Chapter 3

---

Bribery and Corruption

Pamela J. Parizek

The U.S. Department of Justice (DOJ) and the U.S. Securities and Exchange Commission (SEC) have vigorously enforced the U.S. Foreign Corrupt Practices Act (FCPA) since 2005, in contrast to the quiescence of the previous two-and-a-half decades. With public reports indicating that there were more than 100 active corruption investigations in 2015, nearly $2 billion in fines and penalties over the past two years,¹ and an increase of 10 DOJ prosecutors and additional FBI agents focused on FCPA, there can be little doubt that FCPA remains a top priority of the DOJ and SEC, with the DOJ predominantly focused on holding individuals culpable and the SEC the predominant corporate enforcer.

It is equally clear that multijurisdictional enforcement and global cooperation are on the rise. Five of the major FCPA cases in 2014 (Alstom S.A., Alcoa Inc., Smith & Wesson Holding Corp., Hewlett-Packard Co., and Marubeni Corp.) involved cross-border investigative efforts, including not only the United Kingdom’s Serious Fraud Office (SFO) but also enforcement agencies in Bahrain, Indonesia, Mexico, Pakistan, Poland, and Russia.¹ According to TRACE International, non-U.S. enforcement actions concerning alleged bribery of foreign officials more than doubled between 2012 and 2014.²

In 2015, that number continued to rise. Over the past decade, the fines levied for corruption have also continued to rise, as governments around the world in this new era of global anti-corruption enforcement have tightened their regulations and increased their enforcement activity and cross-border cooperation. In addition to the general cost in lost output and inefficiency (estimated by the World Bank at $1 trillion a year³), companies found to have bribed officials have paid billions of dollars in fines and penalties to the DOJ, the SEC, and foreign regulators.

The surge in regulatory enforcement around the world and the continued expansion of companies into new geographical areas have created a challenging environment in which to conduct anti-bribery and corruption (ABC) compliance. A global survey in 2015 by KPMG International found that the most difficult aspect in managing ABC programs is auditing third-party intermediaries for compliance and conducting due diligence over them.⁴ Third parties and due diligence are dealt with later in the chapter.

A corollary to this vigorous enforcement gleaned from a review of U.S. criminal and civil enforcement actions over the past five years shows a marked trend toward leniency for companies with effective compliance programs. As a result, bribery investigations and remediation efforts tend to go hand in hand. These remediation efforts are not limited to policies and procedures at U.S. corporate headquarters; they tend to span worldwide operations and to include training, risk assessments, due diligence, and compliance audits.

As the U.S. government has become more sophisticated in evaluating corporate compliance and governance, regulators are imposing higher standards on companies for implementing effective compliance programs Significantly, more than half of the top FCPA cases against corporate entities in 2014 resulted in the identification of a need to improve FCPA compliance controls (Alstom, Avon, Bio-Rad, Bruker, Marubeni, Layne Christensen Co., and Smith & Wesson). With the DOJ’s appointment of a Chief Compliance Officer in 2015, compliance programs will undergo rigorous scrutiny.

The trend toward FCPA enforcement and effective ABC compliance started in the United States and has spread to other countries. The Organization for Economic Co-operation and Development (OECD) established the Convention on Combating Bribery of Foreign Public Officials in International Business Transactions in 1997,⁵ and the United Nations (UN) approved a Convention against Corruption in 2003.⁶ The United Kingdom was one of the first countries to follow the U.S. lead and, in certain respects, the U.K. Bribery Act⁷ goes further than the FCPA, by imposing strict liability for failure to implement “adequate procedures” designed to prevent bribery. Developed countries such as Germany,⁸ France,⁹ Canada,¹⁰ and Australia¹¹ have tightened their anti-corruption regulations.

Enforcement by OECD member countries is by no means uniform. In its 2015 progress report,¹² Transparency International, a global anti-corruption watchdog, said that there was little or no enforcement of the OECD’s anti-bribery convention in 20 of the 41 member countries, including Japan and Mexico. Overall, though, evidence among more developed countries shows a strengthening in enforcement in 2014–15.

Emerging markets, such as Brazil, Russia, India, and China (the so-called BRICs), have not only stepped up their own ABC enforcement recently but also enacted compliance mandates in some cases that, at least on paper, go beyond the FCPA and the U.K. Bribery Act.

U.S. authorities have made it clear that anti-corruption enforcement is taking on an international dimension. Marshall Miller, principal deputy attorney general for the Criminal Division of the DOJ, has said that the DOJ’s recent prosecutions of multinational corporations reflect failures “in global enforcement of compliance programs” and “of any ‘culture of compliance’ to extend beyond U.S. borders,” and the rise of a culture favoring profits over compliance.¹³ As a result, anti-corruption agencies around the world are cooperating to investigate wrongdoing that crosses borders. The former U.S. Attorney General, Eric Holder, has said that companies should expect further cooperation among governments, because the United States “must harmonize our domestic regulatory scheme with its global counterparts” in order to “pursue even more criminal cases against bad-actor institutions in the future—no matter their size.”¹⁴

With the United States taking the lead over the past few years, there has been an increased focus on the prosecution of individuals. In 2013 and 2014, more than 20 individuals were prosecuted by the DOJ and SEC. In 2015, U.S. Deputy Attorney General Sally Yates issued a mandate (the “Yates Memorandum”) to all federal prosecutors to hold individual corporate officers accountable for corporate misconduct, and 8 of the 10 FCPA cases brought by the DOJ were against individual defendants. In all of the cases brought against a corporation, officers associated with that corporation were also prosecuted.¹⁵ A similar focus on individual prosecutions can be found in actions by the U.K. SFO, as well as prosecutions in Brazil, China, and other countries.¹⁶

This chapter will analyze the applicable regulations in four jurisdictions (the United States, United Kingdom, Brazil, and China), with a view toward identifying a common approach to global ABC compliance. Through a review and analysis of ABC law and compliance regimes in these countries, the chapter will identify common principles that may be more simple and more effective than customizing compliance for each country. The chapter will also consider the key aspects of an organization’s program to prevent, detect, and respond to misconduct involving bribery and corruption.

United States

The United States was the first major economy to criminalize bribery and corruption of foreign officials, enacting the FCPA in 1977 in response to the Watergate scandal, which exposed the use of slush funds to make illegal political contributions. During the SEC’s investigation of these political contributions, it learned that companies also used these slush funds to bribe foreign officials. In response to an amnesty program devised to evaluate the extent of the practice, about 400 U.S. companies admitted to paying more than $300 million in bribes to foreign officials. In an effort to restore confidence in the integrity of U.S. business practices, Congress enacted the FCPA.

The FCPA has three principal objectives:

• To prevent and deter the payment of bribes to non-U.S. government officials
• To foster greater transparency in financial reporting
• To create a level playing field for companies operating overseas

Over time, these objectives have evolved through the FCPA enforcement apparatus to include greater responsibility for corporate compliance, more accountability for subsidiaries operating overseas, and enhanced collaboration with foreign regulatory authorities.

