
FCPA – The Role of The Board and More!

Some Statistics

The table and graph below detail the number of FCPA enforcement actions initiated by DOJ and the SEC, the statute’s dual enforcers, during each of the past ten years.

Aggressive Internal Controls Enforcement

It has been hiding in plain sight all along. The FCPA requires “reporting companies to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that, among other things, transactions are executed following management’s general or specific authorizations, and access to assets is permitted only in accordance with management’s general or specific authorization.” But what if the violation of this requirement occurs in a non-foreign (i.e., U.S.) and non-bribery situation?

2020 brought two disparate SEC enforcement actions tied to internal control violations, making it clear that the SEC will be looking very closely at internal controls going into 2021 and beyond. In the Andeavor enforcement action, Andeavor and Marathon held months of confidential discussions in 2017 about Marathon potentially acquiring Andeavor, which were broken off. Then in late January 2018, the talks resumed. Two days before the resumption, Andeavor initiated a stock buyback, subject to a company policy prohibiting repurchases while Andeavor had material non-public information. Andeavor failed to maintain internal accounting controls that provided reasonable assurance that the buyback complied with Andeavor’s policy. This was deemed to violate the internal control requirement.

The second matter involved Sequential Brands Group, Inc. In this enforcement action, the company failed to impair its goodwill as required by accounting principles and the federal securities laws. This was deemed an internal control violation. After several months of declining stock prices followed by a precipitous drop in early November 2016, the company failed to assess its goodwill for potential impairment properly. While any objective analysis of impairment was ignored, the company proceeded to perform “a qualitative analysis that omitted any mention of its internal calculations, as well as numerous other negative developments in the company’s business, leading it to unreasonably conclude that goodwill was not impaired.” Sequential allegedly continued to account for goodwill in the next three quarters improperly before belatedly impairing all of its goodwill—totaling $304 million—in the fourth quarter of 2017.

Both of these cases demonstrate that operational internal controls are mandatory for every public company. In the Andeavor enforcement action, the SEC Order stated, “Andeavor’s legal department approved the company’s Rule 10b5-1 plan to repurchase shares on February 22, 2018. It did so after concluding, based on a poor understanding of all relevant facts and circumstances regarding the two companies’ discussions, that those discussions did not constitute material non-public information at that time. This lack of understanding was the result of Andeavor’s insufficient internal accounting controls.”

It can be tempting as Compliance Officers to focus Compliance program efforts, particularly training and educational content, on the first limb of the FCPA because the anti-bribery provisions are so egregious.  However, the lack of proof of improper influence attempts does not save a company from regulator scrutiny, as evidenced in the case examples above.  Compliance Officers should take opportunities to emphasize the importance of an accurate and complete paper trail, also known as “Document, document, document,” and test internal controls with some regularity to help identify gaps in the books and records expectations of the FCPA.

Role of the Board

Another area of significant emphasis over the past year was the apparent move towards more significant legal and regulatory scrutiny of the Board of Directors and its role in a best practices compliance program. That role has been long-existing, going back to 1992 under the U.S. Sentencing Guidelines, which mandated that a Board of Directors must be “knowledgeable about the content and operation of the compliance and ethics program,” and must “exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.” In criminal actions against a business organization, including the FCPA, the DOJ’s Justice Manual instructs prosecutors to ask and answer several questions, including:

1) Do the Directors exercise an independent review of the company’s compliance program? and

2) Are Directors provided timely and accurate information sufficient to enable the exercise of independent judgment?

In the 2020 Update to the Evaluation of Corporate Compliance Programs, the DOJ posed the following questions.

Oversight – What compliance expertise has been available on the Board of directors? Have the Board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the Board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?

This series of questions portends more than simply a reporting requirement or that the CCO has a direct line to the Board. It is a separate requirement for compliance expertise on the Board. Name any of the most recent corporate scandals: Wells Fargo, Uber Technologies, Volkswagen, Boeing, etc., and there was no compliance expertise on the Board. It is now enshrined as a best practice for companies to have a seasoned compliance professional on the Board.

The final development for the Board’s responsibility around compliance came from the Delaware Supreme Court in Marchand v. Barnhill (the Blue Bell Creamery case). In its Opinion, the Court stated, “Under Caremark and Stone v. Ritter, a director must make a good faith effort to oversee the company’s operations. Failing to make that good faith effort breaches the duty of loyalty and can expose a director to liability. To satisfy their duty of loyalty, directors must make a good faith effort to implement an oversight system and then monitor it.”

