Minimizing FCPA Risk on Two Fronts: Through Corporate Policy and Corporate Culture
Contributed by Alexandre H. Rene, Stephen L. Braga, and Anthony C. Biagioli, Ropes & Gray LLP
A common and justifiable refrain met the Securities & Exchange Commission (SEC)’s new whistleblower rules providing significant incentives for employees to disclose Foreign Corrupt Practices Act (FCPA), among other, violations to the SEC—that the rules would challenge internal corporate compliance programs to prevent, detect, and remediate FCPA and other violations. The resulting advice has been to double down on implementing effective policies, not only to detect and rapidly respond to violations once they occur, but to prevent them from occurring in the first place.
The advice is well-founded. Strong FCPA compliance controls—including comprehensive and understandable policies and effective training—are indispensable prerequisites to minimizing FCPA risk. Yet by themselves, they are insufficient. This is because the whistleblower incentives promise to alter the psychology of employee reporting. In general, an employee who reports up the corporate chain may do so out of a desire to help the company root out corruption. And an employee who reports to the government instead of the company possibly does so out of concern about the seriousness of a violation management may be unable or unwilling to rectify. Yet with the promise of a reward of potentially millions or even tens of millions of dollars, the whistleblower rules risk compounding the incentives to report externally. The risk is that no corporate compliance policy, no matter how necessary and effective, can change that.
The lesson in light of the whistleblower rules is thus not simply that strong policies are critical, although they are. It is that minimizing FCPA risk is as much about corporate culture as about corporate policy. Just as important as strong policies is a business culture that encourages open communication from the bottom up—and which rewards employees for doing so. Without both defenses, companies remain at a significant risk of being swept into the net of the government’s ever-expanding FCPA enforcement.
This article accordingly offers practical advice as to how companies might foster employee loyalty to the company and at least partially counteract the incentives to report potential issues outward. It focuses specially on empirical literature addressing whistleblower incentives. To incent internal reporting, the literature suggests that companies should facilitate bottom-up communication to promote employee voice, reduce excessive employee supervision, and, to the extent possible, decentralize company decision-making.
Dodd-Frank’s Whistleblower Rules and New Incentives for Employee Reporting
The FCPA prohibits U.S. public companies from making or promising payments to foreign public officials to gain a business advantage, and the U.S. government is enforcing it. The year 2010 saw eight of the ten largest monetary settlements for FCPA violations, exceeding $1.8 billion in total;1 the SEC has a unit dedicated to FCPA matters;2 and the government has targeted companies in industry-wide sweeps, including in the oil and gas, medical device and pharmaceutical industries.3 In a recent high-profile trial—one of the few cases in which a defendant did not simply plead guilty—a court ruled in favor of the government’s broad interpretation of the law, and then the jury convicted.4 The government’s ever-widening enforcement net has ensnared not just companies, but individuals—and some are going to prison.5
For companies and their management, a growing risk is that employee incentives to report potential FCPA violations to the government materially changed with the July 2010 passage of section 922 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.6 The law permits whistleblowers to receive between 10 and 30 percent of collected monetary sanctions for voluntarily provided original information leading to covered enforcement actions recovering over $1 million.7 Because FCPA penalties may exceed tens or even hundreds of millions of dollars, whistleblowers may easily recover tens of millions of dollars as a reward.8
On May 25, 2011, the SEC adopted rules implementing section 922. The rules took effect August 12, 2011.9 To be eligible for compensation, the individual must voluntarily provide original information to a governmental or self-regulatory organization relating to a possible violation of federal securities laws and leading to a successful enforcement action imposing monetary sanctions of more than $1 million.10 The rules explain in considerable depth the significance of the above terms.11
The risk to corporate compliance programs is abundantly clear: with the potential to recover tens of millions of dollars by reporting to the government, and the likelihood of receiving nothing by reporting a problem internally, employees may see no reason to utilize internal compliance policies, even those well-designed to investigate and remediate potential problems.
