FCPA Compliance and Ethics Blog

August 14, 2014

Na-Nu Na-Nu – Final Report to Ork From Mork – Information from FCPA Inquiries

Mork from OrkEd. Note: Na-Nu Na-Nu. We interrupt our daily blog post to provide this final report to the Planet Ork. Na-Nu Na-Nu 

To say that the American culture lost two prime cultural champions this week would be an understatement. The effect that Robin Williams and Lauren Bacall had on a variety of areas in this country probably cannot be measured. Over the next two blogs I will honor each of these larger than life personas and try to examine how they may impact your Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption program. Today Robin Williams; tomorrow Lauren Bacall.

Where does one begin or even end with Robin Williams? His early work in standup comedy; his sitcom television performances; to his many guest appearances on TV variety shows; his incredible movie career – both live and animated; or even his well-known and very public struggles with substance abuse and depression. He was one incredible body of work. For almost any American who grew up in the 70s, we were introduced to Williams in the sitcom Mork and Mindy. His role as an alien allowed him to rift and comment on many human foibles. This was most thoroughly on display at the end of every episode when, in character as Mork, he would report back to his home planet of Ork on some aspect of terran culture. (Na-Nu Na-Nu)

This weekly communication informed both his home planet and us here on Planet Earth about ‘social norms’. I considered this form of communication when I read a recent article in the Wall Street Journal (WSJ), entitled “Venezuelan Firm Is Probed In U.S.”, by José De Córdoba and Christopher M. Matthews. They reported on a Venezuelan company, Derwick Associates (Derwick), who are under investigation by the Department of Justice (DOJ) and Manhattan District Attorney’s office. Derwick was reported to have been “awarded hundreds of millions of dollars in contracts in little more than a year to build power plants in Venezuela, shortly before the country’s power grid began to sputter in 2009”. Also under investigation is a Missouri based engineering, procurement and construction company, ProEnergy Services (ProEnergy), “that sold dozens of turbines to Derwick and helped build the plants”. The article reported that the DOJ’s “criminal fraud section are reviewing actions of Derwick and ProEnergy for possible violations of the Foreign Corrupt Practices Act”.

The article noted that this issue might have come to the attention of the DOJ and Manhattan DA through a lawyer at Derwick who voluntarily contacted federal prosecutors last year. Although it was not clear from the WSJ article if it was related to or even played a part in instigating the FCPA investigation, was information that Otto Reich, “the top State Department official for Latin America during the Administration of President George W. Bush, had filed a federal court lawsuit in 2013, alleging among other things that “Derwick and the company’s owners, among others, obtained contracts to build power stations in return for paying multimillion dollar bribes to senior Venezuelan officials.””

At least one of the basis of regulatory scrutiny was funding of a bribery scheme through overcharging for goods and services. The article reported “Federal prosecutors are scrutinizing the difference been prices ProEnergy charged Derwick for its equipment and the prices Derwick charged the Venezuelan government, a person familiar with the matter said. The person said that in some past FCPA cases, excessive margins were used to conceal bribes to pay foreign officials.”

Derwick, in a statement from its President Alejandro Betancourt, which was provided by its lawyer Adam Kaufmann, said, “Neither Derwick nor its principals have been contacted by any U.S. law enforcement agency.” Clearly this begs the question of whether the company has been contacted by any representatives of the US government who are not from a “law enforcement agency”. In a statement from ProEnergy, it declined to comment on any investigation.

Consider some of the information from this WSJ article. First is how did this case come to the attention of the DOJ? About all that can be said from the article is that Derwick did not self-disclose to the DOJ. However, given the relationship between the government of Venezuela and the US, is it really a surprise that large commercial transactions by US entities into Venezuela are scrutinized by the US government? Did the investigation come about from a whistleblower, i.e. the lawyer for Derwick? If yes, what is the legal obligation of lawyer to his or her client? What if the lawyer sees, observes or even inadvertently stumbles upon criminal activity? What if the lawyer removes documentation, which the lawyer believes demonstrates evidence of a crime?

I was also very intrigued by the information about investigators looking into pricing margins as indicia of corruption. One of the more increasing areas of FCPA scrutiny has been that of commission rates. This is because under circumstances, a high or unusual commission rate can be indicia of monies which are available by a third party, paid via commission, to use as a pot of money to pay bribes to foreign officials. If your typical commission is 5% or you have a range of 5% to 10%, but provide one third party a commission rate of 15%, this may be evidence that the unusual amount is being used as a mechanism to fund bribes.

However, simply focusing on the commission rate alone is too facile an inquiry. Even a commission rate below 5% can create quite an amount of money if the sales price is sufficiently high. In the energy industry, large service contracts or construction contracts can be huge, i.e. in excess of $1bn, and five percent of such an amount is a very large sum of money. It is, therefore, not unusual that in some contracts, the percentage commission will decrease with an increased contract price. The point is there is no one right or wrong commission rate. It will be a fact intensive inquiry.

Borrowing from a noted compliance practitioner, William Athanas, who has suggested an appropriate inquiry along the lines of the following: Where the third party requests a commission above the standard range, the policy should require a legitimate justification. Evaluating and endorsing such a justification requires three steps: (1) relevant information about the contemplated increased commission must be captured and memorialized; (2) requests for increased commissions should be evaluated in a streamlined fashion, with tiered levels of approval (higher commissions require higher ranking official approval); and (3) increased commissions are then tracked, along with the requests and authorizations, in order to facilitate auditing, testing and benchmarking. The point is there needs to be a well thought-out protocol, which is followed and well documented through the entire process.

Another insight that I gleaned from the WSJ article comes from the seller/customer relationship between Derwick and ProEnergy. ProEnergy is reported to have sold turbines to Derwick and have assisted in constructing the power plants. When your company sells a product to a customer, a compliance practitioner typically does not become involved in the negotiations over final pricing between your company’s customer and the end-user. ProEnergy may not have been concerned with the final pricing that Derwick charged their customer, the Venezuelan government. Indeed, the compliance function may not be involved with the commercial pricing between your company and its direct purchaser. This article may require you to change this posture. Was ProEnergy asked to reduce its price to Derwick so that Derwick could mark the price up enough to the Venezuelan government to create a pool of money that could be used to pay bribes? What if ProEnergy received its full listed price book rate but then Derwick charged a premium to the Venezuelan government?

Finally, what about risk? The WSJ article reported that Derwick’s President said “the company’s margins [with the Venezuelan government] were consistent with general industry practice and reflected the high financial risk taken on during a difficult time to do business in Venezuela.” If your company has a business opportunity that presents a high financial reward, is it necessarily because there is some high risk involved? That risk can be risk of getting paid, bringing the project in on time and within budget, political risk, weather-related risk or almost any other type of risk, but that risk might also be a corruption risk. While the WSJ article does not report on the size of the US Company involved in the inquiry, ProEnergy, it would seem that its commercial relationship with Derwick generated a large amount of income for the company. If your company has one of its largest contracts for work overseas, should there be compliance function review and scrutiny of the risks involved?

Are these inquiries that a compliance practitioner now needs to make? If so, how does a Chief Compliance Officer (CCO) make such an inquiries? I think Donna Boehme would say that it all begins with the compliance function ‘having a seat at the senior management table’ so that the CCO or compliance practitioner can be aware when some unusual business opportunity arises. Questions, questions, and more questions.

Na-Nu Na-Nu – this is the final report to Ork from Planet Earth. Na-Nu Na-Nu 

For a viewing of one of Mork’s reports to his home planet Ork, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 13, 2014

Thinking Through Risk Rankings of Third Parties

7K0A0014-2One question often posed to me is how to think through some of the relationships a company has with its various third parties in order to reasonably risk rank them. Initially I would break this down into sales and supply chain to begin any such analysis. Anecdotally, it is said that over 95% of all Foreign Corrupt Practices Act (FCPA) enforcement actions involve third parties so this is one area where companies need to put some thoughtful consideration. However, the key is that if you employ a “check-the-box” approach it may not only be inefficient but more importantly, ineffective. The reason for this is because each compliance program should be tailored to an organization’s specific needs, risks and challenges. The information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company, generally, to prevent violations, detect those that do occur, and remediate them promptly and appropriately.

