violations because consultants based in Jordan and Lebanon paid bribes to Iraqi officials). Companies may also face concurrent enforcement actions in multiple jurisdictions. For example, the SEC and DOJ recently opened their own investigations into a company that already had been penalized over 200 million by a German court for foreign bribery charges. Indeed, the DOJ or SEC may attempt to influence interactions with the foreign agencies. Akzo Nobel, for example, entered into a non-prosecution agreement with the DOJ that required the company to settle with Dutch authorities and pay a penalty of at least 381,000. In some cases, investigations that begin in one country or with one company can expand into global investigations. In one matter, it has been reported that the investigation involves activities in over sixty different countries. And 2007 saw several industry-wide investigations involving multiple companies operating in the same field. For example, there were investigations of participants in the U.N. s Oil for Food program, of companies who had done business with a global freight-forwarding entity, and of the international sales practices of several medical device companies. Risk 2: Large Financial Costs As the SEC and DOJ have increased their enforcement of the FCPA, they have also increased their demands for settling such cases. Recently, the SEC and DOJ not only have imposed high civil penalties and criminal fines, but also have required the disgorgement of profits of the business obtained from the violative conduct. Two cases from 2007 are illustrative. First, Baker Hughes agreed to pay the largest overall monetary remedy in FCPA history: $44 million. The company, in the context of securing an oilfield development contract in Kazakhstan and in response to the demands of local officials, retained and paid commissions to a local consulting firm.
Page 3 of 7 The total payment included over $23 million of disgorgement, which represented some of the profits Baker Hughes obtained by virtue of its conduct, plus interest. The remaining $21 million consisted of a civil penalty and criminal fine. Second, Vetco Gray, a U.S.-based oil and gas company, and two of its foreign subsidiaries pled guilty to violating the anti-bribery provisions of the FCPA and agreed to collective criminal fines of $26 million. Vetco Gray and its subsidiaries, over a three-year period, had made almost 400 relatively small payments to Nigerian customs officials to secure preferential treatment during the customs process. This is the largest criminal fine in FCPA history. Moreover, many deferred- or non-prosecution agreements with the DOJ require companies to hire an FCPA compliance monitor, typically for three years. This can result in exorbitant ongoing costs. Procedures adopted by the DOJ in March 2008 may help limit the scope of a monitor s duties, but only time will tell if they substantially decrease overall monitoring costs. Individuals Targeted Not surprisingly, the SEC and DOJ have pursued individuals directly involved in bribing foreign officials. For example, sitting U.S. Representative William Jefferson was charged in 2007 with offering bribes to Nigerian officials. Executives can also face penalties abroad, as an executive recently experienced after receiving a two-year suspended prison sentence and a 108,000 fine from a German court. However, the SEC has also shown its willingness to bring actions against individual officers or directors merely for their purported oversight failures. For example, in 2007, the SEC settled with Monty Fu, the founder and former CEO and chairman of a company that was alleged to have bribed doctors in state hospitals in Taiwan. The SEC alleged, among other things, that Mr. Fu, though not involved in the actual bribe, was liable for violating the FCPA because he did not implement proper internal controls. Risk 4: Mergers & Acquisitions While successor liability under the FCPA is largely an open question, the Act has increasingly played a role in corporate due diligence and transaction negotiations. For example, the discovery of potential FCPA issues before closing a deal has led some companies to self-report to the government, often at the insistence of the acquiring company, which has frequently led to enforcement proceedings. Other companies discovering potential FCPA issues have made use of the DOJ s opinion procedure to request non-action relief. For example, in release No. 2008-02, the DOJ provided an acquiring company with a limited safe harbor to conduct post-acquisition FCPA due diligence without fear of prosecution, provided that the acquirer adopted certain best practices, including additional investigation, training, and full disclosure to the DOJ.
