by Matt Morley
In the wake of continuing press reports about the role of bribery in international commerce, many corporate directors and senior executives are asking for a fresh look at their company’s exposure to the risks of violating the U.S. Foreign Corrupt Practices Act (“FCPA”), the U.K. Bribery Act, and similar laws around the world. Those risks can be mitigated, if not eliminated, by the implementation of policies, procedures and internal controls designed to assure compliance with anti-bribery requirements. Such compliance measures may be of value both in reducing the likelihood that company personnel will violate the law and in dealing with any government investigation of a potential violation – because prosecution may be avoided or the consequences of any violation greatly reduced where a strong compliance program is in place.
Government authorities in the U.S. and the U.K. have repeatedly called for “effective” compliance measures to be implemented and for “adequate” procedures to be put into place, but many companies find themselves frustrated by what they see as a lack of clear, practical guidance as to precisely what is expected of them in this regard. Thus a key question is: what must companies do to meet the expectations of law enforcement authorities?
A report issued in March 2012 by the U.K.’s Financial Services Authority (“FSA”) provides what may be the most comprehensive explanation to date as to what regulators expect from companies in this regard. Although the FSA’s authority is limited to oversight of firms doing investment business in the U.K., its report, Anti-bribery and Corruption Systems and Controls in Investment Banks, reflects the same kind of approach that can be expected from both U.K. and U.S. law enforcement authorities.
Notably, the FSA, which issued the report following a review of anti-bribery compliance at 15 firms (including eight major global investment banks), expressed its view that, as a general matter, these companies had been “too slow and reactive” in addressing anti-bribery compliance issues. Thus the report goes to some length in elaborating what the regulators were looking to see in the course of their review.
Reducing the 55-page report to its essential elements, we have identified eight key questions that should guide the thinking of corporate directors and senior managers in evaluating their company’s anticorruption compliance measures.
- Corporate governance: How does the board of directors oversee anticorruption compliance?
- Risk assessment: What assessment has the company made of its current corruption risks?
- Due diligence: What due diligence does the company conduct with regard to agents, representatives and others who can act on its behalf?
- Internal controls: How does the company assure itself that payments are made for appropriate purposes?
- Training and education: How do corporate personnel know what is required of them?
- Disciplinary action: Are there appropriate consequences for failing to abide by the anticorruption policies and procedures?
- Whistleblowing: Do employees know what to do if they learn or suspect that there has been a violation of anticorruption policies or procedures?
- Monitoring and auditing: How does the company evaluate the adequacy and effectiveness of its anticorruption policies and procedures?
1. Corporate governance
According to the FSA report, a fundamental prerequisite to the success of any anticorruption regime is an effective corporate governance framework for addressing the company’s bribery and corruption risks. The FSA report suggests that companies designate a senior corporate officer with responsibility for the company’s anticorruption efforts and that this officer have direct access to the board of directors.
The FSA report stresses that, in order to enable senior management and the board to exercise appropriate supervision of those efforts, they should receive an ongoing flow of relevant information that will enable them to ask the kinds of questions that are directed towards assuring strong compliance efforts. That information should convey a proper understanding of:
- The specific bribery and corruption risks faced by the business;
- The corporate systems and controls in place to mitigate those risks; and
- Information about:
  - the effectiveness of those systems and controls;
  - relevant legal and regulatory developments; and
  - the company’s use of third party representatives (who for most companies are the single greatest source of corruption risks).
U.K. authorities are not alone in this focus on the role of corporate governance in corporate risk mitigation and compliance efforts. For example, the director of the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations, which examines regulated entities such as broker-dealers, investment advisers, and investment companies, recently indicated that the Office intends to have direct discussions with corporate directors and senior managers in order to assess the extent to which risk management and legal compliance are integrated into the firm’s operations.
2. Risk assessment
What assessment has the company made of its current corruption risks?
The purpose of anticorruption policies and procedures is ultimately to mitigate the risk that the company or those acting on its behalf will make an improper payment. Nearly half of the firms examined for the FSA report had not yet made an adequate assessment of their exposure to bribery and corruption risks. The FSA report points out that a key step in that regard is to identify and assess the specific corruption risks faced by the company. The report suggests that a company would want to show that it had considered questions such as:
- What company personnel may be exposed to situations where a corrupt payment might be demanded or suggested?
- If someone were going to make an improper payment, how might they generate the funds to do so?
- How might a corrupt payment be conveyed to the recipient?
The FSA report emphasizes the value of information from both outside experts and sources inside the company. Generic external guidance alone may fail to take into account important aspects of the company’s specific circumstances, while internal business personnel may be tempted to downplay the level of bribery and corruption risks to which they are exposed. Using both sources of information can help provide a more balanced assessment.
The FSA report also notes that, given the fundamental importance of the risk assessment, it should be updated periodically. Companies examined by the FSA not only conducted annual or semi-annual reviews, but also planned to re-examine their programs in light of certain “trigger events,” such as significant legal or regulatory developments, the introduction of new products or new lines of business, or the expansion into new territories or markets.