After the onset of COVID-19, the SEC had a significant drop in the number of anticorruption cases.[1] The SEC stated publicly that this was the result of the collateral effect of the pandemic and promised they had a healthy backlog of cases that would be addressed. Fiscal Year 2023 may be proof that the SEC has not lost its resolve in policing the anticorruption laws. Indeed, it brought 12 anticorruption enforcement actions, three of which were filed in the final days of the 2023 Fiscal Year.[2] The SEC’s 2023 enforcement actions bring valuable lessons. They provide a reminder for U.S. publicly traded companies of the ever-increasing financial perils that can be avoided through vigilance against some “tried and true” methods of facilitating commercial payoffs.

What’s at stake?

Anticorruption investigations and enforcement actions are costly and time-consuming for companies that fall within the SEC’s (and/or DOJ’s) crosshairs. Enforcement agencies often spend 2-4 years investigating corruption allegations before bringing an enforcement action, and with this comes legal and accounting fees, including costly and disruptive internal investigations. Defending an enforcement action brings additional costs, increased risk of reputational harm, and often takes years to resolve. Additionally, sanctions for violations can be significant. Even with purported “cooperation credit,” the cost to the business has grown significantly in terms of the scope of disgorgement and size of the financial fines and penalties.[3] Officers, directors, shareholders, employees and others can also face criminal penalties, enforced by the DOJ, including imprisonment. Lastly, companies may also be subject to oversight by an independent monitor for several years at the company’s expense. On top of all that, it is not uncommon for corporations to face shareholder litigation.

Who should we listen to?

Corporations are complex, often with many voices throughout an organization.  But corporate management and boards need to pay special attention to, and be prepared to act on, those voices that should be ingrained in an overall compliance system: internal auditors, finance-related personnel, compliance and legal personnel, and internal whistleblowers. The SEC 2023 enforcement actions highlight the dangers if these voices are ignored. For example, in two of the three most recent filed actions, the internal audit function flagged weaknesses in the anticorruption internal controls and, in some cases, outright red flags that payments were being made with a corrupt purpose. In those cases, the concerns were documented and escalated. However, the concerns were not addressed and remediated until it was too late. In one of those cases, subsidiary management prohibited internal audit from accessing records in an area of recurring concern. Later, during an internal investigation into these issues, subsidiary management severely limited access to “consultants” suspected to be conduits for payments to government officials. In another 2023 enforcement action, finance personnel questioned the legitimacy of payments under the company’s policies and procedures. Again, the voice was lost in the corporate structure, not making its way to persons capable of taking the right remedial actions.

Last but not least, whistleblower concerns should always be taken seriously. In a recent case, the SEC flagged as a deficiency a corporate subsidiary’s failure to implement an internal hotline and lack of training to facilitate internal whistleblower concerns. For good reason, whistleblowers have been an ever-increasing source of tips to the SEC, and the SEC has been vigorously enforcing its whistleblower protection rules over the last 18 months.[4] 

Where to look?

When corporate management considers anticorruption risk, they think of the Foreign Corrupt Practices Act (FCPA). The first thought is to only look abroad and focus on areas where their business is tied to foreign government clients. Unfortunately, this approach can prove to be too myopic. As highlighted again in the 2023 SEC actions, Section 13 of the Securities Exchange Act of 1934, adopted as part of the FCPA, requires that companies maintain accurate books and records and have in place internal financial controls designed to ensure accurate financial reporting. In the anticorruption context, the SEC has liberally used the books and records and internal control provisions to address not only corrupt payments to foreign government officials, but also to domestic government officials, domestic commercial counterparties, and foreign private customers and labor officials.[5]

The 2023 SEC actions underscore the SEC’s focus on using the full FCPA arsenal to address all forms of corruption, foreign or domestic, governmental or private. In fact, one of the largest cases brought recently involved a corruption scheme whereby a company subsidiary made a series of indirect payoffs benefitting a leader in a state legislature to secure continued favorable treatment under state law. One of the subsidiary’s senior officers also stated publicly that the favorable legislative win was due to grass roots efforts and effective lobbying, rather than a series of payments funneled to associates of the legislative leader. There, the SEC charged the parent and subsidiary company, as well as the subsidiary’s senior officer, under Section 13’s books and records and internal controls provisions, as well as securities fraud for the alleged false statements. This conduct resulted in $103.6 million in disgorgement and prejudgment interest payments to the SEC, a $99 million criminal fine and an additional $16.2 million forfeiture levied by the DOJ.

