The Federal Acquisition Regulation (FAR) requires that most contracts with the federal government include a clause mandating that the contractor have a written code of business ethics and conduct, and that the contractor conduct periodic reviews to ensure the effectiveness of that code in rooting out fraud and corruption in the business.
From a business perspective, it is easy to view this requirement as just another burden to bear, and one that will cut into already too-thin margins. But a federal contractor subject to this provision that fails to adhere faithfully to its requirements does so at its own peril. The potential consequences of such a failure may be severe.
The requirement of a written code of business ethics and conduct, as well as the related review requirements, is the regulatory execution of statutory mandates designed to lessen corruption in contracting. Specifically, the statutory mandates require that all “covered contracts” with the federal government—i.e., those in an amount greater than $5 million and more than 120 days in duration—must include “provisions that require timely notification by federal contractors of violations of federal criminal law or overpayments in connection with the award or performance of covered contracts or subcontracts.” This requirement extends to contracts performed outside the United States and those for commercial items as well.
As a policy matter, the FAR implements this requirement as to all government contractors—not just those who hold “covered contracts”:
Knowing failure to timely disclose credible evidence of any such violations remains a cause for suspension and/or debarment until three years after final payment on the contract.
The FAR also provides “guidance” applicable to all contractors relating to these responsibilities. Noting that “[g]overnment contractors must conduct themselves with the highest degree of integrity and honesty,” the FAR advises that “[c]ontractors should have a written code of business ethics and conduct.” The FAR also suggests other steps that all contractors should take in this regard:
For non-covered contracts, these policies apply only as “guidance” to contractors as to what they “should” do. Covered contracts must go a step further. A covered contract must include the clause set forth at FAR 52.203-13, which implements and enforces these policy suggestions, stating what a contractor “shall” or “must” do. That clause sets forth several obligations of note.
First, within 30 days after award of the contract, unless the contracting officer establishes a longer time period, the contractor must “[h]ave a written code of business ethics and conduct” and “[m]ake a copy of the code available to each employee engaged in performance of the contract.” The contractor is also required to “[e]xercise due diligence to prevent and detect criminal conduct” and to “[o]therwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”
A second obligation—which does not apply to any “small business concern” or to a contract for the acquisition of commercial items—is that the contractor must establish “[a]n ongoing business ethics awareness and compliance program” within 90 days of contract award, unless the contracting officer provides for a longer period of time. Concerning the program, the clause states:
The training must be provided to the contractor’s principals and employees and, “as appropriate,” to the contractor’s agents and subcontractors, though there is no guidance as to what it means to be “appropriate” in this context.
Third, the clause sets forth detailed requirements for the contractor’s internal control system. The clause requires that the internal control system must “[e]stablish standards and procedures to facilitate timely discovery of improper conduct in connection with government contracts” and must “[e]nsure corrective measures are promptly instituted and carried out.”
There must also be an internal reporting system that provides for anonymity and confidentiality, as well as an investigation protocol that places responsibility at a sufficiently high level with sufficient resources to make it effective—and which includes “[r]easonable efforts” to exclude from responsibility for that investigation any person “whom due diligence would have exposed as having engaged in conduct that is in conflict with the contractor’s code of business ethics and conduct.”
There must also be “[d]isciplinary action for improper conduct or for failing to take reasonable steps to prevent or detect improper conduct” as well as timely written disclosure to the agency inspector general of any “credible evidence” that a principal, employee, agent, or subcontractor “has committed a violation of federal criminal law involving fraud, conflict of interest, bribery, or gratuity violations found in [Title 18 of the U.S. Code] or a violation of the civil False Claims Act.”
Further, the clause requires “[f]ull cooperation with any government agencies responsible for audits, investigations, or corrective actions,” as well as “[p]eriodic reviews of company business practices, procedures, policies, and internal controls for compliance with the…code of business ethics and conduct and the special requirements of government contracting”—including periodic assessment of the effectiveness of the internal control system and consideration of necessary changes to the program as required by the identification of criminal conduct through the system.
For too many contracting businesses, these requirements are little more than a box to be checked among many technical predicates for the award and execution of a federal contract. And, from a business perspective, there is a strong incentive—the cost—driving owners of contracting businesses to comply only moderately with these obligations, or to forgo them altogether. As with many aspects of compliance, those who do not fully comply with these requirements do so at their peril.
The most severe (and perhaps most unexpected) of the consequences of failure to fulfill these requirements could be a contracting officer’s determination that the contractor is in default. These are, after all, provisions of a contract. It is easy to convince oneself that a contracting officer would not terminate an otherwise fully performing contractor for default on this basis. On the other hand, that seems like a foolhardy risk—“penny wise and pound foolish,” if you will—to take in order to avoid the expense of a fully compliant internal control system.
If fraud is discovered in connection with a contractor’s execution of a contract, the risks attendant to noncompliance are even greater—especially if the fraud is discovered by a person or entity other than the contractor. The failure of the contractor to have an effective code and internal control system will almost certainly be blamed for the failure to detect the fraud. If the existence of the fraud would not otherwise have led to a termination for default of the contract, the contractor’s failure to comply with provisions of the contract regarding business ethics and conduct may be an alternative basis for losing the contract. Failure to report such fraud may also, in some circumstances, result in suspension and/or debarment.
But the potential consequences do not end there. If a company is found responsible for (or complicit with) fraud that occurs in the performance of its contract, it may also find itself subject to criminal prosecution. The U.S. Sentencing Guidelines—which were the source for the language in the FAR on these issues—specifically provide that a system of internal controls like the one required by FAR 52.203-13(d) may be a basis for mitigation that can lead to a less severe recommended penalty upon criminal conviction.
As with many preventative measures, compliance with the FAR’s mandated code of business ethics and conduct and the related internal control system is ultimately a cost-effective means to protect a federal contractor from the direst of consequences. Here, too, compliance is not just about checking boxes; it is about maintaining a system of organization and controls that ultimately ensures the success of the company in its performance of its contractual obligations.
 In this article, we use the term covered contracts to refer to contracts with these minimum characteristics.
 41 USC 3509.
 See FAR 3.1003(a)(1) (noting that “the policy at 3.1002 applies as guidance to all government contractors” (emphasis added)).
 FAR 3.1003(a)(2).
 FAR 3.1002(a).
 FAR 3.1002(b).
 See FAR 3.1003(a)(1).
 Subcontracts that meet the “covered contract” thresholds—that is, at least $5 million and a performance period of more than 120 days—must also include “the substance” of the clause set forth at FAR 52.203-13. (See FAR 52.203-13(d)(1).)
 FAR 52.203-13(b)(1).
 FAR 52.203-13(b)(2).
 As defined within FAR 2.101.
 FAR 52.203-13(d).
 FAR 52.203-13(d)(1)(i).
 FAR 52.203-13(d)(1)(ii).
 FAR 52.203-13(d)(2)(i)(A) and (B).
 FAR 52.203-13(d)(2)(ii).
 Ibid. (For the civil False Claims Act, see 31 USC 3729–3733.)
 U.S. Sentencing Guidelines § 8B2.1.