I was really excited to have an opportunity to learn more about the Foreign Corrupt Practices Act recently through our Resources Global Professionals’ webcasts. Not only was it an area of compliance that was relatively new to me, but it was of particular interest. I had spent a summer in Russia during college studying business practices of US companies working in the Russian business environment. At the time, many US companies were just starting to see opportunities in the emerging economy, but found themselves struggling to operate in an environment marred by organized crime, corrupt officials and poor government oversight.
What is the Foreign Corrupt Practices Act?
The FCPA is not new legislation. It has been around since 1977, but recent increases in enforcement and lawsuits have brought it back up into the spotlight for many US organizations. In a nutshell, the FCPA states that:
1.) It’s a crime to bribe non-US officials in order to obtain or continue business activity in that region.
2.) Organizations must have proper records of all transactions, and controls in place to prevent bribery of non-US officials.
(If you want a much more detailed explanation, check out the Department of Justice’s “Lay Person’s Guide”.)
I am by no means an expert, but here are a few of the things I’ve learned recently that I found interesting:
- FCPA is enforced by both the Department of Justice and the Securities and Exchange Commission. The SEC is responsible for civil action against corporations (or individuals), while the DOJ is responsible for criminal prosecution of individuals.
- There aren’t any guidelines or standards for the internal controls (structure, documentation, etc.) that US companies must keep, but many experts (including Tom Fox, RGP consultant and legal expert in the area of FCPA) seem to point to the 6 Principles in the UK Anti-Bribery Act as a good place to start.
- Violations of the FCPA can mean up to $5 million in fines and 20 years in prison.
Put your FCPA Compliance Program in policyIQ!
If you are doing business internationally, your organization is required to comply with FCPA – and you probably already have a program in place. But if you don’t have it well-documented and easily accessible, you are increasing your risk. As I see it, the keys to a successful FCPA program are the same as any compliance program:
1.) Assess the risk – where in the organization might you be at risk of violations and how significant is that risk?
2.) Document (and communicate!) controls that mitigate those risks
3.) Periodically test those controls to confirm that they are designed and operating effectively, and
4.) Keep an auditable set of documentation to prove that you’ve done all of this
If you follow these four steps, you’ll be in a great position to quickly respond to any inquiry – and avoid the high cost of lengthy, invasive investigations. This is where policyIQ shines! Not only can you retain all of your Risk, Control, and Testing documentation in one place – but using policyIQ forms, you can also have key employees review and sign off on your FCPA controls on an annual basis. You’ll have an auditable record of their agreement to follow the controls and policies as they are laid out by the compliance department. Any areas of concern can be documented, with mitigating action plans assigned and due dates set – all within policyIQ.
While we certainly hope that none of our policyIQ clients face an SEC or DOJ investigation for violations of the FCPA, with a strong program documented in policyIQ, you can keep those investigations shorter and less expensive, and put yourself in a great position to come out the other side with no violations or findings.
Check out some of these great resources to learn more about FCPA:
- Resources Global Professionals’ “FCPA: Top Three Cases and Lessons Learned” webcast recording (Click on the “View Event Recordings” link in the upper right corner.)
- Tom Fox’s FCPA blog (Updated almost daily with incredibly useful information, case studies and news)
Get started today!
If you are already using policyIQ for another compliance program, you are just a few minutes away from getting started. You already have Risk, Control and Test Templates (or something very similar) – that can be used for FCPA or copied and altered just slightly to accommodate the new usage. Create a Folder, import or create the Risks and Controls – and make the information visible to your employees.
Don’t know where to start? Contact us. You can’t afford to wait until an audit is pending – and we’re happy to help you get moving! If you don’t have FCPA controls in place – or you aren’t sure if your program is strong enough – contact us and we’ll put you in touch with a local expert who can get you on the right path.