The Department of Justice and Securities and Exchange Commission have stressed the need for companies to conduct FCPA due diligence before entering into transactions with third parties or buying another company. The DOJ and SEC have levied stiff fines on companies that have not heeded their advice once violations of the FCPA have been discovered. So how should a company go about conducting FCPA due diligence? In an article written at the end of 2011 and published in the State Bar of California’s Business Law News, in issue 1 of 2012, Rebekah Poston and David Saltzman provide practical guidance on how to conduct FCPA due diligence. The article is reprinted in full below.
Practical Guidance on How to Conduct FCPA Due Diligence
Rebekah J. Poston and David A. Saltzman
Numerous articles have addressed the importance of Foreign Corrupt Practices Act (“FCPA”) due diligence, but what we all want to read are constructive suggestions on how to actually conduct it. This article provides practical guidance and insights for performing your company’s FCPA due diligence, whether it be on a target in a merger and acquisition setting or verifying the background of a third party contractor.
We all know too well the sound of the Department of Justice’s (“DOJ”) and Securities and Exchange Commission’s (“SEC”) announcements that another company has fallen prey to their vigorous FCPA prosecutions. Since 2004, the number of enforcement actions brought by the DOJ and SEC has increased virtually every year, from only five in 2004 to 74 in 2010. The DOJ and SEC extracted a whopping $1.8 billion in monetary settlements in 2010 and another $490 million in the first half of 2011. The top 10 monetary settlement amounts extracted by these two agencies were obtained in the last three years, with eight of them occurring in 2010 and 2011. This increase in prosecutions and size of settlement amounts is clearly a harbinger of things to come. As Assistant Attorney General Lanny Breuer said, “I continue to believe that prosecuting individuals—and levying substantial criminal fines against corporations—are the best ways to capture the attention of the business community.”
As a quick refresher, the FCPA has two primary components: a) the anti-bribery provisions, which prohibit the offering, promising, and giving of bribes or things of value to foreign officials, and b) the accounting provisions, which require publicly traded companies to make and keep accurate books and records and to maintain a system of internal accounting controls. Companies that violate any of these provisions risk becoming targets of enforcement actions, only too often to have these actions followed by cascading stock prices and shareholders’ civil suits against the directors.
Just ask General Electric and eLandia, Inc. how important FCPA due diligence is. In 2010, GE agreed to pay $23.4 million to the SEC to settle charges that four of its subsidiaries had violated the FCPA, two of which were alleged to have committed the violations prior to their acquisition by GE. “[C]orporate acquisitions do not provide GE immunity from FCPA enforcement of the other two subsidiaries involved,” said Cheryl J. Scarboro, then Chief of the SEC’s FCPA Unit. eLandia acquired Latin Node Inc. in 2007. Soon after, eLandia discovered potential FCPA violations which eLandia self-disclosed to the DOJ. eLandia was fortunate and obtained an installment payment plan from the DOJ for the $2 million fine the DOJ imposed for violations Latin Node had committed prior to its acquisition by eLandia. But the $2 million fine was not the worst of it. Within one year of eLandia paying $20 million for Latin Node, Latin Node, as a result of its problems, entered into an assignment for the benefit of its creditors in June 2008, effectively wiping out eLandia’s investment.
We do not know if more rigorous FCPA due diligence checks would have avoided these problems for these two companies. What we do know, however, is that by performing thorough FCPA due diligence up front, a company can at least reduce its FCPA risks in these types of situations and, hopefully, provide a degree of protection for itself should the DOJ or SEC ever come calling.
How does a company go about performing due diligence? What records should be reviewed? Which personnel should be interviewed? Who should conduct the due diligence? These are good questions. Although it is impossible to set forth in just a few pages all the practical guidance available, this article will hopefully guide you down the right path.
Methods of Conducting FCPA Due Diligence
The methodology you employ will often be driven by your company’s budget and timing. In the M&A world, time is short. You want your legal staff, or outside counsel, to evaluate your FCPA risk in acquiring the target, not go searching for violations. All that your business people want to know is whether the risk is so great that you need to walk away or that it can be managed post-closing such that the deal is a go. If time is an issue, then questionnaires submitted to key personnel of the target may be your best method for gaining an understanding of the target’s FCPA exposure. Interviews of select persons knowledgeable about the target’s overall operations, sales and marketing activities, as well as its accounting procedures and financials, may be all there is time for. Interviews can be combined with the questionnaire, and in tandem they prove quite effective. These steps may be the shortest pathway to assessing the FCPA risks with limited time. You should have already done your homework on the target’s home country’s Corruption Perception Index (“CPI”) score and the corruption level of the target’s industry you are buying. Your forensic team should already be inspecting the target’s financial data.
