FCPA Compliance and Ethics Blog

September 2, 2014

Spin Sucks-Communications Tips for the Compliance Professional

Spin SucksOne of my favorite social media acquaintances is Gini Dietrich, the founder and Chief Executive Officer (CEO) of Arment Dietrich Inc. Not only does she bring one of the freshest voices to what might arguably be called ‘one of the world’s oldest professions’, that being Public Relations (PR) (she identified a 1800 BCE PR campaign), she is a top notch cyclist and an über Chicago Bears fan. Earlier this year she released her book Spin Sucks. While the book is obviously aimed at the PR, it provides a wealth of information, which the compliance professional can also use.

As you might guess from the title of the book, Gini believes that if you “Lie or spin the truth you will be found out,” and that folks will “take you to task” for doing so. More than just your reputation will suffer; you will lose the ability to have credibility going forward. Her thesis is that today, “while media strategy is an important part of a communications program, there are many other tactics used in a cohesive strategy: content, email marketing, social media, crisis and reputation management, events, social advertising, investor relations, lobbying, regulatory work, and more.” That sounds like a good prescription for a compliance practitioner to consider in the communication function of a best practices compliance program.

The book is broken down into 10 chapters and for the compliance professional, I want to focus on Chapter 7 – Your Customers Control the Brand. Here Dietrich focuses on a company’s customers because they, in many ways, hold or control the brand. And, as a company, your brand is really all you have. I think this is very true for the compliance practitioner and is not something which is discussed or recognized enough of the time. Dietrich provides seven points that she believes can help shape the perception of your brand. I have adapted them for the compliance professional.

  1. Be Vigilant. Dietrich says this issue warrants “Not just repeating your brand message over and over again, but in monitoring and listening to conversations happening online about you.” While a company may not have as many employees communicating about the compliance function online, the point is nonetheless well taken. You should listen to concerns about your compliance program. Listen through the hotline, at training sessions and any other time you get the chance. I like the way Gini puts it, “Harness that information [and] be vigilant about paying attention”.
  2. Be Honest. Yes your mother, and Gini’s mother, was right, Honesty is the Best Policy. Dietrich says, “Keep people updated. Communicate the ups and downs. When you’re honest about the issues, challenges, or concerns, there isn’t a story to tell. It might be painful at first, but the pain won’t last as long as it would if you lie or attempt to sweep the problem under the rug.” Think about General Motors and its attempts to hide the ignition switch problems, where would the company be if it had been honest about the problem?
  3. Be Open. Dietrich nails the issue on this point when she start off, “This one is so hard. It’s difficult for human beings to keep open minds about many things.” As a lawyer, I would say that can be exponentially true for my juris docum But at the end of the day, the compliance program is not the legal department; it is a function designed to prevent, detect and remediate problems, not just to say NO. Paraphrasing Dietrich, if you show a willingness to talk about issues, and even change your policies based on feedback, you’ll create the most loyal employees.
  4. Be Active. Here Dietrich focuses not on the busy work of being on all types of social media but using such mechanisms to engage your customer base. For the compliance professional first and foremost is to get out of the corporate office and into the field. Let people meet you, get to know you and listen to their concerns. Incorporate their ideas and feedback into your compliance program going forward.
  5. Be Consistent. Gini talks about consistency in messaging because “if you aren’t consistent, how can you expect your customers to know who you are?” For the compliance professional, I would submit that this prong anticipates issues broader than simply communications. I often discuss the Fair Process Doctrine and how that is so important in administering your compliance program. One of the keys to this doctrine is consistency. The consistency of your actions should follow the consistency of your message.
  6. Be Creative. I often say that lawyers and compliance professionals are only limited by their imaginations. This is certainly true in the field of media relations. Here Dietrich suggests tackling a problem head on. In the compliance arena it might mean using a compliance misstep as a lesson learned. For instance, after the Walmart corruption scandal was broken in the New York Times, many companies incorporated the examples that arose of what is and, more importantly, what is not a facilitation payment into their training.
  7. Be Proud. Dietrich states, “Once you figure out your vision-what you want to achieve, who you want to be when you grow up-post it everywhere.” She suggests several mechanisms to make employees proud of your brand and I would submit that you could also do this in the compliance arena. You can create plaques or recognition awards for employees who shine through in compliance. She ends this section with the following, “Be proud of what you are doing and don’t be afraid to tell the world about it.” This is another message that I do not think gets enough play by compliance professionals. We bring real value to our companies and our work is something to be proud of. It should be celebrated.

Dietrich writes in a conversational style that is easy to read and digest. I found her book had some great pointers about communication, which could be very helpful to the compliance practitioner, in addition to the media relation specialist. You can purchase a copy by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 29, 2014

I Hope You Can Join Me

Filed under: Best Practices,compliance programs,FCPA,Hiperos,Third parties — tfoxlaw @ 12:00 pm

I’d like to extend an invitation to an upcoming event: Hiperos will be hosting an Executive Briefing on Third Party Management – a half-day event that we are holding in various cities across the US.

By way of context: in recent months, our press has been filled with reports of companies whose revenues have been directly affected by a regulatory fine or whose reputation and brand equity has taken a hit. In every case, the culprit was one of the company’s third parties – an HVAC supplier causing a massive data breach, a contract manufacturer using child labor, a consultant bribing government officials – the list goes on and on.

These briefings have been organized for you to network with other executives from Fortune 1000 companies (including Hiperos customers) and to connect with peers who face the same third party management challenges as you.  You will also have an opportunity to hear from industry experts and practitioners who will present on specific aspects of third party management.

Agenda:

8:00 AM       Networking breakfast.

8:30 AM       Keynote sessions from industry experts including:

Linda Tuck-Chapman – until very recently the Chief Procurement Officer of Bank of Montreal – BMO

Tom Fox – renowned FCPA/bribery and corruption pundit/expert

Dr. Andrea Bonime-Blanc  – former chief ethics and compliance officer at Bertelsmann, Chair Emeritus of ECIA and CEO of GEC Risk Advisory LLC

10:00 AM     Use cases from Hiperos customers including: Ingram Micro, Charles Schwab, Discover Financial, Anadarko, AstraZeneca

11:30 AM     Third Party Management – The Future
Presentation from Doug Bergeron (CEO Opus Global) and Greg Dickinson (CEO Hiperos)

12:00 PM       Networking Lunch

1:00 PM         Adjourn

If you would like to attend, or for more information, click Here

Venue:

The Executive Briefings will be held in the following locations:

Tuesday, Sept 9th – Palo Alto, CA

Rosewood Sand Hill

2825 Sand Hill Rd

Menlo Park, CA 94025

Wednesday, Sept 10th – Chicago, IL

JW Marriott

151 W Adams St

Chicago, IL 60603

Thursday, Sept 11th – Houston, TX

Hotel Sorella

800 Sorella Court

Houston, TX 77024

Wednesday, Sept 17th – New York, NY

W Union Square

201 Park Ave S,

New York, NY 10003

Thursday, Sept 18th – Princeton, NJ

Princeton Marriott at Forrestal

100 Collage Road East

Princeton, NJ 08540

I will be participating in the Palo Alto, Houston and Princeton events I hope that you can join me at one of these upcoming events!

