By Sandra D. Gonzalez , Michael X. Marinelli and Mike Piazza
All U.S. companies operating abroad need an “effective” compliance and ethics program to prevent, detect and remediate violations of the U.S. Foreign Corrupt Practices Act (FCPA), which generally prohibits bribery of foreign officials by U.S. companies. By now, lawyers and executives at multi-nationals recognize that the FCPA exists, that U.S. companies need an anticorruption compliance program and that the costs of not having such a program can be significant. Since Siemens paid $1.6 billion (the largest fine to date) to resolve charges with regulators, many other companies have been hit with multi-million dollar penalties. While the need is well-known, many companies fail to appreciate the practical difficulties of implementing an effective compliance program across multiple countries.
One all too common approach is to seek an “off-the-shelf” program that can be rolled out immediately in all locations. An instant compliance program appears to provide protection, ease of implementation and, most especially, relatively low cost. However, to be effective, an FCPA compliance program must be reasonably designed to address and mitigate the specific risks associated with a company’s business operations.
The first challenge of implementing a compliance program in multiple countries is assessing the specific risks the organization faces, which are a function of the corruption environment in the countries of operation, the legal and political environment, the nature of the company’s operations and the size of the business, among other factors. Unique features of operational life in a particular country must be taken into account. For example, in- country logistics may be a significant issue in some countries (due to taxes levied and inspections at state-border crossings) and not in others. Similarly, countries like China have a significant number of state-owned entities, which results in more frequent interaction with foreign officials and increased FCPA risk.
Once the risk analysis is complete and program design has begun, a second major challenge arises, which is finding the balance between accounting for market-specific conditions and having an appropriate level of uniformity across the enterprise. The elements of an “effective compliance program” must be present in every international operation’s program. However, the details are likely to vary from country to country. For example, procedures for conducting due diligence on third-party intermediaries (TPIs) will be required for all international operations. How that diligence is conducted will necessarily vary among countries, based on such factors as the availability of criminal records, local privacy laws and whether reference checks are commonly used. Thus, while some variations among procedures in different countries are inevitable, the amount of variation is limitless nor without consequences. U.S. regulators will view variations skeptically.