In two speeches last week Department of Justice (DOJ) Acting Principal Assistant Attorney General Trevor McFadden addressed multiple topics and issues around the Foreign Corrupt Practices Act (FCPA). The first set of remarks were made in Washington DC at the Anti-Corruption, Export Controls & Sanctions (ACES) 10th Compliance Summit (the “DC speech”). The second were made at the American Conference Institute (ACI) 19th Conference on the FCPA in New York City (the “NYC speech”).

While most of the remarks echoed earlier DOJ officials, we have rarely seen such a comprehensive set of statements about the evolution in purpose for the FCPA, how businesses should comply with the FCPA and FCPA enforcement going forward into the Trump administration. I found these remarks to be so significant that I will be exploring them over the next few posts. Today, I will take up the reasons for FCPA enforcement in 2017.

The purposes of the FCPA were written into the Preamble to the original 1977 legislation. In it, Congress set out three clear policy goals for the enactment of the FCPA. First was the public revelation that over 400 US companies had paid over $300 million to bribe foreign governments, public officials and political parties. Such payments were not only “unethical” but also “counter to the moral expectations and values of the American public”. Second was that the revelation of bribery tended “to embarrass friendly governments, lower the esteem for the United States among the citizens of foreign nations, and lend credence to the suspicions sown by foreign opponents of the United States that American enterprises exert a corrupting influence on the political processes of their nations”. Third was that by enacting such resolute legislation, US companies would be in a better position to resist demands to pay bribes made by corrupt foreign governments, their agents and representatives.

Each of the above provides mechanisms to escape liability, rather than the affirmative actions to prevent bribery and corruption. Yet early in his DC speech, McFadden brought up the concept of Corporate Social Responsibility (CSR) and articulated “at the very least it must mean that a company rejects bribery of government officials as a means to get ahead.” This is a very far cry from the business world of 1977, when the FCPA was enacted and when “bribing foreign officials in order to gain business advantages abroad was often considered a routine business expense.” McFadden said that he had personally seen companies “give up potentially lucrative business opportunities or forgo entry into certain markets because they valued their brand reputations over additional profits made under dubious circumstances.” Neither CSR nor brand reputation was a reason for the original passage of the FCPA, yet today they are at the forefront of corporate compliance with the law.

The harm caused by bribery and corruption has also seen a shift since 1977. The connection between bribery and corruption and terrorism has been well-documented since 9/11. However, McFadden identified several other reasons for robust enforcement of the FCPA. Corruption “impedes free competition” as it allows companies which provide substandard products and services to be awarded contracts by foreign governments and state-owned enterprises. Of course, the real losers are the citizens of those countries where contracts are awarded based on bribery and corruption. For not only do they receive suboptimal products and services under bribe-induced agreements but “these bribes actually impede economic growth, undermine democratic values and public accountability and weaken the rule of law.”

Economic growth is impeded through the diversion of funds which should be paid to a country, instead lining the pockets of its officials. The country does not receive the benefit, in goods or services, that it paid for. Here one only needs to consider the words of King Abdullah of Saudi Arabia, who told then Secretary of Defense Robert Gates that he wanted to purchase arms from America, rather than from Russia or France, because “he wanted all the Saudi money to go toward military equipment, not into Swiss bank accounts.” You might also consider how much stronger, better run and more efficient both Petrobras and Brazil would be today if the company had not allowed bribery to be the clear market differentiator, rather than quality and pricing, before Operation Car Wash.

Yet corruption damages more than the citizens of the countries where it occurs. In an area rarely discussed by the DOJ, McFadden correctly noted the damage it inflicts on businesses which engage in such behavior. The first area he highlighted was that because of the uncertainty corruption brings to a transaction, it actually increases, not decreases, the cost of doing business. Simply put, once you pay a bribe, you are identified as a business which is willing to break the law and you can essentially be blackmailed into an ongoing stream of business corruption.

McFadden also pointed out the effect of companies engaging in illegal conduct on their own employees. There are not many employees, in any company anywhere in the world, who want to be known as legal scofflaws. Beyond this attitude McFadden looked at corruption from more of a Human Resource (HR) perspective when he said, “Bribery has destructive effects within businesses as well, undermining employee confidence in a company’s management.” Allowing a culture of bribery and corruption to thrive within an organization also fosters a “permissive atmosphere for other kinds of corporate misconduct, such as employee self-dealing, embezzlement, financial fraud and anti-competitive behavior.”

