The SEC guards the integrity of U.S. markets and protects investors by requiring issuers to disclose material information about themselves and their directors and officers. However, the SEC doesn’t tell anyone what to say or how to say it. Those decisions are left to each company. That’s why disclosures about FCPA compliance and enforcement risks are so varied, and why it can be difficult to know for sure if disclosure is adequate under the law.
Here are a couple of actual disclosures about anti-bribery compliance programs. They’re from SEC filings this year and occupy the two ends of the range of such disclosures.
Short Form: “We have limited experience in complying with these laws and in developing procedures to monitor compliance with these laws by our agents.”
Long Form: “We, in the conduct of all of our activities, are committed to maintaining the core values of our Company, as well as high safety, ethical, and quality standards as also reported in our Quality Management System (QMS). We believe such a commitment is integral to running a sound, successful, and sustainable business. We devote significant resources to maintain a comprehensive global ethics and compliance program (Compliance Program) which is designed to prevent, detect, and appropriately respond to any potential violations of the law, the Code of Conduct, and other Company policies and procedures.
Highlights of our Compliance Program include the following:
• Comprehensive internal policies over such areas as anti-bribery; travel, entertainment, gifts and charitable donations to government officials and other parties; payments to commercial sales representatives; and, the use of non-U.S. police or military organizations for security purposes. In addition, there are policies and procedures to address customs requirements, visa processing risks, export and re-export controls, economic sanctions, anti-money laundering and anti-boycott laws.
• Global and independent structure of Chief Compliance Officer and other compliance professionals providing compliance advice, customized training and governance, as well as investigating concerns across all regions and countries where we do business.
• Comprehensive employee compliance training program that combines instructor-led and web-based training modules tailored to the key risks that employees face on an ongoing basis.
• Due diligence procedures for third parties who conduct business on our behalf, including channel partners (sales representatives, distributors, resellers), administrative service providers, as well as an enhanced risk-based process for classifying channel partners and suppliers.
• Due diligence procedures for merger and acquisition activities.
• Specifically tailored compliance risk assessments and audits focused on country and third party risk.
• Compliance Review Board comprised of senior officers of the Company that meets quarterly to monitor effectiveness of the Compliance Program, as well as product company and regional compliance committees that meet quarterly.
• Technology to monitor and report on compliance matters, including an internal investigations management system, a web-based anti-boycott reporting tool, global trade management systems and comprehensive watch list screening.
• Data privacy compliance policies and procedures to ensure compliance with applicable data privacy requirements.
• A compliance program designed to create an “Open Reporting Environment” where employees are encouraged to report any ethics or compliance matter without fear of retaliation, including a global network of trained employee ombudspersons, and a worldwide, 24-hour business helpline operated by a third party and available in approximately 200 languages.
• Centralized finance organization with company-wide policies.
• Anti-corruption audits of high-risk countries, as well as risk-based compliance audits of third parties.
• We have region-specific processes and procedures for management of HR related issues, including pre-hire screening of employees; a process to screen existing employees prior to promotion into select roles where they may be exposed to finance and/or corruption-related risks; and implementation of a global new hire compliance training module for all employees.”
Not all companies describe their anti-bribery compliance programs. Some never mention them. But most that do fall somewhere between these two extremes.
What can we say about the two examples? Is the Short Form too brief to meet the SEC’s standard of accurate and timely disclosure of material information? Conversely, should we conclude that the Long Form meets the SEC disclosure standard because it is comprehensive?
Maybe the Short Form is actually compliant. It sounds like an honest self-assessment and a fair warning to investors. The Short Form reminds us that not everyone is into anti-bribery compliance. The compliance profession is still a relatively small and highly specialized group. Inside a technology start-up, for example, there might not be anyone with working knowledge of anti-bribery compliance. That’s dangerous, of course. But better to admit the gap early rather than covering it up or ignoring it.
What about the Long Form? It’s a fantastic description of a compliance program. It shows how complex compliance can be, and how the company is responding with multiple layers of active protection. That should comfort existing and potential stakeholders, right?
Well . . . . .
Remember respondeat superior? It’s the doctrine in American law by which companies become strictly liable for criminal violations of employees or agents, even if the company had an effective compliance program. And in the real world, how do you monitor agents to make sure they aren’t paying or arranging bribes to foreign officials?
In other words, some anti-corruption compliance risks can’t be eliminated. They can be managed and monitored but not eliminated. It’s that ultimate risk that existing and potential stakeholders should be warned about. To describe an FCPA compliance program without talking about risk could give the wrong impression that everything is under control.
Most issuers handle this disclosure problem by using a three-part formula: (1) describe the FCPA and laws like it and what they require, (2) describe the company’s compliance efforts, and (3) describe why the company’s compliance efforts might not work and the potential results of non-compliance.
Here’s an example of an actual three-part FCPA disclosure. I’ve numbered the parts to make them easier to see:
(1) “We are subject to evolving anti-corruption laws, economic and trade sanctions, and anti-money laundering rules in several jurisdictions in which we operate, including the United States Foreign Corrupt Practices Act and the U.K. Bribery Act. . . .
(2) We have policies and procedures in place to assist us with monitoring the evolution of these laws and ensuring our ongoing compliance. We are continuously in the process of reviewing, upgrading, and enhancing these protocols.
(3) However, we cannot guarantee that our employees, consultants, or agents will not take actions that amount to a violation of these laws and regulations for which we may be ultimately responsible or that our policies and procedures will be adequate in protecting us from liability. . . If we are deemed to be in violation of any such rules, our business activities could be restricted or terminated. In addition, we could face civil and criminal penalties, including fines, which could damage our reputation and customer relationships and materially impact our results of operation or financial condition.”
Even among the many companies now using the three-part disclosure approach, there’s a lot of variation. As I said at the top, the SEC lets each issuer decide what to say and how to say it.
But as the Short Form and Long Form examples show, who knows how much disclosure about a compliance program is best (or adequate) for existing and potential stakeholders? Some companies favor less, others more. As our well-mannered English cousins might say, on the topic of compliance disclosures, opinions may differ.