Compliance

FCPA and UK Bribery Act Investigations in the Spotlight


by FEI Daily Staff

Multinational companies are seeing an increase in data volumes as well as a vast globalization of company data. As business ventures and data continue to cross borders, organizations are facing new challenges when it comes to regulatory scrutiny across the globe.

Specifically, the U.S. Securities and Exchange Commission (SEC) and U.S. Department of Justice (DoJ) have ramped up enforcement actions against international corporate bribery under the Foreign Corrupt Practices Act (FCPA) and confirmed the assignment of additional resources directed at these types of investigations.

The law, which is enforced by the aforementioned agencies, prohibits the corrupt payment of money or anything of value to a foreign official in order to obtain or retain business, in addition to implementing certain accounting transparency requirements. Any U.S.-based company conducting business internationally, or foreign corporations trading securities in the United States, must comply with this act.

Further, the UK Bribery Act, a law enacted in 2010, has been referred to as “the toughest anti-corruption legislation in the world.” Under the act, any organization doing business in the UK or with ties to the UK may be prosecuted and face unlimited fines, with the risk of a prison sentence for individuals involved.

This regulatory landscape for corruption and bribery offenses, combined with the widely varying data privacy and protection laws of countries across the globe and differences in local culturally acceptable business practices, brings the issue of the appropriate performance of cross-border investigations under the microscope for corporate financial executives, inside counsel and information technology professionals. Finance professionals are especially important to this process given the Sarbanes-Oxley Act and SEC requirements around accountability and reporting events.

Complying with and understanding the nuances of these laws require strategic legal and technical expertise. These issues continue to be a problem for multinational companies and often leave their executives in a reactive, defensive position.

Data Here, There and Everywhere

In the event of an investigation in response to FCPA or UK Bribery Act enforcement, or an internal investigation due to suspicion of corrupt practices, a critical first step is to gather and analyze the facts surrounding the allegation. A key part of this process is the collection and review of employee and company data such as email and accounting records. Due to the international focus of these regulations, much of the data needed is typically outside of the U.S.

A traditional domestic U.S. investigation would see the forensic team visit the site where the data resides, collect all of it and take it to be hosted from a processing and review facility off site. It would then be reviewed and analyzed by counsel and investigators as needed for the matter. A cross-border corruption and bribery investigation often is a different matter as many countries have laws in place that prohibit or limit transfer of data to countries such as the U.S. that are not deemed to have an adequate level of data protection.

When considering the global landscape, an increasing number of countries — such as Australia, Canada and those in the European Union, Asia, Central and South America — have strict data protection laws. Today, more developed countries have this type of legislation than do not. This leaves a company under investigation in a precarious position: it must respond to the DoJ or SEC, but is dealing with laws that must be carefully navigated to enable it to do so.

In a survey conducted last year by FTI Technology of 114 FCPA experts, the greatest challenge for international investigations cited by the respondents was the navigation of data privacy requirements. When dealing with data that exists in a jurisdiction with data privacy regulations, any data transfer must be legitimized and appropriately handled. Europe’s Data Protection Directive is an over-arching legislative framework that prohibits moving documents containing personally identifiable information out of European Union countries to jurisdictions that don’t provide a similar level of protection of the documents as they would in the EU. This includes transferring them to the U.S.

In addition, many European countries have additional regulations protecting individual privacy as part of, for example, employment or telecommunications laws. France and Germany are among the most stringent. Transferring data out of Asian countries can be fraught with its own challenges, including a growing body of data privacy legislation layered with the complex issue of China’s state secrecy laws, which can apply to any range of information that may exist in a data collection.

Another issue is that in global organizations it is not easy to contain the investigation to only one region. Employees, especially senior leadership, often migrate from one region to another, relocating frequently or working across multiple borders. Global corporations are also increasingly developing regional management structures, seeing all European countries reporting to a central hub before reporting back to the U.S.

The supply chain is typically multinational as well, with production touching numerous countries. When an investigation kicks off in one country, investigators commonly find themselves following a global trail of data that touches many locations, some of which are highly likely to have data privacy rules. Adding to the complexity is the consideration of company confidentiality and intellectual property, given the importance of keeping these types of highly sensitive documents closely guarded.

The Issue of Consent

A strategic and risk-limiting way to handle these challenges is to minimize the amount of data that needs to be transferred. The company’s investigatory team and counsel should go to great lengths to ensure that anything that is transferred out of the originating country is relevant to the matter.

There are some measures in place that companies can rely upon to help legitimize the data set that is transferred to the U.S. The U.S.-EU’s Safe Harbor scheme can provide companies with some protection; it does not, however, provide for the onward transfer to a third party, which is often required in an investigation. Obtaining consent from the employees involved — while tricky and certainly not bulletproof — is another option that is often utilized in these matters.

Securing individual consent from each employee in question for the data transfer is a valuable step. However, companies must keep in mind the stark contrast between how consent is defined in the U.S. versus other countries. In the U.S., when a person gives consent for their data to be used, it is often provided prospectively, without providing further disclosure to the individual.

Conversely, in Europe consent must be freely given without employer duress, and involves the employee being informed of what will be done with the data and to whom it will be provided. European employees are able to withdraw their consent at any time.

