When the topic of information management arises, it is often in relation to electronic discovery, potential litigation, document retention or establishing policies to manage all of the above. However, there is another, less discussed but highly relevant motivator for thorough planning: compliance. We will be exploring different aspects of compliance in a variety of articles, starting with some cautionary tales from the world of the Foreign Corrupt Practices Act.
The Foreign Corrupt Practices Act, or FCPA, is a law that was originally enacted in 1977 in the wake of various corporate shenanigans. Best known amongst its provisions are those prohibiting bribery (payment to a foreign official with corrupt intent for a business purpose) as well as those for ensuring accounting transparency.
In recent years, the FCPA has grabbed headlines as one large company after another has been wrapped up in alleged or admitted bribery scandals. Huge penalties and fines have been collected as companies settle claims rather than risk open court. The assessed penalties are often levied to mitigate any possible economic gain. As such, these cases can be quite costly; the top ten cases alone account for over a billion dollars. Those numbers don’t reflect the lawyers’ fees, which add millions more.
Compliance failures are listed as a key factor in determining fault in these cases. Siemens, for example, was cited (amongst other egregious violations) for “failure to supervise” and “failing to develop and enforce an effective compliance program.” All in all, Siemens paid over $1.6 billion in penalties and disgorgements in settlements with the German and United States governments.
The fine could have been significantly worse (the U.S. portion alone could have been $2.7 billion), but Siemens was given credit for its cooperation in the investigation, including launching its own investigation, engaging third-party forensic analysis, and “exemplary efforts with respect to preservation, collection, testing, and analysis of evidence.”
Companies doing business in the U.S. are not the only ones that fall under the purview of the law. A recent settlement with Deutsche Telekom and Magyar Telekom is interesting for many reasons. Chief among them, from an information management perspective, is that these foreign issuers fell under FCPA jurisdiction because “two e-mails that passed through, were stored on, and transmitted to servers located in the U.S.” Given the penalties in this case were $95 million, that is very expensive email storage indeed!
Looking at the FCPA violations, it is clear that standard compliance failed in a number of areas. Many of the cases begin with whistleblowers or voluntary self-reporting. Yet, for companies under the purview of this law, the price of compliance failure is higher than most.
The first lesson is that violations are not cheap. The fines and penalties are bad enough, but even litigating a successful defense or conducting an in-depth internal investigation can cost millions of dollars. And that doesn’t take into account the public relations nightmare that occurs when a company is targeted for a probe.
Effective compliance programs can only be successful if they have full support of all stakeholders for risk mitigation policies and procedures. Internal enforcement must be prioritized with a clear chain of command and effective tools to facilitate the process. Employees must be trained and compliance must be audited to ensure company standards are followed. In addition, recent cases prove that due diligence should be done with all partners to make sure that they too are following FCPA guidelines.
If investigations do occur, the procedures should already be in place for the examinations to proceed smoothly. This should include an integration of in-house software, or external partners, which can collect, preserve, search and review data. If need be, decryption, translation, data mapping and other services should be available as well.
While there are many complaints about the FCPA and how it handles investigation, one thing becomes clear. Among the worst offenders, compliance was not made a priority, and in each case the reputation and finances of the defendants suffered as a result.