Regulators within the Trump administration have sent a loud message that should concern all multinational automotive companies: laws governing international activities continue to be the subject of intense enforcement activity, leading to record fines in such areas as U.S. economic sanctions administered by the Office of Foreign Assets Control (OFAC), export controls (the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR)), and the Foreign Corrupt Practices Act (FCPA).
Many multinational companies maintain operations in China and Mexico, and these countries present issues under the FCPA (frequent bribery requests), OFAC sanctions (limitations on dealings with Iran, Syria, Russia), and export controls (controls on shipments of U.S.-origin goods to embargoed countries as well as restrictions on products that have dual-use capabilities, such as being useful in chemical and biological weapons production). Further, now that President Trump has withdrawn from the Joint Comprehensive Plan of Action, which eased the sanctions on Iran, the specialty sanctions that targeted the Iranian automotive industry have “snapped back” and now once again pose compliance challenges for the automotive industry.
In light of these developments, this blog entry summarizes the most recent enforcement activity of concern to automotive-sector companies, as well as the steps that these companies can take to identify and mitigate the risk of costly enforcement actions under these international regulatory regimes.
Recent Enforcement Activity Shows U.S. Government Willingness to Impose Record Penalties for Violations of International Regulations
Under the Obama administration, enforcement of the FCPA, export controls, economic sanctions, and AML regulations was steady and strong. Although the numbers varied year by year – mostly due to timing issues related to when large matters were settled – it was not uncommon to see large enforcement settlements that individually surpassed the $100 million level, with total penalties in many years reaching into the billions.
Any thought that the Trump administration might take a more lenient approach toward these international regulations has been laid to rest by the strong record of enforcement under the current administration, as underscored by two recent enforcement actions.
First, Panasonic agreed to pay $280 million to resolve FCPA offenses for payments to consultants of its U.S. inflight entertainment unit in the Middle East and Asia, including the payment of $143 million in disgorgement to the Securities and Exchange Commission. In both cases, the resolutions were related to activities of Panasonic’s U.S.-based subsidiary, Panasonic Avionics Corporation. According to the U.S. government, senior management of Panasonic Avionics established a bribery scheme to pay a Middle Eastern government official more than $900,000 for a “purported consulting position, which required little to no work,” allowing Panasonic Avionics to help gain over $700 million in business from a state-owned airline. The U.S. government further stated that Panasonic Avionics concealed the payment “through a third-party vendor that provided unrelated services” to Panasonic Avionics and then allegedly falsely recorded these (and other) payments in its books and records. Other payments related to Asian sales.
The Department of Justice (DOJ) gave Panasonic Avionics a 20 percent discount off the low end of the U.S. Sentencing Guidelines fine range because of the cooperation of the company and what the DOJ characterized as strong remediation efforts, including the severing of several senior executives who were either involved in or aware of the misconduct by Panasonic Avionics or Panasonic. Nonetheless, because the remediation efforts only recently had been instated, the deferred prosecution agreement provides for a two-year independent monitor, followed by an additional year of self-reporting.
Independently, the Department of Commerce’s Bureau of Industry and Security (BIS) took the unusual step of suspending an export control settlement deal with Chinese telecom equipment maker ZTE Corporation, while at the same time revoking the export privileges of the company. ZTE Corporation was operating under a settlement of claims that it had violated U.S. export control and economic sanctions regulations by engaging in 251 transactions with persons in Iran or with the Iranian government. These transactions had last year resulted in the largest-ever export controls penalty – nearly $1.2 billion, with $300 million of it being suspended during a seven-year probationary period. As a result of the export ban, the ability of ZTE to export any goods or technical data from its 14 offices and six research centers in the United States will be virtually eliminated until March 13, 2025, thereby endangering the ability of ZTE to take a leading role in the rollout of next-generation 5G wireless technology.
