Article by Managing Attorney, John Joy
Whether you run a business or work in compliance, one of the most frequently asked questions on the Foreign Corrupt Practices Act (FCPA) is: Do I have to train employees on FCPA compliance?
In this article we explain when a company has to train employees on FCPA compliance and which employees need to be trained. If you’re in a hurry, here are the takeaways:
- The FCPA is a law that applies to all U.S. companies, both public and private. Fines for violating the FCPA are usually millions of dollars and can include prison time for individuals;
- Publicly traded companies are likely legally required to train certain employees on FCPA compliance. Private companies on the other hand, are much less likely to have an obligation to do so;
- Determining which employees must receive FCPA training depends on whether the employee is exposed to bribery and corruption risks. It does not matter whether they are a foreign or domestic employee;
- Regardless of whether there is a legal obligation to train employees on FCPA compliance, there at least are 5 good reasons for companies to train employees on the FCPA.
This article was prepared by FTI Law’s Managing Attorney John Joy. John is an FCPA whistleblower attorney with almost a decade of experience advising on FCPA issues. John has represented numerous Fortune 500 companies in FCPA investigations and currently represents brave FCPA whistleblowers who anonymously report FCPA violations to the U.S. authorities. If you have a question on any of the material discussed in this article, feel free to contact FTI Law here.
What is the FCPA?
The FCPA is a U.S. law that prohibits bribery of foreign government officials. The FCPA has two core principles:
- All U.S. persons and companies are forbidden from bribing foreign government officials. (This is referred to as the FCPA’s ‘anti-bribery’ provision)
- Publicly traded companies must maintain a system of ‘internal controls’ to ensure that financial misconduct (like bribery) does not take place. (This is referred to as the FCPA’s ‘internal controls’ or ‘books and records’ provisions).
Both provisions work in tandem to prevent bribery and ensure that public companies have accurate books and records that investors can rely on. For more background on these provisions, check out the Department of Justice’s (DOJ) FCPA resource guide, which functions as an FCPA Bible for compliance personnel.
What is a Bribe?
The first core principle of the FCPA is that U.S. persons and companies are forbidden from bribing foreign officials. ‘Foreign official’ is a very broad term that covers all employees of a foreign government, including government agencies and institutions. For example, even low-level employees of a hospital or university could be considered foreign officials if the institution is owned or run by a foreign government.
For the purposes of the FCPA, a bribe occurs when someone gives or promises ‘anything of value’ to the foreign official with the intention of gaining something in return. Usually this happens when a company gives the foreign official something that is personally valuable to the official in exchange for favorable business treatment. Examples of bribery prohibited by the FCPA include giving cash, gifts, travel, entertainment, job opportunities or charitable donations where the motivation is to obtain a business benefit.
An important point to remember is that bribes are not always initiated by the company, sometimes they are explicitly requested by foreign officials. Simply because a bribe is requested by a foreign official does not exempt it from the FCPA. The exceptions to the FCPA’s anti-bribery provisions are extremely limited and rarely invoked.
What is a System of Internal Controls?
The second core principle of the FCPA is that publicly traded companies must have a system of internal accounting controls that ensure that the company’s money is spent in accordance with its policies and recorded properly in the company’s accounts. This provision of the FCPA tries to ensure that public companies have internal rules and procedures designed to stop financial misconduct and ensure that a company’s accounting records are accurate.
The FCPA does not specify a particular model of ‘internal controls’ for public companies to use, and leaves it up to each company to design its own controls based on the unique risks and circumstances presented by the company’s business. However, the DOJ and the Securities and Exchange Commission (SEC) have published detailed guidelines on what they view as the principles of a modern compliance program, and these guidelines should be read as instructions for building an adequate system of internal controls.
What are the Penalties for Violating the FCPA?
The FCPA is enforced by the DOJ and the SEC. This means that both agencies can investigate and fine companies for violating the FCPA. For corporations, FCPA fines regularly cost over a hundred million dollars and, on a handful of occasions, have even surpassed a billion dollars. Individuals can also face fines as well as up to 20 years in prison for criminal violations the FCPA’s anti-bribery provisions. If you are looking for a catalogue of previous FCPA fines and offences, Stanford University has a helpful database of prior FCPA fines that can be accessed here.
What is FCPA Compliance Training?
FCPA compliance training is training to help employees understand what the FCPA is, what the FCPA prohibits and requires, and most importantly, what a company expects an employee to do when faced with FCPA issues.
FCPA compliance training should teach employees how to recognize FCPA red flags and how to deal with situations where FCPA concerns arise. This should include training on prior cases brought by the SEC and DOJ which illustrate real world examples of FCPA violations.
FCPA training should be tailored to the role or business unit that the employee works in, so that the training can address situations the employee is most likely to encounter. Training should also provide specific advice on what the employee should do in those situations and how to report potential FCPA violations.
Compliance training can take many forms, but ideally it should be conducted in-person by a compliance professional. The training should take place in small groups where the employee is separated from their supervisor to give them the confidence and freedom to ask questions without fear of embarrassment or retaliation. While video instruction and online materials are helpful, there is no substitute for in-person training from an experienced compliance professional who can answer questions in real time.
Does a Company Have to Train Employees on FCPA Compliance?
