FCPA Compliance and Ethics Blog

August 28, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part III

7K0A0129Today, I conclude a three-part series on risk assessments in your Foreign Corrupt Practices Act (FCPA) or UK Bribery Act anti-corruption compliance program. I previously reviewed some of the risks that you need to assess and how you might go about assessing them. Today I want to consider some thoughts on how to use your risk assessment going forward.

Mike Volkov has advised that you should prepare a risk matrix detailing the specific risks you have identified and relevant mitigating controls. From this you can create a new control or prepare an enhanced control to remediate the gap between specific risk and control. Finally, through this risk matrix you should be able to assess relative remediation requirements.

A manner in which to put into practice some of Volkov’s suggestions was explored by Tammy Whitehouse, in an article entitled “Improving Risk Assessments and Audit Operations”. Her article focused on the how Timken Company, assesses and then evaluates the risks the company has assessed. Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan, she said. A variety of solutions and tools can be used to manage these risks going forward but the key step is to evaluate and rate these risks. 

LIKELIHOOD 

Likelihood Rating Assessment Evaluation Criteria
1 Almost Certain High likely, this event is expected to occur
2 Likely Strong possibility that an event will occur and there is sufficient historical incidence to support it
3 Possible Event may occur at some point, typically there is a history to support it
4 Unlikely Not expected but there’s a slight possibility that it may occur
5 Rare Highly unlikely, but may occur in unique circumstances

‘Likelihood’ factors to consider: The existence of controls, written policies and procedures designed to mitigate risk capable of leadership to recognize and prevent a compliance breakdown; Compliance failures or near misses; Training and awareness programs.

PRIORITY 

Priority Rating Assessment Evaluation Criteria
1-2 Severe Immediate action is required to address the risk, in addition to inclusion in training and education and audit and monitoring plans
3-4 High Should be proactively monitored and mitigated through inclusion in training and education and audit and monitoring plans
5-7 Significant
8-14 Moderate
15-1920-25 LowTrivial Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time.

Priority Rating: Product of ‘likelihood’ and significance ratings reflects the significance of particular risk universe. It is not a measure of compliance effectiveness or to compare efforts, controls or programs against peer groups.

At Timken, the most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit monitoring plan going forward. A variety of tools can be used, such as continuous controls monitoring with tools like those provided by Visual RiskIQ, a relationship-analysis based software such as Catelas or other analytical based tools. But you should not forget the human factor. At Timken, one of the methods used by the compliance group to manage such risk is by providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.

The key to the Timken approach is the action steps prescribed by their analysis. This is another way of saying that the risk assessment informs the compliance program, not vice versa. This is the method set forth by the DOJ in its FCPA Guidance and in the UK Bribery Act’s Adequate Procedures. I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the compliance arena. The model set forth by Timken certainly is a reasoned approach and can provide the articulation needed to explain which steps were taken.

In an article in Compliance Week Magazine, entitled, “Lessons on Risk Assessments from Winnie The Pooh” Jason Medford articulated that a key use of a risk assessment is to assist the internal audit function in developing their internal audit plan. He cited to the Institute of Internal Auditors (IIA) standard 2010.A1, which states “The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually.” He went on to note that “In order to have a truly integrated GRC capability it is necessary for internal auditors to work with other GRC professionals in their organization. They must align their annual audit plan with the organization’s objectives, strategies, and initiatives of the other GRC professionals. They must collaborate, coordinate, and align their audit activities with other GRC professionals to increase visibility, improve efficiency, accountability and collaboration.

Carol Saint, Vice President of Internal Audit for 7-Eleven, who was interview by OCEG President Carol Switzer for the same article said that “We start with a risk assessment, beginning with business units because this is how the organization has designed accountability.  We decompose business units into the processes and sub-processes they own and execute. We evaluate how sub-processes align to achievement of strategic objectives: How do they affect the company’s value drivers? Next, we map financial statement lines to the sub-processes to help prioritize from that lens. Finally, for each sub-process we consider specific risks that could hinder achievement of strategic objectives, as well as fraud risks, significant accounting estimates, benchmarking/ hot topics, and ERM risks. We created an “intensity rating” that measures how often a process/sub-process was mentioned in our stakeholder interviews as a risk to the company. And we also considered how cross-functional a process is so that the element of complexity—a risk accelerator—could help determine audit plan priorities. This year’s plan development process was quite intense, but I think we did a good job of creating a baseline so that future risk assessments are more efficient.”

I hope that you have found this series on risk assessments useful. If you have any questions or better yet would like me to work on a risk assessment for your organization, please contact me.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 26, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part I

7K0A0079Yesterday, I blogged about the Desktop Risk Assessment. I received so many comments and views about the post, I was inspired to put together a longer post on the topic of risk assessments more generally. Of course I got carried away so today, I will begin a three-part series on risk assessments. In today’s post I will review the legal and conceptual underpinnings of a risk assessment. Over the next couple of days, I will review the techniques you can use to perform a risk assessment and end with a discussion of what to do with the information that you have gleaned in a risk assessment for your compliance program going forward.

One cannot really say enough about risk assessments in the context of anti-corruption programs. Since at least 1999, in the Metcalf & Eddy enforcement action, the US Department of Justice (DOJ) has said that risk assessments that measure the likelihood and severity of possible Foreign Corrupt Practices Act (FCPA) violations identifies how you should direct your resources to manage these risks. The FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” The UK Bribery Act has a similar view. In Principal I of the Six Principals of an Adequate Compliance program, it states, “The commercial organisation regularly and comprehensively assesses the nature and extent of the risks relating to bribery to which it is exposed.” In other words, risk assessments have been around and even mandated for a long time and their use has not lessened in importance. The British have a way with words, even when discussing compliance, and Principal I of the Six Principals of an Adequate Compliance program says that your risk assessment should inform your compliance program.

Jonathan Marks, a partner in the firm of Crowe Horwath LLP, said the following about risk assessments in his 13-step FCPA Compliance Action Plan, “A comprehensive assessment of the potential bribery and corruption risks – both existing and emerging risks – associated with a company’s products and services, customers, third-party business partners, and geographic locations can serve as the basis for the compliance program. The risk assessment determines the areas at greatest risk for FCPA violations among all types of international business transactions and operations, the business culture of each country in which these activities occur, and the integrity and reputation of third parties engaged on behalf of the company.”

The simple reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face. Both the both the US Sentencing Guidelines, the UK Bribery Act’s Consultative Guidance list Risk Assessment as the initial step in creating an effective anti-corruption and anti-bribery program.

What Should You Assess?

In 2011, the DOJ concluded three FCPA enforcement actions which specified factors which a company should review when making a Risk Assessment. The three enforcement actions, involving the companies Alcatel-Lucent SA, Maxwell Technologies Inc. and Tyson Foods Inc. all had common areas that the DOJ indicated were FCPA compliance risk areas which should be evaluated for a minimum best practices FCPA compliance program. Both the Alcatel-Lucent and Maxwell Technologies Deferred Prosecution Agreements (DPAs) listed the seven following areas of risk to be assessed.

  1. Geography-where does your Company do business.
  2. Interaction with types and levels of Governments.
  3. Industrial Sector of Operations.
  4. Involvement with Joint Ventures.
  5. Licenses and Permits in Operations.
  6. Degree of Government Oversight.
  7. Volume and Importance of Goods and Personnel Going Through Customs and Immigration.

