Over the many years that I have been practicing law in the Middle East and Eastern Europe, I have been asked this question many times. Often repeated phrases like “… but I only do business in Romania… or Moldova… or Slovakia…” or “I really don’t have much business or activities with the government,” are a common refrain. However, in this increasingly interconnected world, it is worth reconsidering this question.
To put it plainly, if you are intending to grow your business, work with foreign entities or hope someday to sell your company, then it is important that you re-visit this issue and consider how the FCPA may affect you, your business and your foreign partners. Below, I set out some of the benefits and “upsides” for businessmen about the FCPA as well as outline some of the basic elements when developing an FCPA compliance program. Quite simply, a compliance program can make you more attractive as a business partner and increase the value of your business to foreign investors.
The FCPA: What is it?
The U.S. Foreign Corrupt Practices Act (the “FCPA” or the “Act”) is one of the primary statutes in the U.S. for combating corruption around the world. Established in 1977, it was deemed necessary when, after the Watergate scandals, there were massive revelations of widespread and endemic overseas corruption and bribery by US companies. Let’s be clear, the U.S. government found that US companies were acting corruptly. The government felt it necessary to change the business culture, level the business playing field for honest companies, prevent diplomatic scandals and foreign embarrassment and generally restore confidence in the market.
There are two main aspects of the FCPA. First, the Act prohibits the offering, paying, promising to pay or authorizing the payment of money or anything of value to a foreign official in order to influence any act, omission or decision of the foreign official. Needless to say, using an “agent” (including middlemen, lawyers or third parties) or doing any of these prohibited acts indirectly is also forbidden.
Second, certain persons covered by the Act should keep accurate financial records and have appropriate financial controls in place. The first part, known as the “books and records” provisions, states that covered parties should keep books, records and accounts that, in reasonable detail, accurately and fairly reflect an “issuer’s” transactions and dispositions of its assets. There is also a requirement that internal controls should be sufficient to assure that management controls, has authority over and can be responsible for its assets.
FCPA: Who and what is covered?
The FCPA covers three categories of persons and entities. These are: (i) “issuers;” (ii) “domestic concerns;” and (iii) other persons and entities (including foreign persons or their agents) that breach the law while on the territory of the United States. Furthermore, not only are the issuers and domestic concerns covered, but so are their officers, directors, employees, agents and shareholders.
As a general rule, “issuers” are entities that are listed on any U.S. securities exchange, are traded on any over-the-counter market or are required to file Securities and Exchange Commission reports. “Domestic concerns” are US citizens and residents as well as US entities (corporations, partnerships and so on) and entities that have their principal place of business in the United States.
It is important to remember that many of the world’s leading companies and enterprises are covered by the Act, either as issuers or domestic concerns.
It is worth knowing that the FCPA’s anti-bribery provisions only cover corrupt payments and promises to foreign officials (the UK Bribery Act is much more expansive). However, the term “foreign official” is broadly defined and includes “any officer or employee of a foreign government or any department, agency or instrumentality thereof, or of a public international organization….”
Note the term “instrumentality.” This term covers a wide variety of entities and organizations. For instance, in many cases, state owned or state controlled enterprises would fall under this definition and therefore their employees and officers would be considered foreign officials under the Act.
Interesting, but still, why is this important to me?
Okay, I am getting to that part. Now that we have a basic understanding of what the FCPA is and who is covered, let’s discuss some of the ramifications of the Act on corporate behaviour and how that relates to businesses in Romania and the region.
Over the last 10 years, I have experienced a substantial change in corporate behaviour, primarily in two situations. First, there has been increased awareness and review of target companies both pre- and post-acquisition. That is to say, large international companies that are looking to acquire local or regional businesses are adding to their due diligence lists and questionnaires entire sections on compliance matters, with detailed enquiries as to the target’s compliance program and its effectiveness.
As the Resource Guide to the U.S. Foreign Corrupt Practices Act (the “Resource Guide”) states, “DOJ and SEC encourage companies to conduct pre-acquisitions due diligence and improve compliance programs and internal controls after acquisitions….”
