Skip to content

The Integrity Agenda: Lessons from Gunvor's recent FCPA settlement

On March 1, the Swiss commodities trading house Gunvor paid $661 million to settle a Foreign Corrupt Practices Act case with U.S. authorities. This was the company’s second corruption offense in recent years, the monetary penalties were huge, and the violations were egregious — and yet, Gunvor did not get saddled with an independent compliance monitor.

Compliance officers should examine this case closely. It offers an important window into the U.S. Justice Department’s thinking about FCPA enforcement these days, and into what your own compliance program should be able to do to avoid your own compliance monitor.

As described in the plea agreement, throughout the 2010s multiple Gunvor employees conspired with third-party intermediaries to pour $97 million into two shell companies based in Panama. The money in those shell companies then went to pay bribes to executives of Petroecuador, the state-owned oil company in Ecuador.

Somehow the Justice Department opened an investigation into Gunvor. We don’t know exactly how, but the company did not voluntarily self-disclose its misconduct. Gunvor ultimately pleaded guilty to one count of violating the FCPA and paid $661 million to settle the case, including a criminal penalty of $374 million. Four individuals, including a former Gunvor employee, have also pleaded guilty in relation to the scheme.

Worse, this is Gunvor’s second corruption scheme in recent years. In 2019 the company reached a settlement with Swiss authorities, admitting to bribery payments in Africa in the early 2010s. As part of that settlement, Gunvor admitted that it had weak internal controls and failed to take “all the reasonable organizational measures” to prevent Gunvor’s employees and agents from engaging in bribery.

A long-running bribery scheme, lots of money involved, recidivist corruption offender; all those factors could lead to the appointment of a compliance monitor — but not necessarily so. So what did Gunvor do right to avoid one?

First, Lots of Remediation and Cooperation

OK, Gunvor missed its greatest opportunity to win credit with prosecutors by failing to voluntarily self-disclose its misconduct. The company still won praise by cooperating extensively in the Justice Department’s investigation and implementing numerous significant reforms to its compliance program.

Most notably, Gunvor eliminated the use of third-party agents to help it win new business, the arrangement that got Gunvor into trouble with Petroecuador in the first place. This is significant because it’s the third recent example of a company restructuring its global sales operations to win an FCPA settlement. Albemarle eliminated its use of third-party sales agents as part of its FCPA settlement last year, and SAP eliminated its third-party sales commission model globally as part of its own FCPA settlement announced in January.

In all three cases, the offending company implemented a permanent, enterprise-wide change to lower its corruption risk. Such a sweeping change requires support from the highest levels of the business.

Gunvor also implemented rigorous testing of its compliance program: testing of its overall reporting processes and its internal hotline in particular; testing of its third-party due diligence program; testing of payment controls. The company even “tested” its corporate culture by conducting an extensive review of the culture. Where necessary, Gunvor’s internal compliance team (which the company had expanded, too) engaged outside consultants to help.

That testing is crucial because it allows Gunvor to see, in a data-driven way, where its internal controls and processes are or are not working. Testing is already an expectation the Justice Department cites in its guidance on effective compliance programs; the Gunvor case helps us understand what testing looks like in practice.

Second, Lots of Reporting

In addition to all that compliance program remediation, Gunvor must also provide annual progress reports on its compliance efforts to the Justice Department for the next three years. Those reports, plus follow-up meetings to discuss each one, are supposed to substitute for the independent oversight of the compliance program that a compliance monitor would normally provide.

This might be the most important lesson of the Gunvor case. If you want to avoid the burden and expense of an independent compliance monitor, then your own company should be prepared to (1) engage in rigorous testing and management of your compliance program, so you can keep pushing improvements forward; and (2) meet with the Justice Department at regular intervals to show your work, hear prosecutors’ feedback, and incorporate their suggestions into future work.

Those steps don’t guarantee that your company could avoid a monitor; deeply flawed corporate cultures and egregious violations could still lead to that outcome — but you’re unlikely to avoid a monitor without the capabilities outlined above.

Compliance officers should also appreciate their delicate position in modern FCPA enforcement. One standard term of settlement is that the chief compliance officer must now, at the end of a plea agreement or deferred-prosecution agreement (DPA), certify that the compliance program you’ve been building is indeed effective at preventing repeat violations. If you’ve been meeting with the Justice Department for several years reviewing that work, certify the program’s effectiveness at the end of the DPA, and then suffer some repeat offense — that could leave you in a difficult position, both personally and professionally.

We haven’t yet seen that scenario since CCO certifications are still a new phenomenon in FCPA enforcement, but the possibility exists. It’s a reminder of just how strong your compliance remediation and reporting capabilities need to be in the modern age.

Matt Kelly

Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week. from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.

Implement a tailored Third-Party Risk Management solution