Keep in mind that the DOJ and SEC may eventually perform Monday morning quarterbacking on the scope of your diligence. So even though the budget may be small and your time limited, your diligence must still be thorough and at least touch upon the following risk areas:
- Countries of operation of the target and any subsidiaries.
- Industry corruption level.
- Relations and contacts with foreign officials and state-owned entities.
- Third party agents, and their contracts.
- Existence of an anticorruption compliance code, training, enforcement, and auditing of the same.
- Accuracy of books and records.
- Existence of internal controls.
- Charitable contribution policies.
- Gifts, travel, and entertainment budgets.
- Marketing and sales operations and related expense reimbursements.
If you have the luxury, the budget, and the time to assemble a multidisciplinary team to conduct the FCPA due diligence, the composition of the team is critical. The team should consist of outside lawyers familiar with the FCPA (preferably white collar, criminal defense counsel), HR and compliance personnel, finance and audit persons, and an outside forensic firm.
Due diligence specialists may be in order, particularly if they have offices overseas where the target company does business. These specialists must speak the native language and understand the local customs and business practices. If you are planning to retain such a specialist firm, be sure to interview several candidates beforehand to ascertain, among other things, how they conduct their investigations, whether they have the staff to perform the tasks assigned to them within the allotted time frame, and whether they will agree to work under the direction of your outside law firm, protected under the attorney-client and work product doctrine privileges.
Similarly, outside counsel can be indispensable and economically prudent if the firm is a global law firm with offices where the target company or third parties do business. In addition to understanding the local language and customs, they will be knowledgeable in the anticorruption laws of the foreign jurisdiction and be able to more economically perform the due diligence by utilizing their in-country resources. Forensic firms should be retained by outside counsel as well, under a written retainer agreement. The forensic firm should be working for the outside law firm to assist the latter in rendering legal advice to your company. Even though your company will be ultimately responsible for paying the forensic firm’s fees and costs, this type of written agreement protects the forensic firm’s findings and conversations under your company’s attorney-client and work product doctrine privileges. Lastly, if translation and interpretation services may be required, be sure to line up a reliable vendor. Linguistic services should utilize persons located in the target region as dialects and languages vary from region to region, even in the same country. Further, terminology may be complicated and unique to the target’s industry (e.g., environmental, chemical, aerospace). Linguists with experience in particular industries are preferable.
Formal due diligence typically begins with a request list for information and documents from the target. As noted above, there is no one-size-fits-all form of request list, but the list should include, among other things, a) the target’s code of conduct and anticorruption policies and procedures; b) the names and positions of all personnel responsible for anticorruption compliance; c) identification of the target’s past experiences with anticorruption (including previous investigations, violations, penalties and the like); d) a sampling of the target’s contracts with third parties, particularly those with agents and distributors providing, and selling the target’s products and services; and e) profit and loss statements, financials, general ledgers, expense reimbursement data, etc. A review of select financial transactions should be made by the FCPA forensic team, with a focus on travel and entertainment expense reimbursements for marketing and sales personnel, bonuses and commission payments made to third parties, and charitable and political contributions.
You should have already performed an Internet search on the target and gathered any information you can from Google, a Dun & Bradstreet Report (if one exists), a Hoovers Report, and any reports available from the U.S. Department of Commerce and local U.S. Embassies.
Interviews are often the most critical part of the due diligence. You do not want to wait for an exhaustive document collection to be completed before traveling to the target to interview key personnel at the target’s facility. Preliminary interviews will provide you with a sense of the culture of the target company, how its business works, and the personalities of the key figures within the target. As you collect documents and information, the ability to confront the target’s personnel with important evidence presents opportunities to evaluate and assess their body language and other indicators for potential dishonesty. Key interviews should include the target’s personnel who interact with foreign officials, and state-owned entities.