Every board member’s job is to represent the shareholders, not the incumbent CEO and Chairman of the Board. To do so, the Board must oversee the risk management function of the organization. Blue Bell was and to this day is a single-product food company, and that food is ice cream. This sole source of income would mandate that the highest risk the company might face is around food. But as the underlying complaint noted, “despite the critical nature of food safety for Blue Bell’s continued success, the complaint alleges that management turned a blind eye to red and yellow flags that were waved in front of it by regulators and its own tests, and the board—by failing to implement any system to monitor the company’s food safety compliance programs—was unaware of any problems until it was too late.”

The bottom line is that the Blue Bell Board did nothing to fulfill its Caremark obligations. We now have the convergence of DOJ requirements under a best practices compliance program and Delaware law on Board responsibility for overseeing a compliance program. I would also add that the DOJ may soon expect a Compliance Committee separate and apart from the Audit Committee.

While it may be an emerging leading practice for Boards to have Compliance subject matter expertise by way of a Compliance professional holding a position on the Board and sitting at that table, there is, of course, the reality that some companies do not yet have that structure in place.  The next best thing is to ensure that the Board receives timely and relevant Compliance education and briefings about Compliance risks.  This means that the Board, just as other senior executives, should receive appropriate Compliance training throughout the year.  It is essential to give proper training and not pass on it just because the Board and executives are “senior.”  Often high-level staff members are complicit in bribery schemes or, at the very least, are aware that it is happening under their noses. This doesn’t necessarily mean you have to issue the Board members the same online training that other staff members complete.  It might be more appropriate for the Chief Compliance Officer to conduct an in-person training for the Board that is specially tailored to them and their role as Board members.   It is also essential that the Compliance function has an opportunity to brief the Board about important Compliance issues and that recommendations and suggestions of Compliance are taken seriously.

Compliance Program Updates from the DOJ and SEC

2020 saw two significant releases of information by the DOJ and SEC. The first was from the DOJ, and it was released in June, the 2020 Update to the Evaluation of Corporate Compliance Programs. This document brought up to date the original Evaluation of Corporate Compliance Programs, released in April 2019. The second was the 2020 update to the FCPA Resource Guide, 2nd edition, jointly released by the DOJ and SEC in July. This document updated the original FCPA Resource Guide, released in November 2012.

Update to the Evaluation of Corporate Compliance Programs

The 2020 Update remained organized around three overarching questions that prosecutors ask when evaluating compliance programs. With some revisions, they are as follows:

Is the corporation’s compliance program well designed?

Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?

Does the corporation’s compliance program work in practice?

In the introduction, the DOJ stated, “Because a corporate compliance program must be evaluated in the specific context of a criminal investigation, the Criminal Division does not use any rigid formula to assess the effectiveness of corporate compliance programs. We recognize that each company’s risk profile and solutions to reduce its risks warrant particularized evaluation. Accordingly, we make a reasonable, individualized determination in each case that considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.” (all changes noted in italics)

This change makes clear that every policy will be evaluated on its own merits. The DOJ lays out some of the factors it will consider, but a reasonableness standard will temper such consideration. Moreover, this point is further driven home by the addition to fundamental question Number 2 that prosecutors are required to ask, “Is the program being applied earnestly and in good faith?” In other words, is the program adequately resourced and empowered to function effectively? By tying this new language to question Number 2, companies that want to cut back to a paper program and take away a CCO’s ability to do their job effectively will lose credibility. The language clearly references both monetary resources and headcount.

The final addition in the introduction adds the following language, “In any particular case, the topics and questions set forth below may not all be relevant, and others may be more salient given the particular facts at issue and the circumstances of the company.” If you make changes to your program, if you lose headcount, if you are not allowed to have the most current tech solution, then be prepared to explain why your company cannot do so.

Once and for all, the DOJ has stated that having a (paper) compliance program is not enough; it must be continuously evaluated and revised accordingly using business intelligence, including lessons learned! This is a step towards Enterprise Resiliency, which can be defined as an organization’s capacity to anticipate (by monitoring), react, and adapt to changes and new or emerging risks to survive and evolve. Compliance must be proactive. This means it needs to be a dynamic, continually adaptive process.

Copyright © 2021. Jonathan T. Marks

This change is helpful to Compliance Officers struggling to establish the proper levels of authority from within their business.  It is an argument for Compliance Officers to be provided with the right and sufficient resources to be successful.  If a Compliance professional should find themselves in an environment where they have no budget, no seat at the table, aren’t taken seriously, it would be advisable to consider the risk you are personally taking and whether this company is worth your talent, expertise, and dedication.