Sales Side

I tend to view things in a straightforward manner when it comes to representatives on the sales side of your business. I believe that third party representatives you might have, whatever you might call them, i.e. sales reps, sales agents, sales agents, commissioned sales agents, or anything else, are high risk and therefore they should receive your highest level of scrutiny. This is also true with any party that might be called, charitably or not, ‘a partner’ whether that is a joint venture (JV) partner, plain old partner, Teaming Partner or another monickered ‘partner’. However, under this approach you should also consider the perception of corruption in the geographic area that you will use the third party. I recognize that you can overlay a financial threshold but the reality is that if a sales representative generates such a small amount of money for your business you probably do not need them as representative.

At least with distributors, I have seen merit in more sophisticated approaches such as that set out by David Simon, a partner at Foley & Lardner LLP, who advocates a risk analysis should more appropriately based on the nature of a company’s relationships with their distributors. The goal should be to determine which distributors are the most likely to qualify as agents; for whose acts the company would likely to be held responsible.  He argues that it is a continuum of risk; that is, on the low-risk end are distributors that are really nothing more than re-sellers with little actual affiliation with the supplier company. On the high-risk end are distributors who are very closely tied to the supplier company, who effectively represent the company in the market and end up looking more like a quasi-subsidiary than a customer.

Simon looks at agency principles to guide his analysis of whether a distributor qualifies as an agent for FCPA purposes. He argues that factors to consider include:

  • The volume of sales made to the distributor;
  • The percentage of total sales of the distributor’s total business the principal’s product represents;
  • Whether the distributor represents the principal in the market, including whether it can (and does) use the company trademarks and logos in its business; and

Whether the principal company is involved in the running of the distributor’s business (such as by training the distributor’s sales agents, imposing performance goals and objectives, or providing reimbursement for sales activity).

Once a company segregates out the high-risk distributors that likely qualify as agents and potentially subject the company to FCPA liability from those that are mere re-sellers and pose less FCPA risk, FCPA compliance procedures can be tailored appropriately. For those distributors that qualify as “agents” and also pose FCPA risk, full FCPA due diligence, certifications, training and contract language are imperative. For those that do not, more limited compliance measures that reflect the risk-adjusted potential liability are perfectly appropriate.

Supply Chain

This determination of the level of due diligence and categorization of a supplier should depend on a variety of factors, including, but not limited to, whether the supplier is (1) located, or will operate, in a high risk country; (2) associated with, or recommended or required by, a government official or his or her representative; (3) currently under investigation, the subject of criminal charges, or was recently convicted of criminal violations, including any form of corruption; (4) a multinational publicly traded corporation with a recognized exemplary system of compliance and internal controls, that has not been recently investigated or convicted of any corruption offense or that has taken appropriate corrective action to remedy such conduct; or (5) a provider of widely available services and products that are not industry specific, are offered to the public at large and do not fall under the definition of Minimal-Risk Supplier detailed below.

A High-Risk Supplier is an individual or an entity that is engaged to provide non-project specific goods or services to a company. It presents a higher level of compliance risk because of the presence of one or more of the following factors: (a) It is based or operates in a country (including the supply of goods or services to a company) that poses a high risk for corruption, money laundering, or commercial bribery; (b) It supplies goods or services to a company from a high-risk country; (c) It has a reputation in the business community for questionable business practices or ethics; or (d) It has been convicted of, or is alleged to have been involved in, illegal conduct and has failed to undertake effective remedial actions. Finally, it presents one or more of the following factors,: (1) It is located in a country that has inadequate regulatory oversight of its activities; (2) it is in an unregulated business; (3) its ultimate or beneficial ownership is difficult to determine; (4) the company has an annual spend of more than $100,000 with the supplier; (5) it was established or registered in a jurisdiction where ownership is not transparent or that permits ownership in the form of bearer shares; (6) it is registered or conducts business in a jurisdiction that does not have anti-corruption, anti-money laundering and anti-terrorism laws comparable to those of the United States and the United Kingdom; or (7) it lacks a discernable and substantial business history.

A Low-Risk Supplier is an individual or a non-publicly held entity that conducts business such as a sole proprietorship, partnership or privately held corporation, located in a Low-Risk Country. Some indicia include that it (1) supplies goods, equipment or services directly to a company in a Low-Risk Country; (2) a company has an annual spend of less than $100,000 with the supplier; and (3) the supplier has no involvement with any foreign government, government entity, or Government Official. However, if the supplier has other indicia of lower risk such that it is a publicly-held company, it may be considered a Low-Risk Supplier because it is subject to the highest disclosure and auditing and reporting standards such as those under the US Securities Exchange Act of 1934, including those publicly traded on a reputable and highly regulated stock exchange, such as the New York or London exchanges, and are, therefore, subject to oversight by highly regarded regulatory agencies.

Below the high and low risk categories I would add the category of ‘Minimal-Risk Suppliers’ who generally provide to a company goods and services that are non-specific to a particular project and the value of the transaction is $25,000 or less. Some examples might be for the routine purchase of fungible items and services, including, among others: Office supplies, such as paper, furniture, computers, copiers, and printers; Industrial or factory supplies, including cleaning materials, solvents, safety clothing and off-the-shelf equipment and parts; Crating and other standard materials for packing products for shipping; Leasing and rental of company cars and other equipment; and Airline or other travel tickets or services. This category would also include those third parties that provide widely available services and products that are not industry specific, are offered to the public at large. Here you might think of periodicals, florists, daily limousine and taxi, airline and food delivery (including coffee shops, pizza parlors and take out) services.

Last, but certainly not least, is the category of Government Service Providers, which includes entities that generally come into a company through the supply chain, who interact with a foreign government on behalf of your company. Examples might be customs brokers, providers who obtain and process business permits, licenses, visas, work permits and necessary clearances or waivers from government agencies; perform lobbying services; obtain regulatory approvals; negotiate with government agencies regarding the payment of taxes, tax claims, and tax audits. These third parties present some of your highest risks so they need to have not only the highest level of scrutiny but post contract-signing management as well.

The risk ranking of third parties is one of the areas that seems to continue to cause confusion, if not outright bewilderment. The manner in which the articulated risk rankings presented herein is not to be the ‘be-all and end-all’. As the FCPA Guidance reminds us, “An effective compliance program promotes “an orga­nizational culture that encourages ethical conduct and a commitment to compliance with the law.”…A well-constructed, thought­fully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations.” If you think through your risk rankings and can articulate a reasonable basis for doing so followed by documentation, I think your own risk ranking system will survive regulatory scrutiny.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 12, 2014

Does Your Company Still Allow Facilitation Payments?

IMG_3289One of the more confusing areas of the US Foreign Corrupt Practices Act (FCPA) is in that of facilitation payments. Facilitation payments are small bribes but make no mistake about it, they are bribes. For that reason many companies feel they are inconsistent with a company culture of doing business ethically and in compliance with laws prohibiting corruption and bribery. Further, the FCPA Guidance specifies, “while the payment may qualify as an exception to the FCPA’s anti-bribery provisions, it may violate other laws, both in Foreign Country and elsewhere. In addition, if the payment is not accurately recorded, it could violate the FCPA’s books and records provision.” Finally, further the FCPA Guidance states, “Whether a payment falls within the exception is not dependent on the size of the payment, though size can be telling, as a large payment is more suggestive of corrupt intent to influence a non-routine governmental action. But, like the FCPA’s anti-bribery provisions more generally, the facilitating payments exception focuses on the purpose of the payment rather than its value.” [emphasis in original text]

In recent remarks, Thomas C. Baxter, Executive Vice President and General Counsel at the Federal Reserve Bank of New York indicated a general unease with facilitation payments. Baxter was quoted in the FCPA Blog for the following, “Baxter said an organizational policy that allows some types of official corruption — including facilitating payments – “diminishes the efficacy of compliance rules that are directed toward stopping official corruption.”” Further, “While I understand that the exception is grounded in a practical reality, I feel that zero tolerance for official corruption would have been a better choice. To any public servant with an extended hand, I would say in a loud and clear voice, “pull it back and do your job.” And, let me note the OECD Working Group on Bribery recommends that all countries encourage companies to prohibit or discourage facilitating payments.”

In addition to these clear statements about whether the FCPA should continue to allow said bribes; you should also consider the administrative nightmare for any international company. The UK Bribery Act does not have any such exception, exemption or defense along the lines of the FCPA facilitation payment exception. This means that even if your company allows facilitation payments, it must exempt out every UK Company or subsidiary from the policy. Further, if your company employs any UK citizens, they are subject to the UK Bribery Act no matter who they work for and where they may work in the world so they must also be exempted. Finally, if your US Company does business with a UK or other company subject to the UK Bribery Act, you may be prevented contractually from making facilitation payments while working under that customer’s contract. As I said, an administrative nightmare.