All of these factors were reiterated in the FCPA Guidance which stated, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.”

These factors provide guidance into some of the key areas that the DOJ apparently believes can put a company at higher FCPA risk. These factors supplement those listed in the UK Bribery Consultative Guidance states, “Risk Assessment – The commercial organization regularly and comprehensively assesses the nature and extent of the risks relating to bribery to which it is exposed.” The Guidance points towards several key risks which should be evaluated in this process. These risk areas include:

  1. Internal Risk – this could include deficiencies in
  • employee knowledge of a company’s business profile and understanding of associated bribery and corruption risks;
  • employee training or skills sets; and
  • the company’s compensation structure or lack of clarity in the policy on gifts, entertaining and travel expenses.
  1. Country risk – this type of risk could include:

(a) perceived high levels of corruption as highlighted by corruption league tables published by reputable Non-Governmental Organizations such as Transparency International;

(b) factors such as absence of anti-bribery legislation and implementation and a perceived lack of capacity of the government, media, local business community and civil society to effectively promote transparent procurement and investment policies; and

(c) a culture which does not punish those who seeks bribes or make other extortion attempts.

  1. Transaction Risk – this could entail items such as transactions involving charitable or political contributions, the obtaining of licenses and permits, public procurement, high value or projects with many contractors or involvement of intermediaries or agents.
  2. Partnership risks – this risk could include those involving foreign business partners located in higher-risk jurisdictions, associations with prominent public office holders, insufficient knowledge or transparency of third party processes and controls.

Another approach was detailed by David Lawler, in his book “Frequently Asked Questions in Anti-Bribery and Corruption”. He broke the risk areas to evaluate down into the following categories: (1) Company Risk, (2) Country Risk, (3) Sector Risk, (4) Transaction Risk and (5) Business Partnership Risk. He further detailed these categories as follows:

  1. Company Risk-Lawyer believes this is “only to be likely to be relevant when assessing a number of different companies – either when managing a portfolio of companies from the perspective of a head office of a conglomerate or private equity house.” High risk companies involve, some of the following characteristics:
  • Private companies with a close shareholder group;
  • Large, diverse and complex groups with a decentralized management structure;
  • An autocratic top management;
  • A previous history of compliance issues; and/or
  • Poor marketplace perception.
  1. Country Risk-this area involves countries which have a high reported level or perception of corruption, have failed to enact effective anti-corruption legislation and have a failure to be transparent in procurement and investment policies. Obviously the most recent, annual Transparency International Corruption Perceptions Index can be a good starting point. Other indices you might consider are the Worldwide Governance Indicators and the Global Integrity index.
  2. Sector Risk-these involve areas which require a significant amount of government licensing or permitting to do business in a country. It includes the usual suspects of:
  • Extractive industries;
  • Oil and gas services;
  • Large scale infrastructure areas;
  • Telecoms;
  • Pharmaceutical, medical device and health care;
  • Financial services.
  1. Transaction Risk-Lawyer says that this risk “first and foremost identifies and analyses the financial aspects of a payment or deal. This means that it is necessary to think about where your money is ending up”. Indicia of transaction risk include:
  • High reward projects;
  • Involve many contractor or other third party intermediaries; and/or
  • Do not appear to have a clear legitimate object.
  1. Business Partnership Risk-this prong recognizes that certain manners of doing business present more corruption risk than others. It may include:
  • Use of third party representatives in transactions with foreign government officials;
  • A number of consortium partners or joint ventures partners; and/or
  • Relationships with politically exposed persons (PEPs).

There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries into your risk analysis, it should be acceptable for your starting point.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 25, 2014

Trying Something Different – the Desktop Risk Assessment

IMG_0774How many among you out there are sushi fans? Conversely, how many out there consider the idea of eating raw fish right up there with going into to the dentist’s office for some long overdue remedial work? One’s love or distaste for sushi was used as an interesting metaphor for leadership in this week’s Corner Office section of the New York Times (NYT) by Adam Bryant, in an article entitled “Eat Your Sushi, and Expand Your Horizon”, where he profiled Julie Myers Wood, the Chief Executive Officer (CEO) of Guidepost Solutions, a security, compliance and risk management firm. Wood said her sushi experience relates to advice she gives college students now, “One thing I always say is “eat the sushi.” When I had just graduated from college, I went with my mom to Japan. We had a wonderful time, but I refused to eat the sushi. Later, when I moved to New York, I tried some sushi and loved it. The point is to be willing to try things that are unfamiliar.”

I thought about sushi and trying something different in the context of risk assessments recently. I think that most compliance practitioners understand the need for risk assessments. The FCPA Guidance could not have been clearer when it stated, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” Many compliance practitioners have difficulty getting their collective arms about what is required for a risk assessment and then how precisely to use it. The FCPA Guidance makes clear there is no ‘one size fits all’ for about anything in an effective compliance program.

One type of risk assessment can consist of a full-blown, worldwide exercise, where teams of lawyers and fiscal consultants travel around the globe, interviewing and auditing. However if there is one thing that I learned as a lawyer, which also applies to the compliance field, is that you are only limited by your imagination. So using the FCPA Guidance that ‘on one size fits all’ proscription, I would submit that is also true for risk assessments.

As with Wood’s admonition that you might want to try sushi even if you think you may not like it. I think that there are several different types of risk assessments that can be used to help to advance your compliance regime going forward. This means that if you do not have the time, resources or support to conduct a worldwide risk assessment annually, you can take a different approach. You might try assessing other areas annually through a more limited focused risk assessment, which a colleague of mine calls the Desktop Risk Assessment.

Some of the areas that such a Desktop Risk Assessment could inquire into might be the following:

  • Are resources adequate to sustain a culture of compliance?
  • How are the risks in the C-Suite and the Boardroom being addressed?
  • What are the FCPA risks related to the supply chain?
  • How is risk being examined and due diligence performed at the vendor/agent level? How is such risk being managed?
  • Is the documentation adequate to support the program for regulatory purposes?
  • Is culture, attitude (tone from the top), and knowledge measured? If yes, can we use the information enhance the program?
  • Disciplinary guidelines – Do they exist and has anyone been terminated or disciplined for a violating policy?
  • Communication of information and findings – Are escalation protocols appropriate?
  • What are the opportunities to improve compliance?

There are a variety of materials that you can review from or at a company that can facilitate such a Desktop Risk Assessment. You can review your company’s policies and written guidelines by reviewing anti-corruption compliance policies, guidelines, and procedures to ensure that compliance programs are tailored to address specific risks such as gifts, hospitality and entertainment, travel, political and charitable donations, and promotional activities.

You could assess your company’s senior management support for your compliance efforts through interviews of high-level personnel such as the Chief Compliance Officer (CCO), Chief Financial Officer (CFO), General Counsel (GC), Head of Sales, CEO and Board Audit or Compliance Committee members to assess “tone from the top”. You can examine resources dedicated to compliance and also seek to understand the compliance expectations that top management is communicating to its employee base. Finally, you can gauge operational responsibilities for compliance.

Such a review would lead to the next level of assessment, which would be generally labeled communications within an organization regarding compliance. You can do this by assessing compliance policy communication to company personnel but even more so by reviewing such materials as compliance training and certifications that employees might have in their files. If you did not yet do so, you should also take a look at statements by senior management regarding compliance, such as actions relating to terminating employees who do business in compliance but do not make their quarterly, semi-annual or annual numbers set in budget projections.