The FCPA prohibits the bribery of foreign government officials by U.S. persons and prescribes accounting, record-keeping practices, and implementation of internal controls. The FCPA is codified in two provisions of the 1934 Securities Exchange Act (the Exchange Act): Section 30A contains the anti-bribery provisions and Section 13 contains the accounting provisions.

Anti-Bribery Provisions (Section 30A)

The anti-bribery provisions of the FCPA contain a general rule prohibiting U.S. persons, entities, and issuers from giving anything of value to any “foreign official” in order to obtain or retain business, to influence the official, or to induce the official to act in violation of his lawful duties. The term “foreign official” is defined as any foreign government or employee of any such government or department, agency, or instrumentality; any political party, official, or candidate; any public international organization; or “any person acting in an official capacity for, or on behalf of, any such government or department, agency, or instrumentality, or . . . public international organization.”

By definition, this includes third-party agents and intermediaries who act on behalf of foreign officials. The prohibition against payments of “anything of value” is broadly construed by the U.S. government, and there is no materiality threshold. The sweeping nature of the law makes it particularly challenging for multinational enterprises with decentralized global operations to identify who may be covered and what constitutes “anything of value.” As a result, most companies have adopted a zero-tolerance policy for payments to any foreign official or intermediary.

Despite the expansive interpretation of the FCPA by U.S. government officials, there is one exception to this general rule and two affirmative defenses to an alleged FCPA violation. The exception applies to routine governmental action and appears in Section 30A (b) of the Exchange Act, which provides that Section 30A (a) shall not apply to “any facilitating or expediting payment” to a foreign official “to expedite or to secure the performance of a routine governmental action.” Routine governmental action is defined as an action that is ordinarily and commonly performed by a government official, such as: (1) obtaining licenses or permits to do business; (2) processing government papers such as visas or work orders; (3) providing police protection, mail, or cargo pickup or delivery; (4) providing telephone service; or (5) “actions of a similar nature.”

While the latter category is not clearly defined, enforcement activity has established that the action must be clearly ministerial in nature and specifically does not include any decision to award new business or to continue existing business or “to secure any improper advantage.” Accordingly, a key question is whether the foreign official or entity to which the payment is made has discretionary authority over the matter at hand.

One of the greatest challenges in qualifying for the facilitation exception is that it is often difficult to make the case that payments made to expedite routine government action really fits within the exception if the payments continue to be made over time. The government has taken the position that routine payments to expedite government action, over time, may create an improper advantage. Another complicating factor is that even where payments are truly made for facilitation purposes, they are not always described as such in the company’s books and records. As a result, a company may technically qualify for the facilitation exception but still run afoul of the books and records and internal control provisions of the FCPA. (Notable examples include IBM and Delta Pine, where very small facilitation payments were deemed to violate the books and records and internal controls provisions.)

Aside from the facilitation exception, there are two affirmative defenses to an alleged FCPA violation. To avoid liability under the FCPA, a U.S. company can show that (1) the payment was lawful under the laws of the foreign official’s country; or (2) that the payment was a reasonable expenditure for promotional activities. For the payment to be lawful, there must be something in writing to support its legality. Arguments that the activity is “traditional” or “customary” or that violations are “not enforced,” even if confirmed by local counsel, are insufficient. There must be written local authority carrying the force of law. Promotional expenses must be reasonable, bona fide, and clearly connected to the business of the company.

Accounting Provisions (Section 13)

The accounting provisions of the FCPA apply to the books and records and internal controls of corporate issuers. Section 13(b)(2)(A) of the Exchange Act requires issuers to maintain books and records and accounts, which, in reasonable detail, accurately reflect the transactions and dispositions of the issuer. Section 13(b)(2)(B) requires issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurance that transactions are authorized by management and are recorded as necessary to account for assets and to permit the preparation of financial statements in conformity with GAAP. When read in conjunction with Section 30A, this means that permissible payments to foreign officials must be accurately recorded in the issuer’s financial statements. The accounting provisions of the FCPA are principally enforced by the SEC.

One of the most instructive cases on the books and records and internal control provisions of the FCPA is a case in 2007 involving Lucent Technology. While the conduct was egregious (thousands of trips for the entertainment of senior Chinese executives to Las Vegas, Disney theme parks, and Niagara Falls), the case was not brought as a bribery case. Instead, it was brought as a textbook violation of the books and records and internal control provisions, because the payments were improperly booked to accounts classified as “factory expense” and “employee lodging.” The lapse of internal controls occurred because the company did not have controls in place to prevent those violations and lacked procedures to determine whether the guests they entertained were foreign officials.

An Official Guide

In November 2012, the DOJ and SEC jointly released a guide to FCPA entitled “A Resource Guide to the U.S. Foreign Corrupt Practices Act”¹⁷ (referred to in this chapter as the Guide). The Guide was created to provide businesses and individuals with more details concerning the FCPA, its provisions, and enforcement. The stated objective of the DOJ and SEC was for the Guide to assist businesses and individuals to “abide by the law, detect and prevent FCPA violations, and implement effective compliance programs.”

The Guide is 120 pages long and provides the history of the act, the anti-bribery provisions, accounting provisions, other related U.S. laws, guiding principles of enforcement, FCPA penalties, sanctions and remedies, resolutions, whistleblower provisions and protections, and DOJ opinion procedure. While the Guide goes a long way to clarify some of the ambiguity in the statute, critics have argued the Guide is too broad and does not provide a strict enough interpretation of the law. In June 2015, the DOJ and SEC revised the Guide to provide further clarity on the accounting provisions and criminal penalties, and to bring those chapters into conformity with the language of the statute.

Penalties

The FCPA has both civil and criminal penalties for companies and individuals. The DOJ uses the U.S. Federal Sentencing Guidelines for Organizational Defendants (Guidelines) in order to establish a consistent pattern of criminal penalty assessment. The Guidelines are used to analyze the penalties for all DOJ resolutions including guilty pleas, deferred prosecution agreements (DPAs), non-prosecution agreements (NPAs), and declinations.

The DOJ reviews the facts and the severity of a case in order to determine the “offense level.” The offense level can be reduced, depending on such factors as the degree of cooperation with authorities during the investigation, acceptance of responsibility, voluntary disclosure, and preexisting compliance programs, as well as the remediation that has occurred. Liability may extend to the parent company for the misconduct of its subsidiaries. Under the Guide, the DOJ assigns “points,” depending on the severity of the violation, and grants credits against those points to reduce the overall penalty. The well-publicized NPAs of Morgan Stanley (2012) and Ralph Lauren (2013) were earned in this way, through self-disclosure, extraordinary cooperation, and timely remediation.

Figure 3.1 summarizes the monetary penalties that may be imposed per violation and the possible imprisonment periods.

