We entered a new phase in the fight against corporate bribery on June 21, 2022, when the UK company Glencore admitted to bribery after an investigation by the UK's Serious Fraud Office (SFO). The company also recently pled guilty in bribery investigations of several other countries including the U.S., making this a significant case of corporate bribery with calls for staggering fines to deter others from similar actions. Check out our FCPA compliance checklist below.
According to an article by The Financial Times, the SFO’s investigation showed Glencore bribed officials in Nigeria and Cameroon between 2011 and 2016 with more than $28 million to obtain preferential delivery dates.
The sins of bribery and corruption come with great consequences. So, if your organization wants to avoid substantial fines and penalties, a bad business reputation, or possible jail time, it is important to understand the rules and regulations of the Foreign Corrupt Practices Act (FCPA) and what the government expects from you and your business. This understanding will help you operationalize your FCPA compliance.
Make FCPA Compliance a Part of Your Business Operations
Every business should care about bribery and corruption, but all too often their compliance program is not an integral part of business operations. For many, it’s an afterthought in a section of the team handbook. It isn’t enough to create policies and procedures around compliance. It must become part of your organization’s culture. More importantly, your employees need more than a list of compliance rules to follow – they need to know why it matters so that it becomes a part of how they do their jobs.
What operationalized FCPA compliance look like?
A truly operationalized FCPA compliance program will translate into action and influence behavior for the benefit of the business. As a first step, organizations must identify the things employees do to create risk and to mitigate risk. Then, they must make sure those things are done correctly.
Most companies have the fundamentals covered with annual training programs, codes of conduct, hot lines, vendor credentialing, among others. While all of these are essential, a system that brings siloed data together, analyzes it accurately, mitigates any issues, and documents everything is the best way to operationalize an FCPA compliance program. Seems simple enough, right?
The Best Way to Operationalize Your FCPA Compliance Program
Let’s break down the four “best way” elements I just mentioned above:
Step 1: Curate the financial data.
Data is stored in silos today. Expense reporting data is in the expense management system; corporate card data is with the credit card vendor; accounts payable data is in the ERP system; employee records and payroll are in a HRIS, and so on. When data is siloed, no one has a holistic and shared view. So, for complete visibility, FCPA compliance needs to be operationalized, cutting across data silos, which requires collecting data sets from disparate internal and external sources and curating them into a coherent data set.
Step 2: Analyze all the data systematically.
With so much data to monitor, it is difficult, if not impossible, to identify patterns of behavior via traditional analytical approaches. Companies often review only a “slice in time” sample, or a subset of transactions, relying too heavily on manager review and approval of activities as a control. This approach is not only ineffective, but also inefficient, making FCPA compliance nearly impossible. Manual processes are time-consuming, and they aren’t enough to effectively detect and/or prevent schemes that violate anti-bribery/corruption regulations. Patterns of inappropriate behavior just below thresholds and other suspicious activity can go undetected. Only technology can provide a systematic approach to automatically compare transactions over an extended time, using multiple analytics to identify any hidden violations.
Step 3: Determine the best way to remediate issues of T&E non-compliance.
When an expense report is submitted, it should be analyzed for potential indicators of suspicious activity such as inconsistencies between what was purchased and the type of retailer it was purchased with, use of personal cards, receipts that aren’t itemized large food & beverage and entertainment expenses. We know these types of clues can go undetected with traditional controls; therefore, every transaction needs to be analyzed.
Artificial Intelligence (AI) can bring all these clues together to identify risks in real-time with continuous monitoring. Using advanced analytics to flag potential misconduct allows operational teams to spend more time investigating, substantiating, and correcting an underlying problem rather than trying to find it. In other words, if a system can detect anomalies that are indicative of high-risk activity, operations can take immediate action to remediate the issues.
When you utilize a centralized continuous monitoring system, you have the benefit of detecting and prioritizing exceptions, as well as a wealth of relevant data for research. These solutions do not only facilitate the remediation process for operations, but they also do it efficiently.
Step 4: Document every action to demonstrate FCPA compliance efforts.
From an FCPA compliance standpoint, if something is not documented, then it did not happen. An effective operationalized compliance program should easily demonstrate to the C-suite, the board, and if necessary, to the regulatory authorities that there is consistent and proactive monitoring of all transactions for compliance risk. Documentation of any actions taken on any issues identified should also be recorded in a permanent audit log for reference.
A popular example of how an FCPA compliance program can work: In 2012, Morgan Stanley was able to avoid corporate prosecution by proving that they had a pre-existing, effective, and evolving FCPA compliance program. This proof persuaded the government to find that one of their former executives had acted on his own and against the company’s established policies. The outcome of this case demonstrates how investing in an FCPA compliance program and doing the right things when problems are found can shield an organization from enforcement action.
We Can’t Predict Employee Misconduct with a Background Check
Morals and ethics are learned behaviors, and good character is built over time. Unfortunately, as employers we can’t rely on background checks or company codes of conduct to decide if an employee is likely to commit fraud, nor can we rely on our intuition to tell us when potential misconduct is happing.
In the Glencore case, prosecutions against individuals may be forthcoming. However, the culture must have enabled such widespread activity allowing bribery and fraud. According to the Financial Times article, “Glencore said last month it has strengthened compliance procedures in recent years and that it is “not the company it was”.
The ability to identify potential violations and resolve them quickly is essential for an effective FCPA compliance monitoring program. The degree to which organizations can achieve a consistent culture of compliance is reliant on persistent training and continuous monitoring efforts. To fully adapt this culture, businesses must attack the heavy lifting with AI technology and automation.
The right solution will be able to continuously monitor 100 percent of your transactions, identify potential anti-bribery/corruption risk in the form of exceptions, and store them in a centralized system, including any actions taken to resolve them. This can mean the difference between exoneration and facing criminal and civil charges from the DOJ or SFO.