Reviewing FCPA Basics as Uber Returns to the Headlines

Uber’s rough year continued in recent weeks. News first broke in The Wall Street Journal that the Justice Department was taking “preliminary steps” to determine whether company managers violated the Foreign Corrupt Practices Act (FCPA). The story continued with the ride-sharing giant reviewing its Asian operations and notifying U.S. officials about payments made by staff in Indonesia.

As The Wall Street Journal noted, Uber’s reach has spread to more than 70 countries in eight years in part because former CEO Travis Kalanick gave “regional teams authority to adapt to local markets and expand as quickly as possible, sometimes flouting local laws.” It’s now over to Uber’s new CEO Dara Khosrowshahi to mitigate repercussions from these potential violations, maintain the company’s growth, all while cleaning up its practices to remove all the flouting.

Uber has confirmed that it is cooperating in the investigation, which is the proper first step to mitigate repercussions. Khosrowshahi has also told employees that the previous way of operating wouldn’t get Uber to the “next level.” Here we see a hint of the cleanup of practices to come. Now, Khosrowshahi will need to bring systematic change to fix Uber’s pressing problems and ensure FCPA violations do not become its next popular headline.

Here are some things we’d encourage him – and other organizations – to consider about the FCPA.

FCPA 101

Under the FCPA, it’s unlawful for U.S. organizations (or third parties acting on their behalf) to give anything of value to a foreign government official to facilitate, obtain or receive business. Certainly, organizations should avoid such behavior as a matter of principle.

However, that principle doesn’t always translate into practice. Organizations with good intentions might think their responsibility ends when employees sign anti-bribery policies or when they require third parties to prove their own anti-corruption practices. Those check-the-box measures are necessary, but by themselves are not adequate to protect against investigations, civil penalties and even criminal charges.

FCPA Basics

Cutting bribery issues off at the pass starts with the code of conduct. Every organization should review and assess its code – which should be an overall declaration of the company’s values, culture and ethical goals. It’s important to include standalone guidance on anti-bribery measures in the code for anyone – employees, subsidiaries and third parties – who will deal with foreign officials.

Code and policies should be paired with just-in-time compliance communication and a risk-based training approach to ensure high-exposure positions receive heightened education. Organization-wide employee training should be ongoing and span from onboarding through an individual’s entire tenure, with regular refreshers.

Certification can be the next step. The International Standards Organization (an independent, international non-governmental organization) published its “Anti-bribery management systems – Requirements with guidance for use” ISO 37001 standard last year. We’ve written about the pros and cons of getting certified under the standard. Some large multinational companies are already pursuing accreditation.

The final step – in the event a bribery incident is discovered, organizations should disclose violations to regulators and cooperate with the investigation. That might have been unthinkable in an earlier era. But in this age of aggressive enforcement – and potential jail time – cooperation can help pave the way to reduced fines and non-prosecution agreements.

Finding Traction on a Slippery Slope

Khosrowshahi, in his initial remarks as CEO, seemed to understand the challenges he faces – taking over a company that had been guided by such values as “toe-stepping” and “principled confrontation” during its meteoric rise. Internal investigations earlier this year found allegations that complaints of sexism and sexual harassment had been ignored. And that was before any mention of bribery.

Uber still plans to go public, as soon as 2019. But getting there and having a successful IPO will likely hinge on correcting the mistakes of the past. Khosrowshahi seems to be the man for the job and has been speaking a form of our language thus far as he says:

“If culture is pushed top down, then people don’t believe it. Culture is written bottom up.”

We’d modify that to note that, while culture certainly has to be present at every level of an organization, the tone at the top – and the mood in the middle – are key to making that a reality. For smart organizations, culture written bottom up can be automated and brought to life through incident reporting tied to policy management and training.

That’s the best way to have an effective compliance ecosystem.

