The Impact of Compliance on Project Development and Financing: A New Environment
Infrastructure development is an enormously important part of the economies of Latin American countries. According to Transparency International, approximately 30 per cent of national budgets are directed towards infrastructure development. Whether involving resource extraction, water and sanitation development, transportation infrastructure, or other aspects of infrastructure development, these projects are large, long term and lucrative.
Infrastructure development also presents considerable compliance risks, especially in anti-corruption exposure. At each stage of the process, infrastructure contractors have frequent interactions with municipal, state and federal officials who control and oversee bid and tender competitions, permit and licensing applications, financing, customs entry for equipment and other material, and inspection and acceptance regimes. Additional interactions come through change orders and contract extensions, joint ventures and other combinations with state-owned enterprises, and lobbying political actors or local governments.
At the same time, the costs and risks of enforcement have increased in recent years. In the past 10 years, the United States and other countries have devoted increasing attention to anti-corruption compliance and enforcement. In the United States, eight of the top 10 anti-corruption fines in the past eight years have involved infrastructure development. And the pressure comes not only from enforcement authorities, but also from multinational partners and financing sources.
This chapter reviews the sources of anti-corruption compliance obligations that arise from national laws, international conventions and financing covenants. The chapter then discusses how an effective compliance programme can mitigate the risks – and reduce the costs – of anti-corruption compliance, allowing infrastructure companies to focus on the job at hand.
Sources of anti-corruption compliance obligations – laws, international conventions and covenants
Many jurisdictions have adopted stringent anti-corruption laws as a result of adherence to international standards and treaties. The OECD Anti-Bribery Convention establishes legally binding standards to criminalise bribery of foreign public officials in international business transactions and provides for a host of related measures designed to make this prohibition effective in practice. The 34 OECD member countries and five non-member countries – Argentina, Brazil, Bulgaria, Russia and South Africa – have adopted this Convention. The Convention requires signatory states to criminalise foreign bribery:
Each Party shall take such measures as may be necessary to establish that it is a criminal offence under its law for any person intentionally to offer, promise or give any undue pecuniary or other advantage, whether directly or through intermediaries, to a foreign public official, for that official or for a third party, in order that the official act or refrain from acting in relation to the performance of official duties, in order to obtain or retain business or other improper advantage in the conduct of international business.2
The remainder of the document details the required definitions, methods of enforcement and protocols.
In addition, in December 2005 the United Nations Convention Against Corruption entered into force. The Convention is not limited to foreign bribery, but encompasses all manner of corruption, foreign and domestic. The Convention:
- encourages states to advocate for prevention of corruption through programmes designed to prevent corrupt behaviour;
- requires states to adopt, or at a minimum propose for adoption laws criminalising bribery and corruption;
- provides a framework and incentives for international cooperation in anti-corruption enforcement; and
- gives states the power to seek asset recovery through cross-border means in cases of proven corruption.
The Organization of American States (OAS) has promulgated the Inter-American Convention Against Corruption (IACAC). Countries that have signed the IACAC participate in the Mechanism for Implementation of IACAC (MESICIC), which involves inter-state monitoring and compliance assessments. MESICIC reports are available for Antigua and Barbuda, Argentina, Bahamas, Belize, Bolivia, Brazil, Canada, Colombia, Costa Rica, Chile, Dominican Republic, Ecuador, El Salvador, Grenada, Guatemala, Guyana, Haiti, Honduras, Jamaica, Mexico, Nicaragua, Panama, Paraguay, Peru, Saint Kitts and Nevis, Saint Vincent and the Grenadines, Suriname, Trinidad and Tobago, United States, Uruguay and Venezuela, www.oas.org/juridico/english/mesicic_intro_en.htm, and the reports are useful tools for understanding the anti-corruption risks in each country.
As a result of these international agreements, a significant number of jurisdictions have enacted specific laws governing bribery and corruption involving both foreign officials and commercial entities. They are described in brief here simply to give the reader an overview of the regulatory framework.
