This week’s post was co-authored with Kathryn M. Rattigan, David E. Carney and Edward J. Heath. We are members of Robinson+Cole’s Manufacturing Industry Team and regularly counsel clients on trade compliance, anti-corruption compliance, and other corporate compliance issues.

The recent enforcement activities of the newest federal strike force serve as a warning to U.S. manufacturers and other businesses involved in the export of products that the government is doubling down on prosecuting trade violations. The expressed mission of the multi-agency Disruptive Technology Strike Force (Strike Force) is “to counter efforts by hostile nation states to illicitly acquire sensitive U.S. technology to advance their authoritarian regimes and facilitate human rights abuses.” The latest Strike Force criminal indictments focus on technology such as:

  • Aerospace and defense source code,
  • Aircraft components,
  • Microelectronic components used in unmanned aerial vehicles (UAVs),
  • Laser welding machinery.

There is every reason to expect that the Department of Justice’s (DOJ) future targets will extend beyond the kind of individual defendants who have been the focus of the 24 criminal indictments to date and include legitimate companies whose compliance program deficiencies allow the illicit exports to occur. Ensuring that a company’s trade compliance program meets or exceeds the expressed standards of the DOJ and the Department of Commerce (DOC) is now more essential than ever.    

Compliance Keys

  • Exposure Risk for Manufacturers and Distributors. The export-diversion schemes prosecuted to date share a common element—a bad actor sought to exploit innocent U.S. manufacturers and distributors by misrepresenting their identity and end-use plans or by seeking to compromise the manufacturer’s computer systems. As U.S. export controls (particularly those aimed at Russia and China) have expanded over the past several years, schemes like those alleged in these indictments have proliferated. Failing to be alert for the warning signs of such schemes may expose a company to becoming a victim of sanctions evaders or, worse, an enforcement target for ignoring red flags. The Export Administration Regulations prohibit companies from engaging in a transaction with the knowledge that a violation has occurred or will occur. “Knowledge” is not limited to actual knowledge; it can also be inferred from turning a blind eye to red flags in a transaction. As a result, having personnel trained to identify and respond appropriately to red flags suggesting that diversion could be occurring can be crucial to avoiding export violations.
  • Precautions to Detect and Prevent Imposter Schemes.
    • First, a written risk-based export control compliance plan can be a valuable aid in detecting diversion schemes and other illicit behavior. Such plans detail procedures employees must follow for conducting diligence on new and existing customers and transactions, evaluating when export licenses are required for a transaction, and detecting and responding to red flags. They provide clear guidance on when and how to escalate potential issues. Such a compliance plan gives employees the tools to help them identify when their company may be facing a diversion scheme and how to respond appropriately before a transaction is executed.
    • Second, companies can emphasize conducting “know your customer” (KYC) diligence on transactions. The importance of such diligence is heightened when new customers are involved, when business with an existing company is expanding to new products, or when it involves new product destinations. The DOC has published extensive guidance on KYC diligence (often in conjunction with other U.S. government agencies and with enforcement authorities in allied countries). This week, the DOC and export control authorities from the other G7 countries issued new guidance that identifies items most likely to be the subject of diversion efforts by Russia, lists common red flags suggesting potential export control and sanctions evasion in a transaction, and suggests some diligence best practices to prevent diversion and evasion. This new guidance echoes similar guidance issued by U.S. and allied government agencies over the last two years for detecting diversion schemes in the current environment of export controls and sanctions regarding Russia and China. (For example, our summary of the joint guidance issued last year by export-control authorities in the United States, the United Kingdom, Canada, Australia, and New Zealand addressing 45 types of goods at high risk for diversion and recommended KYC diligence steps can be found here.) Companies should be tracking and incorporating, as appropriate, these guidance updates.
    • Third, companies can be knowledgeable about the potential uses of their products and technology. This knowledge informs when and where a company may face diversion risk. Products and technology with permissible uses could be a target for diversion where they can be used for purposes the U.S. government restricts. For example, in one of the recent Strike Force cases, U.S. v. Postovoy, the alleged diversion scheme targeted a company whose microelectronic components could be used in drones and UAVs. Keeping U.S.-origin components out of such vehicles used by Russia in the war with Ukraine has been a major U.S. export control policy priority. Similarly, in another Strike Force case, U.S. v. Teslenko, the alleged diversion scheme targeted a company whose laser welders had applications that could aid Russia’s nuclear weapons program. Knowing the market for illicit uses for a company’s products and technology helps a company tailor its compliance efforts by identifying what products may be attractive to bad actors and what specific red flags may be of most concern regarding the company’s products and technology.
  • Cybersecurity Vigilance to Prevent Technology Theft. Another case announced alongside the Strike Force cases, U.S. v. Wei, is a reminder that U.S. manufacturers of sensitive technology face a multifront effort by foreign malign actors to gain access to that technology. In addition to ensuring up-to-date export controls and sanctions compliance programs, U.S. manufacturers should consider measures to protect their technology from misappropriation through cyber intrusion by implementing appropriate processes and tools to prevent and detect such activity by these actors. These processes and tools can include:
    • Regularly sharing cyber hygiene tips and training on current phishing schemes and conducting phishing tests to increase employee awareness of these risks,
    • Maintaining system hygiene by regularly scanning systems for vulnerabilities and unauthorized accounts, monitoring access logs for suspicious activity, and prohibiting automatic email forwarding to external addresses to prevent data leakage,
    • Installing a secure email gateway to filter out spam, malware, and phishing attempts and employing email authentication techniques (e.g., SPF, DKIM, and DMARC),
    • Tracking and monitoring all endpoints and mobile devices to detect suspicious activities and regularly auditing access logs to identify violations or attempted violations of access policies, and
    • Restricting administrative and privileged account access to minimize potential damage and limiting remote access to critical data and functions.

