Earlier this year I predicted that under the Trump Administration, enforcement of the Foreign Corrupt Practices Act would take the FCPA Pilot Program to its logical conclusion. To wit: if a company with FCPA exposure met the requirements of the Pilot Program (self-disclosure, cooperation, and remediation), that company would not just receive lighter penalties—it would receive no penalties, and the department would decline to prosecute.
Six months into the Trump Administration, that pattern is emerging. Alas, compliance officers don’t have much else they can learn about effective compliance beyond that basic fact.
So far we have two declinations to prosecute, both in the month of June. Linde Corp., a chemical company in Germany, confessed that one of its U.S. subsidiaries committed FCPA violations in the Republic of Georgia from 2006 until at least 2010. CDM Smith, a U.S.-based construction business, admitted that executives in its India division bribed government officials there from 2011 to 2015.
Both companies had to disgorge their ill-gotten profits ($11.2 million for Linde, $4 million for CDM Smith). Both also had the expense of conducting internal investigations and improving their compliance and internal control; and both fired all employees involved in the misconduct.
Beyond those details, however, we don’t know much about how either company improved its compliance program, or how those efforts led to a Justice Department decision not to prosecute. We only know that the Justice Department says the FCPA Pilot Program criteria were met.
That’s frustrating for compliance officers, because the cases have different patterns of misconduct, yet we arrived at the same place: no prosecution, no monitor, and no penalties beyond the costs outlined above. That’s a great destination for companies to reach, but if we don’t know the routes that other companies took to get there, we still struggle to make our own journeys more efficient.
But wait: didn’t the Obama Administration publish declination letters too? And weren’t they just as vague?
Yes. The difference is in the overall tone of the Trump Administration—the control environment, so to speak. President Trump has complained about FCPA enforcement in the past, and attorney general Jeff Sessions has given only pro forma endorsements of the FCPA while he pursues other priorities. If people wanted to be cynical about the future of FCPA enforcement (say, people on your company’s board who bless compliance budgets, or people in your enterprise whose support you need for effective compliance), they could. Your job of advocating for commitment to good conduct and effective compliance would be that much harder.
The Obama Administration gave us a greater body of decisions to study: deferred-prosecution agreements, non-prosecution agreements, speeches about FCPA enforcement, and the like. We still don’t know what a “serious” enforcement action might look like under the Trump Administration: one that ends in a DPA or a compliance monitor, or a push for trial and possible conviction. (That’s not to say that the cases against Linde and CDM Smith didn’t feel serious to them; I’m sure the cases did.)
We may still see those more serious enforcement actions in the future; FCPA probes do take time. Meanwhile, what can compliance officers say for sure about compliance today?
Foremost, if your company wants to take advantage of the FCPA Pilot Program, you need to be able to meet the criteria of the program—and that means you need the basics of an effective compliance program to be in place. Examples:
- You can’t self-report a possible violation if you don’t know you have one. So employees (and third parties) need to recognize an FCPA violation when they see it, and know that they should report it.
- You can’t do an efficient investigation without an investigations protocol: triaging the severity of an allegation, escalating it to the proper place, holding evidence, and so forth. Sure, you can do an investigation without protocols, but that’s going to be much more expensive.
- You can’t remediate a problem unless you understand how it happened and how to fix that error. That means performing a root cause analysis (mentioned in the Justice Department’s Evaluation Guidance from earlier this year, incidentally), and knowing what remediation works for what problems.
Those steps may feel like you should keep doing what you’re doing. Well, that’s a good place to start.