FCPA compliance has become a permanent and accepted part of international risk management. As more companies put written policies and procedures in place to address these risks, enforcement authorities are shifting their attention to the effectiveness of those compliance controls: what are companies doing to ensure their policies are followed? This year, the DOJ and SEC have flagged three areas for particular scrutiny: (i) individuals; (ii) internal monitoring; and (iii) third-party risk shifting. The SEC’s first action in 2015, brought against engineering and construction firm PBSJ Corporation (PBSJ), illustrates all three.

Individuals matter – and DOJ and SEC plan to hold them accountable

Effective compliance requires buy-in from key stakeholders throughout the business units of an organisation. It is not enough to have good paper and a competent compliance team; business leaders should own compliance as well. In November of last year, at the ACI’s International Conference on the FCPA, senior enforcement personnel from both the DOJ and SEC reasserted their interest in scrutinising the leadership of any organisation with FCPA problems.

According to Patrick Stokes, chief of the DOJ’s FCPA Unit, the DOJ is very focused on prosecuting individuals as part of a well-rounded enforcement strategy. From his perspective, it is not effective to prosecute only the company. Going after one or the other is not sufficient for deterrence purposes. The assistant attorney general for the DOJ’s Criminal Division, Leslie Caldwell, echoed this sentiment, stating that the DOJ is committed to prosecuting individuals, and that she expects this to continue. Caldwell noted that of the more than 50 convictions of individuals in FCPA and FCPA-related cases since 2009, 25 have come since 2013, and this figure includes only those cases that are public at this time.

Apr-Jun 2015 issue

Ropes & Gray