The Indictments

The six most recent indictments relating to the Strike Force’s efforts confirm that export control and sanctions compliance, particularly concerning Russia, China, and Iran, is a significant enforcement priority for the DOJ and other government agencies. As one Strike Force member stated, the DOJ, “through the work of the Strike Force, will continue to do all [it] can to prevent advanced technologies from falling into the hands of our adversaries and protect our national security.” These indictments and a related indictment announced simultaneously highlight the risks of manufacturers and distributors falling victim to schemes like those alleged in the indictments or becoming the focus of enforcement efforts for committing export control violations.

U.S. v. Postovoy. A Russian citizen living in the United States was indicted for conspiring to violate the Export Control Reform Act (ECRA), to smuggle, launder money, and defraud the United States. After Russia invaded Ukraine, the individual used a series of companies he owned around the world to obtain and unlawfully export microelectronic components that could be used in drones and UAVs from the United States to Russia. The individual concealed and misstated end-user and destination information in communications with U.S.-based distributors.

U.S. v. Song. A Chinese national was indicted for wire fraud and aggravated identity theft in connection with attempts to obtain software and source code from the National Aeronautics and Space Administration (NASA), research universities, and private companies. Over several years, the individual “spear phished” individuals at NASA, the Air Force, Navy, Army, and Federal Aviation Administration; research universities; and aerospace companies in an attempt to obtain code to which the individual suspected the victims had access. At all relevant times, the individual, who assumed the identities of persons known to the victims, was an employee of a Chinese state-owned aerospace and defense contractor.

U.S. v. Teslenko. A U.S. resident and a Russian national were indicted for smuggling and conspiracy to violate the ECRA, smuggle, and defraud the United States. For approximately six years, the individuals exported laser welding machines from one’s employer in the United States to a Russian company involved in Russia’s nuclear weapons program. The individuals falsified export documentation to conceal the end user.

