Doc and Tell

FCPA Compliance Documentation: What You Need and How to Manage It

Priya Sharma · May 13, 2026 · 10 min read

The Foreign Corrupt Practices Act (FCPA) imposes criminal liability on US companies, US persons, and — in some cases — foreign companies with US connections that bribe foreign government officials to obtain or retain business. Violations carry substantial penalties: criminal fines up to $2 million per violation for companies (and higher in practice through disgorgement), plus individual criminal liability for executives who authorize or participate in violations.

The FCPA also imposes civil liability and — critically — affirmative obligations for record-keeping and internal controls under its accounting provisions. These accounting provisions apply to all publicly traded companies without any requirement of corrupt intent: inadequate books, records, or internal controls are violations regardless of whether any bribery occurred.

This guide covers the documentation and compliance program elements required for FCPA compliance, and how to maintain them as your business scales.

The Two Parts of the FCPA

Anti-Bribery Provisions

Prohibit offering, paying, promising, or authorizing the payment of anything of value to a foreign government official to obtain or retain business. Key elements:

  • Applies to: US persons and companies (issuers and domestic concerns), and foreign companies and persons with a US nexus
  • "Foreign government official": Broadly defined — includes employees of state-owned enterprises, which in many countries include banks, utilities, airlines, and hospitals
  • "Anything of value": Cash, gifts, entertainment, travel, charitable donations on behalf of an official, employment of an official's family member
  • Intent required: There must be corrupt intent — an intent to influence the official to use their position improperly. Bona fide gifts, legitimate travel, and reasonable entertainment are not violations.

Accounting Provisions (Books and Records)

Require publicly traded companies to:

  1. Make and keep books, records, and accounts that accurately and fairly reflect transactions and dispositions of assets
  2. Maintain a system of internal controls sufficient to provide reasonable assurance that transactions are executed in accordance with management's authorization

These provisions are strict liability — no intent requirement. A company can violate the accounting provisions even if no bribery occurred, simply by maintaining inaccurate books or inadequate controls.

The FCPA Compliance Program: Required Elements

A robust FCPA compliance program does not guarantee immunity from prosecution — but the DOJ and SEC's prosecution decisions explicitly consider the adequacy of a company's compliance program when determining whether to bring charges and what penalties to impose. The DOJ's Evaluation of Corporate Compliance Programs guidance identifies the key elements:

1. Policies and Procedures

Every FCPA compliance program must include written policies covering:

  • Anti-bribery policy: Clear prohibition on bribing government officials, with examples relevant to your business
  • Gifts, meals, and entertainment policy: What is and is not permitted, with pre-approval thresholds
  • Travel and hospitality policy: Restrictions on funding government official travel
  • Charitable contributions and sponsorships policy: Approval process for donations that could be used as conduit payments
  • Third-party risk policy: Requirements for due diligence on agents, distributors, joint venture partners
  • Facilitation payments: Many FCPA compliance programs prohibit facilitation payments entirely, even though the FCPA technically permits small payments to expedite routine government actions

Documentation requirement: Policies must be written, translated into the languages of your operating jurisdictions, and disseminated to all relevant employees. You must maintain records of policy distribution and acknowledgment.

2. Risk Assessment

A risk assessment evaluates your company's FCPA exposure based on:

  • Countries where you operate (Transparency International's Corruption Perceptions Index provides a starting framework)
  • Interactions with foreign government officials (customs, licensing, permitting, inspections, state-owned enterprise customers)
  • Use of third parties with government access (sales agents, distributors, customs brokers)
  • M&A activity that brings acquired companies' conduct history into scope

Risk assessments should be conducted initially and updated periodically — at minimum annually, and following significant business changes (new markets, acquisitions, new third-party relationships).

Documentation requirement: Document the risk assessment methodology, findings, and how the results were used to update compliance controls. The DOJ will evaluate whether your compliance program was tailored to your actual risk profile.

3. Third-Party Due Diligence

The highest-risk FCPA area for most companies is third-party intermediaries — agents, distributors, consultants, and joint venture partners who interact with foreign officials on your behalf. The FCPA holds companies liable for payments made through third parties if they knew or had reason to know the payment was for corrupt purposes.

Third-party due diligence must include:

Pre-engagement screening:

  • Identity verification and business legitimacy (are they a real business with real operations?)
  • Ownership structure (are any government officials or their family members owners or principals?)
  • Sanctions screening (OFAC SDN list, PEPs databases, EU and UK sanctions lists)
  • Reputational screening (news search for corruption allegations, regulatory actions, criminal history)
  • Verification that the third party has the qualifications and resources to legitimately perform the services

Contractual protections:

  • Explicit FCPA/anti-bribery representations and warranties from the third party
  • Audit rights allowing you to inspect the third party's books relating to the contract
  • Termination rights for breach of anti-bribery obligations
  • Requirement to comply with applicable laws
  • No cash payments; only payments to corporate accounts

Ongoing monitoring:

  • Periodic re-screening (typically annually)
  • Review of invoices and payments for red flags (payments not matching work performed, round numbers, payments to third countries)
  • Review of the third party's relationship with officials they claim to have "access" to

Documentation requirement: Maintain a third-party due diligence file for every agent, distributor, and consultant that includes the screening documentation, the contractual provisions, and ongoing monitoring records.

