It is a time of dramatic and unsettling change for many companies in the U.S. aerospace and defense industry. This period of great change has been characterized by a declining U.S. defense budget with continuing uncertainty over the impact of sequestration. A recent report on U.S. military spending issued by the Council on Foreign Relations noted that in calendar year 2013, U.S. military spending declined from $671 billion to $619 billion (in constant 2011 dollars), the largest decline since 1991. The report predicted a likely further decline in 2014 because of reduced U.S. operations in the Middle East and sequestration.[1] Additional decline in U.S. defense spending to $540 billion by 2020, down from $720 billion in 2011, also has been predicted.[2] The article noted the effect that budget uncertainty was having on defense contractors: With these shifts in the defense landscape, the overriding question for US defense contractors involves the future of their capability to develop and maintain exports in an increasingly competitive market. Without question, the US military will remain their dominant customer. However, with decreased domestic sales and increasingly thin margins, IHS Jane’s Defense Industry & Markets Intelligence Centre analysts see US firms having increasingly to address emerging markets and commercial adjacencies to maintain productive revenue growth and pursue needed market diversification. As noted above, this period of great budget uncertainty for the A&D industry has resulted in an increased emphasis on growing international business and diversifying into new areas — “white spaces” or “commercial adjacencies,” and an increased emphasis on emerging markets, international commercial business, international joint ventures (JVs) and teaming agreements, foreign subsidiaries, and international acquisitions. This article will consider the new and increased areas of Foreign Corrupt Practices Act and other anti-corruption law risks that companies in the A&D industry are now facing and recommend steps they should be taking to address these risks in order to prevent and detect potential FCPA violations and, hopefully, avoid enforcement actions and minimize the cost of investigations and penalties in the event problems arise. The industrywide sea change in the nature and scope of A&D companies’ international business efforts has greatly increased the FCPA risks these companies are facing. These risks include:

  • new international partners in JVs and teaming agreements (with additional risks in minority JVs where the U.S. partner lacks control);
  • new foreign subsidiaries and international acquisitions with corporate cultures that have not been committed to FCPA compliance in the past;
  • national cultures and attitudes that are less committed to compliance in countries which have not actively enforced their anti-corruption laws in the past;
  • new and unfamiliar commercial (nondefense) businesses with fewer controls and restrictions and more lavish hospitality practices than the heavily regulated A&D industry;
  • many new third parties to worry about (e.g., agents, distributors, resellers, brokers, freight forwarders, finders, and other service providers) in the A&D companies’ newly expanded international operations both directly and through their new JVs, JV partners, teammates and newly acquired companies; and
  • new and unfamiliar geographical locations and challenges, e.g., conducting a services business in high-risk countries such as Sudan and the Democratic Republic of Congo and war-zone countries such as Iraq and Afghanistan.

