Introduction
This guide will assist in-house counsel, private practice lawyers, and compliance personnel in reporting a suspected violation within an organization under the Foreign Corrupt Practices Act (FCPA). While self-reporting may be uncomfortable for an organization and for the personnel involved, admitting wrongdoing and cooperating with any further investigation will help mitigate, if not eliminate, any penalties or sanctions imposed because of the violation.
This guide covers:
- Overview of the FCPA anti-bribery provisions
- Self-reporting a suspected breach
This guide can be used in conjunction with the following How-to guides: Protect your company from violations of the United States Foreign Corrupt Practices Act, Understanding white collar crime, and Understanding corporate criminal liability, and Checklists: What to include in an FCPA compliance program, FCPA due diligence of third-party intermediaries, and Conducting an internal investigation into suspected criminal activity.
Section 1 – Overview of the FCPA anti-bribery provisions
The Foreign Corrupt Practices Act of 1977 (FCPA), 15 USC section 78dd-1, et seq, makes it unlawful for certain classes of persons and entities to make payments to foreign government officials to assist in obtaining or retaining business.
Each FCPA violation comprises four elements: (1) use of a means of interstate commerce to (2) pay or offer something of value to a (3) foreign government official for a (4) corrupt purpose, such as in the furtherance of obtaining business or otherwise advancing business purposes.
Breach of the anti-bribery provisions of the FCPA could lead to criminal penalties including fines of up to $2 million for businesses as well as hefty fines of up to $250,000 and possible imprisonment of up to five years for individuals.
For more information on the scope of the FCPA anti-bribery provisions and the possible consequences of breach, see How-to guide: How to protect your company from violations of the United States Foreign Corrupt Practices Act.
Ensuring compliance with the FCPA can seem daunting, especially to small corporations, but even in cases where there has been a breach or a suspected breach, businesses can mitigate potential criminal and civil liability through self-reporting.
Section 2 – Self-reporting a suspected breach
Suspected breaches of the FCPA may be reported either through voluntary or involuntary self-reporting. While voluntary self-reporting involves pre-emptively self-reporting without an ongoing or threatened governmental investigation, involuntary self-reporting occurs when an organization is forced to self-report because of an external force such as a whistleblower or a competitor threatening to report the organization.
2.1 Voluntary self-reporting
2.1.1 What is voluntary self-reporting?
Voluntary self-reporting is the pre-emptive reporting of violations of, or suspected violations of, the FCPA to the Department of Justice (DOJ). The DOJ encourages organizations and individuals to report their own violations of the FCPA and has issued a policy, the Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy (the Policy), regarding the benefits that a company may obtain for self-reporting misconduct. The DOJ observed that ‘transparency concerning benefits that a company may obtain as a result of voluntary self-disclosure of misconduct can create important incentives for corporate behavior.’
The Policy provides, inter alia, that when a company has voluntarily self-disclosed misconduct to the Criminal Division of the DOJ, fully cooperated, and timely and appropriately remediated, all in accordance with the standards set forth in the Policy, there will be a presumption that the company will receive a declination to prosecute (absent aggravating circumstances involving the seriousness of the offense or the nature of the offender). Therefore, voluntary self-reporting may mitigate the penalties imposed for FCPA violations.
The effectiveness and practical application of the DOJ's voluntary self-disclosure policy have, however, been the subject of ongoing discussion and evolving guidance. While the Policy aims to provide clarity and incentives, organizations considering self-reporting must carefully assess the specifics of their situation, including the nature and extent of the potential violation, the strength of their compliance programs, and their ability to fully cooperate and remediate. The ultimate outcome of a voluntary self-disclosure, even with the presumption of a declination, is still subject to the DOJ's discretion, particularly in cases involving egregious conduct or repeat offenders.
2.1.2 What are the requirements for voluntary self-reporting?
In order for there to be a presumption of receipt of a declination, an organization must have voluntarily self-disclosed misconduct to the Criminal Division of the DOJ, fully cooperated, and timely and appropriately remediated. Each of these elements is explored in more detail below.
Note, however, that in order to qualify for mitigation of imposed penalties and a declination to prosecute, all criteria for voluntary reporting must be met. If voluntary self-reporting does not occur, the DOJ may choose to prosecute, though mitigation of fines may be recommended by the DOJ to the sentencing justice if the organization fully cooperates during the course of the investigation and appropriately remediates.
Voluntary disclosure
There is no middle ground in choosing to disclose. For the US government, voluntary disclosure must be complete and reasonably prompt. The determination of what is reasonably prompt is case-specific. For example, in one instance Albemarle Corporation waited 16 months between discovery of the conduct and reporting it. This was not considered timely, and a $218.4 million penalty was levied against the company.