Because it isn’t always clear what will be done with the data at the beginning of an investigation, these nuances around consent become problematic. In investigative situations, people may give consent under duress of their employment, which could negate the consent under EU standards. Or, if an employee refuses to give consent, the company has to find alternative solutions for obtaining the needed data.

However, having signed consent does give extra coverage, and in cases where the custodian is agreeable, it helps inform him or her that the documents are being reviewed, and who will have access to them.

Another recent trend is providing disclosure of the investigatory process to the persons in question. This minimizes a lot of risk because the custodian is offered an opportunity to view what is being sent to the U.S.

Managing Risk

As stated above, an effective way to minimize the risk of violating data protection laws is to minimize the amount of data that is sent to the U.S.

Companies should equally seek to ensure the data being transferred is relevant to the investigation and requests made by the SEC or DoJ. Working under the assumption that the investigation is based on data in a country with regulations on data transfer, there are two options to consider that can aid in both minimizing the data and increasing its relevancy to the matter.

The first option is to conduct data collection and processing in the originating country. This means the raw data will be taken from hard drives, laptops, backup tapes, etc., and indexed, de-duplicated and prepared so it can be searched. The initial keyword searches should also be conducted before transferring the data to the U.S., so only potentially relevant data is being exported. The reduced set is then taken to the U.S. for eventual review by outside counsel. This method could be used in matters that have targeted data collections, a limited scope of what is needed or the presence of very specific/strong keywords.

The second option offers greater risk management, but can be more costly. With this approach, investigators do the collection, processing and initial keyword search in-country as stated above; however, the data is not exported to the U.S. for review. Instead, the reviewers and all of the workflow are moved to where the data resides. The added cost of this varies by country.

In Europe there is a healthy market of experienced external counsel and investigators, but in some countries, the team must be brought in and accommodated in-country until the conclusion of the review. For any matter where the company is more concerned with risk management than overall cost, this is the default option. This allows the investigatory team to get to the facts of the matter before any data transfer actually occurs, if indeed it is required at all.

There are dozens of cases that illustrate the strain a cross-border regulatory investigation can have on an organization. And while these issues tend to be considered largely legal and IT territory, financial leaders within the company should be aware of the issues and how wide reaching the impact can really be.

A proactive mindset around company policies and governance, combined with knowledge about the most effective and low risk ways to respond to an investigation will go a long way in helping company stakeholders respond to these types of matters in the way that best serves the company’s long-term interest.

Key FCPA, Bribery Act Considerations Specific to Financial Executives
  1. Structured Data Cannot Be Ignored: Accounting databases and finance systems such as SAP, Oracle, etc., contain structured data; and because they house financial records, they can often fall under the microscope for the investigation. For example, in FCPA and UK Bribery Act investigations, these types of systems are looked at to determine how the funds of a bribe were recorded and transferred. In the case of fraud, investigators will look at how the books and records align with what has been externally reported. To interrogate this type of information, a special skillset, tools and an informed approach are required. The data must be extracted from its system and analyzed in an application that can make it meaningful to reviewers, while maintaining integrity — which cannot be done using traditional document review.
  2. Fines and Reputational Risk: Paying the large SEC and DoJ fines — which can reach into the hundreds of millions of dollars for companies that do not appropriately respond to investigations — does not end the company’s exposure. A more subtle, yet also potent penalty awaits companies after the onslaught of civil and criminal fines. Private actions by stockholders have been filed with increasing frequency following exposure of a company’s corrupt business practices. Fines for violating data protection laws in other countries come into play as well, and stringent countries such as France and Switzerland have been known to impose serious sanctions. Jail sentences are not out of the question.
  3. Cost of the Investigation: As discussed above, there are a couple of options companies have for conducting a cross-border investigation. Cost on this type of matter is always evaluated relative to the risk, and experts widely recommend risk management taking precedence over cost concerns as short-term cost savings could have significant future impacts on the outcome of the investigation and the company’s future health. However, it is important for financial executives to understand the options and be part of the discussion weighing the overall financial exposure. The best way to contain costs resulting from this type of investigation is to work with the company stakeholders to implement policies that help safeguard the company in advance of a violation.
  4. Get Your House in Order: Don’t wait for an FCPA or UK Bribery Act investigation before you prepare for this type of matter. Perform training and advocate internally for education on these issues to avoid potential problems. The UK Bribery Act has an “adequate procedures” defense to the corporate offence of “failure to prevent bribery;” however, this requires that a corporation has a suitable anti-corruption and bribery program in place. For a large corporation this could include components such as tone at the top, risk assessments, policies and procedures, training and monitoring. Regular compliance audits, investigation plans and a feedback loop for the results of those investigations can be an important part of the monitoring process.
  5. Review data retention policies to ensure they are appropriate and being complied with across the company globally. Don’t forget to regularly audit them. In one example, a UK-based company was under investigation for bribing government officials in Asia. The investigatory team was tasked with determining who in the company arranged the bribes and who else knew about it. The IT policy, according to headquarters, was to keep back-up tapes for only 30 days, then destroy them. The Asia office confirmed it was complying with this policy; however, when the investigators arrived at that location to collect the data, they discovered years of back-up tapes that had not been destroyed. Because those tapes potentially contained information that was relevant to the investigation, they all had to be restored, processed and reviewed. This extra legwork cost the company a substantial amount — an expense that could have been avoided had the company followed its own stated policies.
This article first appeared in the November 2013 issue of Financial Executive magazine.