Introduction
This checklist provides guidance to in-house counsel and risk and compliance teams on what to include in a United States Foreign Corrupt Practices Act (FCPA) compliance program.
The checklist addresses the following steps:
- General points to consider when creating an FCPA compliance program
- Employee dealings
- Education, training and resources
- Risk assessment and due diligence
- Implementation and monitoring
- Findings, investigations and remediation
- Overall continuing good practice
- Additional provisions
The checklist is presented as a list of steps that you can check off as they are addressed. At the end of the document there are general explanatory notes, and specific notes corresponding to the relevant step in the checklist. Keep in mind there is no single approach to FCPA compliance. Compliance programs should be tailored to a company's specific circumstances.
The checklist can be used in conjunction with the following How-to guides: How to protect your company from violations of the United States Foreign Corrupt Practices Act, How to protect your organization from third party liability under the FCPA and Checklist: Anti-bribery risk assessment.
Step 1 - General points to consider when creating an FCPA compliance program
| No. | Task |
|---|---|
| 1.1 | Ensure purpose of program is clearly stated |
| 1.2 | Ensure commitment from senior management |
| 1.3 | Align FCPA program to code of ethics |
Step 2 - Employee dealings
| No. | Task |
|---|---|
| 2.1 | Include provisions on hiring and screening practices for employees |
| 2.2 | Conduct individual conflict of interest checks |
| 2.3 | Set out discipline procedure for non-compliance with guidelines |
Step 3 - Education, training and resources
| No. | Task |
|---|---|
| 3.1 | Design and implement comprehensive education and training program |
| 3.2 | Establish annual education and training requirement |
| 3.3 | Secure adequate funding and resources to ensure FCPA compliance |
Step 4 - Risk assessment and due diligence
| No. | Task |
|---|---|
| 4.1 | Assess the organization’s corruption risk procedures |
| 4.2 | Conduct periodic review of risks |
| 4.3 | Conduct due diligence of third parties |
| 4.4 | Conduct due diligence before mergers or acquisitions |
Step 5 - Implementation and monitoring
| No. | Task |
|---|---|
| 5.1 | Establish responsibility for oversight of program |
| 5.2 | Regularly monitor efficiency of program |
| 5.3 | Regularly monitor red flags |
Step 6 - Findings, investigations and remediation
| No. | Task |
|---|---|
| 6.1 | Establish internal channel for confidential reporting |
| 6.2 | Conduct annual audits of policies within FCPA program |
| 6.3 | Set out process to investigate, analyse, and remediate sources of misconduct |
Step 7 - Overall continuing good practice
| No. | Task |
|---|---|
| 7.1 | Set out and ensure adherence to recordkeeping policy |
| 7.2 | Ensure periodic review and assessment of FCPA compliance program |
| 7.3 | Make FCPA compliance program easily accessible internally |
Step 8 - Additional provisions
| No. | Task |
|---|---|
| 8.1 | Consider gifts, travel, hospitality, and entertainment expenses |
| 8.2 | Consider charitable and political donations |
Explanatory notes
General notes
To minimize the risk of an FCPA violation, organizations doing business overseas should implement and adhere to a comprehensive FCPA compliance program. Good FCPA compliance programs demonstrate that an organization is making a good faith effort to prevent corrupt practices. When taking enforcement action under the FCPA, the United States Department of Justice (DOJ) and the United States Securities and Exchange Commission (SEC) consider an organization’s corporate FCPA compliance program when deciding the course that the proceedings will take and the amount of sanctions to assess for violations.
Notes on specific requirements
Step 1 - General points to consider when creating an FCPA compliance program
Step 1 provides general guidance for creating an FCPA program. A valuable resource that can be used to assist in locating resources from many other jurisdictions is the list of Anti-Corruption Sites provided by the Criminal Division of the DOJ. Your program should generally include the following.
1.1 Clear statement of program
Your program must be clearly stated and concise, so that it leaves no room for confusion. Make it clear that there is a zero-tolerance policy for bribery and corruption with severe consequences for such behaviour, including termination of the business relationship.
