Leaders in Global Risk Management
Freeh Group International Solutions graphic

Part II - Anti-Bribery and Corruption Compliance: An Effective Program

Elliott Leary, Jennifer Hammond, and Steven Szaroleta June 9, 2014


As discussed in our recent article, Anti-Bribery and Corruption Compliance: The Role of Transactional Testing in a Proactive Review,1 the importance of implementing appropriate internal controls through accounting transaction testing highlights the difference between an adequate anti-corruption program and one that could be exceptional. Transactional testing can expose gaps and identify weaknesses in the control environment of an organization. Testing will ensure that that an organization is committed to the highest levels of Anti-Bribery & Corruption (A-B&C) compliance.

While transactional testing is one very important component of an effective A-B&C program, an organization needs to draft and implement other compliance components in order to achieve an effective A-B&C program. In order to maintain an effective program, a company is required to monitor and audit specific components of the program on a periodic basis. As referenced in the article cited above, the U.S. Department of Justice (DOJ) and U.S. Securities and Exchange Commission (SEC) continue to place a high priority on the enforcement of the U.S. Foreign Corrupt Practices Act (FCPA). Therefore, it is critical that companies understand how the FCPA, as well as other relevant A-B&C regulations, impact their organizations and operations, and ensure that they have in place an effective, and tested, compliance program.


The anti-bribery provision makes it unlawful for an individual, business or employee, to offer or provide, directly or through a third party, anything of value to a foreign official to assist in obtaining or retaining business or to gain an unfair advantage.

The U.S. regulators have been aggressive in asserting jurisdiction in FCPA cases. The law has sweeping reach, and the payment prohibitions apply to both private and public organizations. Given the right set of jurisdictional facts, individuals, corporations, U.S. domestic concerns, foreign nationals and foreign businesses, and U.S. parent companies have all found themselves within the reach of this statute.

The accounting provisions apply to public companies.

An issuer must keep and maintain accurate books, records and accounts with reasonable details to accurately reflect the true nature of transactions and the dispositions of the assets of the organization. An entity could face the threat of enforcement action if enforcement authorities deem it had insufficient controls that allowed a bribe, illegal commission or improper payment to be disguised or concealed. There is no monetary materiality threshold.

2. Internal Controls3
An entity must devise and maintain a system of internal accounting controls sufficient to ensure that transactions are executed with management’s knowledge and authorization, properly recorded to ensure accurate financial recording, and to allow for the periodic review of assets.

There is one narrow exception to the FCPA for facilitating payments made in furtherance of a routine governmental action.4 A payment for a routine governmental action must be non-discretionary and could include such things as processing a visa or supplying utilities. These payments must also be “small dollar amounts.”5 While this exception may be allowed under the FCPA, depending upon the facts and circumstances of the particular case, it may not be legal in the country where the payment is made or under other countries’ A-B&C regulations that are relevant in the matter.

There are also two affirmative defenses under the FCPA.6 The “local law” defense provides an opportunity for the defendant to prove that the payment is legal under the written laws7 of the country in which it made. A “reasonable and bona fide” business expenditure provides an opportunity for the defendant to prove that the money was spent as part of a product demonstration or a contract obligation.


The UK Bribery Act8 (UK Act) is similar to the FCPA – but there are some key differences that make the UK Act more restrictive than the U.S. regulation. The UK Act includes two general offenses, one for offering and one for accepting a bribe. These include private, commercial bribery. There is also an offense for bribing a foreign public official. Like the FCPA, the UK Act has broad extra-territorial reach. Also included in the UK Act is a strict liability corporate offense for failing to prevent bribery. However, if the organization can demonstrate they had “adequate procedures” in place, they can defend against the strict liability offense for failing to prevent bribery. There is no facilitation exception allowed under the UK Bribery Act, making it very different in this regard than the U.S. regulation.


For years the FCPA was the only aggressively enforced A-B&C regulation an organization had to consider. Some may argue that because of the vigor with which the U.S. regulators enforce the statute, it is still the most important set of regulations on the international landscape. However, other countries are enforcing their own A-B&C rules and are becoming more aggressive in their approach. It is important for organizations to understand the unique differences between the U.S. rules and those in other countries, like the UK Act.

According to Kathleen Hamann, partner at White & Case and former U.S. DOJ Fraud Section, Criminal Division attorney, “Many of the new A-B&C laws, ranging from countries like the UK to Brazil, have absolute defenses when there is a good compliance program in place. The Department of Justice has also recognized in two recent cases that companies lacked liability because they could show their internal controls were deliberately evaded. High-quality programs are more important than ever before, because they can inoculate you from liability.”

The differences can present both challenges and opportunities to organizations that are trying to do the right thing and abide by numerous international laws. It can be a complex process. An effective program must consider relevant guidance from all the countries in which the organization operates. When considering, for example, the criminal liability the UK will impose for failure to prevent bribery and the Accounting Provisions required in the U.S., it becomes clear that an entity must achieve certain baseline requirements.