U.S. v. Goodarzi. A dual U.S. and Iranian citizen was charged with smuggling UAV components to Iran from the United States. For four years, the individual obtained U.S.-originated parts and either transshipped them, typically through the United Arab Emirates, or transported them in his own checked luggage during trips to Iran. The individual had acknowledged in numerous emails with U.S. suppliers that the parts could not be transferred to Iran because of sanctions. The individual also lacked the proper export license to send these items to a sanctioned country like Iran.

U.S. v. Nader. A dual U.S. and Iranian citizen was indicted for violating U.S. economic sanctions and other federal laws in connection with procuring U.S.-originated aircraft components for Iran’s armed forces. Customers in Iran placed orders with the individual, who, in turn, directly or through others, contacted U.S. companies for the components. The individual falsely identified himself or his U.S.-based company as the end user of the components. The individual attempted to export the components, including transshipment to Iran, on several occasions; however, DOC agents detained each export.

U.S. v. Wei. In addition to the above criminal cases brought through the work of the Strike Force, the DOJ announced the indictment of a Chinese national on charges of fraud, conspiracy, computer intrusion, and aggravated identity theft for unlawfully accessing the computer network of a U.S. telecommunications company. The individual—a member of the People’s Liberation Army—and co-conspirators accessed the company’s systems in 2017 and stole documents relating to communications devices, product development, testing plans, internal product evaluations, and competitive intelligence. The individual attempted to install malicious software to maintain access to the company’s systems; his access continued for approximately three months.

The Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI), the National Security Agency, and other international partners, issued an Alert on September 5, 2024, warning that cyber actors affiliated with the Russian military are targeting critical infrastructure, government services, financial services, transportation systems, energy, and healthcare sectors of NATO members.

The Alert warns that Unit 29155 cyber actors affiliated with the Russian military are collecting information for “espionage purposes, reputational harm caused by the theft and leakage of sensitive information, and systematic sabotage caused by the destruction of data.” The cyber actors of Unit 29155 have been assessed as officers of the GRU and are being assisted by “known cyber-criminals.” Some of the threat group names associated with these actors include Cadet Blizzard, Ember Bear, Frozenvista, UNC2589, and UAC-0056.

Unit 29155 is believed to be responsible for WhisperGate against Ukraine and is involved in attacking numerous members of NATO. “The activity includes cyber campaigns such as website defacements, infrastructure scanning, data exfiltration, and data leak operations. These actors sell or publicly release exfiltrated victim data obtained from their compromises.”

The FBI has detected more than 14,000 instances of domain scanning, and the actors “have defaced victim websites and used public website domains to post exfiltrated victim information.”

The Alert details the tactics, techniques, and procedures the threat actors use. To mitigate this, the Alert urges organizations to:

  • Prioritize routine system updates and remediate known exploited vulnerabilities.
  • Segment networks to prevent the spread of malicious activity.
  • Enable phishing-resistant multifactor authentication (MFA) for all externally facing account services, especially for webmail, virtual private networks (VPNs), and accounts that access critical systems.

This post was authored by Data Privacy + Cybersecurity Team chair Linn Foster Freedman and is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

Below is an excerpt of a legal update authored by Intellectual Property + Technology Group co-chair John L. Cordani, Jr. and Business Litigation Group lawyer, Janet J. Kljyan.

Intellectual property practitioners were anticipating the Supreme Court’s decision in Warner Chappell Music v. Nealy, which raised important questions regarding the statute of limitations and availability of damages for stale copyright infringement claims. We previously wrote about how the Supreme Court’s decision could impact copyright “trolls”: entrepreneurial plaintiffs who assert copyright infringement claims based on old, allegedly infringing uses of photographs or images on the internet to extract quick settlements from unsuspecting businesses. The Court’s decision, issued earlier this month, may embolden trolls in the short term, especially in the Second Circuit. However, the hope remains that the Supreme Court will rein in the statute of limitations to discourage trolls in a future case.

Warner Chappell Music v. Nealy raised two potential issues: (1) whether the Copyright Act’s three-year statute of limitations begins to run from the plaintiff’s “discovery” of the infringement (called the “discovery” rule), and (2) whether the Copyright Act limits recoverable damages to those incurred within the three years preceding the filing of a lawsuit. Read more.