While McFadden laid out the above reasons that bribery and corruption is against a business’s long term interest, he added another, which the DOJ does not often discuss. Bribery and corruption is not in “the best interests” of a company’s shareholders and investors. There are two parts to the FCPA: (1) the anti-bribery provisions and (2) the accounting provisions. Companies which engage in bribery and corruption never correctly record bribes paid as bribes, at least not in their publicly available books and records. This means investors are prevented from obtaining a true and accurate picture of a company’s legal value.

I conclude today’s review of McFadden’s remarks by noting that the FCPA has made a positive impact in fighting this global scourge. Moreover, the leaders in this fight are companies and businesses which comply with anti-corruption laws such as the FCPA. McFadden stated, “we are heading in the right direction. And this is in large part thanks to our allies in the private sector – people like you – who are leading the way in CSR and anti-corruption compliance efforts.”

The remarks by McFadden on the invidiousness of bribery and corruption demonstrate the FCPA is not captive to the underlying reasons for its passage in 1977. The application of laws evolves as businesses, society and the global community evolve. Even if the Congress which passed the law some 40 years ago did not understand, appreciate or even consider the reasons that McFadden articulated in the DC speech, they are important in today’s world.

Tomorrow I will consider the corporate response to FCPA enforcement.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2017

In this episode, Jay Rosen returns from a week’s trip to Walt Disney World. Jay and I have a wide-ranging discussion on some of the week’s top compliance related stories. We discuss:

  1. DOJ Criminal Division’s Acting Principal Deputy Assistant Attorney General remarks on the FCPA and its enforcement. – See text of speech by clicking here. See Matt Kelly’s blog post by clicking here.
  2. Whistleblowers in the news. See Tom’s article on the Barclay’s CEO and Amtrust in FCPA Blog and on KPMG in Compliance Week. Mike Volkov weighs in on whistleblowing as indicia of corporate culture here.
  3. One-year reports note that declinations are on the rise under the now one-year-old FCPA Pilot Program. For Miller & Chevalier report click here (sub. req’d). For the Stanford University FCPA Clearinghouse Report in the Wall Street Journal, click here.
  4. Tribute to Kara Brockmeyer, retiring as head of the SEC’s FCPA Unit. See Tom’s article in Compliance Week.
  5. Jay details his upcoming conference schedule and weekend report on ethics and compliance observations from the Florida version of the Magic Kingdom.
  6. Listeners to this podcast can receive a discount to Compliance Week 2017. Go to registration and enter discount code CW17TOMFOX.

In this episode I am joined by Ruth Steinholtz of AretéWork, Jonathan Armstrong of Cordery Compliance and Kristy Grant-Hart of Spark Compliance Consulting and author of How To Be a Wildly Effective Compliance Officer for a roundtable discussion of the recently concluded SCCE European Compliance and Ethics Institute. We discuss some of the highlights, the changes this group of compliance practitioners has seen and where compliance may be headed in 2017 and beyond.

On this day in 1970, Apollo 13 landed safely in the Pacific Ocean four days after disaster struck. Two days into the mission, some 200,000 miles from Earth, an oxygen tank blew up and Astronaut Swigert reported to Mission Control, “Houston, we’ve had a problem.” The drama was followed by the entire world as both the three-man crew and “Mission Control were faced with enormous logistical problems in stabilizing the spacecraft and its air supply, as well as providing enough energy to the damaged fuel cells to allow successful reentry into Earth’s atmosphere. Navigation was another problem, and Apollo 13’s course was repeatedly corrected with dramatic and untested maneuvers.” (, 2017)

If you watched the movie or read the story, you will recall it was largely the staff who developed the solutions that brought the spaceship home, not senior management. It was as fine an example of operationalizing a solution as one could hope for in an organization. The key concept from the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (Evaluation) is operationalization. For instance, under the query Shared Commitment is the following question: “How is information shared among different components of the company?” Under the Prong relating to Policies and Procedures, the query Designing Compliance Policies and Procedures asks, “What has been the company’s process for designing and implementing new policies and procedures? Who has been involved in the design of policies and procedures? Have business units/divisions been consulted prior to rolling them out?” Lastly, under the same Prong is Responsibility for Integration, with the following question: “Who has been responsible for integrating policies and procedures?”