In brief, a compliance program is a formal internal control system that sets out an organization’s rules, policies and processes (for instance, the actions to be taken if there is a violation) in order to help prevent and detect violations of laws, regulations and the corporation’s own internal specific procedures. Although I will discuss briefly below the key aspects of a compliance program, the important point to remember is that Romanian and regional enterprises need to understand the regulatory and legal environment their potential international partners are facing (like the FCPA or the UK Bribery Act) and to proactively and effectively address such issues directly. This can be done by evidencing an effective compliance program.
It is also worth remembering that one of the main drivers for having an effective compliance program (from the point of view of covered companies) is that if there is a violation of the Act, a good program can be used to reduce or limit corporate penalties and liabilities.
Second, the other major change in corporate behaviour has occurred during the selection and review process for third party vendors and partners.
The Resource Guide is very clear on this issue. It states that “[r]isk-based due diligence is particularly important with third parties and will also be considered by DOJ and SEC in assessing the effectiveness of a company’s compliance program.” In other words, make sure that you have a proper vetting process in place for third-party business partners or the DOJ and SEC will not look kindly on entities if there is a future violation. Agents and third parties are the most common methods for making illegal payments to officials. Crucially, the DOJ and SEC know it and focus on it!
What this means for local and regional businesses is that anyone that wishes to do business for large internationals would do well to implement an appropriate and, importantly, effective compliance program. Doing so makes the entity significantly more attractive and provides a real competitive advantage.
Ok, maybe a compliance program is a good idea. What are the basics of a compliance program?
It should be noted that a company’s compliance program needs to be effective, appropriate and tailored specifically to that company’s business. It does not have to be expensive or overly burdensome. A good way to test effectiveness is to ask three questions: (i) is the program well designed; (ii) is the program applied in good faith; and (iii) does it work (with the clear understanding that no program can be 100% effective against all criminal activity).
As a general rule, a compliance program will have certain basic elements. Therefore, when demonstrating the effectiveness of your compliance program to a potential business partner, here is what the program should show:
1. Commitment from senior management. The boss needs to be on board and committed to the program. So do all senior management. Without that, the program is unlikely to be effective or succeed.
2. A written code of conduct and clearly articulated compliance policies and procedures. These need to be clear, concise and accessible and should, of course, contain a clear statement against corruption.
3. Appropriate oversight, autonomy and resources. Those in charge of the program need to have the authority, ability and autonomy to enforce the policies. They also need the budget to be able to work and do the job.
4. The program should be specifically tailored to the company, following an authentic risk assessment. That is to say, understand your company, understand the real compliance risks it faces and design the program to be effective in that particular environment (selling cookies is not the same as being a military contractor).
5. Training and advice. Everyone in the company should be informed and trained (and retrained) on the policies. Employees should also have the ability to seek advice if an issue comes up.
6. Incentives and disciplinary measures. A good program has both carrots and sticks, so that people are rewarded for good behaviour (for example, as part of their annual review) and punished for bad behaviour.
7. Business partners and transactional due diligence. This includes vetting third party business partners, reviewing compliance issues in acquisitions as well as oversight and control over “red flag” transactions and contracts (like when entering into large government contracts where agents or key third parties are involved). Understand who is doing what, who is getting paid for what and where the money is going and why.
8. Confidential reporting. Although in some countries there may be some legal impediments to this, there should be a system through which employees can report issues and feel comfortable about doing so. A key issue here: there can be no retaliation against employees that make reports, which is one of the reasons that reporting should be confidential. Punishing people for coming forward is likely to kill most programs.
9. Appropriate follow-up and internal investigations. The true test of a program is that upon hearing of a possible violation, there is a real and sustained follow-up and investigation of the event/facts. Without that, there is really no program. It is also the first thing I check when reviewing programs.
10. Continuous improvement of the program. People and employees will, over time, develop “work arounds,” “bad habits” and generally “game” the system. Any program should be reviewed, tested and improved periodically.
So, to summarize, as enforcement of the FCPA increases and the fines and costs of doing business “corruptly” grow, many of the affected companies (that is, the largest companies in the world) are taking compliance matters very seriously. And they expect their business partners to take it equally seriously.
If those partners don’t or won’t, there will be little option but for these companies to find new partners.