In order to address these new and greatly enhanced FCPA risks, it is highly advisable that A&D companies conduct risk assessments to determine whether their current policies, procedures and controls are adequate and, if not, where they need to be revised and strengthened.[3] Such risk assessments should be performed on a regular, periodic basis. Companies need to decide how often and by whom the risk assessments should be performed. The recommended frequency depends in part on the nature and timing of business changes and entering into new markets, which likely will give rise to new areas of risk. Some companies conduct such risk assessments annually. At a minimum, it would seem to make sense to conduct them at least every couple of years and more often in the event of significant business changes. Companies also must decide who should perform these risk assessments. While there are various potential choices — in-house legal, finance and audit departments, outside counsel and other service providers, it makes sense to consider using an outside independent and objective source, working with in-house legal, to understand and properly evaluate the risks arising from a company’s international business. Based upon the results of the risk assessment, companies need to examine and may need to revise their policies, procedures and controls to address the new risks raised by the new areas and types of international business. This should include risk-based due diligence on the many new international business partners and third parties the company is dealing with — proposed JV partners and teammates, agents, distributors, resellers, brokers, freight forwarders, sponsors and other service providers.[4] Effective FCPA compliance programs need to be put in place and monitored on an ongoing basis at the company’s JVs and in its teaming arrangements, as well as its wholly owned foreign subsidiaries and program offices around the world. To make its FCPA compliance program effective, a company’s legal and ethical requirements must be communicated to its employees, business partners and other third parties and ongoing training should be conducted.[5] The training should be risk-based and adapted to local conditions and issues. For example, training of local employees in a Chinese subsidiary or JV should be conducted in Chinese and should address frequent problem areas like meals, gifts, travel and entertainment. Training for employees in a high-risk third-world country where facilitating payments are a problem should carefully address how to deal with demands for such payments. The training preferably should be live and in the local language or in multiple languages. While live training is not feasible for all employees, it should be used whenever possible in the highest risk areas and combined with online or written training materials in lower risk situations. Training also should be conducted with third-party business partners such as JV partners and teammates and other third parties such as agents, distributors, resellers, brokers, etc. The company also should work to ensure that its foreign subsidiaries and JVs are providing adequate training for their employees and third parties. This can be accomplished by an ongoing program to monitor and track these training efforts. Companies also need to monitor and audit their compliance programs, including the programs of their international JVs and subsidiaries, on an ongoing basis to detect and correct weaknesses and to adjust for business changes.[6] Companies must decide who will perform this monitoring and auditing function as there are multiple potential choices such as in-house legal, internal audit, outside counsel, forensic accounting firms, and numerous outside vendors offering this service. The key is to make sure that the monitoring and auditing are conducted on a regular, periodic basis and that they have been designed to be effective in detecting real-life weaknesses, gaps in coverage and instances of non-compliance, rather than being a paper program akin to a good housekeeping seal of approval. To combine outside independence and perspective with an in-house understanding of the business and high-risk projects and people, some combination of in-house and outside monitoring and auditing may make sense. The company must, of course, act upon the results of its monitoring and audit efforts in a timely manner to strengthen its compliance program and correct weaknesses by revising and adapting its policies, procedures and controls, communicating and training on the changes, and then continuing to monitor and audit the revised program for weaknesses and problems. This ongoing cyclical process has become much harder in practice because of the enormous expansion of international business efforts in the A&D industry, the many new types of business — including commercial, nondefense business — in new countries, and the many new business partners and other third parties. The explosion of international business efforts in new and unfamiliar areas with new and unfamiliar people has greatly increased the FCPA compliance risk for companies in the A&D industry at a time of budget austerity because of the declining U.S. defense budget. In general, this has made it necessary for companies to attempt to address their increased risk profile with the same or fewer compliance resources, in effect making it necessary for them to try to do more with less. While the degree of increased FCPA compliance risk, of course, cannot be quantified with precision and differs for each company, the basic premise of attempting to ensure compliance in the face of greatly expanding risk in new areas of the world and unfamiliar businesses with unchanged or decreased compliance resources could be a recipe for a compliance nightmare. When you factor in that all of this is happening at a time of enormous pressure from (and on) company business units and management not to lose vital international sales in an environment of shrinking U.S. defense budgets, continued aggressive enforcement by the U.S. Department of Justice and U.S. Securities and Exchange Commission, and increased cooperation of the DOJ and SEC with, and enforcement efforts by, foreign anti-corruption authorities, you have the ingredients for a perfect FCPA compliance storm. In short, these are challenging times for companies in the A&D industry from the standpoint of FCPA compliance, putting a premium on a carefully designed and diligently implemented risk-based compliance program that actually works in the real world to prevent and detect corruption.[7] The Morgan Stanley resolution demonstrates that having an effective compliance program can make a real difference. In April 2012, when a former Morgan Stanley managing director in China pled guilty to conspiracy to avoid the bank’s internal controls, the DOJ and SEC elected not to prosecute or bring a civil enforcement action against Morgan Stanley based on the effectiveness of its pre-existing anti-corruption compliance program. The Morgan Stanley resolution highlights the importance of taking the steps recommended in this article regarding risk assessments, due diligence, training, and oversight and demonstrates how, if implemented in good faith, they can result in huge benefits by avoiding enforcement actions and minimizing the costs of FCPA investigations and penalties in the event problems arise. In order to best address the potential dangers arising from the many business changes that companies in the A&D industry are undergoing, compliance lawyers and other compliance professionals in these companies should be thinking about their biggest areas of FCPA compliance concern, i.e., the biggest challenges they are facing in protecting their companies, and making sure their compliance programs are properly focused on these highest risk areas. This can be accomplished by taking the steps outlined above — tailoring the company’s policies, procedures and controls to address these risks, communicating requirements and training employees, business partners and other third parties, and monitoring and auditing the compliance program to make sure it is working — all on an ongoing basis and with the genuine commitment of senior and middle management to compliance as a core value.[8] In going through this process, it should be recognized that no compliance program is perfect and that every compliance program can be improved and should constantly evolve with a company’s changing business and risk profile. One sign of an effective compliance program is that it is identifying red flags, issues and potential concerns that require constant and ongoing attention. A compliance program that does not identify such issues and concerns, especially in a time of such dynamic international growth and change, most probably is not working. It is the difficult, but critically important, task of the compliance lawyers and professionals in the A&D industry at this time to try to ensure that their compliance programs are working in the real world and that they can bring to bear the compliance resources necessary to address the new and changing risks their companies are facing. This article was first published on www.law360.com.



[1]               See Dinah Walker, “Trends in U.S. Military Spending,” Council on Foreign Relations (July 15, 2014).
[2]               See Tate Nurkin, “Analysis: Declining US military spending pressures defense contractors,” IHS Jane’s 360 (September 19, 2014).
[3]               As noted in “A Resource Guide to the US Foreign Corrupt Practices Act,” issued by the US Department of Justice and Securities and Exchange Commission on November 14, 2012 (FCPA Guidance), “Assessment of risk is fundamental to developing a strong compliance program and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” See FCPA Guidance at 58. The DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area.” Id. at 59.
[4]               The FCPA Guidance notes that, “Risk-based due diligence is particularly important with third parties and will also be considered by DOJ and SEC in assessing the effectiveness of a company’s compliance program.” Id. at 60.
[5]               The FCPA Guidance states that compliance policies must be effectively communicated throughout a company to work and that the “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” Id. at 59.
[6]               The FCPA Guidance notes that “a good compliance program should constantly evolve” as a company’s business changes over time, including its customers and the places where it operates. The “DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” Id. at 61-62.
[7]               The FCPA Guidance notes that the DOJ and SEC use a common sense, pragmatic approach in evaluating compliance programs, asking whether a company’s compliance program is well designed, whether it is being applied in good faith, and whether it works. Id. at 56.
[8]               The FCPA Guidance notes that the “DOJ and SEC consider the commitment of corporate leaders to a ‘culture of compliance’ and look to see if this high-level commitment is also reinforced and implemented by middle managers and employees at all levels of a business. A well-designed compliance program that is not enforced in good faith…will be ineffective.” Id. at 57.