  1. The Statute

When the FCPA was initially passed in 1977, the facilitating payment exception was found under the definition of foreign official. However, with the 1988 Amendments, a more explicit exception was written into the statute making it clear that the anti-bribery provisions “shall not apply to any facilitating or expediting payment to a foreign official, political party, or party official the purpose of which is to expedite or to secure the performance of a routine governmental action . . .” The statute itself provided a list of examples of facilitation payments in the definition of routine governmental actions. It included the following:

  • Obtaining permits, licenses, or other official documents;
  • Processing governmental papers such as visas and work orders;
  • Providing police protection, mail services, scheduling inspections;
  • Providing utilities, cargo handling; or
  • Actions of a similar nature.

It is important to note that the language of the FCPA makes it clear that a facilitation payment is not an affirmative defense but an exception to the general FCPA proscription against bribery and corruption. Unfortunately for the FCPA Practitioner there is no dollar limit articulated in the FCPA regarding facilitation payments. Even this limited exception has come under increasing criticism. As far back as 2009, the OECD studied the issue and recommended that member countries encourage their corporations to not allow the making of facilitating payments, “in view of the corrosive effect of small facilitation payments, particularly on sustainable economic development and the rule of law.”

Interestingly, one of the clearest statements about facilitation payments comes not from a FCPA case about facilitation payments but the case of Kay v. US, 359 F.3d 738, 750-51 (5th Cir. 2004). This case dealt with whether payment of bribes to obtain a favorable tax ruling was prohibited under the FCPA. In its opinion the Fifth Circuit commented on the limited nature of the facilitating payments exception when it said:

A brief review of the types of routine governmental actions enumerated by Congress shows how limited Congress wanted to make the grease exceptions. Routine governmental action, for instance, includes “obtaining permits, licenses, or other official documents to qualify a person to do business in a foreign country,” and “scheduling inspections associated with contract performance or inspections related to transit of goods across country.” Therefore, routine governmental action does not include the issuance of every official document or every inspection, but only (1) documentation that qualifies a party to do business and (2) scheduling an inspection—very narrow categories of largely non-discretionary, ministerial activities performed by mid- or low-level foreign functionaries.

2. Enforcement Actions

Con-way

The FCPA landscape is littered with companies who sustained FCPA violations due to payments which did not fall into the facilitation payment exception. In 2008, Con-way Inc., a global freight forwarder, paid a $300,000 penalty for making hundreds of relatively small payments to Customs Officials in the Philippines. The value of the payments Con-way was fined for making totaled $244,000 and were made to induce the officials to violate customs regulations, settle customs disputes, and reduce or not enforce otherwise legitimate fines for administrative violations.

Helmerich and Payne

In 2009, Helmerich and Payne, Inc., paid a penalty and disgorgement fee of $1.3 million for payments which were made to secure customs clearances in Argentina and Venezuela. The payments ranged from $2,000 to $5,000 but were not properly recorded and were made to import/export goods that were not within the respective country’s regulations; to import goods that could not lawfully be imported; and to evade higher duties and taxes on the goods.

Panalpina

Finally, there is the Panalpina enforcement action. As reported in the FCPA Blog, this matter was partly resolved last year with the payment by Panalpina and six of its customers of over $257 million in fines and penalties. Panalpina, acting as freight forwarder for its customers, made payments to circumvent import laws, reduce customs duties and tax assessments and to obtain preferential treatment for importing certain equipment into various countries but primarily in West Africa.

DynCorp

Then there is the DynCorp International investigation matter. As reported in various sources the matter relates to approx. $300,000 in payments made by subcontractors who wished to speed up their visa processing and expedite receipt of certain licenses on behalf of DynCorp. This investigation has been going on for several years and there is no anticipated conclusion date at this time.

3.      Some Guidance

So what does the Department of Justice (DOJ) look at when it reviews a company’s FCPA compliance program with regards to facilitation payments? Initially, if there is a pattern of such small payments, it would raise a Red Flag and cause additional investigations, but this would not be the end of the inquiry. There are several other factors which the DOJ could look towards in making a final determination on this issue. The line of inquiry the DOJ would take is as follows:

  1. Size of payment – Is there an outer limit? No, there is no outer limit but there is some line where the perception shifts. If a facilitating payment is over $100 you are arguing from a point of weakness. The presumption of good faith is against you. You might be able to persuade the government at an amount under $100. But anything over this amount and the government may well make further inquiries. So, for instance, the DOJ might say that all facilitation payments should be accumulated together and this would be a pattern and practice of bribery.
  2. What is a routine governmental action? Are we entitled to this action, have we met all of our actions or are we asking the government official to look the other way on some requirement? Are we asking the government official to give us a break? The key question here is whether you are entitled to the action otherwise.
  3. Does the seniority of the governmental official matter? This is significant because it changes the presumption of whether something is truly discretionary. The higher the level of the governmental official involved, the greater chance his decision is discretionary.
  4. Does the action have to be non-discretionary? Yes, because if it is discretionary, then a payment made will appear to be obtaining some advantage that is not available to others.
  5. What approvals should be required? A facilitation payment is something that must be done with an appropriate process. The process should have thought and the decision made by people who are the experts within the company on such matters.
  6. Risk of facilitation payments and third parties? Whatever policy you have, it must be carried over to third parties acting on your behalf or at your direction. If a third party cannot control this issue, the better compliance practice would be to end the business relationship.
  7. How should facilitation payments be recorded? Facilitation payments must be recorded accurately. You should have a category entitled “Facilitation Payments” in your company’s internal accounting system. The labeling should be quite clear and they are critical to any audit trail so recording them is quite significant.
  8. Monitoring programs? There must always be ongoing monitoring programs to review your company’s internal controls, policies and procedures regarding facilitation payments.

So we return to the question of when does a grease payment become a bribe? There is no clear line of demarcation. The test seems to turn on the amount of money involved, to whom it is paid and the frequency of the payments. Additionally, accurate books and records are a must. Finally, remember that the defense of facilitation payments is an exception to the FCPA prohibition against bribery. Any defendant which wishes to avail itself of this exception at trial would have to proffer credible evidence to support its position, but at the end of the day, it would be the trier of fact which would decide. So, much like any compliance defense, the exception is only available if you use it at trial and it would be difficult to imagine that any company will want to use the facilitation payment exception.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 10, 2014

Where to Now St. Peter? – Due Diligence Going Forward in China

Tumbleweed ConnectionWhatever you might think of where his career went, Elton John had some great early stuff. I still rank Tumbleweed Connection right up there as one of my favorite albums of all-time. And while it was packed with some great tracks, one of my most favorite was Where to Now St. Peter? It was the opening track on Side 2 and dealt with whether a dying soldier would end up in heaven or hell. While perhaps having quite the spiritual overtones, I did think about this song when I read about the convictions on Saturday of Peter William Humphrey, a 58-year-old British national, and his wife, Yu Yingzeng, a 61-year-old naturalized American, on charges of illegally purchasing personal information about Chinese nationals.

In a one day trial the couple was convicted of illegally purchasing information on Chinese citizens. In an article in the Financial Times (FT), entitled “China court hands GSK investigator jail term and orders deportation”, Gabriel Wildau and Andrew Ward reported that husband Humphreys received a two and a half year jail term which was “just short of the three-year maximum”. In an article in the Wall Street Journal (WSJ), entitled “China Convicts Two Corporate Investigators”, James T. Areddy and Laurie Burkitt reported that he was also ordered to pay a fine of approximately $32,500 and will be deported from the country when his jail term is completed. Wife Yingzeng received a two year jail term and was ordered to pay a fine of approximately $23,000 but will be allowed to remain in the country after her sentence is completed.

In a New York Times (NYT) article, entitled “In China, British Investigator Hired by Glaxo, and Wife, Sentenced to Prison”, David Barboza reported that the couple “acknowledged that from 2009 to 2013, they obtained about 250 pieces of private information about individuals, including government-issued identity documents, entry and exit travel records and mobile phone records, all apparently in violation of China’s privacy laws.” According to the NYT article, wife Yu claimed that she did not know her actions where illegal and was quoted as saying, “We did not know obtaining these pieces of information was illegal in China. If I had known I would have destroyed the evidence.” According to the WSJ, the privacy law which was the basis of the conviction, was enacted in 2009 “to make it illegal to handle certain personal medical records and telephone records” but that the law itself “remains vague” on what precisely might constitute violation.

