International anti-corruption enforcement has never been more coordinated, aggressive or costly. Last year was a record-breaking year for global enforcement, and – simply based on the number of cases in the pipeline – business leaders can expect heightened enforcement to continue in 2017 and beyond. Already-announced 2017 resolutions, including the recent Rolls-Royce, PLC resolution lend an important lesson for executives: global anti-corruption enforcement is here to stay.
On January 17, 2017, the UK-based Rolls-Royce agreed to pay approximately $800 million to resolve UK (~ $627 million), US (~ $170 million), and Brazilian (~ $25 million) investigations related to allegations of a long-spanning scheme to bribe government officials in exchange for government contracts. In the UK, the company entered into a Deferred Prosecution Agreement (DPA) with the Serious Fraud Office (SFO) in which it agreed to pay a criminal penalty and to certain monitoring and compliance conditions. In exchange, the SFO suspended the indictment, which charged “12 counts of conspiracy to corrupt, false accounting and failure to prevent bribery.” In the US, Rolls-Royce also resolved the allegations through a DPA with the US Department of Justice (DOJ) in which it admitted to conspiring to violate the US Foreign Corrupt Practices Act (FCPA).
Rolls-Royce’s DPA with the SFO underscores just how long-standing and global the scheme was: the statement of facts cites improper conduct occurring over a period of more than three decades and includes an admission that the company agreed to make or failed to prevent improper payments in China, India, Indonesia, Malaysia, Nigeria, Russia and Thailand. The US DPA sets forth that the improper payments – all of which were facilitated by intermediaries – were made in Thailand, Brazil, Kazakhstan, Azerbaijan, Angola and Iraq.
Anti-Corruption Enforcement is more than the FCPA. It is no longer sufficient to view FCPA enforcement in a vacuum. US regulators are no longer just exchanging information with their foreign counterparts, they are engaging in parallel investigations that result in joint resolutions. The Rolls-Royce resolution was the result of a coordinated investigation involving the UK, the US and Brazil. Additionally, DOJ cited further cooperation with “colleagues” in Austria, Germany, the Netherlands, Singapore and Turkey.
The continued proliferation of sophisticated anti-corruption regulations suggests that multi-jurisdictional enforcement is likely to continue. Likewise, the recent uptick in DPAs issued pursuant to the UK Bribery Act (UKBA), including the Rolls-Royce DPA – which represents the largest UKBA corporate criminal penalty to date – further bolsters this argument. The US is not the only country actively enforcing anti-corruption laws.
Regulators are increasingly focused on accounting and internal controls. Anti-corruption regulations are most well known for their provisions prohibiting bribery. Lesser known, however, are the accounting provisions contained in most regulations. These provisions typically require that companies develop a system of internal controls designed to prevent and detect improper payments and inaccurate recordkeeping. The UKBA, however, takes it a step further and criminalizes an organization’s failure to prevent the commission of bribery. The UKBA also includes an “adequate procedures” defense: it is a complete defense if a company can prove that it had adequate procedures in place to prevent the improper conduct. The Rolls-Royce DPA includes five counts of failure to prevent bribery; the DPA makes no mention of “adequate procedures.”
The Rolls-Royce scheme spanned over three decades and reached at least four continents. What led to such a pervasive internal controls failure? Did the company’s internal audit function include an anti-corruption testing component? What processes were in place to prevent the falsification of books and records? Were there protocols requiring a uniform response to potential issues? Though the UK DPA acknowledges that Rolls-Royce did have certain pre-existing controls in place, such measures were insufficient. The story is not all bad for Rolls-Royce, however. The DOJ acknowledged the ongoing enhancements the company made to its internal controls and compliance programs and, accordingly, imposed a reduced criminal penalty and determined that “an independent compliance monitor was unnecessary.”
Third parties continue to present significant business risk. It is almost undisputed that third parties present the single greatest anti-corruption risk to companies. In fact, it is estimated that over 90 percent of FCPA enforcement actions involve conduct undertaken by third parties. The Rolls-Royce resolution is no exception: the improper payments were paid by third parties, most of whom were interacting with government officials in locations with histories of corruption (i.e., the definition of a high-risk intermediary).
Although companies cannot eliminate third-party risk, accounting for such risk is one of the hallmarks of any compliance program. Companies need more than policies and procedures to mitigate this risk. Companies need to know who they are doing business with: all third parties that could foreseeably interact with government officials should be subject to some degree of meaningful pre-contracting due diligence. Likewise, there should be contractual safeguards with appropriate anti-corruption language in all third-party contracts, and companies should implement mechanisms to periodically review third-party relationships that are designed with an eye toward spotting potential anti-corruption red flags.
Anti-corruption investigations are costly, lengthy and invasive. As reported by the Guardian, the Rolls-Royce $800 million combined corporate penalty is roughly equal to its expected 2016 profits. Of course, penalty amounts are in addition to investigative costs. Rolls-Royce will recover from this financial hit. Harder, however, will be recovering from the reputational harm the company has undoubtedly suffered. As we often opine, the best offense is a good defense: companies must create and maintain anti-corruption programs with robust internal and accounting controls. Companies need to be proactive in order to be appropriately reactive. By implementing appropriate controls, companies can best position themselves to combat aggressive anti-corruption regulations and enforcement.
Wallace W. Dietz is a member and Lindsey Brown Fetzer is an associate with Bass, Berry & Sims PLC. Both practice in the firm’s Compliance & Government Investigations Practice Group, of which Dietz is Chair. Dietz may be reached at firstname.lastname@example.org, and Fetzer may be reached at email@example.com.