On August 18, the Bank of New York Mellon Corporation (BNY Mellon) agreed to pay $14.8 million to settle allegations that it had violated the U.S. Foreign Corrupt Practices Act (FCPA) by providing internships to family members of foreign officials affiliated with a Middle Eastern sovereign wealth fund the bank sought to manage.

According to the settlement order, which is available here, BNY Mellon provided the internships at the request of the foreign officials, even though the prospective interns failed to meet the bank’s hiring criteria and were less than exemplary employees. In so doing, the bank violated the FCPA’s anti-bribery provisions and demonstrated that it lacked internal controls sufficient to ensure its hiring process would not be used to improperly obtain or retain business.

This settlement highlights two essential FCPA-compliance points.

First, a payment under the FCPA can include things other than the typical cash, gifts, travel or entertainment expenses that often get companies in trouble. A prohibited payment can be anything of value, including – as in BNY Mellon’s case – relaxation of typical company standards for the benefit a foreign official.

Second, a company’s compliance policy should specifically address hiring anyone, or taking any particular action, that is a benefit to a customer – particularly a customer who happens to be a foreign official. A company that elects not to outright prohibit hiring candidates recommended by a customer should, at the very least, implement strict controls to ensure that such candidates are subject to the same evaluation criteria as all other applicants. And hiring decisions about such candidates should require specific management approval; the decision should not be left to the discretion of sales staff or relationship managers involved with the customer.

The BNY Mellon case is a useful reminder that companies should reevaluate the myriad opportunities for personnel to provide improper benefits in violation of the FCPA. An effective compliance policy must reflect and impose controls to protect against those risks.