FCPA Compliance and Ethics Blog

March 20, 2014

Something is Rotten in Denmark or Is It the Banking Industry?

“Something is rotten in the state of Denmark” is one of the signature lines from Shakespeare’s play Hamlet. I thought about that when I read a couple of recent articles in the New York Times (NYT), entitled “Questions Are Asked of Rot in Banking Culture”, by Peter Eavis, and the Wall Street Journal (WSJ), entitled “Lawmakers Tell Justice Dept. to Seek Swiss Banker Extraditions”, by Joel Schectman. Eavis wrote that banks have been accused of money laundering, tax dodging, market rigging and rampant risk-taking; all of which I would add could lead to potential Foreign Corrupt Practices Act (FCPA) violations.

Banks would seem to have a different relationship with the public than energy companies. Eavis said that “At the heart of the issue is an inviolate social contract that bankers are supposed to honor. The government agrees to protect banks from collapse, and in return, bankers are meant to uphold the highest ethics when handling other people’s money. But when law-breaking and other missteps proliferate at banks, it is a sign that the industry has stopped cleaving to the special contract, endangering taxpayers. And bad management can be a leading indicator of future financial problems at an institution.”

But beyond this ‘social contract’ there are the regulators. The Department of Justice (DOJ) has never been shy about enforcing the FCPA against energy companies that violate the law. “Too Big To Fail” still resonates as an excuse for regulators who didn’t regulate so that they “may find it hard to convince the public that they mean business” this time around and on this issue. Eavis noted that William C. Dudley, president of the New York Fed, and Thomas J. Curry, Comptroller of the Currency, have both recently spoken out about banks and their culture. But Eavis notes, “each had a reputation for being too soft on the banks.”

The regulators told Eavis that they are indeed ‘ratcheting up the pressure’ on banks. Curry was quoted as saying, “We are ratcheting up the potential consequences. This is something new.” Eavis properly asks that with some of the best legal talent money can buy for defense, who deploy strategies like refusing to turn over potential evidence to regulators” and simply having such large profits “they can easily absorb the financial penalties the government throws at them”.

Eavis notes that one continuing area of concern and an area of potential change is compensation. He states “compensation is one area where bank regulators may need to do more if they want to do more to clean up bank culture, according to critics of the industry.” This is because bank compensation practices “can reward unhealthy levels of short-term risk-taking and entice bankers into ethical lapses.”

While it is doubtful that banks would ever make changes similar to those made by GlaxoSmithKline PLC (GSK) to move away from compensation variably based upon sales to a straight salary, Eavis reports that regulators outside the US “agreed after the crisis to overhaul bankers’ pay, in part by requiring them to wait several years before they receive all of their bonuses. The hope is that bankers will behave better if they know their employers can easily take back the deferred part of their pay.”

The problem regarding compensation in US banks is that they “are still deferring much less pay than their European peers. The Fed is in charge of regulating compensation at American banks. When asked whether the pay overhaul at American banks had gone far enough, Mr. Dudley said, “There is potential to defer more compensation for longer periods of time.””

However, banks need more than simply a change in compensation to address their cultures. It really is about ethics. Interestingly this is where ‘Too Big To Fail’ comes into play. But Eavis also writes “Some banks may be so large and complex that it would be difficult for managers to maintain a clean culture across all of their operations.” Dudley was quoted as saying, “Either the firm is not too complex, you can manage it, you do know what’s going on,” he said. “Or, if you don’t know, that’s sort of raising the question whether the firm is too complex to manage.” This means “he would not allow size or complexity to be an excuse for ethical breaches.”

Although not directed at US banks and bankers, Senators Carl Levin and John McCain, who jointly lead the Senate’s Permanent Subcommittee on Investigations, channeled their inner Howard Sklar when they wrote a letter to the DOJ and urged them to “at least attempt” extradition proceedings against indicted Swiss bankers. They jointly said “Even if the extradition request is denied, it will inform both Switzerland and its citizens that the United States is ready to make full use of available legal tools to stop facilitation of U.S. tax evasion and hold alleged wrongdoers accountable.”

I felt the DOJ response was well reasoned when a spokesman said, “extradition proceedings would be a poor use of resources. Because aiding tax evasion is not considered a crime in Switzerland, the country is unlikely to honor U.S. extradition requests.” But John Carney, a former federal prosecutor who is now a partner at Baker & Hostetler LLP, believes that “an extradition request from U.S. authorities would be a powerful signal”. He was quoted as saying, “It’s a shot across the bow for folks who think it could never happen.” Further, “The unsettling part for a potential defendant is the request is there and if the [Swiss] government ever changes its view, it’s one step closer to actually happening.”

I have written about Bankers Behaving Badly more than once. The litany of financial crimes they have admitted to goes on almost monthly. But when the government regulators start talking about a rotten culture, that seems to take things up a notch or two. Remember, I come from Houston, which is the epicenter of FCPA enforcement. I do not remember any government official or regulator talking about “deep-seated cultural and ethical failures” at energy companies in Houston. These public comments should certainly be a wake-up call for senior management at these institutions. My advice would be to get your Chief Compliance Officer (CCO) in for a meeting ASAP and while you are at it, you may want to consider hiring a Chief Ethics Officer as well.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

February 26, 2014

The Alchemist of Comedy and Utility Industry Compliance

Harold Ramis died on Monday. For a generation of comedians and fans of comedy he was one of the driving lights of that genre. He was one of the screenwriters of Animal House and wrote the screenplays for both of the Ghostbusters movies, in addition to starring in them. His New York Times (NYT) obituary called him the “Alchemist of Comedy” and quoted from Paul Weingarten, who wrote, in The Chicago Tribune Magazine in 1983, “More than anyone else, Harold Ramis has shaped this generation’s ideas of what is funny.” So thanks Harold Ramis for Bluto, Otter, Flounder, D-Day, Dr. Spengler and all the rest.

I am currently attending the Society of Corporate Compliance & Ethics (SCCE) 2014 Utilities & Energy Conference. As usual, it is an excellent event for the compliance practitioner. One of the things that I find not only intriguing but also extremely useful about this conference is the pairing of compliance practitioners from the fields of energy and utility. I did not attend the utility-focused sessions for the first couple of years but now prefer those sessions because they focus so much on the process of compliance. While the actual compliance issues are not anti-bribery or anti-corruption, the process-oriented approach utilized in the utility industry can be a great set of lessons for the energy industry compliance practitioner to consider when looking at an energy company compliance regime.

