FCPA Compliance: A Practical Guide for Identifying and Mitigating the Risk of Violations

The Foreign Corrupt Practices Act (FCPA), a U.S. law enacted in 1977, targets bribery and corruption in international business transactions. The FCPA generally applies to any U.S. business entity but becomes more relevant to companies operating in foreign countries and certain foreign companies operating in the United States. The law’s accounting provisions require entities covered by the FCPA to keep accurate books and records and maintain adequate internal accounting controls.

The Securities and Exchange Commission (SEC) and U.S. Department of Justice (DOJ) enforce the FCPA. Violations of the FCPA can result in fines, penalties, and criminal charges. Enforcement of the FCPA has increased considerably over the past decades, and both the DOJ and the SEC have expanded their roles from enforcers of anti-bribery laws to compliance regulators. Both private and public corporations are increasingly expected to adhere to a specific standard of FCPA compliance and to have compliance programs that are effective and hold up to DOJ’s scrutiny.

U.S. companies operating on the international playing field and foreign companies operating in the U.S. are both subject to the FCPA. In recent years, penalties exceeding $2 billion have been assessed against companies for FCPA violations. In 2023 alone, the SEC’s Division of Enforcement filed 784 enforcement actions, obtained nearly $5 billion in financial remedies, and awarded nearly $600 million to whistleblowers who reported their employers’ illegal activity. In this article, we provide insights into dealing with violations and offer practical ideas for mitigating risk.


Addressing FCPA Risks

The path to FCPA compliance is both proactive and reactive. 

A compliance program must align with the DOJ’s Evaluation of an Effective Compliance Program (as updated on Sept. 23, 2024), which serves as the Criminal Division’s guidance for prosecutors evaluating such programs. In addition, the DOJ has continued to enhance its expectations around effective corporate compliance by creating additional incentives for individuals to report information about criminal conduct directly to the DOJ.

Determining if your company’s compliance program is well designed, resourced, and working provides a basis for evaluating the program’s effectiveness. Strong internal controls and whistleblower hotlines can help organizations identify and address problems at the earliest stages, which may then allow the organization to self-report to the SEC and the DOJ. A robust compliance program that also includes ongoing employee training can reduce the potential for FCPA violations. 


Discovering FCPA Violations

Although effective internal controls and continuous monitoring of certain activities or transactions might catch potential acts of non-compliance, FCPA violations may come to light through various channels, including the following:  

  • Whistleblower hotlines: Employees may report potentially illegal or non-compliant activities through their organization’s whistleblower hotline or other reporting mechanisms that allow them to anonymously share their concerns about potential illegal acts, including FCPA violations. Routine monitoring, triage, and escalation of these reporting channels can increase an organization’s opportunities for early identification of potentially illegal activities.
  • Employee exit interviews: Some employees may feel uncomfortable discussing their observations of allegedly illicit activity while still employed, while others may be unaware of the organization’s whistleblower mechanism. Still others may innocently describe illegal transactions during an exit interview. Information that comes to light during employee exit interviews must be appropriately triaged and forwarded to the proper internal parties.
  • Internal audits: Companies may develop and maintain protocols designed to uncover potential regulatory violations or non-compliance, including internal controls evaluations; financial record reviews; third-party due diligence investigations; reviews of gift, travel, and entertainment expenses; and employee training opportunities. 
  • Routine business activities: During the regular course of business, an organization’s employees may notice suspicious activities that require further review. In some cases, the information may pass through the normal chain of command until a reasonable explanation is offered or an internal investigation is triggered.
  • SEC or DOJ notifications: Occasionally, the SEC or DOJ will already have been notified of potential illegal activities through their respective whistleblower awards programs: the SEC Whistleblower Program and the DOJ’s Corporate Whistleblower Awards Pilot Program. In such instances, either agency may initiate contact with an organization through informal means, such as phone calls or emails. More formal notifications — such as a Wells Notice, a Target Letter, a subpoena, or a civil complaint — alert an organization that an enforcement action is imminent or ongoing.

