Trends in recent Foreign Corrupt Practice Act (FCPA) prosecutions can provide strategies for strengthening corporate compliance and audit functions. The article focuses on patterns in FCPA enforcement actions and suggests methods by which periodic audit testing could be used to detect FCPA misconduct.

The Department of Justice (DOJ) Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy and the FCPA Evaluation of Corporate Compliance Programs make clear that inquiry into the effectiveness of a company’s compliance program guides all aspects of the government’s enforcement of FCPA violations. These aspects include its decision to investigate, criminally prosecute, and determine the criminal fines, disgorgement, and civil money penalties under the Federal Sentencing Guidelines. The FCPA Corporate Enforcement Policy was issued in November 2017 and updated in March 2019. The 2017 policy included an explicit presumption that DOJ would resolve a company’s FCPA case through declination when the company satisfied the standards of voluntary self-disclosure, full cooperation, and timely and appropriate remediation.

Some trends have emerged that are the result of the 2017 FCPA Corporate Enforcement Policy and Evaluation of Corporate Compliance Programs and their recent 2019 updates:

• The adoption of a risk-based approach is used to assess a compliance program’s effectiveness.
• Red flags identified in audit findings, the due diligence process, and other internal reviews are expected to be timely remediated. Failure to do so could potentially affect the determination whether corporate disclosures were timely and FCPA allegations of misconduct were adequately addressed.

FCPA prosecutions resulting from third-party management have expanded beyond consultants and sales representatives to greater enforcement relating to the risks associated with distributors, dealers, subcontractors, and resellers.

In both the 2017 and 2019 Evaluation of Corporate Compliance Programs, the DOJ identified third-party transactions as posing a high risk for FCPA misconduct. The 2017 and 2019 updated guidance defines three key risk areas where misconduct is likely to occur: (1) documentation of payment terms and services to be performed; (2) compensation and incentive structures; and (3) due diligence performed to identify red flags in the selection of third-party agents and remediation of compliance issues regarding those third-party relationships.

Corporations are expected to establish sufficient internal controls to mitigate those risks. A requirement that a parent corporation implement sufficient robust controls, as determined by DOJ and the SEC on a case-by-case basis, has become the new standard for measuring compliance with the FCPA accounting provisions. This diverges from the statute’s original requirement of reasonableness in the design of controls.

Internal accounting controls are defined in the statute as a system to provide reasonable assurance that transactions are authorized and recorded in accordance with generally accepted accounting principles; however the DOJ and the SEC increasingly have applied a shifting and higher standard in their settlements of enforcement actions, creating uncertainty as to the requirements for an effective compliance program, despite criteria set out in the DOJ’s Evaluation of Corporate Compliance Programs.

Knowledge by the parent corporation of the inadequacy of accounting controls is not a requirement for liability under the FCPA accounting provisions; violations of the accounting provisions are subject to strict liability. However, the parent’s knowing circumvention or failure to implement internal accounting controls can give rise to criminal liability.

Theories for civil enforcement actions have extended to cover claims that parent corporations failed to devise and implement controls robust enough to prevent or detect misconduct, a standard hard to define given the limited judicial precedent and the failure of the statute to mandate any particular kind of internal controls system.

Also, there is a trend for the SEC to require disgorgement by parent corporations with no defined nexus between the profits received and the alleged misconduct, and no explanation as to how the penalty was calculated.

The DOJ, in assessing the design and effectiveness of a compliance program, evaluates corporate monitoring by the parent corporation of third-party arrangements, including the continuous updating of third-party due diligence, training of local managers on compliance risks, and auditing of third-party books and records for suspicious payment activity. As part of their internal accounting and books and records controls analysis, the DOJ and SEC focus on the integrity of financial and operational controls implemented by the parent corporation, including the maintenance of standardized global policies and procedures regarding third-party discounts and the benchmarking of discounts against industry standards. Other accounting internal controls include the presence of accounts payable procedures to verify that expenses are within stated contract terms; payments are supported by detail and receipts; and that payment is authorized. The absence or breakdown of controls affected the resolution of FCPA enforcement actions between 2017 and 2019.

Recent enforcement actions have been directed at third-party transactions where excessive discounts, false credit notes, inflated invoices, or sham transactions were used to conceal improper payments to foreign officials.

Excessive discount rates and false credit notes

Examples of excessive discounts to distributors and the use of false credit notes were the focal point for the following recent FCPA prosecutions.