These settlement actions illustrate the ability of U.S. regulators to discover and punish violations of U.S. international regulations, as well as the willingness of the Trump administration to impose groundbreaking penalties. In light of the aggressive enforcement mentality of the U.S. government, this blog entry provides practical guidance to help multinational automotive companies to identify their risk and determine whether they are putting sufficient resources into dealing with those identified risks. For any multinational automotive-sector company that has not gone through such an exercise in the last few years, systematically working through the 12 steps is likely to lead to a significant payoff for ameliorating the organization’s risk profile through an effective compliance system.
Identifying International Regulatory Risk
As illustrated by the record export controls penalty against ZTE (almost $1.2 billion, followed by a denial of export privileges) and the Panasonic FCPA settlements, the risk of severe enforcement actions under the Trump administration for violations of international regulations continues to be high. Yet many multinational automotive-sector companies find themselves in a quandary regarding how best to identify their international regulatory risk. This section summarizes the typical steps that most multinational companies should consider when determining their unique risk profile and evaluating whether they are devoting sufficient resources to managing that risk.
Step 1: Secure Buy-In at the Top
Many automotive-sector companies looking to implement an international regulatory compliance program start by drafting a written compliance policy. But long before it comes time to draft the policy, a well-thought-out compliance strategy will look to put in place the underpinnings of the compliance program. Chief among these is the need for consistent management support for compliance initiatives.
Although the phrase “tone at the top” encapsulates management support, the concept requires more than just support from the CEO and other top management officials. When properly executed, the idea of tone at the top is a pyramid, with the concept of “doing the right thing” and respect for compliance flowing down from the CEO to personnel at all levels. Senior management ensures it is known that compliance has full support at the top, and that compliance has the resources to function properly, while also trying to ensure that respect for compliance with legal and company mandates flows through the company.
Management support is especially important for companies with international operations. The connection between the sales and operational activities of international subsidiaries, on the one hand, and regulatory risk management and adhering to the requirements of U.S. law, on the other, can appear tenuous when viewed by far-flung actors. The reality, however, is these far-off operations often represent the highest regulatory risk. This may mean that the organization must pay special attention to these foreign subsidiaries so it can reinforce the compliance message and its importance to the overall organization.
Senior management must set a strong example. It should be common knowledge that compliance rules apply across the entire organization, including for senior personnel; that the company promptly follows up on credible red flags; and that the company is willing to walk away from business that requires stepping too close to the risk threshold. People throughout the organization, whether in the United States or elsewhere, should realize there are consequences for compliance missteps. Through these means, senior management can communicate its respect for compliance throughout the organization.
Step 2: Perform a Risk Assessment
The compliance obligations of multinational corporations are more complicated than those of domestic organizations. A corporation that operates internationally automatically takes on additional compliance responsibilities under laws and regulations that target international conduct, as well as new sets of foreign laws, all while shedding none of its domestic compliance obligations. Multinational automotive companies tend to be larger, which increases the importance of establishing systematic compliance procedures. Multinational automotive corporations often have magnified logistical difficulties, such as coordinating compliance standards and training across disparate divisions and affiliates, dealing with employees with cultural and language differences, and dealing with general skepticism regarding the application of U.S. law outside the United States. These and other factors can increase the difficulty of creating and maintaining multinational compliance standards.
To help control these issues, the second step for multinational automotive companies should be to perform a risk assessment to determine how these factors impact their compliance obligations. A risk assessment is a survey of the company’s operations to determine the exposure of the organization to various forms of regulatory risk, considering both the likelihood and the severity of possible violations and the current enforcement priorities of the relevant authority.
The importance of the risk assessment lies in the recognition that it is not possible to eliminate all regulatory risk. Since organizations need to minimize the risk of violations, while coping with the reality that they have limited resources to put into risk mitigation, they need guidelines for allocating their scarce compliance resources. The risk assessment provides this guidance by assembling data needed to create an organization-wide risk profile.
Compliance at international organizations should be tailored to the organization, taking into account all factors that bear on the risk profile of the organization. For automotive-sector companies, items to consider include U.S. government enforcement priorities, prior compliance issues within the organization, risks and trends in the industry, and recent changes in the scope of operations of the organization. If the company is engaged in automotive extraction, all contacts with the government – whether as part of the approval process, procuring extraction rights, negotiating leases, dealing with Customs, and so forth – need special scrutiny. Areas of the world that If the company needs to deal with foreign state-owned entities, it needs to realize that even though these companies operate in a commercial fashion, the FCPA still treats all employees of these companies as foreign officials. Such changes are frequent sources of weakness if they are not mirrored by changes in compliance oversight.