Figure 3.1. Penalties

Source: http://www.sec.gov/spotlight/fcpa/fcpa-resource-guide.pdf

Collateral Consequences

In addition to the criminal and civil penalties detailed above, individuals and companies may face collateral consequences. These include suspension or debarment from contracting with the federal government; cross-debarment from receiving loans from multilateral development banks; the suspension or revocation of export privileges; and/or the appointment of a compliance monitor, defined in the Guide as “an independent third party who assesses and monitors a company’s adherence to the compliance requirements of an agreement.”¹⁸

The goal of the monitor is to ensure the implementation of the enhanced compliance requirements placed on the company by the sentence, or by the DPA or NPA. The monitor’s aim is also to reduce the likelihood of a future violation. The Guide outlines the following factors the DOJ and SEC consider when determining whether to appoint a monitor: the seriousness of the offense; the duration of the misconduct; the pervasiveness of the misconduct (including whether the conduct cuts across geographic and/or product lines); the nature and size of the company; the quality of the company’s compliance program at the time of the misconduct; and subsequent remediation efforts.

Resolutions

Depending upon the facts of the case and how the investigation transpired, there are various considerations the DOJ or SEC may use when determining a final resolution. According to the Guide, when prosecutors assess the existence of federal interest, they weigh all relevant considerations, including:

• What is the nature and seriousness of the offense?
• What is the pervasiveness of wrongdoing within the corporation?
• What is the corporation’s history of similar misconduct, including prior criminal, civil, and regulatory enforcement actions against it?
• Was there timely and voluntary disclosure of the wrongdoing?
• Was there willingness to cooperate?
• Did the company have a preexisting compliance program?
• Did the corporation take any remedial actions, such as efforts to implement or improve upon an effective corporate compliance program?
• Did it replace the management responsible, discipline or terminate wrongdoers, pay restitution, and so on?
• Were there any collateral consequences such as disproportionate harm to shareholders?

---

Possible DOJ and SEC resolutions

DOJ

Plea Agreement. The defendant admits guilt to the charges presented and is generally convicted of the charges when the court accepts the plea agreement.

Deferred Prosecution Agreement (DPA). The DOJ files a charging document in the courts, but simultaneously defers the prosecution. Generally, the defendant will admit to the facts alleged, pay a fine, and undertake additional compliance measures associated with the resolution. In order to obtain a DPA or NPA, the company has to provide evidence of a well-constructed, efficient, well-implemented and enforced ethics program as well as evidence that the company self-policed prior to the discovery of the misconduct. DPAs are posted on the DOJ’s website.

Non-Prosecution Agreement (NPA). The DOJ does not formally file charges but retains the right to do so. NPAs differs from DPAs in that the former is not filed in court, but is similar in admission of relevant facts and ongoing compliance measures. NPAs are also posted on the DOJ’s website.

Declination. The DOJ declines to bring enforcement under the FCPA. The DOJ will not present nonpublic information on the company or individual.

SEC

Civil Injunction. The SEC seeks a court order to compel the defendant to obey the law in the future. Generally the civil injunction has two main goals: forcing compliance or compensating the injured party as a result of the violation.

Civil Administrative Actions. The SEC brings this type of action when it believes a law has been violated. It is litigated before an SEC administrative law judge. There are various sanctions that can occur as a result of this resolution such as censure, limitation on activities, suspension of up to 12 months, and/or bar from association with the Commission.

Deferred Prosecution Agreement (DPA). The SEC agrees to forgo enforcement action if the company or individual agrees to cooperate fully, waives the right to claim the litigation should be dismissed, complies with the prohibitions and other requirements, and lastly, admits to the charges presented.

Non-Prosecution Agreement (NPA). The SEC will not pursue enforcement action as long as the company or individual agrees to cooperate fully and comply with the terms of the agreement.

Declinations. Declinations and termination letters provide evidence of the SEC’s decision not to pursue enforcement action under the FCPA.

---

Enforcement Trends

Over the past decade, the number of FCPA matters brought by the DOJ and SEC has vastly outnumbered the handful of actions brought in the prior two decades. These statistics represent aggressive cross-border prosecution of individuals and corporate entities (Figures 3.2 and 3.3), and record penalties of more than $1.5 billion in 2014 (Figure 3.4).

Figure 3.2. FCPA Enforcement Actions Initiated by the U.S. Department of Justice (DOJ) and U.S. Securities and Exchange Commission (SEC)

Source: Gibson, Dunn & Crutcher, 2015 Mid-Year FCPA Update, July 6, 2015

Figure 3.3. FCPA Enforcement actions 2005–2014 (Total 336)

Source: Gibson, Dunn & Crutcher, 2014 Year-End FCPA Update, January 5, 2015

Figure 3.4. Corporate FCPA Top 10 List

Source: Gibson, Dunn & Crutcher, 2014 Year-End FCPA Update, January 5, 2015

Among the lessons learned, corporations with inadequate compliance programs were heavily penalized, whereas those with effective programs received NPAs and declinations. This disparity may be explained by the fact that aggressive enforcement by U.S. authorities, coupled with credit for good corporate citizenship, is shifting the burden from the government to corporations to prevent, detect, and respond to ABC risk.

Organizations have responded to this regulatory trend by enhancing their FCPA programs and controls. On the prevention side, companies with global operations have stepped up their FCPA policies, procedures, and training in the United States and abroad. With respect to detection, the whistleblower bounty program adopted by the SEC as part of its Dodd-Frank reforms has had a significant impact. As a result, on the response side, more companies are inclined either to self-report or to conduct an investigation as rigorous as it would have been had the company elected to self-report (for example, if a whistleblower comes forward and the company has to rationalize, explain, and document its decision not to self-report).

After 10 years of stepped-up enforcement by the DOJ and the SEC, there has been a clear shift from “reactive” FCPA investigations to “proactive” FCPA compliance, through enhanced policies and procedures, redesigned internal controls, pre- and postacquisition FCPA due diligence, more thorough scrutiny of third-party agents, and continuous monitoring and auditing of FCPA compliance. And, as anti-corruption enforcement has spread across the globe, countries are looking to the U.S. FCPA enforcement model for leading practices. To be sure, the U.S. paradigm has been replicated by other regulators, most notably the United Kingdom.

United Kingdom

Enacted in July 2011, 34 years after the FCPA, the U.K. Bribery Act is considered one of the strictest anti-bribery laws internationally.¹⁹ The act creates a modern, single piece of legislation criminalizing, for the first time, a corporation’s failure to prevent bribery in the United Kingdom or abroad by an “associated person,” which it broadly defines as a person who performs services for, or on behalf of, the corporation. This allows U.K. law enforcement to combat bribery whether committed in the United Kingdom or abroad.²⁰

The United Kingdom passed legislation in April 2013 authorizing the use of DPAs in bribery, fraud, and money laundering cases. Some of the factors the prosecutors may consider when deciding whether to enter into DPAs include the existence of a proactive corporate compliance program; the timing of self-reporting; the existence of an isolated incident; and the risk of collateral effects on the public. Organizations under DPAs are required to admit to certain facts publicly, specify the wrongdoing, and agree to comply with strict requirements such as the payment of financial penalties, implementation or enhancement of a compliance program, or disgorgement of profits in return for suspension of the criminal charges.

In June 2013, the City of London Police announced the creation of an international foreign bribery task force to enable countries with similar anti-bribery standards (including the United States, the United Kingdom, Canada, and Australia) to share knowledge, skills, and experience, and to support the OECD and UN anti-bribery conventions.