United States, the Foreign Corrupt Practices Act
The anti-bribery provisions of the Foreign Corrupt Practices Act (FCPA) make it unlawful for a US person, and certain foreign issuers of securities, to make a corrupt payment to a foreign official for the purpose of obtaining or retaining business for or with, or directing business to, any person. Since 1998, they also apply to foreign firms and persons who take any act in furtherance of such a corrupt payment while in the United States. The FCPA also requires companies whose securities are listed in the United States to meet its accounting provisions (see 15 USC Section 78m). These accounting provisions, which were designed to operate in tandem with the anti-bribery provisions of the FCPA, require corporations covered by the provisions to make and keep books and records that accurately and fairly reflect the transactions of the corporation and to devise and maintain an adequate system of internal accounting controls.
UK Anti-Bribery Act
The Act radically overhauled the UK's outdated and discredited corruption legislation and introduced a new regime that, in many respects, is even more stringent than the US Foreign Corrupt Practices Act. Most significantly, the Bribery Act introduces a new, strict liability offence of failure to prevent bribery by a relevant commercial organisation. Where a bribe is paid for the benefit of a company, whether by an employee, agent or subsidiary, the company will automatically be guilty of a criminal offence itself. In a reversal of the usual burden of proof, the corporate will only be able to avoid conviction if it can prove that it had adequate procedures in place to prevent bribery (i.e., that the incident was a one-off anomaly rather than the result of institutional or management failure). The jurisdictional scope of the Act is also unprecedented. It applies not only to UK individuals and companies, and to conduct that takes place in the UK, but to any foreign company that carries on business in the UK. There is no requirement for a UK listing such that the Act may give the UK authorities jurisdiction over the worldwide activities of many multinationals. In the case of the corporate offence, liability will arise even if the bribe is paid in an overseas jurisdiction by a foreign agent or subsidiary and with no connection to the UK.
Brazilian Clean Companies Act
After several years of debate and revision, Brazil passed major anti-corruption legislation on 1 August 2013. The law, which became effective on 28 January 2014, imposes direct civil liability on corporations for the bribery of local and foreign public officials, as well as making them liable under the theory of respondeat superior for the acts of their directors, officers, employees and agents. (As a civil law country, Brazil only imposes criminal liability on legal persons for environmental crimes.) Second, the proposed law provides for civil and administrative sanctions. A court could impose fines of 1 per cent to 20 per cent of a company's gross revenues in Brazil – or a maximum of 60 million reais if revenues are difficult to calculate. In addition, the company could be debarred from public tenders, have existing contracts with public entities terminated, face seizure and confiscation of its assets and gains, and be placed in compulsory dissolution as a legal entity. The legislation directs the courts to take account a company's voluntary disclosure, cooperation and compliance programme in imposing the sanction, and the court can reduce the fine significantly for these factors.
Other Latin American anti-corruption laws
Providing adequate treatment of the anti-corruption laws of the 20 countries and six dependencies that comprise Latin America would require a separate book. There are, however, common elements among these various countries' laws that are worth understanding. First, virtually every country in the region criminalises attempted corruption, active bribery (giving a bribe), and passive bribery (receiving a bribe). Moreover, in recent years, Latin American countries have enacted new laws that create corporate criminal or administrative liability for violation of anti-corruption laws and other crimes or administrative offences.
In summary, almost every country in the region, in compliance with the international agreements signed, and as a result of international pressure, particularly from the United States, has enacted anti-corruption laws and has included corporate or administrative liability in its legislation.
Multilateral development banks
In addition to actions by individual countries, a number of multilateral organisations have adopted strict anti-bribery and corruption programmes that apply to all parties doing business with the organisation. Institutions such as the World Bank, International Monetary Fund, Inter-American Development Bank and European Bank for Reconstruction and Development have policies in place that not only mandate compliance, but impose strict penalties for violations including suspension and debarment. Moreover, these institutions provide for reciprocal debarment, such that a violation with respect to one institution's rules could lead to sanctions from other financing entities. These institutions also frequently share information with criminal authorities in affected countries.