Extraordinary Rendition and Ripples From the Chinese Corruption Investigations

Extraordinary_Renditions_CvrAs many of you know, I am a recovering trial lawyer. So I was very interested when I received a book for review by Paul Batista, entitled Extraordinary Rendition. Not only is Batista a practicing trial lawyer specializing in federal criminal defense, he also authored one of the leading treatise on the federal racketeering statute, “Civil RICO Practice Manual,” first published in 1987 by John Wiley & Sons, and now in its third edition (Wolters Kluwer 2008).

I learned long ago that there are two basic story lines: Hero Takes A Trip and Stranger Comes To Town. They both are great formats and I enjoy them equally if the writing and story-telling is good. Extraordinary Rendition falls into camp one and I found it to be the journey of discovery of a nearly burned out trial lawyer, Byron Carlos Johnson, who comes to defend Ali Hussein, a Syrian national who had lived in the US for 10 years prior to 9/11 and was accused of being a banker for Al Qaeda. The story follows twists and turns of not only the trial but the various agents and agencies of the US Government as they try to derail Johnson and his attempts to defend Ali Hussein. While it certainly could be called a legal thriller, it is a rollicking good ride and I give my hardiest recommendation to anyone interested in the legal issues involved or a thriller about a man caught up in forces far beyond his control; yet does take control of what he can.

I thought about Batista’s book when I read a recent article in the Financial Times (FT), entitled “Beijing probe touches west’s cereal bowls” by Lucy Hornby. Her basic thesis was set out in the first line of her piece, “Never before have China’s domestic politics had such ramifications for global business.” She wrote about two tangible examples of what she termed the “ripple effects” of the Chinese anti-corruption investigation, which began in earnest last summer with the revelations of corruption by the UK pharmaceutical giant GlaxoSmithKline PLC (GSK).

Hornby reported on the Canadian company, Athabasca Oil Corporation, “the partner company for major Chinese investments in Canadian oil sands – fell 13 per cent this week. They are down 24 per cent since the beginning of April, when Athabasca announced PetroChina, a listed unit of CNPC, would buy the 40 per cent of the Dover oil sands project that it did not already own. Since then, two executives from PetroChina’s Canadian operations have fallen prey to the corruption purge – and the C$1.32bn (US$1.23bn) transfer payment has not been made.” But it has also reached the British breakfast table as Chinese authorities announced they were investigating the owner of the company that makes the breakfast staple Weetabix.

Business ventures in other countries such as Cambodia and Australia have been put off due to the Chinese corruption investigation. This has been because of both corrupt payments made to Chinese officials and in some cases corrupt payments alleged to have been made by Chinese officials. For instance in Cambodia a project that was mired in such problems that the primary funding partner, The World Bank, had suspended funding has now run into such problems that Standard Chartered may lose up to $250MM in funding which it provided. Further, Hornby reported that “In Australia last year, a A$1.4bn bid for Sundance Resources – which had proposed a $A5bn iron ore mine on the border of Cameroon and the Republic of Congo – collapsed after high-flying Chinese entrepreneur Liu Han abruptly vanished. Mr Liu had built his mining business by cultivating ties with Mr Zhou while the latter governed southwestern Sichuan province. He was sentenced to death in May for organised crime. His defence was that he was carrying out orders for unnamed “leaders”.”

Things are particularly difficult at PetroChina, a major investor in Canadian oil sands, because, as Hornby noted, “dozens of senior executives have been detained or questioned in the past year. Many, including the head of its Indonesian business, played key roles in its international projects.” However Hornby believes that “capital expenditure commitments by state-owned enterprises are likely to be honoured as the investigation continues, because China’s large and growing economy has a fundamental need for resources.”

Another large Chinese energy concern CNPC has also been hard hit by the corruption scandal. Attached, as a diagram, to Hornby’s article is a graphic that shows the extent of the company’s investments of the past 10 years or so. The graphic also notes that the company “has been hardest hit by the ongoing corruption purge, with dozens of senior executives detained or questioned.” The chart below shows the “ripple effects” of CNPC investment.

Country Investment Amount
Kazakhstan $12.7bn
Peru $2.6bn
Turkmenistan $1.2bn
Scotland $1bn
Ecuador $0.7bn
Australia $4.1bn
Canada $3.3bn
Syria $0.6bn
Mozambique $4.2bn

Hornby’s article touched on another area, which has significance for the Foreign Corrupt Practices Act (FCPA) practitioner, that beg the question of whether a state-owned enterprise is an instrumentality or in any other way covered by the FCPA? She wrote that “the unusually public nature of this corruption investigation has given outsiders a clearer insight into the way money and power have become entwined, and influence dealmaking, in today’s China.” She quoted Luke Patey, author of the book The New Kings of Crude, for the following, ““For years, Chinese national oil companies have fought hard against the label that they are political instruments of the Chinese government and Communist party. That political nature is now on full display.””

Hornby’s article demonstrates not only the pervasive nature of Chinese corruption but also how many countries such corruption may have effected. For those FCPA naysayers who argue that the law brings a competitive disadvantage to US companies, they should read her article to open their eyes. Many of these Chinese investments are now on hold with no hope of completion or even funding because of the domestic turmoil inside China over corruption. Companies and countries want a reliable business partner, starting with one which does not engage in bribery and corruption to obtain a contract and then onto a company which fulfills its contractual obligations. Think about that as a selling point the next time you are oversees.

And while you are traveling overseas, read a copy of Batista’s Extraordinary Rendition on the trip over. You can purchase a copy by clicking here or here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 28, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part III

7K0A0129Today, I conclude a three-part series on risk assessments in your Foreign Corrupt Practices Act (FCPA) or UK Bribery Act anti-corruption compliance program. I previously reviewed some of the risks that you need to assess and how you might go about assessing them. Today I want to consider some thoughts on how to use your risk assessment going forward.