On Monday there was a presentation by David Douglass, Federal Energy Regulatory Commission (FERC) Compliance at Kansas City Power & Light Company. Initially, Douglass presented several different compliance models, which the anti-corruption compliance practitioner can use to benchmark or evaluate your company’s compliance program. The first one Douglass termed the Compliance Maturity Model – Compliance at Every Level. It included:

  • Step 1 – Reacting only and engaging in panic. The elements of this level of maturity include the admonition to “Get it done”. Typically under this step compliance is operating in isolation and can only marshal resources as necessary and wherever they might be found.
  • Step 2 – Anticipating and acceptance of compliance. This increased maturity can help to bring about some efficiency, usually through the accepted use of automation. This allows a compliance practitioner to see connections between multiple programs and take steps to plan future approaches to ongoing and ad hoc compliance challenges as they might arise.
  • Step 3 – Collaborating. Under this step, compliance moves to being seen as a collaborative partner with the business units. This allows the identification of risks, the assessment of the company’s exposure to those risks and the prioritizing of actions to meet those assessed risks. Finally, the collaboration step can allow for the re-use of technological components for multiple purposes, thus reinforcing great cost savings and value.
  • Step 4 – Orchestrating through and with the rest of the company. Under this ultimate step in the model, compliance works to help set enterprise-wide objectives and to coordinate enterprise-wide risk analysis and response. It also provides corporate-wide visibility into risk analysis, management and remediation as well as compliance performance.

In addition to the above Compliance Maturity Model, Douglass discussed two programs set out by federal utility regulators. The first was the FERC’s Effective Compliance Program, which has the following seven standards:

  1. Internal standards and procedures to prevent and detect violations;
  2. High-level management knowledge and oversight of internal compliance programs;
  3. Reasonable (due diligence) efforts to screen out “poor performers”;
  4. Reasonable internal communications and training efforts;
  5. Reasonable steps to evaluate program effectiveness, including confidential reporting options for employees;
  6. Creating and enforcing compliance incentives and noncompliance sanctions;
  7. After detection of a violation, companies shall take reasonable, responsive steps.

He then cited to the North American Electric Reliability Corporation’s (NERC’s) four hallmarks of effective compliance programs, which included the following:

1.    Senior management / leadership

  • Compliance Program is established in the company.
  • Compliance Program is formally documented and widely disseminated throughout the organization.
  • The Compliance Program is supervised by a high ranking company representative.
  • The head of the compliance function has access to President / CEO and Board.
  • The Compliance Program is designed and managed with independence.
  • There are sufficient resources dedicated to implement Compliance Program.
  • The Compliance Program has the full support of all company leadership

2.    Preventive measures are in place

  • A sufficient frequency of review of compliance program occurs.
  • There is sufficient frequency of training of employees on compliance program.
  • There is sufficiency of subject matter training of employees on compliance program.

3.    Prompt detection, cessation, and self-reporting

  • There is a sustainable process to internally assess compliance with regulations.
  • There is a sufficient response to identification of wrong-doing or misconduct.

4.    Effective remediation

  • There are effective internal controls and procedures present to prevent recurrence of misconduct.

Douglass also discussed the “3-lines of defense” concept for a best practices compliance program. Under this concept a properly constructed compliance program has three lines of defense to prevent a compliance incident. These three lines of defense are identified as (1) the Risk Content Owners line of defense; (2) the Risk Process Owners line of defense; and (3) the Risk Content and Content Monitoring Owners line of defense.

I. Risk Content Owners

This first line of defense is the business owner(s) who are on the front lines for any company. Their roles include management of day-to-day business risks and to recommend actions to manage and treat that risk. This group also is tasked with complying with the company’s risk management process. Where appropriate, this group will implement risk management processes where applicable and this group will execute risk assessments and identify emerging risk.

II. Risk Process Owners

This second line of defense is typically the company legal and compliance departments. Not only are these the standard setters in an organization but they may also be charged with certain monitoring tasks. This group should establish policy and process for risk management. This group is the strategic link for a company in terms of risk. It should provide guidance and coordination among constituencies. It should identify enterprise trends, synergies, and opportunities for change. This group should also initiate change, integration and operationalization of new compliance best practices. Typically this group is the liaison between the third and first lines of defense. Lastly, this group will oversee certain risk areas and certain enterprise objectives, such as compliance with regulations such as the Foreign Corrupt Practices Act (FCPA), Export Control, etc.

III. Risk Content and Monitoring Owners

This third, and final, line of defense is generally thought of as the Assurance Providers and consists of senior management, Internal Audit and up to the Board of Directors. Its roles include either working with or through senior management and/or the Board of Directors. This line of defense is tasked to rationalize and systematize risk assessment and governance reporting so that it is not only transparent but useful and stored in a manner that can be retrieved if a regulator comes calling. It will provide oversight on risk management content/processes, followed by the second line of defense. Finally, it will provide assurance that risk management processes are adequate and appropriate.

This tripartite model is an excellent way for a company to not only think through how to design an overall structure but as an outline to assess how well it may be doing in any one specific compliance area such as anti-corruption compliance under the FCPA. The first line of defense should be driven down to the Business Unit level. This will allow, indeed require, the Business Unit to buy into the overall compliance program. The legal and compliance departments are the key bridge that writes and leads implementation of the overall compliance program through training but also assesses whether the compliance program is effective and remains robust. The role of senior management is to provide overall leadership and deployment of resources throughout this entire process.

I have found that the anti-corruption compliance, or indeed the anti-money laundering (AML) or export-control practitioner can learn quite a bit from their peers in the utility industry. While they may not rise to the level of “Alchemist of Comedy”, as did Harold Ramis, you might want to listen to what they have to say.


January 30, 2014

Inspector Lestrade – Does Leadership Matter?

Continuing our Sherlock Holmes homage, today we draw inspiration from the character of Inspector Lestrade as the theme of this blog post. In the original Doyle works, he appears in 13 of the stories and we are only introduced to him as Inspector G. Lestrade. In the current PBS series, we are informed his given name is Greg. Lestrade is not exactly the sharpest tack in the shed, as evidenced by Holmes’ comments that he is “an absolute imbecile” from The Red-Headed League and the “best of a bad lot” from The Boscombe Valley Mystery.

I thought about Inspector Lestrade when I read some of the comments of UBS Chief Executive Officer (CEO), Sergio Ermotti, as reported in the Wall Street Journal (WSJ) article entitled “UBS Chief’s Plea: Stop ‘Lecturing’ to Bankers” by David Enrich and Francesco Guerrera. UBS has not exactly been a law-abiding corporate citizen over the past few years. As you might recall, this is the company which had a $2.3 billion trading loss from one individual. It is also the company that assisted approximately 17,000 American clients with illegally hiding $20bn of assets to avoid paying taxes on this money. UBS paid a fine of $780MM for these actions. But there is much more, as UBS also agreed to pay another $1.5 billion fine for its criminal actions in manipulating the LIBOR. What would you say the ‘tone’ is at UBS about complying with the law?

With all of these fines, penalties and criminal pleas behind him, Ermotti does not seem to think there is any room for criticism of his company. Rather unbelievably, Ermotti was quoted as saying, “Life is hard enough, and I think this constant lecturing on ethics and on integrity by many stakeholders is probably the most frustrating part of the equation. Because I don’t think there are many people who are perfect.” For those of you who might want that translated to Texan, the equivalent phrase is a very nasal twang of “Glass houses dear”. For the more spiritual out there you could fall back on “Let he who is without sin cast the first stone.” Perhaps the most relevant question would simply be ‘How many angels dance on the head of a pin?’

