The Criminal Division of the U.S. Department of Justice (DOJ) and the Enforcement Division of the U.S. Securities and Exchange Commission (SEC) released the Second Edition of A Resource Guide to the U.S. Foreign Corrupt Practices Act (FCPA) on July 3, 2020 (the "2020 Resource Guide"), updating the first edition released in November 2012 (the "2012 Resource Guide"). The 2020 Resource Guide does not make fundamental changes to its predecessor, but serves as a repository of various legal and regulatory developments since 2012. This includes highlighting developments in case law such as United States v. Hoskins, as well as new sections dedicated to discussing guidance such as the DOJ FCPA Corporate Enforcement Policy, Selection of Monitors in Criminal Division Matters, Coordination of Corporate Resolution Penalties (or Anti-Piling On Policy), and the Criminal Division's Evaluation of Corporate Compliance Programs.
In this Ropes & Gray podcast, Alex Rene, co-chair of the firm's litigation & enforcement practice, moderates a conversation with the co-leaders of the firm's anti-corruption and international risk practice—María González Calvet, Amanda Raad and Ryan Rohlfsen—on the updates in the 2020 Resource Guide, as well as their implications on liabilities and responsibilities under the FCPA, including regulator views on compliance programs and culture.
Alex Rene: Hello everyone. My name is Alex Rene, and I'd like to welcome you to the ACIR 2020 Resources Guide podcast. I am here with the three co-chairs of Ropes & Gray's anti-corruption and international risk practice group, Ryan Rohlfsen, María Calvet and Amanda Raad, who are here to share some insights on the Resource Guide to the U.S. FCPA. Ryan and María, can you tell me a little bit about your experience working on the first edition of the Resource Guide to the U.S. Foreign Corrupt Practices Act?
María González Calvet: Sure, Alex. In 2012, the Department of Justice and the SEC released the first Resource Guide to the U.S. FCPA, intended at the time to try to bring together in one document all of the guidance that it had gleaned and was able to compile based on prior resolutions and prosecutions, and its interpretation, to the extent that it could make it publicly available, of the applicable statutes and the expectations of companies and individuals seeking to comply with it. At that time, the Department asked ten or so line prosecutors to assist with the drafting, to review prior cases, resolutions, to analyze statutes, legislative history, and any number of different contributing documents in order to build out the Guide, and Ryan and I were both a part of that effort.
I think, María, you were responsible for footnotes 50-75, and I had 100-120, but yes, it was obviously a very monumental undertaking at the time. Nothing like that had ever been done in the FCPA, and I think it was very much a welcome Guide to the community, both the defense bar and industry as well, to get some guidance on it. What we're seeing today in the updates that are now I guess eight years in the making, if you will, are not fundamental changes from the basic principles underlying the 2012 Guide, but really updates to things that have happened since then. For example, new policies that have come out, new cases and new approaches by the Department as well as the SEC. So in that regard, it brings this manual and the guidance around it current.
Alex Rene: That's fantastic. So María, can you give us an overview of some of the enforcement updates that have been made to the Guide?
María González Calvet: The first iteration of the Guide was written eight or so years after a real uptick in enforcement of the FCPA by DOJ and SEC. What we've seen now, as Ryan mentioned, in the following eight years is even greater growth in enforcement, not just domestically by DOJ and SEC, but by a number of other foreign regulators as well. And so what this updated Guide does, as Ryan said, it just doesn't make any fundamental changes, but it does serve as a repository of those developments since the first Guide of additional case law and guidance that's been issued since 2012. Specifically, there are additional points addressed with respect to corporate enforcement policy, monitors, coordination of corporate resolutions and penalties, the Anti-Piling On Policy, for example, and the Criminal Division's evaluation of corporate compliance programs as well.
Alex Rene: There's a lot to follow up and unpack from what you just said. Let's start with the recent cases. Can you tell us and give us an idea of what recent cases have been incorporated, and what impact those cases should have?
