FCPA Enforcement: Tech Companies and the Pilot Program
On September 9, 2016, Cisco Systems, Inc. (“Cisco”) announced that the U.S. Securities and Exchange Commission (“SEC”) and the Department of Justice (“DOJ”) declined to bring Foreign Corrupt Practices Act (“FCPA”) enforcement actions following the company’s internal investigation of its business dealings in Russia and various CIS (Commonwealth of Independent States) countries. The announcement and decision by the SEC and DOJ came on the heels of a three year investigation where Cisco disclosed its findings, made organizational changes to its business in Russia, and cooperated with the government agencies. While the investigation serves as yet another reminder that the government is focused on potential FCPA violations in the technology sector wherever they occur, the decision not to bring any charges is consistent with the principles enunciated in the FCPA Pilot Program (“Pilot Program”), instituted in April 2016. Consistent with the Pilot Program’s “mitigation credit” for voluntary self-disclosure, cooperation, and remediation, Cisco received the benefit the government promises.
Third Party Risks
Cisco’s internal investigation highlights the risks technology companies face from third party sales agents and the efforts expected by the government to mitigate, investigate, and remediate such risks. Technology companies routinely rely on resellers and distributors in their sales operations globally. Many companies undertake efforts to require their third party agents to maintain accurate books and records and to justify the additional discounts they seek. But the reality is that third parties may not provide truthful information or records—whether to justify the requested discount or to reflect their sales or expenses. In certain markets around the world, such business practices are not scrutinized or criminalized, causing entities which do not face liability in other jurisdictions to continue operating in a less than forthcoming manner. Or, when faced with audit requests that may uncover impropriety, third parties claim protection based on antitrust, state secrets, or data privacy laws, which help insulate the third party under a seemingly legitimate argument. Thus, technology companies operating globally must be vigilant about issues such as the booking of revenue by resellers, the business justifications used to obtain approval for discounts, and the potential falsification of records maintained by its resellers. Faced with such challenges, companies must maintain strong internal controls to monitor the behavior of their third parties (including conducting routine audits of higher-risk third parties) and to take decisive action (including terminating the business relationship) where misconduct is identified.
The Cisco investigation continues a trend of technology companies being the target of FCPA investigations and enforcement actions. For example, in 2016 alone, the SEC has initiated enforcement actions against five companies or individuals in the technology industry,
Pilot Program’s Mitigation Credit
The Cisco investigation provides some insight into the mitigation credit that companies may receive pursuant to the Pilot Program instituted by the DOJ earlier this year. The Pilot Program was intended, according to the government, to add enforcement resources, increase cooperation, and provide more transparency into the requirements for obtaining mitigation credit. With respect to mitigation credit, the program outlines three requirements: (i) voluntary self-disclosure, (ii) full cooperation, and (iii) remediation.
The Fraud Section’s FCPA Enforcement Plan and Guidance memorandum, issued on April 5, 2016 by the DOJ’s Criminal Division, sets forth the conduct necessary to satisfy each of the mitigation requirements. For example, to satisfy the “voluntary self-disclosure” requirement, the disclosure must (i) not be one that is required by law, agreement, or contract, (ii) occur prior to an imminent threat of disclosure or government investigation, (iii) be reasonably prompt, and (iv) include all known relevant facts concerning the misconduct.
The requirement of “remediation,” which the DOJ admits is “difficult to ascertain and highly case specific,” may involve implementing an effective compliance and ethics program that is tailored to the size and resources of the organization, appropriate discipline of employees (including those identified by the corporation as responsible for the misconduct), and any additional steps that demonstrate “recognition of the seriousness of the corporation’s misconduct[.]”
Since the launch of the Pilot Program approximately five months ago, the DOJ has publicly released three declination letters.