Late last year, I engaged in a dialogue with other Foreign Corrupt Practices Act (FCPA) commentators about whether motives matter in anti-corruption enforcement actions. I opined, in a post entitled “Does Motive Matter in Anti-Bribery and Anti-Corruption Enforcement?”, that it really does not matter what the motives are for the Chinese government officials in prosecuting western companies which violate Chinese national anti-bribery laws; if a company breaks the law, it can be subject to prosecution. The FCPA Professor, in a post entitled “Should Motivations Matter”, said that impure motives do matter in anti-corruption enforcement actions, whether in China or the US. Others have suggested that the FCPA enforcement itself is hypocritical because the US allows gifts, entertainment, charitable donations and a wide variety of other acts to be given as a quid pro quo to US government officials, usually without criminal prosecution.

But Ermotti takes this debate to an entirely new level. Now you cannot even criticize his bank unless you are ‘perfect’. Further, showcasing the obvious knowledge of his 60,000 plus employee base, Ermotti “said in the interview that most of the bad behavior that has landed UBS and others in hot water was caused by small groups of rogue employees and doesn’t reflect broader cultural problems in the industry. “It’s not because you’re a banker that you’re a criminal”.” This was in the face of criticism at the World Economic Forum in Davos (where Ermotti was interviewed and made his remarks) that “In a private meeting held between bank CEOs and central bankers and regulators Friday, several participants pointed to banks’ “conduct” issues as undermining efforts to rebuild public and investor confidence in the industry, according to executives and central bankers who were there.” This can be contrasted with Bank of England Governor Mark Carney who said at the same conference, “Whether or not [the industry] thrives will rest on the efforts of individuals and organizations to re-establish the system’s reputation for integrity”.

Yet again Ermotti doubled down when he claimed that the group, which cannot criticize, includes regulators and enforcement officials. This statement is almost the equivalent of another equally enlightened (former) CEO, Bob Diamond, who once ran Barclays and “told British lawmakers in 2011 that “there was a period of remorse and apology for banks. That period needs to be over.” The next year, Mr. Diamond was forced to resign after Barclays admitted trying to rig interest rates.” Ooops.

What does all of this say about the top of this once august organization? First and foremost, how would you like to be the person who has to ‘speak truth to power’ if your CEO says that only the ‘perfect’ can bring forward criticism? Do the words ‘career suicide’ ring any bells here? But more importantly you have a company which entered into a Deferred Prosecution Agreement (DPA) regarding its tax evasion violations and then pled guilty to criminal conduct that, as reported in another WSJ article, “Regulators described the alleged illegality as “epic in scale,” with dozens of traders and managers in a UBS-led ring of banks and brokers conspiring to skew interest rates to make money on trades.” What would you say about its ‘tone-at-the-top’? Are they committed to following the law? How about complying with the terms of their multiple settlement agreements with US regulators? How about changing the culture in their organization, not simply to make compliance a goal but actually obey the law? What about instituting and then following a best practices program for compliance with anti-corruption laws such as the FCPA or Bribery Act; anti-tax evasion laws such as the Foreign Account Tax Compliance Act (FATCA); relevant anti-money laundering (AML) laws; or indeed others?

Without a hint of irony, the WSJ piece on Ermotti’s remarks ends with the following quote from him, “The banking industry is an easy target.” I wonder if Ermotti has the self-awareness of Inspector Lestrade to understand the wisdom of his words?


January 8, 2014

Corruption in Turkey and Integrating Your Risk Assessment

One of the more public and ongoing corruption scandals in the world right now seems to be happening in Turkey. To say the events and facts are confused is an understatement. At this point there are not any international players who have been implicated but given the breadth and scope of what has come out of that country over the past month or so, it would appear to be only a matter of time. It began in December when, according to the BBC, “The arrests were carried out as part of an inquiry into alleged bribery involving public tenders, which included controversial building projects in Istanbul. Those detained in the 17 December raids included more than 50 public officials and businessmen – all allies of the prime minister. The sons of two ex-ministers and the chief executive of the state-owned bank, Halkbank, are still in police custody.”

The Prime Minister claims that all of these arrests were simply political theater, generated by supporters of Fethullah Gulen, an influential Islamic scholar living in self-imposed exile in the US. Members of Mr. Gulen’s Hizmet movement are said to hold influential positions in institutions such as the police and the judiciary and the AK Party itself. Many believe the arrests and dismissals reflect a feud within Turkey’s ruling AK Party between those who back the Prime Minister, Recep Tayyip Erdogan. On Tuesday the Prime Minister and his supporters struck back at the police by removing approximately 350 police officers from their positions in the capital, Ankara. The Prime Minister and his supporters have also attacked the judiciary leading the investigation, claiming that it is all politically motivated.

In addition to the obvious turmoil based on the above, the country is feeling the fallout in the international monetary arena. In an article in the Financial Times (FT), entitled “Turkey warns of corruption probe risk”, reporter Daniel Dombey said that the country’s currency, the Turkish lira, had dropped 7.5% since the initial arrests back in December. He quoted the country’s Finance Minister, Mehmet Simsek, who said that there had been “some negative implications for the Turkish macro [economy].” Dombey also noted that the Turkish stock market had dropped almost 12% during the same time frame.

In the 2013 Transparency International (TI) Corruption Perceptions Index (CPI), Turkey had a score of 50 which gave it a rank of 53 out of the 177 countries listed. It generally had better scores than other countries in southeastern Europe such as Greece and the Balkan countries. Other than Cyprus, it had better CPI scores than most other mid-eastern countries. But what about now and what does this mean for the US-based multi-national who is currently doing business in Turkey or considering doing so?

One of the things that a compliance program must have is the flexibility to respond to changing events on the ground. Just as last summer’s GlaxoSmithKline PLC (GSK) corruption scandal in China brought attention to those issues in China, these very public events should bring the attention of your compliance team. My former This Week in FCPA co-host Howard Sklar said that a compliance program needed to be nimble in order to respond to such events in far-flung places. Risks change and they must be evaluated on a regular basis or in response to new facts on the ground, such as those which are present in Turkey.

There may also be more than anti-corruption risk at play in any given situation. If a company only looks at one type of risk, such as anti-corruption, rather than others such as export control or anti-money laundering (AML) it can lead to the concept of what is called the “functional trap” of labeling and compartmentalizing risk. In an article in the June issue of the Harvard Business Review (HBR), entitled “Managing Risks: A New Framework”, authors Robert Kaplan and Annette Mikes declare that good risk discussions must be integrative in order for risk interaction to be evaluated. If not, a business “can be derailed by a combination of small events that reinforce one another in unanticipated ways.”

The authors posit that it is difficult for companies to accurately and adequately discuss risk for a variety of reasons. One of these reasons is the aforementioned silo effect which can lead to a lack of discussion by a wide group regarding a number of risks, for example compliance risk; reputational risk; brand risk; credit risk; human resources risk are but a few of the types of risks mentioned in their article. The authors believe that one of the ways to knock down these silos when it comes to a more complete management of risk is to “anchor their discussions in strategic planning, one integrative process that most well-run companies already have” in place.