Stop me if you have seen this before. You visit the website of a U.S. privately held manufacturer, and you click on the “About Us” page (if one exists) to find only generic information that could describe any manufacturing business in the United States. There often is no listing of who runs the business – let alone who owns it – and sometimes, there is no information as to how big the facility is or how many employees work there. Often, there is no information as to when the business was founded or its history. 

Contrast that with many international privately held businesses – including in Europe. The websites often have a listing of the executive team, ownership information, employee headcount, and most importantly the top line revenue of the business (and perhaps even its profitability). 

Why the difference? Why are international businesses more transparent? 

The answer to these questions is not readily obvious, but at least in part, the “secrecy” that U.S. businesses have as to the ownership and/or revenue information is baked into U.S. corporate law. Up until the time of the passage of the Corporate Transparency Act, lawyers would always talk about the fact that forming in Delaware (as an example) was straightforward and that much of the company’s underlying information would not need to be disclosed. Often, our international clients are surprised by this, as the disclosure rules outside the United States can be extreme, including the disclosure of passports as an example.

I have represented a lot of privately held manufacturers and I understand why certain companies do not want to disclose information. However, I would maintain that U.S. privately held businesses should consider more disclosure – not less – for a few reasons. First, in an era where manufacturers are desperate to find employees, transparency can only help. Knowing who owns the company, who runs it, how big it is, how many employees work there, and the history (i.e., stability) of the organization can be an effective recruiting tool. Second, this information can also help potential customers as they conduct diligence on whether to do business with you. There are other reasons as well.

At the very least, U.S. privately held manufacturers should think about whether maintaining secrecy of all information is actually helping them in any way or just serving as a barrier for growth.

True to its word, the SEC released its proposed rule, The Enhancement and Standardization of Climate-Related Disclosures for Investors, last week. The rule would require companies to disclose a wide variety of climate-related information, including information about climate-related risks that are reasonably likely to have material impacts on its business and/or its consolidated financial statements, and greenhouse gas (GHG) emissions metrics that could help investors assess those risks.

Much has been made of the proposed requirements for GHG emissions reporting—not just for Scope 1 and 2 emissions (emissions from company operations and from the generation of electricity purchased and consumed by the company)—but also for Scope 3 emissions, or emissions from upstream and downstream activities in a company’s value chain. In this post, we will focus on the Scope 3 emissions requirements in the proposed rule.

First, not all companies would be required to report Scope 3 emissions. The proposed rules would require disclosure of Scope 3 emissions only if:

  • The emissions are material, or if there is a substantial likelihood that a reasonable investor would consider them important when making an investment or voting decision; or
  • The company has set a GHG emissions reduction target or goal that includes its Scope 3 emissions.

In limiting the reporting requirement, the SEC sought “[t]o balance the importance of Scope 3 emissions with the potential relative difficulty in data collection and measurement . . . .”

The SEC declined to propose a quantitative metric for the determination of materiality of Scope 3 emissions (although the proposed rule notes that some companies rely on such a metric, and it also seeks additional comment on whether such a metric should be included). Instead, it proposed to use its commonly known materiality standard, explaining that a “one-size-fits-all” approach would not capture the variability of regulatory, policy, and market conditions across companies, nor would it adequately capture the transition risk that is tied to GHG emissions and the choices that a company can make about its value chain because of them.

For companies that have set a GHG emissions reduction target or goal, the proposed rule states that disclosure is needed to help investors understand the potential costs associated with meeting such a goal and track the company’s progress along the way.

So what are Scope 3 emissions? As explained above, Scope 3 emissions are those from upstream and downstream activities in a company’s value chain. Some examples of these upstream and downstream activities include:

  • Purchased goods and services;
  • Transportation and distribution of purchased goods, raw materials, and other inputs;
  • Waste generated in operations;
  • Business travel and commuting by employees;
  • Transportation and distribution of sold products, goods, or other outputs; and
  • End-of-life treatment of a company’s sold products.

