The Foreign Corrupt Practices Act is the primary anti-bribery statute in the United States, and it casts a wide net. Federal prosecutors can — and have, many times — filed criminal FCPA charges against individuals, public companies, and private companies. 

Moreover, when we talk about prosecuting corporate misconduct, FCPA violations are almost always at the top of the Justice Department’s priority list. The department will typically bring several cases against companies each year (although that’s not a firm rule; some years the government brings none), and FCPA investigations can quickly become very expensive for target companies. 

Hence all companies that do business overseas should have at least a basic familiarity with the FCPA; and if your operations include anything that might qualify as FCPA risk, you should develop a compliance program to keep that risk in check.

What Is the FCPA?

The Foreign Corrupt Practices Act (“FCPA”) has two parts. First, the law forbids any U.S. company or person to bribe foreign government officials to win business in that country. Those are the criminal provisions, enforced by the Justice Department. 

Second, the law requires publicly traded companies to maintain accurate books and records and to implement internal controls to prevent bribes from being paid. Those are the civil provisions, enforced by the Securities and Exchange Commission.  

The FCPA was originally enacted in 1977, with its anti-bribery provisions applying to U.S. citizens and corporations. Lawmakers amended the law in 1998 to extend the FCPA to foreign corporations and individuals who might also participate (either directly or via third-party agents) in corruption schemes.

Core Elements of the FCPA

As we noted above, the FCPA contains two main elements.

The Anti-Bribery Provisions

The anti-bribery provisions of the FCPA prohibit the bribing of foreign government officials to secure an “improper advantage” in business. For example, your company might hire an overseas reseller who bribes the education minister of a foreign country to win a contract to sell equipment to the school system there. 

It’s important to note that the bribe does not need to be cash; it could be anything of value, such as offering the education minister’s son a lucrative job, or donating to a charity run by the minister’s sibling. Nor does the improper advantage need to be a business contract; it could be an operating license or permits to construct a local factory.

The Books-and-Records Provisions

The FCPA also compels corporations with securities listed in the United States to comply with federal securities law. These accounting provisions require corporations covered by the provisions to (a) keep accurate and fair records of the corporation’s transactions and (b) devise and maintain an adequate system of internal accounting controls.

It is possible (and has happened many times) to be prosecuted for one part of the law but not the other. For example, a public company might face an enforcement action from the SEC over the books and records provisions, even when the Justice Department has declined to prosecute a criminal case for the same scheme.

Who Needs to Comply With the FCPA?

A common misperception about the Foreign Corrupt Practices Act (FCPA) is that it only applies to public companies and not private companies.

That’s wrong. The FCPA applies to any corporation, partnership, association, trust, unincorporated organization, or sole proprietorship with its principal place of business in the United States or organized under U.S. law.

Another false perception is that the FCPA applies only when companies attempt to obtain or retain business with foreign government customers. Instead, U.S. case law has held that bribing foreign officials to reduce customs duties or taxes also violates the FCPA’s anti-bribery provisions. This is because doing so gives an unfair advantage to the companies or individuals making the payments over their competitors. 

An FCPA violation can also occur where payments are made to non-government third parties acting for or on behalf of any foreign government agency — say, bribing the hospital director of a state-run healthcare system.

What Are the Consequences of Violating FCPA?

The SEC and the U.S. Department of Justice are jointly responsible for FCPA enforcement. The SEC brings civil charges for FCPA violations of the accounting provisions. In contrast, the Justice Department brings criminal charges for violations of the anti-bribery provisions. Most times, but not always, the two agencies will bring charges against a company at the same time.

The penalties for FCPA violations vary depending on the type of infraction committed and who commits it:

  • Penalties for people can include fines of up to $100,000 and five years’ imprisonment per infringement. In rare situations, if the person violates the FCPA’s requirements willfully (referred to as a “willful violation”), the minimum prison sentence can reach 20 years, the fines up to $5 million.
  • Penalties for businesses, including corporations, can include fines of up to $2 million per infraction. The maximum penalties for willful infractions might reach $25 million per violation.

Fines can be doubled under the Alternative Fines Act, and violators can be prevented from participating in government programs or receiving specific operational licenses.

And if that isn’t enough, always remember the costs of investigating an FCPA case, which can take years. Legal costs could easily run to two or three times as much as whatever penalty your company might end up paying.

How to Comply With the FCPA

Federal law enforcement policies strongly encourage companies to have effective compliance programs that address FCPA risks. In 2012, the SEC and the DOJ released an FCPA resource guide recommending key components that companies should include in their compliance programs. 

The Justice Department also adopted an FCPA Corporate Enforcement Policy that offers significant leniency for companies that self-disclose FCPA violations and develop effective compliance programs. The department also has guidance (last updated in 2023) on what an effective compliance program should accomplish. 

Developing an FCPA compliance program can be difficult for organizations that lack the appropriate infrastructure, but putting the proper systems in place doesn’t have to be complex or time-consuming. Here are some steps you can take so that your company has an efficient compliance program:

  • Do your homework on third-party vendors before hiring them. A successful procurement process will undertake detailed risk evaluations of potential partners’ business practices and compliance with local laws and regulations.
  • Display your company’s FCPA compliance policies. This will aid in the prevention of potential misbehavior by workers and third parties. Additionally, ensure that you have explicit standards in place for gifts and entertainment and a reporting system for any FCPA infractions employees observe.
  • Implement controls to prevent undesirable behavior. Requiring dual signatures for significant payments and performing internal audits to detect any questionable behavior are examples of valuable safeguards.
  • Train employees and third parties on FCPA procedures. Tailor your FCPA compliance training to each individual’s function and hold sessions regularly to keep your staff informed about their duties to recognize and report any infractions.
  • Evaluate and monitor your third-party providers. This involves completing due diligence assessments, implementing anti-corruption policies and processes, and conducting frequent audits and evaluations of their corporate operations.

Manage and Maintain Compliance with ZenGRC

Instead of managing your compliance needs using spreadsheets, use ZenGRC to automate evidence and audit management across all your compliance frameworks. ZenGRC’s compliance, risk, and workflow management software is simple.

ZenGRC has various compliance frameworks and standards for easy adoption, such as FCPA, HIPAA, SOC, and more. One-to-many control mapping simplifies mapping internal controls to various standards so that you may manage FCPA compliance alongside other frameworks, making compliance management more accessible than before. 

ZenGRC also acts as a single point of truth, so that your organization is constantly compliant and audit-ready. Policies and procedures are versioned and easily accessible in the document repository. Workflow management tools include simple monitoring, automatic reminders, and audit trails. Insightful data and dashboards highlight gaps and high-risk areas.
