Do FCPA considerations come into play for customers? How should you think about your obligations under the FCPA for a group not traditionally associated with FCPA liability or even FCPA risk? These questions and perhaps others are raised by the FCPA investigation into certain transactions in Venezuela by Derwick Associates and a US company ProEnergy Services. ProEnergy Services supplied turbines that Derwick Associates resold to the Venezuelan government and then installed in that country. This investigation demonstrates why businesses need to be more concerned with not only who they do business with but how their customers might be doing business. In banking and financial services parlance, you now need to ramp up your Know Your Customer (KYC) information to continue throughout a seller-purchaser relationship, in the context of the FCPA.

A good starting point is the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) rules on customer due diligence. While they deal specifically with banks, brokers-dealers, and mutual funds, they inform the broader number of US commercial enterprises doing business outside the United States. They emphasize that AML programs should have four elements:

  1. Identify and verify the identity of customers;
  2. Identify and verify the identity of beneficial owners of legal entity customers;
  3. Understand the nature and purpose of customer relationships; and
  4. Conduct ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions.

Clearly any anti-corruption compliance based due diligence would focus on point 2. A definition of “beneficial owner” should have two prongs:

  • Ownership Prong: any individual who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25% or more of a legal entity customer, and
  • Control Prong: An individual with significant responsibility to control, manage, or direct a customer, including an executive officer or senior manager; or (ii) any other individual who regularly performs similar functions.

Under point 3, company needs to “Understand the nature and purpose of customer relationships”. The regulation further explained “to gain an understanding of a customer in order to assess the risk associated with that customer to help inform when the customer’s activity might be considered “suspicious.”” Such an inquiry could help a business to “understand the relationship for purposes of identifying transactions in which the customer would not normally be expected to engage. Identifying such transactions is a critical and necessary aspect of complying with the existing requirement to report suspicious activity and maintain an effective AML (or anti-corruption compliance) program.”

The final point 4 relates to ongoing monitoring. Once again consider the position of the US Company, ProEnergy Services, in the Derwick Associates FCPA investigation. What can or should it have done in the way of ongoing monitoring of its customer. The regulation stated, “industry practice generally involves using activity data to inform what types of transactions might be considered “normal” or “suspicious.”” It may be that the Derwick Associates types of transactions were suspicious.

FinCEN understands that information from monitoring could be relevant to the assessment of risk posed by a customer. The requirement to update a customer’s profile because of ongoing monitoring, including obtaining beneficial ownership information for existing customers on a risk basis, is different and distinct from a categorical requirement to update or refresh the information received from the customer at the outset of the account relationship at prescribed periods. Lastly “the obligation to understand the nature and purpose of customer relationships, monitoring is also a necessary element of detecting and reporting suspicious activities”.

There does not have to be a direct bribe or other corrupt payment made by a US company to have liability under the FCPA. FCPA enforcement is littered with companies that have paid bribes through third parties. However, as the Fifth Circuit said in Kay v. US, “[W]e hold that Congress intended for the FCPA to apply broadly to payments intended to assist the payor, either directly or indirectly,” [emphasis mine]. While at first blush, ProEnergy Services may appear to be at the edge of potential FCPA liability; if it knew, had reason to know, or should have taken steps to know about some nefarious conduct by its customer, it does not take too many steps to get to some FCPA exposure. The FinCEN rules on customer due diligence for financial institutions are a good starting point for other commercial entities to base their compliance program for customers around.

Three Key Takeaways

  1. Non-banking and non-financial service entities need to consider their KYC obligations in the context of FCPA risk.
  2. FinCEN rules on customer due diligence are a good starting point for the non-financial institution.
  3. Ongoing monitoring should be used and the information incorporated into your customer risk profile going forward.

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at or check out