Forceful anti-corruption enforcement finally making bribery more bane than boon for companies

Eradicating corruption may seem like an unfathomably difficult task at times, requiring business, government, and consumers to resist a crime that in some cultures is embedded into the very nature of commerce.

Not only would eliminating corruption require companies to identify its seemingly limitless methods, like improper payments, extravagant gifts, and illicit advantages, but also to see it as an obstacle to sound and proper business practices, not an avenue for illicit financial success.

Amanda Raad, a partner in the London office of Ropes & Gray LLP, an international law firm, says that while bribery and corruption may be inevitable due to the diverse economic and cultural makeup of the commercial world, the global momentum of more forceful enforcement of anti-corruption laws is creating a new climate.

Having a compliant and clean house that frowns upon corruption is beginning to be seen as a competitive advantage, not just a burdensome onus on the company. Effective due diligence, monitoring and training strategies can not only make a company more transparent, but forge a clear path that more effectively protects the business from government penalties and gives the company additional perceived value to its customers.

Raad’s practice focuses on investigations and resolutions of cross border anti-corruption and anti-money laundering (AML) matters. Raad also develops and implements risk-based compliance programs.

She spoke with ACFCS this week to discuss what kind of anti-corruption tools and programs she recommends to the private sector, how intensified enforcement is fostering a viewpoint that bribery is bad for business, and how companies should consider a wide range of financial crime risks when building their anti-corruption programs.

ACFCS: Could you tell us about the investigative side of what you do? I know you focus a lot on cases that have to do with cross border anticorruption and AML matters.

The timing of my career just happened to line up nicely with when some of the US [Foreign Corrupt Practices Act (FCPA)] actions really got off the ground and there were several industry sweeps and lots of activity in certain industries, including the medical devices space.

It appealed to me to have the opportunity to work on cross border issues and help companies that are struggling with different cultures, different competing legislation and different regimes to investigate when something goes wrong and to develop sufficient controls that help them on the front end to deal with global operations. Increasingly, as companies become more far-reaching and more global, the challenge is that it becomes more difficult to mitigate that risk simultaneously.

ACFCS: With different regulatory agencies and regulations that address corruption, there are many ways to deal with this issue. However, there are two major pieces of legislations that are at the center of anticorruption efforts, the FCPA and the UK Bribery Act. Can you discuss how important these laws are?

I advise all the time that those are the two laws that you want to be familiar with because if you combine them, they are the most far-reaching in terms of substance and jurisdiction. In terms of the FCPA, it’s the most far-reaching in terms of enforcement. If you look at the report that just came out [from the Organisation of Economic Co-operation and Development (OECD), analyzing nearly 430 corruption cases since 1999 ], there are far more enforcement actions regarding the FCPA than any other law. What works well is to look at those two and look at them together.

The FCPA prohibits bribery of foreign public officials. It doesn’t have a provision for purely commercial bribery, whereas the UK Bribery Act, which is much more recent, effective in 2011, prohibits the bribery of foreign public officials and commercial bribery.

They both have a far jurisdictional reach and scope. When you put the two of them together with the longstanding enforcement trends for the FCPA, you know that it was a law that started in 1977 but took a while to [gain] steam in enforcement.

The UK bribery act has a little bit more teeth in the substance of the written law, but it has taken a bit of time in enforcement. If you combine the two from a substantive standpoint, then you’re really covering yourself and devising a program that will help protect you under those laws and under the laws of other countries that are a part of the OECD.

ACFCS: Let’s talk about your experience in the private sector. You advise companies on programs that they can implement to prevent any type of anticorruption investigation. Is that usually an overhaul of the existing compliance program or just reworking it to include additional barriers against corruption?

There are two ways to think about it. The first is risk assessment. A lot of companies started to do anti-corruption risk assessments, especially when the UK Bribery Act came out. Everybody takes a different approach to how you go about doing that, and it depends on the industry, the risk profile, the company, the company’s program that already exists.

Regardless I always try to think in buckets of what are the elements of an effective compliance program that you have to think about under any law, and that’s tone at the top, policies, procedures, training, monitoring and third parties.

From a risk assessment perspective, when I work with companies I try to go through all of those elements. Tone at the top is particularly important. As you see from the report that just came out, improper payments and bribes are sometimes paid at the highest level and even if they’re not paid at that level, senior people at the company are still authorizing them.

For any compliance program to actually work, it has to be more than just a piece of paper – it has to be the right tone. It’s hard to put metrics around that, it’s almost like you have to help create a culture of compliance at a company and people are at various different places along that path, depending on what their risk profile might be.

And then finding a policy that fits your company is a little bit harder than it seems. There’s really no one-size fits all. I spend a lot of time trying to get a policy that is going to make sense at a global level to people who are operating all over the world and that translates well in different languages. You need to figure out the different areas and what are the specific areas where you might have to tweak the policy and addresses particular risks that exist in one place.

For training, it’s the same thing. A one-size fits all training program is convenient because it allows you to create wonderful electronic systems that allow you to keep track of everything but it doesn’t necessarily resonate with the people {who] are taking the training if you don’t have a real life situation that they can relate to. When I first started doing this, the idea that a doctor or a nurse working in a certain market was a public official took time.

The one piece that is the hardest is the monitoring and auditing, particularly with third parties. Almost all enforcement actions deal with third parties. It’s hard enough to monitor and audit your own company, so it’s even more difficult to audit and monitor a third party.