If interviews can be conducted in person, that is preferable for the reason just stated. The interviewer’s body language and facial expressions can be observed when probing questions are asked which may evidence deception. Personal interviews allow for follow-up questions on answers that may allow the interviewer to probe more deeply into certain risk areas. However, when the target is on another continent and the diligence budget does not allow for extensive travel, interviews via video conferencing often can be arranged. Frequently, however, you are left with simply a telephone interview. In such cases, if the interviewee has already been given the questionnaire, it can be used as the starting point to follow up on their answers. It is recommended that a member of the FCPA forensic team participate in the interviews with counsel as their questions will address matters of fiscal importance. The combined interview will be more efficient for the team and the target’s personnel. If you are fortunate enough to have reviewed documents by then, they should be used in the interviews where appropriate.
Local counsel must be consulted in advance of any interviews to be certain the scope of your interview does not exceed the legal boundaries of that country’s personal data privacy laws. The data privacy laws of the foreign jurisdiction where the target’s personnel are located must be examined in advance of conducting any due diligence. Questions about an employee’s salary, bonus package, or commission structure may constitute personal data under that country’s data privacy laws. Extracting personal e-mails without legal consent may be a crime in the country. Written consent from a lower level employee may be required before you can ask questions that elicit personal information. In countries such as France, you may have to secure permission from the employee’s union representative to interview the employee and even allow the union representative to be present. Mirroring the accounting department’s computer hard drives to bring back for examination in the U.S. may be prohibited.
You must document your diligence. First, you will want to utilize the information when you prepare your report to your company’s board of directors. Second, if your procedures are ever questioned by the DOJ or SEC, you will need proof of what you did. Even documenting your diligence presents data privacy issues. In some countries, when investigations are conducted and no cause is found to support a reason to believe any illegal activity (e.g., bribery) has occurred, the documents gathered during the investigative process must be destroyed. If that is the local law, how do you go about documenting you actually performed the diligence? Due diligence steps can be documented through memoranda and diligence outlines, even though the underlying data may be required to be destroyed.
Areas of FCPA Due Diligence Inquiry in Acquisitions
In the context of an acquisition or an investment (henceforth referred to in this article as an “acquisition”), an acquirer should conduct due diligence on all aspects of the target’s anticorruption efforts, be it a U.S. company with a global presence or a non-U.S. target. This entails examining the target’s policies and procedures, personnel responsible for anticorruption compliance, past experiences with anticorruption, third party contracts, accounts payable procedures, and the target’s own anticorruption due diligence efforts with respect to its acquisitions and third-party contractors.
Ask for a list of the countries in which the target does business. The lower the CPI score for those countries, the more extensive your due diligence requirements will be. Ask for a list of the government agencies and foreign officials with which the target regularly does business and a list of the governmental permits and approvals that allow the target to do business overseas. Did the target enlist the help of a third party agent to obtain such permits and approvals? Too often third party agents obtain permits and approvals through bribery, so this will require particular diligence.
Find out if the target has a business code of conduct and a clear and visible policy prohibiting violations of anticorruption laws, and obtain copies. Does the policy address hospitality, travel and entertainment expenses, gifts, charitable donations and sponsorships, political contributions, facilitation payments, and solicitation and extortion? Is the policy based on an appropriate risk assessment of the target’s operations and customized for each region where the target does business? How often does the target review and update the policy?
Determine the extent to which the target provides anticorruption training. Does the target provide regular anticorruption training to its employees? Is training provided to the target’s business partners? How is the training conducted (e.g., in person, online, or other), and how often is it conducted? Are the target’s employees and/or business partners required to provide certifications to the target of FCPA compliance at least once a year? The more training that is provided, the lower the risk FCPA violations will occur.
Due diligence with respect to the target’s employees does not end with training, however. Does the target conduct background checks on its employees, and particularly its salespeople? How often—only upon hiring, or periodically thereafter, too? Does the target make any other efforts to ensure that it does not employ any individuals who have engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program?
Does the target have a system in place for employees and others to report suspected violations of law or the target’s policies and procedures, such as a whistleblower hotline? Is the system anonymous and confidential? What procedures are followed when a report is lodged? Does the target take steps to remediate harm from the misconduct, including updating its policies and procedures to prevent the same or similar misconduct in the future? Can the target give any examples of having done this? One factor in evaluating FCPA risk is how serious the target enforces compliance. Having written policies in place and training personnel is great, but what the DOJ and SEC want to see, and what your company wants to know as part of its risk assessment, is whether this FCPA (or anticorruption if in a foreign jurisdiction) policy is merely a paper policy or does it really have teeth.
