By: Todd Steggerda & Edwin O. Childs, McGuireWoods LLP
Let’s start with the good news. Companies that do business with the government often reap substantial rewards. The bad news is that they must do so in a souped up enforcement environment most others businesses do not face. Todd Steggerda and Edwin Childs know their way around the government-contracting ecosystem. Below they discuss what it takes for companies to stay on the right side of these unique and demanding customers. Their remarks have been edited for length and style.
MCC: Anti-corruption enforcement activity seems to be ramping up in the U.S. and abroad, including actions aimed at individuals. In broad terms, how has the regulatory and compliance landscape for government contractors evolved in recent years?
Steggerda: As with most industries, government contracting has been subject to a significant increase in enforcement activity in recent years. The landscape is wrought with potential landmines that raise increasingly complex compliance concerns. Such concerns include increased anti-corruption actions generally (FCPA and the UK Bribery Act, among others) and the use of False Claims Act fraud-based enforcement mechanisms within the government contract space for what had typically been addressed previously in audit or claims-based fora. It also encompasses greater scrutiny on individuals’ actions, including requiring corporations to disclose all relevant facts about individuals involved in corporate misconduct in order to earn cooperation-related mitigation credit.
MCC: Earlier this year, the Department of Defense mandated that U.S. government contractors requiring access to classified information implement an Insider Threat Program. Tell us about this change and what it means for your clients.
Steggerda: Department of Defense (DoD) Instruction No. 8530.01 expressly requires contractors accessing classified information pursuant to the National Industrial Security Program to implement an insider threat program that employs user activity monitoring. This is but one of a hodgepodge of mechanisms that the government is attempting to implement in response to an increasingly active and hostile counterintelligence and cyber threat environment (Russia, China, Edward Snowden, Harold Martin, etc.). Indeed, just a few weeks ago, DoD finalized another rule requiring contractors and subcontractors to report certain cyber incidents on unclassified systems that maintain certain DoD data or which could affect contractor operations for DoD. All of these changes combined − and each independently − raise significant cost considerations and may require near-term reporting of contractor cyber events to the government when issues arise. These are mandatory requirements: contractors must comply with them or they risk losing government work, and contractors must be aware of the potential ramifications of their failure to comply.
MCC: Government contractors are subject to governmental audits, which adds a layer of scrutiny other industries do not have to be concerned about. Tell us about that and the intersection with FCPA and other compliance obligations.
Childs: The government generally has the right to audit contractor records and activities through the inclusion of FAR 52.215-2 in most types of government contracts. This subjects government contractors to a considerably higher degree of oversight (and, thus, risk) from government customers than is otherwise present in most commercial settings. Moreover, FAR 52.203-13 (required, with certain exceptions, in most contracts in excess of $5 million) mandates that contractors report credible evidence of violations of criminal laws relating to fraud, conflict of interest, bribery, gratuities, or the civil False Claims Act. Contractors are therefore not only subject to heightened customer oversight – they must also affirmatively report credible evidence of legal violations in many cases.
MCC: The risk of debarment clearly raises the stakes for government contractors when it comes to corrective actions and remedial measures associated with anti-corruption enforcement actions. Please discuss debarment and the impact on the compliance efforts of government contractors.
Steggerda: The FAR provides that the government may only contract with “responsible” entities, and the specter of debarment hangs over every internal compliance review, let alone every government enforcement action. Implementation of a robust compliance program will not only help identify and extinguish potential compliance issues before they reach the level which may trigger debarment concerns, but it will also be the first – and most important – step towards demonstrating the contractor’s present responsibility. The easier it is to show to the government that the contractor’s current compliance systems are effective, the easier it is to convince the government that debarment is not warranted
MCC: Are there recent examples that you can discuss of notable FCPA-related enforcement actions involving government contractors from which general counsel and other MCC readers can draw lessons?
Steggerda: A 2015 settlement involving IAP Worldwide Services is particularly illustrative as to the severe consequences that can come from even a limited FCPA violation. In that case, the company entered into a non-prosecution agreement (NPA) with the Department of Justice under which it agreed to pay a $7.1 million penalty related to kickbacks paid by one of its former officers to Kuwaiti government officials. The officer pled guilty to charges relating to his conduct. Even though the conduct had ceased years earlier and was apparently limited to one person, the NPA with the company also required it to implement a specific compliance program, tracking the elements outlined in the SEC and DOJ’s Resource Guide to the U.S. Foreign Corrupt Practices Act. The case serves as a stark example of the risks for non-compliance, and it evidences the importance of training all employees on such risks, both as to the company and to the individual personally.