Figuring out where that line is and what’s enough and how you respond to a potential red flag without chasing down any potential lead is more of an art than a science. I spent a lot of time recently tailoring testing procedures for third parties. When you know who your third parties are and you have done your due diligence and have contracts in place, what do you do on an ongoing basis?

ACFCS: You conducted post-acquisition due diligence on a pharmaceutical multinational company recently. What was it like to see all those different moving parts create a strategy or make sure that this company would move forward and prevent any acts of corruption?

It is hard because when you are coming into a new company, ideally you find out about all the problems during due diligence so you can start fixing problems on day one. However, realistically it’s hard to do that, especially if you’re buying a company that operates all over the world in an industry that’s high risk.

You get as much done ahead of time, but after acquisition it does not stop, you have to learn the company and its weak spots, you have to learn which markets are more challenging for this particular target and spend more time onboarding them to your compliance program and get them to the standard you want them to be at.

The best way to do that is to find where things aren’t happening because it’s like plugging gaps. In a country maybe they have a particular problem with distributors, whereas in another country they might be paying sponsorships that you don’t agree to. So you have a laundry list of things that you work through of checking but its’ really matching up in a substantive way what are their challenges and how do I give them the tools that they need to plug those holes.

You can’t really develop client programs to make sure the improper payments aren’t made – you won’t be able to control every situation or stop every single payment, because if someone decides to circumvent your controls, there’s really not a lot you can do about that.

However, you can make sure to put everyone in the right place to have all the tools so you are in a position where you can say ‘I did everything I could do, this person just went rogue.’

Those are the cases that are not being prosecuted; a good example is Morgan Stanley. There was an employee that clearly made an improper payment but when you go through the list of things that they had done, training, diligence, certifications, it is impressive so you say ‘ok, they’ve done everything they can do.’

ACFCS: When you defend these companies in anticorruption investigations, what are the strongest tools against those claims?

Under the UK Bribery Act, there is a strict liability for corporate bribery but the affirmative defense is that you are able to establish adequate procedures, but you could have a never-ending debate about what adequate procedures are. Same thing with the guidance from the [US Securities Exchange Commission and US Department of Justice] that ask if you have an effective compliance program. It is tough to tell what is adequate but that is certainly a standard that you want to work toward.

For some time, compliance could be seen as an unnecessary cost. It is unfortunately something you put a lot of resources into but it’s not necessarily a revenue earning tool for companies, which can be seen as a drain. It’s hard to convince people just from fear that they don’t want to pay a fine, but I think it’s getting to the point, that it’s a competitive advantage to have a really strong compliance program.

If you ever want to be sold or raise funds, the first thing a buyer is going to do is look at the compliance program because they don’t want to inherit any risk or liability. So before a company is listed, they try to get their house in order.

I think that is a good thing and a move toward putting resources [at] the front end versus only the fear of being sanctioned and the penalty at the end, which are relevant factors, but also there is the fact that it makes business sense and it is the right thing to do.

ACFCS: The private sector is making more of a push toward prevention and knowing that a strong compliance program is part of a healthy business. The public sector is also making a push for transparency.

Transparency International’s new report shows how corruption is affecting countries around the world. That ties in with the new OECD report on foreign bribery because the report showed that bribes are being paid across  all sectors and all stages of economic development.

There used to be a perception that corruption happened more often in developing nations, and these findings dismantled that. What does corruption look like in different sectors and at different levels of economic development?

I was struck by those findings as well. I spent a lot of time preaching about emerging markets too, but I think it takes different forms now in the sense of how much enforcement there has been in a particular country or industry.

In some places, it is cultural. If it is an emerging market, it is a necessity to get business done there because it’s always been done that way and it’s an expectation, so you’re at a competitive disadvantage if you’re taking a different stance. That, I think, is changing but there you see that it is easier to identify because people are not taking large steps to conceal it because it’s so prevalent.

Whereas if you look somewhere else where there has been some enforcement and the scheme tends to look a bit different and it may be harder to identify. Frankly, it makes things more complicated because it varies by industry.

For one industry, you may be looking for huge payments that happen around a government procurement contract and in another you may be looking for low-level payments made to customers to incentivize them to buy your product or where customers are your weak point. It looks different depending on how developed the country is and what the industry is. It’s something that you have to understand to face those challenges.

At ACFCS, we talk a lot about [the] convergence of financial crime and financial crime enforcement. Money laundering may also provide vulnerabilities that lead to fraud or cybercrime or corruption and how those issues are interconnected. When it comes to anticorruption efforts, is there any meaning in trying to employ a very effective anti-money laundering strategy?

I’m so glad you asked this because when I do risk assessments, we used to always say let’s do the anticorruption risk assessment. But then there’s a lot of debate about what does corruption really mean?

Does it include money-laundering risk. Yes, I think there is a lot of overlap in both where weaknesses exist and where you can tighten controls. If you look at [the issue] from an anti-money laundering perspective, due diligence and [know-your-customer] is so important and it’s the same thing on the anticorruption side.

Third parties are the biggest risk. So[employing] effective strategies that you use to mitigate money laundering risk also helps to mitigate third-party bribery and corruption risk.  People working in the financial sector have seen some of the highest challenges when there was such a focus on AML compliance and then much later in the game when everyone added the anticorruption focused unit.

There’s the challenge of how they coordinate with each other, are they sharing risk information and how they help each other. Because they came in at different times, it’s a challenge but it’s also a huge opportunity to think of those two together.