On December 17, 2012, the Securities and Exchange Commission (“SEC”) announced a settlement under the U.S. Foreign Corrupt Practices Act (“FCPA”) with Allianz SE (“Allianz”), the insurance company based in Germany, resulting in $5.3 million in civil penalties and more than $7 million in disgorgement and interest.  The settlement stemmed from a two-year investigation into allegations that an Allianz subsidiary paid bribes to government officials in Indonesia over a seven-year period and violated the FCPA’s books and records and internal controls provisions.  The Department of Justice (“DOJ”) started its own investigation into potential criminal liability for Allianz, but closed its case in 2011 with a declination letter, an event that was reported in the Wall Street Journal.

According to the SEC order, Allianz had 295 insurance contracts on large government projects that it obtained by making approximately $650,000 in improper payments to Indonesian officials between 2001 and 2008. The contracts allegedly resulted in more than $5 million in profit. In addition to charging that the payments were disguised in company invoices as commission payments for third-party agents, the SEC emphasized that Allianz discovered, but did not stop, the alleged bribes.

First, payments were discovered in 2005 through an internal audit but continued to be made thereafter.  Second, in 2009, after a whistleblower’s complaint to the company’s external auditor prompted a third-party investigation, Allianz failed to report the ongoing violations to the SEC.  Finally, after receiving an anonymous complaint in 2010, the Commission launched its own investigation, and Allianz cooperated.

Although the settlement amount is relatively small, it is the first major FCPA settlement since the SEC and the DOJ published “FCPA: A Resource Guide to the U.S. Foreign Corrupt Practices Act” (“the Resource Guide”).  As such, the Allianz case provides some insight into two issues addressed in the Resource Guide: the requirements for corporate mens rea and the elements of an effective compliance program.

As we have written previously, the standards of intent are different for corporate and individual criminal liability under the FCPA.  An added wrinkle highlighted by the Allianz settlement is that, in the civil context, the SEC’s books and records and internal controls provisions have no scienter requirement whatsoever.  In the Allianz case, the SEC took the unusual step of explicitly noting the lack of a scienter requirement in its order, stating “Section 13(b)(2)(A) of the Exchange Act does not require that the amounts involved be ‘material,’ nor is it necessary to prove ‘scienter’ under its provisions” or under the provisions of Section 13(b)(2)(B) (internal citations omitted).  Although the declination does not state why the DOJ closed its criminal investigation, it seems possible, particularly given the wording of the SEC order, that an absence of scienter may have contributed to the declination.

And yet, the SEC settlement not only implies that Allianz had some corporate knowledge of the improper payments, but it also seems that this knowledge may have been a factor both in the SEC’s decision to bring an enforcement action and in the settlement amount.  At least as early as 2005, the company arguably was aware of payments to consultants, since the company’s own audit disclosed the payments. That knowledge was reinforced by the 2009 internal whistleblower case, which resulted in a third-party audit.  Although the SEC provisions do not contain a scienter requirement (and thus the SEC would not need to prove that the corporation had the level of knowledge required under the criminal FCPA provisions), the alleged failure to follow through on discovery of potential issues by implementing changes to business practices forms the basis for the internal controls charge.  In the absence of an actual corporate knowledge requirement about what happens after remedial measures are taken, what is left for internal controls charges could be called an effects test: if your company has discovered a potential violation, did your compliance program fix the problem, or not?

This point brings us back to what makes an FCPA compliance program work.  The fact that Allianz conducted an audit or followed up on whistleblower allegations on two separate occasions did not extinguish its FCPA obligations.  In 2005, Allianz directed its subsidiary to stop making the newly-discovered improper payments, but “no additional steps were taken.”  In 2009, upon discovering that the subsidiary had continued to pay bribes to government officials, Allianz conducted an internal investigation.  The SEC order does not detail the outcome of that investigation beyond stating that Allianz failed to report the conduct to the SEC. But one might infer from changes Allianz made to its compliance program after the SEC began its investigation in 2010 that similar actions were not taken after the 2009 audit.

Notably, in another internal controls case filed this month against Eli Lilly and Company, the SEC stated that Eli Lilly’s reliance on assurances and information in paperwork by intermediaries that allegedly paid bribes was inadequate diligence, and Eli Lilly should have conducted its own independent verification.

The Allianz settlement thus stresses the need not only for implementing compliance programs and corrective actions, but for testing their effectiveness as well.  Ostensibly, as the Resource Guide points out, well-designed measures taken in good faith to fix a discovered FCPA problem could be enough to avoid charges in some circumstances.  How close Allianz came to meeting that standard is hard to tell from details given in the SEC Order.  But follow-up may make the program work better, and thus be less susceptible to second-guessing by the SEC.