María González Calvet: It won't be any huge surprise that the three cases that I'd point us to are Hoskins, Esquenazi and Seng. Now the Guide does make reference to any number of other cases and resolutions, and we'll certainly talk about those, but for Hoskins, the Second Circuit determined in that case that an individual can be criminally prosecuted for conspiracy to violate the anti-bribery provision only if that individual falls under one of three categories. The Guide update notes that this is an area of jurisprudence still in flux, and so you can see where the Department isn't really willing, and the SEC isn't really willing to confine itself because of the conflicting district court decisions in other circuits. So I think we should continue to keep our eyes out for individual liability theories by the Justice Department.
Ryan Rohlfsen: I think this was a huge one, María. As you know from your time at the Department, using a conspiracy charge is a very powerful tool that can be used to charge a number of individuals beyond core conspirators or core individuals who may be involved, and to really broaden this ability to bring charges against additional companies and individuals. So, this was really a challenge to the Department. I expect them to, as you noted, not only to not concede this in other circuits, but continue fighting on this front.
María González Calvet: Right. And standing almost in the opposite position is the Esquenazi case, there the Eleventh Circuit ruled that the term "instrumentality" was broadly defined to mean "any entity that is controlled by the government of a foreign country that performs a function the controlling government treats as its own," and there's some magic language around these non-exhaustive list of factors. Now to be clear, that list of factors hasn't changed from the 2012 Guide to the 2020 Guide, but now there's an Eleventh Circuit case that bolsters the Department's position on that.
Then finally, the Seng case, just to point it out, there's a district court rejection of a request to instruct the jury regarding local law as an affirmative defense, and that reaffirms that the defense is very, very narrow and that the absence of local law prohibiting the conduct is not sufficient. Here, there's also a policy consideration regarding the Department's real hard fought effort and engagement with organizations like the OECD to continue international enforcement and the developments of legal frameworks in multiple countries. And we've certainly seen that happen, so it's not surprising that there would also be reference to this case to reiterate the point that local law is not a defense, except in narrow circumstances.
Alex Rene: Thank you, María. Let me ask about some recent enforcement actions. Can you tell us, what are some recent enforcement actions that have been added to the Guide, and what we can learn from those actions?
María González Calvet: Sure. So any updates to the resource Guide would have to make reference to the Odebrecht corruption scandal coming out of Brazil, and involving multiple countries around the globe, and in Latin America. It's just a very significant case regarding blatant bribery orchestrated at multiple levels of the company. As you may know, it's a Brazilian company that had a secret financial structure, a very robust structure, that operated to make, create and hide accounts for corrupt payments to foreign officials in multiple jurisdictions. There are related investigations in Brazil, Colombia, Peru and other jurisdictions as well, so it's not at all surprising that that would be a recent enforcement action highlighted. The SBM case is another example of criminal liability for management – so that's an individual, a former CEO of a publicly traded energy company in the Netherlands and they retained third-party sales agents to pay bribes to officials in five countries. And then, the third example I'd point to is hiring practices – hiring, promoting and retaining children of, in that case, Chinese officials, to win business with those officials. Each one of those enforcement actions that we just outlined captures a different area of significant risk and significant attention by regulators.
Alex Rene: What recent agency guidance has been incorporated, and how does the Guide incorporate the Corporate Enforcement Policy?
María González Calvet: The recent agency guidance has been incorporated. There have been multiple – the Corporate Enforcement Policy, the Anti-Piling On Policy, the Selection of Monitors in Criminal Division Matters, and the Evaluation of Corporate Compliance Programs. Again, here we see where these policies are all being brought together in one place. So the Guide incorporates the Corporate Enforcement Policy by adding a new section on the policy, and that's actually the most significant update that we see. It summarizes the sentencing reductions under that policy whereby companies that voluntarily self-disclose misconduct that they identify, cooperate fully, and make timely and appropriate remediation get a presumptive declination; where, and when there are aggravating circumstances, they get a 50% reduction. Now again, this isn't new, but the incorporation of it into the Guide is new. Companies that do not voluntarily self-disclose, but they meet any number of other requirements, get a 25% reduction.
