This entry provides a wrap-up on written standards, with a discussion of policies on cybersecurity. Cybersecurity policy has become so critical for corporations that the CCO and many compliance practitioners are now required to deal with this issue.

Cybersecurity policies are the newest area to fall into the lap of the compliance professional. Fortunately, the state of New York’s Department of Financial Services has issued the first state-level regulations on cybersecurity for financial institutions. They became effective March 1, 2017, and while they are designed to protect financial services industries and consumers, they have application to, and provide guidance for, a wider variety of non-financial services companies and commercial enterprises. The regulation mandates that your overall cybersecurity policy be designed to meet the goals of preventing, detecting and remediating a cybersecurity event.

While the regulation is obviously geared towards financial services firms, there are several points that any non-financial services compliance practitioner should consider. The overall cybersecurity program should be designed to meet the three goals of any best practices compliance program: (a) preventing any cybersecurity breaches or failures; (b) detecting cybersecurity events; and (c) remediating by responding to identified or detected cybersecurity events to mitigate any negative effects, recovering from them and restoring normal operations and services. An added requirement for cybersecurity is notification of the appropriate regulatory authorities.

Your written policy should be based on a risk assessment, taking the following factors into consideration: “(a) information security; (b) data governance and classification; (c) asset inventory and device management; (d) access controls and identity management; (e) business continuity and disaster recovery planning and resources; (f) systems operations and availability concerns; (g) systems and network security; (h) systems and network monitoring; (i) systems and application development and quality assurance; (j) physical security and environmental controls; (k) customer data privacy; (l) vendor and Third Party Service Provider management; (m) risk assessment; and (n) incident response.”

There should be a corporate officer position, reporting to the Board of Directors, that is responsible for reporting to the Board on the following topics: (1) the confidentiality, integrity and security of the information systems; (2) the cybersecurity policies and procedures; (3) material cybersecurity risks; (4) the overall effectiveness of the cybersecurity program; and (5) any material cybersecurity events. The cyber compliance team must all show proficiency in the discipline and keep abreast of cybersecurity developments.

For ongoing monitoring, there should be annual penetration testing and biennial vulnerability assessments. Finally, there must be annual risk assessments designed to test: (1) identified cybersecurity risks and threats; (2) criteria for the assessment of the confidentiality, integrity, security, availability and adequacy of existing controls in the context of identified risks; and (3) requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the cybersecurity program will address the risks.

If a company allows a third-party provider to have access to or hold its data, it must perform an evaluation of that third-party provider in the following areas: (1) identification and risk assessment of the third-party provider; (2) minimum cybersecurity practices the third-party provider must meet in order to do business with the company; (3) due diligence processes used to evaluate the adequacy of the third-party provider’s cybersecurity practices; and (4) periodic assessment of the third-party provider based on the risk it presents and the continued adequacy of its cybersecurity practices. There should also be effective training and ongoing monitoring requirements for employees of impacted third-party providers.

All of the above should sound quite familiar to any anti-corruption compliance professional. Yet this DFS regulation should also be studied as a roadmap for the inevitable cybersecurity and InfoSec compliance which is just down the road for non-financial services industries. The third-party providers are particularly critical, as many major data breaches have occurred through connected third parties. One need only think of the Target data breach or the looting of the Central Bank of Bangladesh through the New York Federal Reserve Bank.

Three Key Takeaways

  1. CCOs and compliance professionals need to be ready to take on cybersecurity policies and procedures.
  2. Cybersecurity policies and procedures should strive to prevent, detect and remediate cybersecurity events and failures.
  3. Do not forget the lesson from the Target data breach; you are only as secure as your weakest third-party link.

This month’s sponsor is the Doing Compliance Master Class. In 2018, I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates for one of the top compliance-related trainings going forward.

The next area for policies is extortion payments, which are completely exempted from the FCPA. Extortion payments are made in response to a threat to life, liberty, or health coupled with a demand for payment. These should be carved out from your facilitation payments and your compliance program through specific language. You need to do this for a variety of reasons. First and foremost, your employees must understand that the company will support them if they are in any way threatened with harm, arrest or physical detention, or if their health or safety is threatened. As a compliance professional, you need to make sure employees understand they need to do whatever they must to get themselves out of such a situation.