From the court statements, however, it did appear that the couple had trafficked in personal information. As reported by the WSJ, “In separate responses over more than 10 hours, My Humphreys and Ms. Yu denied that their firm trafficked in personal information, saying they had hired others to obtain personal data when clients requested it.” From the documents presented by the prosecution, it would seem clear that the couple had obtained my items which were more personal in nature. They were alleged by prosecutors to have “used hidden cameras to gather information as well as government records on identification numbers, family members, real-estate holdings, vehicle owner, telephone logs and travel records.”

Recognizing the verdicts under Chinese laws are usually predetermined and the entire trials are scripted affairs, there is, nonetheless, important information communicated to the outside world by this trial. First and foremost is, as reported in the NYT article is a “chilling effect on companies that engage in due diligence work for global companies, many of whom believe the couple may have been unfairly targeted.” The WSJ article went further quoting Geoffrey Sant for the following, “It impacts all attempts to do business between the U.S. and China because it will be very challenging to verify the accuracy of company or personal financial information.” In other words, things just got a lot tougher to perform, what most companies would expect to be a minimum level of due diligence.

Second is the time frame noted in the court statements as to the time of the violations, from 2009 to 2013. Many had assumed that Humphreys and Yingzeng’s arrests related to their investigation work on behalf of the British pharmaceutical giant GlaxoSmithKline PLC (GSK) which was trying to determine who had filmed a sex tape of the company’s head of Chinese operations, which was then provided to the company via an anonymous whistleblower. This would seem to beg the question of whether the couple would have been prosecuted if they not engaged in or accepted the GSK assignment.

But as Elton John asked, “Where to now St. Peter?” You should always remember that performing due diligence is but one of five steps in the management of the third party life cycle. If you cannot perform due diligence at a level that you do in other countries or that you could even have done in China before the Humphreys and Yu trial, you can beef up the other steps to help proactively manage your third parties. I often say that your real work with third parties begins when the contract is executed because then you have to manage the relationship going forward. So, if you cannot perform the level of due diligence you might like, you can put more resources into monitoring the relationship, particularly in the area of invoice review and payments going forward.

In a timely article found in this month’s issue of the SCCE magazine, Compliance and Ethics Professional, Dennis Haist and Caroline Lee published an article, entitled “China clamps down on bribery and corruption: Why third-party due diligence is a necessity” where they discussed a more robust response to the issue as well. They note that the retention of third party’s to do business in China is an established mechanism through which to conduct business. They advise “For multinationals with a Chinese presence, or plans to enter the market in the near future, now is the time to pay close attention to the changing nature of the business landscape as it relates to bribery and corruption.” Further, they suggest that “In order to ensure compliance with ABAC [anti-bribery/anti-corruption] regulatory scrutiny, multinationals must demonstrate a consistent, intentional and systematic approach to third-party compliance.” But in addition to the traditional background due diligence, they believe that companies should consider an approach that moves to proactively managing and monitoring third parties for compliance. Lastly, at the end of the day if a regulator comes knocking from the Department of Justice (DOJ) or Serious Fraud Office (SFO), you will need to demonstrate the steps you have put in place and your active management of the process.

In the FT, WSJ and NYT articles it was clearly pointed out that the invisible elephant in the room was GSK. Also it is not clear what the personal tragedy that Humphreys and Yu have endured will mean for GSK or the individuals caught up in that bribery scandal going forward. Humphreys had previously said that he would not have taken on the GSK sex tape assignment if it had been disclosed to him that the company had sustained allegations of corruption by an internal whistleblower. Perhaps one lesson may be that in the future companies will have to disclosure more to those they approach to perform such investigative services.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 7, 2014

Continuous Improvement Of Your Compliance Program, Part II

7K0A0246Yesterday, I began a two-part series on continuous monitoring of your anti-corruption compliance program. In Monday’s post, I looked at the regulatory framework for such a requirement. In today’s conclude with some thoughts on how to continually improve and update your Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance regime and take a look again at how the regulators might view your program, in some quick, easy and pithy ways.

Anti-corruption, anti-bribery, anti-money laundering (AML) programs policies and procedures and even export control systems are seemingly in a constant state of evolution. Many companies are struggling with the challenge of implementing effective controls and monitoring risks across a spectrum that could include the three above listed compliance areas as well as others. One area that has evolved into a minimum best practices requirement for compliance is that of continuous monitoring.

While many companies will look at continuous monitoring as a software solution that can assist in managing risk, provide reporting metrics and, thereby, insights across an organization, it should be viewed more holistically. You will need to take many disparate systems, usually across a wide international geographic area, which may seem like an overwhelming process. Justin Offen, explained this in his article, entitled “Mission Impossible? Six steps to continuous monitoring”, where he detailed a six-point program to ensure that your “CM solution doesn’t become part of the problem” rather than a solution.

  1. Know your global IT footprint. It is important to understand how continuous monitoring will be incorporated into your company’s overall IT strategy as well as your compliance strategy. This advocates that this inquiry begins with understanding what your current IT structure is and what it is anticipated to be in 3 and 5 years. Once you identify your global IT footprint you can determine which system will be the best fit.
  2. Define scope and necessary resources. You should determine what your goal is, begin by identifying your needs and then prioritize them. You should perform a risk analysis and then rank the risks. Next, you need to understand the amount of talent you have in your organization, identify who can implement and work with the system and determine your budget, which may need to be increased based upon your need for outside experts and unknown contingencies.
  3. Conduct a pilot or proof of concept. A phased rollout can be used as a proof of concept, which can yield greater functioning efficiency throughout your entire program implementation. It should also allow you to chalk up an early success to present to the inevitable nay-sayers in your organization.
  4. Decrease false positives. This is important because improper or incomplete testing may well lead to a larger amount of false positives which you are required to evaluate and clear. From each test, you can further refine your continuous monitoring solution to the specific needs of your organization and increase time and efficiency in your overall continuous monitoring program.
  5. Establish your escalation protocol. You should establish a response protocol when an exception or Red Flag arises. This protocol should include an escalation protocol if the Red Flag suggests that it is warranted or additional investigation determines a wider problem exists. This protocol should include specific individuals and departments that need to be notified, the makeup of your initial and secondary triage team and the accountability for each person in the process, all the way up to the Board.
  6. Demonstrate control through case management. This demonstrates once again the maxim of Document, Document and Document. You need to be ready to “respond with appropriate documentation of any transaction that’s been reviewed, showing the level of review and any additional steps taken.”

The benefits of such a continuous monitoring program are significant; the creation of documentation that can lead to a ‘ready response’ by a company to an issue before it becomes a larger problem, coupled with the ability to recall all steps and information when a regulator comes knocking. Internally, using the pilots or proofs of concepts, the compliance department can bring in other stakeholders to see the value of continuous monitoring within the organization.

You Have a Strategic Plan – Now What Do You Do?

Have you thought about your anti-corruption through the lens of a strategic plan? If not, you might want to use the formulation proffered by Bruce Rector, in an article entitled “Strategic planning needs constant follow-up to be successful”. Recognizing that a strategic plan can serve as guide for your company going forward, it must actually be utilized to garner any use out of it. I believe that the steps he lays out translate, without difficulty, into steps a compliance officer can take to meet the suggestion laid out by Offen above.

  • Review the Goals of the Strategic Plan. This requires that you arrange a time for the Chief Compliance Officer (CCO) and team to review the goals of the Strategic Plan. To the extent possible this should be done in person. The CCO should lead a discussion of the Strategic Plan and determine how this goal in the Plan measures up to its implementation in your company.
  • Design an Execution Plan. The “Keep it Simple Sir” or KISS method is the best to move forward. This would suggest that for each compliance goal, there should be a simple and straightforward plan to ensure that the goal in question is being addressed. Any such plan must be specific with clear goals for all involved, with tasks handed out, deliverables defined and a definite timeline for delivery.
  • Put Accountabilities in Place. In any plan of execution, there must be accountabilities attached to them. Simply having a time line is not enough. This means that the persons tasked with the responsibility of performing the tasks be clearly identified, by both the individual so tasked and the actual task they are assigned to complete. Accountability requires that there be follow-up to confirm that these targets are met. This requires the CCO or other senior compliance department representative to put these in place and then mandate a report requirement on how the task assigned is being achieved.
  • Schedule the Next Review of the Plan. There should be a regular review of the process. While noting that this may seem time consuming, this means the group responsibility gets into a regularity, which will assist the process moving forward more smoothly. It also allows any problems which may arise to be detected and corrected more quickly than if meetings are held at a less frequent basis.