For many years, debt and loan financing agreements have contained anti-corruption and other compliance representations and warranties. These representations and warranties typically require the borrower or guarantor to attest that it maintains and enforces policies and procedures designed to ensure promote compliance with anti-corruption laws, anti-money laundering laws, and sanctions regimes, and that it has a programme in place to ensure compliance with these laws. Typical representations and warranties also extend on a best efforts or commercially reasonable basis to subsidiaries and joint ventures, and may even extend to subcontractors and other third parties. In the event of a breach, the financing agreement may allow the bondholder or lender to accelerate the bond or loan obligations, thereby placing the commercial viability of the project (and the borrower) in jeopardy. Recently, and in view of the Lava Jato corruption scandal and other investigations, bond and loan underwriters have started to pay more attention to these representations and warranties during the financing due diligence process, giving borrowers another reason to evaluate seriously their compliance programmes.
Risk mitigation in infrastructure development through compliance programmes
In almost every case where a country has adopted anti-corruption laws, those provisions provide either immunity or mitigation of penalties where the corporation has adopted a strong and effective compliance programme. The laws recognise that even in the presence of such programmes, violations of law can still exist, but seek to provide incentives for companies to adopt such programmes, rather than punish aberrational behaviour.
In the United States, the FCPA does not have a specific immunity provision. However, federal prosecutors have a considerable deal of discretion in charging decisions. Recent guidance from the United States Department of Justice (US DOJ) makes clear that prosecutors will look to determine whether the company had a compliance programme in place and whether there was a commitment by the company to make effective use of the programme.3 A strong demonstration in this regard could result in reduced charges, or perhaps allow for negotiation of an alternative resolution such as a deferred prosecution, or civil settlement. Moreover, even if a company is charged with a criminal violation of the FCPA, the United States sentencing guidelines, which have considerable influence on the ultimate penalty imposed, provide for a mitigation of penalties where a company can demonstrate that the violation occurred in spite of an effective compliance programme. These guidelines apply to all corporate criminal conduct and not just FCPA violations.
In the United Kingdom, if a company can show that an act of bribery was committed by an employee with the intent to benefit the company in some way, then liability is imposed unless the company can prove that it had put in place adequate procedures to prevent associated persons from paying bribes. In other words, the organisation can escape criminal liability if it can demonstrate that any failings were not systemic. The Act itself does not prescribe what is meant by adequate procedures. However, the Act required the Ministry of Justice to publish guidance on the issue, which it did on 30 March 2011.4
Typical components of an effective compliance programme
The most effective compliance programmes are tailor made for a company. The discussion below sets forth the key aspects of a typical compliance programme.
The role of senior management
Endorsement of the compliance programme from the highest level of management is typically a requirement of any compliance programme. The board of directors or other governing body must support such a programme and be willing to work within its confines. Moreover, senior operational management must be committed to the programme and communicate that commitment throughout the process. For this reason, the programme development should incorporate stakeholders from business operations in the process. Early buy-in and participation of operational management will generally reinforce the benefits of any programme. Moreover, regulators will often look first to the tone being set by management in deciding how to treat a company accused of a violation.
Establishment of a responsible officer
Under guidelines published by the US DOJ – which will likely serve as a model for other countries – a company is required to appoint a senior officer with responsibility for compliance. Typically, the company designates a chief compliance officer (CCO). This person may also be referred to as an ethics officer. The US DOJ recommends that the CCO report directly to the CEO or CFO and have a dotted line reporting relationship to the board of directors or an audit committee. Other structures are possible if they preserve the independence of the compliance programme.
The US DOJ and SEC, as well as the compliance literature, endorse a risk-based approach to compliance in which companies evaluate compliance risks and prioritise how they address those risks. Companies that have enterprise risk management (ERM) systems will often incorporate compliance risks – such as those involving corruption, trade controls, and trade sanctions – into their ERM process. For companies without a formal ERM system, or even for those that focus their ERM system on internal financial controls, an annual compliance risk assessment will identify risks presented by factors such as the country of operation, the areas of contact with government officials, the nature of the business, the dependence on third-party business partners, etc. The CCO can then address those risks and any gaps in the compliance programme as a priority.
