The corporate compliance community glimpsed a rare event in August: a federal court decision, U.S. v. Hoskins, that tried to define the limits of individual liability under the Foreign Corrupt Practices Act (FCPA).

Court rulings about the scope of the FCPA are few and far between. This decision is even more important because of its potential reach, as it came from the 2nd Circuit Court of Appeals in New York, the jurisdiction for a large number of global corporations.

In this case, the defendant Lawrence Hoskins worked for Alstom S.A., a French construction conglomerate that doesn’t trade on U.S. stock exchanges. Hoskins is a British citizen, who was employed by Alstom’s UK subsidiary and also worked for another Alstom subsidiary in Paris — where, U.S. prosecutors alleged, he helped to arrange bribes that an American subsidiary of Alstom paid to government officials in Indonesia.

Hoskins was charged with conspiracy to violate the FCPA for his role in the bribery scheme.  Ultimately, the question on appeal became:  could a foreign national, working for a foreign company and never setting foot in the United States, be held liable for aiding and abetting others to violate the FCPA based on theories of conspiracy and complicity?  The 2^nd Circuit court said no; that extra-territorial reach extended beyond what lawmakers originally intended for the FCPA.   The 2^nd Circuit, however, left open the question of whether Hoskins was acting as an agent of the US-based Alstom subsidiary, and remanded this back to the District Court of Connecticut.

Limitations of the Hoskins Decision

The Hoskins ruling is also, however, a bit frustrating. It determined that there are limits to the liability a company’s overseas intermediaries might face under the FCPA, but didn’t specify exactly where that line falls. Some foreign nationals may no longer be liable under conspiracy or aiding and abetting theories of FCPA prosecution. However, what Hoskins did leave open was potential agency liability; Hoskins could be prosecuted for FCPA violations if the government could establish that he was acting as an agent of Alstom’s US subsidiary.  What does “agent” is this context mean?  Lower courts will need to answer that question.

Moreover, the Hoskins ruling only applies to cases in the 2nd Circuit. The Justice Department may still argue its expansive theories of third-party liability in other jurisdictions. Courts in other parts of the country might reach different conclusions than the 2nd Circuit did.

Implications for Third Parties

Based on the Hoskins ruling, what are the implications for a company’s compliance program?

First, the Hoskins ruling increases the importance of monitoring a company’s third parties, beyond initial onboarding. The ruling creates different standards of liability for intermediaries who are ultimately deemed “agents” and those who aren’t, so an individual who moves between those two categories may change the amount of corruption risk he or she brings to an organization. A compliance function needs to know when that happens.

For example, some intermediaries who believe they are agents might try to change their relationship with the company to some lesser status — under the logic that they would then be beyond the reach of the FCPA, giving them more discretion to pay bribes.

Compliance officers may want to revisit their policies for third-party governance: Who has permission to change the status of an intermediary, such as the services that party performs? What approvals are necessary? What new due diligence checks are required, if any?

An organization may also want to ensure that its analytics of intermediaries’ activity (transactions done, payments received, and so forth) stays sharp enough to provide the monitoring assurance needed.

Secondly, compliance officers will also need to police against opportunists inside and outside the organization. The Hoskins ruling created a class of at least some (possibly many) foreign intermediaries beyond the reach of the FCPA. So some employees and third parties might try to exploit that distinction, where those foreign nationals beyond reach do the dirty work of operating a bribery scheme.

Compliance officers will need to prevent that bad practice from taking root with clear training and attestations from employees and third parties. For example, compliance programs may want to acknowledge that the Hoskins limit exists, and then still demand high ethical standards for all individuals working in its orbit regardless.

After all, the Hoskins decision does not apply to corporations. If they want to win maximum favor with regulators investigating an FCPA issue, they still need to demonstrate an effective compliance program. That should include a strong anti-bribery tone at the top and clear training that improper payments are forbidden — even for intermediaries who might be beyond the reach of individual prosecution.

Impact on Compliance Officers

While the Hoskins ruling may be welcome news for some individual defendants, the most important question for compliance officers is: Who cares?

Corporate liability under the FCPA remains unchanged by this ruling. Many foreign nationals will still be personally liable under other theories of prosecution the Justice Department can still pursue, as the Hoskins ruling applies only to a small subset of potential defendants. Those foreign nationals may also face prosecution under their home country’s anti-bribery laws — and drag a company’s liability along with them.

In the practical challenges of running a modern compliance department, the Hoskins ruling only reinforces the importance of strong third-party governance: thoughtful policies, implemented comprehensively; effective due diligence programs; monitoring of third parties, with analytics capability up to that task; and training for employees and intermediaries alike.

That was all true before the Hoskins ruling. It’s still true today.