Key Provisions and “Adequate Procedures” Defense

The U.K. Bribery Act covers the offering, promising, or giving of a bribe (active bribery) and the requesting, agreeing to receive, or accepting of a bribe (passive bribery). The act also sets forth two commercial bribery offenses, including a provision regarding the bribery of foreign public officials in order to obtain or retain business or gain an advantage in the normal course of business. The legislation introduces a new strict liability offense²¹ pursuant to which companies and partnerships could be charged criminally if they fail to prevent bribery. An organization could be held criminally liable for bribery in connection with its business, by those working for it or performing services on its behalf (“associated persons”).

There is a statutory defense if the organization can demonstrate it had “adequate procedures” in place to prevent bribery. The determination of the level of adequate procedures will depend on the bribery risks the organization faces, as determined during the risk assessment stage, as well as the nature, size, and complexity of the business.

The act applies to U.K. citizens and residents, as well as commercial organizations and entities headquartered, organized, or operating all or part of a business in the United Kingdom, together with any “associated persons” defined as an employee, agent, or subsidiary. Consequences of violations include unlimited corporate fines, a maximum of 10 years’ imprisonment, and disqualification from public sector work in the EU and in the United States.

Enforcement to Date

In December 2014, the SFO secured its first conviction under the U.K. Bribery Act (and its predecessor, the Prevention Against Corruption Act) against two officers and two directors of Sustainable AgroEnergy PLC, Sustainable Wealth Investments UK Ltd, and associated companies in connection with sales of bio-fuel investment products in Southeast Asia.²² In 2015, the SFO entered into its first-ever DPA with Standard Bank PLC for “failure to prevent bribery” under Section 7 of the Act, pursuant to which a company may be prosecuted for failing to have “adequate procedures” to prevent active bribery by “associated persons.” Standard Bank also settled with the SEC. The SFO brought a second Section 7 case against Sweett Group plc for its failure to prevent its Dubai subsidiary from paying bribes to win a hotel construction contract.

Outside the United Kingdom, the SFO has been collaborating with law enforcement agencies in other countries. In late 2013, the SFO²³ and DOJ opened two formal criminal investigations for allegations of bribery and corruption at U.K. aircraft engine maker Rolls-Royce in Indonesia and China.²⁴ In 2014, the SFO has been working alongside Chinese authorities in the first Anglo-Chinese investigation of alleged corruption and bribery case at the drug maker GlaxoSmithKline.²⁵ The company was accused by Chinese authorities of funnelling up to 3 billion yuan (approximately $480 million) in bribes to encourage doctors to use its medicines. And in late 2015, UK authorities arrested five Nigerians for alleged bribery and money laundering. Examples of cross-border cooperation among anti-bribery agencies are likely to grow. “The global nature of financial markets provides enormous business opportunities, but also creates opportunity for economic crime. The criminal justice response can only be effective if it is able to respond on a global level, untrammeled by physical and jurisdictional barriers,” said Dominic Grieve, the U.K. attorney general in January 2014.²⁶

Future Trends

Although it is too soon to identify a pattern of enforcement in the United Kingdom, it is safe to assume that there will be greater enforcement activity as the United Kingdom gains experience in the field. While the number of enforcement actions has been low, given that the Bribery Act applies only to conduct that occurred after July 1, 2011, this number is rising as the SFO builds its capability and commitment to bring successful large-scale prosecutions of complex cases of economic crime. In response, companies will need to develop and implement an effective compliance program to mitigate legal, reputational, and financial risk.

Bribery Act Guidance

As in the United States, the United Kingdom provides guidance to help manage compliance. The act sets forth six principles²⁷ that are intended to assist organizations in determining what anti-bribery procedures, if any, need to be implemented. The principles include:

• Proportionality. The actions the organization takes are proportionate to its size and assessed risk.
• Top-Level Commitment. The leaders of the organization demonstrate a commitment to countering bribery and to set an example for transparency and integrity, establishing a culture where bribery is never acceptable. The leadership also assigns responsibility and authority for implementing the anti-bribery program.
• Risk Assessment. Conduct regular and comprehensive risk assessment to determine the nature and extent of risks relating to bribery.
• Due Diligence. Ask the right questions and perform background checks before doing business with third parties, agents, contractors, or suppliers.
• Communication and Training. Communicate policies and procedures, and provide training to all employees and high-risk third parties including agents, intermediaries, contractors, and suppliers.
• Monitoring and Review. Internal controls are subject to regular internal review and audit, with periodic reporting to the audit committee, the board of directors, or an equivalent body. Obtain external assurance or verification of the organization’s anti-bribery program.

Brazil

Brazil has long been viewed as having a significant problem with corruption and bribery. In 2015, Brazil was ranked seventy-sixth out of 175 countries on Transparency International’s Corruption Perception Index.²⁸ In recent years, there have been some efforts to address this issue. In 2005, Brazil became a party to the UN Convention against Corruption. Then, following widespread public protests against corruption, lawmakers passed the Clean Companies Act²⁹ (the Brazilian Act), which became effective as of January 2014. The passage of the Act was timely. Two months later, the Brazilian authorities learned of a kickback schemein which senior executives in Petrobras, the government-controlled oil company, colluded with a cartel of enterprises to overcharge it for construction and service work. As of August 2015, the Brazilian authorities had issued 117 indictments, arrested five politicians, and brought criminal cases against 13 companies in its ongoing investigation, dubbed “Operation Lava Jato” (car wash). Petrobras officials estimate that the amount of bribes totaled $3 billion.³⁰

Scope and Key Provisions

The Brazilian Act establishes strict civil and administrative liability for companies found guilty of foreign or domestic bribery. Previously, there was no specific law that enabled Brazilian authorities to prosecute corporations for corrupt acts committed by their employees or agents, as the law only imposed liability on the individuals who committed the acts. The Brazilian Act covers areas broader than just corruption. The Brazilian Act includes provisions that deal with bribery, fraud in public procurement, bid rigging, and fraud in contracts signed with public bodies, impairing public officers’ investigative activities, and influencing or financing others to engage in illegal acts against the government.

The law defines bribery as “promoting, offering or giving, directly or indirectly, an improper benefit to a public agent or a third person related to him (or her).” Specifically, the Brazilian Act prohibits the following “wrongful acts”:

• Promising, offering, or giving an undue advantage, directly or indirectly, to a public official, or a third person related to the official
• Financing, sponsoring, or in any way subsidizing the performance of a wrongful act under the law
• Using another person or entity as an intermediary in order to conceal the company’s real interests or the identity of the beneficiaries of the illegal act
• Obstructing or interfering with the investigations, audits, and the general work of public agencies, entities, or officials

Furthermore, the Brazilian Act contains provisions that specifically address government tenders and contracts. The Brazilian Act prohibits defrauding the competitive nature of a public tender process; preventing, hindering, or defrauding the performance of any act of a public tender process; creating a fraudulent entity to secure a government contract; and illegally benefiting from modifications or extensions of government contracts.