Alex Rene: Did the DOJ ever consider other factors in determining if a declination is appropriate?
María González Calvet: Absolutely. Though we know this generally from other matters, the Guide provides three specific examples of recent declinations that show the DOJ may consider other factors in determining whether a declination is appropriate – prosecution by other authorities, personal liability, and lack of prior history. They give examples of each one of those where the Department has taken a pass on pursuing a corporate resolution despite the evidence of conduct where there was either another resolution pending with another regulator abroad for the same conduct, where the company accepted responsibility before that conduct, or where the foreign regulator was able to identify and charge culpable individuals. And then finally, where the DOJ considered a company's lack of prior criminal history and the effectiveness of its compliance program to refuse to pursue the case.
Alex Rene: María, does the Guide provide any examples of the Anti-Piling On Policy in practice?
María González Calvet: It does – it points to the Braskem matter that DOJ, the SEC, Brazilian and Swiss authorities all brought action in each one of those cases and credited one another in imposing fines and disgorgement on a publicly traded company, the Brazilian petrochemical company, where they took into account the resolutions that were reached by their counterparts in reaching their own resolutions. That's not the only example – there are many others.
Alex Rene: How does the Guide incorporate recent guidance on Selection of Monitors?
María González Calvet: Here the Guide really emphasizes that monitorship is not meant to be punitive, and is likely not necessary where a corporation's compliance program and controls are effective and appropriately resourced at the time of the resolution. That's an important distinction because the evaluation of the compliance program, as we'll discuss, isn't just what was in place at the time that the alleged misconduct occurred, but also at the time of the resolution. And when the Department is deciding whether to impose a monitor, prosecutors have to weight the potential benefits of that monitor for the company and the public against the cost of the monitor and its impact on the operations to the company.
Alex Rene: Thank you for that. In following up, how does the Guide incorporate recent guidance on Evaluation of Corporate Compliance Programs?
María González Calvet: Here again it emphasizes that in assessing a compliance program, prosecutors will look at the status of the program, as I mentioned, both at the time of the offense and at the time of the charging decisions or resolutions. It lays out the three fundamental questions that a prosecutor should be asking when assessing a corporate compliance program. And of course, if the prosecutor should be asking the question, the corporate entity and its compliance professionals should be asking themselves these questions as well. First, is the company's compliance program well designed? Is it being applied in good faith (in other words, is that program resourced well enough and empowered enough to function effectively within the company)? And then, does it actually work – does it work in practice? Here, the Guide notes that internal investigations should aim to identify the root causes of any misconduct and ensure that any lessons that the investigation yields, or anything that they learn from that misconduct is integrated into the compliance program and into the fabric of the company to strengthen its efficacy.
Alex Rene: Thank you, María. Ryan, turning to you. Can you give an overview of updates as to scope and jurisdictional reach?
Ryan Rohlfsen: There were a number of clarifications in the Guide relating to scope of enforcement as well as jurisdictional reach, largely stemming from some of the cases that María discussed earlier, that have resulted in sharpening of both the SEC's and DOJ's focus on particular cases as well as timeframe for cases on that. So there have been a number of changes on that.
Alex Rene: Have there been any changes to the categories of persons and entities covered?
Ryan Rohlfsen: Sort of. There was an update where the Guide replaced a category of "shareholders" of an issue or a domestic concern with shareholders acting on behalf of an issue or domestic concern. As a practical matter, I think this was probably clarifying a point from a prior Guide because you could see the way the Guide was written originally as potentially impacting passive shareholders in terms of civil or criminal liability, at least for enforcement investigation purposes. But the reality is, is that there would never be a case against a truly passive, disinterested investor, who's not at all aware of or involved in a scheme, so I think this was clarifying some of that language around that issue.
Alex Rene: Does the Guide clarify the scope of enforcement with respect to a failed bribery?