The examples in A Resource Guide to the US Foreign Corrupt Practices Act illustrate the importance of voluntary self-reporting. In 2018, the DOJ declined prosecution of a Barbados insurance company, even though it had paid nearly $36,000 in bribes to a Barbadian government official and involved high-level employees within the organization. In that case, the DOJ declined prosecution, in part, because of the corporation’s timely cooperation, disgorgement of ill-earned proceeds, and because the DOJ was able to identify and charge the individuals involved. Furthermore, that same year, the DOJ declined prosecution of a UK company because it also voluntarily self-disclosed, fully cooperated, disgorged funds, and timely and appropriately remediated.
Full cooperation
To take advantage of the mitigation benefits of voluntarily self-reporting, the individual or business involved must fully cooperate with the DOJ. Cooperation includes proactively and timely collecting, preserving, and disclosing relevant documents and information to the DOJ. The DOJ will also look at de-confliction in determining how cooperative a business has been. De-confliction is the process of delaying corporate investigative steps, such as the organization interviewing employees, until after the DOJ has interviewed the involved employees.
Examples
On November 16, 2023, the DOJ announced that it would not prosecute Lifecore Biomedical, Inc for violations of the FCPA. The DOJ found that employees and agents of Lifecore and its former US subsidiary, Yucatan Foods LP, bribed Mexican government officials. After discovering the wrongdoing, Lifecore conducted an internal investigation and voluntarily disclosed the findings to the DOJ within hours after the internal investigation confirmed that misconduct had occurred. The DOJ stated that its decision to decline prosecution was influenced by a number of factors, including Lifecore’s prompt self-disclosure and full cooperation with the DOJ. Lifecore agreed to continue cooperating, and this cooperation includes providing information and making relevant individuals available for interviews or testimony. Lifecore also acknowledged the benefits gained from the misconduct and agreed to disgorge $406,505 for net costs it avoided as a result of the bribery.
SAP SE (SAP), a German software company, agreed to pay over $220 million to resolve investigations by the DOJ and the Securities and Exchange Commission involving bribes of South African and Indonesian government officials. The DOJ coordinated with prosecutorial authorities in South Africa and declined to prosecute the organization, in part, because of the organization’s timely cooperation and quick turnover of all relevant documents related to the bribery.
In 2019, Telefonaktiebolaget LM Ericsson entered into a deferred prosecution agreement for bribing overseas government officials in Djibouti, Kuwait, China, Indonesia, and Vietnam. Following the 2019 agreement, Ericsson failed to report and disclose evidence related to FCPA violations, and the government decided to prosecute.
Timely and appropriate remediation
In considering whether to give credit for voluntarily self-reporting an FCPA violation, the DOJ will look at whether the company timely and appropriately remediated the situation. In doing so, the DOJ will look for a demonstration of a thorough analysis of the causes of improper conduct; implementation of an effective compliance program; discipline of involved employees; record retention, prohibition of the destruction or deletion of business records; and other steps that demonstrate measures to prevent further violations. For more information on the items required for full credit for timely and appropriate remediation, see the DOJ’s Justice Manual. Remediation should not wait until governmental involvement. For example, if the organization is aware that the head of their North American division actively participated in the wrongdoing, the organization should remove that individual from the division and not allow them to stay in a position of power that could contribute to additional FCPA violations. All remedial actions should be extensively noted and produced to the DOJ proactively at the time of self-reporting.
2.1.3 How is a self-report made?
A self-report is made through either the DOJ or the Securities and Exchange Commission (SEC) or both. The DOJ has criminal FCPA enforcement authority over issuers – meaning public companies – as well as their officers, directors, employees, agents, and stockholders. In addition, the DOJ has both civil and criminal enforcement responsibility over domestic concerns, meaning US citizens and businesses. In contrast, the SEC investigates and prosecutes FCPA civil violations. The jurisdiction of the SEC is limited to activities relating to securities or investments. For example, a company that learns of an FCPA violation that involves providing inside information unlawfully would report to the SEC and may also report to the DOJ.
Although the DOJ does not currently have a standard form to self-report violations of the FCPA, the DOJ encourages those who wish to self-report to call the Fraud Unit of the DOJ on (202) 514-2000 or contact them via email at [email protected]. The DOJ encourages early reporting of FCPA violations. The self-reporting must include facts about ‘individuals substantially involved in or responsible for the ‘misconduct’.’ An organization is not expected to delay self-disclosure until it has conducted a complete investigation, or even until it determines that a violation of the FCPA occurred. Organizations that self-disclose are reporting on the relevant facts known to the organization when the disclosure is made. A disclosure may be based on a preliminary investigation if the organization discloses that the report is made on this basis. Disclosure is also required only of facts actually known to the organization. The former policy that required disclosure of evidence of which the organization ‘should be’ aware has been replaced with an expectation that an organization will report (and be able to report) only those facts of which it is aware.
For corporations that wish to self-report, the SEC uses an online portal found here.