Sanofi

In Kazakhstan, Sanofi subsidiaries gave distributors discounts of 20%–30% off the sales price of its pharmaceutical contracts from earmarked funds that enabled the distributors to pay Kazakh officials from the negotiated profit margin. In some instances, false credit notes were provided to enable Sanofi to win government tenders from both public and private institutions. The payments to Kazakh officials were tracked on internal spreadsheets and referred to as “marzipans.” The SEC opinion was critical of Sanofi’s lack of a standardized commercial policy regulating distributor discounts and its failure to centrally review the discounting of product sales prices. Additionally, the parent corporation ignored unexplained changes in tender sales during the relevant period, which rose by more than 200%. It also ignored the presence of red flags identified by internal audit regarding the lack of monitoring of outsourced distributor promotional activities. Sanofi, without admitting or denying the SEC findings, agreed to disgorge $17.5 million, pay prejudgment interest of $2.7 million, pay a civil money penalty of $5 million, and agreed to two years of self-monitoring.

Orthofix Medical Inc.

In 2014, Orthofix, a repeat FCPA offender, self-reported to the SEC and DOJ violations of the books and records and internal accounting controls FCPA provisions. Orthofix, through its subsidiaries, provided distributors discounts up to 70% off the sales price for its surgical and nonsurgical equipment. The inflated profit margin realized from significant discounts funded improper payments to publicly employed foreign physicians.

Additionally, its Brazilian subsidiary made payments to distributors on false invoices they submitted to conceal payments to foreign physicians. The payments were inaccurately recorded in the subsidiary’s books and records as consulting fees to disguise their true nature. At the time of the payments, Orthofix had no policies and procedures to centrally standardize the approval and monitoring of discounts provided to third parties. DOJ declined to prosecute criminally, although Orthofix had violated its deferred prosecution agreement. Orthofix consented to a cease-and-desist order, and agreed to disgorge to the SEC $2,928,000, pay prejudgment interest of $263,375, pay a civil money penalty of $2,928,000, and retain an independent consultant for one year.

Analogic Corporation

This case involved a complex scheme where false credit notes were issued by Analogic’s subsidiary to distributors. The subsidiary circumvented the parent corporation’s accounts receivable controls by crediting cash and making an offset against the distributor’s credit balance. The distributor would then direct the subsidiary to issue wire transfers to shell corporations in Belize, the British Virgin Islands, Cyprus, and individuals in Russia. The SEC cited no evidence that the parent knew or authorized the payments. Neither the DOJ nor the SEC could reliably account for how the distributor used the monies or whether foreign officials received the payments. In fact, the SEC stated that the monies may have been used to further an embezzlement or tax evasion scheme. Without linking the transfers made by the distributor to payments to foreign officials, the prosecution turned on the falsification of documentation and the failure to implement reasonable internal accounting controls. In settlement of separate DOJ and SEC enforcement actions, the subsidiary of Analogic agreed to enter into a non-prosecution agreement and paid a $3,402,000 criminal fine. Analogic disgorged $7,672,651 and paid $3,810,311 in prejudgment interest.

Fraudulent invoices and sham transactions

The SEC has also cited the use of fraudulent inflated invoices and sham transactions as a vehicle for the transfer of improper payments to foreign officials.

Biomet Inc.

Biomet, a medical device company and repeat FCPA offender, while under the supervision of a monitor, violated the anti-bribery, books and records, and internal accounting controls provisions of the FCPA. Its Brazilian subsidiary employed an unauthorized distributor and recorded the transactions as if they were transactions with an authorized distributor. Both the SEC and DOJ initiated enforcement actions against Biomet and Zimmer Biomet. The SEC determined there were violations of the books and records and internal accounting controls provisions resulting from the failure to stop the continued prohibited relationship with the unauthorized distributor and the concealment of those transactions. Payments were also made to custom brokers and subagents for the importation of unregistered and mislabeled products into Mexico. Biomet’s knowledge that the custom brokers and their subagents were engaged in paying bribes across the border constituted a violation of the anti-bribery FCPA provisions. The expenses submitted by custom brokers and subagents lacked sufficient detail. One-line invoices were submitted for “consulting and logistics,” “professional services,” “bridge crossing fees,” and “special or extraordinary services.” The payments were recorded in the subsidiary’s books and records as “freight costs.”

