This past week, I was on a webinar with Mark Mendelsohn (the replay can be found here: http://bit.ly/gTAeKB ). One of the things we spoke about was what companies need to do now to comply. I was a little more sanguine than Mark was; I thought that we should wait and see whether the UK actually enforces the Act before people spend a lot of money.
Mark made an excellent point right then. Can a company have “adequate procedures” if their compliance program doesn’t include anything about preventing private-sector bribery?
It’s a fair point. Let me think out loud for a minute about it. My first thought is that no one ever got very far disagreeing with Mark Mendelsohn about the FCPA or the UK Bribery Act. It might be a question of life not being fair, and companies just have to adjust to something that may turn out to be a theoretical risk. The difficulty is that it’s going to be a significant change.
Let me be Devil’s Advocate here for a moment. Can a company have adequate procedures without measures to prevent or detect private-sector bribery? Let’s play it out. A company has issues with a third party in Bribe-istan regarding a public-sector contract. The UK government comes in. Are they going to be looking at the private-sector pieces of your program? Now, if you have an issue with private-sector bribery, that’ll be problematic. The company, its officers and directors, and employees involved will all be in trouble. The difficulty here is that while I don’t believe the UK government will be looking for private-sector bribery cases, it’s often the fact that cases come to the regulator. This will become more true once the whistleblowing provsions of Dodd-Frank come into effect. So maybe not so theoretical at that.
Let’s pause for a second and talk about the cost. The cost of changing your program to include private-sector bribery. First, your training costs go up. It’s currently the case that programs spend time identifying who their public-sector-related employees are, and train them to a higher level. That effort involves cost as well. So those costs will go away, but training your entire sales force will cost you also. More. It’s time, and money. And just because the UK government passes an Act doesn’t make your company any more willing to donate time and money to compliance. One useful thing about the prescriptive rules the US puts into place is that you can go to your business and say “Reg C says we have to do x, y, or z.” This principle-based paradigm is harder to sell. Convincing your business to let you take every single sales and marketing employee out of commission for two or more hours is going to be tough. It’s ridiculous that it’s tough, but that’s reality. There’s also a monitoring aspect to it. Here’s a truth that you need to internalize: if you have a rule, you must—absolutely must—monitor compliance and punish recalcitrant employees. This is why I’m a fan of fewer rules, more stringently enforced. If you don’t, you have what regulators call a “paper program.” Disaster, if you’re ever challenged.
But training costs aren’t the biggest problem you have. The biggest problem is your third-party due diligence program. Unless you’ve spent considerable money on your DD program, you will likely have just a few employees involved, at minimal cost. That’s gone. Most programs were predicated on doing diligence on a small number of third parties. Almost all programs lack scalability. What might work for a 100 third parties won’t work for 1,000. Most compliance programs are working on shoestring budgets as it is. If you have to adjust to massively increased volumes, that Excel spreadsheet you have just won’t cut it.
You’re going to have to retool, not just readjust.
So you’re left with, on the one hand, a somewhat theoretical risk of having to justify your lack of a private-sector bribery program. One quick digression: I’d hate to make the argument to the UK authorities that the reason you don’t have a private-sector bribery piece to your program is that your program is geared to FCPA compliance. Somehow, I don’t think the SFO will be too receptive to that. Anyway, it’s that cost, versus the certain cost of completely restructuring your due diligence and training programs.
I hate to disagree with Mark, but I’m going to. I think you still don’t do anything too drastic to your FCPA compliance program (except enhance it…you know it needs it). Wait and see what the UK does. I said on the webinar that it would be bold of the UK if their first case was a private-sector case. That would certainly change the playing field, and give the UK enforcement regime a much needed boost.
Anyway, just something to think about.
I sometimes give this disclaimer, which I think might be needed here: I’m a lawyer, but I’m not your lawyer. This post is not legal advice, and you should not take it as directed at you. If you do, frankly, you need your head examined. This is a blog. If you want legal advice, there are quite a few lawyers who’d just love to help you. I’m offering informed commentary, not legal advice.
Just a couple of extra points.
There will be two compliance drivers. The SFO is only half of one of them. The other half of enforcement will be the FSA. The FSA has the luxury of not needing to prove any bribery at all and as in the case of AON can bring enforcement action for failure to have procedures in place to prevent bribery commercial or governmental. So for an FSA regulated firm there is another stick beating them toward full compliance.
The other compliance driver will be commercial pressure resulting from the increased awareness of the Bribery Act. This is already generating requests for reps, warranties, information and details of compliance policies. Failure to deliver the goods can mean no deal in extreme cases, or indemnities etc. in say M&A transactions. Of course if the purchaser or other party turn up a problem in diligence that will be even more problematic in light of the reporting obligations under the UK money laundering laws.
Worth bearing in mind when considering what to do when building or augmenting a compliance program.
Howard,
A good discussion of private sector bribery, an issue too many ignore.
From my experience, private “commercial” corruption is fairly widespread. In many industries kickbacks to and from suppliers, distributors ad service providers are common. Your company’s employees may also be getting or giving payoffs to divide markets and customers with your competitors – combining commercial corruption and competition law violations. In some countries, Russia for example, commercial bribes seem to be natural and expected. When you are conducting investigations, your company may discover it has managers and sales people who are making more money from kickbacks than they make in salary. In most cases your employees will be intentionally falsifying the records of transactions to conceal or mischaracterize these payments, or to create slush funds, giving rise to real FCPA liability.
It should not be difficult or expensive to tune an existing, adequate FCPA government corruption compliance program so that it can also address your major commercial corruption risks. Your company may have already prohibited commercial kickbacks in some other part of its programs. The additional training to alert your managers and employees of commercial corruption issues and describe the major Red Flags they may see will not cost much or take much additional time. It is very important to recognize the risk and tune your audit program to look for evidence – at least you can make commercial corruption more difficult.
I got weary of having to explain the rules for determining who was a government official to managers in China, and changed the program to treat employees of public and private entities the same in China. It put the training focus on the real issue – don’t pay bribes.
As you point out, one of the biggest problems is so few US companies have existing, adequate FCPA compliance programs. Programs that do exist are usually underfunded so there is no budget for any changes or additions.
Commercial corruption involves your company’s corrupt employees defrauding your company and engaging in self-dealing. Those same employees are likely to be predisposed to also be involved in government corruption. It is in your company’s interest to have good compliance processes so that those employees are not hired in the first place. If they are already employed, your compliance processes should make it difficult for them to engage in private or public corruption, and make it likely their activities will be detected. You can create an environment that makes it difficult for them to prosper.
A company should modify its FCPA compliance program to cover private corruption to protect the company. It does not need to be motivated by the UK Bribery Act.