.jpg)
18 December, 2016
The advice below is taken from our years of experience as a specialized risk management rm built to help clients solve the complex challenges prevalent in today’s digital, connected, and regulated business world.
1. ACT QUICKLY
FCPA investigations can be triggered in a number of ways; routine internal audits sometimes reveal anomalies, but more often the trigger will be a whistleblower report (which may in-turn lead to a speci c auditing process). Information should be gathered as quickly as possible and in the early stages at least, should be handled very discreetly; reducing the threat of evidence tampering or remedial collusion amongst those sta involved in the potential violation. Although the extent of FCPA investigations can unravel quickly, you will need to try and establish the potential scope and seriousness of the problem as best you can and based on your initial information, focusing your subsequent investigation accordingly.
2. PRELIMINARY CONSIDERATIONS
After establishing the apparent scope of the problem, you will need to ask if this actually appears to be an FCPA violation (rather than an internal fraud, con ict of interest, malfeasance or other issue). If you do determine that the issue breaches FCPA laws (and/or other laws within the jurisdiction that the violation has taken place), you will then need to consider potential disclosure obligations to the U.S. Securities and Exchange Commission (SEC). If the whistleblower is anonymous, you will need to try and establish more information on the allegation from the informant, and even to persuade the whistleblower to con rm his or her identity (which will help to potentially determine the veracity/accuracy of the information), although this will be difficult if the allegation came in without some method to remain in contact; but do remember your duty to protect the whistleblower.
3. INVESTIGATIONS
As part of the FCPA compliance program that you should already have in place, you will have pre- determined who the key internal core-team members should be for the situation at hand and who will lead the team; a specific investigation plan will then need to be written (ideally an adaptable base-plan will already be drafted as an appendix to your FCPA compliance program documents). In these types of potentially complex investigations, the investigation plan should essentially be a ‘living document’ which can be amended/updated as the situation changes or new evidence comes into the investigation leader. The internal team will most likely consist of members from the legal, compliance, risk, audit and HR departments. At this point you will need to decide whether to involve independent specialist consultants to handle the investigation and whether to engage outside legal counsel.
4. THE INVESTIGATION AND DECISION WHETHER TO INVOLVE INDEPENDENT CONSULTANTS
The range of professional skills and expertise that may be required in a complex FCPA investigation may not be available in-house: actions required would typically include digital forensics – the acquisition, preservation and review of computer evidence; eDiscovery for the review of large volumes of data; a review of books and records by forensic accountants to identify suspicious transactions etc.; discreet on-ground due diligence and intelligence inquiries into third parties identi ed as the investigation develops (which may either con rm or deny that payments have been made to foreign government o cials or entities); and appropriately handled interviews of internal sta and third parties (particularly in overseas jurisdictions where there are language and cultural considerations). At each significant stage of the investigation, all of this data will be need to be reviewed and analyzed for its significance and to chart the course of the investigation into the next phase.
As well as the above expertise, the external investigation rm will also conduct the investigation so that any pertinent information identi ed will be gathered in a legal and ethical way, in accordance with local laws, and which would be able to be used in evidence, if necessary, at a later stage. There is also some argument to suggest that should the FCPA violation come to the notice of the SEC (either through self-reporting or a whistleblower direct to them), the involvement of independent external consultants may gain some credits for your firm.
5. THE DECISION FOR OUTSIDE COUNSEL
Similarly, outside counsel can bring a higher level of legal experience and expertise, particular if the violation involves overseas operations (e.g. China), and complex legal, data-privacy and cultural issues may be at play, and where the deployment of local counsel may be appropriate. Legal communications will also be protected as privileged (to what extent will depend on the jurisdiction). If ultimately, the regulatory authorities get wind of the violations, the involvement of external counsel will help reassure the authorities that the investigation has been conducted independently of company interests.
6. INTERNAL AND EXTERNAL COMMUNICATIONS
The internal investigation team or the designated leader will need to brief the board, or an appropriate subcommittee of the board on the situation, particularly as FCPA violations will likely be a large corporate risk to your rm. Depending on your company, you may require senior buy-in if you believe it prudent to involve an external investigation firm or outside counsel. You may also need to provide recommendations to the board on whether you should self-report or not (at that stage). Other stakeholders to be noti ed will likely include selected employees of the HR, legal, compliance and communications teams.
If a whistleblower is involved, there will certainly be a possibility of public disclosure. In such a situation your communication team must be ready to act quickly and have appropriate messages already prepared for internal sta , public media, investors and regulatory authorities as may be appropriate.
7. POST INVESTIGATION – REMEDIAL ACTION
Depending on the outcome of the initial stage of the investigation, it may be (hopefully) short, or may drag on for months or even years. It will be important to determine what remedial actions need to be taken; in the case of a long investigation, there is frequently no reason why these actions should not be taken whilst the investigation remains ongoing and could include: changes to compliance policies and procedures, improvements to internal controls, and action against employees or involved third parties.
You may also wish to consider whether to self-report to the regulatory authorities at some point during the process. Although there are mixed views on the benefits or otherwise of self-reporting, some commentators argue that it is better to first conduct the investigation, then identify and fix the issues; then if the regulatory authorities come knocking on your door, be prepared to fully cooperate with a full prepared package detailing the issues, what investigations were conducted into the issues and what subsequent remedial action took place. However, your legal counsel will provide the best advice on this aspect.
WHAT ACTION SHOULD YOU NOW TAKE?
- Review your policy, does it need updating?
- Review your internal team, does everyone know and understand their role?
- Review or source your independent external experts
- When did your sta last receive training, is it time to renew this?
For further information, please contact:
Bill Sims, Managing Director, Stroz Friedberg
bsims@strozfriedberg.com
