Forensics Journal - Stevenson University 2013 | Page 56

FORENSICS JOURNAL A Sticky Wicket: Transferring Protected Data from the European Union to Comply with the Foreign Corrupt Practices Act Without Violating European Privacy Laws Kathy Kirkish, CFE those entities required to file reports with the SEC are subject to the FCPA (Queler, Wu, and Chin [Sec 27.I]). According to the Department of Justice, a, “citizen, national or resident of the United States” including sole proprietorships or U.S. legal entities formed to conduct business (known as “Domestic Concerns”) are also subject to FCPA enforcement. Both Issuers and Domestic Concerns can be prosecuted for violating the FCPA when acts that occur either within the United States or outside of the United States result in payment of bribes to, “a foreign official, a foreign political party or party official, or any candidate for foreign political office” (United States Department of Justice). American multinational companies and citizens who facilitate or acquiesce to the payment of bribes by subsidiary operations to foreign officials can be found guilty of violating the FCPA. In 1998 the FCPA was amended allowing enforcement against foreign companies or foreign persons who participate in acts promoting the payment of bribes on American soil (United States Department of Justice). INTRODUCTION The Foreign Corrupt Practices Act (FCPA) requires American multinational companies to investigate all suspected violations of the FCPA, whether they occur in the United States or on foreign soil. These companies are required to report confirmed FCPA violations to the federal government. However, when the subsidiary operation is located in Europe, the transfer of the suspect’s personal data to a U.S. corporate headquarters’ office, which is necessary to investigate the alleged crime, is in violation of European privacy laws. The infringement of European privacy rights by the transfer of data, such as information that identifies the suspect’s name, contact information, ethnicity, political and religious beliefs, exposes American multinational companies to stiff monetary fines, as well as civil and criminal prosecution. The competing interests of the FCPA and European privacy laws create a predicament for American multinational companies that must transfer protected data from its European operations to its corporate headquarters in order to investigate and report FCPA violations. It may become a compliance nightmare when the data is stored in electronic form on virtual servers throughout the globe. One method by which American multinational companies can satisfy the opposing requirements of these laws is through the U.S.-European Union Safe Harbor Framework Privacy Principals Certification Program. To avoid prosecution and penalties imposed for violating a myriad of U.S. and foreign laws, it will require a savvy team of professionals to solve complex legal, technical, accounting and forensic issues when conducting investigations on foreign soil. ACCOUNTING REQUIREMENTS The Securities and Exchange Commission (SEC) oversees a corporation’s compliance with the accounting provisions of the FCPA. The FCPA requires corporations that have issued securities registered in the United States or corporations required to file periodic reports with the SEC to establish record keeping procedures that comply with General Accepted Accounting Principles (GAAP). Accurate books and records that insure the protection and truthful reporting of the company’s assets are to be maintained. The company must retain external auditors to audit its books and records (Santangelo, Stein, and Jacobs, 36). They must also implement systems, “capable of detecting and preventing improper payments to foreign officials” (Queler, Wu, and Chin [Sec 27.II]). It is not necessary for the SEC to prove intent, i.e. that an illegal payment was made to procure an unfair business advantage. The mere failure to report a payment on the company’s books or falsely report the purpose of a payment can subject the company to penalties and prosecution under the FCPA. The failure to establish a proper, “system of internal accounting controls” as well as th K8