Zimmer Biomet

Zimmer, the company that acquired Biomet in 2015, was required to enter into a deferred prosecution agreement for Biomet’s violations of the internal accounting controls provisions and retain a monitor for three years. The related subsidiary of Zimmer Biomet was required to enter a guilty plea for causing books and records violations, and Zimmer Biomet agreed to pay a criminal fine of $17,460,300 in connection with the deferred prosecution agreement. In the related SEC proceeding, Zimmer Biomet agreed to a cease-and-desist order, disgorged to the SEC $6.5 million (including prejudgment interest), and paid a $6.5 million civil money penalty.

Fresenius Medical Care

Fresenius used numerous vehicles for its improper payments to foreign officials and publicly employed physicians. In Angola, to influence the award of tenders for the purchase of dialysis equipment, its subsidiary gave excessive discounts to distributors and resellers, and paid distributors on false invoices. In Saudi Arabia, a Fresenius wholly owned distributor received cash as part of a check-writing scheme to conceal payments to publicly employed physicians and foreign government officials. It also submitted false marketing and travel expense invoices with no supporting documentation to fund improper payments.

In Mexico, pass-through payments were made to a distributor, who then paid kickbacks on a per-treatment basis to officials at the state-run social insurance agency. The arrangement was retroactively documented as a commission agreement, and in its books and records the payments were identified by the subsidiary as “advice.” In addition to schemes involving payments to distributors, Fresenius subsidiaries engaged in sham consulting agreements with physicians, improper travel, entertainment payments, and gifts to physicians, all unsupported by documentation. They also granted beneficial interests in joint ventures to physicians to increase product sales. Its senior management received reports of improper payments to third parties to obtain business for Fresenius and took no action, and in some instances, personally engaged in schemes to provide improper payments to foreign government officials.

Both the SEC and DOJ pursued FCPA enforcement actions against Fresenius. The DOJ determined that bribes were paid to procure business in Saudi Arabia, Angola, and West Africa. The government further determined that violations of the books and records and internal accounting provisions occurred in Turkey, Spain, China, Serbia, Bosnia, and Mexico. The DOJ found that Fresenius did not qualify for a criminal declination under the Corporate Enforcement Policy due to its pervasive pattern of misconduct and significant corporate profit from the misconduct (more than $135 million). Fresenius failed to satisfy the threshold for any cooperation credit and timely disclosure, because it destroyed relevant documents. Fresenius was required to enter into a three-year non-prosecution agreement, engage a monitor for two years, pay a criminal fine of $84.7 million, and disgorge to the SEC a total of $147 million (including prejudgment interest).

An audit approach to detecting FCPA misconduct

Given the importance of maintaining a well-designed compliance program to avoid and mitigate FCPA liability, a proactive, forward-looking approach to auditing and monitoring foreign subsidiaries’ business operations is warranted. Recent FCPA prosecutions follow common patterns of misconduct that require the combined effort of compliance and audit to identify misconduct so that timely corrective action can be taken. A practical approach to periodic audit testing could yield significant improvements in the early detection of FCPA schemes. Periodic monitoring has been recognized as a factor that prosecutors consider in awarding credit under the US Sentencing Guidelines. “Prosecutors may reward efforts to promote improvement and sustainability… Prosecutors should … look to whether a company has taken ‘reasonable steps’ to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct, and ‘evaluate periodically the effectiveness of the organization’s program.’”

The following periodic testing of internal accounting controls can successfully detect excessive discounts and false credit notes:

• Verify a due-diligence review was conducted of all third-party vendors to identify business affiliations, market reputation, corporate structure, creditworthiness, and expertise in the area for which they are employed.
• Review the corporate product pricing list for the allowed discount range and compare it to the pricing provided to the distributor or other agent. Determine if the distributor discounts are in line with the product pricing guidelines, and if changes have been made, that they were properly approved. Compare the discounts to the market standards to determine whether they are excessive.
• Review management approvals/rejections of price changes and compare the date of the approval with the date the price change was entered into the accounting system.
• Exercise audit rights under distributor contracts and audit the distributor’s accounts payable ledger to detect unusual payments made to foreign government officials or entities in which officials hold an interest.
• Determine whether a finance debit/credit memo policy and an approval process for invoice changes has been established. Validate the final credit note against the corresponding amount reflected in the accounting system.
• Prevent violation of the principle of segregation of duties by reviewing the list of employees authorized to issue credit memos and determine whether overlap exists with employees who are able to record sales orders.
• Quantify corporate financial ratios from its financial statements. Anomalies in the form of erratic or unexplained changes or differences from industry patterns require further investigation. High-risk areas include ratios of sales versus sales commissions, sales versus returns, allowances and discounts, sales versus cost of sales, and sales versus the advertising or promotion budget. Anomalies involving cash account balances require further scrutiny. Some relationships involving cash or cash flow include cash from operations over time, cash from operations versus sales, and cash from operations versus net income.

