Skip to content


Harry Cassin
Publisher and Editor

Andy Spalding
Senior Editor

Jessica Tillipman
Senior Editor

Bill Steinman
Senior Editor

Richard L. Cassin
Editor at Large

Elizabeth K. Spahn
Editor Emeritus

Cody Worthington
Contributing Editor

Julie DiMauro
Contributing Editor

Thomas Fox
Contributing Editor

Marc Alain Bohn
Contributing Editor

Bill Waite
Contributing Editor

Russell A. Stamets
Contributing Editor

Richard Bistrong
Contributing Editor

Eric Carlson
Contributing Editor

The SEC is on an ‘internal controls rampage’ when it comes to third-party relationships

Over the last two years, the Securities and Exchange Commission has set its sights on distributor and reseller relationships, and excoriated companies that failed to adequately manage and supervise them. The focus on these third-party relationships is part of the agency’s broader application of the FCPA’s internal controls provision in an increasingly aggressive manner. Indeed, I believe the SEC is on an internal controls rampage, using the provision to ratchet up the minimum compliance obligations that public companies must apply to their third parties.

Let’s start with the SEC’s enforcement action against Stryker from 2018.  Stryker, a publicly-traded medical technology firm based in the United States, was accused of violating the internal controls provision of the FCPA for failing to adequately manage its distributor network in China.  Like many companies operating in large territories, Stryker made use of a so-called “hub and spoke” distributor structure, in which the company engaged a single third party to act as its primary distributor for the country.  This “hub” distributor in turn engaged sub-distributors (the “spokes”) to handle the resale of Stryker products to government customers throughout China. In some instances, more than one tier of sub-distributor stood between Stryker and the ultimate government customer; in some cases, sales involved “third, fourth, and even fifth tier sub-distributors.”

The SEC asserted that Stryker failed to adhere to the FCPA’s internal controls provision because the company failed “to vet, approve, train, and monitor its distributors and sub-distributors in China,” which “increased the risk of bribery and other improper payments in connection with the sale of Stryker products.”

For companies that utilize multiple distributor tiers – which is quite common in consumer and pharmaceutical products – the message is clear. The SEC expects companies to take a hands-on approach to their routes to market, and scrutinize the third parties that stand between them and their ultimate government customers. And remember, we’re focused here on internal controls, and a finding of insufficient internal controls is not dependent on a violation of the FCPA’s anti-bribery provisions. The SEC’s assertion in the Stryker case stands for the proposition that failing to conduct due diligence on multiple tiers of distributors is on its face a violation of the internal controls provision of the FCPA.

The SEC continued to concentrate on distributor and reseller controls in its enforcement action against Polycom, the U.S. manufacturer of telecommunications equipment. Polycom’s subsidiary in China used distributors and resellers to sell its products to government customers. Personnel at the company’s affiliate in China sought and received approval to give the distributors and resellers increased discounts, with knowledge that the third parties would use their profit margins to pay bribes to government customers.  Although obviously problematic, this misconduct is not what makes the Polycom settlement so significant. What makes Polycom stand out is the SEC’s concerns with the way the company reviewed proposed distributor and reseller discount deviations. The settlement indicates that Polycom allowed its management team in China to unilaterally approve product discounts up to a certain threshold.  If they wanted to exceed that cap, they had to seek approval from “Singapore-based personnel who worked for another wholly-owned Polycom subsidiary.”

When you stop and think about it, that’s a fairly robust control in and of itself. It suggests that Polycom required independent review of a separate business entity for discount deviations, presumably to ensure objectivity. Moreover, the SEC indicates that this wasn’t just a rubber stamp review.  The SEC notes that “[w]hen these Singapore-based personnel sought information regarding the reasons for particular discounts, Polycom China’s senior managers always cited legitimate concerns such as competition with other communications products providers or end-user budget constraints.” Those justifications no doubt sound familiar to many readers.

But according to the SEC, Polycom’s steps weren’t enough. The SEC found that Polycom violated the FCPA’s internal controls provision because it “failed to devise and maintain adequate controls to detect whether any reasons for discounts … were accurate.” In other words, the SEC believes that the FCPA’s internal controls provision not only requires companies to ascertain and document the reasons for offering increased discounts to distributors and resellers in specific transactions.  To satisfy a company’s internal controls obligations, it must look beyond those justifications and independently verify that they are accurate.

In other recent enforcement actions, we’ve seen the SEC drill down further on distributor and reseller discounts. In July 2019, Microsoft reached a settlement with the Department of Justice and SEC in which it paid more than $25 million in combined fines and penalties. According to the enforcement agencies, Microsoft personnel sought and obtained approval to pay discounts above the company’s standard rates for certain distributors and resellers that were reselling software licenses to foreign government customers. The inflated discounts were unfortunately used to fund bribes paid to foreign officials. This is certainly a bad thing to do. But again, we saw the SEC stake out a very aggressive position on internal controls. In particular, the SEC said that the company had insufficient internal controls in part because there was “no evidence that the additional discount was passed along to the government customer.”

The SEC doubled down on this position in its enforcement action against Juniper Networks, a U.S. networking and cybersecurity company. Juniper used third parties (which it referred to as “channel partners”) to resell networking equipment to foreign government customers. According to the SEC, Juniper personnel requested increased discounts for distributors in certain transactions, citing factors such as increased competition.  In reality, the increased discounts were not passed along to the end-user, but were retained by the distributors to help send government officials on some lavish non-working trips. Again, SEC painted with broad strokes and asserted that Juniper’s internal controls were deficient because the company did not confirm that increased discounts were given in full to government end users.


In the next post, I’ll talk about guidance from the DOJ and SEC concerning distributor and reseller relationships, and propose some steps companies can take that should help them avoid the SEC’s “internals controls rampage.”

Share this post



  1. Bill, do you think this will lead companies to insist on fewer layers of distributors to the final customer, i.e. have more wholly owned subsidiary representatives in-country that they directly control(instead of agents) that are customer facing in foreign countries? Could this lead to more expatriate US managers, since their personal stakes would be higher for an FCPA infraction?

    • Hi Scott, that’s a great question. I think the response will vary by organization. I expect many companies will continue to rely on third parties, but will take heed of the SEC’s views and enhance monitoring, training, and the analysis of discounts. Others may see the SEC’s views as increasing the risks beyond their comfort level and migrate from third parties to their own personnel (expat or otherwise). Still others may look at the SEC’s pronouncements as far too burdensome and simply chug along with what they’re already doing.

Comments are closed for this article!