Sabrina Skeldon (firstname.lastname@example.org) is a former Assistant US Attorney for the Western District of Louisiana and a former senior counsel to the Office of the Inspector General, and is based in Dallas, Texas, USA.
The Foreign Corrupt Practices Act (FCPA) bribery investigation has concluded, and the Department of Justice (DOJ) has determined that no bribery violation has occurred; however, the Securities and Exchange Commission (SEC) subsequently notifies your client that a civil enforcement investigation has been opened into the same conduct for alleged violations of the FCPA internal accounting provisions. What can you expect to face, and how do you navigate the FCPA internal accounting controls enforcement action? What can you learn from recent FCPA enforcement actions?
The FCPA contains both anti-bribery and accounting provisions. The anti-bribery provisions prohibit US persons and businesses from making corrupt payments to foreign officials to obtain and retain business. The accounting provisions require issuers to make and keep accurate books and records and to devise and maintain an adequate system of internal accounting controls. Congress’ original test was pragmatic; it applied a reasonableness standard. The books and records provision requires business records to be maintained in reasonable detail. The internal accounting controls provision requires a control framework sufficient to provide reasonable assurances of two things: that transactions meet management’s expectations and authorization, and that financial statements are recorded in accordance with generally accepted accounting principles. There has been a shift in the requirements for evaluating the adequacy of an internal controls system. What was a flexible approach has changed to a stricter standard. How and when did the interpretation of the statutory provisions change?
There is little judicial precedent interpreting what is an internal control and what is an internal framework that provides “reasonable assurance,” but SEC vs. World-Wide Coin Investments, Ltd. made clear corporations are not required to create a fail-safe accounting control system.
The SEC, in its interpretation of Congress’ intent as to these provisions, deliberately refused to mandate specific factors that would define what is an effective internal controls system—again applying a reasonableness standard. According to the SEC, the system is only required to provide such level of detail as would satisfy prudent officials.
Even DOJ, in its Resource Guide to the U.S. Foreign Corrupt Practices Act, recognized that Congress imposed restrictions in its definition of reasonableness to avoid imposing a standard requiring “a degree of exactitude and precision which is unrealistic.” In both the 2012 and 2020 Resource Guide to the Foreign Corrupt Practices Act, DOJ agreed that the books and records reasonableness standard worked in tandem with and paralleled the reasonableness assurance standard of the internal controls provision. Specifically, it states, “the Act does not specify a particular set of controls that companies are required to implement. Rather, the internal controls provision gives companies the flexibility to maintain a system of controls that is appropriate to their particular needs and circumstances.” Despite this, the 2019 and 2020 SEC enforcement actions are at odds with the more flexible reasonableness standard and signal a widening of conduct now subject to FCPA enforcement actions.
Practitioners advising multinational corporations are faced with the problem of identifying when a controls framework is sufficient. How robust are controls required to be? The reasonableness standard is the only boundary protecting against overprosecution, and its erosion introduces increased FCPA exposure.
Emerging issues with the reasonableness standard
The focal point of recent FCPA accounting controls enforcement actions has involved compensation arrangements with distributors, resellers, and other third parties. In at least two enforcement actions based on misconduct involving third parties, the SEC found internal accounting controls violations based on a faulty root cause analysis. There was a mismatch between the alleged FCPA misconduct and the purported gaps in controls. Stryker and Polycom represent examples of that error in logic.
In Polycom, the SEC alleged Polycom’s Chinese subsidiary provided significant discounts to distributors/resellers to create enough margin from which they could make improper payments to foreign officials. The enforcement action was based solely on alleged violations of the accounting controls, with no allegations of bribery.
Polycom had in place a well-developed controls system that addressed the risks of misconduct related to excessive discounts at all relevant times.
It created transparency in its transactions by requiring all sales force deals to be input into a centralized database.
It required the approval of discounts above a certain threshold by personnel outside the Chinese subsidiary.