These questions point to a Chief Compliance Officer (CCO) or compliance practitioner demonstrating how compliance is being burned into the fabric of an organization. While leadership at and from the top has long been considered by both the DOJ and compliance professionals as a key element to move compliance forward, the Evaluation has also crystalized thinking around compliance leadership from the middle and the bottom. I thought about these concepts when reading a recent Financial Times (FT) article in Employment Global Best Practice by Andrew Hill, entitled “Leadership from the bottom up”. I was particularly struck by a quote from Shlomo Ben-Hur, a professor at IMD business school, who said, “We teach the top 5 per cent — but the majority of this work is carried out by the other 95 per cent.”

In Ben-Hur’s work he found that many executives came from the middle management ranks. They tended to be persons “with a determination to ‘take what I have responsibility for and make it truly great.’” Anecdotally, he related, “They typically said, ‘I’ve responsibility for the minibus,’ and people then asked them to drive bigger and bigger buses until one day they drove the whole business.” Think of the military and the responsibility given to front line commanders and how that “is increasingly reflected at large companies.”

The key for companies is that senior management must “find ways to transmit leadership skills to people who do not have ‘leader’ in their job description and will probably never attend a top-level leadership program.” Hill noted, “Ben-Hur’s work has focused on ensuring that managers understand how to assign the right jobs to their team members and motivate them to perform well, using theories of behavioural change that senior executives have typically never learnt on their way to the top. Dedicated managers well below the executive board need to know how to use these tools.”

For the CCO or compliance practitioner, this provides a clear path to help in the operationalizing of compliance by providing the tools to persons far down the organization to put compliance into the operations of a business. One thing Hill writes about is that a company should nurture such learning because by doing so, it will both teach practical skills around compliance and foster a strong internal network of compliance advocates who can move initiatives up and down an organization. Moreover, as these individuals progress through the company ranks, they can take their compliance message with them at each new level.

Building on the writings of Hill and the work of Professor Ben-Hur, my suggestion is to build a Compliance Excellence Center in your company. Bring in middle-managers to focus on understanding not only their roles in compliance but also how to assign the right team members to a compliance initiative and motivate employees going forward. Hill wrote that Airbus has recently established a corporate ‘university’ to spread leadership ideas through the company. Airbus’ theory behind this push is “being a leader isn’t just about being a vice-president; it’s about being able to push the company towards new ways of doing things and executing the things we have to execute. That could [apply to] a blue-collar worker on the shop floor or a VP.”

A key is not simply to train such middle and front line managers on compliance but getting them to consider rollout, effectiveness, testing and improvement. In other words, as Jay Martin would say, it is all about execution. One way to help facilitate this is through exercises using incentives to “make leadership insights stick and change workplace behavior.” Hill also writes that concepts from entrepreneurship can assist in such learning by encouraging managers to “think and act independently” to operationalize compliance. Finally, never forget mentoring as a manner to spread good compliance practices throughout a company if a more formal approach is not possible.

Too often, strategies to move a compliance program or even an initiative come from the top of an organization and are pushed down. To fully operationalize compliance, you must have leadership in compliance further down the organization which (hopefully) has been a part of the design process and can lead the implementation throughout an organization. Do not forget the example of Apollo 13 and the operationalized engineers who developed the solution to bring the damaged spaceship home. If you put a system in place to train your middle managers in compliance it will go a long way towards taking your compliance program from good to great.



In a speech before the SIFMA Compliance and Legal Society New York Regional Seminar in November 2015, then Assistant Attorney General Leslie Caldwell laid out metrics the Department of Justice would consider in evaluating a corporate compliance program around third parties. Caldwell began with the following question, “Does the institution sensitize third parties like vendors, agents or consultants to the company’s expectation that its partners are also serious about compliance?” This inquiry was brought forward into the Justice Department’s Evaluation of Corporate Compliance Programs.

Management of a Third Party Relationship

Recognizing that most Chief Compliance Officers (CCOs) and compliance practitioners understand the need for a business justification, questionnaire, due diligence and compliance terms and conditions in a contract, I was gratified to see the DOJ focusing on the final step in the lifecycle of a third party relationship as a key metric for its new Compliance Counsel to evaluate. This is because it is the management of third party relationships that continues to be a source of trouble and heartburn for many companies. As Caldwell noted in her remarks, the management of a third party relationship, “means more than including boilerplate language in a contract. It means taking action – including termination of a business relationship – if a partner demonstrates a lack of respect for laws and policies. And that attitude toward partner compliance must exist regardless of geographic location.”

