혁명 아닌 진화: 미국 법무부(DOJ)와 증권거래위원회(SEC)의 해외부패방지법 가이드(FCPA Resource Guide) 업데이트
By Paul Hastings Professional
In July 2020, the U.S. government released the second edition of its Resource Guide to the U.S. Foreign Corrupt Practices Act (the 2020 FCPA Guide or the Guide),
Additional Law Enforcement Partners and International Coordination. More than ever, companies are subject to investigation by multiple law enforcement agencies. In the United States, these include several FBI squads, Homeland Security Investigations, the Postal Inspection Service, the Board of Governors of the Federal Reserve System, the Financial Crimes Enforcement Network, and the Commodity Futures Trading Commission. Outside the United States, the German, U.K., Brazilian, French, Swiss, and Dutch authorities are most active.
DOJ’s Corporate Enforcement Policy. DOJ continues to provide strong incentives for companies to timely and appropriately disclose and remediate misconduct through greater transparency about the potential benefits, as well as the limit for any credit provided if a company fails to meet its requirements. However, such incentives may be insufficient for many companies to voluntarily disclose misconduct, especially in light of potential enforcement by non-US regulators.
Disgorgement and Forfeiture. The U.S. Supreme Court limited disgorgement in SEC federal court enforcement actions to a wrongdoer’s net unlawful profits provided that they are distributed for the benefit of investors, which could limit how SEC imposes monetary sanctions and cause the SEC to shift to more regular imposition of larger civil penalties.
Investigation, Analysis, and Remediation of Misconduct. DOJ and SEC expect robust internal investigation, analysis, and remediation of misconduct, which is consistent with DOJ’s recently issued Evaluation of Corporate Compliance Programs,and require appropriate funding, timely and thorough investigation, documentation of discipline and remediation, root cause analysis, and effective use of lessons learned.
Compliance Expectations and Monitors. Companies should continue to enhance their risk-based compliance programs, including through regular assessments, leveraging data analytics and technology, and addressing the root causes of any misconduct. DOJ and SEC continue to impose compliance monitors when there is pervasive misconduct and manipulation of the books and records or exploitation of an inadequate compliance program and inadequate strengthening and testing of compliance programs.
Specific Case Law Issues. Reflecting the Hoskins decision in the Second Circuit Court of Appeals, the 2020 FCPA Guide clarifies that an individual not covered by the FCPA’s anti-bribery provisions could not be held liable for conspiring to violate the FCPA’s anti-bribery provisions, or aiding and abetting an FCPA anti-bribery violation in the Second Circuit, which includes New York. However, DOJ suggests that they may pursue that agency theory outside of the Second Circuit with a reference to case law in Illinois that decided the issue differently than Hoskins.
The 2020 FCPA Guide will be a valuable resource for in-house, external and government practitioners working to apply the FCPA’s provisions to real-world situations. While the second edition does not alter the character and usefulness of the original document, or answer all of the outstanding questions or legal interpretations by the DOJ and SEC, the 2020 FCPA Guide provides a timely update incorporating eight years of enforcement history and legal development since the original was released.
I. PURPOSE AND EVOLUTION OF THE FCPA RESOURCE GUIDE
The original FCPA Resource Guide was drafted in 2012 to “provide companies, practitioners, and the public with detailed information about the statutory requirements of the FCPA while also providing insight into DOJ and SEC enforcement practices through hypotheticals, examples of enforcement actions and anonymized declinations, and summaries of applicable case law and DOJ opinion releases.”
To give some perspective, in the thirty years from the passage of the FCPA in 1977 up to 2007, there were over 45 actions initiated by DOJ and 39 by SEC against corporations, resulting in approximately USD 286 million in penalties. In the five years from 2008 to 2012, there were 142 actions initiated by DOJ and 76 by SEC and approximately USD 4.3 billion in penalties. Concerns among corporate management and Boards of Directors over the impact of the FCPA skyrocketed, resulting both in calls to limit the scope of the FCPA and to clarify the precise nature in which DOJ and SEC were enforcing the decades-old law. Following the Organisation of Economic Cooperation and Development’s Working Group on Bribery Phase 3 evaluation of the U.S.’s adherence to its international obligations, DOJ and SEC drafted the 2012 FCPA Guide to provide greater clarity on the scope and enforcement of the FCPA.
