Five Keys to FCPA Compliance in the COVID-19 Era

This article was originally published in Bloomberg Law. Any opinions in this article are not those of Winston & Strawn or its clients. The opinions in this article are the authors’ opinions only. 

Many organizations now rely on an exclusively remote workforce. As such, conducting in-person interviews and on-site visits, as well as gaining access to original documents, is more challenging in anti-bribery and/or anti-corruption matters. Further, as companies seek to navigate a slowing economy, it may be tempting to “tap the brakes” on activities related to compliance with the Foreign Corrupt Practices Act (FCPA), believing there may be decreased regulatory enforcement or scrutiny as the result of the pandemic.

This incredibly risky strategy can have serious reputational and even criminal consequences, if organizations knowingly or unknowingly facilitate kickback payments or work with politically exposed persons (PEPs).

Procedures focused on third-party due diligence and effective internal investigations remain imperative. The good news is that robust remote inquiries and strong FCPA compliance are still possible in the post-COVID-19 era. Following are some key steps to take ensure compliance.

1. Conduct Virtual Due Diligence

One important tool in an investigator’s arsenal is the use of online databases for background research. However, online databases are useful for triage purposes only. These databases can be riddled with false positives or errors given the difference in data environments around the world.

As a result, corroborating evidence should be gathered and balanced with requirements for employee safety, establishing predication and cost.

Leveraging e-Discovery or forensic data collection and conducting thorough document reviews can help address these limitations. For example, through e-Discovery, companies can retrieve email communications to pinpoint potentially fraudulent activity.

Additionally, reviews of passports or IDs can help clearly identify relevant third parties to ensure no FCPA violations are taking place.

2. Expand the Inquiry Team

On-the-ground, extended team members often add valuable information to the inquiry or compliance process, particularly in foreign locations.

For example, because these resources better understand the nuances of the local language and business terms, they can flag certain items that might look innocuous to outsiders, but in actuality indicate misconduct is taking place. Local resources may also be able to conduct in-person site visits.

Further, in-country practitioners are generally well acquainted with applicable local laws and supporting terms of application such as secure file transfer and data-sharing protocols.

For example, Chinese state secrecy (CSS) laws are strict and a bit vague in terms of application. If Chinese government, officers, or projects are involved, the risk of CSS or data privacy law infringement is high. Usually this risk is managed by hosting documents in China (i.e., a Chinese / China geography server), or by employing legal counsel in China.

In many countries, accessing employee data comes with it a host of nuanced privacy considerations. For instance, the EU’s General Data Protection Regulation (GDPR) may require certain disclosures when accessing employee data. In the U.S., various federal and state privacy laws impose assorted limitations on the ability of a company to collect and review information about its own people, particularly those employees’ electronic communications.

Here again, companies should engage with a local expert to ensure compliance with applicable laws.

3. Obtain Sufficient and Relevant Information

Although neither internal nor external auditors are expected to be expert in document authentication, the reliability of documents and information obtained plays an important role during the due diligence process.

Especially when U.S. companies are doing business with a partner in foreign locations, original documents obtained directly from the source are more reliable than documents provided via photocopies or facsimiles, or documents that have been filmed, digitized, or otherwise converted into electronic form.

Forensic data scientists can look for conditions indicating that a document may not be authentic or that the information in the document has been manipulated, and advise if additional documents need to be provided during the due diligence process.

When seeking authentic versions of documents, it’s important to keep in mind the guidelines and rules that govern transfer of data across international borders. For example, a recent decision by Europe’s highest court has impacted those with a need to export personal data out of the European Economic Area (EEA).

Once again, companies should consider consulting with an expert or outside counsel to ensure that any remote transfer of personal data comports with applicable laws.

4. Continuously Consider Privilege

It may seem obvious, but at the outset of an internal investigation, it is important to identify the applicable laws. Doing so will help safeguard that any applicable privileges are considered.

In the era of remote-working, companies should also maintain best practices for secure-electronic storage of sensitive documents, communications and work product. Employees and those involved in the investigation should understand that if they disclose privileged communications with a third party, they run the risk of waiving the attorney-client privilege as to those communications and potentially, as to the broader investigation.

5. Continue to Evolve Procedures

Without the ability to “walk the halls,” conduct in-person interviews, and validate assumptions resulting from online research, leadership, their counsel, and the accountants and auditors who investigate FCPA matters must undertake new approaches. It is important to recognize the limitations of remote research efforts, to understand how to effectively leverage on-the-ground resources, and to focus on preserving privilege.

As new best practices continue to unfold post-pandemic, those who continue to innovate their processes and procedures are most likely to uncover wrongdoing and ensure compliance.

 

View all of our COVID-19 perspectives here. Contact a member of our COVID-19 Legal Task Force here.