A key element of any best practices compliance program is internal and anonymous reporting. This means that you need to review mechanisms on reporting suspected compliance violations and then actions taken on any internal reports, including follow-ups to the reporting employees. You should also assess whether those employees who are seeking guidance on compliance for their day-to-day business dealings are receiving not only adequate but timely responses.

I do not think there is any dispute that third parties represent the highest risk to most companies under the FCPA, so a review of your due diligence program is certainly something that should be a part of any risk assessment. But more than simply a review of procedures for due diligence on third party intermediaries, you should also consider the compliance procedures in place for your company’s mergers and acquisitions (M&A) team; focusing on the pre-acquisition phase.

One area that I do not think gets enough play, whether in the FCPA Inc. commentary or in day-to-day practice is looking at what might be called employee commitment to your company’s compliance regime. So here you may want to review your compliance policies regarding employee incentives for compliance. But just as you look at the carrots to achieve compliance with your program, you should also look at the stick, in the form of disciplinary procedures for violations. This means you should see if there have been any disciplinary actions for employee compliance violations and then determine if such discipline has been applied uniformly. If you discipline top sales people in Brazil, you have to discipline your top sales folks in the US for the same or similar violations.

This list is not intended to be a complete list of items, you can pick and choose to form some type of Desktop Risk Assessment but hopefully you can see some of the things areas you can assess. In his article on Ms. Woods, Bryant quoted her for the following key trait she observed from successful leaders, “They were able to identify and focus on core things. When you go into an agency or a company, there are a million things you could fix. But you can’t fix everything, so you make a decision about your priorities, and then you act on them.” A Desktop Risk Assessment may well help you to do so.

If you aim to perform an annual Desktop Risk Assessment with a full worldwide risk assessment every two years or so, you should be in a good position to keep abreast of compliance issues that may change and need more or greater risk management. And do not forget the that the FCPA Guidance ends its section on risk with, “When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.” Finally, if you never have tried sushi, I urge you to do so as it not only tastes good but its good for you as well.

==============================================================================================================================================================================================================================================

On Tuesday, August 26th I will be co-presenting with Marie Patterson VP Marketing for Hiperos on a webinar focusing on GSK in China-One Year Later. I will review the continued saga of the GSK corruption investigation in China, the Humphreys’ and Wu convictions and what it means for your compliance program going forward. The event is free and begins at 1 PM EDT. I hope that you can join us. For details and Registration, click here.

==============================================================================================================================================================================================================================================

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 21, 2014

What Can You Do When Risk Changes in a Third Party Relationship?

RiskThe GlaxoSmithKline PLC (GSK) corruption matter in China continues to reverberate throughout the international business community, inside and outside China. The more I think about the related trial of Peter Humphrey and his wife, Yu Yingzeng for violating China’s privacy laws regarding their investigation of who filmed the head of GSK’s China unit head in flagrante delicto with his Chinese girlfriend, the more I ponder the issue of risk in the management of third parties under the Foreign Corrupt Practices Act (FCPA). In an article in the Wall Street Journal (WSJ), entitled “Chinese Case Lays Business Tripwires”, reporters James T. Areddy and Laurie Burkitt explored some of the problems brought about by the investigators convictions.

They quoted Manuel Maisog, chief China representative for the law firm Hunton & Williams LLP, who summed up the problem regarding background due diligence investigations as “How can I do that in China?” Maisog went on to say, “The verdict created new uncertainties for doing business in China since the case hinged on the couple’s admissions that they purchased personal information about Chinese citizens on behalf of clients. Companies in China may need to adjust how they assess future merger partners, supplier proposals or whether employees are involved in bribery.”

I had pondered what that meant for a company that wanted to do business in China, through some type of third party relationship, from a sales representative to distributor to a joint venture (JV). What if you cannot get such information? How can you still have a best practices compliance program around third parties representatives if you cannot get information such as ultimate beneficial ownership? At a recent SCCE event, I put that question to a Department of Justice (DOJ) representative. Paraphrasing his response, he said that companies still need to ask the question in a due diligence questionnaire or other format. What if a third party refuses to answer, citing some national law against disclosure? His response was that a company needs to very closely weigh the risk of doing business with a party that refuses to identify its ownership.

The more that I thought about that answer the more I became convinced that it was not only the right answer under any type of FCPA compliance program but also the right response from a business perspective. A company must know who it is doing business with, for a wide variety of reasons. The current situation in China and even the convictions of Humphrey and Yu do not change this basic premise. You can ask the question. If a party does not want to disclose its ownership, you should consider this in any business relationship going forward.

The Humphrey and Yu conviction do not prevent you from asking the question about ownership. Their convictions mean that you may not be able to verify that information through what many people thought was publicly available information, at least publicly available in the west. I was struck by one line in the Areddy and Burkitt article, “It’s not just that the tactical business practices need to change; it’s the mind set” quoting again from Maisog.

I breakdown the management of third parties under the FCPA into five steps, which are:

  1. Business Justification and Business Sponsor;
  2. Questionnaire to Third Party;
  3. Due Diligence on Third Party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

The due diligence step is but one of these five. Further due diligence is performed in large part to verify the information that you receive back from a proposed third party. So what if you can longer use avenues previously open to you in markets such as China? Perhaps there are other ways to manage this issue. Areddy and Burkitt also interviewed Jerry Ling, a partner at Jones Day, for the following “companies will need to analyze Chinese accounting documents themselves and conduct more in-person interviews with anyone they want to know more about in China.”

Ling’s point dovetails directly into what I heard from the DOJ representative. There is nothing about the Chinese law, or any other country’s law, which prevents you from asking some basic questions that are found in the Step 2 Questionnaire cited above. You can always ask who the owners of a company are, whether they are direct or beneficial. You can always ask if a company, its owners or its senior management have been involved in any incidents involving bribery and corruption and you can always ask if the company has a Code of Conduct and/or compliance program and whether its owners or senior management are aware of the FCPA and have had training on it.

Assuming the company will answer your questionnaire, the difficulty you may find yourself in now is verifying the information that you receive. In Ronald Reagan parlance, you may trust but you may not be able to verify it. Ling said in the WSJ article that “The challenge now for clients is that it’s hard to get good information.”

However, due diligence is but one step in the management of any third party in a FCPA compliance program. Just as when risk goes up and you increase your management around that risk, the situation is similar in here. Putting it another way, if you cannot obtain private information such as personal identification numbers during the due diligence process, you can put greater management around the other steps that you can take. Further, there has been nothing reported which would suggest that publicly filed corporate licenses or other information that might show ownership can no longer be accessed. Court records and public media searches also seem to still be available.

But what if you simply cannot determine if the information you are provided regarding ownership is accurate or even truthful? You can still work to manage the relationship through your commercial terms by setting your commission or other pay rates at a reasonable amount of scale. If you are dealing with a commissioned sales representative, you can probably manage this area of the relationship by setting the commission in the range of 5%. You can also manage the relationship by reviewing invoices to make sure there is an adequate description of the services provided so that they justify whatever compensation the third party is entitled to receive under the contract. You may also want to schedule such a third party for an audit ahead of other parties to help ensure adherence to your compliance terms and conditions.