The 2012 FCPA Guide was generally well-received by the business and legal community, and numerous companies and law firms repeatedly turned to it for guidance regarding the government’s views on the scope of the law as well as its perspective on compliance programs. The greatest criticism of the 2012 FCPA Guide was that it appeared to focus more on broad policy concerns and detailed DOJ’s and SEC’s interpretation of the law, rather than actual court decisions interpreting the statute. Back in 2012, however, there were few cases in which courts had construed even some of the most basic of the FCPA’s terms.
After publishing the 2012 FCPA Guide, DOJ and SEC continued to aggressively pursue enforcement actions against both corporations and individuals. Between 2012 to June 2020, DOJ and SEC brought over 110 enforcement actions that resulted in a staggering USD near-14 billion in assessed penalties and disgorgement. Significantly, many of the corporate prosecutions were brought in coordination with an increasing number of law enforcement partners, both in the United States and around the world. Most importantly for the development of the law, continued legal challenges afforded U.S. courts the opportunity to provide written opinions regarding aspects of the FCPA that had previously been guided primarily by DOJ and SEC policy. For example, recent court decisions clarified the definition of an “agent” and who can be criminally charged with conspiracy to violate the FCPA or aiding and abetting an FCPA violation in United States v. Hoskins, and further defined the application of the local law affirmative defense in United States v. Ng.
II. ADDITIONAL LAW ENFORCEMENT PARTNERS AND INTERNATIONAL COORDINATION
For companies considering their risks, one of the greatest changes in the enforcement of the FCPA in recent years is the increased number of domestic law enforcement partners and growing international coordination of bribery cases.
The 2020 FCPA Guide notes that DOJ Criminal Division’s Fraud Section handles all FCPA matters for DOJ and regularly coordinates with U.S. Attorneys’ offices around the country. This is a subtle, but important, shift from the 2012 FCPA Guide, which noted that the Fraud Section “primarily handles” all FCPA cases within DOJ’s purview, suggesting that DOJ is redoubling its efforts to centralize prosecutions with the Fraud Section’s experienced FCPA prosecutors to ensure consistency in approach and treatment across the country.
The listing of domestic law enforcement and other agency partners in the 2020 FCPA Guide also expanded. In 2012, DOJ worked primarily with a single squad of the FBI, Homeland Security Investigations, as well as the IRS–Criminal Investigation, and the Departments of Commerce, State, and Treasury. The 2020 FCPA Guide identifies that there are several FBI squads focused on FCPA prosecution as well as the previous U.S. partners involved in enforcement, and new partners such as the Postal Inspection Service, the Board of Governors of the Federal Reserve System and the Financial Crimes Enforcement Network. Each of those have been involved in one or more significant FCPA cases, and their inclusion in the 2020 Guide suggests ongoing coordination on future FCPA investigations. Notably, the 2020 version also acknowledges the Commodity Futures Trading Commission as another law enforcement partner, following that agency’s announcements of its own FCPA enforcement initiatives.
The 2020 FCPA Guide identifies a number of international partners that have been involved in coordinated resolutions. In 2012, the only coordinated resolutions were with German prosecutors and the U.K. Serious Fraud Office. In the eight years leading up to the 2020 FCPA Guide, 16 resolutions involved foreign law enforcement entities, including from Brazil,
These new partners, both in the U.S. and internationally, reflect the heightened risk that defendants could be subject to multiple prosecutions with increased penalties for the same underlying crimes. The 2020 FCPA Guide attempts to addresses this concern and details DOJ and SEC’s intention to “avoid imposing duplicative penalties, forfeiture, and disgorgement for the same conduct.” This includes efforts by the enforcement authorities to coordinate resolutions with foreign governments, so as to credit companies for fines, penalties, forfeitures, or disgorgements they have faced while resolving the same factual conduct.
The 2020 FCPA Guide confirms that only the DOJ has formally recorded its policy of avoiding duplicative punishments—sometimes called “piling on”—by revising the Justice Manual (formerly called the U.S. Attorneys’ Manual) in 2018 to include an acknowledgment of the importance of coordinating with and crediting penalties paid to other U.S. agencies or local authorities. The 2020 FCPA Guide also recognizes that the SEC at least informally adopted the approach with respect to foreign authorities, and references coordinated resolutions with Brazil and Switzerland, among others, on various occasions since at least the beginning of 2016.