Scope 3 emissions data is difficult to gather and quantify, but the SEC is hoping that companies required to report will be able to influence the activities in their value chain and gather emissions data in the process:

“Although a registrant may not own or control the operational activities in its value chain that produce Scope 3 emissions, it nevertheless may influence those activities, for example, by working with its suppliers and downstream distributors to take steps to reduce those entities’ Scopes 1 and 2 emissions (and thus help reduce the registrant’s Scope 3 emissions) and any attendant risks. As such, a registrant may be able to mitigate the challenges of collecting the data required for Scope 3 disclosure.”

The proposed rule suggests that Scope 3 emissions data can be found in the following sources:

  • Emissions reported by parties in the registrant’s value chain, and whether such reports were verified by the registrant or a third party, or unverified;
  • Data concerning specific activities, as reported by parties in the registrant’s value chain; and
  • Data derived from economic studies, published databases, government statistics, industry associations, or other third-party sources outside of a registrant’s value chain, including industry averages of emissions, activities, or economic data.

Companies required to report Scope 3 emissions must do so individually (i.e., listing the emissions from each GHG), and also in the aggregate (carbon dioxide equivalent). They must also report GHG intensity, or the ratio of the impact of GHG emissions per unit of total revenue and per unit of production. The risks associated with climate change must also show up in a company’s financial statement metrics, with certain metrics (for Scope 3 emissions, think transition risk) required to be included in a note to a registrant’s audited financial statements. Lastly, if a company is required to report historic data on its income statement and cash flow statement, it should be prepared to do the same for emissions data (to the extent such emissions data is reasonably available).

The proposed rule would phase in the reporting of Scope 3 emissions, with the first reporting required for large accelerated filers in fiscal year 2024 (filed in 2025). Smaller reporting companies would be exempt from the Scope 3 emissions reporting requirements.

The SEC is seeking comment on the proposed rule. The comment period will remain open until at least May 20, 2022.

While we await the SEC’s proposed rules regarding mandatory climate change disclosures (signaled to be coming as soon as next Monday, March 21), the SEC has been digging in to company filings to scrutinize how, if at all, its registrants are addressing climate change. As we previously reported, the SEC took a number of actions last year to suggest that there would be increased attention, and perhaps enforcement, related to the depth of a company’s climate change disclosures. True to its word, the past year has seen an increase in SEC comment letters focused on climate change and the scope of disclosures being made under existing regulations, as well as the SEC’s 12-year-old guidance on disclosures related to climate change.

In September of last year, the SEC released a sample comment letter to demonstrate the types of inquiries the SEC might make if it was not satisfied with a company’s climate change disclosures. The SEC has followed up by issuing comment letters to companies in line with the sample that was released. A selection of the types of inquiries seen in the comment letters are as follows:

  • We note that you provide more expansive disclosure in your corporate social responsibility (CSR) report than you provided in your SEC filings. Please advise us what consideration you gave to providing the same type of climate-related disclosure in your SEC filings as you provided in your CSR report.
  • In your CSR report, you state that you are committed to lowering the total amount of energy that you consume in your operations and reducing your greenhouse gas emissions. Please revise your disclosure to identify any material past and/or future capital expenditures for climate-related projects related to these initiatives. If material, please quantify these expenditures.
  • Disclose the material effects of transition risks related to climate change that may affect your business, financial condition, and results of operations, such as policy and regulatory changes that could impose operational and compliance burdens, market trends that may alter business opportunities, credit risks, or technological changes.
  • We note the disclosure in your annual report and proxy statement about enhancements you made during 2020 and 2021 to your environmental initiatives. Please quantify any material capital expenditures or compliance costs related to these initiatives.
  • To the extent material, discuss the indirect consequences of climate-related regulation or business trends, such as the following:
    • decreased demand for goods and services that produce significant greenhouse gas emissions or are related to carbon-based energy sources;
    • increased demand for goods and services that result in lower emissions than competing products;
    • increased competition to develop innovative new products and services that result in lower emissions; and
    • any anticipated reputational risks resulting from operations or products that produce material greenhouse gas emissions
  • If material, discuss the significant physical effects of climate change on your operations and results. This disclosure may include quantification of material weather-related damages to your property or operations and any weather-related impacts on the cost or availability of insurance.

