FCPA Liability and Best Practices for Directors and Officers

Client Advisory

June 24, 2019

View the PDF.

In our previous client advisories relating to the Foreign Corrupt Practices Act (“FCPA”), we reported on trends in enforcement and the potential for changes in policy at the dawn of a new administration. During the Trump administration, we have seen FCPA enforcement remain fairly consistent. The SEC and DOJ have continued to be aggressive in focusing on cooperation and individual liability for officers and directors, and the CFTC, which regulates U.S. derivatives markets, recently indicated that it too will begin investigating and prosecuting FCPA violations. This advisory outlines the basic principles of individual liability under the FCPA, specifically as to directors and officers, and provides guidance and best practices for avoiding liability and maximizing cooperation credit for the company in the event of an FCPA investigation.

Enforcement Policies Regarding Individual Liability

On November 29, 2018, Deputy Attorney General Rod Rosenstein announced revisions to the DOJ’s enforcement policies in a speech at the American Conference Institute’s 35th International Conference on the FCPA.[1] The revisions relating to cooperation credit and individual liability modify and expand upon policies originally announced in the well-known Yates Memo from 2015, which we discussed in our January 2017 Advisory.

While the Yates Memo indicated that the DOJ would require companies to disclose “all relevant facts about the individuals involved in corporate misconduct” in order to obtain cooperation credit in criminal cases, the DOJ’s revised policy, as articulated by Mr. Rosenstein in November 2018, requires identification of “every individual who was substantially involved in or responsible for the criminal conduct.” This modest policy shift was based on a recognition that uncovering all facts about all players, however minor, was inefficient and led to delays, and that the focus should be on identifying those individuals substantially involved in the conduct and those, specifically senior management and directors, who authorized or knew about the conduct:

We want to focus on the individuals who play significant roles in setting a company on a course of criminal conduct . . . . [or] authorized the misconduct, and what they knew about it. The most important aspect of our policy is that a company must identify all wrongdoing by senior officials, including members of senior management or the board of directors, if it wants to earn any credit for cooperating in a civil case. . . . I want to emphasize that our policy does not allow corporations to conceal wrongdoing by senior officials. To the contrary, it prohibits our attorneys from awarding any credit whatsoever to any corporation that conceals misconduct by members of senior management or the board of directors, or otherwise demonstrates a lack of good faith in its representations. [Emphasis added.]

These policy pronouncements were repeated by Mr. Rosenstein in a speech on March 7, 2019, in which he stated that the “individual accountability policy is designed to drive change, and lead more companies to implement meaningful proactive compliance programs.”[2]

Additionally, the SEC has long considered individual liability a “core principle” of FCPA enforcement, as articulated by its Co-Director of Enforcement in December 2017: “As [SEC] Chairman Clayton observed at his confirmation hearing, individual accountability drives behavior more than corporate accountability, a point which is supported by both logic and experience. The Division of Enforcement considers individual liability in every case it investigates; it is a core principle of our enforcement program.”[3]

The revised cooperation credit policy now permits companies to receive full or partial cooperation credit in exchange for providing law enforcement officials with information about individuals substantially involved in or responsible for FCPA violations. The policy no longer requires companies to perform exhaustive internal investigations in order to receive credit. However, all companies are expected to have robust, effective internal controls in place in order to gather and provide the information necessary to qualify for cooperation credit. Additionally, under the revised policy, the extent of cooperation credit awarded may be contingent on the quality of the information turned over. Officers and directors must ensure that internal controls–including record keeping and internal audits–are in place and observed in order to place the company in a position to receive cooperation credit in the event of an FCPA investigation.

Liability Under the FCPA’s Anti-Bribery and Accounting Provisions

As discussed in further detail in our October 2015 Advisory, the FCPA has two primary types of provisions: anti-bribery provisions and accounting (books-and-records) provisions.