Regrettably, an organization’s first notice of an FCPA violation may arrive as a result of a whistleblower report made directly to the SEC or DOJ or arise from another investigation implicating a different organization. Both the existing SEC and new DOJ whistleblower programs have further incentivized individuals to notify them of potential illegal activities and violations. 


Understanding SEC and DOJ Whistleblower Programs

Reports of suspicious activity received through internal channels can be evaluated through substantive internal investigative work; self-reporting may then become an option. However, possible illegal behavior can also be reported directly to regulatory bodies — and updated FCPA, anti-bribery, and anti-corruption regulations have made the process easier and more lucrative for whistleblowers.

The SEC’s whistleblower program, created by the Dodd-Frank Act, encourages individuals to report illegal activities directly to the SEC. In return, people who divulge high-quality information that leads to an SEC enforcement action may receive between 10% and 30% of the money the SEC collects. For example, the SEC announced in August 2024 that it will be awarding two whistleblowers the sums of $4 million and $20 million, respectively, for their pivotal roles in an SEC enforcement action.

The DOJ’s Criminal Division Corporate Whistleblower Awards Pilot Program is designed to mirror and supplement other successful whistleblower programs managed by the SEC, the Commodity Futures Trading Commission (CFTC), and the Financial Crimes Enforcement Network (FinCEN). It is specifically targeted at private non-public health care programs, privately held companies and others that are not publicly traded, as well as cryptocurrency businesses. Information provided by whistleblowers through this program is intended to fill the gaps in other agencies’ whistleblower programs by advancing criminal investigations and prosecutions of compliance violations by financial institutions; foreign and domestic corruption, including violations of the FCPA and the Foreign Extortion Prevention Act (FEPA); and specific health care fraud that is not covered by the False Claims Act qui tam program. As in other programs, the whistleblower may receive a percentage of any civil or criminal forfeitures that result from a successful DOJ prosecution, subject to certain conditions. Additionally, the DOJ may decline to prosecute companies that voluntarily self-report potential violations in a timely manner.

Whether the FCPA violation is discovered through an internal or external channel, the organization’s leaders must respond in a manner that can withstand the scrutiny of investigators and be responsive to the organization’s stakeholders.


Making an Organized Response to an FCPA Violation

Reacting to a potential FCPA violation appropriately and in a defensible manner can significantly impact the outcome, the decision to self-disclose, and the resolution of the matter. In addition, amendments to the Corporate Whistleblower Awards Pilot Program give companies 120 days to self-disclose from the point of receiving a whistleblower allegation in order to benefit from the program’s presumption of declination (subject to other qualifying elements). An orderly response to any allegation often stems from plans established well before an incident occurs. Given the implications of self-disclosure, whether formal protocols are in place or not, the following eight tasks should be considered part of an organization’s course of action after learning of a potential FCPA violation: 

  1. Notify the Legal Department: A company’s general counsel or outside counsel should be involved as soon as an FCPA compliance issue is suspected or identified. Not only can counsel provide legal guidance at the outset of the process, but their work is generally protected by attorney-client privilege and the work-product doctrine. Early involvement also helps counsel prepare for any internal investigations or litigation that may arise from the incident and gives them the background information needed to make an informed decision regarding self-disclosure.
  2. Identify the parties involved: Although the investigation process will be fluid and expanding, it’s crucial to gain an early understanding of the parties within the organization who were involved with any suspicious payments or activities. Learning who knew of and authorized the payments in question may significantly impact the scope of any current or future investigations.
  3. Capture the data: One of the first things legal counsel will typically do is issue a legal hold to anyone associated with the identified potential issue or with knowledge about any transactions. This notifies them to preserve certain items that could be evidence that is needed during an investigation. These types of litigation holds are instrumental in gathering the facts and circumstances needed to understand a potential FCPA non-compliance. 
  4. Consider hiring independent expertise: Navigating potential FCPA violations requires the knowledge of complex laws and regulations that outside counsel may provide. Such expertise can assist in the investigative process and during potential interactions with the regulatory and enforcement authorities. In addition, evaluating the facts and circumstances surrounding any suspicious transactions will likely require the type of deep dive into the organization’s accounting systems and internal controls that typically is best handled by forensic accounting and investigations professionals. 
  5. Perform a preliminary investigation: Forming a plan of action requires knowledge of the facts and circumstances surrounding the suspected illicit activity. Consider using internal groups, such as the audit department, to gather transactional data for review. Be mindful of the independence of the internal team(s) used to perform such a preliminary review, as this might impact the reliance on their findings.
  6. Inform key stakeholders: It is critical to inform the organization’s Board of Directors and Audit Committee about the possible incident early in the process. In addition, briefing the company’s auditors can help them understand the company’s response to the allegations and the potential impact on current or past audits, and can help address the auditors’ obligations when such a disclosure is made.
  7. Assess the organization’s compliance programs: The strength of an organization’s compliance program may affect the outcome of an SEC or DOJ investigation. Questions regarding the effectiveness of the compliance program should include: Does the program include up-to-date training in FCPA compliance for employees? Is a whistleblower hotline in place? Has the organization engaged in due diligence for resellers and third-party vendors? Evidence of attempts to maintain good corporate governance can mitigate penalties in most cases.
  8. Keep communication channels open: In situations such as this, the organization’s reputation and financial well-being are at risk. As the investigation proceeds, communicate frequently with key stakeholders, including the Audit Committee, the Board of Directors, the C-suite, the Human Resources Department, compliance leadership, and the company’s auditors. 