The Brazilian Act applies to all Brazilian companies and entities operating in Brazil, which essentially means that any company with offices, branches, or agents in Brazil could be held liable under the Brazilian Act for corruption against public authorities in Brazil or abroad. Additionally, the Brazilian Act imposes successor liability in the event of mergers and acquisitions. As in the United Kingdom, sanctions imposed are not dependent on proof of criminal liability on the part of officers, directors, employees, or agents of the company. Of special note is that prosecutors are not required to establish intent on behalf of the parties involved.

Penalties

The Brazilian Act imposes severe penalties for violations that include administrative and judicial sanctions. Violations could result in fines of up to 20 percent of the company’s total gross revenue for the prior year or a maximum of 60 million reais (approximately $27 million). Additionally, the law allows government authorities to suspend the company’s operations, seize its assets, force dissolution, or prevent the company from being able to compete for government contracts. The law also gives the government the authority to ban a company from receiving any form of public lending for up to five years.

Enforcement Trends

According to Transparency International,³¹ prior to the act, Brazil had pursued only one case and two investigations of bribery in the 12 years since ratifying the OECD convention. Since the act became effective in 2014, there have been some notable developments. Soon after its enactment, there was an indictment by the Brazilian regulatory authorities against Brazilian aircraft manufacturer Embraer in connection with alleged bribes to secure a $92 million military procurement contract in the Dominican Republic. The indictment was based upon information provided in a parallel proceeding by the DOJ and SEC. More recently, Brazilian officials opened corruption investigations into Petrobras (discussed above) and Eletrobras, the state-owned electric utility company.

Compliance Credit

Similar to the U.S. and U.K. anti-bribery laws, the Brazilian Act provides less stringent treatment for companies that have an adequate anti-bribery compliance program and for companies that self-report misconduct. The Brazilian Act generally outlines compliance efforts that would enable companies to negotiate reduced penalties or be eligible for a leniency agreement. Those efforts include the existence of an effective internal compliance program, audit capabilities, reporting policies and mechanisms, and the existence and effectiveness of internal codes of ethics and conduct. Article 7 of the Brazilian Act states that “the existence of internal mechanisms, procedures of integrity . . . as well as the effective enforcement of codes of ethics will be taken into account when applying sanctions.” Other factors listed are the seriousness of the offenses, the company’s level of cooperation, and the degree of damages.

Additionally, the Brazilian Act permits local enforcement authorities to sign leniency agreements under certain conditions, such as under circumstances where companies self-report, end the alleged misconduct, and fully cooperate with the investigation. Companies who fulfill the above may be able to negotiate an agreement in which their penalties are reduced by up to two-thirds of the total potential fines (except forfeiture or restitution), and protection against the withholding of benefits as well as the confidentiality of some parts of the agreement.

Brazilian companies and foreign companies operating in Brazil that have yet to take any measures to prevent bribery and corruption should promptly consider implementing such measures. Foreign companies operating in Brazil should examine their existing policies and procedures to assure that they are in compliance with Brazilian law. Anti-corruption mechanisms, such as a code of conduct, internal controls, and compliance training, should be examined and enhanced where necessary to assure that all directors, employees, and agents are aware of the new requirements.

China

Most U.S. companies operating internationally have established systems to comply with the requirements of the FCPA. Additionally, many companies have established systems to comply with the anti-bribery laws of their host countries, such as the U.K. Bribery Act. Fewer companies have developed compliance systems designed specifically to ensure compliance with the anti-corruption laws in China, where the government, as part of its “Five-Year Anti-Corruption Plan” announced by President Xi Jinping, has been emphasizing the importance of combatting bribery since the 18th National Congress in November 2012.³² The Chinese government has stepped enforcement as a result. According to China’s Supreme People’s Procuratorate (SPP), prosecutors in 2014 probed 3,664 cases of graft, bribery, and embezzlement of public funds involving more than 1 million yuan (approximately $164,000). In addition, 7,827 bribers were prosecuted for criminal offenses in 2014, 38 percent more than the previous year.³³

2015 was a landmark year for China with respect to its focus on eradicating bribery. On May 1, 2015, the PRC enacted a new law, the Ninth Criminal Law Amendment of the PRC (effective November 1, 2015) criminalizing bribery of non-PRC government officials, officials of public international institutions, and close relatives of such officials. It also provides for monetary penalties against individual defendants. Conspicuously absent are any exceptions or affirmative defenses, as in the United States and the U.K. The new PRC legislation, coupled with an uptick in whistleblower reports and aggressive enforcement action marks a new anti-corruption regime in China.

The new criminal law supplements two existing statutes that pertain to corruption and bribery:

• The Criminal Law of the People’s Republic of China, effective 1979 (Criminal Law)³⁴
• The Anti-Unfair Competition Law (AUCL) of the People’s Republic of China, effective 1993³⁵

There are additional anti-corruption related regulations, interpretations, and other supplements to these statutes, including the Provisional Measures on the Prohibition of Commercial Bribery issued by the State Administration for Industry and Commerce. Additionally, China has been a party to the UN Convention against Corruption since 2006.

While the AUCL mainly focuses on commercial bribery, the Criminal Law covers both official bribery and commercial bribery, depending on the identity of the recipient of a bribe.

Official Bribery

Under the Criminal Law, official bribery is an offer to bribe a “state functionary.” The law defines a “state functionary” to include (1) a person who performs public services in a state-owned company or enterprise, institution, or organization; (2) a person who is assigned by a state or a state-owned company, enterprise, or institution to a company, enterprise, or institution that is not owned by the state to perform public services; and (3) any other person who performs public services. Official bribery is considered a criminal offense and is covered under the following articles:

• Acceptance of a bribe by a public official (Article 385)
• Acceptance of a bribe by a public entity, including state-owned enterprises and other public entities (Article 387)
• Active bribery of a public official by an individual (Article 389)
• Active bribery of an entity by an individual or an entity (Article 391)
• Active bribery of a public official by an entity (Article 393)
• Serving as an intermediary in the commission of an illegal bribe (Article 392)

In August 2015, China’s National People’s Congress adopted amendments to the Criminal Law that added the crime of providing bribes to state functionaries’ close relatives. They also added further monetary penalties and raise the bar for bribe-givers to be exempted from punishment.³⁶

In general, state functionaries are not allowed to receive bribes, small or large. However, Bribery Prosecution Standards issued by the Supreme People’s Procuratorate in 2000³⁷ stated that cases will be prosecuted only if the amount at stake exceeds 100,000 yuan. In cases where the amount is less than 100,000 yuan, the individual giving the bribe is likely to be prosecuted for the following reasons: if the bribe was to seek an illegal interest or given to a communist party official or government leader; if more than three individuals were bribed at the same time; and/or if the bribe negatively affected social or national interests.

Commercial Bribery

Under the Criminal Law, commercial bribery refers to unfair anticompetition acts committed by private individuals or companies. The AUCL definition for a commercial bribe is broader than the Criminal Law, and Article 8 of the AUCL defines commercial bribery as an offer of property or use of “other means” to purchase or sell products or services in a manner that excludes fair competition. The term “property” is defined as cash, assets, or kickbacks, and the term “other means” is referred to as travel or entertainment. Since the definition of commercial bribery under the AUCL is very broad, the act of giving gifts or other benefits in a commercial setting could be considered commercial bribery. Commercial bribery could result in either a criminal or a noncriminal offense, depending on the value of the bribe.

