In 1977, the U.S. Congress enacted the Foreign Corrupt Practices Act (FPCA) to bring a halt to the bribery of foreign officials and to restore public confidence in the integrity of the American business system after government investigations found that more than 400 U.S. companies admitted making questionable or illegal payments in excess of $300 million to foreign government officials, politicians, and political parties. Today, U.S. firms seeking to do business around the world must be familiar with the FCPA.

In general, the FCPA prohibits corrupt payments to foreign officials for the purpose of obtaining or keeping business. The FCPA has had an enormous impact on the way American firms do business. Several firms that paid bribes to foreign officials have been the subject of criminal and civil enforcement actions, resulting in large fines and suspension and debarment from federal procurement contracting, and their employees and officers have gone to jail. To avoid such consequences, many firms have implemented detailed compliance programs intended to prevent and to detect any improper payments by employees and agents.

Author Philip Urofsky is special counsel in the Business Fraud & Complex Litigation Group with the law firm of Cadwalader Wickersham & Taft LLP in Washington, D.C. He was previously a prosecutor in the Fraud Section at the U.S. Department of Justice, where he was responsible for supervising and conducting investigations and prosecutions of violations of the Foreign Corrupt Practices Act.

Every action that a corporation takes, whether overseas or in the United States, is necessarily through the acts of one of its officers, employees, or agents. Under laws in certain countries, corporations can be held liable for the wrongful acts of such individuals. Corporations often are made up of thousands of officers, employees, and agents, frequently spread over a large geographic area. If one employee in a corporation engages in a corrupt activity, the entire corporation may be held liable for the act of that one person, regardless of his or her position or rank in the company.

Compliance Programs

To address these issues, many corporations in the United States have created detailed and comprehensive compliance programs to ensure that the company's officers, employees, or agents understand how to apply U.S. laws like the Foreign Corrupt Practices Act (FCPA) in everyday business dealings. Although compliance programs were originally designed to prevent legal problems for the corporation, the U.S. government has recognized the value of these programs as a form of "soft law enforcement" and encouraged their development.

A compliance program needs to address the specific risks that a corporation faces. One of these risks, both in the United States and overseas, is that a corporate officer, employee, or agent may offer, or be solicited to offer, a bribe to a government official to obtain some advantage or to avoid something negative from happening to the corporation. For U.S. corporations with international operations, this usually is referred to as FCPA risk, i.e., the risk that the corporation may be prosecuted by the U.S. government under the Foreign Corrupt Practices Act, as well as by foreign governments under foreign antibribery laws.

Best Practices

When developing a compliance program, there is no single set of best practices that will assure a company that it is safe from FCPA risk. Indeed, in many ways, the number-one best practice is to design a program that addresses the specific risks faced by a specific business organization. There are, however, procedures and controls and other business techniques that have been proven to yield results that may help a company develop its own, customized compliance program.

The number-two best practice is that the compliance program must be aligned with the type of business a company does overseas and how it does business. For example, companies whose main customers are governments, such as in the defense industry, or whose products are heavily regulated, such as insurance companies or banks, obviously have considerable interaction with government officials, and the company can target its compliance efforts at those interactions and at the employees involved in them. On the other hand, companies such as pharmaceutical companies, who sell to a broader range of customers, some of whom may be governments or government employees, must implement a compliance program that targets their entire sales force.

The number-three best practice is that the compliance program must be promoted, in a credible way, by senior management—known as "tone at the top"—as the way in which the company does business. The message that must be conveyed to all of the company's officers, employees, and agents is that the compliance program is not some form of overly bureaucratic procedure that distracts from and obstructs doing business or even that it is a "necessary evil." Instead, senior management should embrace the program as a reflection of the corporation's values and a way to ensure that the company is successful over the longer term. Management should emphasize that using improper methods to accomplish a short-term success, such as winning a specific lucrative contract, could lead to long-term failure if the company loses its reputation for honesty and integrity, is subject to enforcement actions by one or more governments, and is potentially excluded from bidding for future government business.

There are certain basic elements to an FCPA compliance program. These include:

• Training: All employees doing business overseas, even if based domestically, should be trained concerning the substance of the FCPA prohibitions and the specific procedures adopted by the corporation to address FCPA risk. Further, as both the workforce and the procedures may change over time, this training should be repeated on a regular basis, and the company should ensure that all employees attend the training.

• Customized message: Although I have referred to FCPA risk, the real risk is corruption, whether in violation of the FCPA or another country's antibribery laws. When training non-U.S. employees, a corporation should explain why the FCPA is relevant (because the parent company is a U.S. company and subject to U.S. law) but also emphasize the importance of complying with all laws. Although corporations obviously want to convey a uniform message to their employees around the world, they should also address local concerns and laws through the training.

• Due diligence on agents: Prior to hiring someone to act on the corporation's behalf, the corporation must conduct due diligence to assure itself that it is not hiring someone that will get it in trouble. Through personal interviews, questionnaires, independent research, and references, it should assure itself that the agent is qualified and has a reputation for integrity and honest business dealings.

• Due diligence on third parties: Prior to engaging in business with a third party, whether as a business partner, subcontractor, joint venture partner, supplier, or service provider, the corporation must conduct due diligence to assure itself that it is not improperly providing funds to a government official. This issue could arise when the government official is an owner of the third party or will otherwise directly benefit from the business, or when the government official will indirectly benefit because the third party is owned by or employs a close relative of the government official. In most cases, this kind of due diligence is accomplished through asking the third party to fill out a questionnaire identifying its owners, officers, and significant managers and then verifying this information through public sources and references, and, in many cases, conducting in-person interviews with potential third parties.

• Contractual terms: Companies should require in their contracts agents and third parties to agree not to make unlawful payments and, importantly, ensure that they can sever the business relationship should the agent or third party violate that agreement. Depending on the type of business and relative leverage of the parties, the company should also seek the ability to audit expenditures of funds by the agent or third party that relate to the company's business.

• Internal books and records: An important aspect of a compliance program is to ensure that employees create an auditable record that they conducted the necessary due diligence and controlled the expenditure of corporate funds. At one level, this is no more than good business; on a legal level, it ensures that should there be an allegation that the company made an improper payment, it can demonstrate either that the payment was not made or that the payment was made without its authorization and against its clear policies and procedures.

• Periodic audits: Companies with either external or internal auditors—or both—should ensure that appropriate audits are conducted both of the compliance program itself and of books and records relating to areas of the business facing FCPA risk. In a perfect world, such audits will confirm that there are no problems or issues. In the real world, they may suggest areas in which additional controls are required, areas in which the compliance program no longer tracks the business organization, and employees or groups of employees who would benefit from additional training. In the worst case, they may reveal past or ongoing violations of the law that the company will need to address quickly.

No compliance program can prevent a determined effort by a single employee, or group of employees, to evade corporate controls, nor will it be effective without the support of senior managers throughout the organization. A properly designed program, however, adopting best practices to the specific needs of the company, should help detect and deter wrongful conduct and enable a company to focus on its business.

The opinions expressed in this article do not necessarily reflect the views or policies of the U.S. government.