4. Training

Training must reach everyone with FCPA exposure:

  • All employees in high-risk jurisdictions or roles (sales, business development, finance, operations)
  • Third parties who interact with government officials on your behalf
  • Senior management and board members

Training should be:

  • Role-specific (the CFO needs to understand accounting provisions; the sales team needs to understand what they cannot offer government customers)
  • Regular (at minimum annually for high-risk employees)
  • Documented (training completion records, attendance logs, test scores if applicable)

Red flag training is particularly important. Employees need to recognize warning signs such as:

  • Requests to pay an official's "relative" or "consultant"
  • Unusual payment routing (payment to a different entity or jurisdiction than the contract counterparty)
  • Requests for cash payments or gift cards
  • Unusually high "commissions" relative to the work performed

5. Financial Controls and Books and Records

The accounting provisions require controls designed to ensure that:

  • All transactions are properly authorized
  • Transactions are accurately recorded in the accounting records
  • Access to assets is controlled and assets are periodically reconciled

Specific controls relevant to FCPA:

  • Payment approval thresholds and dual approval requirements for government-adjacent payments
  • Expense report requirements that capture the business purpose and government official status of any government contact
  • Prohibition on off-books accounts, cash funds, or unrecorded transactions
  • Review process for unusual or large payments to agents and consultants

Documentation for books and records compliance:

  • Expense reports with clear descriptions of business purpose (not "client entertainment" — should specify who, what position, what business discussion)
  • Invoice documentation for third-party payments
  • Approval records for all gifts, meals, travel, and entertainment above threshold
  • Contemporaneous records of government meetings

6. Investigation and Reporting

Your compliance program must have a mechanism for employees to report potential violations — ideally anonymously — and a process for investigating reports.

Documentation requirement:

  • Records of all reports received (even anonymous)
  • Records of investigation steps taken and by whom
  • Documentation of conclusions and remediation taken
  • Consistent application of disciplinary action for violations

The DOJ evaluates whether a company actually investigates reports it receives. A company that receives a corruption tip, does not investigate it, and later suffers an FCPA violation is in a far worse position than a company that investigated, found a violation, self-reported, and remediated.

7. M&A Due Diligence and Integration

When acquiring a company, you inherit its FCPA exposure. A successor company can be liable for pre-acquisition conduct by the acquired entity.

Pre-acquisition due diligence should include:

  • Review of the target's FCPA compliance program
  • Investigation of high-risk third-party relationships
  • Transaction and payment review for unusual patterns
  • Interviews with compliance and finance personnel
  • Review of any prior government investigations or inquiries

Post-acquisition integration should include:

  • Rapidly bringing the acquired company under your compliance program
  • Refreshing third-party due diligence on the acquired company's agent/distributor network
  • FCPA training for acquired company employees
  • Audit of transactions completed in the past 3-5 years

The DOJ and SEC have provided leniency to acquirers who discover pre-acquisition violations, self-report, and remediate — as long as the self-report occurs within a reasonable time after the acquisition closes.

FCPA Documentation Checklist

Policies:

  • [ ] Anti-bribery and anti-corruption policy, current and distributed
  • [ ] Gifts, meals, and entertainment policy with thresholds
  • [ ] Travel and hospitality policy
  • [ ] Charitable contributions policy
  • [ ] Third-party risk management policy
  • [ ] Policy acknowledgment records for all covered employees

Risk Assessment:

  • [ ] Current risk assessment (dated within 12 months)
  • [ ] Documentation of methodology and findings
  • [ ] Evidence that controls were updated based on assessment

Third-Party Due Diligence:

  • [ ] Complete due diligence file for every agent, distributor, consultant
  • [ ] Sanctions and PEP screening records
  • [ ] Reputational due diligence records
  • [ ] FCPA-compliant contract provisions
  • [ ] Annual re-screening records

Training:

  • [ ] Training materials (current)
  • [ ] Training completion records for all covered employees
  • [ ] Third-party training records (if required by contracts)

Financial Controls:

  • [ ] Payment approval and authorization records
  • [ ] Expense reports with required detail
  • [ ] Approval records for gifts, entertainment, travel involving government officials

Investigation:

  • [ ] Records of all compliance reports received
  • [ ] Investigation documentation
  • [ ] Disciplinary action records

Using AI to Manage FCPA Documentation

FCPA compliance generates enormous documentation that must be maintained, searchable, and producible in any government investigation. AI document analysis tools support compliance teams by:

  • Extracting and indexing FCPA provisions across hundreds of third-party contracts
  • Reviewing expense reports and payment records for red flags (unusual patterns, round numbers, payments routed to unexpected jurisdictions)
  • Auditing third-party due diligence files for completeness against a standard checklist
  • Answering specific questions across large document collections: "Which of our distribution agreements do not include the required anti-corruption representations?"

The Compliance Gap Checker can analyze your policy documents and third-party contracts against FCPA requirements, identifying gaps before a government inquiry does.

Key FCPA and Compliance Terms

  • Document Intelligence: AI systems for managing and analyzing compliance documentation at scale
  • Information Extraction: Automatically identifying FCPA-relevant provisions across large contract sets
  • Due Diligence: The investigation process — critical in FCPA third-party and M&A contexts

Upload your compliance policies or third-party contracts to the Compliance Gap Checker to identify missing FCPA-required provisions, with citations to every gap found.