There may be times when you cannot verify the true or ultimate beneficial owner of a third party. That does not have to be the end of the analysis. If that situation arises, you may want to see if there are other risk mitigation tools at your disposal. Put another way, if such a red flag arises, can it be cleared? Can it be managed? If your company is looking a major deal for multi-millions and your agent will receive a six or seven figure commission, the risk of not knowing with certainty may be too great because in such a case, an unknown owner could be a government official who has awarded the contract. But if your agent receives a considerably smaller commission and hence there is a considerably small amount of money to constitute a bribe, you may be able to manage that risk through a close and effective relationship management process.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 20, 2014

Voyager II Launches and The FCPA Professor’s New Book

The Foreign Corrupt Practices Act In A New EraMany readers of this blog will recall that the Foreign Corrupt Practices Act (FCPA) is 37 years old this year. Perhaps less might remember that also 37 years ago, NASA launched Voyager II, which was an unmanned spacecraft. It was the first of two such crafts to be launched that year on a “Grand Tour” of the outer planets, organized to coincide with a rare alignment of Jupiter, Saturn, Uranus and Neptune. Aboard Voyager II was a 12-inch copper phonograph record called “Sounds of Earth.” Intended as a kind of introductory time capsule, the record included greetings in 60 languages and scientific information about Earth and the human race, along with classical, jazz and rock ‘n’ roll music, nature sounds like thunder and surf, and recorded messages from then President Jimmy Carter and other world leaders. Being good engineers, NASA conveniently included instructions on how to play the record, with a cartridge and needle provided.

In light of the age of the FCPA and our celebration of reaching for the stars, today I wanted to celebrate a volume from one of the FCPA’s most prolific commentators, Mike Koehler, the FCPA Professor. The author of numerous legal and scholarly articles and his eponymous daily blog, The FCPA Professor, he joined the thin ranks of those authors with hard bound volumes concerning the FCPA with his edition, The Foreign Corrupt Practices Act In A New Era.

As you would expect from the FCPA Professor he has lengthy sections on the genesis of the FCPA and its legislative history; general legal principals as they relate to FCPA enforcement and interpretation as well as the specifics of the text of the FCPA itself; and a review of enforcement actions. He also gives his insights as to why there was such an explosion of FCPA enforcements, beginning in 2004 and continuing right up until the present. He provides some pointers on FCPA compliance programs and ends the book with a discussion of FCPA reform. Of course, as you would expect from the FCPA Professor, the entire work is chocked full of quotations, citations and endnotes.

I would like to highlight some of my favorite discussions in the book. In Chapter 5 entitled FCPA Enforcement, he identifies “Three Buckets” of FCPA financial exposure. They are “(i) pre-enforcement actions professional fees and expenses; (ii) fine, penalty and disgorgement amounts in an actual FCPA enforcement action; and (iii) post-enforcement action professional fees and expenses.” With this tripartite description he lays out what a company might reasonably expect if it finds itself embroiled in an FCPA investigation and enforcement action. The message I got from this Chapter was that you had better have a strong compliance program in place because it is going to be a long hard and costly slog going forward if you don’t.

In Chapter 6, entitled Reasons for the increase in FCPA enforcement, The Professor sets out his thoughts on why there has been such an explosion of growth in FCPA enforcement. While both the use of Non-Prosecution Agreements (NPAs) and Deferred Prosecution Agreements (DPAs) are noted along with the passage and implementation of Sarbanes-Oxley (SOX); there are other reasons cited in the section entitled (appropriately enough) ‘Provocative Reasons’. These include that FCPA enforcement is “lucrative for the US government”; “the emergence and rapid rise of a lucrative industry called FCPA Inc.” (full disclosure – I am a card carrying member of FCPA Inc.); and the revolving door of lawyers who go into government service, enforce the FCPA and then leave government service to defend clients under government scrutiny for FCPA issue.

As the ‘Nuts and Bolts’ guy, I was very interested in Chapter 8, entitled FCPA Compliance and best practice. Fortunately he left some room for folks like me to go into the weeds of a compliance program but he did state, “While FCPA risk cannot be eliminated, it can be effectively managed and minimized when doing business in the global marketplace, and one positive result of the increase in FCPA enforcement in this new era has been the related increase in ‘soft’ enforcement of the FCPA through compliance policies and procedures.” He went on to define ‘soft enforcement’ as “a law’s ability to facilitate self-policing and compliance to a greater degree than can be accomplished through ‘hard’ enforcement alone. This was music to my ears. He also gave some practical approaches to implementing or enhancing your compliance program that I found to be quite useful for the compliance practitioner.

The Professor ends his book with a renewed call for FCPA reform. While he recognizes that, post Walmart, the impetus in Washington for amending the FCPA has all but died out; he does lay out all his reasons for the creation of a compliance defense amendment to the FCPA. Another cornerstone of his call for reform is to abolish NPAs and DPAs from the Department of Justice’s (DOJs) prosecutorial arsenal. Both of these issues bear serious weight and scrutiny and the FCPA Professor lays out his thoughts on each. Whatever your position on these issues is, you need to read up on what the Professor has to say to fully form your own internal debate.

As I have often remarked about the FCPA Professor, you may disagree with him but your FCPA knowledge and experience will be enriched by reading anything he puts out there for the rest of us to consume. However, after the publication of this book, I will have to add that it should become one of the standard texts for any FCPA compliance practitioner, law student studying the FCPA or anyone else interested in anti-bribery and anti-corruption. It should be on your FCPA library bookshelf. It certainly now sits proudly on mine.

You can purchase a copy of The Foreign Corrupt Practices Act In A New Era by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 18, 2014

How Can Global Corporations Afford (or Afford Not) To Employ Professional Language Solution Providers

Jay RosenEd Note-I recently asked Jay Rosen, Vice President, Language Solutions at Merrill Brink International, if he could help me understand how to think through the the hiring of a language service provider. He graciously wrote the following post.

It seems like a daily occurrence that news organizations and blogs (this one included) report that global corporation XYZ, Inc. has run afoul of FCPA statutes somewhere in the world. The next few paragraphs will recount the jurisdiction where the alleged infraction has occurred and if known at this juncture, the details of the bribery scheme. At this point, if you are well read on this subject, the rest of the article plays out by rote.

Let’s hit the pause button and rewind this story to the beginning. How did XYZ, Inc. get into this position and what steps could have been taken to better communicate the Company’s ethics and compliance policies and procedures to its global employee base? While this would certainly not prevent a rogue employee(s) from committing these alleged infractions, professionally translated and localized ethics and compliance communications provide a proactive solution to insulate global companies from similar situations.

The question of whether or not to engage a professional Language Solutions Provider (LSP), read translation company, usually is driven by the following factors:

  • Cost/Quality
  • Confidentially
  • Change
  1. If I can afford an LSP, how do I choose among the ones out there for quality?

The first thing to cover here is how are translations priced?

Translations are completed on an outsourced basis by professionally educated, qualified, and selected linguistic resources. It is important to note that the industry standard is to bill on a per word basis (e.g. X number of words at Y cents per word). This pricing model will become glaringly apparent when Corporations look at alternative methods to translate documents in-house with an eye to saving money.

Proposed Internal Translation Solutions

Here are several ideas that are usually considered in lieu of engaging professional translation resources:

  • Becky down the hall speaks French
  • We can use someone in our Paris Office
  • The Forensic accountant working with us in Beijing

On first blush the three suggestions above all seem like good ideas that will potentially save money and lead to quality results. Unfortunately these three courses of action fall short by:

  • Not providing the necessary quality ensured by professional translation resources
  • End up costing the client both opportunity costs and greater total translation costs and
  • Do nothing to mitigate the risk of not having an independent outsourced LSP translating (and certifying) your documents (if necessary).