The following audit steps are recommended to identify payment for services not rendered, inflated invoices, or sham transactions:

• Review the accounts payable ledger for payments to vendors identified either through market intelligence or the due diligence process as controlled or managed by foreign government entities or current or former government officials. Determine how the payments were characterized in the books and records.
• Trace payments through the accounts payable ledger and examine the underlying support for the payments. Determine whether there is a written contract for the services, the level of detail in the agent’s invoices, and the accuracy and clarity of the description of the services rendered.
• Identify all vendor requests for payment and payments made:
  • to other third parties (e.g., unrelated individuals/entities, shell corporations);
  • to bank accounts not located either in the country where the services were rendered or where the recipient of the funds is located;
  • as cash payments or checks made out to cash;
  • as round currency disbursements; and/or
  • as payments for invoices that do not reflect the services contracted for or payment terms not in line with industry norms.
• Examine underlying support for vendor payments and examine for irregularities in invoicing. Red flags include no detail about the goods or services provided; numerous invoices in the same amount, especially if the amount is below the particular authority approval level; and consecutive sequential invoice numbering.
• Determine the fair market value for the contracted services based on a comparison to industry standards. Identify all instances where agents received payments designated as “success fees,” “commitment fees,” or bonuses.
• Determine if the necessary approvals were obtained for payment of the expenses.

The periodic review of a compliance plan through audit testing ensures that the compliance program works in practice. The value contributed by robust audit and monitoring functions is often only realized after the fact, when the business has been ordered to retain an independent consultant or monitor at tremendous cost. Periodic audit testing could yield significant improvement with FCPA compliance and provide for the early detection of FCPA misconduct.

Takeaways

• Design a corporate risk assessment that evaluates risk related to the location of the corporation’s foreign operations, industry sector, and regulatory environment.
• Review the risk assessment and audit plan regularly to ensure that both address the corporation’s highest risks.
• Perform periodic auditing and monitoring of the global compliance program.
• Perform a root cause analysis of any FCPA misconduct detected.
• Timely address red flags identified in audit findings and legal reviews and ensure resolution of all issues is confirmed by the parent corporation.

 

---

 

Endnotes

1. 15 U.S.C. §§ 78dd-1, et seq.
2. U.S. Dep’t of Justice (DOJ), “FCPA Corporate Enforcement Policy,” USAM 9-47.120 (updated March 2019).
3. DOJ, Criminal Div., *Evaluation of Corporate Compliance Programs* (updated April 2019).
4. Karen E. Woody, “No Smoke and No Fire: The Rise of Internal Controls Absent Anti-Bribery Violations in FCPA Enforcement,” *Cardozo Law Review* 38, rev. 1727 (2017).
5. 15 U.S.C. § 78m(b)(2)(B).
6. *In the Matter of Biomet, Inc.* (SEC Admin. Proceeding File No. 3-17771, January 12, 2017)
7. *In the Matter of Fresenius Medical Care AG & Co. KGaA* (SEC Admin. Proceeding File No. 3-19126, March 29, 2019)
8. *In the Matter of Stryker Corporation* (SEC Admin. Proceeding File No. 3-188853, September 28, 2018).
9. *Fresenius*, supra.
10. *In the Matter of Sanofi* (SEC Admin. Proceeding File No. 3-18708, September 4, 2018).
11. Susanne Elvidge, “Sanofi reaches $25M settlement with SEC on bribery charges,” *BiopharmaDive*, September 5, 2018.
12. Richard L. Cassin, “SEC charges Orthofix with FCPA violations in Brazil,” *TheFCPA Blog*, January 18, 2017.
13. *In the Matter of Orthofix International N.V.* (SEC Admin. Proceeding File No. 3-17800, January 18, 2017).
14. *In the matter of Analogic Corporation and Lars Frost* (SEC Admin. Proceeding File No. 3-17305, June 21, 2016).
15. *Biomet*, supra.
16. DOJ, “Zimmer Biomet Holdings Inc. Agrees to Pay $17.4 Million to Resolve Foreign Corrupt Practices Act Charges,” news release, January 12, 2017.
17. *Fresenius*, supra.
18. *Evaluation of Corporate Compliance Programs* § 8B2.1(b)(5).

—

If you want, next I can turn this into:

1. a **clean Word doc version**,
2. a **website-ready article version**, or
3. a **short excerpt + CTA version** for the post page.