The authors cautioned that beyond simply introducing a systematic process for identifying and mitigating key risks, companies should also employ a risk oversight structure. The authors discussed the experience of the Indian IT company, Infosys, which uses a dual structure. It consists of a central team that identifies general strategy risks and then establishes central policy, together with a specialized, decentralized functional team. This second team designs and monitors policies and controls in consultation with local business units. These decentralized teams have the authority and expertise to respond to changes in the company’s risk profile coupled with the nimbleness and agility of being in the field to deal with smaller issues before they become larger problems for the central team back in the corporate office.

I believe that the current political turmoil in Turkey provides an example of the diversity your compliance program and risk assessment must maintain. Just as it is important to perform due diligence on third party representatives, before execution of an appropriate contract, the real work is in managing the relationship. In risk management, you must identify and assess the risk but the real work begins in managing the risk. This is where the rubber meets the road.


June 20, 2013

‘You Scratch My Back’ Leads to a Fine and Penalty

As the riders loped on by him he heard one call his name

If you want to save your soul from Hell a-riding on our range

Then cowboy change your ways today or with us you will ride

Trying to catch the Devil’s herd, across these endless skies

 

The above lyrics are the closing stanza to the song “Ghost Riders in the Sky”. I thought about the advice for the cowboy to change his ways to save his soul from Hell when I read in both the Financial Times (FT) and the Wall Street Journal (WSJ) reports that Deloitte LLP (Deloitte) agreed to a one-year suspension from soliciting new consulting work from financial institutions and agreed to pay a $10MM fine to the state of New York Department of Financial Services (DFS) for its role in the Standard Chartered Bank (StanChart) money laundering scandal. StanChart was fined $340MM by the DFS for allegations of money laundering and doing business with Iran, all in violation of US laws.

The FT article, entitled “Deloitte banned for StanChart ‘violations’”, by Kara Scannell, reported that this suspension and fine was the first against a consulting firm by the DFS. The DFS cited Deloitte for “misconduct, violations of law and lack of autonomy” in its review of the anti-money laundering (AML) practices of Standard Chartered. Indeed, in its settlement with Standard Chartered, it was alleged that “Deloitte ‘aided’ the bank’s deception in hiding transactions linked to Iran.” In one instance, the FT reported that “Deloitte removed a recommendation aimed at rooting out money laundering from a report filed with the state regulator. In an email cited in the settlement, a Deloitte partner said: ‘[W]e agreed’ to [StanChart]’s request because ‘this is too much and too politically sensitive for both [StanChart] and Deloitte. That is why I drafted the watered-down version’.”

However, the real problem was probably better articulated by Ben Lawsky, superintendent of the DFS, who the FT quoted as saying, “At times, the consulting industry has been infected by an ‘I’ll scratch your back if you scratch mine’ culture and stunning lack of independence.” The WSJ article, entitled “Deloitte Unit Gets One-Year Ban”, penned by reporters Shayndi Raice and Michael Rapoport, noted that in the DFS resolution “Deloitte also agreed to overhaul its internal safeguards and create new standards to increase its independence with respect to clients.” Deloitte itself was quoted in the FT article as saying “it looks forward to working constructively with DFS to establish best practices and procedures that are ultimately intended to become the industry standard for all independent consulting engagements under DFS’s supervision”.

The WSJ also reported that the DFS has been concerned for some time “that consultants who review, and help banks with, regulatory issues are potentially subject to conflicts of interest because they are hired and paid by the same banks whose work they are supposed to assess.” Apparently the DFS is looking to use Deloitte’s remediation as a “model to govern all consultants who do work for banks under the agency’s supervision.” This comes on the heels of the US Senate’s Banking, Housing and Urban Affairs Committee, Subcommittee on Financial Institutions and Consumer Affairs’ hearing this past April on the same issue. The hearing was entitled “Outsourcing Accountability? Examining the Role of Independent Consultants”. The hearing was adjourned with no resolution or legislation introduced as yet, but Massachusetts’ junior Senator Elizabeth Warren is on the Subcommittee, so I would not be surprised if something comes out of this issue.

The use of external consultants was also mentioned in a recent enforcement action under the Foreign Corrupt Practices Act (FCPA); that being the Parker Drilling Deferred Prosecution Agreement (DPA). In the DPA there were the following statements about an un-named US law firm and an un-named partner at said law firm, which were listed as an agent of Parker Drilling in connection with its FCPA issues in Nigeria.

  1. The law firm was a US limited partnership, which provided legal advice to Parker Drilling for the issue involving the FCPA violation at issue. (Paragraph 10)
  2. An unidentified “outside counsel” who provided this legal advice was a partner in the unidentified law firm. (Paragraph 11)
  3. Parker Drilling entered into an agreement with a Nigerian Agent who would “act as a consultant to [Law Firm] to provide professional assistance resolving these issues in Nigeria.” (Paragraph 33)
  4. Payment to the Nigerian Agent was made through the law firm, which received the Nigerian Agent’s invoice and then forwarded on to Parker Drilling for funding.
    “When the Nigerian Agent required funds, Parker Drilling transferred funds to Law Firm by wire, and Law Firm in turn forwarded those funds to Nigerian Agent by international wire. Nigerian Agent’s funding requests typically first went by email to the Law Firm and U.S. Outside Counsel and asked for currency transfers, often $100,000 or more at a time.” (Paragraph 34)
  5. This U.S. Outside Counsel was identified as requesting money from Parker Drilling for entertainment of the Nigerian President (Paragraph 35a); requesting money for payment to the Nigerian State Security Service and Minister of Finance tied to “winning the concession” for Parker Drilling (Paragraph 35d); advised Parker Drilling that the Nigerian Agent in question “will need $100,000 in expense advances to cover various out of pocket expenses and social events” and that the Nigerian Agent’s expenses were running “about 4000 a day per person because of the entourage entertainment.” (Paragraph 35g); and, finally, he advised Parker Drilling that the Nigerian Agent “needs another $150,000 to accomplish his objective”. (Paragraph 35h)

What does all this mean for the compliance practitioner? First of all, it drives home the need to perform due diligence on all third party providers which will provide legal or regulatory services. If there is no underlying due diligence, there can be no understanding of the background of the service provider. The Deloitte StanChart actions and the US law firm and US lawyer identified in the Parker Drilling DPA set out a couple of issues for the consideration of a compliance practitioner in dealing with third party consultants. First and foremost, be on the watch for any third party who suggests anything illegal or that even comes close to that line. It is clearly a red flag if a third party suggests any violation of the FCPA, AML regulations or the like. Similarly, any claim that ‘this is the way business is done in [fill in the country]’ should immediately raise a red flag. Anytime a required report is ‘watered down’ it is also a clear red flag. Lastly, if your US outside counsel suggests hiring a Nigerian agent to ‘facilitate’ any legal issues, remember the primary liability is on your company, even if you only accept that legal advice, or as the lyrics suggest “cowboy change your ways today or with us you will ride” into a large FCPA or AML settlement.



