On December 26, 2018, the Securities and Exchange Commission (“SEC”) announced a settlement with communications technology firm Polycom, Inc. (“Polycom” or the “Company”) for violating the books and records and internal accounting controls provisions of the Foreign Corrupt Practices Act (“FCPA”) in connection with a scheme to bribe Chinese government officials. Under the settlement, Polycom agreed to pay the SEC approximately $12.5 million in disgorgement and prejudgment interest and a civil money penalty of $3.8 million. The Polycom settlement illustrates the liability that can arise from reliance on third-party agents such as distributors, but—as explored below—also presents a missed opportunity for the SEC to provide some clarifying guidance for companies looking to avoid similar outcomes.

SEC’s Theory of Internal Control Failures

According to the SEC, from 2006 through 2014, senior managers at Polycom’s China subsidiary provided “significant discounts” to Polycom’s distributors or resellers. They did so “knowing and intending” that the distributors and resellers would use the discounts to make payments to Chinese officials in exchange for those officials’ assistance in securing business. The SEC also determined that employees and managers at the China subsidiary made extensive efforts to conceal this conduct, recording payments in an off-the-books system and instructing sales employees not to use their Company email addresses in conducting this business.

Notwithstanding the “knowing and intentional” efforts undertaken by the culpable employees in Polycom’s Chinese subsidiary to circumvent Polycom’s internal controls and make false representations to conceal their misconduct, the SEC found that Polycom lacked “adequate” controls that could have prevented, or detected, the misconduct.

The SEC’s legal theory is, in several ways, at odds with the facts set forth in the order.  For example, the fact that the culpable employees created a secret, parallel system to record the details of the improper payments suggests that Polycom’s actual centralized database was an effective control system.  The claim that Polycom’s internal controls were ineffective would be more understandable—for example—had the illicit details of the improper payments been entered into Polycom’s centralized database, but never caught due to a failure to monitor or review those entries.

Instead, the SEC’s order acknowledges that Polycom personnel outside of China were unaware of the existence of the parallel system, given that it was carefully hidden.  What’s more, the SEC’s order describes how discounts above a certain threshold were required to be approved by Polycom personnel outside of the Chinese subsidiary, and noted that, when those approvers sought information regarding the reasons for particular discounts, the culpable employees “always cited legitimate concerns” such as end-user budget constraints.  In other words, Polycom had in place an internal control by which personnel outside the Chinese subsidiary would monitor higher-threshold discounts.  And that internal control was intentionally circumvented by the culpable employees who provided a false basis for the discount requests in order to achieve approval.  In this way, the fact pattern again seems to support the conclusion that Polycom did have an effective internal control, and that the internal control was being enforced (i.e. the non-Chinese personnel were seeking information regarding the reasons for the particular discounts).  At least based on the facts provided in the SEC’s order, there appeared to be no reason why personnel outside of the Chinese subsidiary would have detected the fraudulent activity.

In terms of identifying any specific examples of how Polycom could have better detected or prevented the fraudulent activity, the order only provides three possibilities:

  • First, it notes that Polycom did not translate “certain anticorruption training materials” into the culpable employees’ local language. The order provides no further detail on this front—for example, were Polycom’s actual anticorruption policies and procedures translated into the employees’ local language?  Were some, but not all, of Polycom’s anticorruption training materials translated?  And, even if “certain” training materials were not translated into Mandarin, were the culpable employees able to comprehend English?
  • Second, the SEC order notes that Polycom “frequently” did not “follow up if Polycom China personnel did not attend anticorruption trainings.” Does this mean that the culpable Chinese employees were among the personnel who did not attend the training?  It is unclear from the order whether there is any overlap in that regard.  Furthermore, given the lengths that the culpable employees went to in order to conceal their misconduct, it seems fairly probable that the employees were aware that their activities were not permitted under Polycom’s anti-corruption policies, and proceeded in spite of that knowledge.

In this way, the SEC’s order does not provide any clear causal connection between the untranslated anti-corruption training program materials or the missed attendance at the anti-corruption trainings, and the misconduct in question from the relevant culpable employees.

  • Lastly, the order notes that, “as part of a 2013 due diligence procedure,” Polycom became aware of “allegations” that one of its Chinese distributors had “years prior” made an improper payment to a Chinese government official, but Polycom nonetheless continued using this distributor. The order does not indicate whether this distributor was among the distributors that engaged in the Polycom China bribery scheme.  It also does not provide clarity on how old the “years old” allegations pertaining to the distributor were, or whether those “allegations” were ever substantiated. 

“Reasonable Assurances” or Strict Liability?

Without more detail than that provided in the settlement order, the SEC appears to be advancing a legal theory more akin to strict liability—essentially, the fact that the culpable employees at Polycom’s Chinese subsidiary were able to circumvent Polycom’s internal controls to make improper payments means—by definition—that the internal controls were “inadequate” or “insufficient.”

This case presents a potentially aggressive expansion of the law, given that the FCPA does not actually mandate an infallible system of internal controls, but rather requires that issuers devise and maintain a system of internal accounting controls “sufficient to provide reasonable assurances” that transactions are executed lawfully.  The statute goes further to define “reasonable assurances” as the degree of assurance that “would satisfy prudent officials in the conduct of their own affairs.”

At least from an outsider’s perspective, based on the description provided in the SEC order, Polycom appears to have had in place strong internal controls that were being actively enforced and monitored during the relevant time period.  And, it is worth noting that the FCPA separately prohibits individuals from “knowingly circumvent[ing]” a system of internal accounting controls.  In Polycom’s case, the SEC order acknowledges that the company’s internal controls were knowingly circumvented by culpable employees.

DOJ Declination

Finally, it is important to note that the SEC settlement was announced along with a decision by the Department of Justice (“DOJ”) not to prosecute Polycom, contingent upon Polycom’s payment of additional disgorgement to the DOJ of approximately $20.3 million.  The DOJ’s declination in this case is consistent with the DOJ’s Corporate Enforcement Policy (“Policy”), which was announced in late 2017 and seeks to encourage voluntary disclosure of misconduct. The Policy provides for a presumption of declination if companies (1) voluntarily self-disclose the misconduct; (2) fully cooperate; and (3) timely and appropriately remediate.  In declining to prosecute Polycom, the DOJ cited the Company’s satisfaction of each requirement.

Even though Polycom met the requirements for declination under the Policy, it bears emphasizing that the DOJ still required a substantial disgorgement payment before it agreed to forgo prosecution. As a result, the Polycom settlement also serves as a reminder that even corporations not prosecuted under the Policy must pay all applicable disgorgement, forfeiture, and restitution related to the misconduct—in this case, amounting to tens of millions of dollars.