Hedge fund Och-Ziff has pleaded guilty and agreed to pay US$412 million to the U.S. Securities and Exchange Commission (SEC) and Department of Justice (DOJ) to settle foreign bribery charges,
Vanity Fair reports. According to the SEC, the firm paid around US$200 million in bribes to politicians, officials, and judges to obtain mining rights in Africa between 2007 and 2011.
The Wall Street Journal found an example in the Democratic Republic of Congo where Och-Ziff partnered with Israeli billionaire Dan Gertler, who allegedly sent bags of money to high-ranking government officials. A week later, mining firm Africo sold its mining interests in that country to a Gertler-controlled company.
This story provides a good opportunity to revisit what management and internal auditors should be aware of to help their organizations stay compliant with the U.S. Foreign Corrupt Practices Act (FCPA). Here are six relevant suggestions:
1. Deterrence can work — investigation, prosecution, and punishment under the FCPA is becoming more common.
This story outlines a significant case and large penalties. Ten years ago, FCPA prosecutions were rare, but since 2008, the U.S. government has had about 150 FCPA investigations in progress at any one time and has brought about 40 cases each year. In 2014 alone, 10 corporations were indicted, sentenced, or convicted, with assessed penalties of more than US$1.25 billion. About half of the cases have been against companies and half against individual company managers and employees. The DOJ has stated that individuals will not believe the FCPA has any teeth until they see business people going to jail, and increasingly this is what is happening.
2. Perform a corruption risk assessment to understand the organization's risk of being involved in international bribery.
Companies must assess the risk of FCPA violations in their international business. The FCPA's definition of "government official" is extremely broad and includes even low-level employees of government-owned companies. Auditors need to understand in which countries their organization is placed under high-risk circumstances.
Transparency International publishes an annual Corruption Perceptions Index for most countries in the world. Internal auditors also need to understand all the ways in which the business has contact with government customers or employees. If a company doesn't understand its specific risk, the company may fail to spend its compliance resources cost-effectively. For most companies, 80 percent of FCPA risk will come from less than 20 percent of their business. Some questions to consider are:
- What kind of business does the company do outside the U.S.?
- Does it conduct foreign business through its own employees; agents, distributors and intermediaries; joint ventures; or all of the above?
- Does the company need to get permits or qualify products for sale in foreign countries?
- Does the company ship through freight forwarders and use customs agents?
- Does the organization know all the third parties it uses in business outside the U.S., and has it conducted due diligence on them? Sales agents, lobbyists, and joint ventures are at the top of the risk list, along with distributors or resellers who receive variable pricing or discounts. It is important to understand who the company's intermediaries are, how many it has, why it is using them, and who in the company has authority to enter into a contract with them. These third parties create liability, accounting for 90 percent of FCPA cases brought by the U.S. government.
- Does the company deal with universities, use professors in an advisory capacity, or deal with doctors or hospitals? In many countries, education and health care are government-run and all employees, including doctors and professors, are government officials who fall under the FCPA.
- Is the company involved in litigation? In some countries, lawyers routinely bribe court officials and judges.
3. Establish a stand-alone international anti-corruption compliance program and policy.
A few paragraphs about international corruption buried in the company's general standards of business conduct are not sufficient. A member of the company's senior management team must be designated as responsible for FCPA compliance. And, in light of this story, it probably should be someone other than the president or general counsel. There also needs to be specific language placed into employment and performance contracts for
all employees regarding compliance with the organization's anti-corruption compliance program. The company's board needs to reinforce the value of FCPA compliance to the management team, and the CEO, chief financial officer, and other responsible executives must do the same with employees about the company's commitment to FCPA compliance.
Clear FCPA terms should also be included in every international contract, and should specifically mention the importance of FCPA compliance and require the company's partners to represent that they know the elements of the law and will comply with it. The company should have a clearly worded audit clause that requires the partner to provide documents and assistance in an investigation. Finally, the company must have the ability to terminate the contract if its partner violates the FCPA.
4. Train the company's board, management, employees, and third parties who distribute its products.
These individuals may or may not have had experience with "on the ground" international business, but those who have international experience will probably be out of date with FCPA compliance. Familiarize them with the actual corruption risks in the company's industry, the countries where it does business, and the business model the company is using. Employees should be able to recognize the red flags of corruption that are most likely in the business and know what to do when they see them.
Many U.S. companies do not train the third parties who facilitate their international distribution, even though these third parties represent their highest FCPA risk. Small companies may think they are safer if they use third parties that also represent major U.S. and multinational companies. They assume those companies have done appropriate vetting and provided training, but that may not be true. Major U.S. and multinational companies often have weak FCPA compliance programs and do not vet or train their third parties.
5. Establish internal controls over company expenditures and assets.
The FCPA has no threshold of materiality. Companies have been prosecuted for very small bribes, inaccurate books and records, and failure to set up systems of controls, which arguably have no monetary value. A company can comply with generally accepted accounting principles and still fail to detect bribery or false or inaccurate records. The employees who are involved in corruption, kickbacks, and creating false transactions are likely to be quite smart. Finance department employees may be involved in corrupt schemes, as well — they know how the company makes and keeps records and how it audits, so they know how to keep the books looking clean and hide evidence of corruption.
Making sure the company is keeping books and records that accurately document all transactions can help prevent and detect corrupt payments. If the company has good control over its books and records, it should be much easier to accurately control and account for gifts, meals, entertainment, and travel for government officials.
6. Plan for the likelihood that a high-quality, international internal investigation will have to be conducted.
In an FCPA investigation, a company is looking for evidence of criminal behavior and serious fraud among its employees and business associates. In many cases, internal audit may find the company's own employees working in concert with third parties and government officials. Perhaps its employees are personally receiving kickbacks. If auditors are lucky, they will "only" find private corruption — payments between commercial companies with no government officials involved. Private corruption still costs companies, and they have to deal with the FCPA issue of intentionally falsified corporate records made by employees to cover up the private corruption.
It is likely internal auditors will not be comfortable trusting anyone in the company's local country management, and auditors will not want to let local management know they have suspicions before auditors actually start their investigation. Even if they are not involved, local managers may not appreciate the danger to the parent company. They may try to conduct their own amateur investigation, or simply call a meeting of their managers and ask them what happened. In either case, they will alert the perpetrators and evidence will be destroyed, documents fabricated, or stories aligned so that an actual professional investigation will be much longer, more difficult, and expensive.