© Thomas R. Fox, 2013

June 18, 2013

How to Assess Suspicious Financial Activity

The banking world is littered with institutions that have paid astronomical fines for their failures around anti-money laundering (AML) legislation. Much has been written and said about these events. However, one of the areas that has received perhaps less attention is the programs that banks and other financial institutions have set up to comply with the ever-growing increase in AML regulations. But just as crooks tend to follow the money, sophisticated lawbreakers, who tend to engage in crimes such as money-laundering, will try to move their operations to businesses and industries with less robust protections around AML. That is why I found this month’s article by Carole Switzer, President of the Open Compliance and Ethics Group (OCEG), in the June issue of Compliance Week, entitled “The Battle to Balance Vigilance and Suspicion”, to be instructive for the anti-corruption/anti-bribery practitioner who typically focuses on Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance.

In the article Switzer makes clear that she believes that “the most effective AML programs are based on the understanding that financial institutions have an obligation to all of their stakeholders to remain vigilant about AML risks. Banks are not required to prove money laundering; rather they are required to strike the right balance in their vigilant reporting of suspicious activity.” She recognizes that “banks must file a suspicious activity report (SAR) when suspicious activity arises. What qualifies as a suspicion often is a difficult question—as is the determination of whether or not to file a SAR.” Yet Switzer also notes that “filing of too many (and/or incomplete) SARs can overwhelm regulatory agencies, reducing their ability to address genuine criminal activity” and that filing “too few SARs and a company can turn a blind eye to potential money laundering, opening itself and, in some cases, its top managers to significant penalties.” I would posit that the dynamic tension would appear for any company; whether financial institution or other commercial operation. Hence, I believe that Switzer’s thoughts can be used by a non-financial concern to help protect it from violation of US or UK AML laws.

As usual, Switzer has provided a road map to illustrate her thoughts, entitled “Suspicious Activity Investigation Lifecycle”. In the diagram Switzer notes that it is important to understand each step in the lifecycle, so that a company can exploit “opportunities for technology and automation”. Technology, coupled with the human element which recognizes the signs of suspicious AML activity, can help your company protect itself and “hear through the noise.” She counsels that the “focus is to identify suspicious activity and report it, not to prove criminality; law enforcement will take it from there, blending your information with information from other institutions before making a decision on how to proceed.” She lists the following four steps.

1. Triage – Switzer believes that “understanding and managing your inbound alerts can be an intimidating task. High alert volume and false-positives can abound, often at a 50:1 ratio (False/True).” A company should also focus on automated solutions that allow it to invest human capital in exception cases. Finally, remember to consistently review and modify the system until your organization can hear through the noise.

2. Investigation – As an investigation process can tax your resources, you should strive to ascertain that you are making the right inquiries and documenting the process at every turn. Some of the questions that Switzer suggests you focus on include “Do you understand the context? Are your procedures applicable to the product used? How does the processing channel affect the investigation? What history does the customer or organization have with your institution? Are you truly investigating or just documenting?”

3. Action – After you have finished conducting research and obtained an understanding of the suspicious activity, its context, and the implications, Switzer advocates that this is the time to react. She believes that it is important to have a protocol in place. Some of her suggestions include placing the party on a continued Watch List, or you could “kick off your Enhanced Due Diligence cycle, or offboard the customer altogether.” She notes that the key here is “expediently limiting risk and exposure and promptly notifying regulatory authorities.” To which I would add: document, document, and document.

4. Feedback/Review – As with any process, you need validation or ‘a second set of eyes.’ Switzer proposes that you should review your actions and reports for accuracy. Some questions that you may wish to keep in mind are the following: “Was your investigation fruitful? What did you learn? Is our current process sound and comprehensive? Learning what you have done, how it has affected your risk profile, and how you have reacted is critical to ongoing success.” A rigorous system would “constantly challenge assumptions and work to refine the process. Evaluate how your customers, products, and business are changing, and develop new scenarios.”

Switzer notes some of the more common mistakes made include failure to document your compliance efforts and missing of key internal and external deadlines for reporting. She cautions against tipping off customers directly during the inquiry process or indirectly through sending questions to a third party which may convey such information. Finally, training is important so that any report which is generated is not of such poor quality, incomplete or overly vague as to be useless and miss important information.

As with other areas of compliance, there are best practices which are fairly well known. Switzer reminds us that your suspicious activity program should constantly challenge your ongoing assumptions and evaluate the accuracy of your program. You should regularly review and adjust threshold amounts for such investigations and study new typologies. Tone at the top is key in the suspicious activity area of AML compliance, so your company should create a culture of compliance and ensure the staff is aware and empowered to do the right thing. Your compliance program should incorporate ongoing monitoring and outcome analysis. Lastly, do not forget to train.

Most non-financial enterprises do not look at potential AML issues, certainly not as thoroughly as financial institutions. However, I believe that this may well be the next area that corrupt persons and parties will try to exploit from otherwise law-abiding entities. The time to prepare is sooner rather than later. Switzer has laid out a protocol which you can implement and which can go a long way down the road to protecting your company.


© Thomas R. Fox, 2013

June 12, 2013

British PM Leads the Fight against Shell Corporations

One of the critical areas in due diligence for foreign business partners is determining who are the true owners of an entity. Unfortunately this is not always possible to determine as many countries do not require the names, addresses and other identifying information of shell company owners or limited liability partners. Many people think of the Cayman Islands or other traditional tax havens when such issues arise.

However, a surprising number of allegedly low risk countries also have this problem. New Zealand is generally recognized as one of the lowest risk countries in the annual Transparency International Corruption Perceptions Index (TI CPI); nevertheless, this rating may not be all it seems. In an article by Michael Field on Stuff.co.nz, entitled “NZ firms linked to money laundering”, Field reported that one individual was listed as a Director of over 300 New Zealand formed companies. Another person, listed as the Director of the New Zealand Company alleged to have been involved with the shipment of arms to North Korea, was “convicted of 75 breaches of the Companies Act for giving false addresses on registration forms”.

New Zealand is not the only country with a low corruption perception which may not be completely accurate. In a Reuters article, entitled “Special Report: A little house of secrets on the Great Plains”, authors Kelly Carr and Brian Grow reported on one house in Cheyenne, Wyoming, which the authors claim “serves as a little Cayman Island on the Great Plains” as it is home to the registration of over 2,000 entities. The article claims that Wyoming allows “the real owners of corporations to hide behind “nominee” officers and directors with no direct role in the business, often executives of the mass incorporator.” Carr and Grow also quote Jason Sharman, a professor at Griffith University in Nathan, Australia, who states that “Somalia has slightly higher standards [for business incorporation] than Wyoming and Nevada.”

One of the anomalies in the ongoing Hewlett-Packard (HP) investigation, for alleged bribery and corruption violations in its German subsidiary, was the German authorities’ investigation of activities in and through the state of Wyoming. The article by Carr and Grow may help explain why the German authorities needed to investigate matters relating to Wyoming where the allegations were that bribes were paid by a HP German subsidiary for a sale into Russia.

