Third Party Management Insights

FCPA Compliance and the Energy Industry

By Tom Fox, Principal at Advanced Compliance Solutions

With increasing regulation, the energy industry has been required to become one of the leaders in creating, implementing and maintaining an effective anti-bribery/anti-corruption compliance program. Among the many factors included in FCPA compliance are single source, extractive minerals in countries where there has traditionally been strongman rule or countries with limited long-term democratic institutions. This paper explores some of the reasons and responses by the energy industry.

I. Panalpina and its fallout

Houston is the epicenter of Foreign Corrupt Practices Act (FCPA) enforcement and has been for quite some time. There are more companies who have gone through FCPA enforcement efforts in Houston than in any other city across the globe. If you look at the Top Ten FCPA settlements of all time, you will see five companies in the energy space. While these companies may be headquartered outside of Houston or even Texas, they have significant operations in the United States, significant operations here in Houston and they operate in the energy space which is scrutinized by the DOJ.

The most significant action around energy companies came through the freight forwarder Panalpina and related enforcement actions. In November 2010, on Panalpina settlement day, the Department of Justice (DOJ) announced $230MM in FCPA fines and penalties. Many companies had to pay substantial dollars because of information that the DOJ was able to obtain through the Panalpina investigation.

The significance should not be underestimated because Panalpina had multiple bribery schemes and a complete breakdown in internal controls around anti-corruption compliance, specifically the FCPA. The UK Bribery Act was not in effect at the time and here we had one company engaging in bribery and corruption across a wide number of places for a large number of customers. But equally important to the Panalpina case, and related actions, was that the DOJ figured out the road map to use in prosecutions going forward. In the energy industry, it was to use a vendor who worked for multiple energy companies. The DOJ would simply obtain that vendor’s customer list and then investigate the companies. They also investigated third parties on the sales side. If an agent or distributor engaged in bribery and corruption for one energy company, it may well have done so for several.

II. Accessing Your Cash

If you want to access the cash from your own company, you will most probably be required to have a best practices compliance program in place. If you seek funding through a traditional bank loan you may well be required to demonstrate proof of your ongoing and effective compliance program. Moreover, the requirement to maintain an effective compliance program throughout the term of the loan is now being written into the loan covenants. This could require an annual assessment by an independent third party of your compliance program.

Clearly if you want to take your business public through an Initial Public Offering (IPO) you will have to put a compliance program in place, in addition to all the Sarbanes Oxley (SOX) reporting requirements that you will sustain going forward. One thing not to be overlooked is that an officer of your organization will be required to personally attest that there has not been any FCPA violation(s) in the past. This certification is signed under the penalties of perjury, which means that any officer so signing will need to satisfy him or herself as to the accuracy of the signed certification.

Finally, if the funding mechanism is private equity, it needs to have a best practices program in place and to maintain one during the time of private equity involvement with your entity. A private equity company has another set of issues around compliance.

Most folks learn in elementary school the concept of the ‘lowest common denominator’. A non-mathematical definition might be the most basic or lowest of something among a group. Conversely, there exists the concept of ‘highest common denominator’ that might have the opposite definition, or the uppermost or maximum of something among a group. The concept of highest common denominator may now be applicable to private equity companies and the FCPA.

What are some ways liability can attach itself to a private equity company for the actions of a Portfolio Company? The Nature’s Sunshine case and the theory of ‘control person liability’ could certainly be one way. Under this theory, if a person has the “power to direct or cause the direction of the management and policies to a person whether through the ownership of voting securities, by contract or otherwise”, it would not take much of a leap to get to a private equity owner of a Portfolio Company. However, there may be a more direct route where FCPA liability can attach to a private equity company, through one or more of the following: actual knowledge, willful blindness, conscious disregard or deliberate ignorance. It is through these mechanisms that the ‘highest common denominator’ comes into play. Typically private equity entities have a variety of portfolio companies. There may be several portfolio companies across several industries. The private equity owners may reach down to exercise a large amount of control over each portfolio company, which could result in actual knowledge of each portfolio company’s compliance program.

Nevertheless, a private equity company may allow its individual portfolio companies to develop their own compliance programs. However, through the ‘highest common denominator’, this could lead to a charge of willful blindness, conscious disregard or deliberate ignorance as to the private equity owner. If a private equity entity had 10 portfolio companies and one had a best practices compliance program and the others had something less than best practices, I believe that the private equity entity would be held to the standard of the highest or best compliance program of any entity in its portfolio. This would mean the private equity entity has actual knowledge of a best practices compliance program and the private equity owner would be consciously disregarding or deliberately ignoring such best practices for the remainder of its portfolio.