In civil actions, Chinese authorities have jurisdiction to investigate in cases where:

• The contract was entered into or executed in China
• The property under dispute is located in China
• The defendant has an office in China

In criminal actions, Chinese authorities have jurisdiction to investigate the following crimes:

• The crime is committed in China, or on Chinese ships or aircrafts
• The result of the criminal act occurs in China
• The act is committed by Chinese citizens outside China
• The act is committed by foreigners against China or its citizens outside China
• The act is committed under international treaties, where China is obligated to exercise its jurisdiction

Penalties

The official bribery offenses under the Chinese Criminal Law could trigger severe criminal liability and could result in criminal detention, life imprisonment, and confiscation of property. The penalties for commercial bribery include up to 10 years’ imprisonment and criminal fines. Management personnel could be held liable if found directly responsible for the matter. Chinese companies and companies operating in China should consider existing policies and procedures in place when dealing with representatives of state-owned enterprises.

Under the AUCL, penalties are less severe than under the Criminal Law and the violations do not amount to a criminal offense. Potential penalties include up to 200,000 yuan and up to 10 years’ imprisonment. Additionally, competitors are allowed to bring a civil claim for damages if they believe they were negatively affected by the commercial bribery.

Whistleblower Legislation

China has established a 24-hour corruption hotline with various Chinese authorities such as the Public Security Bureau, the Bureau of Administration for Industry and Commerce, and various court and prosecution departments.³⁸ The goal of the hotline is for the government to receive reports of corrupt practices of government officials who receive bribes. Unlike the incentives that exist for whistleblowers in the United States, in China, the financial incentives are limited, depending on the province, and are capped at 200,000 yuan.

Defenses and Mitigation Measures

Currently, there are only two defenses for noncriminal commercial bribery in China:

1. Discounts or commissions are permitted if they are properly accounted for in the company’s books and records
2. Promotional goods of small value are permitted, if they are a common practice in the particular industry

There are no specific provisions in the current Chinese anti-bribery regulation stating that the implementation of anti-bribery measures such as a compliance program would provide a defense against prosecution by the Chinese government. Nevertheless, in 2009, Chinese authorities initiated a new anti-corruption campaign targeting public officials, state-owned enterprises, and domestic and international companies operating in China. As part of the campaign, all businesses were expected to have taken measures such as establishing or modifying their code of conduct, policies and procedures, and training programs. Businesses that failed to do so are viewed unfavorably by local authorities from both a legal and political standpoint.

Although not specified in the law, companies may present their anti-bribery prevention methods as evidence that the acts under investigation were in fact contrary to the company’s policies and procedures and could potentially prevent the company from being prosecuted.

Enforcement Trends

In the past year, there has been a significant shift in regulatory enforcement activity in China. Before, enforcement activity was directed primarily at domestic organizations and individuals. But recently, multinational corporations and non-Chinese nationals have found themselves targets of Chinese investigations and enforcement actions in connection with China’s well-publicized anti-corruption campaign.³⁹ The local authorities in charge of enforcing the majority of the anti-bribery regulation in China are the police and the People’s Courts. However, given the fact that the fight against corruption has a political dimension, other agencies also have begun to play significant roles in the enforcement of anti-corruption laws.

The current climate of enforcement has shown that Chinese authorities are now taking a more active role in the fight against bribery. This has included increased cooperation with neighboring countries, the United States and United Kingdom. According to China’s Ministry of Justice,⁴⁰ China has signed more than 50 mutual legal assistance agreements for criminal matters and more than 35 bilateral extradition treaties in the past few years. In September 2014, the provincial court in Hunan ruled that the Chinese subsidiary of pharmaceutical company GlaxoSmithKline (GSK) had offered money or property to nongovernment personnel in order to obtain improper commercial gains, and was found guilty of bribing nongovernment personnel.⁴¹ The company was fined 3 billion yuan (approximately $480 million) following investigations by China’s Ministry of Public Security.

In 2013, Chinese authorities investigated several other China-based multinational pharmaceutical companies. China’s National Health and Family Planning Commission issued the Regulations on Establishment of Commercial Bribery Records for the Purchase and Sale of Medicines that blacklist healthcare companies engaging in commercial bribery.⁴² The rule took effect in March 2014 and poses significant commercial and reputational risks for companies operating in the healthcare sector in China.

Compliance Program Controls

Given all the different compliance requirements and regimes, how can organizations effectively prevent ABC risk? By all accounts, the most effective weapon is a strong compliance program. As articulated by the DOJ and SEC in the Guide, there is no “one-size-fits-all” compliance program.⁴³ Each compliance program should be tailored to the companies’ specific needs. According to the Guide, when the DOJ and SEC evaluate the effectiveness of a compliance program they rely on three questions:

• Is the company’s compliance program well designed?
• Is it being applied in good faith?
• Does it work?

To answer these questions, the Guide published 10 “Hallmarks of an Effective Compliance Program”⁴⁴ to help companies identify the necessary measures:

• Commitment from senior management against corruption and a clearly articulated policy
• Code of conduct and compliance policies and procedures
• Oversight, autonomy, and resources
• Risk assessments
• Training and continuing advice
• Incentives and disciplinary measures
• Third-party due diligence and payments
• Confidential reporting and internal investigation
• Periodic testing and review for continuous improvement
• Mergers and acquisitions: preacquisition due diligence and postacquisition integration

The Guide is similar to the Internal Control—Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission⁴⁵ (known as the COSO Framework) and lists three main components of an effective compliance program: prevention, detection and response. When these components are implemented correctly and work in tandem, they assist in mitigating the risk of corruption. In Chapter 2, a comprehensive framework for compliance was presented. Figure 3.5 highlights the key attributes of an effective ABC compliance structure focused on the three components of prevention, detection, and response that need to be part of the larger, more comprehensive compliance framework discussed earlier.

Figure 3.5. Anti-Bribery and Corruption Compliance Framework

Within the compliance program, all components and subcomponents are interrelated. The aggregate is referred to as anti-bribery “programs and controls.” To ascertain whether an ABC compliance program is effective, it is necessary to establish, as with all compliance programs, that it is well-designed, implemented, and operating effectively. In other words, it must be well designed, it must be applied in good faith, and it must work.

Preventative Controls

An organization’s board of directors and the audit or compliance committee are ultimately responsible for providing oversight of antifraud programs and controls regarding FCPA/ABC laws and regulations. The day-to-day responsibility for these controls, however, resides with management, typically the chief compliance officer, who is also expected to ensure that an appropriate tone at the top and culture of compliance exists and is supported with appropriate resources based upon the company’s size, complexity, geographical scope, and business risk. According to the Guide, the DOJ and SEC will specifically consider the company’s staffing and resources relative to the size, structure, and risk profile of the business.⁴⁶

For companies with global operations, governance should be evaluated at the country level or, at a minimum, at the regional level. To this end, many companies have established a compliance function in each region, with direct reporting responsibility and accountability to headquarters.