Against this backdrop, British Prime Minister David Cameron has taken the lead in forcing jurisdictions that register such companies to disclose their ownership. While Cameron has come at this problem through the angle of tax evasion and compliance, it clearly has implications for the US Foreign Corrupt Practices Act (FCPA), UK Bribery Act and various anti-money laundering (AML) laws. The issue of public registers and beneficial ownership is coming to the fore on the eve of the G8 Summit which will be held in Northern Ireland starting next Monday. The Guardian has reported, in an article entitled “David Cameron under pressure to clarify owners of firms at G8”, that “Cameron has also been given a political boost by the Cayman Islands agreeing to sign the OECD multilateral convention on tax transparency and information, the most important of the British overseas territories to do so.”

However, perhaps there is legislation on the way to close this loophole in the US. In another Reuters article, entitled “US House bill targets anonymous shell corporations”, Patrick Temple-West reported on prior US legislative attempts to require disclosure of corporate beneficial owners. Three such efforts have failed since the year 2000. Who might oppose such legislation? Temple-West reported that “Some state government group[s] remain opposed. In the past, resistance has also come from business groups and lawyers.” I am also somewhat chagrined to report that an organization that I belong to, the American Bar Association (ABA), has opposed prior legislation to provide greater disclosure for shell companies.

Still this resistance may be changing. In an article in the New York Times (NYT), entitled “Obama Urged To Back Plan To List Owners Of Shell Firms”, Ravi Somaiya reported that “Anticorruption activists have urged President Obama to back a plan to publicly register the owners of shell companies in the United States and around the world, a move they say is essential to thwart corrupt government officials, tax evaders and money launderers who rely on an opaque financial system.” This problem has existed for several years in the US. Somaiya reported that “The Financial Crimes Enforcement Network, a bureau of the Treasury Department, estimated in 2005 that as much as $18 billion in suspicious transactions were made using international wire transfers that used shell companies in the United States.”

Somaiya also quoted Jack A. Blum, a lawyer and the chairman of Tax Justice Network USA, who said “These anonymous shell companies are used by everybody who steals money.” Tens of thousands of shell corporations have been set up within the United States, he said, primarily in four states — Delaware, Montana, Nevada and Wyoming — that have loose regulations. “We know that the bad guys are selling the U.S. as a place to set up companies,” Mr. Blum said, citing its “aura of legitimacy.”

How does all of this relate to due diligence, as the US problem would not seem to impact a company covered by the FCPA? First of all, a company should know with whom it is doing business, and more pointedly a US company which is subject to the UK Bribery Act needs to recognize that any agent, distributor or other type of representative here in the US is a foreign entity under the Bribery Act and needs full due diligence. While the jurisdictional scope of the Bribery Act has yet to be fully fleshed out, such a US company needs to consider its due diligence here in the US and may need to strengthen its investigations and background checks on such parties to comply with the Bribery Act.


© Thomas R. Fox, 2013

May 31, 2013

Climbing Everest and Your Compliance Process

What is your compliance process? I thought about that question when I read an article in this month’s National Geographic Magazine entitled “Maxed Out on Everest” by Mark Jenkins. Jenkins wrote about the growing raw numbers of persons who take up the challenge of climbing the world’s tallest peak. This has led to waiting lines of more than 200 persons to get through certain pinch points, two-hour waits which can become deadly, and literally tons of trash left by climbing teams, which now stand testament to the environmental effects of these expeditions. Jenkins gave his list of six prescriptions to address these and other issues. They were (1) fewer climbing permits, (2) small ascent teams, (3) require certification of outfitters, (4) require experience to climb the mountain, (5) leave no trace of human waste and garbage on the mountain and (6) remove dead bodies from the mountain.

I also thought about the process question when I read two articles in yesterday’s New York Times (NYT) which spoke about the process of how decisions were made in two very different areas.

Banks Behaving Badly

The first NYT article, entitled “Documents Show Obama Officials in Tension Over British Banks”, by Ben Protess offered “a rare behind-the-scenes glimpse into the Obama administration’s decision-making as it prepared to take actions against two big British banks”, HSBC and Standard Chartered. Both banks agreed to large fines, assessed by the US government for their money-laundering operations; Standard Chartered was fined $327MM (in addition to a separate fine of $340MM by the state of New York) and HSBC was fined a whopping $875MM by the feds. Apparently there were tensions between the Department of Treasury (Treasury) and the Department of Justice (DOJ) over the federal law-violation fine, and also tensions between Treasury and the state of New York Department of Financial Services (DFS) over its action to fine Standard Chartered separately for its violations of New York state banking regulations.

Protess reported on the tensions between the US Treasury Department and the state of New York over its separately fining Standard Chartered: “In a sign that the British cases pitted authorities against one another, the Treasury Department raised concerns last year that New York’s banking regulator acted against Standard Chartered without sufficiently notifying federal authorities, the documents show. Treasury officials explained the concerns in an internal memo to Mr. Geithner. The memo, internal e-mails show, was prepared for Mr. Geithner as “talking points” ahead of an October meeting with George Osborne, Britain’s chancellor of the Exchequer. In a September letter to Mr. Geithner, Mr. Osborne had expressed significant “concerns” about New York’s action, given that the United States and Britain typically collaborate closely on such cases.”

Protess reported that an internal Treasury memo said that the DFS notified federal authorities “only hours before its public announcement.” But Protess went on to write, “But people close to the case argue that federal authorities were aware that Mr. Lawsky was poised to act. Three months before filing the case, Mr. Lawsky’s office informed Treasury and other federal officials that it planned to soon take action against Standard Chartered for illegally funneling money for Iranian banks and corporations, the people close to the case said.”

Treasury’s disagreement with DFS apparently paled in comparison to its disagreement with the DOJ, as Protess wrote that “some discussions have taken a more hostile tone as the Justice Department faces scrutiny for not indicting HSBC. The Justice Department has explained that it follows guidelines requiring prosecutors to weigh indictments of businesses with “collateral consequences” like job losses and, in the case of big banks, a threat to the economy. And in a recent letter to Congress, the department explained that it has “contacted relevant government agencies to discuss such issues,” including federal regulators.”

When Treasury joined the DOJ in announcing the settlement back in December 2012 of the federal matter, “a media outlet ran an overnight article in which a professor speculated that Mr. Geithner had not criminally prosecuted HSBC to avoid putting it out of business. By dawn that day, Treasury officials e-mailed one another about the article. Shortly after, National Public Radio retracted the quote and issued a statement saying that Treasury had not been involved in the decision not to indict HSBC.”

So was Treasury a part of the process or wasn’t it?

Rutgers Still Clueless?

For those of you following the saga of the Rutgers men’s basketball team, you might have thought that the New Jersey university could not do much worse than it did in the handling of the Mike Rice scandal. However, it appears that you would be wrong as Rutgers University continues to provide the compliance practitioner with lessons to be learned. To recap, Coach Rice was videotaped physically abusing players. He was initially disciplined but after the videotape was released by ESPN, he was fired. Almost immediately thereafter, Rutgers Athletic Director (AD) and General Counsel (GC) resigned over their roles in the matter.

