The FCPA and How to Protect Your MSP from Litigation
For this article, I’m handing over to guest blogger Robert Baugh. Robert is the Founder and CEO of Keepabl, a Powerful Compliance-as-a-Service for MSPs. Here, Robert explains the Foreign Corrupt Practices Act (FCPA) and its impact on Managed Service Providers (MSPs).
Recently, Richard explained to me that MSPs and IT providers often ask him, “What is the FCPA?” and “When I’m answering RFPs, do I just tick ‘yes’ to FCPA and move on?”
Well, if you’re wondering the same things, there are some immediate points your questions raise:
- Saying ‘yes’ when you know the answer is ‘no’ is not a good strategy. It opens you up to loss of business and legal liability. The good news is that it’s pretty straightforward to get to a position where you can stand behind your answer
- Don’t forget the UK has its own Bribery Act, which will apply to you if you’re in the UK – and possibly even if you’re not. Every UK MSP should look at this and have documented their position
- Covering off your anti-bribery obligations shows you’ve thought about your compliance issues – and issues relevant for your customers – and can win business
- If you’re still not convinced, directors and officers can have personal liability
We’re clearly talking about laws here, so the standard disclaimer applies to this blog: it was written in December 2020, it’s information only, not legal advice, and you should always consult your legal advisor!
OK, with that caveat said, let’s crack on and demystify this key compliance area.
Bribery
The FCPA is very well-known, probably better-known in the UK than the UK’s own Bribery Act. Both target bribery, although slightly differently. We’ll summarise ‘bribery’ as:
- offering or accepting
- a payment or some other non-money advantage (even just behaving in a particular way)
- to get an advantage for yourself or your entity.
Key differences between the laws include that the FCPA applies mainly to bribing foreign officials, although it also covers accounting practices; the UK Act extends to B2B bribes; and their extra-territoriality rules are different.
But you don’t bribe anyone, do you? OK, so far, so good!
Even so, there are some simple steps you can take to manage that risk further, and some that you should take to comply with the law that applies to you.
The larger you are, the more you’ll need and want to do to ensure that your staff, near and far, comply with your legal, ethical and moral obligations.
These steps can also give you a full defence to certain offences under the UK Bribery Act.
Does the FCPA Apply to You?
Like most national laws, the US FCPA applies directly to residents and legal entities of the US.
So, US MSPs should look carefully at their FCPA obligations – it’s definitely not a simple tick-box exercise.
However, the US FCPA can also apply to non-US residents and legal entities (such as UK MSPs) if:
- Your shares are listed in the US, which is perhaps rare for a UK MSP, or
- You cause a corrupt payment to be made in the US, directly or indirectly
A quick look at the SEC’s FCPA page shows recent fines for Barclays Bank, which recruited relatives of foreign officials in the Asia-Pacific region to win or retain business.
Another example is the Italian energy company Eni, which was fined for making improper payments in Algeria (and, earlier, in Nigeria to win state contracts).
However, it would be rare for the FCPA to apply to the typical UK MSP: a private UK company not listed in the US, only based in the UK, and with no customers or activity outside the UK.
But if, for example, you’ve got US customers, then you should look at the FCPA in more detail and document your approach.
Don’t Forget the UK Bribery Act!
The UK Act’s been around for 10 years already, and it directly applies to all UK residents and entities, such as UK MSPs.
As we said, it also applies to B2B situations, not just bribery involving public officials. And like the FCPA, it has its own extra-territorial application rules. It can also apply to:
- You wherever you are if you carry on a business in the UK
- Your actions globally if you’ve a ‘close connection’ with the UK (eg, you’re a British national, resident, or entity)
- You wherever you are if the covered activity takes place in the UK
Gifts and Hospitality
The topic of gifts and hospitality is a big subject, outside the scope of this blog!
However, as you can imagine, there’s room for transparent, smaller gifts and hospitality not intended to influence decisions, whereas over-sized generosity given with a wink is likely an attempted bribe.
But, do remember that the US is more litigious and you’ll want to review all the FCPA guidance carefully.
Helpfully, the UK Government’s Guidance is very clear that genuine hospitality isn’t prohibited by the UK Act.
What You Can Do Now
You’ll want to:
- Document whether the FCPA or UK Bribery Act applies to you
- Carry out a risk assessment
- Create an Anti-Bribery Policy and a Gifts & Hospitality Policy – there are plenty of examples online to start from, and you’ll want to give examples of what falls into ‘hospitality’ and what falls into ‘bribery’
- Train your staff and those acting on your behalf
- Keep it all under periodic review
A nice aspect of the UK Act, as the UK Government Guidance notes, is: ‘There is a full defence if you can show you had adequate procedures in place to prevent bribery. But you do not need to put bribery prevention procedures in place if there is no risk of bribery on your behalf.’
Remember that having a policy that you’ve carefully created, trained your staff on and keep up to date can also be a very good sales tool.
To help, there are official resources online, such as the UK Government Guidance we mentioned above, and the DOJ Guidance and SEC Guidance on the FCPA, and plenty of publications from private firms, such as PwC.
Good luck and take heart – it’s very satisfying to crack a compliance area and this is a straightforward one to do. Now, did we mention modern slavery…
So, what are your thoughts on the FCPA? Have you had any problems around compliance or the GDPR legislation? Leave a comment below and let us know!
Author Bio
Robert is the Founder and CEO of Keepabl, a SaaS company which makes your GDPR life easier.
Keepabl helps clients identify privacy risks and conduct gap analysis, and spot security breaches.
You can connect with Robert Baugh on LinkedIn or follow @RJBaugh on Twitter.