Joint ventures and mergers and acquisitions present especially complex issues relating to anti-bribery and corruption (“ABC”) risks, particularly for companies subject to either, or both, of the US Foreign Corrupt Practices Act (“FCPA”) and the UK Bribery Act 2010 (“UKBA”). Given the aggressive approach taken by law enforcement agencies in the United States, there is unfortunately no “magic bullet” solution to insulate a parent company from liability for FCPA violations by its subsidiaries, affiliates or joint ventures. The US Department of Justice (“DOJ”) and Securities and Exchange Commission (“SEC”) have pursued a variety of theories of liability to hold companies and individuals accountable for bribery, including aggressive interpretations of agency principles, and liability even for minority shareholders in certain circumstances. While this approach is mirrored by one of the UK’s main prosecutors of such offences, the Serious Fraud Office (“SFO”), in contrast, the UKBA codifies the blanket approach of creating potential liability for bribery committed by a company’s “associated persons” if the company has not adopted adequate procedures to prevent such wrongdoing.
In this article, we consider potential liability through affiliates, subsidiaries, and joint ventures and provide guidance on how strong and far-reaching anti-bribery and corruption controls should be to avoid exposure under either, or both, of the FCPA and UKBA.
1. Liability Landscape under the FCPA and UKBA
1.1 US FCPA
As a starting point, under the FCPA, direct liability may be imposed on parent companies which directly participate in their subsidiary’s bribery-related misconduct, for example, by approving improper payments made by subsidiaries. In one example, the SEC charged a parent company with violating the FCPA’s anti-bribery and accounting provisions when it made improper payments through several subsidiaries in foreign countries and falsely recorded the payments as business expenses “in some cases with the knowledge and approval of [the parent company’s founder and chairman of the board.”
But even if the parent company does not have sufficient involvement in, or knowledge of, the subsidiary’s misconduct to be charged with a violation of the FCPA’s anti-bribery provisions, it may still face liability under the statute’s “books and records” accounting provisions. For example, the SEC brought charges under the FCPA’s accounting provisions based on a parent company’s failure to maintain adequate internal controls over a subsidiary which participated in a joint venture that used consultants to bribe foreign officials. Notably, the subsidiary had attempted to avoid FCPA liability in connection with the joint venture by structuring its shareholding through minority investments and subsidiaries and by placing non-US citizens on the joint venture steering committee. Furthermore, the subsidiary had attempted to insulate its parent by concealing its true relationship with the consultants from the parent. None of these measures prevented liability; because the parent company had consolidated the subsidiary’s financial statements into its own, the parent company’s records thus reflected the subsidiary’s false characterization of the bribes as “consulting” or “services” fees, violating the FCPA’s accounting provisions.
Where the parent company has not directly participated in misconduct, but exercises control over the subsidiary or related person responsible for the wrongdoing, the DOJ and SEC have often pursued an “agency” theory to impose liability under the anti-bribery provisions of the FCPA. Indicia of control sufficient to establish the requisite agency relationship may include large ownership interests; majority representation in leadership structures; veto rights; commercial arrangements affecting control, such as operating agreements; and consolidation of operational management or of books and records. Courts examining agency principles in the context of FCPA enforcement actions against individuals have also emphasised factors such as a “right of interim control” by a principal over an agent’s actions, or “undisputed evidence of mutual assent and control over the details of the person and agency, such that the principal controls the details over the assignment.”
If an agency relationship exists and the subsidiary or related person is acting within the scope of authority conferred by the parent, their actions and knowledge are imputed to the parent and may form the basis for liability under the FCPA. In a recent example, the SEC alleged that Alcoa Inc. violated the FCPA’s anti-bribery provisions through the actions of its subsidiaries, even though no officer, director, or employee of Alcoa Inc. knowingly engaged in the subsidiaries’ bribery scheme. In that case, Alcoa Inc. exercised sufficient control over its subsidiaries to render them its agents, including by appointing the majority of seats on a council coordinating the subsidiaries’ activities; sharing and transferring personnel with its subsidiaries; setting the subsidiaries’ business and financial goals, including their audit and compliance functions; and having the subsidiaries report to it. In another example, the SEC charged a parent company with violations of both the anti-bribery and accounting provisions of the FCPA, where the parent owned majority interests in two joint ventures whose sales personnel bribed foreign officials, and the parent failed to adequately investigate red flags and implement adequate internal controls over the joint ventures.