Now Rutgers is back in the news for its hiring of a new AD, Julie Hermann. In a NYT article, entitled “Members of Rutgers Panel See Flawed Hiring Process”, reporter Steve Eder discusses the process which led Rutgers to hire someone who had been sued successfully for gender discrimination and whom, as detailed in an article in the New Jersey Star-Ledger, former University of Tennessee volleyball players had accused of verbally abusing them while she was their coach in the 1990s. In a letter obtained by the Star-Ledger, players alleged that Hermann called them “whores, alcoholics, and learning disabled,” and that she coached “through humiliation, fear, and emotional abuse.”

Hermann was also sued in a second lawsuit where Mary Banker, “an assistant track and field coach, claimed she was fired as retaliation for complaining to Hermann and the university’s human resources department about sexual discrimination by the head coach. Lawyers for Louisville said that Banker was fired for underperformance, not in retaliation for her complaints. A judgment in favor of Banker was overturned this year, and the case is pending before the Kentucky Supreme Court.”

Eder reported that “the leaders of the search committee sent an e-mail to the group’s members assuring them that the process that led to Hermann’s hiring had been fair and transparent.” He wrote that “Kate Sweeney and Dick Edwards, the leaders of the Rutgers search panel, wrote an e-mail Tuesday to the other committee members to defuse growing criticism of Hermann’s selection.” He quoted from their email, “You all had the opportunity to examine Julie’s credentials, to spend some time with her when she was on campus, and to provide us with your thoughts regarding her candidacy as Rutgers’s next Director of Intercollegiate Athletics.”

However this statement was contradicted when “at least two committee members claimed that the leaders had whitewashed a process that felt secretive and rushed, leaving them uncomfortable with the university’s selection of Hermann. One member said that concerns over a lawsuit an employee had filed against Hermann were not fully addressed, and that he did not spend enough time with her to feel comfortable that she was the right person to lead an athletic department still reeling from a scandal involving an abusive coach.”

Eder quoted Ken Schmidt, one of the committee members, who wrote to the group, “At this time, please do not try to rewrite the facts. I suspect you will find others that share my opinion.” Schmidt was also quoted as saying, “There was very little information about the candidates disseminated to the larger committee.” A second committee member, Ron Garutti, wrote: “Please, let’s not present this as any kind of exemplary process. Subsequent events have proven otherwise.” Garutti also added, “Please, let us not at this late date attempt to convince ourselves and the public that there was sufficient time to delve deeply” into candidates’ documents.

So what exactly was the hiring process that Rutgers used to fill its AD position?

The NYT articles and the National Geographic article drove home what my process-analyst wife reminds me about, that being that it is all about the process. Develop a process and then follow the process but also validate the process with additional information and the ‘second set of eyes’ principle.


© Thomas R. Fox, 2013

May 28, 2013

Risk Assessments in an Anti-Money Laundering Compliance Program

Today we celebrate that noted British comedian who made his fame in America – Bob Hope.  He had a successful film career largely thanks to the series of seven “Road” movies he made with Bing Crosby and Dorothy Lamour, including Road to Singapore (1940), Road to Morocco (1942), Road to Utopia (1946) and Road to Rio (1947). Hope is also known for his entertainment of US military forces overseas. In 1941, after America’s entrance into World War II, Hope began performing for US troops abroad; he would play shows for more than a million American servicemen by 1953. Some 65 million people watched him perform for troops in Vietnam on Christmas Eve in 1966, in his largest broadcast. Hope also became a legend for his countless TV specials, which he would perform over the course of some five decades. He hosted the Academy Awards ceremony a total of 18 times, more than any other Oscars’ host.

What does Bob Hope have to do with compliance? First, he was a comedian and second, he reinvented himself several times. The anniversary of his birthday reminded me of an article written by Carole Switzer, the co-founder and President of the Open Compliance and Ethics Group (OCEG), for Compliance Week Magazine entitled “Analyze This: The Value of Business Risk Assessments.” In her article, one in her continuing series of GRC Illustrated articles, Switzer says that anti-money laundering (AML) compliance programs, like therapy, are “difficult to define and relatively easy to avoid.” She quoted Larry David, co-creator of Seinfeld and creator of “Curb Your Enthusiasm”, for the following thought on therapy, “I know enough about myself now to know that I really don’t need to know anymore.” Unfortunately, as Switzer notes, many companies have the same problem when it comes to their AML programs.

Switzer discusses a recent report by the UK Financial Services Authority (FSA) which highlighted four general reasons that UK banks failed to have effective AML programs. The same four reasons hold true for non-banking sector US companies in the area of AML.

(a) Denial. The FSA reported that one-third of the banks “failed to review their business-risk assessment program on a regular basis. Additionally, about one-third of the companies scrutinized also failed to alter their risk assessments in response to new developments and insights, such as when allegations of major corruption were levied against a customer or when a country’s risk profile spiked due to regime change.”

(b) Grandiose delusions (imagine a bank with grandiose delusions!). The FSA found that too many “customer-facing ‘relationship managers’ could override customer risk scores produced by the risk-assessment program—without sufficient evidence to support the decision to disregard the score.”

(c) Borderline suspicious. Bank personnel did not understand how the AML risk assessment was generated and indicated that they were “confused” regarding what score indicated that a customer was a high risk.

(d) Avoidance coping. The FSA noted that institutions used “inappropriately low risk weightings for high-risk factors, ‘sometimes overtly’”; while “other banks chose to ignore well-known high-risk indicators and other adverse information from a variety of sources, ‘such as links to certain business activities commonly associated with higher levels of corruption.’”

Fortunately, Switzer laid out her thoughts on what an effective business risk assessment program should contain. From this risk assessment, you can identify where your company should focus its AML resources, determine how changes might affect your company, and see where your program may need enhancement. She is quite clear that without an effective risk assessment, “your AML program will be inefficient as well as ineffective.” She sets out five steps to take.

  1. Define the Risk. Switzer says that “At the forefront of any good business risk assessment program is an executive vision. The executive sponsorship must ask themselves difficult, critical questions.” This is largely because, while there are certainly known risks to a business, there are also risks you and your company may not be aware of, so it is important to define what you know but leave the definition flexible enough to cover the unknown when it becomes known to you. Switzer lists some of the questions that you might begin with, which include: What are the inherent risks in our current business? What controls do we have in place? How much risk, after the business risk assessment process is instituted, remains? Should we close business locations? Should we add additional controls? Should we put spending restrictions in place? Are other industries at the same level of risk?
  2. Gather Intelligence. In this step, after executive sponsorship has set the strategy in motion, you must gather intelligence to truly understand the exposure across the organization’s products, services, and customer base. The AML team should consult local business and compliance leaders to gain key insight. The specific steps include: (1) Develop the business risk assessment questionnaire. (2) Determine what controls are currently in place. (3) Review the external risk. (4) Understand the magnitude of each risk factor. (5) Gather and normalize all data for review.
  3. Review the Findings. Once a full business assessment has been conducted and all the data collected, a full analysis of the data is performed at multiple levels. The overall picture of risk is reported to business line, regional leaders, and enterprise leaders. Switzer’s specific steps include (1) Creation of full evaluation reports of all measured data. (2) Involve AML staff, regulators, and critical business leaders in your review. (3) Utilize external, unbiased consultation to determine product and service risk for remediation.
  4. Decide How to Proceed. Switzer advises that after you come to an understanding of your exposure and risk, your vision has been set, and you have gathered data and reviewed it, you can set a course to move ahead. However, she cautions that “continual review of the plan’s impact on the business, even at this stage, is critical.”
  5. Implement the Plan. At this final step, after your company has defined its strategy, determined, by measurement, the exposure to AML risk, understood and evaluated the areas of potential risk and then “determined a path to accept, resolve and eliminate, it’s time to go to work setting the plan into motion—however, just because you are now implementing doesn’t mean you can relax. Constant scrutiny, learned best practices, and ongoing monitoring are critical.”