Notably, the 2020 FCPA Guide cautions that DOJ and SEC will merely “attempt” to avoid piling on, listing the factors DOJ uses to determine how much credit should be given to a cooperating company facing resolutions in other jurisdictions or before other U.S. authorities. Neither agency is committed to giving credit for resolutions in other jurisdictions, and weighing the factors guiding such decisions is a process determined by the agencies themselves, subject only to the zealous advocacy of a defendant’s counsel.
III. DOJ’S CORPORATE ENFORCEMENT POLICY
The 2020 FCPA Guide incorporates DOJ’s FCPA Corporate Enforcement Policy, first published as a pilot program in April 2016 and eventually incorporated into the Justice Manual in November 2017 (Justice Manual, Sec. 9-47.120).
Even where aggravating circumstances make a criminal resolution appropriate, if the company voluntarily self-discloses, fully cooperates and timely and appropriately remediates, DOJ will recommend a 50% reduction off the low end of the fine range, unless the company is a recidivist.
Voluntary self-disclosure and full cooperation with the DOJ, including providing information which assisted the DOJ in identifying specific individuals involved and, in at least one instance, prosecuting them.
An existing compliance program with timely and appropriate measures to remediate the misconduct.
Where senior executives were involved in the misconduct, DOJ declined to prosecute the companies, due in part to the companies’ self-reporting and cooperation.
However, just because there are benefits to voluntary disclosure, the Corporate Enforcement Policy does not mean that every company should do so. In particular, the difference in reduction in penalties from voluntarily disclosing (50% off the low end of the applicable Guidelines range) compared with not voluntarily disclosing but fully cooperating (25% off the low end of the applicable Guidelines range), may not be significant enough to encourage companies to subject themselves to an intrusive investigation by DOJ.
The Guide also incorporates the Corporate Enforcement Policy’s recognition of the potential benefits of comprehensive due diligence and self-reporting in connection with mergers and acquisitions, and notes the presumption of a declination of prosecution in instances where the acquiring company timely identifies, discloses, cooperates and remediates misconduct by the acquired entity. Overall, the Guide incorporates recent DOJ guidance designed to encourage companies to quickly and fully disclose and remediate misconduct by providing clear incentives to companies for voluntary disclosure while setting clear disincentives for not doing so. The Guide also specifically acknowledges that DOJ’s Corporate Enforcement Policy is not binding on the SEC.
IV. UPDATE ON DISGORGEMENT AND FORFEITURE
Given the staggering amount of penalties imposed by DOJ and SEC, companies often question the legal limitations of what they can be required to pay to the U.S. government for misconduct overseas. In addition to criminal and civil penalties, the 2020 FCPA Guide describes how DOJ or SEC may require companies to forfeit proceeds or disgorge profits of their or others’ misconduct. Historically, in most parallel prosecutions by DOJ and SEC, DOJ imposed criminal fines and the SEC determined not to seek a civil penalty, but rather required “disgorgement” of all profits arising from the misconduct, even if it was technically beyond the statute of limitations.
The 2020 FCPA Guide recognizes the significant legal developments in this area—that the disgorgement remedy has certain limitations, imposed on the SEC’s civil actions by the Supreme Court in Kokesh v. SEC
The 2020 FCPA Guide additionally addresses disgorgement in the context of the DOJ’s Corporate Enforcement Policy (discussed above), which provides a corporate entity with a presumption of declination (e.g., no criminal charges filed) where the entity has self-disclosed, fully cooperated, remediated, and paid all disgorgement, forfeiture, or restitution at issue from the misconduct by way of a resolution with DOJ or another “relevant regulator,” such as SEC. The DOJ website identifies several companies that received a “declination with disgorgement” under this policy.
V. INVESTIGATIONS, ANALYSIS, AND REMEDIATION OF MISCONDUCT
The 2020 FCPA Guide now includes a new section on “Investigation, Analysis, and Remediation of Misconduct,” consistent with DOJ’s recently issued Evaluation of Corporate Compliance Programs.