Mike Volkov has advised that you should prepare a risk matrix detailing the specific risks you have identified and relevant mitigating controls. From this you can create a new control or prepare an enhanced control to remediate the gap between specific risk and control. Finally, through this risk matrix you should be able to assess relative remediation requirements.

A manner in which to put into practice some of Volkov’s suggestions was explored by Tammy Whitehouse, in an article entitled “Improving Risk Assessments and Audit Operations”. Her article focused on the how Timken Company, assesses and then evaluates the risks the company has assessed. Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan, she said. A variety of solutions and tools can be used to manage these risks going forward but the key step is to evaluate and rate these risks. 

LIKELIHOOD 

Likelihood Rating Assessment Evaluation Criteria
1 Almost Certain High likely, this event is expected to occur
2 Likely Strong possibility that an event will occur and there is sufficient historical incidence to support it
3 Possible Event may occur at some point, typically there is a history to support it
4 Unlikely Not expected but there’s a slight possibility that it may occur
5 Rare Highly unlikely, but may occur in unique circumstances

‘Likelihood’ factors to consider: The existence of controls, written policies and procedures designed to mitigate risk capable of leadership to recognize and prevent a compliance breakdown; Compliance failures or near misses; Training and awareness programs.

PRIORITY 

Priority Rating Assessment Evaluation Criteria
1-2 Severe Immediate action is required to address the risk, in addition to inclusion in training and education and audit and monitoring plans
3-4 High Should be proactively monitored and mitigated through inclusion in training and education and audit and monitoring plans
5-7 Significant
8-14 Moderate
15-1920-25 LowTrivial Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time.

Priority Rating: Product of ‘likelihood’ and significance ratings reflects the significance of particular risk universe. It is not a measure of compliance effectiveness or to compare efforts, controls or programs against peer groups.

At Timken, the most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit monitoring plan going forward. A variety of tools can be used, such as continuous controls monitoring with tools like those provided by Visual RiskIQ, a relationship-analysis based software such as Catelas or other analytical based tools. But you should not forget the human factor. At Timken, one of the methods used by the compliance group to manage such risk is by providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.

The key to the Timken approach is the action steps prescribed by their analysis. This is another way of saying that the risk assessment informs the compliance program, not vice versa. This is the method set forth by the DOJ in its FCPA Guidance and in the UK Bribery Act’s Adequate Procedures. I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the compliance arena. The model set forth by Timken certainly is a reasoned approach and can provide the articulation needed to explain which steps were taken.

In an article in Compliance Week Magazine, entitled, “Lessons on Risk Assessments from Winnie The Pooh” Jason Medford articulated that a key use of a risk assessment is to assist the internal audit function in developing their internal audit plan. He cited to the Institute of Internal Auditors (IIA) standard 2010.A1, which states “The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually.” He went on to note that “In order to have a truly integrated GRC capability it is necessary for internal auditors to work with other GRC professionals in their organization. They must align their annual audit plan with the organization’s objectives, strategies, and initiatives of the other GRC professionals. They must collaborate, coordinate, and align their audit activities with other GRC professionals to increase visibility, improve efficiency, accountability and collaboration.

Carol Saint, Vice President of Internal Audit for 7-Eleven, who was interview by OCEG President Carol Switzer for the same article said that “We start with a risk assessment, beginning with business units because this is how the organization has designed accountability.  We decompose business units into the processes and sub-processes they own and execute. We evaluate how sub-processes align to achievement of strategic objectives: How do they affect the company’s value drivers? Next, we map financial statement lines to the sub-processes to help prioritize from that lens. Finally, for each sub-process we consider specific risks that could hinder achievement of strategic objectives, as well as fraud risks, significant accounting estimates, benchmarking/ hot topics, and ERM risks. We created an “intensity rating” that measures how often a process/sub-process was mentioned in our stakeholder interviews as a risk to the company. And we also considered how cross-functional a process is so that the element of complexity—a risk accelerator—could help determine audit plan priorities. This year’s plan development process was quite intense, but I think we did a good job of creating a baseline so that future risk assessments are more efficient.”

I hope that you have found this series on risk assessments useful. If you have any questions or better yet would like me to work on a risk assessment for your organization, please contact me.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 26, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part I

7K0A0079Yesterday, I blogged about the Desktop Risk Assessment. I received so many comments and views about the post, I was inspired to put together a longer post on the topic of risk assessments more generally. Of course I got carried away so today, I will begin a three-part series on risk assessments. In today’s post I will review the legal and conceptual underpinnings of a risk assessment. Over the next couple of days, I will review the techniques you can use to perform a risk assessment and end with a discussion of what to do with the information that you have gleaned in a risk assessment for your compliance program going forward.

One cannot really say enough about risk assessments in the context of anti-corruption programs. Since at least 1999, in the Metcalf & Eddy enforcement action, the US Department of Justice (DOJ) has said that risk assessments that measure the likelihood and severity of possible Foreign Corrupt Practices Act (FCPA) violations identifies how you should direct your resources to manage these risks. The FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” The UK Bribery Act has a similar view. In Principal I of the Six Principals of an Adequate Compliance program, it states, “The commercial organisation regularly and comprehensively assesses the nature and extent of the risks relating to bribery to which it is exposed.” In other words, risk assessments have been around and even mandated for a long time and their use has not lessened in importance. The British have a way with words, even when discussing compliance, and Principal I of the Six Principals of an Adequate Compliance program says that your risk assessment should inform your compliance program.

Jonathan Marks, a partner in the firm of Crowe Horwath LLP, said the following about risk assessments in his 13-step FCPA Compliance Action Plan, “A comprehensive assessment of the potential bribery and corruption risks – both existing and emerging risks – associated with a company’s products and services, customers, third-party business partners, and geographic locations can serve as the basis for the compliance program. The risk assessment determines the areas at greatest risk for FCPA violations among all types of international business transactions and operations, the business culture of each country in which these activities occur, and the integrity and reputation of third parties engaged on behalf of the company.”

The simple reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face. Both the both the US Sentencing Guidelines, the UK Bribery Act’s Consultative Guidance list Risk Assessment as the initial step in creating an effective anti-corruption and anti-bribery program.

What Should You Assess?