Page 4 of 7 Risk 5: Potential Private Litigation In addition to government regulation, private litigation may result from FCPA violations. The FCPA itself does not provide a private right of action. But violative conduct could give rise to private shareholder litigation and RICO claims, among other actions. Private shareholder class action and derivative litigation sometimes accompanies FCPA violations. For example, FARO Technologies has the misfortune of being subject to class actions and derivative litigation, on top of a government investigation, all for the same conduct. Settlements with the government and the shareholder plaintiffs have reportedly totaled almost $10 million so far. Conduct that violates the FCPA could also give rise to RICO claims for treble damages. For example, in February 2008, BP plc and StatoilHydro ASA were sued by a co-investor in a joint venture (which had allegedly violated the FCPA) for RICO violations. Indeed, some foreign governments, alleging RICO violations, have sued companies for their attempts to corrupt foreign officials. For example, on June 27, 2008, the Republic of Iraq filed suit against numerous companies allegedly violating the FCPA in connection with the Oil for Food program. Recent proposed legislation could add a new dimension. The Foreign Business Bribery Prohibition Act of 2008 (H.R. 6188) seeks to give domestic companies a limited private right of action under the FCPA to sue a foreign company when it has violated the FCPA and the violation caused the domestic company to lose business. In other words, if a U.S. company loses a contract because a foreign company bribes a government official, the legislation would permit the U.S. company to sue the foreign company for treble damages. This bill is still early in the legislative process and has been referred to two committees for consideration. As introduced, the bill presents numerous difficulties: obtaining jurisdiction over a foreign company; the practicality of proving the foreign company violated the FCPA; and, even if a judgment is obtained, enforcing and collecting that judgment abroad. Nevertheless, while it seems H.R. 6188 would have little practical effect on the FCPA landscape, the bill reflects a growing political interest in the issues. Containing The Risks In light of the above, companies doing business abroad should assume that the FCPA is an important consideration in their business, any violations may well be discovered and prosecuted, and private litigation may follow. Implementing strong FCPA controls to help minimize risks should be a priority. Indeed, with the increased globalization of the American economy and corresponding international development, tightening FCPA
Page 5 of 7 compliance is a natural extension of the domestic compliance efforts that accelerated under Sarbanes- Oxley. Although any effective compliance program must be tailored to the specific risks and needs of the company, below are some consistent attributes of successful programs. Compliance Initiative 1: Tone At The Top You have heard it time and again: a compliance-oriented tone at the top is a necessary prerequisite for an effective controls environment throughout the company. For the FCPA, top company officials, both domestically and in the foreign offices, must support the company s anti-bribery program. Company executives should publicly encourage FCPA training and compliance, as well as make it known that activities that violate the FCPA will not be tolerated. Compliance Initiative 2: Specific Policies And Frequent Training Written policies should specifically address the unique FCPA risks and concerns that the company and its employees face. Moreover, they should be tailored to the specific areas of the world in which the company operates and the specific type of business it conducts. Certain countries are generally recognized as presenting higher risks than others. Transparency International releases a survey ranking countries according to their perceived levels of corruption (see www.transparency.org/policy_research/surveys_indices/cpi). Companies should take even greater care with their policies for countries that rank high on such lists. But lists should just be a starting point. For example, China ranks 72 of 179 on Transparency International s 2007 list (with 179 having the most perceived corruption), but China is frequently cited as today s highest-risk location. The combination of China s business structures, with many wholly or partially state-owned enterprises, and of many outsiders cursory understanding of traditional business norms, makes this country fertile ground for FCPA violations. Companies must understand and appreciate the local environment in which they do business so as to design effective training and controls to ensure that business is done lawfully. Different types of companies present different risks, and thus require different policies. For example, companies with a centralized approach to dealings with foreign government officials (such as companies bidding on large infrastructure projects) may only have a limited number of individuals who are in a position to present FCPA risks. Policies and training here can be focused on those individuals. Conversely, companies that engage in retail-type sales abroad (such as medical device companies with multiple sales people visiting local hospitals) may need customized policies and training that reaches more broadly.
Page 6 of 7 Compliance Initiative 3: Accurate Books And Records Maintaining accurate books and records not only makes good business sense, but also can provide a legal defense. Policies that require meticulous and accurate recording of all transactions, with adequate support and explanation, will go a long way to helping a company detect, identify the scope of, and remedy potential FCPA violations. Compliance Initiative 4: Oversight And Testing Policies and procedures are only useful if they are followed and enforced. Companies should institute oversight and testing procedures that are reasonably designed to detect potential FCPA issues. Keep in mind that since even a small bribe can subject a company to big liability, no international operations should be considered too insignificant for FCPA compliance efforts. Compliance Initiative 5: Do Your Due Diligence Companies should seek to be as informed as possible when doing business abroad. To begin, companies should identify any government connections of all individuals with whom they are dealing. Since individuals can be foreign government officials under the FCPA by working at an even partially state-owned business, any inquiry should probe for as much detail as possible on an individual s employment and the entity s ownership. Sometimes, a simple questionnaire can reveal what is needed. Other times, local investigatory efforts are required. Interactions with third parties, particularly consultants or agents who help with contacts and local norms, present particular compliance risks since a company may lack full information on, and control over, the third party s activities. Before hiring any third parties, companies should gather as much intelligence about them as possible through background checks and interviews of references. Consider adding to third-party contracts provisions that expressly prohibit FCPA-violative conduct. Also, consider adding provisions that would allow company personnel to audit third parties operations. Full information about potential FCPA issues should also be sought in the context of corporate merger or acquisition transactions. For these types of transactions, due diligence of companies conducting international business should include investigation of any FCPA issues. If problems are discovered, they should be addressed before closing the transaction. Conclusion If ignored, the FCPA presents colossal risks for companies, and their employees, doing business abroad. But the risks can be contained through effective and comprehensive policies and controls. Companies with international operations should update and monitor their policies in this regard. Given the complexity of the
Page 7 of 7 area, and the enormity of the potential costs, companies should additionally seek the advice of experienced counsel on these matters. --By Randy Fons and Brian Hoffman, Morrison & Foerster LLP Randy Fons is a partner, and Brian Hoffman is a senior associate, in Morrison & Foerster s Denver office, both practicing in the firm s securities litigation, enforcement and white-collar defense group. All Content 2003-2008, Portfolio Media, Inc.