The program’s investigation mechanism should be well-functioning and appropriately funded.
Investigations of both allegations and suspicions of misconduct must be timely and thorough.
The company must have an established means of documenting its response, including disciplinary or remediation measures.
A root cause analysis with timely and effective remediation to prevent future violations.
In addition to responding to specific misconduct, the program should integrate lessons learned into company policies, training, and controls.
The importance of a company incorporating “lessons learned” from investigations into their compliance program is critical for enforcement authorities. DOJ prosecutors and SEC enforcement attorneys may not be fully trained in how to evaluate compliance programs, although some have significant experience in those areas. However, they do understand investigations and whether the “gaps” in the compliance program, which led to the underlying problems, have been closed during the investigation. The 2020 FCPA Guide emphasizes the importance of looking at the root causes, from an investigation point of view, to determine what the company can do better. Among other actions, SEC and DOJ often consider the communication of investigation results or other significant findings within the organization (including through anonymous case studies if appropriate) to be highly relevant when evaluating the effectiveness’ of a company’s integration of lessons learned.
VI. COMPLIANCE MONITORS
The Guide incorporates October 2018 guidance by the DOJ relating to the appointment of compliance monitors and independent consultants from the memorandum regarding “Selection of Monitors in Criminal Division Matters” (the October 2018 Memorandum). The October 2018 Memorandum specifically states that “a monitor should never be imposed for punitive purposes” and reiterates that when determining whether to impose a monitor, prosecutors should assess the potential benefits to the corporation and the public of employing a monitor against the cost of and impact on the operations of the corporation. While each of these points was available in DOJ guidance that predated the 2012 FCPA Guide, these specific points did not appear in the 2012 FCPA Guide. The 2020 FCPA Guide not only adds these concepts, but also incorporates additional guidance from the October 2018 Memorandum regarding the factors to consider when evaluating the potential benefits of a monitor:
Whether the underlying misconduct involved the manipulation of corporate books and records or the exploitation of an inadequate compliance program or internal control systems;
Whether the misconduct at issue was pervasive across the business organization or approved or facilitated by senior management;
Whether the corporation has made significant investments in, and improvements to, its corporate compliance program and internal control systems; and
Whether remedial improvements to the compliance program and internal controls have been tested to demonstrate that they would prevent or detect similar misconduct in the future.
The 2020 FCPA Guide specifically adds additional concepts, “risk profile,” “geographical reach,” “business model,” and “whether the company’s current compliance program has been fully implemented and tested,” to the list of factors considered by DOJ and SEC when determining whether a compliance monitor is appropriate. Importantly, while the more detailed guidance of the October 2018 Memorandum remains applicable only to DOJ, the 2020 FCPA Guide makes clear that SEC uses some of the same considerations.
Finally, the Guide removes the reference to when companies might be allowed to “engage in self-monitoring,” leaving out “self-monitorships” entirely. Given the increasing reliance by DOJ of compliance self-reporting in recent cases, it is unclear if this is an actual policy change or merely a change in terminology.
VII. UPDATE ON SPECIFIC CASE LAW ISSUES
The 2020 FCPA Guide references several of the recent key cases, including United State v. Hoskins, United States v. Ng, and United States v. Esquenazi.
United States v. Hoskins:
Hoskins also limited the DOJ’s expansive application of FCPA jurisdiction over foreign agents of a domestic concern. The Second Circuit established that the DOJ must prove that the domestic concern exercised control over important aspects of a transaction as well as over the foreign agent, evidenced by the power to terminate or impact the agent’s compensation.
United States v. Ng:
United States v. Esquenazi:
VIII. UNADDRESSED ISSUES
While a helpful and welcome update, the 2020 FCPA Guide leaves some important issues unaddressed and/or preserves some aggressive DOJ/SEC positions, notwithstanding recent legal developments. We highlight a few here.
Scope of “Agency” in the FCPA: Notwithstanding recent developments in the Hoskins prosecution addressing issues of agency in connection with the FCPA’s jurisdictional reach, the 2020 FCPA Guide continues to promote a contested interpretation of the circumstances in which a subsidiary corporation will be considered an “agent” of its parent and/or of an “issuer.” The Guide states that the “fundamental characteristic of agency is control,” and goes on to explain that generally the SEC and DOJ look to whether the subsidiary in question is subject to the parent’s control generally, and in connection with the facts at issue.