Even minority shareholders can face liability risks relating to their investments, particularly where the minority shareholder is found to exercise control sufficient to establish an agency relationship but fails to exercise that control to prevent a violation of the FCPA. The SEC found BellSouth Corporation liable for violating the accounting provisions of the FCPA where it owned 49% of a joint venture that engaged in bribery and exercised operational control over the subsidiary.
Where minority shareholders lack operational control, they may nevertheless have a good faith obligation to use their influence to design and maintain a system of internal controls sufficient to prevent violations of the FCPA. For example, the SEC charged Eni S.p.A, a minority stakeholder in a joint venture, with violations of the accounting provisions of the FCPA for failing to comply in good faith with its obligation to ensure that the joint venture adopted adequate internal controls to prevent bribery. In that case, Eni S.p.A. was the largest shareholder in the corporate structure and the CFO of the joint venture during the period of the misconduct later joined Eni S.p.A as its CFO.
In the UK, the UKBA takes away a lot of the uncertainty about when a parent may be prosecuted for the acts of its associates and representatives. Under section 7 of the UKBA, a company can be held liable for bribery committed by an “associated person”. An “associated person” is a person who performs services for, or on behalf of, the relevant company (section 8), which is to be determined by reference to all the relevant circumstances and not merely the nature of its relationship with the company. This includes agents, employees and subsidiaries. This statutory provision makes it easier to prosecute a company for wrongdoing than the previous common law position as it removes the need to show in such cases that the “controlling mind and will” of the company was involved in or knew of the criminal conduct; the company’s liability rests on failing to take adequate steps to prevent it in the first place. It is a full defence to a section 7 charge for companies to show they had adequate procedures in place to prevent bribery.
For example, Sweett Group Plc, a construction services company, was found guilty of failing to prevent an act of bribery when its subsidiary secured and retained a contract through bribery. The judge in the case emphasised that “The whole point of section 7 is to impose a duty on those running such companies throughout the world properly to supervise them.” We will consider in section 3 below what companies can do to ensure they have adequate procedures that are fully integrated across the group.
Corporate criminal prosecutions under the UKBA have been few and far between; however, since February 2014, deferred prosecution agreements (“DPAs”) have been available for companies suspected of certain offences (including bribery offences). DPAs provide a means for a company potentially liable for wrongdoing to agree to various sanctions and penalties with a UK prosecutor, under the supervision of a judge, in return for which the prosecutor agrees to suspend the prosecution for a defined period. At the time of writing, there have been 12 DPAs concluded by companies, all with the SFO.
In the UK, DPAs can provide obligations for both the parent and subsidiary, including, for example, the assumption of liability for fines; the implementation of compliance programs; or regular reporting to the SFO for the period of the DPA.
For example, a DPA agreed with Amec Foster Wheeler Energy Limited (“AFWEL”) relating to the use of corrupt agents in the oil and gas sector, was accompanied by an undertaking agreed by the parent (John Wood Group PLC) to “assume responsibility for the payment of the financial penalty and the SFO’s costs and agree to ongoing co-operation with the SFO and other law enforcement and regulatory authorities.” Similarly, DPAs concluded with two anonymous companies in 2021 required a parent company to “support a comprehensive compliance program and obligations to report to the SFO on compliance at regular intervals during the two-year term of the DPAs.”
The DPA agreed by Serco Geografix Limited in July 2019 included a compensation payment of £12,800,000 to the Ministry of Justice (“MOJ”), which was held already to have been paid by parent company, Serco Group, as part of an earlier compensation settlement for a scheme to hide the Group’s profits from the MOJ. The DPA further required “ongoing cooperation with the SFO and other law enforcement and regulatory authorities, reporting evidence of fraud by itself or related companies and individuals, any necessary strengthening of its Group-wide Ethics and Compliance functions, and annual reporting on its Group-wide assurance program.” Mr. Justice William Davis noted, “without the undertakings given by the parent company it is very unlikely that the goals of a DPA could have been achieved.” These undertakings create obligations for the parent company which may result in financial loss, especially when its subsidiary is dormant or cannot meet its financial obligations. Such undertakings also act as a strong reminder to corporate groups of the importance of embedding compliance programs across the whole group.