FCPA Resource Guide, 2nd edition

In a most welcomed, if incredibly soft release, the DOJ/SEC updated the FCPA Resource Guide with a 2nd Edition. The reason it was needed and indeed so welcomed was set out in the Guide itself when it stated, “Although many aspects of the Guide continue to hold true today, the last eight years have also brought new cases, new law, and new policies. The Second Edition of the Guide reflects these updates, including new case law on the definition of the term “foreign official” under the FCPA, the jurisdictional reach of the FCPA, and the FCPA’s foreign written laws affirmative defense. It addresses certain legal standards, including the mens rea requirement and statute of limitations for criminal violations of the accounting provisions. It reflects updated data, statistics, and case examples. And it summarizes new policies applicable to the FCPA that have been announced in the DOJ’s and SEC’s continuing efforts to provide increased transparency, including the DOJ’s FCPA Corporate Enforcement Policy, Selection of Monitors in Criminal Division Matters, Coordination of Corporate Resolution Penalties (or Anti-Piling On Policy), and the Criminal Division’s Evaluation of Corporate Compliance Programs.”

The most significant change is the addition of a new Hallmark, entitled “Investigation, Analysis, and Remediation of Misconduct,” which reads in full:

The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigations structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches. 

There are other interesting aspects to this new Hallmark, not the least that it begins with “The truest measure of an effective compliance program is how it responds to misconduct.” This builds upon the language found in the “Confidential Reporting and Internal Investigations” Hallmark, which states, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response.” Now beyond being properly funded, you must have a “well-functioning mechanism” for the “timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents.”

The key changes to the Second Edition reflect developments and issues that are well-known to many practitioners. Nevertheless, the updated Guide emphasizes the importance of effective (and “adequately resourced”) compliance programs, risk-based diligence efforts, and voluntary self-disclosures.  Coupled with the 2020 Update, these two documents convey the DOJ and SEC’s expectations about compliance programs and FCPA enforcement going forward.

An area where companies can struggle in this regard is ensuring that learnings and gaps identified in one area of the business after an investigation or audit are addressed as suggested, and then sanitized and communicated to other areas of the company to cover any control failures across the board.

First, consider the checks in place to ensure that audit and Compliance recommendations have been completed. It may be worth implementing tracking tools such as Smartsheet, Jira, or Onit solutions to have sophisticated control and oversight over remediation work. Allocate responsibility to monitoring staff in the Compliance function to set deadlines and follow up on Compliance tasks and activities the business has committed to working on in response to the remediation suggestions.

Second, think about how takeaways from investigations and audits can be applied beyond the specific instance at hand.  Controls are usually fairly universal across multi-national corporations, yet large Compliance functions can be siloed with poor communication across the Compliance team globally.  The Goldman Sachs case is an argument for better co-ordination and communication across Compliance departments, particularly in large companies with numerous Compliance professionals.

This means that Compliance Departments can often benefit from sharing information about lessons learned from audits and investigations, and centralized investigation teams should think about how they can communicate with the rest of the Compliance function to impart key learnings to improve the broader Compliance program, not just the area in which an issue has manifested.

An effective way to do this can be by preparing sanitized versions of cases and presenting them to a global Compliance audience every so often throughout the year. These can also be used as communication tools on the company intranet or as Lunch ‘n’ Learn activities where Compliance staff offer up a scenario inspired by an issue that has occurred, anonymizing it and changing the fact matrix where appropriate to preserve privacy and confidentiality.

COVID-19 Fraud on the Rise

It is not surprising that, with the trillions of dollars released by the federal government under the PPP and PPE programs, fraud is rising dramatically. In December, the Association of Certified Fraud Examiners (“ACFE”) published its Fraud in the Wake of Covid-19 survey. It had been conducting surveys of its members throughout the year, and in this final survey of 2020, the trend continued from previous ACFE studies. More and more of the survey participants have observed an increase in fraud in the wake of COVID-19. Key findings from the ACFE’s survey were:

79% of respondents said they had seen an increase in the overall level of fraud (compared to 77% in August and 68% in May), and

38% of respondents said that this increase has been significant (compared to 34% in August and 25% in May).

Perhaps even more troubling, looking forward into 2021, ACFE members expect this trend to persist into the next year:

90% anticipate a further increase in the overall level of fraud over the next 12 months, and

44% say this change will likely be significant.