Becky down the hall speaks French

Although Becky does speak French, she has other duties in the organization that must be put aside for her to work on translating documents. Should this project take 3 – 4 hours and if Becky has a bill rate of $400/hour, this solution ends up wasting precious time and costing the end client ~ $1,600 instead of the a few hundred dollars to professionally produce an accurate translation.

We can use someone in our Paris office

As in the example above, this option also creates lost opportunity cost and further taxes billable resources in another time zone. This would require the company to utilize internal resources and having to deal with colleagues not under their direct local control and working in various global markets.

The forensic accountant working with us in Beijing

In this case, we have someone working far out of their core expertise and comfort zone – forensics – and having to wear the hat of a professional translator. Price also comes into play as these forensic resources start billing around $250/hour and could be higher.

Bottom line, what initially appears to be a viable and cost effective solution, ends up sacrificing quality, escalating costs and potentially increasing risk by internally generating substandard translations.

  1. If I use an LSP, how do I ensure confidentiality of the information contained in my documents? 

Confidentiality, especially in the FCPA arena, is a valid concern and must be considered when engaging a qualified LSP. Professional LSPs will require their linguists to sign a Confidentiality or Non-Disclosure Agreement. This agreement will be on file with the LSP and a copy of the agreement can easily be shared.

In terms of global data privacy restrictions, it is good to discuss this in advance with the LSP and depending on what jurisdiction your matter is based in, evaluate the LSP’s experience and comfort level in handling data privacy concerns.

In terms of looking at the individual linguists, a professional LSP will hire translators with the following credentials:

  • Minimum 4 year college degree
  • Subject Matter Expertise (SME)
  • Additional testing by the LSP

These three areas serve to validate the choice of an independent LSP as the translators employed will meet the minimum of a 4 year degree and quite often will have post-graduate or professional degrees such as JD’s or PhD’s. Furthermore, LSPs can provide Subject Matter Experts (SMEs) with specific sector knowledge such as IP/patents, cross-border litigation or FCPA, ethics and compliance experience. Finally the additional testing required by LSPs ensures that clients are receiving top-notch and best of breed translation solutions.

  1. How do I risk disrupting the status quo to change my current translation/localization workflow?

So far we have covered two out of three issues to consider in the choice of whether or not to engage an outsourced LSP.

  • Cost/Quality
  • Confidentiality

And finally we will look at another “C” – Change. While this may not initially be perceived as an important factor, this often affects whether an organization decides to employ an outsourced LSP. From a global perspective it is imperative that a Code of Business Conduct and a Company’s policies and procedures are accurately translated from the English source document to the multiple localized versions for global employees.

If in the past this decision has been left to local in-country resources, it may have unintentionally altered or subverted the meaning of the source English language policies and could have potentially created confusion as to the meaning and global reach of a Company’s business policies.

Additional pushback may emanate from current in-country LSPs who have provided these services in the past.   While it makes sense to encourage local buy-in to your Company’s policies and procedures, this can be ensured by asking local ethics and compliance leaders to participate in the translation review process.

By carefully considering cost/quality, confidentiality and change, a global organization can properly assess the impact that hiring a qualified LSP will have on their risk exposure and better position such organizations to quickly react to a changing global investigative and regulatory environment.

Jay Rosen (jay.rosen@merrillcorp.com) is a Vice President, Language Solutions at Merrill Brink International, based in Los Angeles. For further information, please see his article on Translation considerations for global internal investigations, ethics and compliance matters.

August 15, 2014

Lauren Bacall Whistling or How to Structure Customer Due Diligence

BacallYesterday we honored Robin Williams whom we lost earlier this week. Today we honor Lauren Bacall. She will always be a part of that great team of Bogey and Bacall. Most of us were introduced to her in the movie To Have and Have Not. I thought she was one of the most sultry and sexy icons of the 40s screen sirens. As Manohla Dargis wrote in her article for the New York Times (NYT) entitled, “That Voice and the Woman Attached,” that “When she opened her mouth in “To Have and Have Not” — taking a long drag on a cigarette while locking Humphrey Bogart in her gaze — she staked a claim on the screen and made an immortal Hollywood debut. But in 1944 at the exquisitely tender age of 19, she was also projecting an indelible screen persona: that of the tough, quick-witted American woman who could fight the good fight alongside her man.” She later married Bogart and together they were certainly Hollywood, if not American royalty, going forward. And she probably did more for the art of whistling than any person on Earth.

Yesterday I wrote about the Foreign Corrupt Practices Act (FCPA) investigation into certain transactions in Venezuela by Derwick Associates (Derwick) and a US company ProEnergy Services (ProEnergy). ProEnergy supplied turbines that Derwick resold to the Venezuelan government and then installed in that country. I wondered if US companies now need to become more concerned with not only who they do business with but how their customers might be doing business. In the parlance, you may now need to ramp up your ‘Know Your Customer’ information to continue throughout a seller-purchaser relationship.

Doug Cornelius, in a post on his Compliance Building blog, entitled “Proposed Regulations on Customer Due Diligence”, discussed “The U.S. Treasury Department’s Financial Crimes Enforcement Network has proposed revisions to its customer due diligence rules. Of course, the proposed rule would affect financial institutions that are currently subject to FinCEN’s customer identification program requirement: banks, brokers-dealers, and mutual funds.” While, investment advisers and private fund managers are not specifically mentioned in the proposed new regulation, Cornelius noted, “FinCEN suggested that it may be considering expanding these customer due diligence requirements to other types of financial institutions.” In other words, this new proposed regulation would not be directly applicable to a large number of US commercial enterprises doing business outside the United States.

However, the proposed regulation did provide some insight into how US companies, not otherwise subject to it, might think about ways to approach such an inquiry. Referencing an inquiry into anti-money laundering issues (AML) Cornelius wrote that AML programs should have four elements:

  1. Identify and verify the identity of customers;
  2. Identify and verify the identity of beneficial owners of legal entity customers;
  3. Understand the nature and purpose of customer relationships; and
  4. Conduct ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions.

Clearly any FCPA based due diligence would focus on point 2. Cornelius zeroed in on it when he wrote “The definition of “beneficial owner” is proposed as have two prongs”:

  • Ownership Prong: each individual who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25% or more of the equity interests of a legal entity customer, and
  • Control Prong: An individual with significant responsibility to control, manage, or direct a legal entity customer, including an executive officer or senior manager (g., a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, or Treasurer); or (ii) any other individual who regularly performs similar functions.

He also noted, “For identifying ownership of an entity, FinCEN has proposed a form of certification.” But he found such a “certification to be overly simplistic. It only asks for individuals with ownership in the entity. This would clearly miss ownership of the account holder by other entities who could be “bad guys.” The certification also only requires one senior officer.  That makes it too easy to appoint a straw man as executive officer to hide the underlying control by a “bad guy.”” But the FinCen proposed notice itself states “these existing core requirements are already laid out in the BSA [Bank Secrecy Act] as minimum requirements”.