Like their US counterparts, UK companies are also required to maintain accurate accounts. For example, Tesco Stores Ltd accepted responsibility for false accounting practices in a DPA in 2017. The Tesco case also provides a good example of how enforcement agencies may collaborate to address separate liability arising out of misconduct. For example, when the SFO charged the subsidiary, Tesco Store Ltd, for false accounting, the Financial Conduct Authority (“FCA”) brought a market abuse charge against both the parent and the subsidiary.
Under the UKBA, it is also possible to conceive of circumstances in which a joint venture company may be a person associated with any one or more of the shareholders for the purposes of section 7. It is also possible, although less likely, that a joint venture company’s joint employees and agents are persons associated with one or more of the shareholders. For this reason, it is now market practice for UKBA compliant companies to require joint ventures in which they are involved to establish adequate anti-bribery procedures.
UK law and accompanying guidance does not specify any particular level of shareholding above which adequate procedures should be imposed on a joint venture and, as further discussed below, guidance published by the MOJ (the “Guidance”) includes a principle of proportionality. The degree of risk faced by a joint venture shareholder will differ from case to case but is higher for significant shareholders, particularly where a shareholding is accompanied by control of the board or other significant executive power.
2. Extra-territorial reach
Unsurprisingly, given that the statute is targeted at “foreign corrupt practices,” the FCPA has broad extraterritorial reach. The statute covers not only the actions of US persons (including US companies and their foreign subsidiaries), and issuers of securities on U. exchanges (such as non-US companies listed on the New York Stock Exchange), but also any non-US persons which take any action that can be construed to be “in the United States” (including by use of the means and instrumentalities of US interstate commerce) in furtherance of a corrupt payment to a foreign government official.
Federal agencies have also taken an aggressive approach to prosecuting FCPA violations, even in cases where practically all the relevant conduct occurred overseas. In some cases, they have pursued ancillary theories of liability, such as aiding and abetting and conspiracy to bring charges against parties which would otherwise be outside of the broad jurisdictional scope of the FCPA.
Accordingly, many foreign companies and individuals potentially risk FCPA exposure from business conduct that involves even a minimal connection to the United States (such as, to provide a few examples, emails to the United States, transfers routed through the US banking system, or registering American Depository Receipts). This heightens the need for global multinationals with even a minimal presence in, or connection to business activity in, the United States to consider strengthening their compliance frameworks to address FCPA risks.
A commercial organisation may commit the section 7 offence as a result of conduct carried out by an “associated person” if it is either a company incorporated in the UK or a partnership formed in the UK, or carries on a business, or part of a business, in any part of the UK, regardless of where it was incorporated or formed (section 7(5)).
In practice, this means that a company incorporated overseas, which has business operations or a subsidiary located in the UK, may be at risk of committing the corporate offence if a person “associated” with it bribes another person anywhere in the world with the intention of obtaining or retaining business or an advantage in the conduct of business for the company.
This extra-territorial reach is clearly seen in the DPAs agreed to date, which have often involved both UK and non-UK companies. In particular, despite being registered in the Netherlands, Airbus agreed to a DPA which covered conduct in five jurisdictions: Sri Lanka, Malaysia, Indonesia, Taiwan and Ghana. This was not a contested matter for the Court to determine as Airbus conceded jurisdiction such that we do not yet have a jurisprudence in the UK on how far jurisdiction may go. This has the impact of compelling organisations with a UK presence to strengthen their global compliance frameworks.