It is a function of the CCO to reinforce the vision and goals of the compliance function, where assessment and updating are critical to an ongoing best practices compliance program. If you follow this protocol, you will put a mechanism in place to demonstrate your company’s commitment to compliance by following through on intentions as set forth in your strategic plan.

The Regulators Perspective

What does an effective compliance program look like? Over the years, we have heard various formulations of inquiries that regulators might use when reviewing a compliance program. While not exactly a review of a compliance protocol, one of my favorites is what I call McNulty’s Maxims or the three questions that former United States Deputy Attorney General, and Baker & McKenzie LLP partner, Paul McNulty said were three general areas of inquiry the he would assess regarding an enforcement action when he was at the DOJ. They are: first: “What did you do to stay out of trouble?” second: “What did you do when you found out?” and third: “What remedial action did you take?”

Stephen Martin said that an inquiry he might make was along the lines of the following. First he would ask someone who came in before the DOJ what the company’s annual compliance budget was for the past year. If the answer started with something like, “We did all we could with what we had ($100K, $200K, name the figure), he would then ask, “How much was the corporate budget for Post-It Notes last year?” The answer was always in the 7-figure range. His next question would then be, “Which is more business critical for your company; complying with the FCPA or Post-It Notes?” Unfortunately, it has been Martin’s experience that most companies spent far more on the Post-It Notes than they were willing to invest in compliance.

Andrew Ceresney, Director of the Division of Enforcement of the SEC, speaking at Compliance Week 2014, said that he has “found that you can predict a lot about the likelihood of an enforcement action by asking a few simple questions about the role of the company’s legal and compliance departments in the firm.” He then went on to detail some rather straightforward questions that he believes could show just how much a company is committed to having a robust compliance regime.

  • Are legal and compliance personnel included in critical meetings?
  • Are their views typically sought and followed?
  • Do legal and compliance officers report to the Chief Executive Officer (CEO) and have significant visibility with the board?
  • Are the legal and compliance departments viewed as an important partner in the business and not simply as support functions or a cost center?

Near the end of his presentation, Cerensey said that “Far too often, the answer to these questions is no, and the absence of real legal and compliance involvement in company deliberations can lead to compliance lapses, which, in turn, result in enforcement issues. When I was in private practice, I always could detect a significant difference between companies that prioritized legal and compliance and those that did not. When legal and compliance were not equal partners in the business, and were not consulted as a matter of course, problems were inevitable.”

McNulty’s Maxims, Martin’s question on budget and now Cerensey’s questions all provide significant guideposts to how regulators think about FCPA compliance programs. For me, I think the point is that companies which actually Do Compliance are easy to spot. For all the gnashing of teeth about how hard it is to comply with what the DOJ and SEC want to see in FCPA compliance, when the true focus can be distilled into whether a company actually does compliance as opposed to saying how ethical they are, I think it simplifies the inquiry and the issues senior management and a Board of Directors really needs to pay attention to.

Continuous improvement through continuous monitoring or other techniques will help key your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. You need to build in a way to keep pace with both market and regulatory changes to have a truly effective anti-corruption compliance program. The Guidance makes clear that the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improve­ment and sustainability.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 6, 2014

Theme from Shaft and Continuous Improvement of Your Compliance Program, Part I

Isaac HayesThe composer of what I believe to be the absolute coolest movie theme ever was born on this date in 1942, Isaac Hayes. Hayes continually succeeded in many areas. In the 1960s it was with soul music on the great label Stax. In the 90s it was as the voice of Chef on the animated TV series South Park. But for my generation it was for the theme song, and indeed entire soundtrack, to the movie Shaft that I will always remember Hayes for. The success of that soundtrack led not only to nearly four more decades in the public eye, but as I will never forget sight of Isaac Hayes, playing shirtless in heavy chains and sunglasses as he performed the #1 pop single “Theme from ‘Shaft'” on national television the night he was awarded the Academy Award for Best Score.

How Hayes continued to reinvent of himself as a performer informs my blog posts over the next two days as I look at continuous improvement in your Foreign Corrupt Practices Act (FCPA) compliance program. Today, I will review the regulators view on continuous improvement and tomorrow I will provide some specific techniques that you can engage in to help satisfy this prong of the Ten Hallmarks of an Effective Compliance Program.

You should keep track of external and internal events that may cause change to business process, policies and procedures. Some examples are new laws applicable to your business organization and internal events driving changes within a company. Such internal changes could be a company reorganization or major acquisition. This type of review appears to be similar to the Department of Justice (DOJ) advocacy of ongoing risk assessments. The FCPA Guidance (Guidance) specifies, “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”

Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the Federal Sentencing Guidelines (FSG) call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

A review plan is an excellent tool for the compliance practitioner because it provides a method for the ongoing evaluation of policies and sets forth a manner to communicate and train on any changes that are implemented. More than simply staying current, this approach will help provide the dynamics that the DOJ continually talks about in keeping your program fresh. Lastly, such a review plan can also guide the compliance practitioner in creating an ongoing game plan for compliance program upgrades and updates that Stephen Martin advocates.

The Guidance makes clear that each company should assess and manage its risks and specifically notes that small and medium-size enterprises likely will have different risk profiles and therefore different attendant compliance programs than large multi-national corporations. Moreover, this is something that the DOJ and Securities and Exchange Commission (SEC) take into account when evaluating a company’s compliance program in any FCPA investigation. This is why a “Check-the-Box” approach is not only disfavored by the DOJ, but, at the end of the day, it is also ineffectual. It is because each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges.

One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information.

Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from AsiaPac, it may be time to conduct an audit of those operations to further investigate the issue.

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local Finance departments in your foreign offices to ask if they’ve noticed any accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries in which they manage. These ongoing efforts demonstrate that your company is serious about compliance.

The DOJ emphasized again with the 2011 Pfizer Deferred Prosecution Agreement (DPA), the need for a company to establish protocols for auditing. It included the following detail on auditing protocols:

  • On-site visits by an FCPA review team comprised of qualified personnel from the Compliance, Audit and Legal functions who have received FCPA and anti-corruption training.
  • Review of a representative sample (appropriately adjusted for the risks of the market) of contracts with and payments to individual foreign government officials as well as other high-risk transactions in the market.
  • Creation of action plans resulting from issues identified during the proactive reviews; these action plans will be shared with appropriate senior management and should contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations.
  • A review of the books and records of a sample of third party representatives that, in the view of the FCPA proactive review team, may present corruption risk. Prior to such an investigation, however, the company should have procedures in place to make sure every investigation is thorough and authentic, including document preservation protocols, data privacy policies, and communication systems designed to manage and deliver information efficiently.

Tomorrow, I will review some specific steps you can take to meet these goals.

For your listening pleasure, close your eyes and listen to the Theme From Shaft, by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 30, 2014

Bringing It All Home, the Two Tough Cookies Wrap It Up For You, Part III

Tales from the CryptNote-I asked the Two Tough Cookies if they could put together a series of blog posts wrapping up the lessons they have seen and learned and written about in their series of Tales from the Crypt. They graciously put together a series of posts on the seven elements of an effective compliance program from their 10 tales of Business Conduct. Today, Part III of a Three Part Series…

Wrapping it all Up

So, now you’re ready to start your culture audit… Some key questions you want to ask before you start are:

  1. Do I have the support of Executive leadership? If not, go back to your E&C steering committee and work through the objections there first. It should be comprised of empowered executives who can understand the value of what you propose, and give you insight how to get buy-in across the organization. Give yourself MONTHS to get this accomplished, if not years. If they don’t understand the value of what you do, it will take a lot of mini-meetings to get your point across. If you don’t have an E&C steering committee, start by forming one, and include your CEO, CFO, GC, CHRO, IA, and top business line leaders. Also include global representatives if you have a global footprint. If you have an executive management council, they should be on your E&C steering committee, because they are the decision-makers. Be careful not to have overwhelming representation on the administrative side. And make sure the CEO has representation – if he or she doesn’t have time to manage for integrity, then you need to go elsewhere.
  2. Have you clearly articulated the ethical standards of your organization and the procedures to follow in order to meet those standards? If not, or if you’re not sure, start with a small sample survey of some key expectations and do a small focused study on what critical pieces are missing, and work to fix it. That’s your baseline, and you will then have metrics to measure against when you really start to change things for the better!
  3. What are the operational values – the values that define “how things really work around here”?