1.2 Commitment from senior management
There must be a commitment from senior management as this promotes a culture of ethics and compliance. To demonstrate this commitment in your FCPA compliance program, provide a provision where senior executives issue occasional communications supporting the corporate policy statement and zero tolerance position toward bribery and corruption. Senior management can also demonstrate this commitment through stimulating department communications, consistently enforcing the program through disciplinary actions, and promoting a strong ethical culture and mentality to the middle and lower managers.
It is advisable for the corporate board of directors to create a committee tasked with demonstrating corporate commitment to the program. Typically, this committee consists of top staff members from the areas of compliance, audit, finance, human resources, and legal.
1.3 Align FCPA program to code of ethics
Your FCPA compliance program should work in conjunction with your organization’s code of business conduct or ethics policy, if any. Providing specific rules and guidelines for ethics and compliance will help mitigate the chances of violations of the FCPA occurring.
Questions to ask to ensure that your code of ethics policy correlates with your overall FCPA compliance program include:
- How has your organization informed employees and third parties about this ethics code of conduct?
- Are there any language barriers for third parties?
- Is the ethics code of conduct easily accessible?
- Who is responsible for implementing the ethics code of conduct and are they doing so effectively?
Step 2 - Employee dealings
Step 2 considers provisions on employee onboarding and discipline to ensure FCPA compliance. Your FCPA program should include:
2.1 Provisions for hiring and screening practices for employees
Your FCPA compliance program should include provisions on hiring and screening individuals before employment to mitigate risk and eliminate any red flags. Examples of risk from the outset of employment and what should be screened include the following:
- an individual’s relationship with foreign officials or other countries;
- past employment and involvement in international business transactions; and
- any prior FCPA violations from previous employment.
2.2 Individual conflict of interest prevention and check
Your FCPA compliance program should include a provision preventing conflicts of interest and implementing an individual conflicts of interest check. First, your program should have a provision addressing and stating that individuals shall not engage in business that will conflict with their ability to provide services, or conflict with the interest of your organization. Second, your program should provide for a conflict-of-interest check both prior to employment and periodically throughout (for example, annually, or bi-annually). These checks should also be conducted on third parties.
Examples of individual conflicts of interest to prevent and check include:
- an employee awarding a contract to a company where they have a connection to a family member or a financial interest;
- a senior manager who is on the board of directors of another organization;
- a part-time employee who works for another organization;
- an employee’s involvement in insider trading;
- an employee planning to switch employment to a separate organization who wants to show loyalty with that organization;
- accepting gifts or hospitality from vendors that could influence business decisions;
- using company resources or confidential information for personal gain;
- undertaking outside employment or activities that compete with the organization's business; and
- having a significant financial interest in a competitor or business partner.
2.3 Discipline for non-compliance
Your FCPA compliance program should set out the organization’s disciplinary procedure for violations of the program. The most effective way to prevent future violations is to discipline past violations or risky behaviour. Ramifications for not complying should be on a scale, including the option of termination.
Consider whether discipline is applied fairly and evenly across the organization, including for management, and identify who administers discipline and incentives in given situations. Publicizing anonymous examples of real-life violations internally has proven to help with compliance. To incentivize employees, consider tying compensation, such as promotions or bonuses, to compliance with company policies and procedures and using ongoing compensatory structures, rather than one-time or ‘upon final sale’ contingency payments.
Step 3 - Education, training, and resources
Step 3 considers education, training, and resources required within your FCPA compliance program. Your FCPA program should include:
3.1 Education and training program
When determining whether to apply sanctions and their level of severity, the DOJ and SEC will consider whether the organization has a comprehensive FCPA compliance training program that has been effectively rolled out to directors, employees, and third parties. Training should provide a basic understanding of the law, cover the key provisions of the FCPA program and be tailored to the director, employee, or third party’s area of work. Include a question and answer or conversational element in your training session to increase engagement through direct interaction.