3. Guidance on Compliance Measures and Contractual Safeguards
Against this complex backdrop of liability risks, US and UK regulators agree on the importance of adequate compliance measures and contractual safeguards to address ABC issues. Contractual provisions can require compliance with the FCPA, UKBA and the company’s anti-bribery policy, or create obligations to report conduct, maintain accurate records and co-operate with compliance investigations. Compliance monitoring both deters and detects misconduct, which can be done proactively to refresh due diligence on a periodic basis and reactively in response to pre-defined red flags.
Conducting pre-transaction due diligence
US federal agencies have suggested pre-transaction due diligence measures to reduce FCPA liability emerging out of joint ventures, including:
- conducting risk-based due diligence on new acquisitions;
- ensuring that the acquiring company’s code of conduct and compliance policies and procedures apply as quickly as practicable post-transaction;
- conducting FCPA training for the new business and its partners and agents;
- conducting an FCPA-specific audit of the new business as quickly as practicable; and
- disclosing any corrupt payments discovered through due diligence.
Similarly, guidance from UK agencies requires UK companies to conduct pre-transaction due diligence (just like their US counterparts), which should take “a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.” Due diligence evaluations of third parties should consider the sector and jurisdiction in which the transaction occurs; the size and nature of the transaction; and the historical relationship with the third-party. Red flags for third parties include shell companies; limited experience with the third party; close association with foreign public officials; and involvement in offshore jurisdictions irrelevant to the joint venture.
Embedding compliance into the subsidiary or joint venture’s operations
Parent companies and controlling shareholders should also take proactive approaches to embed a culture of ABC compliance into their subsidiaries or joint ventures.
Per guidance from US regulators, even non-controlling joint venture partners can seek to demonstrate “good faith” influence by working to establish the joint venture’s obligations through the joint venture governing agreements, including through provisions on:
- membership of the board of directors or governing body;
- covenants for ongoing due diligence;
- audit rights;
- exit strategies;
- covenants on business conduct in compliance with all applicable anti-corruption laws;
- representations and warranties that improper payments have not been made in the past; and
- covenants implementing an FCPA compliance program, including (but not limited to) the provisions of training and relevant approvals pertaining to the compliance policies and procedures.
Similarly, the Guidance on the meaning of “adequate procedures” for the purposes of the UKBA details “Six Principles”: 1) Proportionate Procedures; 2) Top Level Commitment; 3) Risk Assessment; 4) Due Diligence; 5) Communication (including training); and 6) Monitoring and Review. More generally, the Guidance notes that an organisation’s anti-bribery procedures should be “proportionate to the bribery risks it faces and to the nature, scale and complexity of the commercial organisation’s activities,” and should also be “clear, practical, accessible, effectively implemented and enforced.” Critiques of the UKBA have criticized the Guidance for lacking specificity and often organisations “fill in the gaps” by looking to sectoral rules and publications (such as the FCA’s Financial Crime guide), learnings from the DPAs published to date and materials published by NGOs and industry bodies.
With respect to the UK position on joint ventures, as a rough rule of thumb, a prudent approach would be to require adequate anti-bribery procedures in all joint ventures in which a company has larger shareholdings. Conversely, where the company’s interests are minimal and it is a passive investor, the UKBA risks are much lower. Ideally, the joint venture’s procedures would at least match the shareholder’s own procedures (and should do so where the company controls the joint venture). In such cases we would expect to see similar contractual provisions to those identified in the FCPA context above. However, this is not essential provided that the procedures provide adequate protection overall for the anti-bribery risks faced by the joint venture.
It should be noted that this approach contrasts with that taken by US regulators. Companies exposed to liability under both regimes should default to requiring more stringent protections if possible.
The landscape of potential liability risks under the FCPA and UKBA is complex and nuanced. While the US and UK anti-bribery regimes operate differently in terms of enforcement and theories of liability, regulators on both sides of the Atlantic agree on the need for strong compliance measures and contractual safeguards which can ensure that ABC risks associated with subsidiaries, joint ventures and other related persons are effectively identified and addressed. Before entering into transactions, companies should adopt a thoughtful and thorough approach to managing ABC risks arising from joint ventures and mergers and acquisitions, including through appropriate compliance measures and contractual safeguards.
For further information, please contact:
Richard Smith, Partner, Linklaters