This does not mean that if the private equity had one multi-billion dollar entity and several others in the range of $250 to $750 MM in value, that it would be held to the standard of the compliance program in the multi-billion entity. However, if there are several in the lesser range, it could well be held to the highest standard of the companies in that lesser range. That means that if the private equity entity allows the portfolio companies to implement their own compliance solutions, it may be setting itself up for liability.

So what is the answer? The first thing that the private equity owner must do is assess each portfolio company’s compliance program. If one has a best practices compliance program, such a program may need to be implemented across the spectrum of portfolio companies. If that is not done, there may be an action based upon the highest common denominator.

III. Business Solutions to Legal Problems

More than any other industry, the energy industry is leading the way in requiring all businesses, up and down the chain, to institute a best practices compliance program. In the energy industry, the exploration and production companies (E&P) are usually thought of as existing at the top of the food chain (i.e. Mega-Big). Below them are the service companies, which actually do the work of exploration (i.e. Very-Big). The next level down are companies who work with the service companies, from the multi-billion chemical production firm down to the $15MM company which has a piece of software that does something useful. Each of these companies is required to have a compliance program.

In practice it works something like this. A service company needs a product or service. As part of the regular contracting process, the service company will inquire into the contractor’s compliance function and policy. If the contractor provides a service which deals with a foreign government in any way or has foreign government touch points, the service company may well come and audit the contractor’s compliance program prior to executing the contract. Thereafter, the contractor is subject to being audited not only for execution of the contract but also for the continued maintenance of its compliance program. All of this is done to ensure compliance with the FCPA.

But last week I received a copy of a paper by Scott Killingsworth. In his white paper entitled “The Privatization of Compliance”, he sets out the legal and theoretical underpinnings of the business solution to FCPA compliance. In his introduction he states, “Embodied in contract clauses and codes of conduct for business partners, these obligations often go beyond mere compliance with law and address the methods by which compliance is assured. They create new compliance obligations and enforcement mechanisms and touch upon the structure, design, priorities, functions and administration of corporate ethics and compliance programs. And these obligations are contagious: increasingly accountable not only for their own compliance but also that of their supply chains, companies must seek corresponding contractual assurances upstream. Compliance is becoming privatized, and privatization is going viral.” And he calls this “private-to-private or P2P compliance.”

Killingsworth says this is a change from a “vertical, state-imposed” mandate to “an integral adoption of best practices both as a cultural norm and critically, as a path to profit”. [Italics mine] He notes that when such obligations come from a business partner, “This message has the potential to re-orient some attitudes and remove some ethical blinders. As more businesses are forced by their counterparties to examine their compliance processes and routinely accept business and legal consequences for them, we can expect increases in overall investment in compliance, in the scope and robustness of the average compliance program, and in ambient awareness of compliance issues outside the compliance, audit, and legal staffs. The viral nature of the process, in which each participant can exert pressure on a large number of direct and indirect upstream or downstream parties, while simultaneously fielding demands from other members of its value chain, suggests that the trend will continue and its influence will grow.”

Specifically in the area of anti-bribery/anti-corruption compliance programs, he writes “The debates about best practices are settled, save for skirmishes over when they can be practically applied.” Such best practices can be seen in the area of third-party due diligence and anti-bribery provisions, which are written into contracts with “domino-style flow-down requirements.” These obligations can arise by directly incorporating anti-corruption compliance obligations or by reference to one party’s compliance regime, or both. Such contractual provisions can cover a variety of issues, such as “ethical rules governing relationship issues such as conflicts of interest and gifts and entertainment; requirements to obey specific laws of concern and laws generally; and procedural rules such as the right to audit the partner’s records or train its personnel. Process and structural rules may be imposed on the partner’s compliance activities, such as requirements to establish management accountability, develop appropriate policies and procedures, maintain an anonymous reporting system and an anti-retaliation policy, train employees, conduct periodic audits, risk assessments and remediation, and of course, sometimes to cascade these program elements to downstream associates.”

All of these concepts work for any third party with whom your company does business, whether on the sales side of your business or a vendor in the supply chain. The key is to risk rank those entities for FCPA risk and then manage them using the five-step process for management of third parties. This includes: 

  1. Business Justification
  2. Questionnaire
  3. Due Diligence and its evaluation
  4. Contracting, including compliance terms and conditions
  5. Managing the relationship thereafter.

Putting this third party management lifecycle into a technological solution is something that will not only give you a more effective compliance program but also allow you to move more quickly to prevent and detect any FCPA issues before they become full violations.

The energy industry has faced a unique set of challenges regarding the FCPA. However, the difficulties the industry has faced have led to greater awareness of the FCPA and what it requires, greater knowledge of what constitutes a best practices compliance program, and a broader energy industry requirement that companies do business in compliance than exists in most other industries. Are you ready to respond to this challenge?