In 2011, the DOJ concluded three FCPA enforcement actions which specified factors which a company should review when making a Risk Assessment. The three enforcement actions, involving the companies Alcatel-Lucent SA, Maxwell Technologies Inc. and Tyson Foods Inc. all had common areas that the DOJ indicated were FCPA compliance risk areas which should be evaluated for a minimum best practices FCPA compliance program. Both the Alcatel-Lucent and Maxwell Technologies Deferred Prosecution Agreements (DPAs) listed the seven following areas of risk to be assessed.

  1. Geography-where does your Company do business.
  2. Interaction with types and levels of Governments.
  3. Industrial Sector of Operations.
  4. Involvement with Joint Ventures.
  5. Licenses and Permits in Operations.
  6. Degree of Government Oversight.
  7. Volume and Importance of Goods and Personnel Going Through Customs and Immigration.

All of these factors were reiterated in the FCPA Guidance which stated, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.”

These factors provide guidance into some of the key areas that the DOJ apparently believes can put a company at higher FCPA risk. These factors supplement those listed in the UK Bribery Consultative Guidance states, “Risk Assessment – The commercial organization regularly and comprehensively assesses the nature and extent of the risks relating to bribery to which it is exposed.” The Guidance points towards several key risks which should be evaluated in this process. These risk areas include:

  1. Internal Risk – this could include deficiencies in
  • employee knowledge of a company’s business profile and understanding of associated bribery and corruption risks;
  • employee training or skills sets; and
  • the company’s compensation structure or lack of clarity in the policy on gifts, entertaining and travel expenses.
  1. Country risk – this type of risk could include:

(a) perceived high levels of corruption as highlighted by corruption league tables published by reputable Non-Governmental Organizations such as Transparency International;

(b) factors such as absence of anti-bribery legislation and implementation and a perceived lack of capacity of the government, media, local business community and civil society to effectively promote transparent procurement and investment policies; and

(c) a culture which does not punish those who seeks bribes or make other extortion attempts.

  1. Transaction Risk – this could entail items such as transactions involving charitable or political contributions, the obtaining of licenses and permits, public procurement, high value or projects with many contractors or involvement of intermediaries or agents.
  2. Partnership risks – this risk could include those involving foreign business partners located in higher-risk jurisdictions, associations with prominent public office holders, insufficient knowledge or transparency of third party processes and controls.

Another approach was detailed by David Lawler, in his book “Frequently Asked Questions in Anti-Bribery and Corruption”. He broke the risk areas to evaluate down into the following categories: (1) Company Risk, (2) Country Risk, (3) Sector Risk, (4) Transaction Risk and (5) Business Partnership Risk. He further detailed these categories as follows:

  1. Company Risk-Lawyer believes this is “only to be likely to be relevant when assessing a number of different companies – either when managing a portfolio of companies from the perspective of a head office of a conglomerate or private equity house.” High risk companies involve, some of the following characteristics:
  • Private companies with a close shareholder group;
  • Large, diverse and complex groups with a decentralized management structure;
  • An autocratic top management;
  • A previous history of compliance issues; and/or
  • Poor marketplace perception.
  1. Country Risk-this area involves countries which have a high reported level or perception of corruption, have failed to enact effective anti-corruption legislation and have a failure to be transparent in procurement and investment policies. Obviously the most recent, annual Transparency International Corruption Perceptions Index can be a good starting point. Other indices you might consider are the Worldwide Governance Indicators and the Global Integrity index.
  2. Sector Risk-these involve areas which require a significant amount of government licensing or permitting to do business in a country. It includes the usual suspects of:
  • Extractive industries;
  • Oil and gas services;
  • Large scale infrastructure areas;
  • Telecoms;
  • Pharmaceutical, medical device and health care;
  • Financial services.
  1. Transaction Risk-Lawyer says that this risk “first and foremost identifies and analyses the financial aspects of a payment or deal. This means that it is necessary to think about where your money is ending up”. Indicia of transaction risk include:
  • High reward projects;
  • Involve many contractor or other third party intermediaries; and/or
  • Do not appear to have a clear legitimate object.
  1. Business Partnership Risk-this prong recognizes that certain manners of doing business present more corruption risk than others. It may include:
  • Use of third party representatives in transactions with foreign government officials;
  • A number of consortium partners or joint ventures partners; and/or
  • Relationships with politically exposed persons (PEPs).

There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries into your risk analysis, it should be acceptable for your starting point.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 25, 2014

Trying Something Different – the Desktop Risk Assessment

IMG_0774How many among you out there are sushi fans? Conversely, how many out there consider the idea of eating raw fish right up there with going into to the dentist’s office for some long overdue remedial work? One’s love or distaste for sushi was used as an interesting metaphor for leadership in this week’s Corner Office section of the New York Times (NYT) by Adam Bryant, in an article entitled “Eat Your Sushi, and Expand Your Horizon”, where he profiled Julie Myers Wood, the Chief Executive Officer (CEO) of Guidepost Solutions, a security, compliance and risk management firm. Wood said her sushi experience relates to advice she gives college students now, “One thing I always say is “eat the sushi.” When I had just graduated from college, I went with my mom to Japan. We had a wonderful time, but I refused to eat the sushi. Later, when I moved to New York, I tried some sushi and loved it. The point is to be willing to try things that are unfamiliar.”

I thought about sushi and trying something different in the context of risk assessments recently. I think that most compliance practitioners understand the need for risk assessments. The FCPA Guidance could not have been clearer when it stated, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” Many compliance practitioners have difficulty getting their collective arms about what is required for a risk assessment and then how precisely to use it. The FCPA Guidance makes clear there is no ‘one size fits all’ for about anything in an effective compliance program.

One type of risk assessment can consist of a full-blown, worldwide exercise, where teams of lawyers and fiscal consultants travel around the globe, interviewing and auditing. However if there is one thing that I learned as a lawyer, which also applies to the compliance field, is that you are only limited by your imagination. So using the FCPA Guidance that ‘on one size fits all’ proscription, I would submit that is also true for risk assessments.

As with Wood’s admonition that you might want to try sushi even if you think you may not like it. I think that there are several different types of risk assessments that can be used to help to advance your compliance regime going forward. This means that if you do not have the time, resources or support to conduct a worldwide risk assessment annually, you can take a different approach. You might try assessing other areas annually through a more limited focused risk assessment, which a colleague of mine calls the Desktop Risk Assessment.

