FCPA: Internal Controls and Third Parties

In terms of global anti-bribery compliance, the U.S. Department of Justice’s resolution with Deutsche Bank Aktiengesellschaft (“Deutsche Bank”) demonstrates the degree to which the FCPA’s internal controls provisions can be used to address lax practices of foreign issuers and subsidiaries of issuers that may lead to the payment of bribes to foreign officials.1 Due to their esoteric nature, the internal controls provisions are rarely used as the basis of criminal charges. However, in this instance, the internal controls provisions were central to the criminal charges brought against Deutsche Bank.

The information filed against Deutsche Bank focused on the use of third-party consultants, referred to as Business Development Consultants (BDCs), to facilitate the payment of bribes. The inadequacies of Deutsche Bank’s internal controls included, among others:

  • Failing to conduct “meaningful due diligence” on the BDCs;2
  • Making payments to certain BDCs who were not under contract or otherwise subject to a written agreement;3
  • Making payments to certain BDCs without invoices or adequate documentation;4 and
  • Failing to implement adequate controls in response to red flags related to the BDCs.5

For example, the egregiousness of what occurred stemmed in part from the failure to heed warnings from internal audit staff. On more than one occasion, audit staff put senior Deutsche Bank officials on notice of serious concerns as to the prospect of corrupt activities associated with the use of the BDCs. But instead of addressing those concerns by implementing the audit staff’s recommendations, the senior officials continued to use and rely on the BDCs. In addition, the practices in question completely disregarded Deutsche Bank’s well-established policies and procedures.

In Deutsche Bank’s resolution with the Securities and Exchange Commission (SEC), the internal controls violations are spelled out in greater detail:6

Contrary to its internal policies and with known failures in its relevant internal accounting controls, between 2009 and 2016, Deutsche Bank engaged some BDCs: 1) with no demonstrated expertise or qualifications; 2) who simultaneously worked for a government entity from which Deutsche Bank sought business; 3) without a written agreement; 4) using form agreements with no substantive description of the services to be performed and/or provisions calling for “success fee” payments; 5) at rates that were unreasonably high as compared to the work allegedly being performed; and 6) in circumstances where either adequate due diligence was not performed or where due diligence was conducted more than a year after the BDC was retained and paid.

Deutsche Bank’s resolutions with the Justice Department and SEC involved an array of record-keeping violations.  But the particular significance of the resolutions is the role of adequate internal controls in addressing improper inducements to foreign officials.  Adequate internal controls are fundamental to deterring corrupt practices.  Moreover, the SEC has an almost unlimited ability to rely on the internal controls provisions in circumscribing the conduct of issuers and their subsidiaries.


1Information, United States v. Deutsche Bank Aktiengesellschaft, Cr. No. 20-584 (E.D.N.Y., Jan. 8, 2021), ECF No. 1.

2Id., at ¶ 8.



5Id., at ¶¶ 10-11.

6Order Instituting Cease-and-Desist Proceedings, at ¶ 10, In the Matter of Deutsche Bank AG, SEC Adm. Proceedings No. 3-18397 (Jan. 8, 2021).
