The Foreign Corrupt Practices Act ("FCPA" or "the Act") prohibits bribery of foreign public officials in order to obtain or retain business. In addition to its anti-bribery provisions, the FCPA contains accounting provisions related to bookkeeping and internal controls. Among the FCPA accounting provisions, the books and records provision requires issuers to make and maintain accurate books, records and accounts, and the internal controls provision requires that issuers devise and maintain reasonable internal accounting controls aimed at preventing and detecting FCPA violations.

In recent years, the number of FCPA enforcement actions initiated by the U.S. Department of Justice ("DOJ") and the U.S. Securities and Exchange Commission ("SEC") that include an internal controls charge have increased, and may signal a shift toward a broader application of the internal controls provision of the Act. There is real concern that the DOJ and SEC may be setting the stage to charge independent directors for knowingly failing to implement and/or maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions and assets are properly authorized and recorded.

This short article highlights the recent enforcement actions that have included an internal controls charge, discusses the threat of broader internal controls prosecutions against directors, and provides some guidance for directors in light of the potential for increased prosecution of internal controls violations.

A. The Rise of the Internal Controls Charge

With respect to internal controls, the FCPA mandates that every issuer of publicly traded securities required to file periodic reports with the SEC devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that:

1. Transactions are executed in accordance with management's general or specific authorization;
2. Transactions are recorded as necessary to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and to maintain accountability for assets;
3. Access to assets is permitted only in accordance with management's general or specific authorization;
4. The recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.¹

Further, according to the statute, "no person shall knowingly circumvent or knowingly fail to implement a system of internal accounting controls or knowingly falsify any book, record, or account" described above.²

Although the SEC has brought civil charges against companies and individuals with internal controls violations in FCPA matters since 1996, the DOJ first brought criminal charges against a company for an internal controls violation in 2008.³ Since 2008, the DOJ has increasingly charged internal controls violations, in conjunction with the SEC. For example, in the most recent FCPA criminal enforcement action, U.S. v. Total S.A.,⁴ the DOJ alleged in its criminal information that Total "knowingly circumvented and knowingly failed to implement a system of internal accounting controls sufficient to provide reasonable assurances that transactions and dispositions of Total's assets complied with applicable law." In support of this allegation, the DOJ stated that Total:

(a) failed to implement adequate anti-bribery compliance policies and procedures; (b) failed to maintain an adequate system for the selection and approval of consultants; (c) failed to conduct adequate audits of payments to purported consultants; (d) failed to establish a sufficiently empowered and competent corporate compliance office; (e) failed to take reasonable steps to ensure the company's compliance and ethics program was followed; (f) failed to evaluate regularly the effectiveness of the company's compliance and ethics program;

(g) failed to provide appropriate incentives to perform in accordance with the compliance and ethics program; (h) concealed the consulting agreements' true nature and true participants; (i) performed no due diligence concerning the named or unnamed parties to these agreements; and (j) lacked controls sufficient to provide reasonable assurances that the consulting agreements complied with applicable laws.⁵

This list of compliance steps that Total was alleged to have failed to take provides a road map for companies looking to ensure that their compliance programs and internal controls meet the standards of the DOJ and SEC.

Another notable example of a recent internal controls enforcement action is the criminal information against Orthofix International.⁶ In that case, which was resolved with a deferred prosecution agreement, the DOJ charged Orthofix with violating the internal controls provision for having failed to maintain an effective anti-corruption compliance program and adequate financial controls. The DOJ's information alleged, among other things, that Orthofix had not translated its anti-corruption policy into Spanish, and that the company had not trained its employees on its anti-corruption policies.

Internal controls charges also have been brought against individuals. In general, because most of the individuals charged under the FCPA to date have been directly involved in bribe payments or payment falsification, internal controls violations are often charged in addition to other FCPA-related charges.⁷

In 2009, the SEC brought an enforcement action against two senior executives of Nature's Sunshine Products, Inc. for their alleged knowledge of improper payments made by their subordinates to Brazilian customs officials.⁸ The SEC charged the executives based on control person liability, alleging that they failed to (1) adequately supervise their personnel; (2) ensure accurate books and records were kept, and (3) ensure that proper internal controls were being maintained. In charging the executives under the control person liability theory, the SEC did not allege that the executives had personal knowledge of the payments, but instead alleged knowledge due to their supervisory position. The executives each agreed to pay $25,000 civil penalties. Prior to Nature's Sunshine Products, the government had not asserted control person liability in FCPA enforcement actions. The Nature's Sunshine Products case potentially marks the beginning of a shift in prosecution of those responsible with overseeing and monitoring internal controls, rather than merely those that circumvent controls or commit other violations of the Act.

B. SEC and DOJ's Next Frontier of FCPA Liability: Audit Committees and Independent Directors?

Importantly, the internal controls provisions of the Act are independent of the anti-bribery provisions. Thus, because there is no requirement that a deficient control be linked to an improper payment, a payment that does not constitute a violation of the anti-bribery provisions still may lead to prosecution if it is attributable to an internal controls deficiency. In other words, an executive or director may be exposed to an internal controls charge as a result of a corporation's violation of the anti-bribery provisions, but also in the absence of any anti-bribery provision violation.