Some of the areas that such a Desktop Risk Assessment could inquire into might be the following:

  • Are resources adequate to sustain a culture of compliance?
  • How are the risks in the C-Suite and the Boardroom being addressed?
  • What are the FCPA risks related to the supply chain?
  • How is risk being examined and due diligence performed at the vendor/agent level? How is such risk being managed?
  • Is the documentation adequate to support the program for regulatory purposes?
  • Is culture, attitude (tone from the top), and knowledge measured? If yes, can we use the information enhance the program?
  • Disciplinary guidelines – Do they exist and has anyone been terminated or disciplined for a violating policy?
  • Communication of information and findings – Are escalation protocols appropriate?
  • What are the opportunities to improve compliance?

There are a variety of materials that you can review from or at a company that can facilitate such a Desktop Risk Assessment. You can review your company’s policies and written guidelines by reviewing anti-corruption compliance policies, guidelines, and procedures to ensure that compliance programs are tailored to address specific risks such as gifts, hospitality and entertainment, travel, political and charitable donations, and promotional activities.

You could assess your company’s senior management support for your compliance efforts through interviews of high-level personnel such as the Chief Compliance Officer (CCO), Chief Financial Officer (CFO), General Counsel (GC), Head of Sales, CEO and Board Audit or Compliance Committee members to assess “tone from the top”. You can examine resources dedicated to compliance and also seek to understand the compliance expectations that top management is communicating to its employee base. Finally, you can gauge operational responsibilities for compliance.

Such a review would lead to the next level of assessment, which would be generally labeled communications within an organization regarding compliance. You can do this by assessing compliance policy communication to company personnel but even more so by reviewing such materials as compliance training and certifications that employees might have in their files. If you did not yet do so, you should also take a look at statements by senior management regarding compliance, such as actions relating to terminating employees who do business in compliance but do not make their quarterly, semi-annual or annual numbers set in budget projections.

A key element of any best practices compliance program is internal and anonymous reporting. This means that you need to review mechanisms on reporting suspected compliance violations and then actions taken on any internal reports, including follow-ups to the reporting employees. You should also assess whether those employees who are seeking guidance on compliance for their day-to-day business dealings are receiving not only adequate but timely responses.

I do not think there is any dispute that third parties represent the highest risk to most companies under the FCPA, so a review of your due diligence program is certainly something that should be a part of any risk assessment. But more than simply a review of procedures for due diligence on third party intermediaries, you should also consider the compliance procedures in place for your company’s mergers and acquisitions (M&A) team; focusing on the pre-acquisition phase.

One area that I do not think gets enough play, whether in the FCPA Inc. commentary or in day-to-day practice is looking at what might be called employee commitment to your company’s compliance regime. So here you may want to review your compliance policies regarding employee incentives for compliance. But just as you look at the carrots to achieve compliance with your program, you should also look at the stick, in the form of disciplinary procedures for violations. This means you should see if there have been any disciplinary actions for employee compliance violations and then determine if such discipline has been applied uniformly. If you discipline top sales people in Brazil, you have to discipline your top sales folks in the US for the same or similar violations.

This list is not intended to be a complete list of items, you can pick and choose to form some type of Desktop Risk Assessment but hopefully you can see some of the things areas you can assess. In his article on Ms. Woods, Bryant quoted her for the following key trait she observed from successful leaders, “They were able to identify and focus on core things. When you go into an agency or a company, there are a million things you could fix. But you can’t fix everything, so you make a decision about your priorities, and then you act on them.” A Desktop Risk Assessment may well help you to do so.

If you aim to perform an annual Desktop Risk Assessment with a full worldwide risk assessment every two years or so, you should be in a good position to keep abreast of compliance issues that may change and need more or greater risk management. And do not forget the that the FCPA Guidance ends its section on risk with, “When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.” Finally, if you never have tried sushi, I urge you to do so as it not only tastes good but its good for you as well.

==============================================================================================================================================================================================================================================

On Tuesday, August 26th I will be co-presenting with Marie Patterson VP Marketing for Hiperos on a webinar focusing on GSK in China-One Year Later. I will review the continued saga of the GSK corruption investigation in China, the Humphreys’ and Wu convictions and what it means for your compliance program going forward. The event is free and begins at 1 PM EDT. I hope that you can join us. For details and Registration, click here.

==============================================================================================================================================================================================================================================

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 21, 2014

What Can You Do When Risk Changes in a Third Party Relationship?

RiskThe GlaxoSmithKline PLC (GSK) corruption matter in China continues to reverberate throughout the international business community, inside and outside China. The more I think about the related trial of Peter Humphrey and his wife, Yu Yingzeng for violating China’s privacy laws regarding their investigation of who filmed the head of GSK’s China unit head in flagrante delicto with his Chinese girlfriend, the more I ponder the issue of risk in the management of third parties under the Foreign Corrupt Practices Act (FCPA). In an article in the Wall Street Journal (WSJ), entitled “Chinese Case Lays Business Tripwires”, reporters James T. Areddy and Laurie Burkitt explored some of the problems brought about by the investigators convictions.

They quoted Manuel Maisog, chief China representative for the law firm Hunton & Williams LLP, who summed up the problem regarding background due diligence investigations as “How can I do that in China?” Maisog went on to say, “The verdict created new uncertainties for doing business in China since the case hinged on the couple’s admissions that they purchased personal information about Chinese citizens on behalf of clients. Companies in China may need to adjust how they assess future merger partners, supplier proposals or whether employees are involved in bribery.”

I had pondered what that meant for a company that wanted to do business in China, through some type of third party relationship, from a sales representative to distributor to a joint venture (JV). What if you cannot get such information? How can you still have a best practices compliance program around third parties representatives if you cannot get information such as ultimate beneficial ownership? At a recent SCCE event, I put that question to a Department of Justice (DOJ) representative. Paraphrasing his response, he said that companies still need to ask the question in a due diligence questionnaire or other format. What if a third party refuses to answer, citing some national law against disclosure? His response was that a company needs to very closely weigh the risk of doing business with a party that refuses to identify its ownership.

The more that I thought about that answer the more I became convinced that it was not only the right answer under any type of FCPA compliance program but also the right response from a business perspective. A company must know who it is doing business with, for a wide variety of reasons. The current situation in China and even the convictions of Humphrey and Yu do not change this basic premise. You can ask the question. If a party does not want to disclose its ownership, you should consider this in any business relationship going forward.

The Humphrey and Yu conviction do not prevent you from asking the question about ownership. Their convictions mean that you may not be able to verify that information through what many people thought was publicly available information, at least publicly available in the west. I was struck by one line in the Areddy and Burkitt article, “It’s not just that the tactical business practices need to change; it’s the mind set” quoting again from Maisog.