Adoption of relevant policies and procedures
The company should adopt a single, worldwide standard for compliance and ethics, as opposed to trying to walk the fine lines between multiple jurisdictions. Thus, the blending of legal requirements and cultural constraints into a unified policy is key. The policy should be published in such a way as to assure full distribution throughout the organisation. Such policies should be clear, subject to minimal ambiguity, and be conveyed in a manner that makes their importance to the organisation known. Policies should be as specific to your business and industry as possible without becoming so specific as to render them inflexible in new or unforeseen situations. In addition, many companies establish specific guidelines and limitations for gifts, entertainment and hospitality, sponsored travel, and other specific situations that may arise with business partners or government officials. Samples of these guidelines are available if required.
Moreover, once policies are adopted the company needs to be absolutely certain that they have the procedures to allow them to be followed. By way of example, many company policies place limits on hospitality that can be provided without prior management approval. But a failure to set forth – typically in a separate document – the procedures for such approval and to create the necessary paperwork or link to existing approval systems can doom the compliance effort.
Similarly, policies must cover issues such as whistle-blower protection. Most laws around the world providing for anti-bribery sanctions have in place provisions protecting those who report such allegations. Such protections are particularly strong in the US and UK. Thus, clear anti-retaliation provisions are important.
It is critical that once policies are adopted and procedures put in place, employees receive adequate training. This is also applicable for new hires after the initial roll out. In addition, regular refresher training is a hallmark of an effective programme. A company must determine both content of such training and the best delivery methods. Today, there is a variety of training mechanisms available, ranging from live training delivered by the CCO organisation, to computer-based training and testing exercises. Training should cover substantive polices, as well as non-retaliation policies as well. The US DOJ typically looks to see what type of training is provided, how it is done, and whether the company assures full participation and understanding. Thus, certification of completion is a minimum requirement. It may also be advisable to require employees at certain levels or in certain operations to demonstrate knowledge through some sort of assessment exercise. A company must also think about what training to provide to non-employees, such as close business partners, vendors, or agents. Because these people and entities can create liability for a company, there must be allowances for them in training programmes, although often at different levels than the company employees.
Almost all anti-corruption programmes have procedures in place to require certifications of compliance with the rules and procedures of the programme. For employees, this may mean yearly certifications of general compliance. Some companies also require certifications in connection with contract approvals or expense reimbursements.
Internal financial controls
Even for companies that do not file financial statements with securities regulators, internal financial controls are a hallmark of an effective anti-corruption programme. The SEC counsels that it is important to use careful thought at the outset to how controls should be designed in light of a firm's business operations. For the SEC and many other regulators, that means an up-front assessment of financial reporting risks, designing controls that address those risks, and ensuring that the resulting controls are well documented and communicated. Many companies use the framework created by the Committee on Sponsoring Organizations of the Treadway Commission (COSO), and they integrate their internal financial controls into their Enterprise Risk Management system.
Business partner due diligence, contract terms and certifications
One of the key areas of risk for any company operating in developing or less transparent markets, and a frequent feature of enforcement cases, involves the use of third-party business partners. The US DOJ and SEC expect companies to perform due diligence on their business partners, including determining their ownership structure, contacts with government, officials and understanding of relevant anti-corruption laws. Many companies require their business partners to complete due diligence questionnaires. In addition, especially in high-risk areas, the US DOJ and SEC expect companies to have anti-corruption undertakings in their contracts with business partners, and to retain and exercise audit rights over them. Business partners should be required to certify periodically that they understand your company's policies and that they have complied with them. This can be done annually or as part of significant contract events or requests for payments. Many companies extend this process even to third-party vendors.
Note that in many countries in Latin America, distributors and other third parties may have legal protections that extend beyond what one is used to in the United States. These rights may make termination more difficult if not protected against during the formation of the agreement.