A typical way for automotive-sector companies to proceed with a risk assessment is to survey business units that represent areas of high regulatory risk. Questions for an anti-corruption survey, for example, might examine whether the relevant stakeholders often deal with state-owned automotive companies, whether they have frequent interactions with government regulators, whether there is significant entertaining of non-U.S. persons, whether the organization does significant business in countries known to have a reputation for corruption, and whether the company does significant business in the United Kingdom (which can draw the UK Bribery Act into play). For export controls, the relevant topics to explore would include whether the organization deals with controlled items or controlled technologies; whether the company deals with items on the U.S. Munitions List (USML) or modifies commercial items for military use or to meet military specifications; whether the company has recently conducted a classification review; the degree to which non-U.S. nationals potentially have access to controlled technical data; whether the organization sells products that rely on encryption; and whether there are sales to known diversion points (the Middle East, Mexico, Russia, Pakistan, and so forth). For economic sanctions, relevant topics to cover would include whether there are sales by non-U.S. subsidiaries to sanctioned countries or specially designated nationals, whether there are sales to known diversion points, and whether the organization as a whole maintains adequate screening for SDNs (Specially Designated Nationals, or persons who have been sanctioned under U.S. law as being off-limits for business transactions and financial dealings). Finally, an anti-boycott risk assessment would examine the extent of dealings with Middle Eastern countries and with firms operating out of that region.
One thing to remember is that the conduct of a risk assessment can lead to the discovery of potential regulatory violations. The company accordingly should have the risk assessment conducted in a way that stresses confidentiality, with the exercise, if possible, being overseen by an attorney so that it can be conducted under the rubric of attorney-client privilege. Doing so could be important if the investigation uncovers evidence of apparent violations.
Once the risk assessment is complete, the results should be carefully evaluated to determine where the areas of greatest compliance concern lie. The results can be distilled down to a company-wide risk profile, which can guide the allocation of compliance resources. The results can then be used for such useful exercises as determining which areas merit the greatest attention, which areas likely need additional internal controls, whether there are patterns of deficient compliance (based on geography, product lines, subsidiaries/divisions, etc.), and whether the basic knowledge of the relevant legal requirements appears to be in place. By formalizing the results in a risk profile, the corporation can determine the appropriate way to manage the identified risk.
Step 3: Survey Current Controls
Step 3 involves surveying current compliance procedures and internal controls and determining whether these measures match the identified risks. Most larger multinational corporations already have some kind of compliance procedures in place, whether in a formal compliance program or at least ethics provisions in the code of conduct. In determining how to proceed, these procedures are the best starting point. The company should assess the current compliance program to see if its compliance measures and internal controls line up with its risk profile.
The evaluation should consider whether the plan properly covers the following aspects of the company’s risk model:
- Does the plan reflect all of the circumstances that may put the organization at risk of a violation? Is it based upon a realistic risk assessment that is up to date and consistent with the company’s current circumstances?
- Does the program cover all aspects of the business that operate or sell overseas?
- Does the plan extend to any business units that might have dealings with non-U.S. officials, whether in a procurement, regulatory, or other role?
- Does the plan include model procedures and training for non-U.S. consultants and business partners with whom the organization does business?
- Does the compliance program reflect the nature of the firm’s foreign business operations and the extent to which they are subject to government control or influence?
- Does the compliance program contain adequate procedures to ensure that the firm can monitor disbursements and reimbursements?
- Does the plan contain adequate internal controls to help buttress the compliance procedures?
- Does the plan compare well with codes of ethics and compliance policies used by comparable businesses in the industry and in the countries where the firm operates?
In making these determinations, the company should consider its general risk profile, not just the risks related to the specific legal regime. Problems in multiple areas may indicate a careless corporate culture toward compliance issues.