Your continuum looks like this depending on your ethical climate:

Aethical Compliance Emerging Ethical Integrity
Ego/Profit Rules Based Rules Plus Values Principled Performance

Organizations that are Compliance-oriented typically

  • Have a goal to prevent, detect, and punish legal violations
  • Channel behavior in lawful directions
  • Underlying model is deterrence theory
  • People are rational maximizers of self-interest, responsive to personal costs and benefits of their choices
  • May be seen as a rule-book, a constraint (especially if overemphasis on punishment)

Organizations that operate with Principled Performance (High-Integrity) typically

  • Combine a concern for law with emphasis on managerial responsibility
  • Define companies’ guiding values, aspirations and patterns of thought and conduct
  • Focus on Accountability, leveraging self-governance in accordance with a set of guiding principles and encouraging independence of thought with an introspective view on personal accountability. Each employee = Ethics Officer

Successful integration of Integrity in your organization is hard work. It takes guiding values and commitments that make sense and are clearly communicated. Company leaders are personally committed, creditable, and willing to take action on the values they adopt. The adopted values are integrated into the normal channels of management decision making and are reflected in the organization’s critical activities. It’s not enough to start every meeting talking about integrity, it has to be woven into every word and action of the leadership team, and done so authentically. The company’s systems and structures have to support and reinforce its values. Managers must be developed to ensure they have the skills, knowledge, and competencies needed to make ethically sound decisions, and resources must be made available on a non-discretionary basis to enhance those skills, knowledge and competencies. Continuing effort, investment, and integration is needed. Close enough is not good enough, and the work is never done.

 

Sample Gap Analysis of Culture Crawl Walk Run!
Organization Type Aethical Compliance Emerging Ethical Integrity
Work Climate Type Instrumental, Rules & Procedures Rules & Procedures, Law & Professional Codes Law & Professional Codes, Caring Independence
Policy Type None Code of Conduct Code of Practice Code of Ethics
Policy Control None Use of rules Seek advice, Act then disclose Use of guiding principles
Training Type None Orientation, General courses Seminars, Courses for some managers Courses for most employees, Personal interviews
Training approaches None or General Info Rules and guidelines, Lectures Decision-making frameworks, Case studies Cognitive approaches, Exemplary modeling
Top management commitment None Formal communications of legal aspects Some informal and formal means of communication Various informal and formal mechanisms, partnering
Communication None Orientation, one-time distribution, annual review Periodic distribution, Input into review Frequent distribution, Two-way communication
Enforcement Officer No one, Unimportant role Legal or HR Dept, Compliance Officer Sr. mgmt. committee, Ethics Officer, Supervisors Each employee, High-ranking employee(s)
Sanctions Ignored Arbitrarily enforced Semi-consistently enforced Consistently enforced
Rewards Keep job One-time story, award Special recognition Publicity, bonuses
Help/hot lines None 800 number, limited hours Third-party staff, feedback Follow-up, regular reports
Performance appraisal systems None Idea or suggestion only High-level managers only, Affects pay or bonuses All employees, affects pay, Affects promotions

Many thanks to the Two Tough Cookies for this great series!

This publication contains general information only and is based on the experiences and research of the authors. The authors are not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The authors, their affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Authors give their permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the authors.

July 29, 2014

Bringing It All Home, the Two Tough Cookies Wrap It Up For You, Part II

Tales from the CryptNote-I asked the Two Tough Cookies if they could put together a series of blog posts wrapping up the lessons they have seen and learned and written about in their series of Tales from the Crypt. They graciously put together a series of posts on the seven elements of an effective compliance program from their 10 tales of Business Conduct. Today, Part II of a Three Part Series…

3. Exercise Due Diligence to Avoid Delegation of Authority to Unethical Individuals

This one is tough, especially in global organizations. In many countries, you simply cannot run a background check, as criminal records are not public. In others, you can run them, but the criminal offense must be related to the job to exclude the candidate from being hired.   In yet others, you can run them, but you can’t use them due to overly strict privacy rules. Then there’s the matter of cost relating to doing all this due diligence. The best thing you can do is determine the following:

  • First, is your business subject to a potential FCPA violation? If you are not “at risk” of public corruption because you are not engaging at any level with foreign government officials, then half the battle is won. Of course, you still run the risk of commercial corruption (bribes, kick backs, etc. with trading partners), but at least the spectre of government sanctions is not looming so large over you.
  • If you are “at risk” of an FCPA violation (you have interaction with govt. officials, including customs) have you developed a robust due diligence program, based on some corruption index to determine the level of due diligence required for your staff, your trading partners?
  • Have you identified your red flags thoroughly to spot anomalies in your business that would signal a deeper view is recommended?
  • Do you have staff to conduct the due diligence, or a vendor to do it on your behalf?
  • Are background checks run on everyone, or just certain individuals, or certain risk areas?
  • Have you taken a hard look at your gift policies to determine whether or not there are glaring holes that could give rise to inappropriate influence in business dealings?
  • Have you taken cultural considerations under advisement in your gift policies? Are they more stringent, or lax, compared to the US? Are the gift policies in Russia different than the gift policies in the US, because someone convinced someone else that you just can’t get things done without greasing a palm here or there?
  • Do you have a formal committee reviewing all charitable contributions, or, are ‘charitable contributions” acceptable as “facilitation” to get non-discretionary government functions moving along? Does your organization allow “facilitation payments” – if so, you better take a second, third, fourth look….

The point I’d like to emphasize here is that even companies that make it on the “World’s Most Ethical Companies” list also make it to the DOJ’s investigation list for foreign corruption, or violation of embargoes, sanctions, and the like. People interpret rules when the rules change, depending on the country. People then make mistakes in favor of what makes business sense to them, in their country, in their environment. You just have to make sure you’ve done what’s reasonable to prevent those mistakes.

  1. Communicate and Educate Employees on Compliance and Ethics Programs

Here’s where the tone from the top, middle and bottom are key to your culture. This is probably the most important thing you want to measure. I am fond of saying 90% of a good ethics & compliance program is communication, and 10% is actions/deeds. While deeds do speak louder than words, it’s the communications – what you say, how you say it, what you mean by it, your intent – that frames up the actions of others.     So you want to measure

  • Are the messages the same, the deeper you get into the organization? Is the understanding of the messages cascading from above the same the further down you go? Easy enough to measure with post-learning survey tools. Give all top, middle, and lower management the same “meeting in a box” and see if the understanding after delivery is the same. Reminds me of that campfire game, where the story starts at one end of the circle, and is completely different by the time the last person hears the tale. Your objective, of course, is to ensure that every person in the corporate audience hears the same message, and has the same take-aways, no matter who is telling the tale.
  • What kind of audience do you have? Does everyone have access to a computer, or do you have the challenge of manufacturing workers, with multiple languages and facilities to manage, and no technical means of reaching them? Have you done what’s necessary to ensure your training and communications mechanisms address every type of audience, or are pockets left out of the mix?
  • What learning aids do you have to help with understanding the code of conduct? Are the examples you use for harassment appropriate for your audience? Do you have a team of global reviewers who will not only preview your training, but offer suggestions on how to localize it to make it appropriate, meaningful and relevant to the teams they serve? If so, do they look at all communications pieces, or only certain ones? If only certain ones, which ones? And why?
  • Are there any leaders who go above and beyond when you launch your annual or quarterly training? I had an Asian business President who made sure he took the course the first day it was launched, and then sent a message to his leadership team about what he learned from the course, and what he wanted them to take away to their teams after they took the course. All of his team had the course done within the first month. I wanted to clone the guy, I swear!

I’m also reminded of mandatory harassment training I gave in Brazil one year. I relied upon the canned on-line training to help with my meeting amongst management, who all spoke English well. I was planning on asking them to cascade the messages to their teams while I was there, but they pointed out that the training was a farce. Women, they told me, wanted wolf calls lobbed in their direction in Brazil – it was not only culturally acceptable, but encouraged. This was substantiated by the several women in the room. Check. Fortunately, I had other examples at the ready to use for a facilitated session, which I vetted with the women on the team prior to delivery. Lesson learned? Make sure your ethics & compliance steering committee has global membership, and are willing to preview your training and communications prior to launch to ensure cultural relevance. If you don’t do this, your ethics & compliance program will be perceived as a joke. Not a desirable outcome, I would say….

  1. Monitor and Audit Compliance and Ethics Programs for Effectiveness

So, how do you measure a non-event? I often ponder…. The challenge in highly ethical organizations is that you have, at first blush, very little to measure. If everyone’s doing a good job, how do you measure effectiveness. Is it because you have a great program that you have absolutely no calls on the hotline? Or is it that everyone is trembling in fear of retaliation the reason for no calls to the hotline? Hmmm.

