Tag: Compliance into the Weeds

Categories
Blog

Congress Fills a Corruption Hole: The Foreign Extortion Prevention Act (FEPA)

The compliance community has long recognized the gaping hole in the Foreign Corrupt Practices Act (FCPA). As a supply side law, it criminalizes the payment of bribes, not the demand to pay a bribe or extortion. The gap was recently filled by the Foreign Extortion Prevention Act (FEPA) which extended crucial protections to Americans working abroad and provides the Department of Justice (DOJ) with a potent new tool. By criminalizing both the giving and demanding of foreign bribes, FEPA seeks to level the playing field for American workers while fostering ethical business practices globally. FEPA represents a promising solution to protect Americans working overseas, promote fair business competition, and combat corruption on a global scale. With its potential to bring about meaningful change, FEPA is a vital step in safeguarding American values and interests in the international arena. Sam Rubenfeld, cited to Scott Greytak, the director of advocacy for Transparency International US, for the following, “FEPA is a landmark, bipartisan law that holds the potential to help root out foreign corruption at its source. It is arguably the most sweeping and consequential foreign bribery law in nearly half a century.”

This legislation fills a significant gap in anti-corruption measures and raises important questions about its implications for the enforcement of the Foreign Corrupt Practices Act (FCPA) and the cooperation expected from companies involved in bribery schemes. FEPA, part of the National Defense Authorization Act (NDAA), addresses a long-standing concern among anti-corruption advocates. While the FCPA has been effective in penalizing US companies for offering bribes to foreign officials, there has been a lack of legal mechanisms to hold foreign government officials accountable for accepting these bribes. FEPA now provides prosecutors with the means to pursue such officials.

One of the key aspects of FEPA is that it criminalizes the solicitation or acceptance of bribes by foreign government officials from US entities. This complements the FCPA, which focuses on the offering of bribes by US companies. By targeting both sides of the bribery equation, FEPA aims to create a more comprehensive and effective framework for combating corruption.

However, the implementation of FEPA is not without its challenges. One of the main challenges is the extradition of foreign officials for prosecution, particularly from countries like Russia or China. Extradition processes can be complex and time-consuming, and cooperation from foreign governments may not always be forthcoming. This poses a significant hurdle in holding foreign officials accountable under FEPA.

Another notable feature of FEPA is the introduction of a “name and shame” list. This list is intended to publicly identify, and shame foreign government officials involved in bribery schemes. While this may serve as a deterrent, it could also have unintended consequences. For instance, it may impact Transparency International’s corruption perception indexes, potentially affecting the rankings of countries and their relations with the US. Additionally, it could have implications for US companies operating in those countries, potentially straining foreign relations.

The passage of FEPA raises important considerations for compliance officers and companies. They need to assess how this new law may impact their existing controls and policies. The arrival of FEPA as a tool to combat corruption is undoubtedly a positive development. However, it is crucial to carefully evaluate the potential implications for FCPA prosecutions and the cooperation expected from companies involved in bribery cases.

Compliance officers should also consider the potential changes in the calculus for prosecutors. With FEPA in place, prosecutors may now have the legal means to pursue foreign government officials complicit in bribery schemes. This raises questions about the extent to which companies will be required to assist the DOJ in pursuing FEPA cases alongside FCPA cases. Companies may need to provide testimony and cooperate in the prosecution of foreign officials, potentially impacting the resolution of FCPA violations.

Looking ahead, it is essential for the DOJ to provide clarity on how FEPA will be utilized and what expectations companies should have when caught up in FEPA-related investigations. Transparency and guidance from the Department of Justice will help companies navigate the potential challenges and ensure compliance with the law.

The bottom line is that FEPA represents a significant step in the fight against corruption. By criminalizing the solicitation or acceptance of bribes by foreign government officials from US entities, FEPA fills a crucial gap in anti-corruption measures. However, challenges remain in extraditing foreign officials for prosecution and managing the potential consequences of the “name and shame” list. Compliance officers and companies must carefully consider the implications of FEPA on their operations and update their controls and policies accordingly. With proper guidance and cooperation, FEPA can be a powerful tool in combating corruption and promoting ethical business practices.

Penalties under FEPA include (from Transparency International)

  1. Expanding Legal Protections: FEPA amendment U.S. bribery law (18 U.S.C. § 201) to make it illegal for foreign officials to corruptly demand, seek, receive, or accept bribes under two crucial circumstances:
  • From U.S. individuals or companies.
  • From any person while within the United States, in connection with obtaining or retaining business.
  1. Stringent Penalties: Those found guilty of violating FEPA could face severe consequences, including:
  • Criminal fines of up to $250,000 or three times the value of the bribe, whichever is greater.
  • Prison sentences of up to 15 years.
  1. Transparency and Accountability: FEPA introduces a vital accountability mechanism by requiring the DOJ to publish an annual report. It will include the following:
  • It examines the scale and nature of foreign bribe demands against American companies, shedding light on the extent of the issue.
  • It evaluates the effectiveness of U.S. diplomatic efforts aimed at safeguarding American businesses from foreign bribe demands.
  • It assesses the efforts of foreign governments to prosecute individuals involved in corrupt practices against American interests.

Matt Kelly and I take a deep dive into FEPA on this week’s Compliance into the Weeds. To listen, click here.

Categories
Blog

The Importance of Tailored Policies for Compliance and Risk Management

In compliance and risk management, one size does not fit all. Generic policies and procedures may seem convenient but can lead to compliance risks and potential harm. This is why the Securities and Exchange Commission (SEC) stresses the need for well-designed, tailored policies and procedures in areas such as anti-money laundering (AML) and cybersecurity.

