FCPA Compliance and Ethics Blog

June 11, 2013

FCPA Enforcement as a Security Issue and Implications for the Compliance Practitioner

One of the things that has long puzzled me is what led to the significant rise in the enforcement of the Foreign Corrupt Practices Act (FCPA) beginning in the 2003-2004 time frame? One of the more consistent theories that I have heard proffered, by Dan Chapman, Dick Cassin, Alexandra Wrage and others is that after 9/11, the Bush administration viewed corruption as a security issue. I admit that I was not totally sold on this theory until last week when, the FCPA Blog, in an article entitled “NSA spying also linked to FCPA enforcement”, reported that the National Security Agency (NSA) has engaged in economic espionage for the benefit of the United States and perhaps others. The FCPA Blog quoted a story from the American Spectator, entitled “Rise of the Surveillance State”, by James Bovard. One of the items which Bovard discussed is the program monikered ‘Echelon’, which he described as “a spy satellite system run by the National Security Agency along with the United Kingdom, Australia, New Zealand, and Canada. Echelon reportedly scans millions of phone calls, e-mail messages, and faxes each hour, searching for key words.”

Apparently this program is also used for FCPA enforcement. Bovard wrote that “A February report by the European Union alleged that Echelon has been used for economic espionage. Former CIA Director James Woolsey told a German newspaper in early March that Echelon collects “economic intelligence.” One example Woolsey gave was espionage aimed at discovering when foreign companies are paying bribes to obtain contracts that might otherwise go to American companies. Woolsey elaborated on his views in a condescending March 17 Wall Street Journal oped, justifying Echelon spying on foreign companies because some foreigners do not obey the U.S. Foreign Corrupt Practices Act. To add insult to injury, Woolsey noted there’s no reason for U.S. companies to steal backward Europe’s secrets.” Isn’t that a comforting thought when the US claims the Chinese are stealing secrets through computer hacking.

But what are the implications for the compliance professional? For a more Orwellian prediction, John Batchelor, in an article entitled “ NSA Scandals: FCPA Compliance Game Changer?”, has this chilling predeiction, “Currently it takes months or years to develop a solid FCPA case and most of those end up with fines and some type of penalty. Could that change to a new way of enforcement where the government targets a company, identifies corruption, gathers evidence, and instead of going through the motions, simply calls them to schedule a meeting, slapping a fine and a series of actionable tasks for the company in question? It’s not happening now, but that is a question.” It would seem to do away completely with the concept of due process so I would discount this scenario as unlikely.

However, Batchelor does point out that such government oversight might well occur in countries which are known or perceived to be high risk for corruption. He says, “Under the FCPA we focus on anti-bribery, however, with our current emphasis on national security, I think there is a serious question to ask for any company that operates in high CPI areas where terrorist cells or money laundering outfits to terrorist cells operate.” From this premise, Batchelor poses several topical inquiries which you should consider now. They include: “How well do you know your agents? How well do you know their relationships? How well do you know the companies they are affiliated with? Are there red-flags that low-level DPL type screenings might not uncover?”

I believe that the revelations which came out last week will make the compliance professional’s job more difficult but that difficulty may well be due to the backlash against not only the massive collections of data that the US government is obtaining through its surveillance programs but also the arrogance shown in statements like former CIA Director Woolsey, in the statement quoted in the American Spectator article. I believe that there three general areas which will negatively affect US compliance professionals.

First, is in the area of data access. Edward Luce, in a Financial Times (FT) article entitled “Obama has hurt himself and business over privacy”, said that the “US is losing credibility in its goal of trying to stop the internet from balkanizing into separate national frameworks.” While Luce discussed this in terms of the US criticism of “the great firewall of China”; a US investor might think about the Securities and Exchange Commission’s (SEC’s) struggle to get China to agree to allow auditors to provide data to the US consistent with US securities laws, or laws which the SEC enforces, such as the books and records component of the FCPA.

Second, what about data privacy? I think that the acknowledgement of the US surveillance programs will lead other countries to toughen up their data privacy requirements. This means that the compliance professional will be faced with an even more bewildering set of data privacy requirements to deal with to accurately access a company’s compliance program. For the intelligence angle, Luce quoted Ira Hunt, the CIA’s chief technology officer for the following, “Since you can’t connect the dots you don’t have…we fundamentally try and collect everything and hang on to it forever.” However, we now know that this surveillance also was used for other law enforcement issues such as enforcement of the FCPA. While foreign governments cannot legislate privacy as to the data collected by the US government, they certainly can do so vis-à-vis US companies doing business in their jurisdictions or home-domiciled foreign companies which are subject to the FCPA through a US subsidiary.

Indeed this very issue is now in the forefront of EU-US trade negotiations. In another article in the FT, entitled “Data scandal clouds trade talks”, Hannes Swoboda, leader of the socialist members of the European Parliament was quoted as saying, “With all the information that we’ve found out in the recent days about how easily the US spies on people’s private data I think it will be difficult for the Americans to oppose a strong data protection agreement.” The article notes that many of the rules proposed for EU data protection are opposed by US companies because “their business models would be damaged.”

Lastly, what about jurisdiction and the FCPA? Currently if a banking transfer goes thought the US banking system, FCPA jurisdiction attaches. While it has not yet been tested, several commentators have spoken about information which might be saved on servers based in the US. So what if information appears on Google or through a Google-search or on Facebook? Now take the next step and ask, if there is data mining, which strikes pay dirt, could that create or even portend jurisdiction?

As an American, I understand the need for enhancing security protocols after 9/11. It is an irritation, but only that, similar to taking off my shoes to go through security, all courtesy of Richard Reid, ‘the Shoe Bomber’. Further, these US government surveillance programs, which have been ongoing though both a GOP and Democratic administration, were authorized by an overwhelming majority of both houses of the US Congress and has judicial oversight. But many outside the US may not see the same needs and protections that I see in place. Luce said in his article, “Washington’s reassurances are irrelevant to the 3.4bn non-Americans who are online…But foreigners might not be comforted to learn that their privacy is protected by a secret US court, which is overseen by a select group of US lawmakers who are themselves sworn to secrecy.”

I think that the job of the compliance practitioner just got a lot tougher.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Blog at WordPress.com.