Some of the things you can measure include

  • Indicators and ‘yardsticks’ – do you crawl, walk, or run to goals?
  • Do you seek periodic stakeholder feedback (including E&C council input)
  • What kind of documentation do you collect – trend analyses of HelpLine metrics, feedback on program enhancements as they are implemented, feedback on training and communications
  • Do you routinely conduct a “Lessons Learned” exercise after substantiated hotline calls?
  • Does your HR team engage in site assessments when a location, facility, or team seems to have a lot of issues that arise from a single manager or set of team leaders?
  • How often are your Code, policies, procedures updated and reviewed?   Are they tested for readability and understanding? Are they just published, or is training introduced for new policies as they are issued?
  • Do you conduct risk assessments and/or change training or communications based on perceived risk areas?
  1. Ensure Consistent Enforcement and Discipline of Violations

Does your organization allow for mistakes? Many will say they do, but when the rubber meets the road, you will find that they can be unforgiving for some transgressions, and unbelievably forgiving for others…. You will want to measure

  • Whether or not there appears to be wiggle room when folks stray. Deeds in this aspect do speak louder than words.
  • Are roles and responsibilities clearly defined, with escalation clauses when things go wrong?
  • Does your organization communicate when things go wrong as well as when things go right? I know one organization that struggled mightily when I suggested we let everyone know what actions we took for certain code violations. The attorneys were all worried that someone would sue, of course, but in the end, integrity prevailed. We were able to sanitize the situations in such a way to communicate what had been done, and what discipline was taken, without anyone learning personal details. Importantly, it drew a virtual line in the sand by publicizing transgression and discipline, so that people knew boundaries. Of course, this was after years of me observing that discipline seemed to be discretionary within the organization, and as a result, trust in management “doing right” was eroding significantly. It didn’t hurt that my observations were followed by multiple hotline calls saying the same thing… but it should never get to that point, should it?

Also measure whether or not policies and communications:

  • Encourage reporting
  • Identify resources to raise concerns
  • Prohibit retaliation for good faith concerns
  • Identifies management as the primary resource for issues or concerns
  • The average timeline to resolve complaints
  • Whether or not you benchmark reports that express fear of retaliation or unwillingness to consult with management first. This is tough to do, unless you build it in to your hotline reporting mechanism as a “customer service” function at the end of every call or report, actively soliciting this very feedback when a report is made.
  1. Respond Appropriately to Incidents and Take Steps to Prevent Future Incidents

So, you are at the point where you have confidence you have the right policies and procedures in place to keep yourselves honest. But in case someone didn’t get the memo of “expected behavior” you have to make sure you respond appropriately, and take steps to avoid future missteps. One organization I worked at realized the culture of an acquired subsidiary was so awful that it opted to sell it off rather than try to fix it. They had other issues in the larger organization, but they knew a bad deal when they saw it, and took steps to rid themselves of an untenable position. Another organization I worked at kept throwing money at a subsidiary, when it probably would have been better to toss in the towel. Different organization, different results, neither perfect, but it fit them as they saw things.

When gauging the culture of your organization, some things you want to look at are the rewards and sanctions for behavior:

Positive rewards:

  • Retention of employment
  • Recognition
  • Appreciation
  • Commendation
  • Monetary or stock reward

Negative sanctions:

  • Termination or Suspension
  • Demotion
  • Probation
  • Appraisal comments/warnings
  • Reduction in compensation or bonus

You also want to measure your Performance Appraisal Systems, and look to see whether or not they include sections on:

  • Demonstrated Ethics and values in workplace conduct
  • Good communication skills
  • Building trust with stakeholders
  • Being fair or equitable
  • Maintaining a high level of quality or integrity in decision-making
  • Reporting Concerns
  • Empowering subordinates to reporting concerns
  • Training and development initiatives for the team

Tomorrow the Two Tough Cookies sum it all up…

This publication contains general information only and is based on the experiences and research of the authors. The authors are not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The authors, their affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Authors give their permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the authors.

 

July 28, 2014

Bringing It All Home, the Two Tough Cookies Wrap It Up For You, Part I

Tales from the CryptNote-I asked the Two Tough Cookies if they could put together a series of blog posts wrapping up the lessons they have seen and learned and written about in their series of Tales from the Crypt. They graciously put together a series of posts on the seven elements of an effective compliance program from their 10 tales of Business Conduct. Today, Part I of a Three Part Series…

We’ve talked a lot in our Tales from the Crypt about the signs to watch for that indicate something’s gone wrong, from minor cultural twists to lapses of integrity that are tantamount to criminal activity. We all wish we had a crystal ball we could peer into to predict how various maneuvers will translate into the larger universe of corporate culture. One of the best tools to use to gauge the cultural baseline is an organizational ethics audit, reminding yourself that “what gets reported gets measured.”

Your first hurdle, of course, is getting executive leadership to support the initiative. If they don’t support it, then you have your first cultural indicator. After all, if you have nothing to hide, you have nothing to lose by peering under the covers, now do you? So let’s assume your leadership is supportive of developing, and/or sustaining, a “high integrity” organization. So what do you want to measure? The ‘seven elements of an effective compliance program’ is a good start, but by no means exhaustive. After all, many organizations fulfill “ethics oversight” by having a CCO in title (usually, the GC or CFO), but the day-to-day oversight and management of the program is led by staff members who are not empowered to work towards positive change. You know who you are, you know the daily frustration of knowing what should be done, and what leadership will allow. So while “oversight” is met, is it really “effective?”

So let’s remind ourselves of the seven elements once again:

1. Establish Policies, Procedures and Controls

2. Exercise Effective Compliance and Ethics Oversight

3. Exercise Due Diligence to Avoid Delegation of Authority to Unethical Individuals

4. Communicate and Educate Employees on Compliance and Ethics Programs

5. Monitor and Audit Compliance and Ethics Programs for Effectiveness

6. Ensure Consistent Enforcement and Discipline of Violations

7. Respond Appropriately to Incidents and Take Steps to Prevent Future Incidents

How do these elements translate into an organizational ethics audit? And how do our 10 rules of business conduct in the workplace (from our “Tales from the Crypt” series) fit in? Let’s break it down into manageable chunks.

1. Establish Policies, Procedures and Controls

Under this “bucket” include your Code of Conduct, your Vision and Values statements for your organization, and the various policies and procedures you rely upon to get business done. What you want to know, when conducting your audit, is not just do you have these, but

  • Does your Vision statement create an actionable description of the future? If so, what is it, and more importantly, do your people know it, and understand what role they play in achieving that future?
  • Is “Integrity” one of your Values?
  • What’s the purpose and Focus of your Code of Conduct? What kind of tone does it set, is it widely distributed, prominently displayed, easy to read? Does it have learning aids, and examples of not only wrong doing, but “right” doing behaviors? What expectation does it set? Is it universal or have you caved to various constituencies and created multiple versions (not translations, but actual versions) to “meet the needs” of various cultures. If you have, then you are net setting a single standard that all can live by, and you will have people applying their own standard to their behaviors, not yours. Ethics should not be subject to interpretation, nor external pressures such as Worker’s Councils, unions, or special interest groups.
  • Are your policies relevant to your business, or did someone just borrow something from an HR toolkit to get you started? Do you have a formal non-retaliation policy (and not just a nod towards the concept in your Code of Conduct), and formal procedures to deter retaliation. The rules in this area need to be cut and dry to make people know you “have their back” when the you know what hits the fan. You want to encourage people to step up, and the only way you can do that is a rock solid approach to non-retaliation.
  • Last, but not least, are your policies “uniformly enforced?” Much like the sentencing guidelines, organizations, large and small alike, should be dealing with transgressions with an even hand to truly have an ethical culture. People like boundaries, like to know where the line in the sand is drawn. Trust me on this. So do you know exactly where your organization’s boundaries are? Or does the line move from incident to incident?

2. Exercise Effective Compliance and Ethics Oversight

As I mentioned before, many organizations have day-to-day oversight managed by staff, with a titular CECO residing with one of the executive leaders, like the GC or the CFO. Larger organizations have dedicated compliance officers who aren’t forced to wear multiple hats, who truly have teams of dedicated compliance officials reporting up to their organization. This is particularly true in highly regulated industries, such as finance, insurance, healthcare, food and drug manufacturing, where government oversight plays a large role in day to day business.   It is fair to say that smaller organizations don’t need to have a dedicated compliance officer per se, but when you have a staff attorney, for instance, managing the day to day operations of your ethics and compliance program, you have put that person in a Catch 22. Period. You may want an attorney in that spot for attorney client privilege, but if you do that recognize that you’ve also handcuffed the person from being able to independently report wrong doing if something goes drastically wrong, as they are duty bound to keep matters confidential, even within the business.