Require participants to take a test at the end of the training and provide a certification showing that they have successfully completed the course. Track who has attended with a receipt or acknowledgement of attendance.
Questions to consider when designing a training program include:
- How do you determine who gets trained and on what subjects? For example, should supervisors get more, or different, training depending on their position and responsibilities? Should a supervisor of the compliance committee receive more in-depth training?
- Is the training in the appropriate language for the group?
- What is the appropriate response when an individual fails the test after the training? For example, retraining, retesting, or one-on-one discussions.
- How often should training be conducted to ensure information remains current and reinforced?
- Are real-world case studies and scenarios incorporated to make the training more relatable and impactful?
- What mechanisms are in place to gather feedback on the training program's effectiveness and make improvements?
3.2 Annual training requirement
Training and education on the organization’s FCPA program should occur at least annually to refresh employees’ knowledge and address changes in the law or compliance methods. Track and record who has completed training and set a deadline for training completion each year.
Beyond annual refreshers, organizations should consider implementing targeted micro-learnings or quick updates throughout the year as significant regulatory changes occur or new risks emerge. This ensures that employees are always equipped with the most current information relevant to their roles, rather than waiting for the next annual cycle. Leveraging technology for these smaller, more frequent updates can make them easily digestible and less disruptive to daily operations, reinforcing a culture of continuous learning and compliance vigilance.
3.3 Funding and resources for compliance
Ensure the organization provides adequate funding and resources to facilitate FCPA compliance. A wide variety of resources, including electronic and analytical tools, can be used to implement organizational FCPA compliance procedures. Large organizations may employ forensic accountants as part of their compliance program, while smaller operations may rely on third-party software or compliance vendors in order to implement a compliance program.
Critically, adequate funding is not just about purchasing tools; it also extends to staffing the compliance function with qualified personnel. This includes hiring experienced compliance officers, providing ongoing professional development, and ensuring the team has the necessary authority and independence within the organization. A well-resourced compliance department, whether internal or augmented by external experts, is better positioned to conduct thorough due diligence, investigate potential violations, and continuously adapt the program to evolving risks, ultimately safeguarding the organization from significant legal and reputational harm.
Step 4 - Risk assessment and due diligence
Step 4 sets out provisions for risk assessment and due diligence. Your FCPA program should include:
4.1 Assessment of risk procedures
Assessment of the organization's corruption risk is vital. Knowing what kind of risks are present in any transaction or third-party interaction is crucial to helping mitigate and eliminate those risks. To the extent an organization has a legal or compliance department, it should spearhead internal efforts and take overall responsibility to ensure that the organization has made a full, well documented assessment of the risks associated with its business endeavour. Because active involvement and assessment across all divisions of an organization will play a vital role in preventing violations, it is important that the legal or compliance department consider the role of all departments and employees in assessing risk procedures and ensuring compliance.
As part of this evaluation, also review your organization’s existing risk assessment program to determine if time and resources are appropriately allocated between high and low risk mitigation.
See Checklist: Anti-bribery risk assessment for more information.
4.2 Periodic review of risks
Ensure your FCPA program contains provision for an annual or bi-annual review of risk, as well as risk assessments on an ‘as-needed’ basis. These reviews should consist of analysing all risk areas including country, business, transactions, employees, customers, and third parties. Risk ratings can change over time and depend on organization activity. Providing ongoing and periodic review of risk helps reduce the chance of an FCPA violation.
4.3 Due diligence of third parties
Conduct due diligence on all third parties. The process may be intensified based upon the level of risk associated with doing business with a given third party. Due diligence should occur at both the engagement level and any re-engagement thereafter. It is best practice to continuously monitor third parties and look out for negative news reports about them domestically and globally.
Other considerations for third parties include:
- How do you monitor third parties?
- Are audit rights contained in your contracts with third parties?
- Have you considered third party risk management?
- What measures are in place for third parties that fail due diligence to ensure you do not do business with them again?