Switzer concludes by stating that “Risk assessment programs must evolve quickly as risks and crimes do. Building in a good system of correction and monitoring that can flex with your organization is critical.” So just as Bob Hope reinvented himself as the tastes of society changed, your risk assessment should be a “living, breathing process.”


© Thomas R. Fox, 2013

May 19, 2013

The Drugstore Cowboy and Compliance

One does not have to look very far in the business world to come across the phrase “Know Your Customer.” A company certainly needs to know if an entity that it may sell products or provide services to will pay for those items. A Dun & Bradstreet credit check is routinely run to ascertain if a counter-party is a good credit risk. But how much more should a company do in regard to its customers? Clearly banks, other financial institutions and even casinos need to assess a customer from the perspective of anti-money laundering (AML). Is there a reason grounded in the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act that would suggest that customers should go through background scrutiny from the anti-bribery/anti-corruption compliance perspective?

I thought about internal controls regarding due diligence requirements on customers, effective compliance programs and third party validation of credentials when reading an article in the June issue of Wired Magazine, entitled “Drugstore Cowboy”, by Jake Pearson. I found this article to be a very cautionary tale for those companies which need to consider just whom they are doing business with or for. The story involved an undercover sting operation by the US government against Google. The operation involved a convicted felon, one David Whitaker, who convinced law enforcement authorities that Google had assisted him, in violation of its own internal protocols and US laws, to sell illegal “black market steroids and human growth hormones” online. Whitaker told federal officials that “Google employees had actively helped him advertise his business, even though he made no attempt to hide its illegal nature.” Based upon his experience, Whitaker believed that Google must be “helping other rogue Internet pharmacies too.”

On paper, it appeared from the article that Google had a system designed to ferret out sites which used words or had other indicia that they were selling illegal drugs. There was an initial screening by a Google sales representative. There was an automated program which searched for key words that might indicate illegal drugs were being sold. There was a review of the website itself to see if other factors were present which might show that illegal products were being sold. Finally, Google used a third party verification service to attest that any site selling pharmaceutical products was properly licensed.

Based upon Whitaker’s account of his experiences, the government set him up with an alias, fake company, bank account and phone lines and then monitored him to see if his claims were true. He was told to see if Google would actively assist him to sell advertising for a non-existent company called “SportsDrugs.net, a website that sold HGH and steroids from Mexico, with no doctor’s prescription.” The plan that Whitaker used was straightforward.

  1. Establish a fake identity. Whitaker made cold calls to representatives of Google to get set up as an account in the company’s system.
  2. Submit the site. The feds designed the sting operation so that it would be obvious the false company was selling illegal drugs. So it offered HGH and steroids, had pictures of the drugs and even had a ‘Buy Now’ button to make clear that no doctor’s prescription was required. The Google sales representative passed the fake sales site along for “policy review, an automated process that Google uses to vet all advertisers.”
  3. Scrub the site. After the fake sales company was initially rejected by the policy review process, a Google representative agreed to help “tweak it” so that it would pass through the Google approval process. The Google sales representative advised Whitaker to rename the site, remove the pictures of the illegal drugs and delete the ‘Buy Now’ button from the site.
  4. Rework the site. After the suggested changes were made by Whitaker, his fake site was approved by Google. Thereafter the items which had been removed from the website, including both the photos of illegal drugs and the ‘Buy Now’ button, were added back into the site, all with the assistance of the Google sales representative.
  5. Raise the stakes. In this phase, the undercover sting operation widened. After their initial success with SportsDrugs.net, the feds created other fake websites for Whitaker, all of which purported to sell illegal drugs. The other sites included one selling “RU-486, better known as the abortion pill, which is normally taken under close supervision of a doctor.” Another site sold the psychotropic drugs Xanax and Valium, both without any need of a doctor’s prescription. In a final example the feds created a ‘Trojan Horse’ site, in which a pharmacy site that held a valid license also had sales for “three clearly disreputable online pharmacies.”

The chilling thing I found in this article was its report that, in each one of the false scenarios, Whitaker explained to the Google representative the true nature and purpose of the site. All of the information that Whitaker conveyed made clear that these sites were designed to sell drugs which are illegal in the US, without a doctor’s prescription. In just over the span of three months, the undercover operation spent over $200,000 with Google.

Google ended up settling with the US government for a fine of $500 million. Although Pearson did not quote him, Peter Neronha, the US Assistant District Attorney who headed the investigation and enforcement action, was quoted as telling the Wall Street Journal (WSJ) that the “culpability went far higher than the sales reps that Whitaker worked with. Indeed, he said, some of the company’s most powerful executives were aware that illegal pharmacies were advertising on the site.” Google itself would not comment for the Pearson article.

From the account in the Pearson piece it would appear that Google had a system in place to check and make sure that it was not advertising sites which sold illegal drugs but that system, both human and automated, was worked around. For the anti-corruption compliance practitioner, I think that there are several key lessons which can be learned from this tale.

Train, Train, Train. If you sell services, which can be used to facilitate illegal conduct, you need to train your sales force to watch out for signs of that illegal activity. The initial Google sales representative who was contacted by Whitaker should have been the first line of prevention to stop the issue before it came up for the company.

Monitor, Monitor, Monitor. There should be several types of monitoring. If a business name comes through your system and it is rejected, there should be a monitoring mechanism in place to note if it reappears later or is approved through some other means, as was done in this situation. Similarly, if the name of a business owner comes up in connection with another company, there needs to be a mechanism in place to perform a cross check. The sales representatives should also be monitored to determine if they are manipulating the system.

Incentives, Incentives, Incentives. While not discussed in the Pearson article, what do you want to bet that the Google sales representatives were compensated, at least in part, with a commission based upon the number of GoogleAds that they sold? If your compensation structure or other incentive structure rewards people who use shortcuts, then there will always be employees who take them.

Audit, Audit, Audit. Remember the part of the story about how the Google sales representative would advise Whitaker how to scrub his website of key words, search terms and other information which would indicate that it was selling illegal pharmaceuticals only to reinsert those on the site after the scrubbed site had been approved? You need to audit to determine if any illegal conduct has begun after the contract is signed. And if you do not have audit rights, you have a very slim chance of actually performing an audit.


© Thomas R. Fox, 2013