Risk Assessment. To develop an effective compliance program to detect, prevent, and respond to ABC risk, an organization must understand the types of risks it faces. All organizations face a variety of corruption risks. However, particular focus needs to be placed on the risks that third parties present. The 2014 OECD Foreign Bribery report noted that 75 percent of the cases in 2014 involved improper payments to third parties.

In conducting a risk assessment, the most critical risk factor is the extent to which the organization interacts with foreign government officials. Additional risk factors to be considered include country risk, industry risk, corporate structure, compliance maturity, and track record. An ABC risk assessment may be performed as part of an entity-wide risk assessment or it can be performed separately. An effective ABC risk assessment will consider the entity level, the business cycle, all business units or operational divisions, including international operations, and all significant accounts or classes of transactions. Additionally, ABC risk assessments should be performed annually or as circumstances warrant. Changes in operations, implementation of new technology, corporate restructurings, mergers or acquisitions, or the allegation or instance of fraud or misconduct may warrant a new corruption risk assessment.

As with any such assessment, it is critical to assess both the likelihood that a risk might occur and the significance of its occurrence. In assessing the risk of corruption, it is critical to understand the touch points with foreign governments and the reliance on third parties such as agents, brokers, vendors, attorneys, or consultants. Among other things, the Guide specifically cautions that risk assessments focusing on entertainment and gifts rather than large government bids, questionable payments to consultants, or excessive discounts to resellers and distributors “may indicate that a company’s compliance program is ineffective.”⁴⁷

The risk assessment process is critical to the development of policies, procedures, and internal controls. The Guide specifically requires compliance programs to address issues identified during the risk assessment process. Further, as an organization’s risk increases, the Guide prescribes increased compliance procedures, including due diligence and periodic audits based on country and industry sector, prospective business partners, level of government interaction, and exposure to customs and immigration officials, to name a few.

Policies and Procedures. An effective system of internal controls is a cornerstone of an organization’s ABC compliance program. In April 2014, Kara Brockmeyer, the chief of the SEC Enforcement Division’s FCPA Unit, emphasized the importance of internal controls when she said that “companies have a fundamental obligation to ensure that their internal controls are both reasonably designed and appropriately implemented across their entire business operations.”⁴⁸ However, even the most well-designed policies and procedures will fail to prevent misconduct if they are not implemented or operating effectively. Accordingly, it is critical to assess whether the policies, procedures, and associated internal controls are working.

The COSO framework provides guidance on establishing reasonable assurance that internal controls are operating effectively. The framework defines internal control as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

In practice, an organization’s internal controls will include ABC-related policies, procedures, and other control activities to address relevant ABC risks. ABC-related policies are statements by management or the board to guide compliance with applicable laws and regulations. Policies are effectuated through procedures. Control activities are actions established by policies and procedures and undertaken by an organization’s personnel to mitigate risks of noncompliance. ABC-related policies, procedures, and control activities commonly include all processes that relate to interactions with government officials or “government touch points.”

Examples of typical ABC-related processes include controls governing payments for gifts and entertainment, licensing and permits, fines and penalties, trade and customs as well as the selection of, due diligence on, and payments to third-party intermediaries (TPIs) and business partners. As risky processes become more circumscribed, personnel predisposed to obtaining unfair advantage by paying bribes and making other corrupt payments are incentivized to devise ways to work around more loosely controlled processes to achieve their ends. For this and other reasons, internal control systems must constantly evolve through periodic iterations of risk assessment, gap analysis, control redesign, implementation, and monitoring to maintain their effectiveness.

According to global guidance issued by the Institute of Internal Auditors (IIA), the organization’s ABC standards should be clearly defined and should include protocols for third-party dealings, payment processing, expense reporting, and training. The IIA also advocates the use of the internal audit function to test whether policies and procedures are appropriately documented, approved by management, compliant with applicable laws and regulations, and implemented effectively.⁴⁹

With respect to implementation, it is essential for ABC standards of conduct to be rolled out to all company employees, third-party agents, and intermediaries where applicable, and to include mechanisms to grant waivers, document approvals, retain records, and respond to inquiries. Operating effectiveness requires periodic review by the board and executive management to address changes in the legal or operating environment. Finally, ABC policies and procedures should be updated periodically and translated into local languages for all geographic locations. They should also be provided to new employees and any third-party agents and intermediaries at the time of issuance, upon hire, and upon contract execution and/or renewal.

Contracts with TPIs should include clauses requiring compliance with ABC laws and specifically prohibiting third parties from making any illegal payments to government officials as part of their business relationship. Contracts should also include language requiring compliance with all local laws and company policy, prior approval of subagents, a right to audit clause, and a termination clause for failure to abide by the terms of the contract.

Due Diligence. In addition to general policies and procedures, many companies will risk-score all third parties and conduct FCPA-specific enhanced due diligence on those with the highest risk score; these often include agents and TPIs. Typically this is achieved via questionnaires completed by the third parties during the onboarding process and may be supplemented with background checks. It is important to note that third-party due diligence processes may vary dramatically from country to country due to privacy and data protection laws. As such, it is important to consult with local laws before undertaking due diligence in new jurisdictions. In the context of mergers and acquisitions, preacquisition due diligence alone will not suffice. U.S. regulators will also expect postacquisition integration of the acquired entity including, but not limited to, translation of, and training on, ABC policies and procedures, as well as implementation of ABC compliance controls at the acquired entity.

The Guide issued by the DOJ and SEC provides information on enhanced monitoring of TPI relationships. It recommends that “companies should undertake some form of ongoing monitoring of third-party relationships. Where appropriate, this may include updating due diligence periodically, exercising audit rights, providing periodic training, and requesting annual compliance certifications by the third party.” This level of suggested oversight increases corporate responsibility to ensure TPI relationships are operating in a compliant manner. As such, setting up a formal program to enforce audit rights and to assess and monitor the activities of TPIs is pivotal to demonstrating that a compliance program is adequate. A robust TPI assessment program should include:

• Precontract negotiations
• Pre- and postacquisition due diligence
• Continuous TPI reporting
• FCPA/ABC compliance audits

Communication and Training. Good communications and training are essential components of any compliance program, including ABC compliance. The SEC and DOJ expect that policies and procedures will be communicated throughout the organization and include training and certification to all officers, directors, employees, and as appropriate, agents and business partners. As a practical matter, training should be conducted in local business units in native language, with real-life scenarios and case studies. Training should also include information on resources available to seek advice or report potential improper payments.⁵⁰

In evaluating the design, implementation, and operating effectiveness of ABC communication and training, it is important to verify that a formal communication plan exists and includes communications by senior managers setting the correct tone, as well as ABC standards of conduct that apply to employees, third-party agents, and intermediaries. In addition, channels should be available to employees and outside parties to seek advice or report suspected misconduct.

Training should be based on the organization’s risk assessment process, and it should be periodically reassessed in response to changes in assessed FCPA/ABC risk. The IIA recommends general ABC training for all employees and customized training by function or job responsibility to address specific ABC risks. Attendance at training events should be tracked where permitted under local law, and noncompliance with training requirements should be sanctioned and reflected in performance evaluations. Finally, per the Guide, a company should establish mechanisms to provide guidance on complying with the company’s ethics and compliance program.

