The FCPA crystal ball is constantly shifting. Sometimes patterns emerge and trends become evident.   FCPA enforcement is fairly consistent with occasional blips.  What becomes trend setting often becomes the new norm.  Just look at the changes in Schedule C, and the compliance program requirements.  Look at the Schedule Cs from five years ago, and compare them to the Schedule Cs used now.  There have been changes.

The current year, 2015 (and even into 2016), will be important years because of DOJ’s and the SEC’s common interest in prosecuting FCPA internal controls violations without evidence of bribery in appropriate cases. The difficult part of this equation is the definition of “appropriate cases.”

What made Oracle an appropriate case?  How will DOJ and the SEC draw lines in cases where they are unable to prove bribery but have enough evidence of surrounding circumstances that suggest bribery could have occurred?  This is a very dangerous slippery slope.  Prosecutors have to be careful to send a consistent message.  If the cases and the standards become muddled so does the FCPA enforcement program.

FCPA prosecutors are extremely dedicated and committed to enforcement. They are hard-working professionals. Within the bounds of the law and prosecutorial discretion, they have created a successful record of FCPA prosecutions. They are likely to continue this effort and apply aggressive strategies within the bounds of the law and with sensitivity to these issues.

Prosecutors have  to be careful because businesses could face conflicting incentives.  On the one hand, the SEC has promoted the concept of robust internal controls to prevent bribery , fraud and other accounting misconduct.  In response, companies have bolstered their internal controls, adopting detailed and comprehensive controls.

If prosecutors turn around and start prosecuting companies and individuals for violation of these internal controls, companies will have a countervailing incentive not to adopt detailed and robust internal controls.  That would be a bad outcome and prosecutors have to walk this tightrope.

Adding to this difficult equation and balancing of incentives, companies  have to meet the new 2013 COSO framework governing internal controls. In May 2013, the Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its updated framework, which was originally released in 1992. As of December 15, 2014, the new 2013 framework superseded the 1992 COSO version. Every company now faces a difficult and important transition to a new framework.

The 2013 COSO Framework retained the five core concepts of internal controls: (1) control environment; (2) risk assessment; (3) control activities; (4) information and communication; and (5) monitoring activities.

The significant change in the 2013 COSO Framework is seventeen separate principles against which every company has to assess its internal controls. I will examine these principles in the future.

The 2013 COSO Framework recognizes that (1) internal controls apply to more than simply accounting controls, it applies to compliance controls and operational controls; and (2) while compliance begins with the company’s tone-at-the-top, “the responsibility for the implementation of effective internal controls resides with everyone in the organization.”

The compliance and enforcement paradox for companies could become real. At the same time that companies face new challenges in the design and implementation of internal controls, the government is heightening its scrutiny of company internal controls and raising the risks of civil, and even criminal prosecution, of internal controls violations.

The 2013 COSO framework raises the stakes and potential conflict even further.   Companies are being asked to design and implement more robust and targeted internal controls. That is a positive development. Companies will have to comply with this requirement.  On the other side of the scale, companies and individuals will face increased prosecution s risks, even criminal for failing to implement, or circumventing more robust internal controls.

A company may avoid a specific control for fear that it and its executives could be prosecuted for violating a more definitive and specific control. That specific control may be a positive factor from a compliance standpoint but the government’s willingness to enforce that specific control under criminal law may deter the company from enacting the control.

My concern may be overblown given the reasonableness of prosecutor’s discretion but the law is the law, and a violation of the law raises the risk of prosecution. Companies have to take note of this situation and they have to make important decisions on the tradeoffs.