So what is the DOJ looking for when it evaluates FCPA corporate compliance programs? Ceresny said that the best programs contain the following:
- Compliance personnel
- Extensive policies and procedures
- Vendor reviews
- Due diligence on third-party agents
- Expense controls
- Identification of red flags
- Internal audits to review compliance
Ceresny added that companies should perform FCPA risk assessments, have disciplinary measures in place to deter violations, and periodically test programs to ensure they are keeping pace with the business. He said that "such programs, properly implemented, will also help companies avoid other problems at foreign subsidiaries, like self-dealing, embezzlement and financial fraud."
And implementation is the key. Ceresny said that when he was in private practice, he saw companies "that had great paper programs but did not implement them effectively." When the business side pushed back, he said, the company removed requirements and made exceptions. Ceresny emphasized that "the best companies would put the compliance program ahead of business interests and allow decisions to be made to ensure compliance with the law, no matter the business consequences. It is that sort of attitude that is the measure of whether such programs will be successful."
Ceresny pointed to the recent Smith & Wesson enforcement action as a "cautionary tale" of the trouble that can befall companies that fail to develop and implement a robust FCPA compliance program. In the Smith & Wesson case, Ceresny recounted, the company’s international sales staff engaged in a pervasive effort to attract new business through gifts to foreign government officials. The Vice President for International Sales had almost complete authority to conduct the company’s international business. Meanwhile, the company had performed no anti-corruption risk assessment, had virtually no due diligence on its third-party agents, and did not have a compliance program or other internal controls in place to guard against abuses. In resolving the matter, the company disgorged the profits from the conduct, plus interest, and paid nearly $2 million in civil penalties.
Ceresny warned that the SEC currently has "a robust pipeline of investigations across the globe." Does your company want to stay out of the SEC's line of fire? If so, take Ceresny's advice about the importance of developing a robust FCPA corporate compliance program to heart. Ignore it at your peril.