See How-to guide: How to protect your company from violations of the United States Foreign Corrupt Practices Act for red flags and discussion of due diligence, and How-to guide: How to protect your organization from third party liability under the FCPA.
4.4 Due diligence before mergers and acquisitions
Organizations should conduct extensive due diligence prior to mergers and acquisitions to allow for proper negotiation between parties, and to establish future remediation measures based on the discovery of risk or red flags. During post-acquisition integration, organizations should conduct additional due diligence to ensure that the acquired entity has not violated any laws.
In conducting due diligence related to mergers and acquisitions, the organization should be aware of and consider the New Safe Harbor Policy for Voluntary Self-Disclosures Made in Connection with Mergers and Acquisitions announced by the Deputy Attorney General. That Policy states that when companies promptly and voluntarily make a full and timely disclosure of misconduct, they may avoid being sanctioned for that particular misconduct.
Other considerations for merger and acquisition due diligence include:
- What is the process for educating newly hired or acquired employees on the organization’s compliance program?
- What anti-corruption policies does the target have in place?
- Has the target been cited for anti-corruption violations?
- What risks can you identify from the outset?
- Are there any ongoing investigations or legal proceedings against the target related to corruption or bribery?
- What is the target's culture regarding compliance, and how will it align with the acquiring organization's culture?
- What are the financial implications of any identified compliance risks, including potential fines, penalties, or remediation costs?
Checklist: What to include in a FCPA compliance program.
Step 5 - Implementation and monitoring
Step 5 sets out provisions for the implementation and monitoring of the FCPA program. Your FCPA program should include:
5.1 Oversight by responsible personnel
For any FCPA program to be successful, the proper personnel must oversee the education, implementation and function of the program and procedures. It is their role to assure that all individuals related to the organization in any capacity have proper training and education on this program. Therefore, your program must provide for specific oversight by responsible personnel. Assign someone in management or the compliance department the responsibility of reporting quarterly (or otherwise) the metrics of compliance, including associated risks, root causes, and controls.
Other compliance metrics include:
- How many violations of applicable laws and regulations have occurred?
- How many customer or employee complaints have been made?
- How many compliance investigations and audits have been initiated?
5.2 Monitoring the program’s efficiency
The program must outline how the anticorruption program is monitored. Continuous monitoring of the program’s efficiency will provide insight into areas needing improvement, greater internal controls, or more guidance. Consider how often the program should be monitored, when it should be monitored, who conducts the monitoring process, and what groups are monitored. Be sure to document your policies and procedures. It is not sufficient to say, for example, ‘Efficacy of the compliance shall be monitored on an ongoing basis.’
Consider, instead, ‘The compliance program shall be monitored on an annual basis by the Director of Compliance in conjunction with review of the Chief Executive Officer. Monitoring shall include randomized audits of at least three completed compliance investigations per business quarter and shall consider the following:
- the time between the suspected FCPA violation and the departmental red flag of the event;
- whether appropriate action was taken in a timely manner and in accordance with the policies and procedures in place at the time of the investigation;
- whether the department’s findings were consistent with the facts of the event; and
- whether existing procedures or required trainings should either be amended or created to prevent a reoccurrence of the red flag event, or to effect the proper handling of such an event should it reoccur.’
5.3 Red flag monitoring
Be aware of red flags, especially when dealing with third parties. Red flags are important indicators of potential issues and risks with regards to a certain party or activity.
The DOJ has issued compliance program guidance for organizations to follow in order to prevent and detect possible violations. See Additional resources below, and How-to guide: How to protect your company from violations of the United States Foreign Corrupt Practices Act for guidance on evaluating red flags.
Step 6 - Findings, investigations, and remediation
Step 6 considers provisions for findings, investigations, and remediation. Your FCPA program should include:
6.1 Internal channel for confidential reporting
Organizations should have a mechanism for confidential reporting and internal investigations. Provide a hotline and/or email address for employees and third parties to submit reports of FCPA violations. Always keep the complainant anonymous to promote future reporting. Additionally, add a provision to protect potential whistleblowers so the complainants do not fear retaliation.