I breakdown the management of third parties under the FCPA into five steps, which are:

  1. Business Justification and Business Sponsor;
  2. Questionnaire to Third Party;
  3. Due Diligence on Third Party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

The due diligence step is but one of these five. Further due diligence is performed in large part to verify the information that you receive back from a proposed third party. So what if you can longer use avenues previously open to you in markets such as China? Perhaps there are other ways to manage this issue. Areddy and Burkitt also interviewed Jerry Ling, a partner at Jones Day, for the following “companies will need to analyze Chinese accounting documents themselves and conduct more in-person interviews with anyone they want to know more about in China.”

Ling’s point dovetails directly into what I heard from the DOJ representative. There is nothing about the Chinese law, or any other country’s law, which prevents you from asking some basic questions that are found in the Step 2 Questionnaire cited above. You can always ask who the owners of a company are, whether they are direct or beneficial. You can always ask if a company, its owners or its senior management have been involved in any incidents involving bribery and corruption and you can always ask if the company has a Code of Conduct and/or compliance program and whether its owners or senior management are aware of the FCPA and have had training on it.

Assuming the company will answer your questionnaire, the difficulty you may find yourself in now is verifying the information that you receive. In Ronald Reagan parlance, you may trust but you may not be able to verify it. Ling said in the WSJ article that “The challenge now for clients is that it’s hard to get good information.”

However, due diligence is but one step in the management of any third party in a FCPA compliance program. Just as when risk goes up and you increase your management around that risk, the situation is similar in here. Putting it another way, if you cannot obtain private information such as personal identification numbers during the due diligence process, you can put greater management around the other steps that you can take. Further, there has been nothing reported which would suggest that publicly filed corporate licenses or other information that might show ownership can no longer be accessed. Court records and public media searches also seem to still be available.

But what if you simply cannot determine if the information you are provided regarding ownership is accurate or even truthful? You can still work to manage the relationship through your commercial terms by setting your commission or other pay rates at a reasonable amount of scale. If you are dealing with a commissioned sales representative, you can probably manage this area of the relationship by setting the commission in the range of 5%. You can also manage the relationship by reviewing invoices to make sure there is an adequate description of the services provided so that they justify whatever compensation the third party is entitled to receive under the contract. You may also want to schedule such a third party for an audit ahead of other parties to help ensure adherence to your compliance terms and conditions.

There may be times when you cannot verify the true or ultimate beneficial owner of a third party. That does not have to be the end of the analysis. If that situation arises, you may want to see if there are other risk mitigation tools at your disposal. Put another way, if such a red flag arises, can it be cleared? Can it be managed? If your company is looking a major deal for multi-millions and your agent will receive a six or seven figure commission, the risk of not knowing with certainty may be too great because in such a case, an unknown owner could be a government official who has awarded the contract. But if your agent receives a considerably smaller commission and hence there is a considerably small amount of money to constitute a bribe, you may be able to manage that risk through a close and effective relationship management process.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 20, 2014

Voyager II Launches and The FCPA Professor’s New Book

The Foreign Corrupt Practices Act In A New EraMany readers of this blog will recall that the Foreign Corrupt Practices Act (FCPA) is 37 years old this year. Perhaps less might remember that also 37 years ago, NASA launched Voyager II, which was an unmanned spacecraft. It was the first of two such crafts to be launched that year on a “Grand Tour” of the outer planets, organized to coincide with a rare alignment of Jupiter, Saturn, Uranus and Neptune. Aboard Voyager II was a 12-inch copper phonograph record called “Sounds of Earth.” Intended as a kind of introductory time capsule, the record included greetings in 60 languages and scientific information about Earth and the human race, along with classical, jazz and rock ‘n’ roll music, nature sounds like thunder and surf, and recorded messages from then President Jimmy Carter and other world leaders. Being good engineers, NASA conveniently included instructions on how to play the record, with a cartridge and needle provided.

In light of the age of the FCPA and our celebration of reaching for the stars, today I wanted to celebrate a volume from one of the FCPA’s most prolific commentators, Mike Koehler, the FCPA Professor. The author of numerous legal and scholarly articles and his eponymous daily blog, The FCPA Professor, he joined the thin ranks of those authors with hard bound volumes concerning the FCPA with his edition, The Foreign Corrupt Practices Act In A New Era.

As you would expect from the FCPA Professor he has lengthy sections on the genesis of the FCPA and its legislative history; general legal principals as they relate to FCPA enforcement and interpretation as well as the specifics of the text of the FCPA itself; and a review of enforcement actions. He also gives his insights as to why there was such an explosion of FCPA enforcements, beginning in 2004 and continuing right up until the present. He provides some pointers on FCPA compliance programs and ends the book with a discussion of FCPA reform. Of course, as you would expect from the FCPA Professor, the entire work is chocked full of quotations, citations and endnotes.

I would like to highlight some of my favorite discussions in the book. In Chapter 5 entitled FCPA Enforcement, he identifies “Three Buckets” of FCPA financial exposure. They are “(i) pre-enforcement actions professional fees and expenses; (ii) fine, penalty and disgorgement amounts in an actual FCPA enforcement action; and (iii) post-enforcement action professional fees and expenses.” With this tripartite description he lays out what a company might reasonably expect if it finds itself embroiled in an FCPA investigation and enforcement action. The message I got from this Chapter was that you had better have a strong compliance program in place because it is going to be a long hard and costly slog going forward if you don’t.

In Chapter 6, entitled Reasons for the increase in FCPA enforcement, The Professor sets out his thoughts on why there has been such an explosion of growth in FCPA enforcement. While both the use of Non-Prosecution Agreements (NPAs) and Deferred Prosecution Agreements (DPAs) are noted along with the passage and implementation of Sarbanes-Oxley (SOX); there are other reasons cited in the section entitled (appropriately enough) ‘Provocative Reasons’. These include that FCPA enforcement is “lucrative for the US government”; “the emergence and rapid rise of a lucrative industry called FCPA Inc.” (full disclosure – I am a card carrying member of FCPA Inc.); and the revolving door of lawyers who go into government service, enforce the FCPA and then leave government service to defend clients under government scrutiny for FCPA issue.