The increase in comment letters is one of the many ways we expect to see the SEC continue its focus on climate change, and may just be the tip of the iceberg with the potential for mandatory climate change disclosure rules on the horizon.

This post was authored by Linn Foster Freedman and is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

Since the Colonial Pipeline and JBS meat manufacturing security incidents, attention is finally being paid to the cybersecurity vulnerabilities of critical infrastructure in the U.S. and, in particular, the potential effect on day-to-day life and national security if large and significant manufacturers’ production is disrupted. In the wake of these recent incidents in the manufacturing sector, Unit 42 of Palo Alto Networks has published research that may be considered a warning to the manufacturing sector and is worth notice. The warning is about the activities of Prometheus, “a new player in the ransomware world that uses similar malware and tactics to ransomware veteran Thanos.”

According to the Executive Summary, Unit 42 “has spent the past four months following the activities of Prometheus” which “leverages double-extortion tactics and hosts a leak site, where it names new victims and posts stolen data available for purchase.” Prometheus claims to be part of REvil, but Unit 42 says it has “seen no indication that these two ransomware groups are related in any way.” Unit 42 further states that Prometheus claims to have victimized 30 organizations in different industries, in more than a dozen countries, including the U.S.

Prometheus came on the scene in February 2021 as a new variant of the strain Thanos. Unit 42 is unable to provide information on how the Prometheus ransomware is being delivered, but surmises that it is through typical means, such as “buying access to certain networks, brute-forcing credentials or spear phishing for initial access.” The ransomware first kills backups and security processes and then enables the encryption process. It then “drops two ransom notes” that contain the same information: that the network has been hacked and important files encrypted, along with instructions on how to recover them. If the ransom demand is not met, the data will be published on a shaming site that also publishes the “leak status” of each victim. According to Unit 42, “[M]anufacturing was the most impacted industry among the victim organizations we observed, closely followed by the transportation and logistics industry.”

What we have seen in the past is that when ransomware groups are successful in one industry, they use the information learned from initial attacks to target other companies in that sector. They apply the knowledge from one attack to future attacks, assuming that since the first one was successful, subsequent attacks will be successful as well. Since industry-specific networks are similar, it is seamless to attack one victim, learn from it, then leverage that knowledge to attack similarly situated victims.

With threat actors’ focus on the manufacturing sector right now, we anticipate seeing more attacks against manufacturers from groups such as Prometheus.

This post was authored by Linn Foster Freedman and is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

Manufacturers of products often are not aware that cybersecurity incidents can disrupt production and distribution of product, or are not prepared for such disruption. A recent filing by Molson-Coors Beverage Company illustrates that manufacturers face cybersecurity risks similar to those of other industries.

On March 11, 2020, Molson-Coors filed a Form 8-K with the Securities and Exchange Commission stating that:

Molson Coors Beverage Company (the “Company”) announced that it experienced a systems outage that was caused by a cybersecurity incident. The Company has engaged leading forensic information technology firms and legal counsel to assist the Company’s investigation into the incident and the Company is working around the clock to get its systems back up as quickly as possible.

Although the Company is actively managing this cybersecurity incident, it has caused and may continue to cause a delay or disruption to parts of the Company’s business, including its brewery operations, production, and shipments. In addition to the other information set forth in this report, one should carefully consider the discussion on the risks and uncertainties that cybersecurity incidents and operational disruptions to key facilities may have on the Company, its business and financial results contained in Part I, “Item 1A. Risk Factors” in its 2020 Annual Report on Form 10-K, filed with the SEC on February 11, 2021.