The anti-bribery provisions apply to U.S. business entities and issuers of securities listed on U.S. stock exchanges (and their employees, officers, and directors), U.S. citizens and residents, and certain foreign nationals or entities engaging in prohibited acts in the U.S, and provide for criminal or civil liability.[4] The provisions prohibit the offering or providing, directly or through a third party, of anything of value to a foreign government official with corrupt intent to influence an award or continuation of business or to gain an unfair advantage. The FCPA prohibits payments to any person “while knowing that all or a portion of such money or thing of value will be offered, given, or promised . . . to any foreign official . . . for purposes of” obtaining or retaining business.[5] For criminal liability, the conduct must have been “willful.”

Officers and directors may be liable for violations of the anti-bribery provisions if they are in fact the wrongdoers (engaging in, directing others to engage in, or concealing FCPA violations), or if they turn a blind eye to a wrongful payment (or pattern thereof) under the FCPA (i.e., willful blindness, deliberate ignorance, or conscious disregard). The Second Circuit, in United States v. Kozeny, held that knowledge can be imputed to an individual where that individual has reason to know that money will change hands for a corrupt purpose and “consciously avoids confirming that fact.”[6] In that case, involving the bribery of Azerbaijani officials in order to facilitate the purchase of a state-owned oil company, the evidence established that the defendant (a director of and investor in the company involved in the bribery) had reason to know of bribes being paid to Azerbaijani officials and failed to confirm that fact. The Second Circuit held that the trial court’s conscious-avoidance jury instruction was proper, thereby permitting a criminal conviction under the FCPA for individual directors who turn a blind eye to potential wrongdoing in their company.

The accounting provisions apply only to issuers of U.S. securities, requiring them to “make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer [and] devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that” transactions are recorded appropriately.[7] It provides for joint-and-several liability for “control persons” whose subordinates are alleged to have violated the FCPA “unless the controlling person acted in good faith and did not directly or indirectly induce the act or acts constituting the violation or cause of action.”[8]

While the majority of FCPA cases involve corporations and the largest monetary penalties continue to be levied against corporations (such as the recent $282 million settlement by Walmart),[9] individuals must be vigilant and recognize that the enforcement policies and statutes contemplate individual liability. Penalties for FCPA bribery violations by individuals may include a fine of up to $250,000 and five years imprisonment for a criminal conviction and up to $21,039 per violation for civil charges.[10] Penalties for violations of the books and records and internal control provisions may include a fine of up to $5 million and twenty years imprisonment for a criminal violation and fines of $9,472 to $189,427 for civil violations.[11] Additional penalties may include disgorgement of ill-gotten gains, suspension or debarment from contracting with the federal government, deferred prosecution arrangements, and for companies, additional reporting obligations and required oversight by an individual consultant or compliance monitor. Individuals may also be barred from serving as officers or directors of any SEC-registered public company. And, importantly, the FCPA prohibits employers from paying fines assessed against its employees, officers, and directors.

Two illustrative matters demonstrate how the SEC and DOJ have sought individual-director liability in books-and-records enforcement actions under the FCPA, whether under a theory that they aided and abetted an FCPA violation or that they were liable as control persons:

  • Aiding & Abetting Liability: In 2005, InVision Technologies, Inc., a manufacturer of explosive detection machines used in airports, settled FCPA charges relating to improper payments and gifts to government officials in Asia. Subsequently, in 2006, the SEC brought a civil enforcement action under the FCPA’s books-and-records provision against a Senior Vice President who was a member of the Board of InVision at the time of the corporation’s FCPA violations. He was charged with aiding and abetting InVision’s failure to devise and maintain a system of internal controls, in violation of the FCPA by, among other things, failing to act after receiving internal emails about improper bribe payments, permitting the payment of suspicious invoices and the recording of such payments as legitimate business expenses, and failing to ensure that the company had adequate internal controls and training to detect and prevent the conduct. The individual settled with the SEC and agreed to pay a $65,000 civil penalty, without admitting or denying liability.[12]
  • Control Person Liability: In 2009, the SEC brought a civil enforcement action under the FCPA against Nature’s Sunshine Products, Inc., a manufacturer of nutritional and personal care products, as well as civil enforcement actions against two executives–the CFO and the COO who was also a director–relating to cash payments made to Brazilian customs brokers by employees of the company’s subsidiary in order to effectuate the import into Brazil of its products. The SEC alleged that these “control persons” violated the FCPA’s books-and-records requirements by failing to ensure that the company had a system of internal controls relating to the registration of its products sold in Brazil and that transactions were recorded as necessary to permit accurate preparation of financial statements. The SEC alleged that these executives were control persons at the time of the violations because, in their respective positions, they individually and between them had supervisory authority over senior corporate management and corporate policies regarding product manufacture, inventory, and book keeping. Without admitting or denying the allegations against them, they individually settled with the SEC and each agreed to pay a civil penalty of $25,000.[13]