Some of the situations your employees might face are along the lines of the following:

  • Employees are stopped by police, military or paramilitary personnel, or militia (uniformed or not) at designated or other checkpoints or other places and a payment is demanded as a condition of passage of persons or property;
  • Employees are threatened with arrest or detainment; or
  • Employees are asked by persons claiming to be security personnel, immigration control, or health inspectors to pay for an allegedly required inoculation or other similar procedure.

I once had a situation where an employee was threatened with receiving a vaccination for yellow fever when he was departing a West African country. The employee paid some $85 to get out of that situation. I instructed him to submit it as a travel expense, writing out the event in a four-sentence paragraph attached to his expense report. The documentation proved that the payment was not a facilitation payment. It was clearly an extortion payment.

The key, though, is that it be properly documented. But beyond simple documentation, you must specifically list extortion payments in your books and records so you will be in compliance with the FCPA’s books and records requirement to accurately record your expenses. You need to train your employees specifically on the actions to take both when they are put in the situation and when they return to their office. In your policy, state that if there is a threat to health, safety or liberty, the payment is not a facilitation payment but an extortion payment. Make sure that employees understand what their rights are and what their obligations are to report it when they come back to the corporate office or their office. Always remember, an extortion payment is not an FCPA violation.

Three Key Takeaways

  1. Extortion payments are not illegal under the FCPA.
  2. Was the action an extortion or some other type of situation?
  3. Document, Document, Document your extortion payments, both the financial component and a description of the underlying events.


As every compliance practitioner is well aware, third parties still present the highest risk under the Foreign Corrupt Practices Act. The Department of Justice Evaluation of Corporate Compliance Programs devotes an entire prong to third party management. It begins with the following:

Risk-Based and Integrated Processes: How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?

This first set of queries makes clear that the DOJ expects an integrated approach that is operationalized throughout the company. This means your compliance program must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party management.

  1. Business Justification and Business Sponsor;
  2. Questionnaire to Third Party;
  3. Due Diligence on Third Party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

Step 1 – Business Justification

The purpose of the Business Justification is to document the adequacy of the business case to retain a third party. The Business Justification should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third-party relationship is renewed. The Business Justification should be completed by the Business Sponsor, who will be the company’s primary business contact with the third party going forward.

Step 2 – Questionnaire

The term ‘questionnaire’ is mentioned several times in the 2012 FCPA Guidance. It is generally recognized as one of the tools that a company should use in its investigation to better understand with whom it is doing business. I believe that this requirement is not only a key step but also a mandatory step for any third party that desires to do work with your company. I tell clients that if a third party does not want to fill out the questionnaire, or will not fill it out completely, you should not walk but run away from doing business with such a party.

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, my experience is that most proposed agents that have done business with US or UK companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to US businesses.

Step 3 – Due Diligence

Most compliance practitioners understand the need for a robust due diligence program to investigate third parties, but have struggled with how to create an inventory that defines the basis of risk for each foreign business partner and thereby perform the due diligence required under the FCPA. Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner.

Our British compliance cousins of course are subject to the UK Bribery Act. In its Six Principles of an Adequate Procedures compliance program, the UK MOJ stated, “The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.” The purpose of this principle is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from bribing on their behalf. The MOJ recognized that due diligence procedures act both as a procedure for anti-bribery risk assessment and as a risk mitigation technique.

After you have completed Steps 1-3, you must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If Red Flags have appeared, they must be cleared, or you must demonstrate how you will manage the risks identified. In other words, you must Document, Document and Document that you have read, synthesized and evaluated the information garnered in Steps 1-3. As the DOJ and SEC continually remind us, a compliance program must be a living, evolving system and not simply a ‘Check-the-Box’ exercise. Once you have evaluated and documented your evaluation, you are ready to move on to Step 4 – the contract.

Step 4 – The Contract

In the area of compliance terms and conditions, the 2012 FCPA Guidance intones, “Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third party’s introduction to the business.” This means that you need to understand what the rate of commission is and whether it is reasonable for the services delivered. If the rate is too high, this could be indicia of corruption, as high commission rates can create a pool of money to be used to pay bribes. If your company uses a distributor model, then it needs to review the discount rates it provides to its distributors to ascertain that the discount rate is warranted.

