The recent news that Ralph Lauren Corp (RLC) will pay about $1.6 million to resolve Foreign Corrupt Practices Act (FCPA) violations may at first blush look like another example of a company getting caught in a bribery scandal. In fact, RLC found the $568,000 bribes paid to an Argentinian customs official as a result of their own internal FCPA compliance program. RLC reported the violation to the Securities and Exchange Commission and, as a result, incurred relatively minor penalties. The SEC’s acting enforcement director George Canellos made the following statement:
“When they found a problem, Ralph Lauren Corporation did the right thing by immediately reporting it to the SEC and providing exceptional assistance in our investigation.” The settlement “makes clear that we will confer substantial and tangible benefits on companies that respond appropriately to violations and cooperate fully.”
Compared to the scale of penalties paid by some organizations in recent years that did not take an effective proactive approach to FCPA compliance, $1.6 million is small. The fines levied against companies, such as Siemens, ran into many hundreds of millions of dollars. One way to mitigate the significant risk of financial and reputational damage public companies face by failing to comply with the FCPA is to invest in a strong FCPA compliance program.
What Makes an Effective Compliance Program?
Below are some of the key elements of an effective FCPA compliance program, as determined by the Organization for Economic Co-operation and Development’s “Good Practice Guidance on Internal Controls, Ethics, and Compliance”:
- A culture of compliance with the appropriate “tone at the top.”
- Clearly articulated and visible policy against bribery and corruption.
- One or more senior officers in charge of the compliance program who must report directly to the Board or appropriate Board Committee.
- Have a system of internal financial controls in place to ensure that bribery and corruption cannot be hidden.
- Have periodic communications and training on the compliance program.
- Consistently discipline employees for violations of the compliance program.
- Provide guidance and advice for employees on the compliance program.
- Periodically re-assess and re-evaluate the compliance program to take into account new developments.
Implementing policies and controls is clearly essential, but the challenge is in knowing whether or not the policies and controls are actually working. Technology, in the form of automated transaction monitoring, could potentially play a critical role in making an FCPA compliance program truly effective.
Automating Transaction Monitoring
The principle of automated transaction monitoring is simple:
Examine all of the payment transactions that occur within an organization to determine if there are indications of a corrupt payment or bribe.
In organizations with many millions of transactions and billions of dollars in expenditures, this makes looking for a needle in a haystack a comparatively simple task. However, today’s specialized data analysis technology allows millions of transactions, from multiple sources, to be tested on a daily basis to identify indicators—the important “red flags”—of bribery and corrupt payments.
Automated transaction monitoring may also serve as an important preventive measure. For example, if the very fact that transaction monitoring is performed on all payments is communicated within an organization, the chances are that affected employees are going to be a lot more compliant—particularly if they do not know exactly what types of tests are being performed.
An organization may also attempt to implement stringent controls to ensure all payments are properly approved and authorized. However, almost no system of internal control is bulletproof. If controls become too restrictive and time-consuming, they are likely to be circumvented at some point. This is where independent and automated transaction monitoring can play a crucial role. Not only can it find instances where FCPA compliance controls have been circumvented, but it can also find indications of violation risks in instances where no specific controls were established.
Integrating FCPA Compliance into Enterprise Risk Management
The use of technology in an FCPA compliance program is not restricted to data analysis and transaction testing alone. An important component of an automated program is to effectively and efficiently deal with the “red flags” that the system produces. This is where the use of workflow systems and dashboards play an important role in making sure that actual instances of FCPA violations are identified and escalated appropriately. Increasingly, this information should be integrated into an organization’s overall systems for managing and reporting on risks.
In some organizations, this integration may fall under the purview of a chief risk or compliance officer – or it may be part of the mandate of the CFO. The risks of FCPA violations are centered on the effectiveness of financial system controls, clearly part of the CFO mandate. And, in practice, the use of automated monitoring for FCPA compliance may be an extension of other forms of automated financial control monitoring designed to detect risks and control violations across the purchase and payments cycles within an organization.
John Verver is Vice President, Strategy at ACL. He is a Chartered Accountant, Certified Management Consultant and Certified Information System Auditor, as well as a member of the Center for Continuous Auditing’s advisory board.