Always remember that fraud can occur in many forms. It can be theft of monies or wrongfully obtaining government loans. However, fraud can occur in financial reporting as well. Our final example of fraud in the era of COVID-19 comes from an SEC enforcement action involving the well-known restaurant, The Cheesecake Factory, and its material misstatements around the impact of the Coronavirus health crisis on the company. In this matter, The Cheesecake Factory was publicly saying all was well when in reality, the company was in dire financial straits. The Cheesecake Factory stated that its restaurants were “operating sustainably” during the COVID-19 pandemic. Yet, at the time, the company was losing approximately $6 million in cash per week. It projected that it had only 16 weeks of cash remaining and was actively seeking potential private equity investors or lenders to obtain additional liquidity. To top it off, The Cheesecake Factory had already informed its landlords that it would not pay rent in April due to the impacts that COVID-19 inflicted on its business. These public statements did not comport with internal control requirements, in addition to other violations.

According to a recent Forbes article, with remote working, travel bans, and social distancing rules, internet use has spiked by more than 50%. So it should be no surprise that reliance on online platforms has grown, which for some could induce physiological symptoms. Research results have shown that emotional distress is positively correlated with functional impairment. Also, emotional and social distress has been pointed to as a significant threat to self-regulation. Being in a negative mood increases the likelihood of self-regulation failure. Remember that fraudsters are cunning and profile too, so now white-collar and cybercriminals have more opportunities to exploit users in various creative ways.

FBI Deputy Assistant Director Tonya Ugoretz said the number of cybercrime reports has quadrupled compared to months before the pandemic.

Cybercrime can cause service disruption, financial loss, data breaches, and individual and institutional anxieties. This means we need to heighten our awareness, monitor behaviors, and educate the appropriate people on key risks and the common tactics or schemes that criminals are currently deploying.

Books and Records

2020 was filled with books and records violations.  If you read the Resource Guide, there appears to be an emerging focus by the DOJ to pursue criminal violations of the FCPA’s accounting provisions.

While it has not been uncommon for DOJ to pursue enforcement actions based on accounting violations in settled matters, historically, DOJ focused more on alleged violations of the FCPA’s anti-bribery provisions, which are often perceived as being more egregious, while deferring to the SEC to enforce the accounting provisions.

The books and records provision was enacted in 1977 as part of the Foreign Corrupt Practices Act (“FCPA”). It requires issuers—companies that are required to file reports with the SEC or that have securities registered with the SEC—to “make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer.”

In one of the few reported decisions discussing the books and records provision, a federal district court described the provision’s three goals:

(1) assure that an issuer’s books and records accurately and fairly reflect its transactions and the disposition of assets,

(2) protect the integrity of the independent audit of issuer financial statements that are required under the Exchange Act, and

(3) promote the reliability and completeness of financial information that issuers are required to file with the Commission or disseminate to investors under the Exchange Act.

The books and records provision was enacted as part of the FCPA, but the Act’s name is deceiving: the provision covers practices that may be neither foreign nor corrupt.

In recent years, the SEC has brought enforcement actions for books and records violations in circumstances that had nothing to do with bribery and related to purely domestic transactions—for example, records relating to the value of mortgage-backed securities; round-tripping transactions that led to overstated revenue; options backdating; and miscalculation of tax liabilities.

The SEC generally imposes strict liability for inaccurate or insufficiently detailed books and records because the statute does not explicitly require materiality or scienter. In other words, a company may be held liable for sloppy entries in its books and records, no matter how small and regardless of whether there was any intent to deceive.

The FCPA accounting provisions should be viewed as more than just a requirement. Instead, the provisions are highly effective tools that businesses can use to prevent and detect fraud. Sound accounting practices and internal controls often are the best defense against theft and embezzlement, especially in certain foreign jurisdictions, where regulators take a less rigorous approach in enforcing rules related to financial reporting. Accordingly, domestic companies with operations outside the U.S. are well-advised to make FCPA and recordkeeping compliance a high priority in their global business strategies, or they may wind up on the list below.

2020 – Partial list of SEC Enforcement Actions: FCPA Cases


What does all this mean? Your compliance program must be “adequately resourced.” This is more than having the appropriate number of professionals assigned to the function. It means filling these roles with professionals that possess the right experience and skills to deter, detect, and investigate Fraud.  Also, become more business intelligent using feedback from employees and your data, with the goal to be Enterprise Resilient.  Ugly equates to having the regulators use your own data against you!

I hope you find this useful. I also wanted to thank Tom Fox and Mary Shirley for their contributions to this writing. Listen to Tom, Mary, and me on the Compliance Podcast Network.


Phorensically Speaking

Jonathan T. Marks, CPA, CFF, CFE