Manufacturing businesses may wish to consider prioritizing cybersecurity readiness in their processes, including backup plans, contingent operations plans, and disaster recovery plans.

This week, we are pleased to have a guest post from John L. Cordani, Jr.  John is a member of Robinson+Cole’s Manufacturing Industry Team and regularly counsels clients on intellectual property issues involving patent procurement, licensing, and litigation.

For the past several years, the patent offices in the United States and Mexico have operated under a type of patent examination fast-tracking and work-sharing agreement known as a Patent Prosecution Highway (PPH). This agreement between the United States Patent and Trademark Office (USPTO) and the Mexican Institute of Industrial Property (IMPI) was set to expire in June of this year, and the status of the program going forward was uncertain.

But on January 28, the Offices announced a new agreement that promises to improve upon the PPH system by creating an even “more streamlined approach” to obtaining a Mexican patent once a corresponding U.S. patent is granted than that presently offered under the PPH. Read the full article on IPWatchdog.com.

This week we are pleased to have a guest post from Edward Heath and Kevin Daly. Attorneys Heath and Daly are members of Robinson & Cole’s Manufacturing Industry Group and regularly counsel clients on anti-corruption compliance.

A Brief Overview of the FCPA

The Foreign Corrupt Practices Act (FCPA) is a federal statute that prohibits United States companies and individuals from bribing foreign government officials in order to gain or retain business. It is a major civil and criminal enforcement priority for the federal government. Each year, the aggregate amount of penalties paid under the FCPA totals hundreds of millions of dollars.

Although it is well known that the FCPA applies to U.S. companies and U.S. individuals (e.g., U.S. citizens and residents), there is a common misconception that its reach ends at our borders. However, there are some circumstances where the FCPA can reach individuals outside of the U.S. Foreign persons who act as the agents, employees, officers, directors or shareholders of U.S. companies can be held liable under the FCPA. Foreign persons who commit an FCPA violation while in the U.S. are also covered.

Recent Court Decision Addresses Geographic Reach 

The United States Court of Appeals for the Second Circuit recently issued a decision affirming this point. United States v. Hoskins arose out of an alleged bribery scheme involving Alstom, S.A. (“Alstom”), a global company based in France that operates in the power and transportation industries. Specifically, the government claims that Alstom and several of its subsidiaries (including UK-based and U.S.-based subsidiaries) bribed Indonesian government officials in order to obtain a $118 million power contract from the Indonesian government. The government contends that Mr. Hoskins, while working in France for Alstom’s U.K. subsidiary, was one of the people responsible for approving and authorizing the alleged bribes. Although parts of the alleged scheme occurred within the U.S. (e.g., payments were made from U.S. bank accounts), and some co-conspirators were based in the U.S., Mr. Hoskins never traveled to the U.S., never was employed by Alstom’s U.S. subsidiary, and is not a U.S. citizen or resident.

The government charged Mr. Hoskins with violating the FCPA, alleging that he conspired and aided and abetted in FCPA violations committed by others. The Second Circuit, however, rejected the government’s theories. The court held that Congress set the limits on the geographic reach of the FCPA in the statute, and that the scope cannot be expanded through accomplice or conspiracy liability theories to reach persons, like Mr. Hoskins, who are beyond the geographic reach of the statute.

Nonetheless, the court held that he can be tried on the theory that he acted as an agent for Alstom’s U.S. subsidiary. Agents of U.S. companies are explicitly covered by the FCPA, regardless of whether they are U.S. citizens or residents. To convict on such a theory, the government would be required to prove that Hoskins was an agent of Alstom’s U.S. subsidiary.

While Hoskins is only binding within the Second Circuit (Connecticut, New York, and Vermont), and the government is evaluating further appellate options, it poses an obstacle to government efforts to expand FCPA liability beyond the specific categories of foreign persons enumerated in the statute.