Ryan Rohlfsen: Yes, and again, this is something that the law of course never really changed on it, but they did make clear in the revisions that you don't have to be successful with a bribe. So it's a similar concept that if I walk into a bank and I think I rob it, and instead of getting a bag of cash, I get a bag of confetti, I'm still guilty of bank robbery. I think what they're trying to clarify here is the fact that, just because you are not successful in actually bribing a foreign public official or that that doesn't work out, that doesn't mean that you're not responsible potentially under the FCPA because it's really your intent that matters. The Guide points to a case involving prosecution of an individual where the individual bribed a middle man who he thought was actually going to be delivering the cash to a foreign official, and in fact, the middle man just kept the money. This works on the flip side too, so if the government can't show intent to bribe exists, then it can't prove its case either. So it works both ways, but at least they're clarifying because this is a very common question I think we as practitioners get over the years, in terms of does a bribe have to be successful and those sort of things, really showing that intent is key.
Alex Rene: Thanks, Ryan. Does the Guide provide any additional guidance on parent-subsidiary liability?
Ryan Rohlfsen: Consistent I think to some extent with the Hoskins case, it makes clear that, in addition to establishing the agency relationship between the parent and subsidiary, that basically the subsidiary must have acted "within the scope of the authority conferred by its parent" for its actions to be imputed to the parent. So really getting to traditional agency principles and clarifying at that point that, in theory, this should help to establish that just because the fact of the matter that you're simply a subsidiary of a company, that doesn't mean automatically that the parent is going to be liable for corrupt conduct by the subsidiary.
Alex Rene: Does the Guide provide any additional guidance on successor liability in the M&A context?
Ryan Rohlfsen: Yes. So little more practical points here from the prior version, and this is something that in the last few years, companies have been very focused on. There have been a few opinion letters at the FCPA unit published in the interim, and also a lot of questions, a lot of M&A activity, and some enforcement actions involving the acquisition of one company by another, and then the acquired company had some issues on what does that mean for the acquirer. What the DOJ and SEC said was, "Look, it's really important obviously for a company to undertake pre-acquisition diligence, but recognize as a practical matter, not all companies are sold with complete access to books and records, and thorough due diligence." Sometimes it's like buying a car off the lot without being able to check under the engine – that's just how the car is sold, it's at an auction. Well, that happens in companies too, and so the DOJ and SEC are saying, "Okay, in those instances, we recognize that you can buy a company. You may not have access – there's varying levels of due diligence from zero to fully open books and records. In those instances where you did not have much access to books and records, and to do thorough diligence, there's just an expectation that within a reasonable time of closing, as is practical, you do what you need to do to really look at the books and records, and to give an inspection of the company from its anti-bribery and compliance risk perspective to try to identify if there are things that need to be fixed in the short-term as you integrate that new company into your systems."
Alex Rene: Does the Guide provide any guidance as to how to avoid successor liability when misconduct at a target company or a recently-acquired entity is discovered?
Ryan Rohlfsen: Well, yes. The government, the DOJ and SEC, they emphasize throughout the Guide and throughout the recent policies, they encourage self-disclosure on it. The concept here is that, if you promptly self-disclose an issue after acquiring a company, that there will actually be a presumption—now this is actually in writing now—a presumption of declination, where you uncover the misconduct after you've newly merged or acquired, again, through either pre- or very timely post-acquisition diligence and integration efforts, and then go ahead and voluntarily self-disclose it. Now, obviously, although this language is there, a presumption doesn't mean a guarantee, so you still have many issues here in the event a company is considering self-disclosing an issue of where does that lead the government. If it's that you're not going to be guaranteed to have a declination, in fact it may turn into a much bigger investigation down the road – then that gets into the carrot-and-stick analysis of self-disclosure that the DOJ and SEC have set out in their policies as well as in this updated Guide.
Alex Rene: Does the Guide provide any recent examples of this sort of declination?
Ryan Rohlfsen: Yes. It points to the Alstom case, where a U.S.-based multinational that acquired Alstom was not held liable because Alstom had paid bribes in the past. They declined to prosecute the acquiring company under successful liability principles and instead actually charged the seller on that, so they pointed out this is how it can work in practice.
Alex Rene: Does the Guide indicate whether the recent trend of increased coordination between enforcement agencies in different countries will continue?
