The Department of Justice and Securities and Exchange Commission’s Second Edition ofA Resource Guide to the U.S. Foreign Corrupt Practices Act offers very little that is truly new or groundbreaking—but a below-the-radar clarification to its discussion of the Foreign Corrupt Practice’s Act “internal controls” accounting provisions may have signaled a shift in FCPA enforcement.
Like the original manual published in 2012, the Second Edition provides a detailed compilation of information concerning DOJ and SEC enforcement of the FCPA. It also helpfully incorporates a broad range of policy and legal developments, as well as enforcement examples from the last few years.
The FCPA has two prongs: (1) anti-bribery provisions; and (2) accounting provisions. The accounting provisions consist of two components. First, the FCPA’s so-called “books and records” provision, which requires issuers to make and keep accurate books and records. 15 U.S.C. § 78m(b)(2)(A).
Second, the FCPA’s “internal controls” provision, which requires issuers to devise and maintain a system of internal accounting controls sufficient to assure management’s control, authority, and responsibility over the firm’s assets. 15 U.S.C. § 78m(b)(2)(B).
Although the accounting provisions were originally enacted as part of the FCPA, they do not apply only to bribery-related violations. Rather, prosecutors and enforcement attorneys often invoke these provisions when they cannot establish sufficient predication for an anti-bribery prosecution. For this reason, a significant number of FCPA enforcement proceedings relate to violations of the accounting provisions.
The Key Is Differentiating Between Internal Accounting Controls and Corporate Compliance
In the recently released Second Edition, the DOJ and SEC added the word “accounting” to the resource guide’s earlier language relating to the FCPA’s “internal controls” provisions, clarifying that the FCPA only targets deficient internal accounting controls. Second Edition at 40-42.
Although the change could be read to be nothing more than an adoption of the true text of the FCPA, other language added to the Second Edition creates uncertainty about how sharply the DOJ and SEC will differentiate between internal accounting control structures and different aspects of a corporate compliance program.
One sentence illustrates this tension, stating in helpful terms that “a company’s internal accounting controls are not synonymous with a company’s compliance program[,]” but continuing to state that “an effective compliance program contains a number of components that may overlap with a critical component of an issuer’s internal accounting controls.” Second Edition at 40.
The same section adds new language discussing different ways that internal controls and compliance programs must be tailored to operational risks, but nothing within the new language clarifies how the enforcement agencies intend to treat compliance program gaps that themselves do not directly “overlap with a critical component of an issuer’s internal accounting controls.”
This area of uncertainty is significant because the DOJ and SEC have a long history of trying to tether compliance program deficiencies to enforcement of the FCPA’s accounting provisions.
One particular area that bears watching is enforcement that intersects with the recent changes to the DOJ’s compliance program guidance that set new expectations regarding the use of and access to data in corporate compliance programs.
The DOJ’s updated compliance guidance signaled the importance of “data resources and access” by asking whether “compliance and control personnel have sufficient direct or indirect access to relevant sources of data,” including whether “impediments exist that limit access to relevant sources of data.”
These updated compliance program expectations take on a greater significance when viewed against the internal accounting controls language within the Second Edition. The DOJ has made clear that it is now a baseline expectation that corporate compliance programs should have adequate and timely access to data sources that are relevant to key areas of risk.
Alongside this expectation is a parallel focus on whether impediments exist to such access and, “if so, what is the company doing to address the impediments.”
Against this backdrop, it is difficult to imagine an instance where the DOJ would fault an issuer’s compliance program for knowingly lacking access to relevant transactional data and then simultaneously conclude that the issuer’s internal accounting controls passed muster under the FCPA.
Companies should not view the compliance program expectations as strictly a matter of compliance program evaluation. Substantive legal risks may also flow from the expectations put forward in that guidance.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Eric Sitarchuk is the leader of Morgan, Lewis & Bockius LLP’s white collar practice in the Philadelphia office. With more than 30 years of experience in this area, he advises clients in a wide variety of white collar criminal matters, False Claims Act and qui tam litigation, and FCPA and other complex federal and state investigations.
Matthew Miner leads Morgan, Lewis’ & Bockus’s white collar litigation and government investigation practice in Washington, D.C., with a particular focus on matters facing the DOJ and Congress. He served as the DOJ’s deputy assistant attorney general, overseeing federal prosecutors and supervisors within the Criminal Division’s Fraud and Appellate sections.
Jaclyn Unis Whittaker defends clients in government and internal investigations, with a focus on FCPA, False Claims Act, and other bribery and corruption related matters.
Amanda Robinson focuses her practice on white collar issues, including congressional inquiries and governmental and internal corporate investigations, including those arising under the FCPA, False Claims Act, and federal antitrust laws.