I was equally interested in points 3 and 4. Under point 3, an entity subject to the regulation needs to “Understand the nature and purpose of customer relationships”. The proposed regulation further explained “to gain an understanding of a customer in order to assess the risk associated with that customer to help inform when the customer’s activity might be considered “suspicious.”” Such an inquiry could help a business to “understand the relationship for purposes of identifying transactions in which the customer would not normally be expected to engage. Identifying such transactions is a critical and necessary aspect of complying with the existing requirement to report suspicious activity and maintain an effective AML (or anti-corruption compliance) program.”

The final point 4 relates to ongoing monitoring. Once again consider the position of the US Company, ProEnergy, in the referenced FCPA investigation. What can or should it have done in the way of ongoing monitoring of its customer. The proposed regulation states “industry practice generally involves using activity data to inform what types of transactions might be considered “normal” or “suspicious.”

Furthermore, FinCEN understands that information that might result from monitoring could be relevant to the assessment of risk posed by a particular customer. The proposed requirement to update a customer’s profile as a result of ongoing monitoring (including obtaining beneficial ownership information for existing customers on a risk basis), is different and distinct from a categorical requirement to update or refresh the information received from the customer at the outset of the account relationship at prescribed periods”. Lastly the proposed regulation states, “Finally, as noted above with respect to the obligation to understand the nature and purpose of customer relationships, monitoring is also a necessary element of detecting and reporting suspicious activities”.

There does not have to be a direct bribe or other corrupt payment made by a US company to have liability under the FCPA. FCPA enforcement is littered with companies that have paid bribes through third parties. However, as the Fifth Circuit said in Kay v. US, “[W]e hold that Congress intended for the FCPA to apply broadly to payments intended to assist the payor, either directly or indirectly,” [emphasis mine]. ProEnergy would seem to be at the far edge of potential FCPA liability but if it knew, had reason to know, or even perhaps should have known about some nefarious conduct by its customer, it does not take too many steps to get to some FCPA exposure. The proposed FinCEN rules on customer due diligence for financial institutions might be a good starting point for other commercial entities to consider.

If all of the above is a bit too heavy for a Friday, well view this clip on how to whistle by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 14, 2014

Na-Nu Na-Nu – Final Report to Ork From Mork – Information from FCPA Inquiries

Mork from OrkEd. Note: Na-Nu Na-Nu. We interrupt our daily blog post to provide this final report to the Planet Ork. Na-Nu Na-Nu 

To say that the American culture lost two prime cultural champions this week would be an understatement. The effect that Robin Williams and Lauren Bacall had on a variety of areas in this country probably cannot be measured. Over the next two blogs I will honor each of these larger than life personas and try to examine how they may impact your Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption program. Today Robin Williams; tomorrow Lauren Bacall.

Where does one begin or even end with Robin Williams? His early work in standup comedy; his sitcom television performances; to his many guest appearances on TV variety shows; his incredible movie career – both live and animated; or even his well-known and very public struggles with substance abuse and depression. He was one incredible body of work. For almost any American who grew up in the 70s, we were introduced to Williams in the sitcom Mork and Mindy. His role as an alien allowed him to rift and comment on many human foibles. This was most thoroughly on display at the end of every episode when, in character as Mork, he would report back to his home planet of Ork on some aspect of terran culture. (Na-Nu Na-Nu)

This weekly communication informed both his home planet and us here on Planet Earth about ‘social norms’. I considered this form of communication when I read a recent article in the Wall Street Journal (WSJ), entitled “Venezuelan Firm Is Probed In U.S.”, by José De Córdoba and Christopher M. Matthews. They reported on a Venezuelan company, Derwick Associates (Derwick), who are under investigation by the Department of Justice (DOJ) and Manhattan District Attorney’s office. Derwick was reported to have been “awarded hundreds of millions of dollars in contracts in little more than a year to build power plants in Venezuela, shortly before the country’s power grid began to sputter in 2009”. Also under investigation is a Missouri based engineering, procurement and construction company, ProEnergy Services (ProEnergy), “that sold dozens of turbines to Derwick and helped build the plants”. The article reported that the DOJ’s “criminal fraud section are reviewing actions of Derwick and ProEnergy for possible violations of the Foreign Corrupt Practices Act”.

The article noted that this issue might have come to the attention of the DOJ and Manhattan DA through a lawyer at Derwick who voluntarily contacted federal prosecutors last year. Although it was not clear from the WSJ article if it was related to or even played a part in instigating the FCPA investigation, was information that Otto Reich, “the top State Department official for Latin America during the Administration of President George W. Bush, had filed a federal court lawsuit in 2013, alleging among other things that “Derwick and the company’s owners, among others, obtained contracts to build power stations in return for paying multimillion dollar bribes to senior Venezuelan officials.””

At least one of the basis of regulatory scrutiny was funding of a bribery scheme through overcharging for goods and services. The article reported “Federal prosecutors are scrutinizing the difference been prices ProEnergy charged Derwick for its equipment and the prices Derwick charged the Venezuelan government, a person familiar with the matter said. The person said that in some past FCPA cases, excessive margins were used to conceal bribes to pay foreign officials.”

Derwick, in a statement from its President Alejandro Betancourt, which was provided by its lawyer Adam Kaufmann, said, “Neither Derwick nor its principals have been contacted by any U.S. law enforcement agency.” Clearly this begs the question of whether the company has been contacted by any representatives of the US government who are not from a “law enforcement agency”. In a statement from ProEnergy, it declined to comment on any investigation.

Consider some of the information from this WSJ article. First is how did this case come to the attention of the DOJ? About all that can be said from the article is that Derwick did not self-disclose to the DOJ. However, given the relationship between the government of Venezuela and the US, is it really a surprise that large commercial transactions by US entities into Venezuela are scrutinized by the US government? Did the investigation come about from a whistleblower, i.e. the lawyer for Derwick? If yes, what is the legal obligation of lawyer to his or her client? What if the lawyer sees, observes or even inadvertently stumbles upon criminal activity? What if the lawyer removes documentation, which the lawyer believes demonstrates evidence of a crime?

I was also very intrigued by the information about investigators looking into pricing margins as indicia of corruption. One of the more increasing areas of FCPA scrutiny has been that of commission rates. This is because under circumstances, a high or unusual commission rate can be indicia of monies which are available by a third party, paid via commission, to use as a pot of money to pay bribes to foreign officials. If your typical commission is 5% or you have a range of 5% to 10%, but provide one third party a commission rate of 15%, this may be evidence that the unusual amount is being used as a mechanism to fund bribes.

However, simply focusing on the commission rate alone is too facile an inquiry. Even a commission rate below 5% can create quite an amount of money if the sales price is sufficiently high. In the energy industry, large service contracts or construction contracts can be huge, i.e. in excess of $1bn, and five percent of such an amount is a very large sum of money. It is, therefore, not unusual that in some contracts, the percentage commission will decrease with an increased contract price. The point is there is no one right or wrong commission rate. It will be a fact intensive inquiry.

Borrowing from a noted compliance practitioner, William Athanas, who has suggested an appropriate inquiry along the lines of the following: Where the third party requests a commission above the standard range, the policy should require a legitimate justification. Evaluating and endorsing such a justification requires three steps: (1) relevant information about the contemplated increased commission must be captured and memorialized; (2) requests for increased commissions should be evaluated in a streamlined fashion, with tiered levels of approval (higher commissions require higher ranking official approval); and (3) increased commissions are then tracked, along with the requests and authorizations, in order to facilitate auditing, testing and benchmarking. The point is there needs to be a well thought-out protocol, which is followed and well documented through the entire process.

