Page 68 - U.S. FOREIGN CORRUPT PRACTICES ACT
P. 68
A Resource Guide to the U.S. Foreign Corrupt Practices Act. Second Edition.
delegated to other specific individuals within a based compliance program, even if that program
company. 333 DOJ and SEC recognize that the does not prevent an infraction in a low risk area
reporting structure will depend on the size and because greater attention and resources had
complexity of an organization. Moreover, the been devoted to a higher risk area. Conversely, a
amount of resources devoted to compliance company that fails to prevent an FCPA violation
will depend on the company’s size, complexity, on an economically significant, high-risk
industry, geographical reach, and risks associated transaction because it failed to perform a level
with the business. In assessing whether a company of due diligence commensurate with the size and
has reasonable internal controls, DOJ and SEC risk of the transaction is likely to receive reduced
typically consider whether the company devoted credit based on the quality and effectiveness of its
adequate staffing and resources to the compliance compliance program.
program given the size, structure, and risk profile As a company’s risk for FCPA violations
of the business. increases, that business should consider
increasing its compliance procedures, including
Risk Assessment
due diligence and periodic internal audits. The
Assessment of risk is fundamental to
degree of appropriate due diligence is fact-specific
developing a strong compliance program, and
and should vary based on industry, country, size,
is another factor DOJ and SEC evaluate when
and nature of the transaction, and the method
assessing a company’s compliance program. 334
and amount of third-party compensation.
One-size-fits-all compliance programs are
Factors to consider, for instance, include risks
generally ill-conceived and ineffective because
presented by: the country and industry sector,
resources inevitably are spread too thin, with too
the business opportunity, potential business
much focus on low-risk markets and transactions
partners, level of involvement with governments,
to the detriment of high-risk areas. Devoting a
amount of government regulation and oversight,
disproportionate amount of time policing modest
and exposure to customs and immigration in
entertainment and gift-giving instead of focusing
conducting business affairs. When assessing a
on large government bids, questionable payments
company’s compliance program, DOJ and SEC
to third-party consultants, or excessive discounts
take into account whether and to what degree a
to resellers and distributors may indicate that a
company analyzes and addresses the particular
company’s compliance program is ineffective. A
risks it faces.
$50 million contract with a government agency
in a high-risk country warrants greater scrutiny Training and Continuing Advice
than modest and routine gifts and entertainment. Compliance policies cannot work unless
Similarly, performing identical due diligence on effectively communicated throughout a company.
all third-party agents, irrespective of risk factors, Accordingly, DOJ and SEC will evaluate whether a
is often counterproductive, diverting attention company has taken steps to ensure that relevant
and resources away from those third parties policies and procedures have been communicated
that pose the most significant risks. DOJ and SEC throughout the organization, including through
will give meaningful credit to a company that periodic training and certification for all directors,
implements in good faith a comprehensive, risk- officers, relevant employees, and, where
60
