President Jimmy Carter signed the Foreign Corrupt Practices Act (FCPA) into law in 1977, following revelations that the Securities and Exchange Commission (SEC) had received testimony from more than 100 U.S. corporate executives that they were involved in bribery. The FCPA, which makes it unlawful for U.S. companies, individuals and third-party intermediaries to pay foreign officials to retain or obtain business, has three main components: bribery of foreign officials, books and records, and internal controls. The U.S. was the first country in the world to introduce such legislation. At the time, it caused an uproar among U.S. corporate executives, who claimed that by eliminating their ability to bribe officials in charge of purchasing decisions, the FCPA put corporate America at a competitive disadvantage, leaving it unable to compete successfully with its (primarily European) counterparts.
Although the FCPA has existed for 35 years, its effects have been most felt over the past five years, thanks to the Obama administration’s decision to make combatting corruption one of its priorities. A combination of increased regulatory oversight, new guidelines issued by the SEC and Department of Justice (DOJ) in November 2012, the promise of financial bounties for whistleblowers, advances in technology, outsourcing and increasingly global supply chains has conspired to make FCPA compliance a primary focus of C-suite legal and risk executives at many corporations.
The often-salacious specifics of corporate FCPA cases have been constant headline news and the topic of many a publication from law firms, pundits and others. Against a background of record fines, prison sentences and skyrocketing investigation costs, corporations can’t help but note the roughly 130 FCPA investigations currently open (most of them involving a company’s third parties) and recent settlements exceeding $1 billion.
While many organizations are reconsidering how they manage their FCPA programs and employ technology, most are still unclear on how best to proceed. A poll of delegates attending the FCPA Conference hosted by the American Conference Institute (ACI) in Washington, D.C. last November revealed that more than 60 percent have no system in place for monitoring high-risk third parties after they’ve put a contract in place with them, while the majority of delegates (almost 90 percent) further indicated that they have no technology in place to help them assess, monitor, manage and report on the FCPA risk of their third parties. At the same time, auditors require comprehensive and appropriate evidence of due diligence and relationship management efforts regarding a company’s third parties. Moreover, in the event of an FCPA violation, evidence of an effective program may change the outcome of potential prosecution.
Considering the possible costs and issues associated with FCPA compliance risk, applying yesterday’s technology and processes to today’s FCPA environment isn’t working. Similarly, addressing only a small percentage of total risk is essentially the same as ignoring it altogether. Corporate reliance on spreadsheets, limited external data and one-time due diligence on a handful of “high-risk” vendors is highly inefficient and inadequate to ensure FCPA compliance, with such approaches also failing to demonstrate the “hallmarks of effective compliance programs” identified in the November 2012 FCPA guidelines. Thankfully, technology exists that enables organizations to implement and enforce a consistent, objective and scalable FCPA program.
Many internal and external resources are involved in the FCPA compliance process: third-party relationship managers, internal line-of-business leaders, risk committee members, compliance professionals, data providers (providing high-level due diligence), investigative firms (providing deeper due diligence), training content providers, third-party team members and others. Managing all of these resources can be daunting. However, an interconnected, collaborative technology platform can enable companies to solicit information from their various resources and stakeholders, and manage the resulting data, feedback, attestations and due diligence reports consistently and objectively in one secure location. Companies should implement this process when qualifying a new third-party relationship, if the status of the relationship changes, during periodic reviews and when an event occurs that raises the level of non-compliance risk. In addition to addressing these specific triggers, a well-defined and technology-enabled process should also enable ongoing compliance management across the enterprise.
Companies struggling to create and implement a technology solution for FCPA compliance can learn from those who have gotten it right. A Global 500 company has implemented a technology-based solution that not only gives it previously inaccessible insights into all of its third parties and third-party risk, but has also enabled it to reduce its annual subscription fees for anti-bribery/anti-corruption data and investigations by $3.67 million. Furthermore, the company’s technology approach has allowed it to integrate training for hundreds of thousands of users into its FCPA program by understanding and communicating with individual employees within specific third-party companies for the first time ever. To handle the scope, complexity and constantly changing nature of FCPA risk, this technology platform relies heavily on intelligent automation and adaptability. By embracing a different approach to FCPA compliance, the company has been able to enforce a consistent approach throughout its global organization.
The FCPA and similar anti-bribery/anti-corruption legislation worldwide continue to affect how organizations do business. However, in the context of an increasingly regulated business environment, greater enforcement, tougher penalties and budget constraints that force organizations to do more with less, new thinking is required if organizations are serious about proactively understanding, managing and mitigating FCPA risk.