Who should we look at?

It is a rare case where a company or subsidiary employee directly makes and improper payment and then seeks reimbursement with a reimbursement justification of “payment/gift to person to get or keep work.” The attempts to create an end run of company anticorruption policies and procedures are more often nuanced and indirect. The typical scheme requires the use of a third-party person or entity. As reflected in the 2023 SEC actions, this still holds true. The payments in these cases were funneled through consultants, sales agents, distributors, vendor companies and even law firms. Bad actors often attempt to create a colorable legitimate payment to the third party who will then, in turn, pay some or all of the payment to the targeted recipients.

Given this, attention to the policies and procedures concerning the onboarding and payment of third-party vendors and service providers needs to be ever-vigilant. While the focus needs to be in areas of operation with high risks of corruption, one recent SEC case underscores that companies cannot neglect third parties in the U.S.

What to look for?

Company or subsidiary employees often use third parties to hide improper payments. Responsible corporations seeking to limit this risk can look at the recent 2023 SEC actions for guidance. Often, the indicia of an improper third-party arrangement are available at the outset. For example, proper due diligence before hiring the third-party would reveal that the third-party had a close family or business connection with those responsible for awarding work.[6] Likewise, requests by potential customers to inject their own connections into a vendor role should raise concerns.  Moreover, there may be no written agreement between the third party and the company. Where those agreements do exist, they often fail to clearly define a scope of work, deliverables or project milestones that tie to the contractual right to receive payment. And even where they do, the amount of compensation, whether in terms of the commission, sales discount or hourly rate may be so high as to be outside the typical arms-length commercially reasonable context. The SEC considers these examples clear “red flags.”

Likewise, there may be activity within a subsidiary’s own systems that may be abused. The most commonly misused area is the review of third-party payment invoices.  The SEC 2023 cases are replete with examples where there is little to no detail provided in the invoices that tie to the contract or justify payment. Also, the use of gifts, entertainment and luxury travel continue to be recurring themes.[7]

Companies must also be on the lookout for less common routes of corrupt payments. Subsidiaries have routed improper third-party payments through sister subsidiaries, with no relation to the “services” being provided, where they anticipate less oversight. Subsidiaries have also created and maintained reserves without clear guardrails around their creation and use (commonly referred to as “slush funds”). This creates a pool from which potential improper expenses may be incurred and charged against to avoid parent company oversight.  Also, payment channels at the subsidiary level may be exploited. While these channels may have limits on the size of the payments, those limits may be overridden or there may be a series of payments designed to comply with the cap. As a result, companies need to have systems in place to flag any aberrational payments or to make these areas the target of risk-based internal audit planning and review.

What can we do?

There is no easy answer here. Every system of policies, procedures and internal controls can be circumvented at some level. The SEC 2023 actions highlight areas where the SEC felt companies missed the mark. Prophylactically, companies should consider implementing the following practices:

• Require and ensure that all third parties are vetted before they commence any services, have written agreements in place that clearly define the deliverables and payments, and pass through to the third-party the obligations to comply with company anticorruption policies and procedures, including representations and warranties that the company policies have been and will be complied with. Additionally, third-party agreements should provide for rights to audit and inspect third party records relevant to their work with the company.
• Implement an effective policy regarding how employee concerns are to be reported and how they need to be elevated once received. These policies need to be advertised in each geographic location and implementation needs to be verified and tested. An anonymous whistleblower/complaint hotline should be implemented, internally advertised, and routinely monitored.
• Require mandatory anticorruption training, on a recurring basis, for subsidiary employees. The training should cover not only existing policies and ramifications (both to the company and the employee), but also potential “red flags” that may be an indication of potential violations. The trainings should be verified, and proper records of the trainings should be kept. All advertising, training and resources should also be available in the language of the specific subsidiary’s location. There is only one thing worse than having no written policy in place: having one in place but nevertheless violating it because of a lack of informing, training and testing the policy, particularly in foreign subsidiaries or operations.
• Revisit the company’s policies and procedures regarding the use and oversight of third-party travel agents and the reimbursement of sales related travel, gifts and entertainment expenses.
• Engage the company’s internal audit function. Internal audit is trained in testing the effectiveness of financial controls in the field. They are also a highly effective resource in testing the existence and operation of the entire control environment around the avoidance of corruption.
• Consider conducting periodic review and testing from outside professionals of operations located in high-risk areas.