Ryan Rohlfsen: Yes. It talks a lot about what we see and the trends we've seen in the last ten years around global enforcement and coordination. Coronavirus aside, because I think that's put a bit of a damper on everyone's international coordination, that what we have seen on the long arc has been in the last ten years some fairly dramatic increase in coordination due in part to the fact that a number of countries, major economies, have not only passed laws, stringent anti-bribery and fair competition laws that are consistent with the goals of the FCPA on that, but as well as putting in place enforcement mechanisms that have real teeth. Prosecutors actively investigating matters, coordinating with the U.S. and other authorities, and trying to bring their own cases, but at the same time obviously, on coordinating with the U.S. and others. So you've definitely seen a dramatic increase in that in the last several years, and so the Guide recognizes that. But of course, that gets back to the whole issue of this Anti-Piling On Policy because now all of a sudden, whereas in 2012 when the Guide first came out, if you're a company and you're being investigated by the SEC and DOJ, that might be it. Whereas now, you could also be looking at inquiries from the SFO in the UK, the MPF in Brazil, a number of other regulators in a host of countries that have been active in the last few years, including Germany, France, the Netherlands, Sweden, Singapore – you name it, there's just been a lot more activity on it. So now you're faced potentially with having to pay multiple fines to multiple governments in multiple countries, and so DOJ is also recognizing this factor as well, to say the goal here is not to be duplicative of fines and overly punitive on it. But again, the coordination works both ways and it allows the cases to move more swiftly and perhaps more impactful, but also to hopefully cut down on the likelihood not to eliminate of course, but to cut down on the duplication of fines and penalties.
Alex Rene: Thank you, Ryan. Amanda, turning to you. Can you give an overview of what the Guide says about how to use company culture and technology to strengthen a compliance program?
Amanda Raad: I think the most interesting thing maybe is that the Guide is speaking about company culture and technology, and that that is kind of front and center in the approach. So culture has been a huge focus, particularly of foreign regulators as well. So the FCA in the UK has been very, very focused on culture, but to see it so explicitly referenced here in the Guide is fairly new. It's not really a new concept in the sense that for a long time we've understood that effective compliance means that you have to have more than a paper policy and it has to be more than just lip service to this – it really has to be embedded into an organization. But the statements and the proactive nature of these statements really put a highlight on assessing culture, measuring culture and acting upon it in a continuous way, and also using technology and using data to do this.
Alex Rene: What does the Guide say about how to successfully create a compliance culture?
Amanda Raad: I know we like to look to regulators for the solution, but of course, it's different and has to be tailored to all of our organizations, but it does talk about a few areas. One area that it talks about is making sure that the compliance program is really empowered to function effectively. And so, how do you do that? Part of that is making sure that compliance is not just viewed as some kind of support function, but is integrated into the culture of an organization and is really part of the business, so that those two are able to work together and be aligned to achieve the goals and the culture that the organization sets out to set. Also looking at resources – so is the compliance program effectively resourced so that it can drive the culture that it seeks to drive, both from a legal and regulatory perspective, but also just from a pure culture and risk perspective? And there's also a fair amount, as we talked about earlier, I think María mentioned earlier, that expectation to really understand the root cause of particular issues. In order to make real change and to make real movement to make sure our programs are functioning effectively, that we really have to focus on understanding the root cause of why something happened– making changes that are really designed around targeting what actually caused the issue that we're trying to fix.
Alex Rene: What are the consequences of not cultivating a compliance culture?
Amanda Raad: I like to turn things on their head, so instead of looking at consequences, I would maybe rephrase it to say, what's the opportunity for creating an effective compliance culture? I mean, certainly, some of the consequences are that you may not qualify for the protections that come under the evaluation of corporate compliance programs guidance. You may not be able to secure a declination, and of course, you may have more stringent sanctions put in place, for example, perhaps having a monitor appointed. But really, designing the effective compliance culture and focusing on that as a starting point allows you to make sure that you're really mitigating risk across your organization. So again, it helps from a legal and regulatory perspective, but it also helps just from a good business organization perspective in making sure that you're achieving the outcomes that you're seeking to achieve in an organization.