It required supporting documentation of all transactions.
It developed a due diligence process for the selection and vetting of third-party agents, required third-party training on anti-corruption procedures, and required the inclusion of audit rights in third-party contracts.
The issue in Polycom was not the lack of an internal control framework, but rather its circumvention.
The Chinese subsidiary circumvented the controls by establishing an off-the-books parallel sales management system to conceal the activity with its distributors outside the company’s accounting system, of which the parent corporation had no knowledge.
The SEC found two isolated control gaps that were the basis for its determination that the FCPA internal accounting controls had been violated. Polycom had failed to translate certain anti-corruption training materials into the local language, Mandarin, and did not follow up when employees failed to attend those trainings. Second, the SEC alleged a deficiency in the due diligence process based on the failure to follow up on one Chinese distributor that, years prior, “on a deal unrelated to Polycom,” made an improper payment to a Chinese official. The enforcement action failed to link the gaps in the internal controls and the alleged misconduct. Polycom received a criminal declination, but as part of the DOJ’s Corporate Enforcement Policy, it was required to pay disgorgement and prejudgment interest totaling $12.5 million to the SEC and was fined a $3.8 million civil penalty.
In Juniper Networks and Stryker, the SEC found FCPA accounting controls violations, despite the fact it was unable to identify a control gap or a better set of accounting controls that would have allowed the corporations to detect the alleged FCPA misconduct. This raises the question: How robust must a corporation’s established set of internal controls be? The Polycom, Stryker, and Juniper Networks enforcement actions signal a shift in the interpretation of the reasonable assurance standard to one that requires a guarantee that no accounting misrepresentations have occurred.
Juniper Networks’ Russian subsidiary gave distributors/resellers increased discounts so they could realize a significant margin and make improper payments to foreign officials. The SEC termed the profits that the distributor held “common funds” because the subsidiary directed unauthorized payment of marketing expenses for customer trips and expensive travel from the funds generated by the excessive discounts. The common funds—the excess margin funding the unauthorized marketing expenses—were treated as off-the-books transactions, and sales employees were instructed not to use email to discuss these accounting practices. As was the case in Polycom, Juniper Networks had specific controls surrounding distributor discounts, payable procedures, and approvals of travel and entertainment expenses. Juniper Networks had accounts payable controls to review expenses to ensure they had supporting detail and necessary approvals. Next, it required preapproval by their legal department for travel and entertainment expenses to ensure they were appropriate. Juniper Networks also had in place requirements that when discounts reached a certain threshold, incremental changes required additional approval.
Again, the issue was not the failure to create a system of controls, but the circumvention of existing ones. By using discounts as the vehicle for funding marketing expenses, the subsidiary bypassed the controls surrounding the accounts payable system—the marketing expenses were not reviewed or approved by either the legal or accounting departments for their appropriateness as expenses, because the expenses were paid by the distributor from profits it generated from product sales.
Polycom, Juniper Networks, and Stryker represent the application of a stricter interpretation of the reasonable assurance standard in FCPA enforcement actions. In the negotiated remediation terms, the SEC was unable to identify controls that would have better detected FCPA misconduct. In fact, the remediation agreed upon between the SEC and Juniper Networks was that Juniper Networks would continue its exact same controls to detect and prevent misconduct, with the addition of a newly created investigations team and increased employee training.
In Stryker, there were no allegations of bribery; the action focused on alleged violations of the FCPA accounting provisions.
The allegations against Stryker concerned its payment terms that dealers in India, China, and Kuwait provided to their end-user customers. The SEC decision focused mainly on dealer misconduct in India involving an insurance fraud scheme. At the request of private Indian hospitals, the dealers would provide inflated invoices to the private Indian hospitals so that the hospitals could overbill insurers and patients.