The SEC rules, in apparent recognition of the potential to undermine effective internal compliance processes, attempt to reduce the incentives to circumvent them in two ways. First, the rules provide that, in certain circumstances, providing original information to an internal compliance entity will be treated as if the whistleblower reported directly to the government—even if the company technically discloses first—if the individual provides information to the SEC within 120 days of reporting the information internally.12 And second, when determining the size of the reward, the SEC will favorably consider that the employee first reported internally.13
Of course, given the extensive and time-consuming steps required to internally investigate a possible violation—e.g., initial interviews and planning, transaction testing and related analysis, document collection and review, and interviews with potentially significant employees—120 days is frequently insufficient to conduct a proper investigation. And even if the SEC offered only the minimum reward because the employee did not report internally first—and there is no evidence this would be the case—10 percent of a reward of millions, tens of millions, or hundreds of millions of dollars could still be sufficient to incent the employee to bypass internal procedures.
The rules accordingly may place extraordinary strain on internal corporate compliance procedures.
Minimizing Risk on Two Fronts
— Effective Policies
In light of that potential, attorneys have offered clients universal advice, centered on the importance of implementing strong and effective compliance policies. It is undeniable that, with or without whistleblower incentives, effective policies and procedures are essential to minimizing FCPA risk.14 Such policies help prevent violations from occurring in the first place; detect violations when they occur; may help convince the Department of Justice (DOJ) to refrain from prosecution, possibly on a theory that a rogue employee surreptitiously flouted stellar compliance procedures; potentially help reduce a company’s sentence in the event of a conviction by reducing its sentencing score under the U.S. Sentencing Guidelines;15 and possibly set up an “adequate procedures” defense under the U.K. Bribery Act.16
— Corporate Culture
Faced with sizeable monetary incentives to report externally, however, corporate compliance policies, standing alone, do little to address what may be powerful external incentives to report possible violations. The academic literature does not appear to have directly addressed which factors contribute to internal reporting in the face of monetary incentives to report externally. One study assessed the comparative efficacy of various legal (not internal company) mechanisms to incentivize external reporting.17 Another addressed how to maximize internal reporting and employee rule-following, although it did not assess these mechanisms when an external reward was present.18 From this and related literature, lessons might be drawn for incenting internal reporting. It may not be precisely clear whether such incentives would be sufficiently strong when pitted against an external reward. But these strategies appear to be a company’s best bet to at least partially reduce the risk that an employee will report to the government, rather than up the corporate chain.
1. Offering Money to Promote Loyalty
A potentially obvious starting point is to find ways to increase employee loyalty and commitment to the company’s success, such as by offering employees stock options.19 Of course, if the external whistleblower incentive dwarfs the potential decline in the employee’s stock value—and, after a multi-million dollar FCPA settlement, it very well might—stock options alone may be ineffective. Yet they still may serve as part of a broader corporate program to promote employee investment and loyalty.
2. Incorporating Compliance Participation into Review and Bonus Structure
So too might making internal reporting of potential compliance issues an important component of an employee’s review and even bonus.20 This is not because the size of such a bonus could approach the magnitude of a potential SEC reward, but rather because it reinforces a broader company message about the importance of compliance. In addition, regardless of the bonus amount, employees could receive compensation from the company for reporting compliance concerns in the short term—not, for example, years later as in the case of a post-litigation whistleblower reward—which may further incent internal reporting.
