The internal controls provisions of the FCPA have most often been used in the context of civil enforcement actions by the SEC.1 This is a sort of “catch-all” provision that gives the SEC great latitude in taking action against a company. It is a provision that has been used to address a range of questionable conduct not limited to foreign bribery. Due in large part to their esoteric nature, the internal controls provisions are seldom the focus of criminal enforcement activity.
“The main problem with the internal controls provision of the FCPA is that there are no specific standards by which to evaluate the sufficiency of controls; any evaluation is inevitably a highly subjective process in which knowledgeable individuals can arrive at totally different conclusions.”2 Yet, over time, internal controls may be the most useful means of ensuring that companies stay abreast of possible problems and address them in a timely manner. Unlike a compliance program or specific policies, internal controls are intended to be holistic in nature.
What constitutes adequate internal controls is frequently misunderstood. What they are not is simply a system of checks and balances. Further, “[a]n effective compliance program is a critical component of an issuer’s internal controls.”3 Much more is required than a compliance program or a system of checks and balances. A critical component of internal controls is the timely sharing of information so that timely adjustments may be made. A better analogy may be to the concept of command and control associated with the military.
1. The U.K. Experience
In the United Kingdom, the Financial Services Authority, the predecessor to its Financial Conduct Authority (“FCA”), used the inadequacy of internal controls as the basis for taking action against a U.K. company allegedly involved with foreign bribery.4 The FCA continues to require entities subject to its jurisdiction “to establish and maintain effective systems and controls to mitigate financial crime risk.”5 “Financial crime risk includes the risk of corruption as well as bribery, and so is wider than the [UK] Bribery Act’s scope.”6
2. The Long Term
Adequate internal controls are essential to any effectively managed company, regardless of whether it may be subject to the FCPA, the FCA, or other regulatory schemes. If information associated with compliance concerns is not shared in a timely and effective manner, a company will be unable to address issues that may undermine its operations. The essence of internal controls relates to adequate monitoring and timely sharing of critical information. If those elements are not a focal point of a company’s internal controls, its compliance program is unlikely to be effective.
From the perspective of management of a company or organization as well as anyone with fiduciary responsibilities, or their equivalent, insisting on adequate internal controls should be mandatory. If properly implemented and maintained, adequate internal controls address evolving risks to an entity, whether they be with respect to corruption or other causes, like cyber threats.7 Over the long run, truly adequate internal controls have the best prospect of ensuring the ongoing vibrancy of a company.
115 U.S.C. § 78m(b)(2)(B).
2See SEC v. World-Wide Coin Inv. Ltd., 567 F. Supp. 724, 751 (N.D. Ga. 1983).
3U.S. Dep’t of Justice & U.S. Sec. & Exch. Comm’n, A Resource Guide to the U.S. Foreign Corrupt Practices Act, at 40 (Nov. 2012).
4The Financial Services Authority fined the U.K. subsidiary of Aon Corporation for inadequate internal controls for a lack of due diligence and assessment of the risk of third parties, including a failure to monitor third parties in high risk areas, an absence of adequate training and guidance, and a failure to furnish adequate information to senior management with oversight responsibilities. Press Release, FSA/PN/004/2009, Financial Services Authority, FSA fines Aon Limited £5.25m for failings in its anti-bribery and corruption systems and controls (Jan. 8. 2009).
5Financial Conduct Authority, Financial Crime: A Guide for Firms, pt. 1, ¶ 6.2 (Apr. 2015).
6Id. It should also be noted that under the decree issued with respect to the implementation of Brazil’s Clean Company Act, the adequacy of internal controls relative record-keeping and financial reporting is a factor to be considered in reaching a leniency agreement with a company under investigation. Decreto No. 8420, de 18 de Marcha de 2015, Diáio Oficial da Uniáo [D.O.U.] de 19.3.2015 (Braz.).
7In the context of corruption, adequate internal controls require a U.S. publicly-held company, for example, to take into account the implications of the UK Bribery, like private bribery, and a host of other issues.