Stryker had a well-defined internal controls framework in place at the time of the alleged misconduct that specifically addressed the type of misconduct its dealers engaged in. Stryker’s contracts with all third parties required anti-corruption and audit clauses that Stryker enforced. As to the specific conduct that formed the basis of the SEC enforcement action, Stryker exercised its audit rights against three of the dealers involved in the specific misconduct, took corrective action, and terminated one of the dealers.
The gap in controls the SEC complained of was Stryker’s failure to expand its dealer audits to test all dealer activity. However, the scheme was not tied to any transactions involving the books and records of Stryker. None of Stryker’s assets were affected by the insurance fraud. The SEC did not allege that Stryker’s product pricing or its discount practices enabled the insurance fraud scheme, nor did Stryker benefit from the scheme. The transactions were outside of Stryker’s management’s general or specific authorization. There was no showing Stryker controlled the activities of the dealers nor was it a party to the insurance fraud scheme.
While there may have been a gap in Stryker’s controls, it was unrelated to the requirements of the FCPA internal accounting controls provisions.
Additionally, the SEC cited a 27% error rate in a sample tested of Stryker’s marketing expenses; however, the SEC did not define the size of the sample. International audit standards require that the size of samples selected for testing are defined by the riskiness of the activity and its frequency. Without knowing the size of the sample, the relevance of the error rate cannot be assessed. Also, given that five years of alleged activity was involved, the sample would be required to be large—if not the entire population of transactions. For example, 27% of 100 transactions is not adequate to assess a gap in internal accounting controls. Even though the statute has no materiality requirement, a reasonableness test is to be applied. Corporations are not required to develop a fail-safe system to guarantee there are no gaps in their controls.
The remediation Stryker agreed upon with the SEC mirrored the controls it already had in place, auditing and monitoring of third parties, and strengthening of its existing due diligence process.
The Microsoft, Walmart, and Quad/Graphics enforcement actions discussed next highlight the inconsistent application of the reasonable assurance standard and the irreconcilable conflicting outcomes arising from such application.
In Microsoft, the SEC and DOJ asserted that Microsoft subsidiaries gave significant discounts to distributors to create a cushion for improper payments to government officials. Those payments were intended to enable Microsoft to win lucrative tenders. Also, the government alleged that Microsoft failed to have an adequate due diligence process in place to vet and select third-party contractors.
Microsoft had internal controls in place governing its subsidiaries’ transactions with distributors, resellers, contractors, and subcontractors, but it lacked an effective audit and monitoring system to evaluate the effectiveness of those controls. Specifically, it had numerous policies setting out its corporate requirements:
Global policies were in place that required Microsoft employees to record details of all sales transactions accurately, including price, discounts, and justifications for additional discounts beyond the approved standard.
Global policies required employees and subcontractors to accurately record the time they worked on Microsoft projects in the company’s internal timekeeping system.
Policies required discounts above a certain threshold to be independently reviewed and approved at a higher level.
There was no evidence that Microsoft’s US branch was engaged in the scheme. Microsoft’s controls were circumvented by employees of its subsidiaries. Subsidiaries provided false justifications for additional discounts to the Microsoft Business Desk. Discounts intended for end-user customers were used by subsidiaries to fund improper payments and unauthorized marketing expenses. Due diligence as to certain new contractors was inadequately performed, including one instance where the consultant was a government employee. There was a breakdown in controls due to a lack of oversight and a lack of periodic testing of the effectiveness of the controls. As part of its remediation, Microsoft enacted “new discount transparency and pass-through requirements.” Additionally, it increased transaction monitoring at the regional level and implemented the use of data analytics.
Microsoft entered into an agreement with the DOJ and SEC that required the payment of an $8.75 million criminal fine by Microsoft’s Hungarian subsidiary. The Hungarian subsidiary was required to enter into a three-year nonprosecution agreement, and the parent corporation made disgorgement payments totaling $16.6 million to the SEC. The action involved anti-bribery allegations against Microsoft Hungary and alleged accounting controls violations of the parent corporation. Because Microsoft failed to voluntarily self-disclose the conduct, it was not entitled to a presumption that a criminal declination was warranted under the DOJ Corporate Enforcement Policy.