As the ‘Nuts and Bolts’ guy, I was very interested in Chapter 8, entitled FCPA Compliance and best practice. Fortunately he left some room for folks like me to go into the weeds of a compliance program but he did state, “While FCPA risk cannot be eliminated, it can be effectively managed and minimized when doing business in the global marketplace, and one positive result of the increase in FCPA enforcement in this new era has been the related increase in ‘soft’ enforcement of the FCPA through compliance policies and procedures.” He went on to define ‘soft enforcement’ as “a law’s ability to facilitate self-policing and compliance to a greater degree than can be accomplished through ‘hard’ enforcement alone. This was music to my ears. He also gave some practical approaches to implementing or enhancing your compliance program that I found to be quite useful for the compliance practitioner.

The Professor ends his book with a renewed call for FCPA reform. While he recognizes that, post Walmart, the impetus in Washington for amending the FCPA has all but died out; he does lay out all his reasons for the creation of a compliance defense amendment to the FCPA. Another cornerstone of his call for reform is to abolish NPAs and DPAs from the Department of Justice’s (DOJs) prosecutorial arsenal. Both of these issues bear serious weight and scrutiny and the FCPA Professor lays out his thoughts on each. Whatever your position on these issues is, you need to read up on what the Professor has to say to fully form your own internal debate.

As I have often remarked about the FCPA Professor, you may disagree with him but your FCPA knowledge and experience will be enriched by reading anything he puts out there for the rest of us to consume. However, after the publication of this book, I will have to add that it should become one of the standard texts for any FCPA compliance practitioner, law student studying the FCPA or anyone else interested in anti-bribery and anti-corruption. It should be on your FCPA library bookshelf. It certainly now sits proudly on mine.

You can purchase a copy of The Foreign Corrupt Practices Act In A New Era by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 18, 2014

How Can Global Corporations Afford (or Afford Not) To Employ Professional Language Solution Providers

Jay RosenEd Note-I recently asked Jay Rosen, Vice President, Language Solutions at Merrill Brink International, if he could help me understand how to think through the the hiring of a language service provider. He graciously wrote the following post.

It seems like a daily occurrence that news organizations and blogs (this one included) report that global corporation XYZ, Inc. has run afoul of FCPA statutes somewhere in the world. The next few paragraphs will recount the jurisdiction where the alleged infraction has occurred and if known at this juncture, the details of the bribery scheme. At this point, if you are well read on this subject, the rest of the article plays out by rote.

Let’s hit the pause button and rewind this story to the beginning. How did XYZ, Inc. get into this position and what steps could have been taken to better communicate the Company’s ethics and compliance policies and procedures to its global employee base? While this would certainly not prevent a rogue employee(s) from committing these alleged infractions, professionally translated and localized ethics and compliance communications provide a proactive solution to insulate global companies from similar situations.

The question of whether or not to engage a professional Language Solutions Provider (LSP), read translation company, usually is driven by the following factors:

  • Cost/Quality
  • Confidentially
  • Change
  1. If I can afford an LSP, how do I choose among the ones out there for quality?

The first thing to cover here is how are translations priced?

Translations are completed on an outsourced basis by professionally educated, qualified, and selected linguistic resources. It is important to note that the industry standard is to bill on a per word basis (e.g. X number of words at Y cents per word). This pricing model will become glaringly apparent when Corporations look at alternative methods to translate documents in-house with an eye to saving money.

Proposed Internal Translation Solutions

Here are several ideas that are usually considered in lieu of engaging professional translation resources:

  • Becky down the hall speaks French
  • We can use someone in our Paris Office
  • The Forensic accountant working with us in Beijing

On first blush the three suggestions above all seem like good ideas that will potentially save money and lead to quality results. Unfortunately these three courses of action fall short by:

  • Not providing the necessary quality ensured by professional translation resources
  • End up costing the client both opportunity costs and greater total translation costs and
  • Do nothing to mitigate the risk of not having an independent outsourced LSP translating (and certifying) your documents (if necessary).

Becky down the hall speaks French

Although Becky does speak French, she has other duties in the organization that must be put aside for her to work on translating documents. Should this project take 3 – 4 hours and if Becky has a bill rate of $400/hour, this solution ends up wasting precious time and costing the end client ~ $1,600 instead of the a few hundred dollars to professionally produce an accurate translation.

We can use someone in our Paris office

As in the example above, this option also creates lost opportunity cost and further taxes billable resources in another time zone. This would require the company to utilize internal resources and having to deal with colleagues not under their direct local control and working in various global markets.

The forensic accountant working with us in Beijing

In this case, we have someone working far out of their core expertise and comfort zone – forensics – and having to wear the hat of a professional translator. Price also comes into play as these forensic resources start billing around $250/hour and could be higher.

Bottom line, what initially appears to be a viable and cost effective solution, ends up sacrificing quality, escalating costs and potentially increasing risk by internally generating substandard translations.

  1. If I use an LSP, how do I ensure confidentiality of the information contained in my documents? 

Confidentiality, especially in the FCPA arena, is a valid concern and must be considered when engaging a qualified LSP. Professional LSPs will require their linguists to sign a Confidentiality or Non-Disclosure Agreement. This agreement will be on file with the LSP and a copy of the agreement can easily be shared.

In terms of global data privacy restrictions, it is good to discuss this in advance with the LSP and depending on what jurisdiction your matter is based in, evaluate the LSP’s experience and comfort level in handling data privacy concerns.

In terms of looking at the individual linguists, a professional LSP will hire translators with the following credentials:

  • Minimum 4 year college degree
  • Subject Matter Expertise (SME)
  • Additional testing by the LSP

These three areas serve to validate the choice of an independent LSP as the translators employed will meet the minimum of a 4 year degree and quite often will have post-graduate or professional degrees such as JD’s or PhD’s. Furthermore, LSPs can provide Subject Matter Experts (SMEs) with specific sector knowledge such as IP/patents, cross-border litigation or FCPA, ethics and compliance experience. Finally the additional testing required by LSPs ensures that clients are receiving top-notch and best of breed translation solutions.

  1. How do I risk disrupting the status quo to change my current translation/localization workflow?

So far we have covered two out of three issues to consider in the choice of whether or not to engage an outsourced LSP.

  • Cost/Quality
  • Confidentiality

And finally we will look at another “C” – Change. While this may not initially be perceived as an important factor, this often affects whether an organization decides to employ an outsourced LSP. From a global perspective it is imperative that a Code of Business Conduct and a Company’s policies and procedures are accurately translated from the English source document to the multiple localized versions for global employees.