Other legal requirements apply to international transactions as well, such as trade controls, sanctions and anti-money laundering. Those requirements should be integrated into a compliance programme as well.
An effective compliance programme provides a mechanism for employees or third parties to report potential violations. Reporting to an employee's manager should always be encouraged to show trust in your workforce, but it is also prudent to provide for alternative methods, including a means of providing confidential or anonymous information. Doing so allows an employee who might be concerned about retaliation to report without fear of consequences. A hotline can be set up for this purpose. There are numerous commercial vendors who provide such services.
Investigation protocol or policy
Once an allegation of misconduct has been received by the organisation, a company must have established and documented procedures for how it will review and, if necessary, investigate any allegations. Conducting a proper internal investigation can provide numerous benefits. First and foremost, it can help a company to identify and stop an employee's improper conduct (or a systemic breakdown in controls) – thereby limiting potential legal exposure. In the United States, an investigation can also reduce risks and exposure associated with potential shareholder derivative claims and limit the personal liability of officers and directors.5 By adopting uniform procedures and an investigation protocol, the company can avoid charges of a cover up or that it failed to pursue allegations with appropriate vigour. In some cases, attempts to cover up a violation could itself constitute an alleged violation of law, even if the underlying allegation was itself refuted. In other cases where there is actual wrongdoing, a failure to vigorously pursue an investigation of the allegations would limit the company's ability to seek leniency in charging or punishment decisions with prosecutors or regulators. An investigation may also put the company in a position to potentially avoid prosecution by cooperating with the government before the government discovers or investigates the conduct. Should prosecutors decide that the company has engaged in wrongdoing, an internal investigation can help demonstrate an effective compliance programme to obtain leniency under the United States Sentencing Guidelines.
Progressive discipline policy
It is often advisable to create a specific policy dealing with employee discipline. Some violations may be severe enough to require immediate termination of employment or a contractual relationship. Other violations, such as procedural breaches, may allow for scaled discipline. By setting forth a clear policy on such discipline, the company establishes the severity with which it addresses any compliance breach and also reduces the risks of discrimination or retaliation. In this regard, it is key that any discipline policy makes clear that the company will not retaliate against an employee for reporting an alleged violation.
A programme of periodic auditing of the compliance function should be established. This can often be accomplished by a company's internal audit team. Other situations may suggest that the task be delegated to an outside organisation. It is the unique characteristics of your organisation that will dictate this decision.
In addition to formal audits, an effective compliance programme should incorporate a system of interim and ongoing monitoring so that the CCO and senior management have real-time ability to monitor the programme. Such monitoring may involve measuring use of the hotline, tracking how often the exception approval systems for certain policies are used or similar reporting. It can also incorporate informal testing of individual requests or transactions. Combining such monitoring with formal audits will best allow the company to determine whether its programme is working.
Periodic assessments of effectiveness and trend analysis
One key element of any compliance programme is the ability to be proactive and forward looking, as opposed to merely reactive. The programme should be set up so that the CCO organisation is not merely enforcing polices and investigating allegations of breach, but using all the data gathered from the various components discussed above to improve upon the programme. By researching trends emerging in the operations, audits and monitoring, as well as incorporating new developments in the laws applicable to the company's operation, the CCO can anticipate new areas of concern that may not yet be dealt with in full via existing polices and training.
Infrastructure development entails handsome rewards, but also entails significant compliance risks. Establishing, and continually updating and improving, an effective anti-corruption compliance programme helps mitigate those risks. To turn an old adage on its head, compliance means that it is better to ask for permission, than to hope for forgiveness.
1 Peter Spivack is a partner in the Washington, DC office and Crispin Rapinet is a partner in the London office of Hogan Lovells.
2 Convention Article I.
3 'A Resource Guide to the U.S. Foreign Corrupt Practices Act', available at www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf.
5 Sarbanes-Oxley Act Section 201, 15 U.S.C. Section 78j-1. See In re Caremark Int'l, Inc. Deriv. Lit., 698 A.2d 959, 968-970 (De. Ch. 1996).