An effective A-B&C Program will start with a robust policy and include well-developed components to support that policy. Wrong doers have long utilized weaknesses in internal controls for many nefarious purposes. An organization that cuts corners in compliance will find that they are more susceptible to rogue employee action, such as bribery and corruption, as well as general fraud and misconduct. Furthermore, an organization that attempts to employ a strictly “cookie-cutter approach” to A-B&C compliance is missing an opportunity to prevent potential violations of law or company policy, and to prepare an effective, proactive and defensible compliance program.

Most organizations can develop an effective compliance program by starting with prevailing A-B&C guidance, and adding necessary modifications based upon the specific needs of their individual organization and the risks they face. Importantly, by making the extra effort to test accounting transactions, an organization can take an important step toward meeting both the Accounting Provisions of the FCPA and the Adequate Procedures required under the UK Act.

The following chart provides a comprehensive framework for an Effective Compliance Program:
An Effective A-B&C Compliance Program
overview of an effective A-B&C compliance program This overview of an effective A-B&C compliance program is based upon information and guidance issued by the U.S. Department of Justice, the U.S. Securities and Exchange Commission, DOJ Non-Prosecution and Deferred Prosecution Agreements, DOJ Opinion Releases, OECD Guidance including Annex II, and the UK Bribery Act.

It is important for compliance professionals to remember that each component should be revisited on an ongoing basis. As new information is learned from training sessions, program audits, account transaction testing, etc., enhancements should be incorporated and made to the overall program. Issues that are identified cannot be ignored. As Gregory A. Paw, a partner in charge of Pepper Hamilton LLP’s Business Integrity practice, has noted, “an effective compliance program will be sufficiently dynamic to integrate lessons from a company’s own experiences, as well as to reflect the evolving environment of the industry and the lessons gained from enforcement actions brought by regulators.”

The links between each of the components in an effective program are important. The dynamic between (1) A-B&C internal controls and (2) periodic and ongoing monitoring and auditing cannot be overstated when considering the importance of the Accounting Provisions and Adequate Procedures. Controls must be periodically reviewed to ensure they are operating as intended. When conducting transactional testing of internal controls, the goal is to identify those controls related to A-B&C compliance and to develop a process to test the effectiveness of each control. Transactional testing involves the selection and examination of relevant, specific transactions and the associated supporting documentation for those transactions. An organization with an effective A-B&C program will periodically look at both the controls and the transactions to ensure they are operating as intended and tighten the controls as needed on a periodic basis.

According to Kathleen Hamann, “Investigating authorities will always ask about transaction testing. There simply is no way to really know if a system is working – no matter how well it is designed – without actually drilling all the way down.”

To make their program most effective, an organization will also utilize what they have learned related to each of the components to strengthen and enhance other components. The entire program works together to meet the goals of A-B&C compliance. The most effective way for an organization to undertake this effort is with a focused planned strategy that calls for specific goals to be met against targeted deadlines.

To complement the resources and experience an organization has in-house, outside expertise may be needed to fill specific gaps and to work with the organization to ensure that all compliance goals are met. “Both the SEC and DOJ remain incredibly focused on FCPA enforcement, including the books and records provisions,” says Laurence Urgenson, former chief of the Fraud Section at the DOJ and head of Mayer Brown LLP’s FCPA Practice. “A risk-based compliance program tailored to a client’s FCPA touch points is important to minimizing overall enforcement risk,” he adds.

Fellow Mayer Brown FCPA Partner Audrey Harris also cautions, “Involvement of legal counsel in directing and planning compliance and review tools, such as transaction testing, is key to getting the optimal benefit for the client. This includes counsel considering whether and how the process should move forward under the scope of attorney-client privilege and work-product doctrine protections.”


It is important for an organization to revisit their A-B&C program on a recurring basis and enhance each component as needed, based on relevant findings. Transactional testing is not only an element that helps move an organization from an adequate anti-corruption program to one that is exceptional, but it could be an important factor in building the case that an organization meets both the Accounting Provisions of the FCPA and the Adequate Procedures required under the UK Act. These efforts can help an entity build a robust internal control environment and be able to demonstrate an active risk-based compliance program, should the entity ever need to report to a regulatory authority.


  1. http://www.freehgroup.com/news/39
  2. 15 U.S.C. § 78m(b)(2)(A).
  3. 15 U.S.C. § 78m(b)(2)(B).
  4. 15 U.S.C. § 78dd-1(c)(2);
  5. A “small dollar amount” has not been clearly defined.
  6. 15 U.S.C. §§ 78dd-2(c)(2), 78dd-3(c)(2).
  7. It must be a written law and not merely customary.
  8. See http://www.legislation.gov.uk/ukpga/2010/23/contents.