2.1.4 What happens once a self-report is made?
Once a self-report is made, the government will reach out to the organization with further steps. Normally, this involves a request for information and documentation. However, there is no concrete timeline for either the DOJ or the SEC to investigate FCPA violations. The investigatory process is only limited by the five-year statute of limitations for FCPA violations.
It is crucial for organizations to be prepared for an intensive and potentially lengthy investigation after self-reporting. This readiness includes having internal investigations completed, relevant documents organized, and a dedicated team to respond to government inquiries, as the level of cooperation and the thoroughness of the internal review can significantly impact the final outcome.
2.1.5 Sentencing
There is a presumption with voluntary self-reporting that the DOJ will decline to criminally prosecute, absent aggravating circumstances. Aggravating circumstances may include executive management involvement, significant profit due to the conduct, recidivism, or the pervasiveness or egregiousness of the conduct.
If aggravating circumstances do exist and criminal prosecution is warranted, voluntary self-disclosure, full cooperation, and appropriate remediation may mitigate the sanctions imposed. It is the DOJ’s position in such a case to recommend to the sentencing court at least a 50% reduction off the low end of the US Sentencing Guidelines fine range and not require the appointment of a business monitor.
2.2 Involuntary self-reporting
The Policy favors voluntary self-disclosure, but what if you are put in the position of involuntarily self-reporting?
2.2.1 Voluntary self-disclosure not made
Involuntary self-disclosure may occur when, prior to reporting the conduct, the DOJ opens an investigation of its own accord or the threat of such an investigation is imminent, meaning that the organization is forced to self-report or have another entity report the conduct for them. Involuntary self-disclosure may be the result of the misconduct being first reported in a required securities filing or by a disgruntled employee, a whistleblower, or a competitor.
Even if your company did not voluntarily disclose its misconduct to the DOJ, but later fully cooperated and timely and appropriately remediated, it is the DOJ’s position that the company will receive – or the DOJ will recommend to a sentencing court – up to a 50% reduction off the low end of the US Sentencing Guidelines fine range. Each of these elements is briefly dealt with below.
2.2.2 Full cooperation
Upon involuntary reporting of an FCPA violation, proactive cooperation, rather than reactive, should be of utmost concern. This means that the individual or organization involved in the investigation should timely disclose to the government all facts that are relevant to the investigation, even when not specifically asked to do so and should take steps to remediate the violations, rather than allowing such conduct to continue. This provides the individual or organization involved in the involuntary self-reporting an opportunity to help frame the issue, rather than having a whistleblower or a competitor do it for them.
2.2.3 Timely and appropriate remediation
Amid an investigation, seek to timely preserve, collect, and disclose relevant documents and information. Remediate to the extent possible. If it is one employee whose conduct is the subject of the investigation, pull the employee from the affected area immediately, implement an oversight program as soon as possible, and limit any continued actions that may result in an FCPA finding. Proactive remediation and disgorgement of ill-earned funds have persuaded the DOJ to not prosecute otherwise actionable FCPA actions.
Example
In December 2024, McKinsey and Company Africa (Pty) Ltd (McKinsey Africa), a wholly owned and controlled subsidiary of international consulting firm McKinsey & Company Inc, agreed to pay over $122 million to resolve an investigation by the DOJ into a scheme to pay bribes to South African government officials between 2012 and 2016. The company received a 35% reduction off the fifth percentile of the otherwise applicable guidelines fine range for its cooperation with the DOJ’s investigation, and McKinsey and McKinsey Africa also received credit for engaging in timely remedial measures. United States of America v McKinsey and Company Africa (Pty) Ltd, No. 24Crim-669 (SDNY Dec 5, 2024)
Additional resources
Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy, DOJ policy regarding the benefits for self-reporting misconduct
A Resource Guide to the US Foreign Corrupt Practices Act, DOJ guide to the FCPA
Related Lexology Pro content
How-to guides:
Understanding white collar crime
Understanding corporate criminal liability
Mitigating the risk of criminal activity
How to protect your company from violations of the United States Foreign Corrupt Practices Act
How to protect your organization from third party liability under the FCPA
Checklists:
Anti-bribery risk assessment
What to include in a FCPA compliance program
FCPA due diligence of third-party intermediaries
Charitable and political donations and gifts, travel, entertainment compliance
Conducting an internal investigation into suspected criminal activity
Completing criminal background investigations
Reliance on information posted:
While we use reasonable endeavours to provide up to date and relevant materials, the materials posted on our site are not intended to amount to advice on which reliance should be placed. They may not reflect recent changes in the law and are not intended to constitute a definitive or complete statement of the law. You may use them to stay up to date with legal developments but you should not use them for transactions or legal advice and you should carry out your own research. We therefore disclaim all liability and responsibility arising from any reliance placed on such materials by any visitor to our site, or by anyone who may be informed of any of its contents.