Walmart represents one of the most significant accounting controls actions based on third-party payments. The DOJ and SEC brought parallel proceedings and, as part of the criminal FCPA action, alleged Walmart knowingly circumvented or failed to implement internal accounting controls. The basis for the FCPA criminal accounting controls action arose from Walmart’s fundamental lack of any internal control framework.
It had a delayed global rollout of its anti-corruption program.
There was a lack of established policies and procedures to prevent and detect criminal conduct.
Insufficient employee and third-party training was provided on anti-corruption laws.
Poor due diligence existed surrounding the selection, monitoring, and compensation arrangements of third-party agents.
There was a failure to timely remediate internal audit findings relating to third-party agents’ misconduct.
Walmart paid a criminal penalty of $137.9 million. It was required to enter into a nonprosecution agreement that acknowledged responsibility for the criminal conduct and employ an independent corporate monitor for two years to oversee the implementation of its remediation plan. Finally, it disgorged to the SEC $144.7 million in improper payments.
Quad/Graphics, a printing and digital marketing company, was engaged in a scheme involving multiple layers of sham transactions. Its outcome is significant, if for no other reason than it cannot be reconciled with the outcomes in Microsoft and Walmart. If the conduct of Microsoft, Quad/Graphics, and Walmart were put on a spectrum, the conduct of Quad/Graphics would be closer to that of Walmart. The difference between Quad/Graphics and Microsoft is that it is not the byproduct of the circumvention of an existing control framework—the SEC in the Quad/Graphics decision repeatedly stated that Quad/Graphics had no system of controls. The SEC stated that Quad/Graphics from 2011 to 2015 lacked adequate internal accounting controls. In fact, as of 2010, it had no compliance system at all. Its subsidiaries engaged in bribery schemes in Peru, Cuba, and China, funded by payments made to fictitious vendors, improper payments made to a law firm, and sham transactions with sales representatives. The SEC alleged a systemic lack of internal controls, violations of the books and records provisions and accounting controls, and a lack of due diligence.
The payment of fake invoices from fictitious vendors would have been discovered if Quad/Graphics had any kind of due diligence process in place in Peru. Though the fictitious vendors were registered corporations, none had any demonstrated business activities, and their invoices and corporate registrations indicated they officed from the same address, a red flag for the detection of fraud. Payments to these vendors were used to win government contracts. Additionally, a law firm in Peru submitted false invoices for services not rendered to conceal payments made as part of the judicial bribery scheme to influence the outcome of tax litigation. Because of the size of the bribes, US senior management was required to approve the payments, knowing their true purpose. In China, the Chinese subsidiary paid commissions on fake sales agents’ invoices for services not rendered so that the subsidiary could obtain governmental and commercial business. Despite the seriousness of the violations, the pervasiveness of the schemes, and the knowing involvement of US executives in the bribery schemes in Peru—all aggravating factors under the DOJ Corporate Enforcement Policy—DOJ issued a criminal declination to the parent corporation. It also did not pursue criminal actions against any of the subsidiaries, unlike the outcome in Microsoft. It did, however, reserve the right to prosecute individuals. A basis existed to pursue either a criminal accounting controls prosecution as done with Walmart or a bribery prosecution isolated to specific subsidiaries. Instead, Quad/Graphics was only required to pay a $6.9 million disgorgement to the SEC and a civil money penalty. The outcomes in Microsoft and Walmart, when viewed against the Quad/Graphics outcome, are difficult to reconcile. Despite the presence of significant aggravating factors, Quad/Graphics received a criminal declination as part of the 2019 DOJ Corporate Enforcement Policy, based on its voluntary self-disclosure, its cooperation with the investigation, and its remediation efforts.