MCC: There are so many sources of risk when it comes to global anti-corruption, anti-bribery and similar measures that it seems almost impossible to keep up. In assisting clients with developing compliance programs, where do you start? Is it possible to separate greater and lesser areas of concern in making decisions on how to allocate limited time and other resources? What do you advise?
Childs: It is absolutely possible to prioritize areas of concern when making decisions to allocate time and other resources. One of the first steps in any compliance review is to conduct a risk assessment of the company’s business practices, which will enable the company to focus on the development of a compliance program that appropriately emphasizes and addresses these issues.
MCC: Dealings with third parties, including contractors and consultants, are an ongoing concern for government contractors. Given that regulators are generally not sympathetic to company efforts to alleviate their own responsibility under FCPA and other anti-corruption laws, what can companies do to assure that they have a proper control environment in place?
Steggerda: There is no golden ticket that will absolve a company for the misdeeds of its subcontractors or consultants. Nonetheless, companies can limit their risk under the FCPA and other anti-corruption laws by expressly mandating compliance with the FCPA, the UK Bribery Act, and any other applicable requirements through their contracts. Similarly, companies must both reiterate the importance of compliance with these laws and demonstrate a commitment to terminate any relationship that fails to comply with such standards.
MCC: Regulators expect companies to have robust compliance programs, but defining just what that looks like is not easy. Tell us how you advise companies on developing compliance infrastructures that can help assure enforcement authorities, if and when they come calling, that the organization is invested in current best practices?
Childs: The most basic step in helping assure enforcement authorities about an organization’s investment in compliance best practices is to ensure that a robust, up-to-date compliance program is in place. Based on DOJ and SEC guidance, this program, at a minimum, should:
- evidence high-level commitment to compliant business practices
- include detailed policies and procedures specifically addressing, at a minimum, the company’s highest risk practices (e.g., gifts, hospitality, entertainment, expenses, travel, political and charitable contributions, facilitation payments, and solicitation/extortion) and appropriate financial and accounting controls and recordkeeping practices
- provide for a periodic, risk-based review of the company’s practices
- ensure proper independence from the company’s business organization and oversight;
- establish robust training and internal guidance materials
- allow for internal reporting and investigation of complaints and ensure adequate enforcement and discipline for violations of applicable policies; and
- institute mechanisms for appropriate risk-based due diligence of business partners.
Moreover, when an enforcement action ensues (e.g., upon the issuance of a subpoena), organizations are best served to immediately establish professional working relationships with any investigating agency and to conduct a thorough internal inquiry. These actions are key to establishing a cooperative working environment in which the agency is more likely to engage with and consider the company’s positions on relevant issues.
MCC: Most non-government contractors have the option to self-disclose FCPA infractions, but that does not seem to be available to government contractors given the oversight of the Defense Contract Audit Agency. Is that right? Are there alternatives available to government contractors?
Steggerda: Contractors should always consider self-disclosing violations to the government. As a purely technical matter, whether a disclosure is “mandatory” depends on whether the Contractor Code of Business Ethics clause (FAR 52.203-13) is included in the contract. If the clause is included in a contract (e.g., most contracts in excess of $5 million), then the contractor must disclose credible evidence of violations of federal criminal law involving fraud, conflict of interest, bribery, gratuities or of the civil False Claims Act, or it risks a breach of contract claim. In any event, the contractor risks debarment for a “knowing failure” by a principal to timely disclose to the government, among other things, credible evidence of a violation of those same legal requirements in connection with the award, performance or closeout of the contract or a subcontract thereunder. In our experience, disclosure under these provisions does not prohibit the contractor from receiving cooperation-based mitigation credit.
MCC: If there was a single piece of advice you could give to a company just beginning to contract with the government, what would it be?
Steggerda: Any company beginning to contract with the government should fully assess the wide range of obligations with which the company must comply when entering the federal space. Contracting with the government can bring significant opportunities, but it also raises considerable risks and requirements that commercial companies do not typically encounter in their day-to-day business. Ensuring that, upon entering the federal space, you understand these obligations and meet these requirements through the implementation of robust and effective compliance systems goes a long way to avoiding troublesome and costly enforcement proceedings in the future.
Todd Steggerda is Chair of the Government Contracts Practice and leader of the Defense and Government Contracts Industry Team in the Washington, D.C., office of McGuireWoods LLP. He can be reached at firstname.lastname@example.org. Edwin O. Childs, an Associate with the Government Contracts Practice in the Washington, D.C., office of McGuireWoods LLP, represents aerospace, defense and technology companies. He can be reached at email@example.com.