The U.S. Supreme Court held in 2013 that, as a general matter, neither subsidiaries nor subsidiaries’ employees are agents of their parent corporations, Kiobel v. Royal Dutch Petroleum Co.,
Successor Liability: DOJ and SEC have long warned about, and, at times, pursued “successor liability” in M&A transactions when one corporate entity acquires another entity involved in historical misconduct. However, in the 2020 FCPA Guide, the DOJ and SEC continue to speak in terms of “successors” and “predecessors,” while apparently using the terms “successor” interchangeably with “acquirer” and “predecessor” with “acquired” companies. This nomenclature obscures the legal issues and risks at play in the M&A context. True successor liability—i.e., liability of one corporation for the independent unrelated acts of another corporation—is only an issue when an acquiring company subsequently merges the acquired company out of existence. In that case, the acquirer is the true “successor” and may succeed to all the acquired company’s liabilities. Such instances are relatively rare, and yet have resulted in DOJ criminal enforcement actions in a few limited contexts.
More commonly, a company will acquire another entity and operation and allow it to continue as a separate entity and going concern. In that instance, there is no “successor” or “predecessor,” just an acquirer and acquired company, with legal liabilities—both financial and regulatory/criminal—of the acquired company remaining with that original company. In this more common situation, the Corporate Enforcement Policy’s promise (as described in the 2020 FCPA Guide) that “an acquiring company that voluntarily discloses misconduct may be eligible for a declination, even if aggravating circumstances existed as to the acquired entity” may be of limited value: if the apparent FCPA violations at the acquired company are detected and stopped, there will be no conduct implicating the new acquiring entity to disclose in the first place, making the promise of a declination of the new acquiring entity an empty one. If conduct persists for a long period of time undetected, even voluntary disclosure, full cooperation, and remediation may not save an acquiring company from an expensive investigation, resolution negotiations, forfeiture and disgorgement and often collateral litigation.
“Victims” in FCPA Cases: The 2012 FCPA Guide never mentioned who could be a “victim” of an FCPA violation, but the 2020 FCPA Guide opened the door and introduced the concept of a victim by noting that SEC v. Liu held that “disgorgement is permissible equitable relief when it does not exceed a wrongdoer’s net profits and is awarded for victims.” (emphasis added) While it is likely that the Supreme Court in Liu was using the term “victims” in the context of the relevant statutory language (i.e., that disgorgement must be “for the benefit of investors”), one of the long-standing legal disputes in the FCPA is who, precisely, could be a “victim” of an FCPA violation.
Should the penalties paid for an FCPA violation go to the benefit of the U.S. government, as is currently the case, or to the “victims,” if any, of an FCPA violation? How would you define a victim in an FCPA case? Is it the government department or state-owned entity that paid an inflated price for services, when that inflated price incorporates the amount of the bribe? Is it the people of the foreign country whose government officials misused government resources and overpaid for products or services? Is it a competitor who lost out on profits for a contract that they would have won but for the bribe paid by the defendant? Is it the shareholders of a company whose management disregarded company policy and paid bribes, resulting in hefty legal fees and large penalties to DOJ or SEC? The answer is extremely important as there are certain obligations that DOJ has under relevant statutes, such as the Crime Victim Rights Act
For years, DOJ has taken the position that there is no identifiable victim of an FCPA violation, but recent litigation in the Och-Ziff matter, United States v. OZ Africa Management GP LLC,
Additional Policy Guidance: Finally, certain policy changes and guidance issued after the 2012 FCPA Guide did not make it into the updated version. For example, data-related issues such as data privacy limitations and the need for companies to develop a policy for mobile devices and the rise in ephemeral messaging are not addressed in the document. In recent years the DOJ has vacillated on its policy regarding the use of personal mobile messaging platforms for business purposes, appearing to prohibit the use of such platforms (on the grounds that they hinder business records retention) for companies hoping to receive full remediation credit under the 2017 version of the Corporate Enforcement Policy. In March 2019, DOJ backtracked, amending the policy to allow the use of such platforms where companies provide their employees with appropriate guidance and a retention program. In addition, since 2016, with the launch of the FCPA Corporate Enforcement Policy’s predecessor pilot program, DOJ has also articulated a policy requiring that when a company claims foreign data privacy laws prevent it from producing relevant documents as part of its cooperation, it must—in order to receive full cooperation credit—identify the specific laws blocking the transfer. Neither of these examples is explicitly addressed by the 2020 FCPA Guide. Because the Guide does not subsume or supplant the prior, existing guidance, we do not see these omissions to be particularly significant, though they may perhaps betray DOJ and SEC’s views that these issues are evolving as quickly as the technology.
