Last year, $2.5 billion in anti-bribery and corruption penalties were assessed against U.S. and foreign companies—revealing a disconnect between paper and practice for many of those companies that have established anti-bribery and corruption policies. What’s a law-abiding company to do?
Recent significant enforcement actions by U.S. authorities have shown that a company’s anti-bribery and corruption policy is simply not enough if the company doesn’t institute procedures to comply with that policy and doesn’t take steps to ensure that employees follow those procedures. Non-compliance can lead to penalties of hundreds of millions of dollars for violating the Foreign Corrupt Practices Act (FCPA).
At the end of 2016, the SEC and Department of Justice settled FCPA charges against JPMorgan Chase, which will pay a total of $264 million in penalties for its quid pro quo hiring practices in China. JPMorgan had an anti-corruption policy in place that expressly prohibited hiring relatives of clients in order to obtain business. In order to consider applicants with ties to clients or potential clients, but remain compliant with the bank’s policies, its Hong Kong subsidiary created a “Sons and Daughters” hiring program. The legal and compliance departments developed specific procedures to implement the program, including a questionnaire to be used as part of the applicant screening process. Nonetheless, the program was ultimately used to hire applicants manifestly unqualified for the jobs given to them, but whose hiring was “directly attributable” to business opportunities. As a result of the hires, the Hong Kong subsidiary secured investment banking engagements from state-owned entities and other clients on which it earned profits of “at least $35 million.”
As a result of its hiring practices, JPMorgan’s Hong Kong subsidiary secured investment banking engagements from state-owned entities and other clients on which it earned profits of “at least $35 million.”
And just a few months earlier, the SEC and Department of Justice settled charges against Och-Ziff Capital Management Group and imposed penalties of $412 million for paying bribes through agents, business partners and other intermediaries in five African countries in connection with transactions in those countries. The enforcement agencies found that Och-Ziff had “rigorous” anti-corruption policies on paper but ignored those policies in practice, ignoring negative due diligence, paying intermediaries through offshore shell companies, failing to monitor intermediary payments, and never auditing intermediary books and records.
Taking Compliance From Paper to Practice
What do these episodes have in common? Both involve a major global companies with robust anti-bribery and corruption policies in place. Yet their employees, and in many cases senior management, engaged in, facilitated or approved conduct that breached or circumvented those policies and thereby violated U.S. law.
What’s a law-abiding company to do? In short, work even harder to ensure compliance with its anti-bribery and corruption policy. It is not enough to adopt a policy, train employees to comply with the policy, or even provide them with the tools to comply.
Companies need to verify that compliance tools are really being put to use and that employees are disclosing complete and accurate information about potentially sensitive transactions and the exchange of items of value, such as gifts, dinners, employment and the like. Equally critical is keeping a close watch on compliance mechanisms and personnel. In JPMorgan Chase’s situation, for example, a number of systems put in place failed. Bankers falsified the compliance questionnaire created for use with the Sons and Daughters program. “High-level executives” in New York and Hong Kong openly discussed quid pro quo arrangements in their emails. A supervisory employee in Hong Kong maintained a spreadsheet tracking revenues attributable to the hires. Yet the bank’s legal and compliance departments failed to halt the violations – indeed, compliance employees in Hong Kong participated in the falsification of pre-employment questionnaires, including by using a template of the compliance questionnaire that had some answers pre-filled in—most notably that there was “no expected benefit” for hiring any candidate under the program.
Many of the companies suffering penalties have robust anti-bribery and corruption policies in place, and yet their employees engaged in conduct that breached or circumvented those policies and thereby violated U.S. law.
In Och-Ziff’s case, employees ignored company policies requiring legal or compliance clearance of deals with third parties, ignored policies requiring anti-corruption warranties in third party contracts, and ignored red flags that arose in due diligence. Several bribes were approved by the CEO, in some cases against the advice of his legal and compliance team, and the CFO approved and recorded in the company’s books and records numerous transactions and payments despite knowing that there was a high risk that they involved illegal bribes.
The lesson of these cases is that companies must make their anti-bribery and corruption policies effective in practice. This requires high-level commitment (“tone at the top”), periodic risk-based assessment of the policies, enforcement of the policies by senior managers with adequate resources and autonomy, communication to and training of employees, periodic certifications of compliance by employees, protected whistleblowing mechanisms, meaningful due diligence and compliance requirements for third-party intermediaries, and regular monitoring and testing of the effectiveness of the program. Otherwise, even the best anti-bribery and corruption policy becomes a dead letter.