Recent Enforcement Actions

In 2018, the DOJ and SEC assessed a total of nearly $3 billion in penalties against companies and individuals for FCPA violations, and brought FCPA civil and criminal charges against twelve individuals. The DOJ and SEC have demonstrated that they will continue to target and prosecute individuals for bribery-related misconduct under the FCPA and federal securities laws. Below are two recent examples:

  • In April 2018, Panasonic Avionics Corporation agreed to pay $280 million to the SEC and DOJ to settle civil and criminal FCPA charges for offering a lucrative consulting position to a government official at a state-owned airline in the Middle East in order to obtain and retain business, and falsifying records to cover it up. Subsequently, in December 2018, the SEC charged the former CEO and CFO of Panasonic Avionics with civil violations of the books and records and accounting provisions of the federal securities laws, and the individuals agreed to pay penalties of $75,000 and $50,000, respectively, without admitting or denying the charges.[14]
  • In February 2019, Cognizant Technology Solutions Corporation agreed to pay $25 million to settle FCPA charges for paying bribes to an Indian government official in connection with construction of company facilities in India. Cognizant’s President and Chief Legal Officer, who allegedly authorized the bribes and directed subordinates to conceal the bribes, were indicted on criminal charges of violating and conspiring to violate the FCPA’s anti-bribery and accounting provisions. In addition, the SEC is seeking civil penalties and officer and director bars against the individuals.[15]

Shareholder Derivative Actions

Although there is no private right of action under the FCPA, where an issuer is subject to a successful FCPA enforcement action, individual directors could potentially be subject to a shareholder derivative action based on the allegation that the Board breached its fiduciary duties and failed to exercise adequate, good-faith oversight of the issuer’s compliance and reporting obligations. In the seminal case on this subject, In re Caremark International, the Delaware Chancery Court stated that “a director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.”[16]

Applying the Caremark reasoning, if a company were found liable under the FCPA—particularly for books-and-records violations—individual directors could be liable in a shareholder derivative action if the directors had not taken reasonable steps to assure in good faith that adequate internal controls are in place (i.e., that there was no FCPA compliance policy) or if the Board consciously disregarded red flags. While these lawsuits are filed frequently, they are not often successful. The Caremark court in fact recognized that the failure-to-monitor theory is “possibly the most difficult theory in corporate law upon which a plaintiff might hope to win a judgment.”[17]

Best Practices

While there are not an abundance of examples of Board and officer liability for FCPA violations, the DOJ and SEC policies and the law itself clearly contemplate such liability. In fact, the DOJ’s April 2019 updated guidance entitled “Evaluation of Corporate Compliance Programs” emphasized the role of the company’s leaders (Board of Directors and executives) to “set the tone for the rest of the company.”[18] Accordingly, individual officers and directors should adhere to the following best practices in order to ensure FCPA compliance and limit individual and company liability, as well as to ensure that their company can, if needed, receive maximum cooperation credit:

