Many of us scratched our heads in 2010 when the Oracle FCPA enforcement action came out. We didn’t understand how a company could be prosecuted, even civilly by the SEC, for internal controls or books and records violations, without evidence that bribes had been paid. But after the past few months, I think Oracle was a precursor to a strict liability standard that’s coming to FCPA enforcement.
My thinking on this issue began to change last fall with the Smith & Wesson (S&W) FCPA enforcement action.
In its administrative order, the SEC stated: “Smith & Wesson failed to devise and maintain sufficient internal controls with respect to its international sales operations. While the company had a basic corporate policy prohibiting the payment of bribes, it failed to implement a reasonable system of controls to effectuate that policy.”
(It should be noted that S&W did not ‘admit or deny’ any of the allegations made against it; the company simply consented to the entry of the order.)
All of this was laid out in the face of no evidence of the payment of bribes by S&W to obtain or retain business. This means it was as close to strict liability as it can be without using those words.
Kara Brockmeyer, chief of the SEC Enforcement Division’s FCPA Unit, said in an SEC release, “This is a wake-up call for small and medium-size businesses that want to enter into high-risk markets and expand their international sales. When a company makes the strategic decision to sell its products overseas, it must ensure that the right internal controls are in place and operating.”
The second factor is the updated COSO 2013 Framework that became effective in December 2014. For the compliance practitioner, the updated Framework also gives a precise model for the SEC to use when asking companies about their compliance internal controls.
Finally, under Sarbanes-Oxley (SOX) Section 404, public companies are required to report on the adequacy of their internal controls on financial reporting. I think where we are heading under FCPA enforcement is that if your SOX 404 reporting does not detail appropriate compliance internal controls, you may well be charged with an FCPA violation in a civil proceeding by the SEC.
Does that sound far-fetched? Maybe it is but, from where I sit, that is the direction I see the issue of internal controls going in FCPA enforcement. I believe a strict liability regime is coming under SEC enforcement of the FCPA. As a chief compliance officer or compliance practitioner in a public company, you need to be ready to defend your compliance internal controls.
Thomas Fox is a contributing editor of the FCPA Blog. He’s the founder of the Houston-based boutique law firm tomfoxlaw.com. A popular speaker on compliance and risk-management topics, Fox is also the creator and writer of the widely followed FCPA Compliance and Ethics Blog. His book Lessons Learned on Compliance and Ethics topped Amazon’s bestseller list for international law. He can be contacted here.