Generally speaking, if a company is private, i.e. not publicly traded, it’s unlikely that the company has a legal obligation under the FCPA to provide employees with FCPA compliance training. However, if a company is publicly traded, it’s more than likely that the company is required to provide FCPA compliance training to certain employees.*
As mentioned above, publicly traded companies are legally required by the FCPA to have a reasonable ‘system of internal controls.’ There is no explicit rule stating that FCPA compliance training must form a part of this system, but if the company does business outside the U.S., it’s likely that the company has some exposure to the risk of FCPA violations. For example, any business outside the U.S. is likely to involve employees interacting with foreign officials who are customs officers, issuers of licenses or contracts, or who are in charge of purchasing goods on behalf of government institutions. These situations all present bribery and corruption risks, and therefore FCPA risks.
When there is an obvious FCPA risk, authorities such as the DOJ and SEC are likely to consider a failure to train employees on FCPA compliance, as a failure to maintain adequate internal controls. This would constitute a breach of the FCPA’s internal controls provisions.
*As companies are unique, there are various circumstances that could alter this analysis. Certain private companies without stock traded in the U.S. may in fact be legally required by contract, state or industry rules to train employees on the FCPA. Similarly, public companies may be able to avoid the obligation to train employees on the FCPA if compliance training on an equivalent foreign anti-bribery law is sufficiently similar, or if they have no functional risk exposure to FCPA violations. At base, there is no substitute for tailored legal advice on this subject and all companies should consult with experienced FCPA counsel before determining whether they have an obligation to train employees on FCPA compliance.
What Employees Must be Trained On FCPA Compliance?
If a company is required to train employees on FCPA compliance, the next logical question is: Which employees must be trained?
Training on FCPA compliance is most likely required for employees who are at risk of committing, assisting, facilitating or witnessing FCPA violations. In particular, this will include any employees who interact with foreign officials, approve discretionary payments or expenditure in foreign jurisdictions, or who are involved with obtaining licenses or contracts from foreign governments.
When looking at foreign and domestic (U.S.) employees, the analysis does not change. Whether the employee needs to be trained on FCPA compliance will depend on whether they are in a position to commit, assist, facilitate or witness an FCPA violation. For the purposes of legal training obligations, it does not matter whether the employee is foreign or domestic.
From a practical perspective however, FCPA compliance training is arguably more important for foreign employees than it is for domestic employees. This is because bribery of foreign officials usually takes place outside the U.S., meaning that foreign employees are more likely to be witness the violation.
How do I Report FCPA Violations?
For employees, reporting FCPA violations can be a daunting prospect. Reporting to the wrong person or organization can seriously affect an employee’s legal rights and could expose them to harassment, retaliation or worse. Even if a company provides a compliance hotline, which many companies do, reporting internally can mean the employee misses out on whistleblower protections or the potential to claim a whistleblower award for reporting the conduct. These legal protections can be critically important to help employees avoid retaliation and FCPA whistleblower awards can be substantial.
Any employee who has witnessed a potential FCPA violation or who is considering blowing the whistle on FCPA misconduct should speak to a qualified FCPA whistleblower attorney as soon as possible, and before reporting internally. Most whistleblower attorneys offer a free and confidential consultation which will give the employee all the information they need to make a decision on where, when and whether to report the violation. As whistleblowers often face harassment and retaliation for reporting FCPA violations, speaking with an FCPA attorney before reporting is essential to mitigate this risk.
For companies, reporting FCPA violations to authorities can also have major benefits including avoiding prosecution and reducing fines. Companies who believe they may have violated the FCPA should immediately contact outside counsel who can investigate the potential violation and advise on whether reporting is needed.
Five Reasons You Should Provide FCPA compliance training
While not all companies are required to give FCPA compliance training, all companies should strongly consider it. Here are the top 5 reasons every company should provide FCPA compliance training:
- Training prevents violations. FCPA fines regularly run over $100 million, meaning that a company could be financially devastated if even one of its employees violates the FCPA. Giving gifts and paying for entertainment can be customary when doing business in some parts of the world, and it’s possible that even well-intentioned employees can breach the FCPA without intending to. Implementing a system of FCPA compliance training can significantly reduce the chances that employees breach the FCPA, and therefore significantly reduce the chance that the company faces a multi-million dollar fine.
- Training increases reporting. Sometimes, despite the company’s best efforts, employees engage in FCPA violations. However, even if an employee violates the FCPA, if other employees in the organization have received proper FCPA compliance training, it is more likely that they will be in a position to recognize the violation and report it to the company. This increase in reporting gives the company a better chance at stopping further violations, mitigating the damage and taking appropriate action to reduce the risk of prosecution. For example, if the company identifies the violation and reports it to the authorities, the company has a good chance of avoiding prosecution.
- Training can lead to reduced fines. If a company has a robust corporate compliance program, this will be taken into account by authorities when deciding whether to prosecute an alleged FCPA violation and when determining how much a company should be fined, if a fine is appropriate. When a company has good FCPA compliance training, it increases the chances the company will avoid prosecution or receive a reduced fine.
- Training can improve productivity. FCPA violations are not only costly because of the potential for fines, they can also be an enormous waste of time and resources for a company. If business units don’t recognize FCPA red flags early, they can invest time and resources on deals and joint ventures that ultimately have to be scrapped because of compliance concerns. FCPA compliance training allows employees to recognize and avoid situations that will potentially lead to FCPA complications. By pursuing opportunities that are more compliance-friendly, employees can save the company time and resources, thereby improving business unit productivity.
- Training can enhance corporate culture. Failing to train employees on FCPA compliance can suggest that a company does not value corporate social responsibility. Corporate responsibility is increasingly being used by investors and prospective employees to select companies that they wish to invest in or work for. By investing in FCPA compliance training, a company can promote a healthy corporate culture of ethics and responsibility, which can benefit the company from an investment and employment perspective.