Alex Rene: What does the Guide say about the importance of incorporating technology into a compliance program?
Amanda Raad: So I think you can take that question and maybe pair it up a little bit with the focus from the recent guidance on the use of data, and using data to measure risk and measure culture. There is a greater emphasis for sure on effectively using data, making sure that compliance and the business are working together to understand data, and to use it to test what's happening and monitor what's happening on an ongoing basis, so that you can make effective decisions. And of course, data is big. It's hard to identify what is the right data set that we should be looking at? What's the right universe of data? What are the right analytics that we should be running? But the point is, there's a real emphasis here that the data exists, and we have to start to work with it and really understand it. And with that, you can't meet that challenge without using technology.. You think about the crisis that we've been in, and everybody working in different locations and being remote – that has only emphasized the need to be able to rely on technology to access data to continue to run our organizations, but also continue to mitigate risk and continue to run our compliance programs. I think the crisis has really highlighted the importance of technology in an effective compliance program. And honestly, for any global organization, whether we're in crisis or not, you're always going to need to reach data that is all over the world and in several locations. Technology is just a critical piece of making it all work and making sure you're able to really test the effectiveness of your program.
Alex Rene: What sorts of practical steps can a company take to incorporate technology into its compliance program?
Amanda Raad: Circling back to the data point, I think practically one of the first steps, and it sounds pretty obvious, is understanding what data exists and what technology exists because once you understand what's out there, you can start to make a plan on how to incorporate it and how to use it. Again, there's no easy answer on this and no one-size-fits-all, but really mapping out where are the various pieces of information, what exactly are the risks that I'm trying to mitigate against, and what data should I be trying to use to tell me that story? For example, if you're trying to understand if your compliance hotline is working correctly, you're going to need to understand of course how often the hotline is being used, where the information is coming from, and all kinds of information and pieces of data that will be important for you to track because they're all pieces of information that you can then analyze. And so, once you do that mapping, it's both the risk analysis mapping as well as data mapping, you can then think about what technology and what resources you can best leverage to most efficiently and effectively use the data.
Alex Rene: Taking into account all of the updates we've discussed today, Amanda, what are some of the key takeaways?
Amanda Raad: I think one of the biggest takeaways that we should think about is that we have to continue to think about how to make sure compliance programs are actually working. I mean, the guidance comes right out and says, "Is the compliance program working?" Does that mean that there will never be any issues? No – it means that we have to be able to see are issues being identified, where issues are being identified, and is the program able to effectively find solutions and adapt and change over time so that you have an evolving program that can really mitigate risk. And so more than anything, I think one of the biggest takeaways and reminders is, this is a constant process. Once you have a program, it can't stay static – you have to keep working on risk assessment and modification. The focus on culture really highlights all of this and brings it together. I think one of the other things that Ryan pointed out is, there is an increased focus on investments and acquisitions, and if you think it's hard enough for an organization to really understand their culture, it's even harder when you have an organization that has one culture being combined with an organization with another culture. And trying to merge the cultures, merge the compliance infrastructures, merge the businesses – those are all really challenging things that need to happen. It's not just at the time of the investment or the acquisition that has to happen – that's going to have to keep happening over time and be refreshed and be ready to change. This is a continuous job. There isn't an easy way to do this, but we have to recognize that the overall tone and culture is critical, and we have to remember how important data is to really making sure that we're doing more than just looking at the policies and procedures that we have in place to see whether they're actually working.
Alex Rene: Amanda, Ryan, María, thank you very much for your valuable insights to the updates associated with the FCPA Resource Guide. If you'd like more information on the topics we discussed, or if there are other topics of interest to you in the anti-corruption and international risk field, please feel free to visit our website at www.ropesgray.com. And of course, feel free to reach out to any of us if you have any questions about these topics. You can also subscribe and listen to this series wherever you regularly listen to podcasts, including on Apple, Google and Spotify. Thank you for listening.
Originally published by Ropes & Gray, July 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.