Here’s a compliance plan to address the SEC’s ‘internal controls rampage’

In the prior post, I described recent FCPA enforcement actions — involving Stryker, Polycom, Microsoft, and Juniper Networks — which show that the SEC is on an ‘internal controls rampage’ involving the way issuers (public companies) establish and manage relationships with third parties, particularly distributors and resellers.

It is noteworthy from the enforcement record that the SEC does not appear to draw a distinction between distributors and resellers. There are likely several reasons for this. First, there are no universally accepted definitions for these terms. What one organization calls a distributor, another company might call a reseller. Indeed, as noted above, Juniper Networks eschewed both terms, and designated the third parties that purchased and resold its products as its channel partners.

Second, even if we can draw a distinction between distributors and resellers, that distinction is likely irrelevant under the FCPA. In many companies, a distributor is engaged under a long-term written agreement to promote the company’s products on an on-going basis. By contrast, a reseller doesn’t maintain an on-going agreement with the company. Instead, a reseller purchases products for resale on an episodic basis, without significant coordination with the company. While there are meaningful differences between these relationships from a business perspective, there is nothing in the plain language of the FCPA that suggests these relationships should be treated differently, or that they create different degrees of corruption risk.

Let’s start with the FCPA’s third-party provision. The plain language of the provision imposes liability for bribes perpetrated by “any person.” It does not draw a distinction between a distributor and a reseller. If a company has knowledge that a reseller will engage in improper conduct in connection with the resale of the company’s products, liability will attach. Moreover, remember that knowledge is broadly defined under the FCPA, and is not limited to actual knowledge. Indeed, according to the legislative history of the 1988 amendments to the FCPA, knowledge includes “conscious disregard,” “willful blindness,” “deliberate ignorance,” and the dreaded “unwarranted obliviousness” (perhaps one of my favorite phrases of all time).

Third, the DOJ and SEC have made their views abundantly clear in the Resource Guide that both distributors and resellers create vicarious liability under the FCPA.  On page 58 of the Resource Guide, the agencies admonish companies to scrutinize the payment of “excessive discounts to resellers and distributors” without drawing a distinction between the two.

Finally, let’s return to my core premise – that the SEC is on an internal controls rampage. We can debate whether the FCPA’s third party provision creates liability for the reseller who occasionally purchases products for resale, but ultimately, that doesn’t matter. The internal controls provision on its face is subject to a strict liability standard. Read the provision, and you’ll see no mention of state of mind for civil violations. The determination of whether a company has sufficient internal controls is binary – either it does, or it does not – and the sole arbiter is the SEC.

What, then, should companies do to address the SEC’s focus on distributors and resellers?

First and foremost, understand your route to market. If multiple tiers of distributor/reseller stand between you and a government customer, ascertain their identities and conduct risk-appropriate due diligence.

Second, ensure that your organization has built a sound business justification for the size of third party discounts. Just as commissions must be reasonably commensurate with the services rendered by a sales representative, the discount offered to a distributor or reseller should reflect a reasonable profit margin for their efforts.

Third, if your organization will permit deviations from standard discount rates for individual third parties or transactions, ensure you understand and thoroughly document why that’s necessary. If the business folks say that there’s substantial competition for a particular transaction or customer, ask them to identify the competition, and explain why their pricing is better than yours. If the rationale for an increased discount is customer price sensitivity, understand where that information came from, and why their budget is particularly constrained in this instance. I acknowledge that this will require some elbow grease and demand additional compliance bandwidth, but companies have been adapting to an ever-expanding interpretation of the FCPA for more than fifteen years now.

Ultimately, the SEC is not shy about staking out an aggressive position on whether a company’s third party controls are satisfactory. Moreover, the SEC is taking an undeniable lead in FCPA enforcement against business entities. Over the last five years, only one year – 2017 – saw more DOJ enforcement actions against companies than SEC enforcement actions. In every other year over that time period, there were significantly more SEC actions. Indeed, over the last five years, SEC enforcement actions have exceeded DOJ actions by a factor of 1.5 to 1. In the current environment, I believe that companies ignore the risks posed by their distributors, or the one-off or occasional reseller, at their own peril.


1 Comment

  1. Thanks Bill – great articles on an important topic 🙂