The DOJ has stated countless times that U.S. companies must demonstrate a clear “tone at the top” in support of a company’s anticorruption efforts. The U.S. Federal Sentencing Guidelines, the Organisation for Economic Co-operation and Development, and the U.K. Ministry of Justice similarly call for a strong commitment by top-level personnel. Without evidence of such support from senior personnel, a company will have an uphill battle trying to persuade the government that the company actively enforces its anticorruption policies and procedures. Has the target’s senior management communicated to the target’s employees a clear and unequivocal support for the target’s anticorruption policies and procedures? How?
Does the target have a specific individual (e.g., a Chief Compliance Officer) and/or a committee responsible for overall implementation and oversight of anticorruption policies and procedures? If a specific individual, what is the job description for the individual’s position, and what is the background of such individual? Make sure he/she is qualified for the position and has never engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program. If the target has a committee, obtain a copy of the committee’s charter. What is the background of each member of the committee, and how often does the committee meet? Whether the target’s anticorruption efforts are managed by an individual or a committee, interview the individual or some of the committee members to ask about what they do, the challenges they currently face and expect to face in the future, and the amount of autonomy and resources they have to carry out their responsibilities. Find out whether the individual or committee has direct reporting obligations to the target’s governing authority or an appropriate subgroup thereof (e.g., the board of directors or an audit committee thereof). Under the U.S. Federal Sentencing Guidelines, if the individual or individuals having operational responsibility for an entity’s compliance and ethics plan were involved in a wrongdoing, the entity might still be considered to have an effective plan and be eligible for a lesser penalty if such individual(s) had a direct reporting obligation to the entity’s governing authority.
Find out whether the target’s anticorruption compliance efforts have been assessed in the past—internal assessments can be a good indicator of the target’s seriousness about anticorruption compliance—and try to leverage that for your own due diligence. Has the target ever performed an internal audit or review, or received an audit or review from a third party, of its compliance with anticorruption laws? Has the target or any of its vendors been the subject of a governmental investigation or enforcement action? Has the target ever disciplined an employee or terminated a business relationship over anticorruption violations?
Examine copies of the target’s contracts, particularly those pertaining to sales and distribution. Who are the target’s customers? If the target sells products or services to foreign government agencies and state-owned enterprises, you must thoroughly examine all aspects of the sales process, because these are high risk areas for corruption.
Most enforcement actions by the DOJ and SEC involve the use of intermediaries, so examine the target’s relationships with its third party contractors, particularly with respect to distributors and sale representatives. What is the target’s process for selecting and engaging third party contractors? Does the target have its own due diligence process it follows before engaging third parties? Determine whether such contractors were recommended by, owned by, or employ, a foreign official. Make sure that they are qualified to perform the services they were engaged to perform and that they were not paid more than market rate for their services. Is the amount of compensation to such contractors based on their success, often an incentive for bribery? Were the contractors paid more than market rate? If so, the excess may have been used to pay a bribe. How are such contractors paid? If the target’s payments to a contractor were made in a jurisdiction where the contractor was not located, that is a red flag. Do the target’s contracts contain anticorruption representations, warranties, and covenants by the contractors, as well as indemnification, audit, and termination rights in favor of the target? Do the target’s contracts require that contractors certify their compliance with anticorruption laws periodically?
To what extent does the target do its own due diligence in other facets of its business? Does the target conduct anticorruption due diligence prior to making acquisitions and hiring third party contractors? Ask for copies of the due diligence results. After all, not only do you want to make sure that the target did not violate the FCPA, you want to make sure it did not do business with anyone that violated the FCPA.
You must also examine the financial side of FCPA compliance. Does the target have a system of financial and accounting procedures, including a system of internal controls, reasonably designed to ensure the maintenance of fair and accurate books, records, and accounts to ensure they cannot be used for the purpose of bribery, corruption, or concealing such activity? Have any significant or material weaknesses been found in the internal controls? How often does the target test the effectiveness of, and make modifications to, the internal controls? Not only are the target’s internal controls important to ensuring anticorruption compliance, but they will make integration easier for your company following the acquisition, particularly if your company is publicly traded and its CEO and CFO must make certifications regarding internal controls in its SEC filings.