Step 5 – Management of the Relationship

I often say that after you complete Steps 1-4 in the life cycle management of a third party, the real work begins, and that work is found in Step 5 – the Management of the Relationship. While the work done in Steps 1-4 is absolutely critical, if you do not manage the relationship it can all go downhill very quickly and you might find yourself with a potential FCPA or UK Bribery Act violation. There are several different ways that you should manage your post-contract relationship.

I continually give my Mantra of compliance, which is Document, Document, and Document. Each of the steps you take in the management of your third parties must be documented. Not only must they be documented but they must be stored and managed in a manner that you can retrieve them with relative ease. The management of third parties is absolutely critical in any best practices compliance program.

Three Key Takeaways

  1. Use the full five-step process for third-party management.
  2. Make sure you have BD involvement and buy-in.
  3. Operationalize all steps going forward by including business unit representatives.


From the information provided by the Justice Department in Opinion Releases and in enforcement actions, several insights may be drawn about what should go into your policy on facilitation payments:

  1. Size of payment – Is there an outer limit? No, there is no outer limit, but there is some line where the perception shifts. If a facilitating payment is over $100 you are arguing from a point of weakness; the presumption of good faith is against you. You might be able to persuade the government at an amount under $100, but anything over this amount and the government may well make further inquiries. So, for instance, the DOJ might aggregate all facilitation payments together and characterize them as a pattern and practice of bribery.
  2. What is a routine governmental action? Is the company entitled to this action? Has it met all of the requirements to obtain the requested permit, license or action, or is it asking the government official to look the other way on some requirement? Is the company asking the government official to give it a break? The key question here is whether you are otherwise entitled to the action.
  3. Does the seniority of the governmental official matter? This is significant because it changes the presumption of whether something is truly discretionary. The higher the level of the governmental official involved, the greater chance his decision is discretionary.
  4. Does the action have to be non-discretionary? Yes, because if it is discretionary, then a payment made will appear to be obtaining some advantage that is not available to others.
  5. What approvals should be required? A facilitation payment is something that must be made through an appropriate process. The process should be thought through, and the decision made by people who are the experts within the company on such matters.
  6. Risk of facilitation payments and third parties? Whatever policy you have, it must be carried over to third parties acting on your behalf or at your direction. If a third party cannot control this issue, the better compliance practice would be to end the business relationship.
  7. How should facilitation payments be recorded? Facilitation payments must be recorded accurately. You should have a category entitled “Facilitation Payments” in your company’s internal accounting system. The labeling should be quite clear; these records are critical to any audit trail, so recording them is quite significant.
  8. Monitoring programs? There must always be ongoing monitoring programs to review your company’s internal controls, policies and procedures regarding facilitation payments.

Also remember that the facilitation payments defense is an exception to the FCPA prohibition against bribery. Any defendant that wishes to avail itself of this exception at trial would have to proffer credible evidence to support its position, but at the end of the day, it would be the trier of fact that would decide. So, much like any compliance defense, the exception is only available if you use it at trial, and it is difficult to imagine that any company would want this matter to ever see the light of a courtroom.

After answering the above questions, if your organization decides it desires to allow facilitation payments, you should draft a policy that permits the company to make Facilitating Payments with (1) prior approval of the Compliance Department, (2) prior approval from Company management, and (3) proper financial recording. It may be difficult to distinguish a legal facilitation payment from a request that could be viewed as an illegal bribe or kickback; therefore, Facilitating Payments should be strictly controlled, and every effort should be made to eliminate or minimize such facilitating payments.

Do not forget that facilitation payments must be accurately shown on the books and records of your company. In all cases the employee who requested permission to make the facilitation payment must be responsible for obtaining all required approvals and forwarding a copy of the approvals and any other relevant supporting documentation as required, so that it is recorded as a facilitation expense in the books and records and maintained in a central file. Facilitation payments should not be recorded as consulting fees, entertainment expenses, or other types of expenses that may misrepresent the true nature of the payments.

There may be emergency situations when it will be difficult or impossible for employees to obtain approvals immediately before having to decide whether or not to pay a facilitation payment. If a facilitation payment is made in an emergency, the employee must report the Facilitating Payment to the Compliance Department and explain the emergency as soon as practical after making the payment.

