Source:Deloitte Development LLC

Executives at U.S.-based companies have known for years that doing business in a foreign country runs the risk of violating key provisions of the Foreign Corrupt Practices Act (FCPA). The enforcement drumbeat has only grown louder, and for executives the need for vigilance in safeguarding their companies’ overseas operations well as relations with third parties has perhaps never been greater.

The federal statute, first enacted in 1977 and since amended, makes it a crime for certain persons or companies to make payments to foreign officials in order to obtain or retain business. Using tactics similar to sting operations for federal drug busts and crackdowns, the U.S. Department of Justice (DOJ) is enforcing the FCPA more vigorously and making proactive compliance a critical consideration for large multinationals as well as up-and-comers with global ambitions.

Meanwhile, the scope of enforcement may broaden. The DOJ has made it known that it intends to align with many of the guidelines and principles embodied in the U.K. Bribery Act of 2010. That law expands the definition of corruption to encompass not only corruption of government officials, but also commercial corruption—corrupt activities between private entities or non-governmental entities. Under the U.K. Bribery Act, companies doing any form of business in the U.K. are subject to its provisions. Thus, any U.S. company with operations in the U.K. that might have engaged in commercial- or government-related corrupt activities—anywhere in the world, including the U.S.—could be prosecuted in the U.K.

“Tighter anti-corruption statutes and enforcement practices combined with evolving business strategies make it crucial for executives to launch, monitor and in some cases update anti-corruption initiatives,” says Joe Zier, partner in the Forensic and Dispute Services practice at Deloitte Financial Advisory Services LLP. “In addition to protecting against reputational risks, other incentives for doing so include increasing penalties and compliance costs and heightened exposure through third-party arrangements and practices.”

Increasing Penalties and Compliance Costs

Penalties for corruption-based transgressions are increasing. The methods of calculating penalties are moving toward multiples based on disgorgement of profits gained from the underlying corrupt activities. For example, if an employee offers a $1 million bribe to get a $20 million contract with a 50% margin, the government might demand the company disgorge the $10 million profit on the contract and pay up to three times that amount in fines. This has resulted in penalties in excess of a billion dollars in significant matters. As a compelling source of funds for governments, such penalties may lead to more frequent and aggressive enforcement actions.

In addition to higher penalties, the costs of investigating and defending FCPA allegations are rising. It is not uncommon for investigation costs on even small matters to range from $1 million to $10 million and in large matters to exceed $50 million. As required, companies may have to establish reserves to address penalties, as well as disclose the existence of investigations in periodic Securities and Exchange Commission filings. Both are problematic and may result in derivative problems, such as premature disclosure to the DOJ and third parties, shareholder civil actions or increased fines.

Third Parties—Blindness Is Not an Excuse

In many markets, both emerging and established, companies often use third parties to help establish operations, deal with local regulators for licenses and permits or function as a sales channel. Such dealings mean that an increasing amount of corruption-related risk is now tied to third-party sales channels or other related activities. Under the law, however, if a third-party agent does something corrupt, it may adversely impact the principal company.

As shown by some recent settlements, regulators can act against the principal company even if the latter does not have direct involvement in the corrupt activity but benefits from that activity. This is based on the premise that third parties rarely act without someone’s—generally a local on-the-ground salesperson’s—knowledge. And in this age of texting and e-mail traffic, it is very likely that some evidence will be uncovered that a company employee or manager knew or suspected that a particular contract was won through corrupt activity, such as the payment of bribes. Little wonder that regulators are using “willful blindness” and “should reasonably have known or expected” legal arguments as part of their prosecutions.

In addition, there is increasing awareness around countries, cultures or business activities that might have a higher degree of corruption-related risk, making it more difficult for companies to allege that they reasonably had no knowledge. A case in point is successor liability for FCPA risk arising from merger and acquisition activity. These activities typically deserve a higher degree of targeted due diligence on third parties and service providers being inherited to help mitigate the risk of the company subsequently being charged with something that it was not involved with or did not know about.

Many companies balance their risk appetite with the costs of compliance on a regular basis. However, in setting up or updating anti-corruption initiatives, executives should consider a specific set of actions and tools to form the basis of their risk management approach to complying with the FCPA.

Internal Controls and Employee Training May Not Be Enough

Companies should not rely only on typical internal processes and controls to detect and prevent corrupt activity, since when people try to undertake illegal activities, such as paying bribes, they usually try to hide that activity. They may use false documents, “slice and dice” transactions or use third parties to keep “slush” funds. Internal controls, however, are based upon the fundamental premise of the underlying integrity of documentation and an effective approval process throughout. If this assumption proves to be inaccurate, the inappropriate activities may not be detected by normal internal controls. When executives sign 302 certifications, they should consider whether they are relying on appropriate and effective internal controls to prevent and detect corrupt activities or are they waiting for the problem to manifest itself, suspecting that it is likely there? The latter is a reactionary approach that appears to be unfortunately too common.

Similarly, anti-corruption training programs, while useful in informing employees about personal and organizational consequences of corruption, are not enough to prevent it. Not only does anti-corruption training have to be “sticky” for the general employee population, but it has to reach that small group that might circumvent company policies. Executives should consider more effective monitoring and “business reality” based approvals of transactions and third parties on a regular basis.

Surveillance and Third-Party Knowledge Are Important

Beyond internal process controls, additional monitoring may be necessary. Greater automated surveillance of e-mails, data and transactions increases the likelihood of identifying problems that can be investigated more thoroughly or prevented at an early stage. Visible, focused surveillance and investigative programs can also signal a company’s commitment to its anti-corruption efforts.

Assessing Third-Party Risk Is Crucial

It is important to conduct effective and appropriate risk assessments and due diligence on third parties acting on behalf of the company. As most large companies deal with hundreds and thousands of third parties around the world, it can be difficult to perform a uniform level of due diligence or select the appropriate parties to address on a sample basis. Differentiated risk-based assessment levels and solutions based on local contexts and cultures can help finance, internal audit and compliance staffs undertake more targeted reviews of those third-party risks. Management, however, will need to decide how to allocate scarce employee and investment compliance resources.

For multinationals, it is likely that some form of corrupt activity on behalf of the company is already occurring. Moreover, the probability of regulators finding out about that activity before the company is increasing, especially given the number of vehicles regulators use to uncover these activities, such as whistleblowers or direct research. When an executive discovers a corruption-related problem, he or she should work with their General Counsel to determine the appropriate or required response. This may call for board involvement, early voluntary disclosure to regulators, regulatory filing disclosure and external audit investigations, even though substance may not yet have been established.

If an issue is disclosed and settled, however, regulators increasingly prefer to appoint a monitor to oversee a company’s remedial compliance activities. A monitor, generally an external attorney, checks whether the company has appropriate and effective anti-corruption processes and controls throughout its organization. While the monitor reports to the government, the company bears the costs, which can easily total millions of dollars a year. No company enjoys having a monitor and the government looking over its shoulder. It is far more cost effective to implement proactive risk mitigation and remediation processes and implement anti-corruption focused surveillance and compliance processes to prevent the need for monitoring in the first place.

Continuing changes in law enforcement practices and increased regulation around global compliance make it imperative for executives to ensure compliance with the FCPA and similar anti-corruption laws. Proactive attention and investment in effective methods to prevent corrupt activity are not only prudent, but can be cost effective.