Examine the target’s payment history. Has the target recorded any transactions as cash? If so, that raises a red flag. Has the target made any unusual payments to employees or contractors? Have any payments been booked with an unusual designation, such as a “cultural fee” or a “miscellaneous fee,” both red flags for disguising a bribe? Ask for copies of the target’s records and receipts pertaining to payments made by the target during the last five years for hospitality, travel and entertainment expenses, gifts, charitable donations and sponsorships, political contributions, and facilitation payments. Have the forensic members of your due diligence team examine such payments to confirm that they were legitimate and did not violate the FCPA (e.g., that no payments were made directly to a foreign official or a family member or affiliate of a foreign official, that no payments were made for the benefit of a foreign official’s family member or affiliate, that payments were not for lavish hospitality, that gifts had only a nominal value, etc.).
Third Party Contractors
When considering the engagement of a third party contractor, the line of inquiry in FCPA due diligence is different than in the context of an acquisition. Although you will need to obtain information about the contractor’s ownership structure and business operations, you will not have the same concern about “buying” the contractor’s liabilities as you would with a target in an acquisition. Instead, your concern will be in making sure that the services the contractor will perform for your company and the payments that your company will make to the contractor will not violate the FCPA.
You should inquire about whether the contractor has its own code of conduct and anticorruption policies and procedures, as well as the type of training it provides to its employees. Similarly, you should find out whether the contractor utilizes subcontractors. Examine the contractor’s relationships with its subcontractors and whether the contractor conducted due diligence before retaining the subcontractors. See “Areas of FCPA Due Diligence Inquiring in Acquisitions” above, regarding these lines of inquiry.
Determine the ownership and governance structure of the third party contractor. Is there a foreign official among the ownership group or serving as an officer or director of the target? Is a foreign official employed by the contractor? If the answer to any of these questions is “yes,” a payment to this contractor could come under scrutiny as violating the FCPA, even if intended to be compensation for legitimate services. Often these questions can be answered by means of a questionnaire distributed prior to personally interviewing the candidate.
Visit, or have your investigator visit, the contractor’s office, to be certain it actually exists and that the contractor has the requisite staff and qualifications to perform the services for which your company will contract.
If, after conducting due diligence, your company decides to retain a third party contractor, make sure that your company’s contract with the contractor has representations, warranties and covenants by the contractor regarding compliance with the FCPA and the anticorruption laws of all the jurisdictions within which the services will be performed (including a requirement that the contractor provide periodic certifications of such compliance at least once a year), as well as indemnification, audit, and termination rights in your company’s favor. Make certain that your legal department is required to review and approve all third party contracts and that the negotiation and execution of such contracts are not left solely to the business and sales managers. In addition, give the contractor a copy of your company’s own code of conduct and FCPA policy, as well as an admonition that the contractor must comply with them. If you have sufficient resources, provide your FCPA and anticorruption training to the contractor.
After performing your due diligence on the third party and entering into a contract, your work is still not over. The DOJ has made it quite clear that companies have an obligation to not only document their third party contractor due diligence, but also to monitor their performance. Be prepared to prove that you do so. In other words, the DOJ expects your company to monitor that the services your company is paying for are actually being provided, and not being secured by a pay-off to a foreign official.
The results of your FCPA/anticorruption due diligence on your U.S. or foreign targets and third party contractors will have a significant bearing on your company’s decisions. Is the risk of bribery and corruption so great that you should walk away from the deal? Is the risk tolerable, where post-closing you can implement and roll out your company’s stronger FCPA compliance program on the target and contractors? Have you factored in the costs of rolling out a stronger compliance program and the time that may take if you are purchasing a global company? How does that cost factor into the purchase price? How do you document that roll-out plan so if it takes a couple years, you can substantiate your compliance efforts and roll-out plan, should a bribe occur during the roll-out and be discovered by the DOJ or SEC? If you need to terminate certain third party contracts, or excise a division of the target from the acquisition, because they present too great a corruption risk, does eliminating them cause a loss in market share, or effect the overall value of the target such that the purchase price should be reduced? If you need to continue your FCPA/anticorruption diligence post-closing due to time constraints, should you escrow a portion of the purchase price funds subject to completion of your post-closing due diligence findings?