Other questions to contemplate regarding confidential reporting include:
- Is the proper channel to report potential violations clearly accessible for employees?
- How do you evaluate the allegation?
- Do you have someone responsible for conducting investigations of the reports?
- Do you have an appropriate time limit to report findings and respond to a complaint?
- Do you have measures for periodic review of reports to identify trends?
6.2 Annual audits of policies within FCPA program
Audits are crucial to ensuring FCPA compliance improvement through periodic testing and review of the policies. Audits should be conducted both internally and with respect to third parties. See How-to guide: How to protect your company from violations of the United States Foreign Corrupt Practices Act for more information. Gather the results of the audit and address issues that can be fixed. Provide reports of the audits to senior management and any board of directors committee responsible for oversight of the organization’s compliance with laws.
6.3 Process to investigate, analyse, and remediate sources of misconduct
Include in your program procedures to investigate, analyse and remediate complaints, tips, and other sources of information when you learn of potential misconduct. Evaluate the steps taken to review the seriousness of the misconduct and to remediate the problems identified to prevent future risk. Ensure there are procedures to track and analyse responses, including discipline or remediation. Keep a record of these responses in case a question is ever raised as to whether the program was applied fairly and according to its terms in all situations involving bribery concerns.
Other considerations for investigation and remediation include:
- Have you identified the issues within the investigation?
- Have you evaluated the process for responding?
- How far up the chain of the company does the investigation go and when?
- In the event of a failure, which controls failed and what needs to be changed to prevent it from happening again?
Step 7 - Overall continuing good practice
Step 7 consists of overall areas of continuing good practice. Your FCPA program should include:
7.1 Recordkeeping
Having a recordkeeping policy in place is important. At each stage of relationships, policy implementation, action, transactions, and process within your company, everything should be recorded and retained according to a records management schedule. Recordkeeping also includes keeping track of actions taken when misconduct is identified and to serve as an educational tool to understand how and why misconduct occurred. Having a proper recordkeeping policy within your FCPA compliance program provides a ‘paper trail’ of actions and responsibility for those actions and may lessen penalties or sanctions for violations.
7.2 Periodic review and assessment
Add a provision that provides for periodic review and assessment of the entire program itself. Circumstances and parties change, and adapting in a swift and effective manner is crucial to maintaining compliance within your company. The DOJ and SEC see this sort of provision as being proactive. These reviews should occur annually or bi-annually and, at a minimum, the program should be updated when a violation occurs or a law changes.
7.3 Accessibility to content of internal FCPA compliance program
To ensure greater compliance to the FCPA, ensure easy access to the contents of the FCPA Compliance program. Place the program components on your company website and ensure that new employees receive a copy. Ease of access will encourage use of this resource when guidance is needed.
Step 8 - Additional provisions
Step 8 sets out additional provisions that your program should include. These additional provisions are discussed in more detail in other checklists. Your FCPA program should address:
8.1 Gifts, travel, hospitality, and entertainment expenses
See Checklist: Charitable and political donations and gifts, travel, entertainment compliance.
8.2 Charitable and political donations
See Checklist: Charitable and political donations and gifts, travel, entertainment compliance.
Additional resources
A Resource Guide to the US Foreign Corrupt Practices Act – a DOJ and SEC guide that sets out Hallmarks of Effective Compliance Programs
Evaluation of Corporate Compliance Programs (Updated September 2024) – published by the DOJ
Business Ethics: A Manual for Managing a Responsible Business Enterprise in Emerging Market Economies – published by the Department of Commerce
Fighting Global Corruption: Business Risk Management – published by the Department of State
Related Lexology Pro content
How-to guides:
How to protect your company from violations of the United States Foreign Corrupt Practices Act
How to protect your organization from third party liability under the FCPA
Checklists:
Anti-bribery risk assessment
FCPA due diligence of third-party intermediaries
Charitable and political donations and gifts, travel, entertainment compliance