Kara Brockmeyer, the SEC’s Chief of the Foreign Corrupt Practice Act Unit, spoke during the recent “SEC Speaks” conference held in Washington, D.C., Feb. 21 and 22. Based on her remarks, practitioners can, we submit, arrive at some useful conclusions about the Government’s current views as to what companies need to do to comply with the Foreign Corrupt Practice Act and, by implication, what companies and their lawyers are currently failing to do. Smart companies and their lawyers can choose to benefit from these new and higher FCPA expectations by the government, or they can ignore the warning signs and eventually pay the price.
The SEC’s Brockmeyer began by stating that companies need to customize their FCPA compliance programs and policies to their own specific and particular circumstances. We believe that this is a direct response to the regrettable and continuing practice by many companies to simply adopt “cookie cutter” FCPA compliance policies and programs found in any number of sources (e.g., the internet, copied from competitors). To be effective both in helping a company avoid FCPA violations and in appropriately impressing the SEC and the DOJ should they ever come around asking FCPA compliance questions, a company must make sure that its policy is one which is specifically designed to address its own particular business structure and practices, its industry, and its geographic areas of operation. When it comes to FCPA compliance policies and practices, one size simply does not fit all.
The SEC’s FCPA Chief also made it clear that the SEC is strongly encouraging, if not insisting, that companies use the hypotheticals found in the November 2012 FCPA Guidance Publication from the Department of Justice in their internal FCPA compliance training. What this suggests is that the SEC and DOJ are essentially providing to companies a particular “test” that they expect the companies to use to train their personnel. The unavoidable implication of this is that any companies in the future having FCPA problems will, when confronted by the SEC and the DOJ, receive low marks, and harsher treatment, if they are unable to show that they incorporated the FCPA November 2012 Guidance hypotheticals into their compliance training. It seems that the SEC and the DOJ are attempting to, more and more, guide and direct the type of FCPA compliance training in which companies engage. Any lawyer representing any company for whom the FCPA is relevant will be doing a disservice to their client if they fail to recognize these signals as they advise their clients in designing their FCPA training programs.
Ms. Brockmeyer also made a point of noting that companies need to exercise sufficient “thought and analysis” in designing their FCPA internal controls. This suggests that companies will not only have to tailor their FCPA compliance policies to their particular circumstances, but that in designing internal controls; including but not limited to auditing practices to keep track of company money and procedures to allow employees to raise internal concerns or questions regarding the FCPA (“whistleblowers”); companies must be in a position to show that the particular procedures adopted were the result of not simply copying practices of some other company, possibly in some other industry, but are, in fact, policies designed to reflect the particular realities of that company and its activities. Again, a reasonable conclusion to draw from this very deliberate and public statement by the SEC is that the government views many of the past practices of some companies and their counsel in simply putting together more or less “boilerplate” internal FCPA controls as insufficient. All companies and their attorneys are now on notice that such efforts will no longer provide protection from the most serious consequences of an FCPA violation.
Finally, Ms. Brockmeyer observed that companies engaged in activities falling under the FCPA must take the seemingly obvious, yet surprisingly often ignored, step of having all of their FCPA compliance materials properly translated into all relevant languages for all of their employees, agents, partners, etc. wherever located. It will not be enough to create compliance programs that only many, or even most, of a company’s FCPA relevant personnel and connections can understand in their first language. It would also seem risky, after this statement to rely upon representations that FCPA relevant employees, agents and partners, etc. have some English language capability or will otherwise find a way to understand the policies and compliance procedures. The SEC’s recent statements make clear that the SEC and the DOJ have found such claims to be insufficient to show real, sincere commitment to FCPA compliance. Going forward, failure to establish sufficient translation of FCPA policies and procedures will create significant problems in dealing with the SEC or the DOJ in the event of an alleged FCPA violation.
These recent statements by the SEC through its representative serve to put all companies and individuals whose activities bring them under the purview of the FCPA on notice that the government is expecting more from companies than they are currently seeing. Off-the-shelf types of FCPA policies, internal controls, auditing procedures and training will no longer achieve for companies the more lenient treatment by the government in cases of an FCPA violation they once did. Put simply, the SEC and the DOJ are making it known that they will in the future require FCPA covered companies to “step up their game” with more thoughtful, customized FCPA compliance policies and procedures.
While this heightened level of scrutiny can be seen as placing additional burdens on FCPA affected companies, it is suggested that companies and attorneys should, instead, see this shift by the government as an opportunity to create FCPA compliance policies and procedures which better address the companies’ unique situations, and thereby better avoid the most likely FCPA violations each particular company is prone to. If approached in this way, the heightened SEC and DOJ requirements can be the impetus for creating compliance structures for companies that in the long run will better protect them from FCPA violations in the first place, while also providing significantly more protection from the worst consequences of any FCPA violations that may nonetheless occur.