If, as a result of the due diligence findings, you decide not to pursue a transaction, you should still maintain copies of your due diligence findings (at least, to the extent permitted by the non-disclosure agreement you entered into and the applicable data privacy laws) for a reasonable period of time. If you ever have to deal with the DOJ or SEC in the future on a different FCPA matter, the fact that you performed thorough FCPA due diligence in a prior transaction and decided to walk away based on your findings of corruption can serve to your advantage. It will demonstrate to the DOJ and SEC that your company does not tolerate high risks when it comes to FCPA and anticorruption violations.
As mentioned in the beginning of this article, FCPA due diligence on a potential target and its third party contractors is no longer an option—it is a mandate. The diligence scope will be governed by the assessed risk and driven by your budget and timeframe. Whether the proposed transaction is small or large, and whether the third parties are few or many, due diligence regarding FCPA compliance (and compliance with other anticorruption laws, if applicable) must play an integral role in your company’s decision making when it comes to acquisitions, investments, and retention of contractors.
 15 U.S.C. 78dd-1 et seq.
 Melissa Aguilar, “2010 FCPA Enforcement Shatters Records” (January 4, 2011), Compliance Weed at http://www.complianceweek.com/2010-fcpa-enforcement-shatters-records/article/193665/.
 “Aggressive FCPA Enforcement, a DOJ/SEC Priority” (August 18, 2011) at http://www.prnewswire.com/news-releases/aggressive-fcpa-enforcement-a-dojsec-priority-127995108.html; Bethany Hengsbach, “FCPA: A Mid-Year Update” at www.boardmember.com/Article_Details.aspx?id=6346.
 “J&J Joins New Top Ten” (April 8, 2011) at http://fcpablog.squarespace.com/blog/2011/4/8/jj-joins-new-top-ten.html.
 Assistant A.G. Breuer’s speech at the 24th National Conference on the FCPA in National Harbor, Maryland, November 16, 2010 (http://www.justice.gov/criminal/pr/speeches/2010/crm-speech-101116.html).
 SEC Litigation Release No. 21602 (July 27, 2010) at http://www.sec.gov/litigation/litreleases/2010/lr21602.htm.
 SEC Press Release No. 2010-133 (July 27, 2010) at http://sec.gov/news/press/2010/2010-133.htm.
 DOJ Press Release 09-318 (April 7, 2009) at http://www.justice.gov/opa/pr/2009/April/09-crm-318.html.
 eLandia’s 10-K, filed with the SEC on April 18, 2007 at pages 7-8.
 eLandia’s 10-K, filed with the SEC on April 18, 2011 at page 67.
 The FCPA is only one subject on which due diligence should be conducted. FCPA due diligence is frequently intertwined with issues involving imports and exports, customs duties, and anti-trust. This article focuses only on the FCPA.
 Current and older versions of the CPI can be found on Transparency International’s website at http://www.transparency.org/policy_research/surveys_indices/cpi.
 Industries historically targeted by the DOJ or SEC include telecom, oil and gas, defense, pharma, and medical devices.
 Note that while the FCPA permits facilitation payments (assuming that strict criteria are satisfied), the anticorruption laws of most other countries, most notably the UK’s Bribery Act, do not.
 See Federal Sentencing Guidelines § 8B2.1, Application Note 3 (“High-level personnel and substantial authority personnel of the organization shall be knowledgeable about the content and operation of the compliance and ethics program, shall perform their assigned duties consistent with the exercise of due diligence, and shall promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”); OECD, “Good Practice Guidance on Internal Controls, Ethics, and Compliance,” adopted 18 February 2010, Annex II (“Companies should consider, inter alia, the following good practices for ensuring effective internal controls, ethics, and compliance programmes or measures for the purpose of preventing and detecting foreign bribery: 1. strong, explicit and visible support and commitment from senior management to the company’s internal controls, ethics and compliance programmes or measures for preventing and detecting foreign bribery….”); Ministry of Justice, “The Bribery Act 2010 – Guidance” at page 23 (Principle 2 is top-level commitment: “The top-level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) are committed to preventing bribery by persons associated with it. They foster a culture within the organisation in which bribery is never acceptable.”).
 Federal Sentencing Guidelines § 8C2.5(f)(3)(c)(i). Under Application Note 10 to § 8C2.5, “[A]n individual has ‘direct reporting obligations’ to the governing authority or an appropriate subgroup thereof if the individual has express authority to communicate personally to the governing authority or appropriate subgroup thereof (A) promptly on any matter involving criminal conduct or potential criminal conduct, and (B) no less than annually on the implementation and effectiveness of the compliance and ethics program.”