The corporate compliance community glimpsed a rare event in August: a federal court decision, U.S. v. Hoskins, tried to define the limits of individual liability under the Foreign Corrupt Practices Act.
Court rulings about the scope of the FCPA are rare. This decision is even more important because of its potential reach, as it came from the Second Circuit Court of Appeals in New York, the jurisdiction that’s home to a large number of global corporations.
In this case, the defendant Lawrence Hoskins worked for Alstom S.A., a French construction conglomerate that doesn’t trade on U.S. stock exchanges. Hoskins is a British citizen who was employed by Alstom’s UK subsidiary and also worked for another Alstom subsidiary in Paris — where, U.S. prosecutors alleged, he helped to arrange bribes that an American subsidiary of Alstom paid to government officials in Indonesia.
Hoskins was charged with conspiracy to violate the FCPA for his role in the bribery scheme. Ultimately, the question on appeal became: Can a foreign national, working for a foreign company and never setting foot in the United States, be held liable for aiding and abetting others to violate the FCPA based on theories of conspiracy and complicity?
The Second Circuit said no; that such an extra-territorial reach extended beyond what lawmakers originally intended for the FCPA.
The appellate court, however, left open the question of whether Hoskins was acting as an agent of the U.S.-based Alstom subsidiary, and remanded this back to the trial court in Connecticut.
Based on the Hoskins ruling, what are the implications for a company’s compliance program?
First, Hoskins increases the importance of monitoring a company’s third parties, beyond initial onboarding. The ruling creates different standards of liability for intermediaries who are ultimately deemed “agents” and those who aren’t, so an individual who moves between those two categories may change the amount of corruption risk he or she brings to an organization. A compliance function needs to know when that happens.
For example, some intermediaries who believe they are agents might try to change their relationship with the company to some lesser status — under the logic that they would then be beyond the reach of the FCPA, giving them more discretion to pay bribes.
Compliance officers may want to revisit their policies for third-party governance: Who has permission to change the status of an intermediary, such as the services that party performs? What approvals are necessary? What new due diligence checks are required, if any?
An organization may also want to ensure that its analytics of intermediaries’ activity (transactions done, payments received, and so forth) stays sharp enough to provide the monitoring assurance needed.
Second, compliance officers will also need to police against opportunists inside and outside the organization. The Hoskins ruling created a class of at least some (possibly many) foreign intermediaries beyond the reach of the FCPA. So some employees and third parties might try to exploit that distinction, where those foreign nationals beyond reach do the dirty work of operating a bribery scheme.
Compliance officers will need to prevent that bad practice from taking root with clear training and attestations from employees and third parties. For example, compliance programs may want to acknowledge that the Hoskins limit exists, and then still demand high ethical standards for all individuals working in its orbit regardless.
What are the limits of the Hoskins ruling?
Hoskins determined that there are limits to the liability a company’s overseas intermediaries might face under the FCPA, but didn’t specify exactly where that line falls. Some foreign nationals may no longer be liable under conspiracy or aiding and abetting theories of FCPA prosecution. However, what Hoskins did leave open was potential agency liability; Hoskins could be prosecuted for FCPA violations if the government could establish that he was acting as an agent of Alstom’s U.S. subsidiary.
What does “agent” in this context mean? Lower courts will need to answer that question.
Moreover, the Hoskins ruling only applies to cases in the Second Circuit. The Justice Department may still argue its expansive theories of personal liability in other jurisdictions. Courts in other parts of the country might reach different conclusions than the Second Circuit did.
Finally, corporate liability under the FCPA remains unchanged. Many foreign nationals will still be personally liable under other theories of prosecution the Justice Department can still pursue, as the Hoskins ruling applies only to a small subset of potential defendants. Those foreign nationals may also face prosecution under their home country’s anti-bribery laws — and drag a company’s liability along with them.
In the practical challenges of running a modern compliance department, the Hoskins ruling reinforces the importance of strong third-party governance: thoughtful policies, implemented comprehensively; effective due diligence programs; monitoring of third parties, with analytics capability up to that task; and training for employees and intermediaries alike.
That was all true before the Hoskins ruling. It’s still true today.
Eric Lochner, pictured above, @ELochner1 is the President and CEO of global intelligence and software firm Steele Compliance Solutions, Inc. | @SteeleGlobal. Steele provides comprehensive third-party due diligence, software-as-a-service (SaaS) solutions that help organizations comply with regulatory third-party compliance requirements, and engaging compliance training, and integrated risk management. Eric has more than two decades of experience building successful global technology companies.
Please download Steele’s whitepaper, Managing Third-Party Risk in a World of Changing Compliance, to learn more.