For many years the U.S. Foreign Corrupt Practices Act has been the dominant antibribery regulation affecting multinational companies. More recently, the UK Bribery Act of 2010 has been in the spotlight, with a broader jurisdictional reach and subject matter scope. Complying with these and other antibribery laws often requires companies with global operations to transfer data across borders.
Meanwhile, data privacy regulations have been enacted in many jurisdictions, particularly countries in the European Union. The privacy laws continue to evolve, and proposed new E.U. data protection regulations are currently under review. Complying with both antibribery laws and data protection regulations can be challenging, as they at times appear to be in conflict with each another. Failure to comply with current E.U. requirements could result in significant monetary fines, criminal penalties, and an outright ban against the transfer of personal data outside of the E.U., making it even more critical that companies correctly navigate the requirements of both sets of laws.
FCPA and UK Bribery Act Requirements
In order to comply with the U.S. governments expectations under the FCPA, companies are increasingly being required to conduct due diligence on third parties around the world, including agents, sales representatives, consultants, joint venture partners, and acquisition targets. There is no definitive checklist for conducting third-party due diligence. However, the government has provided some guidance.
For example, in 2011 the U.S. Securities and Exchange Commission resolved FCPA claims against Tenaris S.A. with a deferred prosecution agreement that recognized that the company had strengthened its policies, including enhanced due diligence procedures related to third-party agents. Also, guidance set forth by the U.S. Attorney General encourages U.S. companies to exercise due diligence and to take all necessary precautions to ensure that they have formed a business relationship with reputable and qualified partners and representatives, which may include investigating potential foreign representatives and joint venture partners . . .
In addition, the 2011 Federal Sentencing Guidelines Manual provides credit to an organization that violates the FCPA, if the organization maintains an effective compliance program, including exercis[ing] diligence to prevent and detect criminal conduct.
Third-party due diligence is also important under the UK Bribery Act. Section 7 imposes criminal liability on an organization that fails to prevent a person associated with the organization from paying a bribe on behalf of the organization. An organization has a defense if it can show that it established adequate procedures to prevent or detect bribery. Guidance provided by the U.K. Ministry of Justice explains that due diligence procedures should take a proportionate and risk-based approach, in respect of persons who perform or will perform services for or on behalf of the organization, in order to mitigate identified bribery risks, which in certain situations, may include indirect investigations, or general research on proposed associated persons.
The parameters of each due diligence investigation should be determined based upon a comprehensive risk assessment of the proposed transaction. A company conducting a due diligence review may wish to gather information that could be considered personal, and potentially transfer the data across borders for review and analysis.
Similarly, when a company conducts an internal bribery investigation or is the subject of a government investigation, relevant documents may exist in one country that the company may wish to transfer to another country for review and production. Governmental agencies urge companies under investigation to voluntarily provide information, including documents, even if they are located in a foreign jurisdiction. Such cooperation may benefit the company and be a factor in the governments decision to discount a fine below the U.S. Sentencing Guidelines.
For example, on March 14, 2012, the U.S. Department of Justice announced the resolution of an FCPA enforcement action against Bizjet International Sales and Support Inc. The monetary penalty agreed to by Bizjet reflected an approximately 30 percent reduction off the bottom of the fine range under the U.S. Sentencing Guidelines. The DOJ attributed the reduction to several factors, including BizJets extraordinary cooperation, such as providing employees (both U.S.-based and foreign) for interviews, and gathering and organizing information and evidence for the DOJ.