Three Key Takeaways

  1. What was the amount of the facilitation payment?
  2. Was the action truly routine?
  3. How high up was the government official who received the facilitation payment? Was his or her decision discretionary?


One of the more confusing areas of the FCPA is that of facilitation payments. Facilitation payments are small bribes but make no mistake about it, they are bribes. For that reason, many companies feel they are inconsistent with a company culture of doing business ethically and in compliance with laws prohibiting corruption and bribery. Further, the 2012 FCPA Guidance specifies, “while the payment may qualify as an exception to the FCPA’s anti-bribery provisions, it may violate other laws, both in Foreign Country and elsewhere. In addition, if the payment is not accurately recorded, it could violate the FCPA’s books and records provision.” Finally, the 2012 FCPA Guidance states, “Whether a payment falls within the exception is not dependent on the size of the payment, though size can be telling, as a large payment is more suggestive of corrupt intent to influence a non-routine governmental action. But, like the FCPA’s anti-bribery provisions more generally, the facilitating payments exception focuses on the purpose of the payment rather than its value.” [emphasis in original text]

In addition to these clear statements about whether the FCPA should continue to allow said bribes, you should also consider the administrative nightmare for any international company. The UK Bribery Act does not have any such exception, exemption or defense along the lines of the FCPA facilitation payment exception. This means that even if your company allows facilitation payments, it must exempt every UK company or subsidiary from the policy. Further, if your company employs any UK citizens, they are subject to the UK Bribery Act no matter who they work for and where they may work in the world, so they must also be exempted. Finally, if your US company does business with a UK or other company subject to the UK Bribery Act, you may be prevented contractually from making facilitation payments while working under that customer’s contract. As I said, an administrative nightmare.

Interestingly, one of the clearest statements about facilitation payments comes not from an FCPA case about facilitation payments but from the case of Kay v. Rice, 359 F.3d 738, 750-51 (5th Cir. 2004). This case dealt with whether payment of bribes to obtain a favorable tax ruling was prohibited under the FCPA. In its opinion, the Fifth Circuit commented on the limited nature of the facilitating payments exception when it said:

A brief review of the types of routine governmental actions enumerated by Congress shows how limited Congress wanted to make the grease exceptions. Routine governmental action, for instance, includes “obtaining permits, licenses, or other official documents to qualify a person to do business in a foreign country,” and “scheduling inspections associated with contract performance or inspections related to transit of goods across country.” Therefore, routine governmental action does not include the issuance of every official document or every inspection, but only (1) documentation that qualifies a party to do business and (2) scheduling an inspection—very narrow categories of largely non-discretionary, ministerial activities performed by mid- or low-level foreign functionaries.

Enforcement Actions


The FCPA landscape is littered with companies that sustained FCPA violations due to payments which did not fall into the facilitation payment exception. In 2008, Con-way Inc., a global freight forwarder, paid a $300,000 penalty for making hundreds of relatively small payments to customs officials in the Philippines. The payments Con-way was fined for making totaled $244,000 and were made to induce the officials to violate customs regulations, settle customs disputes, and reduce or not enforce otherwise legitimate fines for administrative violations.

Helmerich and Payne

In 2009, Helmerich and Payne, Inc., paid a penalty and disgorgement fee of $1.3 million for payments which were made to secure customs clearances in Argentina and Venezuela. The payments ranged from $2,000 to $5,000 but were not properly recorded and were made to import/export goods that were not within the respective country’s regulations; to import goods that could not lawfully be imported; and to evade higher duties and taxes on the goods.


Finally, there is the Panalpina enforcement action. This matter was partly resolved with the payment by Panalpina and six of its customers of over $257 million in fines and penalties. Panalpina, acting as freight forwarder for its customers, made payments to circumvent import laws, reduce customs duties and tax assessments and to obtain preferential treatment for importing certain equipment into various countries but primarily in West Africa.

Three Key Takeaways

  1. Do not forget the administrative nightmare of facilitation payments for international organizations.
  2. The Kay decision made clear how narrow the ‘routine government action’ exception is.
  3. Facilitation payments will usually be an add-on as they are symptomatic of an ineffective, paper compliance program.

