In a recent matter before the SEC, settlement of an FCPA claim with Smith & Wesson has raised some worrisome new issues for compliance officers. This settlement is noteworthy for two reasons:
- Small and mid-sized companies may now be in the SEC’s FCPA crosshairs; and
- A determination by the SEC that a company has an “inadequate compliance program” may give rise to a new SEC claim for violation of the Securities Exchange Act.
For SEC, Small and Mid-Market Companies May be the New “Large”
In recent years, the SEC and DOJ have seemed to focus on marquee enforcement actions which grabbed headlines and fines in the tens to hundreds of millions of dollars. In fact, three of the top ten largest FCPA fines occurred in the last two years.
These highly publicized settlements focused largely on large, recognizable companies with significant global operations and pervasive bribery schemes. These schemes often continued for years and involved the payments of large bribes to foreign officials to secure large contracts worth tens of millions of dollars.
In contrast, the Smith & Wesson settlement involved a few small contracts in the Middle East where the profit was barely $100,000, as well as a string of other small cash payments and gifts for equally small contracts. These contracts were subsequently cancelled or otherwise unsuccessful. Much of this activity was conducted through third parties.
These numbers are rounding errors by comparison to the multi-million contract awards in some of the higher profile settlements in recent years.
So what’s up? Was this a fluke, low hanging fruit or some other unique issue? Can we assume that the SEC will turn its attention back to slaying the giants?
Has the SEC Created a New Standard for Compliance Programs?
The Smith & Wesson settlement was described by the SEC’s chief of FCPA Enforcement, Karen Brockmeyer, as a “wake up call for small and medium businesses that want to enter into high risk markets and expand their international sales.”
If you are the compliance officer at a small to medium company, you may have thought (or wished) that the SEC was only interested in headline-worthy cases and large companies. But if this settlement is any indication, your years of being under the radar may have come to an end.
As with most FCPA cases, this case identified the failure to maintain accurate books and records. Bribes were recorded as commissions or legitimate business expenses.
However, this case went a step further. One of the more newsworthy items that arose from this otherwise ordinary FCPA allegation was a claim by the SEC for violation of the Securities Exchange Act of 1934. What made this claim unusual was that it addressed not just books and records but additionally the SEC determined that the company’s compliance program was “inadequate.”
According to the SEC press release: “While the company had a basic corporate policy prohibiting the payment of bribes, it failed to implement a reasonable system of controls to effectuate that policy…
[Its] FCPA policies and procedures, and its FCPA-related training and supervision were inadequate.”
The SEC found that this conduct violated Section 13(b)(2)(B) of the Exchange Act, “which requires reporting companies to, among other things, devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accordance with management’s general or specific authorization; transactions are recorded as necessary to maintain accountability for assets, and that access to assets is permitted only in accordance with management’s general or specific authorization.”
So now in addition to looking for instances of bribes of foreign officials, the SEC appears ready to weigh in on the adequacy of specific elements of a company’s compliance policy, training, supervision and internal controls.
Five Key Takeaways from the Case
- All companies: small, mid-market and large, need to be concerned about the SEC and FCPA investigations.
- Risk assessments may need to be recalibrated to put greater focus and weight on anti-bribery—even for small transactions or in geographies where sales are still small.
- Anti-bribery and FCPA training are still crucial, yet it is under-represented in compliance programs.
- The use of third party due diligence is critical to reducing risk.
- All companies should conduct compliance program assessments to evaluate not only effectiveness but also adequacy of their compliance programs.
(Read key findings from the NAVEX Global “Third Party Risk in a Global Environment” survey)
It is difficult to know if this case is an aberration or a shot across the bow of compliance programs of all companies signaling that the SEC is the “new sheriff in town” when it comes to enforcing not just bribery compliance failures, but also the adequacy or lack thereof of compliance programs ostensibly designed to prevent them.
Whatever the answer to that question, it is critical for all compliance programs to make sure that, before the SEC knocks on the door, the company has assessed and plugged any holes in their anti-bribery programs. While a policy is a good start much more care and thought must go into developing and regularly assessing a holistic program. This program needs to show that the company has a serious goal—supported with resources and controls—of reducing the risk and likelihood that the company’s employees or third parties have the opportunity and propensity to bribe foreign officials in pursuit of business goals.