In a recent “Compliance into the Weeds episode,” Tom Fox and Matt Kelly highlighted the importance of tailored policies for compliance, and risk management was discussed in detail. They discussed the case of Deutsche Bank, where the SEC imposed sanctions due to faulty policies. The bank had taken generic policies not specific to their mutual fund obligations and declared them their AML program. This cut-and-paste approach led to compliance risks and inconsistencies that caught the attention of regulators.

The case also serves as a reminder of the potential consequences of misleading marketing practices without proper procedures. The SEC sanctioned DWS $25 million for failures around ESG disclosures and a poor AML program. In both instances, faulty policies and procedures were identified as the root cause of the compliance failures.

The key takeaway from this case is that companies should conduct risk assessments and gap analyses to identify their specific needs and design appropriate policies. A good risk assessment is the foundation for crafting effective policies and procedures. It helps organizations understand their risks, evaluate their controls, and determine the necessary steps to mitigate them.

The impact on employees when designing policies and procedures should be considered. Simply copying and pasting language from regulations without considering the organization’s unique structure, technology, and transactions can lead to confusion and compliance risks. Employees need clear guidance on their duties and responsibilities; generic policies do not provide that clarity.

Compliance officers should create policies and procedures tailored to their organization’s needs and risks to avoid compliance risks and potential harm. Considering the organization’s specific circumstances, resources, and capabilities requires a thoughtful approach. It also requires regular risk assessments, gap analyses, and monitoring of policy effectiveness.

How to do so? The 2020 FCPA Resource Guide, 2nd edition, provided guidance. It stated, “When assessing a compliance program, DOJ and SEC will review whether the company Guiding Principles of Enforcement has taken steps to ensure that the Code of Conduct remains current and effective and whether a company has periodically reviewed and updated its Code.” [emphasis supplied] Some of the questions you should consider are:

  • When was the last time your policies and procedures were released or revised?
  • Have there been changes to your company’s internal controls since the last revision?
  • Have there been changes to relevant laws relating to a topic covered in your company’s policies and procedures?
  • Are any of the policies and procedures outdated?
  • What is the budget to create/revise your policies and procedures?

After considering these issues, you should benchmark your current policies and procedures against other companies in your industry. If you decide to move forward, I suggest a process that can be fully documented to include revisions to your compliance policies and procedures.

Get buy-in from the senior leadership of your company. Your company’s highest level must mandate revising compliance policies and procedures. The CEO, GC, CCO, or all three should demand this effort. Whoever gives the order should be consulted at every step of the revision process of the policies and procedures if it involves a change in the direction of key policies.

Establish a core policies and procedures revision committee. It would be best if you had a cross-functional working group that would be ideal to advance your effort to revise your compliance policies and procedures. This group should include representatives from the following departments: legal, compliance, communications, and HR; there should also be other functions that represent the company’s domestic and international business units. Finally, there should be functions within the company described, such as finance and accounting, IT, marketing, and sales.

From this large group, the topics can be assigned for initial drafting to functions based on their relevance or necessity. These functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. You must establish a timetable for the revision process and hold representatives accountable for meeting their revisions.

Conduct a thorough technology assessment. The cornerstone of the revision process is how your company captures, collaborates, and preserves all the comments, notes, edits, and decisions during the entire project. In addition to using technology to revise your compliance policies and procedures, you should determine if they will be available in hard copy, online, or both. There must be a distribution plan, mainly if the Code and compliance policies and procedures are only available in hard copy.

Determine translations and localizations. The 2020 FCPA Resource Guide clarified that your compliance policies and procedures must be translated into the local language for your non-English speaking workforce. The key is that your employees have the same understanding of the compliance policies and procedures regardless of the language.

Develop a plan to communicate the revised policies and procedures. A rollout is always critical because the revised policies and procedures must be communicated to encourage employees to review and use the policies and procedures on an ongoing basis. Your company should use the whole armor of available tools to publicize the revised compliance policies and procedures. This can include a multi-media approach or handing out a copy to all employees at a designated time. You might consider having a company-wide compliance policies and procedures meeting where the new or revised documents are rolled out across the company all in one day. But remember, with all things compliance, the three most important aspects are “Document, Document, and Document.” However, when you deliver the new or revised policies and procedures, you must document that each employee received them.

Stay on target and budget. It would be best if you worked to set realistic expectations to stay on deadline and within your budget. This is equally applicable to your policies and procedures revision. Also, remember to keep a close watch on your budget so you do not exceed it.

These points are a valuable guide to not only thinking through how to determine if your policies and procedures need updating but also practical steps on how to tackle the problem. You should begin the process now if it has been more than five years since the last updates. It is far better to review and update if appropriate than wait for a massive FCPA investigation to go through the process.

There are tradeoffs involved in balancing different factors when designing policies and procedures. Compliance officers need to consider the organization’s staffing, technology, review processes, and the need for human intervention in automated systems. Insufficient resources and inconsistent procedures can lead to compliance gaps and backlogs, increasing the organization’s exposure to compliance risks.

In conclusion, the importance of tailored policies for compliance and risk management cannot be overstated. Generic policies may seem like a quick fix, but they can lead to significant compliance risks and harm. Compliance officers should conduct risk assessments, identify specific needs, and design policies and procedures that address those needs. Employee understanding and guidance are crucial, and policies should be regularly assessed, monitored, and updated as necessary. By taking a tailored approach to compliance and risk management, organizations can minimize their exposure to compliance risks and protect themselves from potential harm.