Compliance Lessons from Recent FCPA Cases

Thad McBride, Lindsey Fetzer


October 2, 2023

At its core, the Foreign Corrupt Practices Act (FCPA) is relatively simple: It prohibits U.S. individuals and entities and anyone in the United States from directly or indirectly making, offering or authorizing a payment of anything of value to a foreign official to obtain a business advantage. In addition, the law requires companies with registered securities in the United States to maintain appropriate internal controls and accounting practices to ensure transactions are properly authorized and recorded. The FCPA is administered by the U.S. Department of Justice (DOJ) and, in the case of companies with registered securities in the United States, the Securities and Exchange Commission (SEC).

While the law is generally straightforward, the government’s broad interpretation of key FCPA terms makes compliance difficult. “Anything of value” can be a gift, business courtesy, donation, offer of employment or anything else that benefits the recipient. A “foreign official” may be an employee, agent or official of any non-U.S. government, including an entity such as a national airline or national telecommunications operator. A “business advantage” could be obtaining new business or merely retaining existing business, and even includes directing business to a third party. Moreover, a violation can occur through both direct and indirect action, such as an improper payment or an offer made by a third-party representative.

So far this year, the U.S. government has enforced the FCPA in a targeted but aggressive fashion, reaching resolutions with companies in various industries, including hospitality, medical devices, oil and gas, and telecommunications. While the number of enforcement actions has been relatively small, penalties have been significant compared to prior years. Some of the more notable FCPA actions this year include:

Philips. In May 2023, Koninklijke Philips N.V. (Philips), a Dutch healthcare technology manufacturer listed on the New York Stock Exchange (NYSE), agreed to pay the SEC more than $62 million to resolve allegations of improper conduct by two of its subsidiaries in China and Hong Kong. The administrative order charged Philips with violations of the books and records and internal controls provisions; there were no anti-bribery violations charged. Philips previously paid $4.5 million to resolve a 2013 FCPA enforcement action concerning its conduct in Poland.

Regarding the 2023 resolution, the SEC asserted that the company’s China- and Hong Kong-based subsidiaries offered “special price discounts” to distributors, creating a risk that “increased margins could be used to fund improper payments to employees of government-owned hospitals.” Employees at these subsidiaries also allegedly engaged with foreign officials to influence public tenders. The SEC emphasized that Philips had not effectively implemented internal controls developed following the 2013 resolution.

The 2023 monetary penalty included a civil fine of $15 million and disgorgement of wrongfully obtained profits and pre-judgment interest of $47.1 million. Philips agreed to a two-year probationary period, during which the company is to submit annual reports to the SEC on the company’s remedial efforts in lieu of monitorship. The reports will focus on “due diligence on prospective and existing third-party consultants and vendors, FCPA training and the testing of relevant controls, including the collection and analysis of compliance data.”

Frank’s. In April 2023, Frank’s International, a Dutch oil and gas services company listed on the NYSE, agreed to pay the SEC $8 million to resolve allegations that a sales agent paid bribes of over $550,000 to Angolan government officials in violation of the FCPA’s anti-bribery, books and records, and internal controls provisions. According to the SEC, the company did not conduct due diligence on a third-party vendor in Angola that did not have the requisite “technical background to advocate on the company’s behalf before [state-owned oil and gas company] Sonangol” but instead had “personal relationships” with Sonangol employees.

The SEC order asserts that Frank’s recorded bribes the vendor made to Sonangol officials as legitimate business expenses, including meals and entertainment. The company’s Houston-based general counsel also participated in drafting and approving certain contracts with Sonangol.

Ericsson. In March 2023, Nasdaq-listed Swedish telecommunications company Ericsson entered two guilty pleas and agreed to pay a $206 million fine for breaching a 2019 deferred prosecution agreement (DPA) it entered into with the DOJ for FCPA violations. The 2019 DPA was the centerpiece of a resolution in which the company agreed to pay the DOJ and SEC over $1 billion in connection with bribes paid to government officials in China, Djibouti, Indonesia, Kuwait and Vietnam, principally via third-party vendors and consultants.