Moreover, a director may face an internal controls charge for failing to implement the controls necessary to prevent improper payments, even where the director himself or herself is not aware of the improper payment itself.

To date, neither the DOJ nor the SEC has brought charges against an independent director solely for an internal controls violation. Of course, both the DOJ and the SEC have prosecuted individuals for FCPA violations, but all such individuals allegedly have committed a substantive, direct violation of one or more of the Act's provisions. In other words, the government has yet to levy an internal controls charge against an individual who was not directly involved in malfeasance related to the FCPA's anti-bribery or accounting provisions but instead is merely aware of the lack of internal controls in the company for which he or she is an independent director.

To be held criminally liable, a person must "knowingly" circumvent or fail to implement a system of internal accounting controls.⁹ The government, however, has taken a broad interpretation of the knowledge requirement. For example, the government has already begun to expand liability of parent corporations for the acts of their subsidiaries, even in cases where the parent corporation has no knowledge of the subsidiaries' corrupt actions, as was made clear in a recent enforcement action against Ralph Lauren Corporation. In that case, which was resolved via non-prosecution agreements with the DOJ and SEC, there was no evidence presented that Ralph Lauren Corporation was aware of the corrupt payments made by its Argentinian subsidiary.¹⁰ The same logic applies for the link between subsidiary action and parent corporation and the link between corporate executives and independent directors. If the government is willing to expand corporate liability for its subsidiary's actions, even without clear evidence of corporate knowledge of such acts, then it stands to reason that the government is willing to expand individual liability even to audit committee members and other independent directors responsible for maintaining adequate internal controls, even in cases where directors may be unaware of illegal payments.

As manifested in Nature's Sunshine Products, the government also is able to use the theory of control person liability to hold executives liable for lack of internal controls. Directors, in addition to executives, may be targets of enforcement actions because they have a duty to "attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards."¹¹

According to Delaware case law, director liability exists if there is a "sustained or systemic failure of the board to exercise oversight - such as an utter failure to attempt to assure a reasonable information and reporting system exists."¹² This means that it is the Board's duty to ensure that a compliance program is in place, and independently monitor the effectiveness of that compliance program. In fact, the DOJ and SEC guidance for FCPA compliance explicitly states that "compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company."

It would not be any stretch for the DOJ and SEC to invoke these same requirements for independent directors and audit committee members who are charged with oversight of a compliance program.

C. Guidance

In order to protect themselves from liability for internal controls violations, independent directors and members of audit committees should take the following steps:

• actively benchmark the corporate FCPA compliance program and internal controls against the compliance programs and controls of peer corporations;
• request an independent assessment of the company's FCPA internal controls;
• make sure the company has a strong overall compliance strategy;
• carefully document the sufficiency of internal controls and be mindful of audit reports;
• follow up on any reports of misconduct and, if necessary, commence an internal investigation using counsel that is independent from management counsel;
• ensure independent directors and committees have the resources and authority to make changes if necessary;
• have candid conversations with external auditors regarding FCPA controls;
• consider whether FCPA violations could occur if more robust controls were in place and whether wrongdoers are able to take purposeful steps to circumvent those controls.

The accounting provisions of the FCPA already have an expansive reach and can create pitfalls to corporations and their employees. In addition, the internal controls provision can pose a particular risk to board members, audit committee members, and other independent directors. These risks should not be taken lightly, given the recent increase in internal controls violations charges by the DOJ, and the continued use of the internal controls charge by the SEC.

Endnotes

¹ 15 U.S.C. § 78m(b)(2)(B).
² Id. at § 78m(b)(5).
³ U.S. v. Siemens Aktiengesellschaft, No. 1:08-cr-00367-RJL (D.D.C. 2008).
⁴ No. 1:13-cr-239 (E.D. Va. 2013). Total entered a deferred prosecution agreement for its FCPA related charges.
⁵ Information, U.S. v. Total, S.A., No. 1:13-cr-239 (E.D. Va. 2013). The SEC's cease and desist order against Total included the same facts and allegations.
⁶ U.S. v. Orthofix Int'l, N.V., No. 4:12-cr-150 (E.D. Tex. 2012); SEC v. Orthofix Int'l, N.V., No. 4:12-cv-00419 (E.D. Tex. 2012).
⁷ See, e.g., U.S. v. Peterson, No. 12-cr-224 (E.D.N.Y. 2012); SEC v. Uriel Sharef et al., No. 11-cv-9073 (S.D.N.Y. 2011).
⁸ SEC v. Nature's Sunshine Products, Inc. et al., No. 09-0672 (D. Utah 2009)
⁹ 15 U.S.C. §78m(b)(5).
¹⁰ Press Release, U.S. Sec. & Exh. Comm'n, SEC Announces Non-Prosecution Agreement With Ralph Lauren Corporation Involving FCPA Misconduct (Apr. 22, 2013), available at http://www.sec.gov/news/press/2013/2013-65.htm; Press Release, U.S. Dep't of Justice, Ralph Lauren Corporation Resolves Foreign Corrupt Practices Act Investigation and Agrees to Pay $882,000 Monetary Penalty (Apr. 22, 2013), available at http://www.justice.gov/opa/pr/2013/April/13-crm-456.html.
¹¹ In Re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. 1996).
¹² Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006).