FCPA Compliance: Internal Accounting Controls and Compliance Programs

For issuers subject to FCPA compliance requirements, the SEC has determined that the failure to devise or maintain an effective system to prevent or detect violations of the anti-bribery provisions of the FCPA can constitute a violation of the internal controls provisions of the accounting and record-breaking provisions. The provisions of the FCPA relating to internal accounting controls provide an almost endless series of bases for the SEC to take action against an issue.[1] It must be kept in mind that the FCPA, and the internal control provisions in particular, will always be applied in hindsight by enforcement officials.[2] When fraud or other abuses are involved, especially relating to financial transactions, the question will always arise as to whether the internal controls were adequate. In such situations, the adequacy of the internal controls will rarely be found to be adequate.

Due in large part to their estoric nature,[3] the internal accounting control provisions are seldom the focus of criminal enforcement activity. But, in a civil enforcement context, these provisions are frequently used. The standard of proof is a preponderance of the evidence. In almost any after-the-fact analysis relating to financial irregularities, the SEC will be able to point to a breakdown of some sort associated with the internal accounting controls of an issuer.[4] Whether the issuer had knowledge of a defect in the system of controls or improperly recorded transactions or other financial activity is irrelevant in the civil enforcement context with respect to the accounting and record-keeping provisions. No proof of intent is required.[5]

An issuer’s anti-bribery compliance program should not necessarily be separate from its system of internal accounting controls. A natural interplay was intended between the anti-bribery and the accounting and record-keeping provisions. An effective system of internal accounting controls includes a range of review and approval guidelines designed to detect and deter questionable payments.[6] Indeed, whether following the criteria established under the U.S. Sentencing Guidelines, the official guidance associated with the UK Bribery Act, or other compliance standards, the planning, implementation, and monitoring of an issuer’s compliance program should be closely linked, if not intertwined, with its system of internal accounting controls.

[1]Stuart H. Deming, The Foreign Corrupt Practices Act: The Accounting and Record-Keeping Provisions, in THE FOREIGN CORRUPT PRACTICES ACT AND OECD CONVENTION: MITIGATING AND MANAGING RISKS IN THE CHANGING LEGAL ENVIRONMENT, at B-7 (ABA-CLE 2001) (citing Paul V. Gerlach, Assoc. Dir., Div. of Enforcement, Sec. & Exch. Comm’n, Remarks at the ABA’s National Institutes on the Foreign Corrupt Practices Act (Feb. 19, 1999 and Mar. 12, 1999)).


[3]See World-Wide Coin Inv. Ltd., 567 F. Supp. 724, 751 (N.D. Ga. 1983) (“The main problem with the internal controls provision of the FCPA is that there are no specific standards by which to evaluate the sufficiency of controls; any evaluation is inevitably a highly subjective process in which knowledgeable individuals can arrive at totally different conclusions.”).

[4]One such rare exception involved a cease-and-desist proceeding in 2000 with International Business Machines Corporation (IBM) and its wholly-owned subsidiary in Argentina, IBM-Argentina, S.A. (IBM-Argentina). Sec. & Exch. Comm’n v. Int’l Bus. Mach., Litig. Release NO. 16,839 (Dec. 21, 2000).  The enforcement action was premised upon violations of the books and records provisions of the FCPA for “presumed illicit payments to foreign officials.” No violations of the internal control provisions were alleged. In connection with a $250 million contract to modernize the computer system of a commercial bank owned by the Argentine government, IBM-Argentina entered into a $22 million subcontract with an Argentine subcontractor, which in turn, was alleged to have passed on $4.5 million to officials of the Argentine bank. The order, issued in the accompanying administrative proceeding, found that IBM-Argentina’s management “overrode IBM’s procurement and contracting procedures”; “hid the details of the subcontract” from the technical and financial review personnel assigned to the contract; and “fabricated documentation, including a backdated authorization letter and a document that stated incomplete and inaccurate reasons for hiring [the subcontractor].”In re In’l Bus. Mach. Corp., Exchange Act Release No. 43,761 (Dec. 21, 2000). IBM-Argentina recorded the payments as third-party subcontractors expenses which were, in turn, incorporated into IBM’s Form 10-K. The order further noted that IBM’s policies and procedure had been circumvented and that no employee of IBM in the United States was aware of what had occurred.

[5]Sec. & Exch. Comm’n v. McNulty, 137 F.3d 732, 741 (2d Cir. 1998); Sec. & Exch. Comm’n v. Softpoint, Inc., 958 F. Supp. 846, 866-67 (S.D.N.Y. 1997), aff’d on other grounds, 159 F.3d 1348 (2d Cir. 1998); Se. & Exch. Comm’n v. Sys. Software Assocs., Inc., 145 F. Supp. 2d 954, 958 (N.D. Ill. 2001); World-Wide Coin, 567 F. Supp. at 749-751. See also Ponce v. Sec. & Exch. Comm’n, 345 F.3d 722, 736 n.10 (9th Cir. 2003), However, proof of intent may be required to establish civil liability for aiding and abetting a violation of the accounting and record-keeping provisions. See id., at 737; Sec. & Exch. Comm’n v. Autocorp Equities, Inc., 292 F. Supp. 2d 1310 (D. Utah 2003) (knowledge or reckless disregard of the fact that the defendant was aiding or abetting a violation of securities law must be established).

[6]For example, in Sec. & Exch. Comm’n v. Titan, the SEC alleged that Titan failed to devise or main an effective system of internal controls. Litig. Release No. 19, 107 (Mar. 1, 2005), reprinted in 2 FCPA REP. at 699.9203.  “Despite utilizing over 120 agents and consultants in over sixty countries, Titan never had a formal company-wide FCPA policy, failed to implement an FCPA compliance program, disregarded or circumvented the limited FCPA policies and procedures in effect, failed to maintain sufficient due diligence files on its foreign agents, and failed to have meaningful oversight over its foreign agents.” Id.

Previous Post
Global Anti-Bribery Compliance: Statutes of Limitations
Next Post
UK Bribery Act: Active and Passive Private Bribery