3. Promoting Employee Voice and Responding to Expressed Concerns
A third, and possibly critical, effort companies can make to facilitate internal reporting is to encourage bottom-up communication and promote employee voice. One recent study found that an organizational emphasis on internal compliance and employee voice increased internal, and reduced external, reporting.21 Certain factors that affected external versus internal reporting—e.g., the conduct’s possible harm to the organization or society—will exist regardless of a company’s business culture. Yet some factors appear to be in management’s control. In the study, positive reaction from management increased internal enforcement and reduced the likelihood of external reporting for certain misconduct.22 Similarly important was communicating an expectation to report wrongdoing and that such reports would not trigger retaliation:
[O]ne of the most robust predictors of social enforcement was the perceived expectation to act. This factor was predictive of both external and internal enforcement, even when we control for all other factors. Its robustness demonstrates the importance of social and organizational norms and its independence from both organizational and social costs.23
Combining these two findings suggests practical steps businesses can take to increase internal reporting. At a minimum, companies should continuously encourage internal reporting and provide positive feedback to employees who share even speculative compliance concerns. Compliance officers should personally assure reporting employees that the company takes their concerns seriously and is committed to investigating and, where appropriate, remediating. And companies must follow through.24 Importantly, companies should not simply respond well to employee reporting (although responding well is critical). In addition, companies should seek out employees and proactively elicit employees’ suggestions on improving compliance, including even speculative compliance concerns. This may entail brief but regular one-on-one meetings between compliance officers and employees at practicable intervals.25 The goal is to integrate employees into the compliance process and acknowledge that they are trusted and essential participants.
4. Reduce Supervision and Empower Employees
A fourth possible step to promote internal reporting is to reduce excessive supervision and decentralize company decision making to permit lower-level employees to exercise discretion in their work and suggest innovations.26 This reflects the degree to which broad features of a business culture may impact specific compliance goals. Some studies have shown that excessive supervision risks fostering mistrust and reduced motivation.27 “The ‘embedded mistrust’ signaled by tight controls and commands creates an expectation of wrongdoing and cynicism about compliance.”28 “Top-down surveillance [thus] crowds out other mechanisms of compliance that are generated through ethical development and self-monitoring.”29
A tension, of course, exists between the oversight required to maintain an effective FCPA compliance policy and the reduced supervision suggested here. But just because there is an inherent degree of control and supervision required to effectively implement a strong FCPA policy, there seems no reason why such a requirement must permeate every aspect of an employee’s work life. For example, just because an FCPA policy limits the gifts and meals that can be provided to government officials, or requires due diligence as to prospective agents, there seems considerable potential for employees to otherwise exercise discretion in their day-to-day interactions.
Winning the War on Both Fronts
The ultimate lesson for businesses is that broad decisions that shape company culture—even seemingly fundamental ones, like the degree to which companies promote employee voice or supervision on a corporate reporting structure—can be relevant to the seemingly unrelated task of detecting potential FCPA violations. The reaction from businesses to the whistleblower rules should not be to simply lament the new incentives, or even to implement strong internal compliance policies and not go further. Companies must in addition think hard about how their corporate culture shapes incentives to report internally. Doing so may maximize the chances of employee reporting up the in-house ladder, so that rather than responding to government inquiries before the company knows what occurred, companies can detect and root out wrongdoing at the outset.
Steve Braga is a Washington, D.C.-based government enforcement partner with Ropes & Gray. He has been representing individual and corporate clients in grand jury and other regulatory investigations, as well as in federal and state courts at both trial and appellate levels, for thirty years. Steve also regularly conducts internal investigations into, and advises corporate clients concerning, potential Foreign Corrupt Practices Act issues. He can be reached at firstname.lastname@example.org.
Alex Rene is a Washington, D.C.-based government enforcement partner with Ropes & Gray. He has extensive experience representing corporate entities and their executives in connection with litigation and investigations arising out of white collar criminal prosecutions, grand jury investigations, criminal antitrust investigations, and corporate compliance matters. As an Assistant U.S. Attorney, Alex prosecuted matters involving mail, wire and procurement fraud, money laundering, and violations of the Travel Act and Foreign Corrupt Practices Act (FCPA), among other offenses. He can be reached at email@example.com.
Anthony C. Biagioli is an associate in the Washington, D.C. office of Ropes & Gray and a member of the firm’s government enforcement and antitrust practice groups. Anthony focuses his practice on representing corporate entities and their executives in government investigations related to the Foreign Corrupt Practices Act and federal antitrust and securities laws. He can be reached at firstname.lastname@example.org.
© 2012 Bloomberg Finance L.P. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of Bloomberg Finance L.P.