Detective Controls

The best-designed ABC compliance programs, even if implemented and operating effectively, will not eliminate ABC risk. The question then becomes, how can organizations most effectively detect potential violations? The two most common methods for detecting potential corruption issues are reporting channels and ongoing auditing and monitoring.

Hotlines and Whistleblower Mechanisms. Reporting channels include hotlines and whistleblower mechanisms for employees or third parties to seek guidance and report concerns or violations of ABC laws, regulations, or organizational standards. Local law may govern protocols for reporting potential misconduct and should be carefully considered in each jurisdiction where the company does business. Germany and France, for example, have very strict laws that govern the reporting of potential misconduct.

Where hotlines exist, it is important that they be manned by qualified operators, trained in identifying potential issues relating to ABC policies and able to provide real-time guidance on those policies. Training should also be provided for appropriate company personnel to identify and classify ABC concerns that may trigger financial reporting risk, as well as protocols to escalate ABC allegations to the audit committee. Finally, reporting channels should be prominently publicized, and include communications with not only employees, but also external and third-party entities such as agents, vendors, and consultants. Implementation audits should be performed to ensure that these reporting channels are operational.

Auditing and Monitoring. Auditing and monitoring in the ABC context are the responsibility of internal audit and management, respectively. According to the International Professional Practices Framework Practice Guide published by the IIA, the role of internal audit is to establish auditing and monitoring activities to provide management and the board adequate and timely information, and to test ABC controls to ensure that those controls are operating effectively. This retrospective testing is distinct from the real-time monitoring responsibilities expected of management. However, both activities are expected to be conducted in accordance with the company’s risk assessment, with attention to any specific concerns identified in the risk-assessment process.

Data Analytics. The use of data analytics is important for ongoing auditing and monitoring activities, including monitoring transactions with third parties for indications of potentially problematic payments. Many companies have developed a suite of ABC tests that assess all transactions against known characteristics of bribery to develop a risk score for each transaction. The advantages are twofold. While individual tests can highlight specific instances of bribery on a continuous or near-real-time basis, the risk scores form the foundation of the sample methodology for periodic audits and controls testing. The development of these tests is often closely linked to the risk assessment performed in earlier stages, and the tests may vary from country to country, depending on the particular risk factor.

A well-functioning data analytics component often includes dynamic dashboards and interactive visualizations to permit individualized access to the underlying data sets. Additionally, incorporating text analysis capabilities to evaluate payment description fields against a library of suspicious terms and phrases is particularly helpful in identifying novel bribery schemes. By proactively analyzing the vast quantities of transactional and other data, a company can not only detect possible bribery in near real time, but also demonstrate a good-faith effort to implement an effective compliance program.

To illustrate, technology can help to demonstrate an effective compliance program by providing ongoing monitoring of three key process-specific antifraud controls: authorization controls, segregation of duties, and automated exception reporting. By way of example, one significant authorization control pertaining to FCPA/ABC compliance relates to facilitation payments. Specifically, approval of facilitation payments should be made in accordance with management’s general or specific ABC policies and procedures. For instance, facilitation payments should be reviewed by a senior manager, as well as individuals in the compliance and/or legal function, to ensure that the proposed disbursement does not constitute an improper payment.

By leveraging technology, it is possible to monitor authorizations, or to reject reimbursement requests that lack such authorizations. Similar programs may be used to monitor “preapproval” of gifts, hospitality, and entertainment expenses of sales and marketing personnel and any other individuals that interact with foreign officials. Other examples include the review and approval of political and charitable contributions, payments to third parties, and payments to offshore accounts for services performed locally, payments inconsistent with vendor authorization or contract terms, and payments processed without proper segregation of duties.

Responsive Controls

A review of DOJ prosecutions and SEC enforcement proceedings over the past decade reveals a willingness to exercise leniency toward companies with effective response protocols. Response protocols include internal investigations, remediation, accountability, and disclosure protocols. In recent years, there has been a tendency to conduct internal investigations and remedial measures simultaneously. Those companies that have done so effectively, in accordance with the Guide, have been recognized for their efforts. With that background, how can organizations effectively respond to ABC risk?

Internal Investigations. Once an organization has knowledge of a potential ABC violation, it must conduct a comprehensive, objective, and professional internal investigation. The purpose of the investigation is to gather facts leading to a credible assessment of suspected violations. If ABC policies, guidelines, or procedures have been violated, an effective investigation will help the organization to ascertain the reason for the violation and design appropriate remedial measures. Whenever there are investigations conducted in connection with DOJ and SEC proceedings, it is often necessary to retain independent external counsel.

Enforcement, Disclosure, and Remediation. The reality today is that investigations and remediation are often conducted simultaneously. Disclosure may occur at the same time or subsequent to the conclusion of the investigation or regulatory matter. Those companies that determine to self-report a potential ABC violation to the government tend to make a public disclosure at the same time.

Enforcement and accountability protocols, which are as important as investigation and remediation protocols, are designed to enforce disciplinary actions within the organization and to hold both management and employees accountable for their actions and the actions of their subordinates. Disclosure protocols govern the extent to which communications are made inside and outside the company. In most cases, management’s voluntary and public disclosure of misconduct can preempt negative publicity, demonstrate good faith, and help an organization avoid or mitigate the consequences of a government enforcement action when ABC violations occur.

Conclusion

The compliance framework outlined in the preceding pages is largely U.S.-centric, given the prominence of U.S. regulation in the ABC enforcement arena. The compliance paradigm reflects a predominantly principles-based approach to ABC prevention, detection, and response that arguably has universal application. Certainly the ABC compliance requirements in the United States and the United Kingdom have much in common, while ABC compliance in the BRICs is in its infancy.

Yet all jurisdictions provide some form of credit for establishing an ABC compliance program. In the United Kingdom, an adequate compliance program is recognized as a defense to an allegation of ABC noncompliance. Although it is not a defense in the United States, Brazil, and China, an adequate compliance program may reduce penalties for ABC noncompliance.

The conclusion is that, as a general rule, it is possible to adopt a principles-based approach to the design, implementation, and operating effectiveness of ABC compliance programs on a global basis. The adoption of different standards in different jurisdictions is generally unnecessary except where there are anomalies in the law, in the compliance culture, or in the economy that require a deviation from the general rule (Figure 3.6) and implementation of rule-based controls. As companies expand their ABC compliance regimes around the world, these common principles will promote consistency and transparency.

Figure 3.6. Comparison of Country Anti-Bribery and Corruption Laws

________________

Einar B. Gitterman was a major contributor to the content of this chapter. Ms. Gitterman is a senior associate in KPMG’s Forensic practice in Washington, DC. Additional contributions were made by Brian J. McCann, Karen A. Lynch, Nicholas D’Ambrosio and Jonathan Meyer. Mr. McCann is a managing director based in Philadelphia specializing in Investigations. Ms. Lynch, based in Philadelphia, and Mr. D’Ambrosio, based in Houston, are both directors specializing in Investigations. Mr. Meyer, based in Chicago, specializes in Forensic Technology.