Updated: Jul 4
Prashant Mara and Devina Deshpande
In February 2019, Cognizant Technology Solutions Corporation (“Cognizant”) agreed to pay USD 25 million to the US Securities and Exchange Commission (“SEC”) to settle violations of the anti-bribery, internal accounting controls and recordkeeping provisions of the US Foreign Corrupt Practices Act (“FCPA”). In addition, two former high-ranking officials of Cognizant were individually charged with authorizing USD 2.5 million in bribe payments to a government official in India. According to a subsequent filing with the SEC in September 2021, Cognizant has also committed to pay USD 95 million to investors to settle allegations of defrauding shareholders by hiding bribes to officials in India.
While the Cognizant case is a more recent example, it is far from the sole instance of FCPA enforcement action stemming from a company’s business interests and activities in India. However, it is the targeting and prosecuting of individual officers for bribery-related misconduct that is of particular interest, and the focus of this assessment.
Individual liability and overseas risks
A historic review demonstrates that FCPA and UKBA enforcement actions and penalties have largely been directed against corporations. That said, it is critical to recognize that the FCPA and the UKBA expressly contemplate individual liability, and the Cognizant case is an illustrative matter in this respect. The question this enforcement action throws up is how culpable an officer of a company should be for the action to get personal.
Very often, bribes are ‘disguised’ in accounting records as legitimate payments (such as fees or commissions to consultants). In Cognizant's case, sham change order requests (allegedly authorised by certain officers of the company) were said to have been used to conceal the payments it made to reimburse the construction firm for the bribes extended to the government officials in a construction project in India.
While this is just one example, during the course of investigations we have conducted in various similar such cases, consultancy/agency agreements, payments to vendors and sub-vendors, supply/services purchase orders, marketing services payments, HR events and even team offsite budgets have been used to disguise bribes.
In some of these cases, it may be extremely tricky, if not impossible, for officers at a senior level (sitting in India, US, UK or any other part of the world) to verify every accounting entry and check real expenses versus the paperwork that is produced on the ground. Where senior level officers have to rely on the paperwork produced, questions on whether they exercised sufficient diligence while approving those payments and whether sufficient processes were put in place to verify those expenses become key issues to consider while fixing individual responsibility.
One other important element that needs to be kept in mind is whether investigations in the US or the UK trigger investigations or reporting requirements under local regulations such as the Prevention of Corruption Act (POCA) in India. Unlike the FCPA and UKBA, the focus of POCA is to fix individual liability via criminal prosecution. Monetary settlements equivalent to the FCPA or UKBA are not available under POCA and prosecution tends to be a long and painful process for all those confirmed without reaching finality in many instances.
Officers and directors are particularly vulnerable when it comes to operations in sectors that are licensed and/or heavily regulated (such as alcohol and defence), industries with regular interface with government officials (land and infrastructure) and heavy reliance on third parties (given that the FCPA penalises indirect bribes, even in the absence of actual knowledge of the corrupt payment).
These risks are not endemic to one country, and as many high-profile prosecutions have proven, infractions tend to be across many jurisdictions with the tacit or explicit participation of various individuals and a general breakdown or bypassing of compliance and governance mechanisms.
Precautionary measures to mitigate risks to officers and directors start with three major points -
Being aware that 'knowledge' of a corrupt practice can be attributed in many different ways across various regulations. Therefore, meaningful mechanisms (whistleblower lines, reporting mechanisms via HR or factory managers, third party audits etc.) should be in place which enable the officer/s to become aware of red flags in terms of risks.
Once red flags are triggered, the next threshold requirement is how the officer/s concerned reacted and what was done to get to the bottom of the matter. Were enquiries conducted with due alacrity and gravity, were suitable actions taken to remedy gaps, were suitable disciplinary measures taken etc., become critical questions and the answers should stand the test of diligence and due process in hindsight as these are always called to question post facto.
The officer/s' behaviour and reaction to law enforcement investigations and disclosures made in good faith become critical to determine final liability.
In a perfect world, all three above work seamlessly which enables the officer/s to justify their actions (or the lack thereof) and completely avoid liability on the basis that they have always acted to comply to the best of their ability. However, we have seen time and again, that there is no perfect set of facts that can be presented in the course of an investigation which always analyses action (or omissions) in hindsight.
The goal of compliance and governance mechanisms should be to put in place procedures which make it difficult for any investigation to individually attribute liability by giving the officers sufficient tools in the forms described above to be able to resist liability.