Another insight that I gleaned from the WSJ article comes from the seller/customer relationship between Derwick and ProEnergy. ProEnergy is reported to have sold turbines to Derwick and have assisted in constructing the power plants. When your company sells a product to a customer, a compliance practitioner typically does not become involved in the negotiations over final pricing between your company’s customer and the end-user. ProEnergy may not have been concerned with the final pricing that Derwick charged their customer, the Venezuelan government. Indeed, the compliance function may not be involved with the commercial pricing between your company and its direct purchaser. This article may require you to change this posture. Was ProEnergy asked to reduce its price to Derwick so that Derwick could mark the price up enough to the Venezuelan government to create a pool of money that could be used to pay bribes? What if ProEnergy received its full listed price book rate but then Derwick charged a premium to the Venezuelan government?

Finally, what about risk? The WSJ article reported that Derwick’s President said “the company’s margins [with the Venezuelan government] were consistent with general industry practice and reflected the high financial risk taken on during a difficult time to do business in Venezuela.” If your company has a business opportunity that presents a high financial reward, is it necessarily because there is some high risk involved? That risk can be risk of getting paid, bringing the project in on time and within budget, political risk, weather-related risk or almost any other type of risk, but that risk might also be a corruption risk. While the WSJ article does not report on the size of the US Company involved in the inquiry, ProEnergy, it would seem that its commercial relationship with Derwick generated a large amount of income for the company. If your company has one of its largest contracts for work overseas, should there be compliance function review and scrutiny of the risks involved?

Are these inquiries that a compliance practitioner now needs to make? If so, how does a Chief Compliance Officer (CCO) make such an inquiries? I think Donna Boehme would say that it all begins with the compliance function ‘having a seat at the senior management table’ so that the CCO or compliance practitioner can be aware when some unusual business opportunity arises. Questions, questions, and more questions.

Na-Nu Na-Nu – this is the final report to Ork from Planet Earth. Na-Nu Na-Nu 

For a viewing of one of Mork’s reports to his home planet Ork, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 13, 2014

Thinking Through Risk Rankings of Third Parties

7K0A0014-2One question often posed to me is how to think through some of the relationships a company has with its various third parties in order to reasonably risk rank them. Initially I would break this down into sales and supply chain to begin any such analysis. Anecdotally, it is said that over 95% of all Foreign Corrupt Practices Act (FCPA) enforcement actions involve third parties so this is one area where companies need to put some thoughtful consideration. However, the key is that if you employ a “check-the-box” approach it may not only be inefficient but more importantly, ineffective. The reason for this is because each compliance program should be tailored to an organization’s specific needs, risks and challenges. The information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company, generally, to prevent violations, detect those that do occur, and remediate them promptly and appropriately.

Sales Side

I tend to view things in a straightforward manner when it comes to representatives on the sales side of your business. I believe that third party representatives you might have, whatever you might call them, i.e. sales reps, sales agents, sales agents, commissioned sales agents, or anything else, are high risk and therefore they should receive your highest level of scrutiny. This is also true with any party that might be called, charitably or not, ‘a partner’ whether that is a joint venture (JV) partner, plain old partner, Teaming Partner or another monickered ‘partner’. However, under this approach you should also consider the perception of corruption in the geographic area that you will use the third party. I recognize that you can overlay a financial threshold but the reality is that if a sales representative generates such a small amount of money for your business you probably do not need them as representative.

At least with distributors, I have seen merit in more sophisticated approaches such as that set out by David Simon, a partner at Foley & Lardner LLP, who advocates a risk analysis should more appropriately based on the nature of a company’s relationships with their distributors. The goal should be to determine which distributors are the most likely to qualify as agents; for whose acts the company would likely to be held responsible.  He argues that it is a continuum of risk; that is, on the low-risk end are distributors that are really nothing more than re-sellers with little actual affiliation with the supplier company. On the high-risk end are distributors who are very closely tied to the supplier company, who effectively represent the company in the market and end up looking more like a quasi-subsidiary than a customer.

Simon looks at agency principles to guide his analysis of whether a distributor qualifies as an agent for FCPA purposes. He argues that factors to consider include:

  • The volume of sales made to the distributor;
  • The percentage of total sales of the distributor’s total business the principal’s product represents;
  • Whether the distributor represents the principal in the market, including whether it can (and does) use the company trademarks and logos in its business; and

Whether the principal company is involved in the running of the distributor’s business (such as by training the distributor’s sales agents, imposing performance goals and objectives, or providing reimbursement for sales activity).

Once a company segregates out the high-risk distributors that likely qualify as agents and potentially subject the company to FCPA liability from those that are mere re-sellers and pose less FCPA risk, FCPA compliance procedures can be tailored appropriately. For those distributors that qualify as “agents” and also pose FCPA risk, full FCPA due diligence, certifications, training and contract language are imperative. For those that do not, more limited compliance measures that reflect the risk-adjusted potential liability are perfectly appropriate.

Supply Chain

This determination of the level of due diligence and categorization of a supplier should depend on a variety of factors, including, but not limited to, whether the supplier is (1) located, or will operate, in a high risk country; (2) associated with, or recommended or required by, a government official or his or her representative; (3) currently under investigation, the subject of criminal charges, or was recently convicted of criminal violations, including any form of corruption; (4) a multinational publicly traded corporation with a recognized exemplary system of compliance and internal controls, that has not been recently investigated or convicted of any corruption offense or that has taken appropriate corrective action to remedy such conduct; or (5) a provider of widely available services and products that are not industry specific, are offered to the public at large and do not fall under the definition of Minimal-Risk Supplier detailed below.

A High-Risk Supplier is an individual or an entity that is engaged to provide non-project specific goods or services to a company. It presents a higher level of compliance risk because of the presence of one or more of the following factors: (a) It is based or operates in a country (including the supply of goods or services to a company) that poses a high risk for corruption, money laundering, or commercial bribery; (b) It supplies goods or services to a company from a high-risk country; (c) It has a reputation in the business community for questionable business practices or ethics; or (d) It has been convicted of, or is alleged to have been involved in, illegal conduct and has failed to undertake effective remedial actions. Finally, it presents one or more of the following factors,: (1) It is located in a country that has inadequate regulatory oversight of its activities; (2) it is in an unregulated business; (3) its ultimate or beneficial ownership is difficult to determine; (4) the company has an annual spend of more than $100,000 with the supplier; (5) it was established or registered in a jurisdiction where ownership is not transparent or that permits ownership in the form of bearer shares; (6) it is registered or conducts business in a jurisdiction that does not have anti-corruption, anti-money laundering and anti-terrorism laws comparable to those of the United States and the United Kingdom; or (7) it lacks a discernable and substantial business history.

A Low-Risk Supplier is an individual or a non-publicly held entity that conducts business such as a sole proprietorship, partnership or privately held corporation, located in a Low-Risk Country. Some indicia include that it (1) supplies goods, equipment or services directly to a company in a Low-Risk Country; (2) a company has an annual spend of less than $100,000 with the supplier; and (3) the supplier has no involvement with any foreign government, government entity, or Government Official. However, if the supplier has other indicia of lower risk such that it is a publicly-held company, it may be considered a Low-Risk Supplier because it is subject to the highest disclosure and auditing and reporting standards such as those under the US Securities Exchange Act of 1934, including those publicly traded on a reputable and highly regulated stock exchange, such as the New York or London exchanges, and are, therefore, subject to oversight by highly regarded regulatory agencies.

