What is Your FCPA Investigation Protocol?

On Wednesday, at the ACI FCPA Bootcamp, there was an excellent presentation by Jay Martin, Vice President, Chief Compliance Officer (CCO) and the Senior Deputy Counsel for Baker Hughes Incorporated and Jacki Trevino, Senior Manager, Corporate Compliance at Fluor Corporation. I have heard both of them speak and I can assure you that they both know the Foreign Corrupt Practices Act (FCPA) and their compliance stuff. They both also always have a great power point presentation that you can take away from any presentation either one of them makes. Yesterday was no different on either score.

The topic of their presentation was "FCPA Compliance Best Practices: Success Stories of Robust and Effective Anti-Corruption Compliance Programs in High Risk Markets" and as you might guess from such a title, there was a significant amount of information discussed. Today, I wanted to focus on one part which dealt with investigation protocol. I think that one of the key lessons to be drawn from the ongoing Wal-Mart FCPA matter is that back in the 2006 time frame, when the corporate office was made aware of allegations of bribery and corruption regarding its Mexican subsidiary, the corporate office either did not have an investigation protocol in place, or perhaps even worse, it had one and disregarded it when the allegations bubbled up to Bentonville.

Trevino presented the Fluor investigation protocol which consists of the following five steps (1) Opening and Categorizing the Case; (2) Planning the Investigation; (3) Executing the Investigation Plan; (4) Determining Appropriate Follow-Up; and (5) Closing the Case. I recognize that if a case of significant bribery or corruption is uncovered that there may be more or additional steps that you may need to take. However if you follow this basic protocol, you should be able to work through most investigations, in a clear, concise and cost effective manner. Furthermore you should have a report at the end of the day which should stand up to later scrutiny if a regulator comes looking. Finally, you will be able to document, document, and document, not only the steps you took but why and the outcome obtained.

Step 1: Opening and Categorizing the Case. Under this first step, you should categorize the ethics and compliance violation. You should notify the relevant individuals, including those on your investigation team and any senior management members under your notification protocols. After notification, you should assemble your investigation team for preliminary meetings and assessments. This Step 1 should be accomplished in one to three days after the allegation comes into compliance, either through your reporting structure or other means.

Step 2: Planning the Investigation. After assembling your investigation team, you should determine the required investigation tasks. These would include document review and interviews. If hard drives need to be copied or documents put on hold or sequestered in any way, or relationships need to be analyzed through relationship software programs or key word search programs, this should also be planned out at this time. These tasks should be integrated into a written investigation or work plan so that the entire process going forward is documented. Also if there is a variation from the written investigation plan, such variation should be documented and an explanation provided as to why there was such a variation. Lastly, if international travel is involved this should also be considered and planned for at this step. This Step 2 should be accomplished with another one to three days.

Step 3: Executing the Investigation Plan. Under this step the investigation should be completed. I would urge that the interviews not be effected until all documents are reviewed and ready for use in any interviews. Care should be taken to ensure that an appropriate Upjohn warning is issued and that the interviewee clearly understands that whoever is performing the interview represents the company and not the person being interviewed, whether they are the target of the investigation or not. The appropriate steps should also be taken to preserve the attorney-client privilege and attorney work product assertions. This Step 3 should be accomplished in one to two weeks.

Step 4: Determining Appropriate Follow-Up. At this step the preliminary investigation should be completed and you are ready to move into the final phases. In some investigations, it is relatively easy to determine when the work is essentially complete. For example, if the allegation is both specific and narrow, and the investigation reveals a compelling and benign explanation for the conduct alleged, then the investigation typically is complete and you are ready to convene the investigation team and the relevant business unit representatives. This group would decide on the appropriate disciplinary steps or other actions to take. This Step 4 should be completed in one day to one week.

It must be cautioned that at this step, if there are findings of specific or discrete allegations of corruption and bribery, a decision must be made as how to handle such findings going forward.

Step 5: Closing the Case. Under this final step, you should communicate the investigation results to the stakeholders and complete the case report. Everything done in the above steps should be documented and stored, either electronically or in hard copy form together. The case report should be completed. This Step 5 should be completed in one day to one week.

With the growing number of reports to the Securities and Exchange Commission (SEC) Whistleblower program under Dodd-Frank, companies are under increasing pressure to get up and running quickly on any claim of bribery and corruption that is brought forward. By using the Fluor investigation protocol that Trevino has laid out, you will have a ready-made process in place to start from. If your company does not have such a protocol I would suggest that you tailor this process to fit the needs of your company. If your company does have an investigation protocol in place, I would suggest that you review it in need of the one that Trevino has presented to us.

Visit the FCPA Compliance and Ethics Blog, hosted by Thomas Fox, for more commentary on FCPA compliance, indemnities and other forms of risk management for a worldwide energy practice, tax issues faced by multi-national US companies, insurance coverage issues and protection of trade secrets.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

For more information about LexisNexis products and solutions connect with us through our corporate site.