The DOJ alleged Ericsson breached the DPA by not complying with the cooperation and disclosure requirements, including failing to disclose information related to potential current and historic FCPA violations. Ericsson agreed to plead guilty to the charges deferred by the 2019 agreement: conspiracy to violate the anti-bribery provisions of the FCPA and conspiracy to violate its internal controls provisions. The company also agreed to extend the previously imposed compliance monitor through June 2024.

Flutter. In March 2023, Flutter Entertainment, an Irish global gaming and sports betting company and the successor-in-interest to Canadian gambling company Stars Group, agreed to pay the SEC $4 million to resolve alleged violations of the FCPA’s books and records and internal controls provisions. Flutter also agreed to cease and desist from future violations. 

Stars Group, which was listed on the Nasdaq, allegedly made payments to third-party consultants for services in support of poker legalization in Russia as part of a lobbying campaign between 2015 and 2020. According to the SEC order, Stars Group “failed to both devise and maintain a sufficient system of internal accounting controls over its operations in Russia with respect to third-party consultants, and to consistently make and keep accurate books and records regarding its consultant payments in Russia.” It also failed to conduct appropriate due diligence on these consultants or maintain written contracts with them.

Flutter acquired Stars Group in May 2020. The order noted Flutter’s cooperation and implementation of remedial efforts, as well as the company’s withdrawal from the Russian market in early 2022.

Compliance Lessons from Recent Enforcement

Several key lessons emerge from these recent enforcement actions. First, the actions underscore the importance of due diligence regarding third-party representatives. This is true whether the representative is deemed an agent, consultant, distributor or given some other title. Any party acting for or on behalf of a company subject to the FCPA risks exposing the company to liability. It is essential to conduct pre-contracting diligence on third parties to identify potential risks and to address risks appropriately before moving forward with engaging a third party, including putting a written agreement in place. In addition, companies should have processes in place to monitor third parties throughout the relationship.

Second, it is critical to ensure implementation of any remedial measures agreed to in a settlement or, more commonly, as part of a compliance audit or other review. To that end, company managers are responsible for driving those corrective actions. Implementation of remedial measures is particularly imperative for repeat FCPA offenders. In both the Ericsson and Philips cases, it appears that the companies developed compliance enhancements but did not fully implement them. Charles Cain, chief of the SEC Division of Enforcement’s FCPA Unit, said of the Philips resolution, “Despite remediation done in connection with its prior violations, Philips nevertheless failed over the course of several years to implement sufficient internal accounting controls with respect to its sales of medical technology products in China.”

Third, both the Flutter and Philips cases offer a reminder that the SEC may impose penalties under the FCPA even when the DOJ does not do so. In some cases, the SEC may have jurisdiction over a particular actor or conduct even when the DOJ does not. Regardless of where they are operating and whether operations have a nexus to U.S. commerce, any company with publicly traded securities in the United States can be subject to SEC enforcement. Further, the FCPA’s books and records and internal accounting controls provisions allow the SEC to prosecute issuers even in the absence of an anti-bribery violation.

Lastly, companies need to take into account a DOJ pilot program announced in March 2023 that specifies that companies must try to claw back compensation from individual wrongdoers. Correspondingly, the DOJ will likely expect corporate compliance programs to include specific measures related to compensation.

Thad McBride is a member at Bass, Berry & Sims PLC in the firm’s Washington, D.C., office. He heads the firm’s international trade practice and counsels clients on compliance with and investigations involving the FCPA, economic sanctions and embargoes, export and import controls and other U.S. trade laws.

Lindsey Fetzer is a member at Bass, Berry & Sims PLC in the firm’s Washington, D.C., office. She focuses her practice on FCPA and other white collar and corporate compliance matters, including health care fraud and abuse issues, and representing clients in foreign and domestic matters involving the DOJ, SEC and other primary enforcement agencies.