Independent and thorough investigation of an FCPA violation demonstrates an understanding of the importance of internal controls, compliance programs, tone at the top, and training. Additionally, an organized response aids company leaders in developing a well-documented and defensible response to inquiries from government regulatory bodies. The results of an internal investigation may also steer the company toward self-reporting the incident through proper channels.


Mitigating the Risks of Future FCPA Violations

Assessment and remediation after a regulatory investigation can enhance an organization’s compliance program and, despite the human error element, can help reduce the risk of future violations. Taking a proactive approach can result in a robust compliance program that is rigorously enforced, updated, and maintained, signaling a developed culture of compliance within the organization. While there is no guarantee of leniency, the SEC and DOJ do consider the existence and effectiveness of compliance programs when determining penalties for FCPA violations.

Organizations may focus on several key areas to mitigate potential FCPA risks, including the following:

  • Compliance program maturity: An organization may begin by evaluating the maturity of its compliance program, focusing particularly on whether the program addresses its true compliance risks. Efficient allocation of limited resources hinges on a thorough review of the current compliance program to expose any existing vulnerabilities.
  • Transactions monitoring: Failing to implement data analytics strategies and continuous transaction monitoring technology that align with current regulatory expectations can be costly in the long run.
  • Reporting mechanisms: Employees need an accessible, confidential way to report potential violations. A working whistleblower program or similar mechanism is a critical part of an effective compliance program.
  • Training: Up-to-date training about FCPA compliance for employees and third parties not only can decrease the risk of non-compliant behavior but also demonstrates to regulators the organization’s proactive manner of addressing these risks.
  • Third-party due diligence: Organizations generally are held accountable for FCPA compliance failures that occur through third parties, including vendors and resellers. A thorough due diligence process is a must. Noncompliant and ill-trained third parties — especially when weak compliance measures are in place — can result in significant fines and legal action against the organization.


Compliance is a critical component of ethical business conduct, relying on thorough assessment of an organization’s processes to help ensure alignment with laws and regulations.


Is Your Organization Prepared To Manage FCPA Compliance?

Swift, decisive action is necessary when an organization identifies a potential FCPA violation. However, a robust compliance program can proactively address the risks associated with doing business in today’s strict regulatory landscape. 

Our Forensics team members have the experience and skill to assist in both proactive and reactive situations. Before trouble strikes, we can conduct strategic evaluations of your organization and your compliance ecosystems to address overall risk. We also can help prepare your response to government enforcement and inquiries from the DOJ, SEC, or foreign regulators. 

Our professionals come from forensic, accounting, regulatory, investigative, enforcement, litigation support and operational backgrounds, with extensive experience working with counsel and regulators. As accountants and forensic specialists, we can help you navigate highly technical and operational elements in a manner that is effective, defensible, and responsive to regulatory standards and expectations. 

Please contact our team to learn more about our Forensics and Investigations Services.