Another key issue that should be covered in the compliance survey is whether the program covers the identified outside actors who can expose the organization to the risk of a regulatory violation. The U.S. government considers all affiliates, joint ventures, agents, distributors, suppliers, subcontractors, and other third parties to be extensions of the organization. The organization should evaluate whether the controls and compliance procedures extend appropriately to any person or entity with which it is affiliated and whether that entity may cause third-party liability.
Where anti-corruption is concerned, organizations operating abroad need to assess whether the current plan adequately covers the regulatory risk posed by resellers, vendors, consultants/agents, sales representatives, joint venture partners, freight companies, customs brokers, and any other third party that could be viewed as being a source of bribes while representing the interests or carrying on the business of the U.S.-based company. Where exports and sanctions are concerned, the organization must consider not only its own affiliates (joint ventures, agents, distributors, and so forth), but also the risk profile raised by its own customers who might be diversion risk points. Where anti-boycott is concerned, the organization should consider whether it has agents who might be viewed as providing information on behalf of the organization, and therefore might provide boycott-related information to countries cooperating with the Arab League boycott of Israel.
Step 4: Identify Available Resources
It does little good to identify regulatory risk if the organization is not putting resources into managing that risk. Appropriate risk management requires matching compliance promises and expectations to the available resources, and vice versa.
No compliance initiatives will work without adequate support. Once the company has identified the risk and necessary controls relating to those risks, it should develop a realistic sense of the cost of a program and the resources needed to run it. Senior management should sign off on the budgeting, with the understanding that the company will need to invest time and resources to maintain the program on an ongoing basis.
Without proper resources, a corporation risks compliance failure. Compliance can be expensive, so a company should decide at the outset that it will budget adequate funds and employ sufficient resources to follow through on its compliance initiatives. In determining whether sufficient resources are available, the company needs to consider that success in compliance efforts takes a commitment of both tangible company resources (hiring people and spending money on due diligence) and intangible ones (setting aside employee time for training). The resource identification should take a candid look at whether the company is adequately funding current compliance efforts. If the company has put in place a program that demands substantial due diligence of every foreign agent hired, for example, but has not adequately funded such activities, then the company should view this as a compliance failure. Viewed in an enforcement context, the corporation would look like it has failed to meet its own compliance standards.
In the international realm, some of the most common areas where compliance resources tend to lag include:
- Anti-corruption. Promises of systematic due diligence for vetting agents, distributors, joint ventures, and other third-party entities; adequate oversight of the activities of third-party intermediaries; resources to conduct compliance audits; adequate training of overseas actors.
- Economic Sanctions. Resources for systematically checking the SDN and other blocked lists; allocating adequate resources for “know your customer” diligence; adequate training of overseas actors; failure to reflect new rules regarding what subsidiaries of U.S. companies can and cannot do.
- Export Controls. Inadequate classification of controlled items and technical data; failure to implement “know your customer” guidelines for end-use and end-user controls; failure to take into account potential diversion risks; failure to check the SDN and other blocked lists.
- Anti-boycott. Resources for reviewing contracts, purchase orders, letters of credit, certificates of origin, bills of lading, and other commercial documents.
To avoid these and other promise-resource mismatches, the organization should, with a clear and open mind, compare its identified risk profile with the inventory of current policies and internal controls, to determine whether there are any gaps between the two. Once such gaps are identified, the organization can, using normal risk-based principles, determine the best order and way to remedy the resource misallocation, whether by reallocating existing compliance resources, finding new sources of funding, or readjusting the compliance procedures.
* * *
With the Trump administration continuing to impose hefty penalties for violations of U.S. regulations of exports and international conduct, regulatory risk management continues to be essential for all multinational companies. This is especially true for automotive-sector companies that operate abroad. Any multinational automotive company that has not conducted a risk assessment in the last two years should take the compliance lessons of the Trump administration to heart and make a fresh evaluation of its international regulatory risk.
A risk-assessment toolkit, including a detailed risk-assessment questionnaire, an International Compliance Guide, and a guide to conducting internal investigations (should compliance break down) is available by contacting the author at email@example.com or +1 202.945.6149.