  • Take reasonable steps to ensure compliance with the company’s record keeping obligations. Ensure that there is a person or department that is fulfilling the obligations.
  • Ensure that the company has a robust and effective FCPA compliance program and internal controls that, at a minimum, include compliance training and written policies relating to gifts and entertainment, payment authorizations, and accounting for payments and expenses. The program should be adequately communicated to directors, officers, and employees.
  • Ensure that the company’s compliance program is tailored to its specific industry, business practices, and unique risks. Conduct an internal risk assessment in order to understand the company’s unique risk profile, and receive and review reports on such assessments. Risk is not static, so there should be periodic reassessment and review in order to ensure that a compliance program stays current with the business’s evolution and future shifts in enforcement priorities.
  • Conduct regular compliance audits to ensure that internal controls and policies are properly implemented, and receive and review reports on such audits. Ensure that remedial actions are taken.
  • Ensure that there are mechanisms for thoroughly investigating allegations of misconduct, and policies for discipline and remediation. There should be disincentives for lack of compliance with policies and programs.
  • Ensure that the company has instituted written policies and procedures for reporting potential FCPA violations internally and, when necessary, externally to authorities.
  • Ensure that the company performs meaningful due diligence prior to entering into agreements with or rendering payments to third parties, understands such third parties’ relationships with foreign affiliates, investigates any red flags, and addresses potential wrongdoing.
  • Follow up on suspected wrongdoing and, if evidence of wrongdoing is found, report it to the company’s compliance officer, designated official, or the Board. Do not ignore red flags.
  • Create a top-down corporate culture of ethics in which all directors and employees understand the importance of operating within lawful boundaries and that bribery will not be tolerated. Set the example.


In view of the enforcement community’s focus on individual liability, particularly in respect of senior corporate officials, it is important that individual officers and directors understand their potential liabilities, meet their obligations under the FCPA, and minimize risks to themselves and their companies. Officers and Boards are encouraged to educate themselves on the FCPA, and to consult counsel regarding FCPA compliance matters and the above-listed best practices.

* * *

For more information concerning the matters discussed in this publication, please contact the authors Matthew D. Dunn (212-238-8706,, Theodore Y. McDonough (212-238-8788,, Steven J. Glusband (212-238-8605,, or your regular Carter Ledyard attorney.


[1] The full text of the speech is available at



[4] 15 U.S.C. §§ 78dd-1, 78dd-2, 78dd-3.

[5] 15 U.S.C. § 78dd-2(a)(3).

[6] United States v. Kozeny, 667 F.3d 122, 132-135 (2d Cir. 2011).

[7] Section 13(b)(2) of the Securities Exchange Act of 1934, 15 U.S.C. § 78m(b)(2).

[8] 15 U.S.C. § 78t(a). To make out a prima facie case of control-person liability, the plaintiff must show (1) a primary violation by the controlled person; (2) control of the primary violator by the target defendant; and (3) that the target defendant was “in some meaningful sense a culpable participant in the fraud perpetrated by the controlled person.” SEC v. First Jersey Sec., Inc., 101 F.3d 1450, 1472 (2d Cir. 1996) (internal citations omitted). Control over a primary violator is shown by demonstrating “the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of voting securities, by contract, or otherwise.” 17 CFR § 240.12b-2.

[9] On June 20, 2019, Walmart agreed to pay over $282 million to settle SEC and DOJ charges that it violated the FCPA for failing to have a sufficient anti-corruption program and allowing improper payments by foreign subsidiaries to foreign officials in Mexico, India, Brazil, and China. In March 2019, there were FCPA-related settlements of $231 million by a German medical products company and $850 million by a Russian-based telecommunications provider.

[10] 15 U.S.C. §§ 78dd-2(g)(2), 78dd-3(e)(2), 78ff(c)(2); 18 U.S.C. § 3571(b)(3); 17 C.F.R. § 201.1001 and (2019 inflationary adjustments).

[11] 15 U.S.C. § 78ff(a); 15 U.S.C. § 78u(d)(3); 17 C.F.R. § 201.1001 and (2019 inflationary adjustments).





[16] In re Caremark Int’l, 698 A.2d 959, 970 (Del. Ch. Ct. 1996).

[17] Id. at 967.


Carter Ledyard & Milburn LLP uses Client Advisories to inform clients and other interested parties of noteworthy issues, decisions and legislation which may affect them or their businesses. A Client Advisory does not constitute legal advice or an opinion. This document was not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. © 2020 Carter Ledyard & Milburn LLP.
© Copyright 2019

Related practice area:

© Copyright 2020 Carter Ledyard & Milburn LLP