The 2012 FCPA Guidance itself only provides that “companies should undertake some form of ongoing monitoring of third-party relationships”. This means that you must have an experienced compliance and audit team, actively engaged in the corporate office and in the business units, to ensure that financial controls and compliance policies are followed and that remedial measures for violations or gaps are tracked, implemented and rechecked, as additional detection and prevention. Caldwell noted it is a more encompassing “sensitization” to anti-corruption compliance that is needed. There are several ways for you to do so.

Relationship Manager for Third Parties

The starting point for the management of a third party is a Relationship Manager for every third party with which your company does business. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party. Some of the duties of the Relationship Manager may include:

  • Point of contact with the Third Party for all compliance issues;
  • Maintaining periodic contact with the Third Party;
  • Meeting annually with the Third Party to review its satisfaction of all company compliance obligations;
  • Submitting annual reports to the company’s Oversight Committee summarizing services provided by the Third Party;
  • Assisting the company’s Oversight Committee with any issues with respect to the Third Party.

Compliance Professional

Just as a company needs a subject matter expert (SME) in anti-bribery compliance to be able to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third parties also need such access. A third party may not be large enough to have its own compliance staff so I advocate a company providing such a dedicated resource to third parties. I do not believe that this will create a conflict of interest or that there are other legal impediments to providing such services. They can also include anti-corruption training for the third party, either through onsite or remote mechanisms. The compliance professional should work closely with the Relationship Manager to provide advice, training and communications to the third party. 

Oversight Committee

I advocate that a company should have an Oversight Committee review all documents relating to the full panoply of a third party’s relationship with the company. It can be a formal structure or some other type of group, but the key is to have senior management put a ‘second set of eyes’ on any third parties who might represent a company on the sales side. In addition to the basic concept of process validation of your management of third parties, as third parties are recognized as the highest risk in FCPA or Bribery Act compliance, this is a manner to deliver additional management of that risk.

After the commercial relationship has begun, the Oversight Committee should monitor the third party relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations and evaluation of any new or supplemental risk associated with any negative information discovered from a review of financial audit reports on the third party. The Oversight Committee should review any reports of any material breach of contract, including any breach of the requirements of the Company Code of Ethics and Compliance. In addition to the above remedial review, the Oversight Committee should review all payments requested by the third party to assure such payments are within the company guidelines and are warranted by the contractual relationship with the third party. Lastly, the Oversight Committee should review any request to provide the third party any type of non-monetary compensation and, as appropriate, approve such requests.


A key tool in managing the affiliation with a third party post-contract execution is auditing. Audit rights are a key clause in any compliance terms and conditions and must be secured. Your compliance audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. Noted fraud examiner expert Tracy Coenen described the process as (1) capture the data; (2) analyze the data; and (3) report on the data, which is also appropriate for a compliance audit. As a baseline I would suggest that any audit of a third party include, at a minimum, a review of the following:

  1. the effectiveness of existing compliance programs and codes of conduct;
  2. the origin and legitimacy of any funds paid to Company;
  3. books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
  4. all disbursements made for or on behalf of Company; and
  5. all funds received from Company in connection with work performed for, or services or equipment provided to, Company.

If you want to engage in a deeper dive you might consider evaluation of some of the following areas:

  • Review of contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party.
  • Review FCPA compliance training program; both the substance of the program and attendance records.
  • Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so, how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous reporting, hotline or any other reporting mechanism.
  • Does the third party have written employee discipline procedures? If so, have any employees been disciplined for any compliance violations? If yes, review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review employee expense reports for employees in high-risk positions or high-risk countries.
  • Testing for gifts, travel and entertainment that were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party’s compliance program. If the company has a designated compliance officer, to whom, and how, does that compliance officer report?
  • How is the third party’s compliance program designed to identify risks and what has been the result of any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing. 

Tying it all Together

In addition to monitoring and oversight of your third parties, you should periodically review the health of your third party management program. The robustness of your third party management program will go a long way towards preventing, detecting and remediating any compliance issue before it becomes a full-blown FCPA violation. As with all the steps laid out herein, you need to fully document all steps you have taken so that any regulator, and most specifically the DOJ Compliance Counsel, can test your metrics. Caldwell’s remarks around the metrics portended the Evaluation and what the DOJ will be reviewing and evaluating going forward, so that it is clear what will be expected from your company’s compliance program. You should also use these metrics to conduct a self-assessment on the state of your compliance program.

Three Key Takeaways

  1. It all starts with a Relationship Manager.
  2. Have company oversight of all third parties.
  3. Audit, monitor and remediate on an ongoing basis.


This month’s podcast series is sponsored by Opus.