If in the past this decision has been left to local in-country resources, it may have unintentionally altered or subverted the meaning of the source English language policies and could have potentially created confusion as to the meaning and global reach of a Company’s business policies.

Additional pushback may emanate from current in-country LSPs who have provided these services in the past.   While it makes sense to encourage local buy-in to your Company’s policies and procedures, this can be ensured by asking local ethics and compliance leaders to participate in the translation review process.

By carefully considering cost/quality, confidentiality and change, a global organization can properly assess the impact that hiring a qualified LSP will have on their risk exposure and better position such organizations to quickly react to a changing global investigative and regulatory environment.

Jay Rosen (jay.rosen@merrillcorp.com) is a Vice President, Language Solutions at Merrill Brink International, based in Los Angeles. For further information, please see his article on Translation considerations for global internal investigations, ethics and compliance matters.

August 15, 2014

Lauren Bacall Whistling or How to Structure Customer Due Diligence

BacallYesterday we honored Robin Williams whom we lost earlier this week. Today we honor Lauren Bacall. She will always be a part of that great team of Bogey and Bacall. Most of us were introduced to her in the movie To Have and Have Not. I thought she was one of the most sultry and sexy icons of the 40s screen sirens. As Manohla Dargis wrote in her article for the New York Times (NYT) entitled, “That Voice and the Woman Attached,” that “When she opened her mouth in “To Have and Have Not” — taking a long drag on a cigarette while locking Humphrey Bogart in her gaze — she staked a claim on the screen and made an immortal Hollywood debut. But in 1944 at the exquisitely tender age of 19, she was also projecting an indelible screen persona: that of the tough, quick-witted American woman who could fight the good fight alongside her man.” She later married Bogart and together they were certainly Hollywood, if not American royalty, going forward. And she probably did more for the art of whistling than any person on Earth.

Yesterday I wrote about the Foreign Corrupt Practices Act (FCPA) investigation into certain transactions in Venezuela by Derwick Associates (Derwick) and a US company ProEnergy Services (ProEnergy). ProEnergy supplied turbines that Derwick resold to the Venezuelan government and then installed in that country. I wondered if US companies now need to become more concerned with not only who they do business with but how their customers might be doing business. In the parlance, you may now need to ramp up your ‘Know Your Customer’ information to continue throughout a seller-purchaser relationship.

Doug Cornelius, in a post on his Compliance Building blog, entitled “Proposed Regulations on Customer Due Diligence”, discussed “The U.S. Treasury Department’s Financial Crimes Enforcement Network has proposed revisions to its customer due diligence rules. Of course, the proposed rule would affect financial institutions that are currently subject to FinCEN’s customer identification program requirement: banks, brokers-dealers, and mutual funds.” While, investment advisers and private fund managers are not specifically mentioned in the proposed new regulation, Cornelius noted, “FinCEN suggested that it may be considering expanding these customer due diligence requirements to other types of financial institutions.” In other words, this new proposed regulation would not be directly applicable to a large number of US commercial enterprises doing business outside the United States.

However, the proposed regulation did provide some insight into how US companies, not otherwise subject to it, might think about ways to approach such an inquiry. Referencing an inquiry into anti-money laundering issues (AML) Cornelius wrote that AML programs should have four elements:

  1. Identify and verify the identity of customers;
  2. Identify and verify the identity of beneficial owners of legal entity customers;
  3. Understand the nature and purpose of customer relationships; and
  4. Conduct ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions.

Clearly any FCPA based due diligence would focus on point 2. Cornelius zeroed in on it when he wrote “The definition of “beneficial owner” is proposed as have two prongs”:

  • Ownership Prong: each individual who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25% or more of the equity interests of a legal entity customer, and
  • Control Prong: An individual with significant responsibility to control, manage, or direct a legal entity customer, including an executive officer or senior manager (g., a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, or Treasurer); or (ii) any other individual who regularly performs similar functions.

He also noted, “For identifying ownership of an entity, FinCEN has proposed a form of certification.” But he found such a “certification to be overly simplistic. It only asks for individuals with ownership in the entity. This would clearly miss ownership of the account holder by other entities who could be “bad guys.” The certification also only requires one senior officer.  That makes it too easy to appoint a straw man as executive officer to hide the underlying control by a “bad guy.”” But the FinCen proposed notice itself states “these existing core requirements are already laid out in the BSA [Bank Secrecy Act] as minimum requirements”.

I was equally interested in points 3 and 4. Under point 3, an entity subject to the regulation needs to “Understand the nature and purpose of customer relationships”. The proposed regulation further explained “to gain an understanding of a customer in order to assess the risk associated with that customer to help inform when the customer’s activity might be considered “suspicious.”” Such an inquiry could help a business to “understand the relationship for purposes of identifying transactions in which the customer would not normally be expected to engage. Identifying such transactions is a critical and necessary aspect of complying with the existing requirement to report suspicious activity and maintain an effective AML (or anti-corruption compliance) program.”

The final point 4 relates to ongoing monitoring. Once again consider the position of the US Company, ProEnergy, in the referenced FCPA investigation. What can or should it have done in the way of ongoing monitoring of its customer. The proposed regulation states “industry practice generally involves using activity data to inform what types of transactions might be considered “normal” or “suspicious.”

Furthermore, FinCEN understands that information that might result from monitoring could be relevant to the assessment of risk posed by a particular customer. The proposed requirement to update a customer’s profile as a result of ongoing monitoring (including obtaining beneficial ownership information for existing customers on a risk basis), is different and distinct from a categorical requirement to update or refresh the information received from the customer at the outset of the account relationship at prescribed periods”. Lastly the proposed regulation states, “Finally, as noted above with respect to the obligation to understand the nature and purpose of customer relationships, monitoring is also a necessary element of detecting and reporting suspicious activities”.

There does not have to be a direct bribe or other corrupt payment made by a US company to have liability under the FCPA. FCPA enforcement is littered with companies that have paid bribes through third parties. However, as the Fifth Circuit said in Kay v. US, “[W]e hold that Congress intended for the FCPA to apply broadly to payments intended to assist the payor, either directly or indirectly,” [emphasis mine]. ProEnergy would seem to be at the far edge of potential FCPA liability but if it knew, had reason to know, or even perhaps should have known about some nefarious conduct by its customer, it does not take too many steps to get to some FCPA exposure. The proposed FinCEN rules on customer due diligence for financial institutions might be a good starting point for other commercial entities to consider.

If all of the above is a bit too heavy for a Friday, well view this clip on how to whistle by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 4,602 other followers