While we view the 2020 FCPA Guide as evolution and not revolution, it presents several key takeaways for companies:
Risk Assessments. The 2020 FCPA Guide has maintained and refined the 2012 FCPA Guide’s focus on risk assessments. This suggests the DOJ and SEC continue to emphasize a view that companies must deploy their limited compliance resources consistent with a thoughtful, planned risk-based methodology. Those that do so effectively, and can demonstrate it, are more likely to receive mitigation credit and less likely to get a monitor in an enforcement cycle—and are more likely to avoid violations in the first place. Companies must also specifically incorporate lessons learned from their own compliance program, industry trends, and ever-evolving best practices.
Data Analytics. Also consistent with the DOJ’s and SEC’s focus on risk-based compliance measures, the 2020 FCPA Guide reflects the agencies’ clear expectations that compliance data will be available to legal and compliance departments in ways not contemplated in 2012, and that they must be used effectively. Consistent with our recent experiences with DOJ and SEC, there is a greater expectation that companies have enhanced their methods to detect and prevent misconduct, including through centralized data analytics and other technological tools, self-learning, and ongoing risk assessment.
Mergers & Acquisitions. The 2020 FCPA Guide reflects continued emphasis on acquirer compliance measures in M&A transactions, and the formalization of an incentive structure to cause acquirers to voluntarily disclose wrongdoing uncovered at subsidiaries in return for presumed declinations for the acquirer. Timely and comprehensive risk-based due diligence remains critical to prevent the continuation of any improper conduct, mitigate any liability for the past conduct of acquired entities or assets, and—perhaps most importantly—to ensuring proper training and integration.
Enforcement Partners. Given recent enforcement history involving multiple countries’ authorities, cooperation and evidence sharing with other investigators unsurprisingly features prominently in the update. While the DOJ and SEC clearly recognize—at least in their policy pronouncements—the potential for “piling on,” as a practical matter companies still may be subject to multiple competing investigations, different legal standards, and the discretion of disparate regulators each with different interests, practices, and expectations. DOJ and SEC leave themselves discretion to continue to bring the charges they deem warranted, anti-”piling on” policy notwithstanding. Companies should remain aware of enforcement “hot spots” and the potential for multiple settlements and penalties, and prepare a comprehensive strategy to navigate these challenges as the start of any investigation.
Self-Reporting, Cooperation, and Remediation. The 2020 FCPA Guide reflects the significant policy evolution by DOJ from 2015 forward to provide much greater and clearer incentives for companies to self-report, cooperate with U.S. authorities, and remediate any wrongdoing. As a result, companies often face the decision whether to self-report, even in the initial investigation stages, earlier than they historically would have been confronted with the issue. With the incorporation of the Corporate Enforcement Policy standards and the addition of several examples of declinations, including in some instances when there are aggravating circumstances, DOJ reiterated its expectations and the potential consequences for those involved in misconduct. However, voluntary disclosure should not be automatic, but instead carefully considered especially in light of the growing cooperation with other international enforcement authorities and the potential for investigations to expand beyond the initial report.
Investigative Capabilities. DOJ and SEC clearly communicate that their expectations for companies’ investigation functions have changed, and that investigation capabilities must necessarily be more robust than in the past. Moreover, the agencies advance their belief that the use of lessons learned—whether from internal investigations, external enforcement actions or other public sources like industry benchmarking, trends, or evolving best practices—to inform compliance efforts and address root causes of wrongdoing are essential to compliance programs and the manner in which investigations can be conducted in ways unforeseen in 2012.