Print this article | Return to Article | Return to CFO.com
Why should CFOs worry? Their liability for signing off under the Sarbanes-Oxley Act is one reason. Another: their responsibility for corporate compliance.
David McCann, CFO.com | US
July 29, 2009
Driven by the mass globalization of business, the U.S. government is continuing to speed up its enforcement of the Foreign Corrupt Practices Act. Besides the greater compliance and legal risks to companies that the increased FCPA activity represents, it also presents the likelihood that CFOs will face mounting personal liabilities, experts say.
While just a few years ago there were only about 20 or 30 open cases at any one time, 19 new cases against companies were opened in the first half of this year, adding to the 100 or so under way as of the end of 2008.
That doesn't mean there are 119 companies being prosecuted. Many are being pursued both civilly by the Securities and Exchange Commission and criminally by the Department of Justice, which counts as two cases in the government's accounting of the numbers, according to Manny Alas, a partner and co-head of the FCPA practice at PricewaterhouseCoopers.
The number of FCPA actions against individual executives is also shooting up. The average number of such proceedings launched was 6 per year from 2002 to 2005, 14 annually from 2006 to 2008, and 13 in just the first six months of 2009, says PwC, which on Monday issued a report on the topic.
For their part, CFOs should be especially concerned about the stepped-up enforcement because they are "signing off on certifications saying that their financial reports are truthful and accurate," says Wendy Wysong, a partner at law firm Clifford Chance, referring to CFOs' personal liability for honest corporate reporting under the Sarbanes-Oxley Act. "And the compliance function is often within the CFO's responsibilities, which should be another huge concern."
In a case settled in 2006, the SEC held liable David M. Pillor, a former senior vice president for sales and marketing and a board member of InVision Technologies, who neither made nor approved bribes but was merely in charge of internal controls that failed to spot violations. (Without admitting or denying guilt, Pillor agreed to pay a $65,000 civil penalty.)
Judging from a recent survey by Deloitte, companies are getting the message about the need for increased vigilance on potential bribery violations. Among 216 senior executives, 75% reported increasing concern about the potential for FCPA violations in the past three years, and 42% indicated that as a result, their companies renegotiated or canceled a planned business relationship or acquisition. But almost a third of respondents said their companies don't always conduct background checks on business partners and third parties before committing to transactions outside the United States.
Such due diligence would be only one component of a rigorous FCPA compliance effort, consultants say. Others include formulating a code of conduct for employees, suppliers, and agents; conducting compliance training; developing effective internal controls; creating record-keeping systems to properly account for all overseas transactions; and providing a hotline for whistle-blowers to anonymously report possible violations. "The hardest part of all," says Alex Viall, group executive at Complinet, which advises financial-services firms on regulatory matters, "is ensuring that there is the right culture within the organization. The messaging and the energy behind an initiative like this really needs senior management to buy into it."
When possible violations are detected, a company might want to consider voluntarily disclosing them so as to avoid prosecution or mitigate penalties. More than half of the FCPA investigations from 2005 through 2008 resulted from voluntary disclosures, according to the PwC report.
Voluntary disclosure makes sense, notes Viall, because "it has been seen that these [violations] are not defensible in any way once they are detected. Also, it allows companies to distance themselves from the responsible employees and other individuals as soon as possible."
In particular, says Alas, companies should take a hard look at their global business relationships with an eye to voluntary disclosure when a competitor comes under SEC or DoJ scrutiny. The same factors that led the competitor to commit FCPA violations are likely to be present, and "once [the authorities] are on to an industry, they learn about its inner workings and business models."
Companies should also be careful to record "facilitation payments" in a fully transparent way. The FCPA provides exceptions for these payments, which basically are made to expedite something a company is entitled to, such as getting a license to do business. "But if those expenses start to become large and frequent, thousands of dollars being paid all the time, it's going to call into question the underlying reasons for the payments," says Alas.
Instead of taking a chance by characterizing questionable payments as facilitation payments, Wysong suggests, companies should either adopt a zero-tolerance policy that bars any payments to foreign officials or seek rulings from the DoJ as to whether they're permissible before making the payments.
Meanwhile, given that thousands of U.S.-based multinationals and foreign companies listed on American stock exchanges are subject to the law, is the level of enforcement activity all that onerous? Yes, say FCPA consultants and attorneys, for two reasons. One is that the number of cases and severity of penalties have not likely hit their peak. The Obama Administration, notes Alas, is "continuing the momentum" that has been built up around enforcement. "There will be no let-up."
The other reason is that the potential damage for companies that are prosecuted is so great. In the biggest settlement to date by far, Siemens AG was slammed late last year with $1.6 billion in monetary penalties and disgorgement of profits, about half going to German authorities and half to the DoJ and SEC in the United States.
The way in which the American authorities nailed Siemens suggests how vulnerable companies can be. The electronics giant allegedly had paid more than 4,000 bribes totaling $1.4 billion to foreign government officials across the globe. However, the DoJ and the SEC did not charge the company specifically with bribery, but rather with violating the FCPA's books-and-records provisions, which require companies to keep clear records of all transactions. In essence, it was similar to Al Capone being convicted of income-tax evasion rather than racketeering or murder. The books-and records provisions provide another avenue for prosecution when it is not absolutely clear whether payments were bribes, and also offer what is essentially a plea-bargaining opportunity. If Siemens had admitted to bribery, Wysong notes, it would have been ineligible for U.S. government contracts.
And companies face risks beyond the criminal or civil penalties imposed under the act. "FCPA investigations will likely trigger other actions such as shareholder litigation, tax investigations, and money-laundering probes," says the report by PwC, which earns fees for consulting with companies on FCPA risk and compliance.
Complinet's Viall agrees that those potential ancillary effects are weighty. "With the amount of press these cases are getting, there's going to be a huge cost thereafter," he says. "Anyone concerned with governance might think that if [bribery] is a problem, there may be endemic issues throughout the organization."
Indeed, PwC's Alas says, "as companies are managing through this downturn and looking at their budgets, [FCPA compliance] is one area they should take a hard look at and not cut corners, which could create a big problem down the road."
All the more so, the experts say, given the issue of personal liability. In a high-profile example, Albert "Jack" Stanley, former CEO of KBR Inc., pleaded guilty last September to one count of conspiring to violate the FCPA and one count of conspiring to commit mail and wire fraud in connection with bribes paid to Nigerian government officials. He agreed to serve seven years in prison and pay $10.9 million in restitution.
Altogether, at least 39 companies and individuals have settled FCPA cases since 2007, according to an analysis by law firm Hughes Hubbard.