The Cognizant FCPA enforcement action will go down as a problematic resolution for the policy reasons mentioned in my last post.  Putting those concerns aside, there are some important lessons learned and observations that should be examined.

Credit for Pre-Existing Compliance Program: From a compliance perspective, DOJ’s declination letter explicitly credits Cognizant’s compliance program, citing “the existence and effectiveness of the Company’s pre-existing compliance program, as well as steps the Company  has taken to enhance its compliance program and financial accounting controls.”  DOJ’s credit for the “effectiveness of the company’s compliance program,” if intended, could reflect increased awareness and credit to companies that implement effective anti-corruption compliance programs.  In the past, DOJ did not explicitly award credit for a “pre-existing” compliance programs but limited such credit to enhancements made after the violations occurred.

C-Suite Risks:  The Cognizant case demonstrates – yet again – the dangerousness of C-Suite misconduct.  Last year, DOJ and the SEC brought several enforcement actions involving C-Suite misconduct (e.g. Panasonic Avionics, former CEO of Sociedad Quimica y Minera de Chile).  A company’s risk assessment and internal controls must be tailored to potential risks – a senior executive cannot have exclusive control and authority over funds.  Such accounts have to be subject to financial controls and audits in order to mitigate potential risks.

Construction Industry Risks:  While obvious, it is worth noting the nature and extent of the risks facing companies in the international construction industry (and domestic as well).  India is particularly susceptible to corruption risks given the complex labyrinth of regulatory requirements, permits and other approvals needed to complete construction projects in India.  In just the Cognizant case, a total of $3.7 million in bribes were paid for a planning permit, environmental clearance, and construction-related permits involving three significant projects.  The construction industry has significant recurring interactions with foreign government authorities relating to regulation and supervision.  As a result, companies have to devote significant attention – proactively – to design and implement appropriate monitoring and auditing protections against such risks.

Sub-Agents and Sub-Distributors: Cognizant’s third-party construction company carried out the actual bribery payments by retaining a third-party consultant to pay the Indian government official.  Cognizant and the construction company relied on a tried and true methodology – engage a third-party to carry out your dirty work.  In recognition of this fact, many third parties are themselves engaging sub-agents and sub-distributors to accomplish indirectly what they could not (or do not want) to do.  In 2018, Panasonic Avionics used this strategy to employ sub-distributors of its authorized distributors to carry out bribery schemes knowing that their sub-distributors could never pass its due diligence review system.  As anti-corruption controls become more effective in identifying third-party risks, companies have to protect themselves against sub-distributors and sub-agents as a means to avoid compliance controls and engage in bribery.

Fake and False Invoicing:  Cognizant’s reimbursement of bribery payments made by its third-party construction company was accomplished by creating and approving false invoices for change order claims.  Specifically, the approved change order contained eleven previously-rejected claims that totaled the amount of money needed to reimburse the third-party.  The mechanism for securing money for illegal purposes is nothing new – fake and false invoices are a a recurring method for criminal schemes.  Most (if not all) of these transactions do not fall within the “materiality” screen and therefore require proactive monitoring, testing and auditing strategies.

To address this issue, companies should examine the procurement to payment process – from onboarding a vendor, executing a contract, monitoring the contract performance, and paying the invoice.  In this area, it is critical to identify the functions, training relevant personnel involved in the review (e.g. accounts payable), approval and execution process, and develop effective controls to mitigate risk.