So you want to measure whether or not the person with day-to-day oversight has the freedom (or mechanisms) to raise concerns.

  • If it’s a staff attorney, is the job description written so that when wearing the compliance hat, the attorney hat comes off? Tough to do, but possible.
  • Are there layers of management between the day-to-day person who is managing the ethics and compliance program, and the person with the “title” CECO?
  • Are there many people with “compliance” in their title, and do they work together, or independently? I have worked in organizations where “compliance” was part of several functions, but the right hand, and the left hand, weren’t speaking to each other. Trade Compliance reported to one division, Environmental Compliance reported to another division, product compliance reported to yet a third division, HIPAA compliance to yet a fourth, and so on. None of these units worked together, some were staffed heavily, some staffed thinly, and the actual “head” of Integrity & Compliance was ineffective at convincing senior leadership that all compliance functions should be at least working towards the same goals in the organization. It all depended on the business leader at the top of the silo and whether or not they were effective in getting the support they needed to run their business. It also depended on whether or not the business unit was a profit center or a cost center, and if a cost center, where it reported up into the business – as a G&A expense, or an administrative cost aligned with operations. Those that were part of operations were well-funded, those reporting in on the administrative side as a pure cost center (including the “head”) were poorly resourced.
  • Do you have an ethics steering committee or working group that represents all functions and business units, and is staffed by executive or senior leaders who are in a position to make decisions for the larger organization? This serves as a checks and balance that is critical if the day-to-day oversight is led by a staffer. The staffer can build consensus with a larger group that has a vested interest in the outcome by holding those critical meetings before the meeting to test run proposals, and receive important feedback on how to effectively present a proposal to the team to ensure acceptance and success. The staffer can also go to a trusted member of the committee if he or she feels that the CECO is not receptive to hearing concerns and serve as a sounding board. Hopefully, that is.

Tomorrow, elements 3-7.

Who are the Two Tough Cookies?

Tough Cookie 1 has spent the more than half of her 20+ legal career working in the Integrity and Compliance field, and has been the architect of award-winning and effective ethics and compliance programs at both publicly traded and privately held companies.  Tough Cookie 2 is a Certified Internal Auditor and CPA who has faced ethical and compliance challenges in a variety of industries and geographies and recently led a global internal audit team. Their series “Tales from the Crypt: Tough Choices for Tough Cookies” are drawn largely from real life experiences on the front line of working in Integrity & Compliance, and personal details have been scrubbed to protect, well, you know, just about everyone…

This publication contains general information only and is based on the experiences and research of the authors. The authors are not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The authors, their affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Authors give their permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the authors.

July 25, 2014

Code of Conduct, Compliance Policies and Procedures-Part IV

Policies and ProceduresThis is the fourth and final installment of my series on the the importance of a Code of Conduct and anti-corruption compliance policies and procedures in your compliance program and how you should go about drafting or updating Code of Conduct and anti-corruption compliance policies and procedures. On Tuesday, I reviewed the underlying legal and statutory basis for the documents as a foundation of your overall anti-corruption regime. In subsequent posts, I looked at how to go about drafting your Code of Conduct and anti-corruption compliance policies and procedures. Today, I will end the series on how to keep all of the above vibrant and dynamic through a discussion of how to assess, review and revise them and your Code of Conduct on a timely basis.

Simply having a Code of Conduct, together with policies and procedures is not enough. As articulated by former Assistant Attorney General, for the Criminal Division of the US Department of Justice, Lanny Breuer, “Your compliance program is a living entity; it should be constantly evolving.” In an article in the SCCE Magazine, entitled “Six steps for revising your company’s Code of Conduct”, authors Anne Marie Logarta and Ruth Ward suggest considering the following issues before you take on an update of your Code of Conduct.

  • When was the last time your Code of Conduct was released or revised?
  • Have there been changes to your company’s internal policies since the last revision?
  • Have there been changes to relevant laws relating to a topic covered in your company’s Code of Conduct?
  • Are any of the guidelines outdated?
  • Is there a budget to create/revise a Code?

After considering these issues, the authors suggest that you should benchmark your current Code of Conduct against others companies in your industry. I would also add that your standards, policies and procedures should be reviewed and updated in the same manner. If you decide to move forward the authors have a six-point guide which they believe will assist you in making your revision process successful, which I have used as a basis to include revisions to your compliance policies and procedures.

  1. Get buy-in from decision makers at the highest level of the company 

The authors believe that your company’s highest level must give the mandate for a revision to a Code of Conduct and compliance polices and procedures. It should be the Chief Executive Officer (CEO), General Counsel (GC) or Chief Compliance Officer (CCO), or better yet all three to mandate this effort. Whoever gives the mandate, this person should be “consulted at every major step of the Code review process if it involves a change in the direction of key policies.”

  1. Establish a core revision committee 

You should have a cross-functional working group would be ideal to head up your effort to revise your Code of Conduct and compliance polices and procedures. This group should include representatives from the following departments: legal, compliance, communications, HR; there should also be other functions which represent the company’s domestic and international business units; finally there should be functions within the company represented such as finance and accounting, IT, marketing and sales.

From this large group, the topics can be assigned for initial drafting to functions based on “relevancy or necessity”. These different functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. The authors emphasize that creation of a “timeline at the outset of the revision is critical and hold the function representatives accountable for meeting their deliverables.”

  1. Conduct a thorough technology assessment 

The cornerstone of the revision process is how your company captures, collaborates and preserves “all of the comments, notes, edits and decisions during the entire project.” They believe that technology such as SharePoint or Google Cloud can be of great assistance to accomplish this process even if you are required to train team members on their use.

In addition to this use of technology in drafting your Code of Conduct and compliance polices and procedures revisions, you should determine if they will be available in hard copy, online or both. If it will be available online, you should assess “the best application to launch your Code and whether it includes a certification process”. Lastly, there must be a distribution plan, particularly if the Code and compliance polices and procedures will only be available in hard copy.

  1. Determine translations and localizations 

The authors emphasize, “If your company does business internationally, then this step is vital to ensure you have one Code, no matter the language.” They do note that if you decide to translate your Code of Conduct be sure and hire someone who is an “approved company translation subject matter expert.” Here I would simply say to contact Jay Rosen at Merrill Brink, as those guys are the one of the top Language Service Providers and know what they are doing when it comes to translations. The key is that “your employees have the same understanding of the company’s Code-no matter the language.” 

  1. Develop a plan to communicate the Code of Conduct 

A rollout is always critical because it “is important that the new or revised Code is communicated in a manner that encourages employees to review and use the Code on an ongoing basis.” Your company should use the full panoply of tools available to it to publicize your new or revised Code of Conduct and compliance polices and procedures. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide Code of Conduct and compliance polices and procedures meeting where the new or revised documents are rolled out across the company all in one day. But remember, with all thing compliance; the three most important aspects are ‘Document, Document and Document’. However you deliver the new or revised Code of Conduct, you must document that each employee receives it.

6.   Stay on Target 

The authors end by noting that if you set realistic expectations you should be able to stay on deadline and stay within your budget. They state that “You want to set aside enough time so that you won’t feel rushed or in a hurry to get it done.” They also reiterate that to keep a close watch on your budget so that you do not exceed it.

These points are a useful guide to not only thinking through how to determine if your Code of Conduct, and compliance policies and procedure needs updating, but also practical steps on how to tackle the problem. If it has been more than five years since it was last updated, you should begin the process that the authors have laid out. It is far better to review and update if appropriate than wait for a massive FCPA investigation to go through the process.

There are numerous reasons to put some serious work into your Code of Conduct, policies and procedure. They are certainly a first line of defense when the government comes knocking. The FCPA Guidance makes clear that “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” And by considered, I think it is clear that this means the regulators will take a strong view against a company that does not have well thought out and articulated policies, procedures or Code of Conduct; all of which are systematically reviewed and updated. Moreover, as Allen emphasized, “having policies written out and signed by employees provides what some consider the most vital layer of communication.” Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the ‘Document, Document and Document’ mantra applies just as strongly to this area of anti-corruption compliance.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

« Previous PageNext Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 4,603 other followers