How to Build an FCPA Compliance Program That Holds Up Under 2026 DOJ Scrutiny

By The Falcon Consulting Group

FCPA enforcement narrowed in 2025 but didn't stop. Books-and-records exposure, individual prosecutions, and international enforcers remain active. A defensible program requires risk assessment, senior commitment, written policies, role-based training, rigorous third-party diligence, financial controls, and a real investigation process. The cost of a weak program went up, not down.

If you've read the headlines about FCPA enforcement over the last eighteen months and concluded that compliance doesn't matter anymore, you are on a path to an unpleasant conversation with your general counsel.

Yes — the Foreign Corrupt Practices Act enforcement landscape was reshaped in 2025. The February 2025 Executive Order paused new cases for a 180-day review. The Department of Justice issued revised FCPA Guidelines in June 2025 that narrowed the cases DOJ will prioritize, and the SEC has been markedly quieter. But the statute itself has not changed. Books-and-records and internal-controls exposure for public companies continues in full. Individual prosecutions — which cannot be settled away with a corporate DPA — remain active, and late 2025 produced trial convictions and the administration's first corporate resolution under the new Guidelines. International enforcers including the UK Serious Fraud Office, French PNF, and Brazilian authorities are signaling they'll fill gaps left by a quieter DOJ.

Translation: the cost of a weak FCPA compliance program went up, not down. A narrower DOJ is a more selective DOJ — and the cases it does bring will be the ones where compliance failures are visible, undisclosed, and indefensible.

This guide walks through what the FCPA actually prohibits, who it applies to, how DOJ's 2026 posture has evolved, and the seven elements of a compliance program that is genuinely defensible — not just documented.


What the FCPA Actually Prohibits

[Figure: FCPA compliance framework overview]
The FCPA's two prongs — anti-bribery and books-and-records — each carry independent liability exposure.

The FCPA has two distinct prongs, and most companies underweight the second one.

Anti-bribery provisions. It is unlawful to offer, promise, pay, or authorize payment of anything of value, directly or through an intermediary, to a foreign official, foreign political party, or candidate, for the purpose of obtaining or retaining business or any improper advantage. "Anything of value" is interpreted broadly: cash, gifts, travel, entertainment, internships for family members, charitable donations directed at an official's preferred cause, and discounts on unrelated transactions have all appeared in enforcement matters.

Books and records / internal controls provisions. Issuers must keep books and records that accurately and fairly reflect transactions, and must maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are authorized and properly recorded. This is a strict-liability provision. No bribe needs to be proven. A slush fund, a misclassified payment, a vendor invoice that doesn't reflect what actually happened — each can trigger liability independent of the anti-bribery prong.

The practical consequence: an FCPA compliance program is not only a front-end screening exercise. It is a financial-controls discipline that runs through every payment, every vendor, every joint-venture distribution, every expense reimbursement that touches an international operation.


What Changed in 2025 — and What Didn't

[Figure: 2025 DOJ FCPA enforcement changes]
DOJ narrowed its priorities in 2025 — but the statute, individual liability, and books-and-records exposure remain fully intact.

The February 2025 Executive Order directed DOJ to pause new FCPA investigations and develop revised guidance. In June 2025, Deputy Attorney General Todd Blanche issued the new Guidelines for Investigations and Enforcement of the FCPA, which prioritize cases with meaningful ties to US national security, schemes involving cartels and transnational criminal organizations, sophisticated concealment, state-owned entities, and substantial payments with clear corrupt intent.

The first corporate resolution under the new Guidelines — the November 2025 Millicom/Comcel deferred prosecution agreement involving a cash-for-votes scheme partially funded by narcotrafficking proceeds in Guatemala — ticked nearly every priority box on the list.

What did not change: the statute itself, books-and-records and internal-controls exposure, SEC civil authority, individual criminal liability, the DOJ's Corporate Enforcement Policy, the UK Bribery Act, and parallel prosecutions by foreign enforcers. The compliance program you need in 2026 is fundamentally the same program you needed in 2024 — applied more rigorously and calibrated to the risk profile DOJ now prioritizes.


The Seven Elements of a Defensible FCPA Compliance Program

[Figure: Seven elements of an FCPA compliance program]
A defensible FCPA program runs through all seven elements — with the third-party layer being the single highest-risk area for most companies.

The DOJ's Evaluation of Corporate Compliance Programs asks three questions: is it well-designed, is it applied earnestly and in good faith, and does it work in practice?

1. Risk assessment. Documented, refreshed, mapped to your actual exposure by country, business line, transaction type, and third-party category. Refresh annually and on material changes.

2. Senior management commitment. Board oversight minutes, CEO communications, compensation and promotion decisions, and resource allocation to compliance. Firing a high-performer for an FCPA violation is worth more than ten posters in the break room.

3. Written policies and a code of conduct. Clear, translated, aligned with how the business actually operates — covering gifts and entertainment with concrete thresholds, travel, charitable contributions, political donations, facilitation payments, third-party engagement, and joint ventures.

4. Training and communication. Risk-based, role-tailored, documented. The CFO, the sales VP in a high-risk country, the procurement lead, and the joint-venture liaison need different training. High-risk roles require live or interactive scenario-based training.

5. Third-party due diligence and management. Every agent, consultant, distributor, and joint-venture partner is a potential liability vector. The program needs risk-tiered diligence, written contracts with FCPA representations and audit rights, payment controls matched to documented deliverables, and ongoing monitoring.

6. Internal controls and books-and-records discipline. Separation of duties, payment authorization thresholds, vendor master governance, expense reimbursement controls, petty cash discipline. A surprising amount of FCPA liability is resolved because accounting controls caught an anomaly before it became a scheme.

7. Investigation, remediation, and continuous improvement. Documented escalation path, independent investigators, privilege protocols, and a remediation-and-discipline record that prosecutors can evaluate. A policy that never changes because of what investigations find is a policy no one is actually applying.


Common Pitfalls and When to Bring In Outside Expertise

"Compliance is a corporate function, not a business function." This is the single most common and most fatal misconception. Compliance owned at headquarters but unowned in the field produces documented programs with undocumented failures.

Other pitfalls: treating the third-party questionnaire as the program; undocumented facilitation payments; ignoring books-and-records exposure; having no mechanism for voluntary self-disclosure; treating monitor avoidance as the goal.

Building, stress-testing, or remediating an FCPA compliance program benefits from professionals who have sat on the other side of the table: former federal agents, former prosecutors, Certified Fraud Examiners, and Certified Anti-Money Laundering Specialists who understand what DOJ and SEC actually look for when they open an investigation.

The Falcon Consulting Group supports corporations and law firms on FCPA risk assessment, third-party due diligence, internal investigations, forensic accounting, and remediation planning. Our associates include former federal and state law enforcement, former Inspector General personnel, CPAs, CFEs, and CAMS-certified specialists with experience investigating procurement fraud and corruption in high-threat environments, including work supporting the Special Inspector General for Iraq Reconstruction and the Special Inspector General for Afghanistan Reconstruction.