Below the high and low risk categories I would add the category of ‘Minimal-Risk Suppliers’ who generally provide to a company goods and services that are non-specific to a particular project and the value of the transaction is $25,000 or less. Some examples might be for the routine purchase of fungible items and services, including, among others: Office supplies, such as paper, furniture, computers, copiers, and printers; Industrial or factory supplies, including cleaning materials, solvents, safety clothing and off-the-shelf equipment and parts; Crating and other standard materials for packing products for shipping; Leasing and rental of company cars and other equipment; and Airline or other travel tickets or services. This category would also include those third parties that provide widely available services and products that are not industry specific, are offered to the public at large. Here you might think of periodicals, florists, daily limousine and taxi, airline and food delivery (including coffee shops, pizza parlors and take out) services.

Last, but certainly not least, is the category of Government Service Providers, which includes entities that generally come into a company through the supply chain, who interact with a foreign government on behalf of your company. Examples might be customs brokers, providers who obtain and process business permits, licenses, visas, work permits and necessary clearances or waivers from government agencies; perform lobbying services; obtain regulatory approvals; negotiate with government agencies regarding the payment of taxes, tax claims, and tax audits. These third parties present some of your highest risks so they need to have not only the highest level of scrutiny but post contract-signing management as well.

The risk ranking of third parties is one of the areas that seems to continue to cause confusion, if not outright bewilderment. The manner in which the articulated risk rankings presented herein is not to be the ‘be-all and end-all’. As the FCPA Guidance reminds us, “An effective compliance program promotes “an orga­nizational culture that encourages ethical conduct and a commitment to compliance with the law.”…A well-constructed, thought­fully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations.” If you think through your risk rankings and can articulate a reasonable basis for doing so followed by documentation, I think your own risk ranking system will survive regulatory scrutiny.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 12, 2014

Does Your Company Still Allow Facilitation Payments?

IMG_3289One of the more confusing areas of the US Foreign Corrupt Practices Act (FCPA) is in that of facilitation payments. Facilitation payments are small bribes but make no mistake about it, they are bribes. For that reason many companies feel they are inconsistent with a company culture of doing business ethically and in compliance with laws prohibiting corruption and bribery. Further, the FCPA Guidance specifies, “while the payment may qualify as an exception to the FCPA’s anti-bribery provisions, it may violate other laws, both in Foreign Country and elsewhere. In addition, if the payment is not accurately recorded, it could violate the FCPA’s books and records provision.” Finally, further the FCPA Guidance states, “Whether a payment falls within the exception is not dependent on the size of the payment, though size can be telling, as a large payment is more suggestive of corrupt intent to influence a non-routine governmental action. But, like the FCPA’s anti-bribery provisions more generally, the facilitating payments exception focuses on the purpose of the payment rather than its value.” [emphasis in original text]

In recent remarks, Thomas C. Baxter, Executive Vice President and General Counsel at the Federal Reserve Bank of New York indicated a general unease with facilitation payments. Baxter was quoted in the FCPA Blog for the following, “Baxter said an organizational policy that allows some types of official corruption — including facilitating payments – “diminishes the efficacy of compliance rules that are directed toward stopping official corruption.”” Further, “While I understand that the exception is grounded in a practical reality, I feel that zero tolerance for official corruption would have been a better choice. To any public servant with an extended hand, I would say in a loud and clear voice, “pull it back and do your job.” And, let me note the OECD Working Group on Bribery recommends that all countries encourage companies to prohibit or discourage facilitating payments.”

In addition to these clear statements about whether the FCPA should continue to allow said bribes; you should also consider the administrative nightmare for any international company. The UK Bribery Act does not have any such exception, exemption or defense along the lines of the FCPA facilitation payment exception. This means that even if your company allows facilitation payments, it must exempt out every UK Company or subsidiary from the policy. Further, if your company employs any UK citizens, they are subject to the UK Bribery Act no matter who they work for and where they may work in the world so they must also be exempted. Finally, if your US Company does business with a UK or other company subject to the UK Bribery Act, you may be prevented contractually from making facilitation payments while working under that customer’s contract. As I said, an administrative nightmare.

  1. The Statute

When the FCPA was initially passed in 1977, the facilitating payment exception was found under the definition of foreign official. However, with the 1988 Amendments, a more explicit exception was written into the statute making it clear that the anti-bribery provisions “shall not apply to any facilitating or expediting payment to a foreign official, political party, or party official the purpose of which is to expedite or to secure the performance of a routine governmental action . . .” The statute itself provided a list of examples of facilitation payments in the definition of routine governmental actions. It included the following:

  • Obtaining permits, licenses, or other official documents;
  • Processing governmental papers such as visas and work orders;
  • Providing police protection, mail services, scheduling inspections;
  • Providing utilities, cargo handling; or
  • Actions of a similar nature.

It is important to note that the language of the FCPA makes it clear that a facilitation payment is not an affirmative defense but an exception to the general FCPA proscription against bribery and corruption. Unfortunately for the FCPA Practitioner there is no dollar limit articulated in the FCPA regarding facilitation payments. Even this limited exception has come under increasing criticism. As far back as 2009, the OECD studied the issue and recommended that member countries encourage their corporations to not allow the making of facilitating payments, “in view of the corrosive effect of small facilitation payments, particularly on sustainable economic development and the rule of law.”

Interestingly, one of the clearest statements about facilitation payments comes not from a FCPA case about facilitation payments but the case of Kay v. US, 359 F.3d 738, 750-51 (5th Cir. 2004). This case dealt with whether payment of bribes to obtain a favorable tax ruling was prohibited under the FCPA. In its opinion the Fifth Circuit commented on the limited nature of the facilitating payments exception when it said:

A brief review of the types of routine governmental actions enumerated by Congress shows how limited Congress wanted to make the grease exceptions. Routine governmental action, for instance, includes “obtaining permits, licenses, or other official documents to qualify a person to do business in a foreign country,” and “scheduling inspections associated with contract performance or inspections related to transit of goods across country.” Therefore, routine governmental action does not include the issuance of every official document or every inspection, but only (1) documentation that qualifies a party to do business and (2) scheduling an inspection—very narrow categories of largely non-discretionary, ministerial activities performed by mid- or low-level foreign functionaries.

2. Enforcement Actions

Con-way

The FCPA landscape is littered with companies who sustained FCPA violations due to payments which did not fall into the facilitation payment exception. In 2008, Con-way Inc., a global freight forwarder, paid a $300,000 penalty for making hundreds of relatively small payments to Customs Officials in the Philippines. The value of the payments Con-way was fined for making totaled $244,000 and were made to induce the officials to violate customs regulations, settle customs disputes, and reduce or not enforce otherwise legitimate fines for administrative violations.

Helmerich and Payne

In 2009, Helmerich and Payne, Inc., paid a penalty and disgorgement fee of $1.3 million for payments which were made to secure customs clearances in Argentina and Venezuela. The payments ranged from $2,000 to $5,000 but were not properly recorded and were made to import/export goods that were not within the respective country’s regulations; to import goods that could not lawfully be imported; and to evade higher duties and taxes on the goods.

Panalpina

Finally, there is the Panalpina enforcement action. As reported in the FCPA Blog, this matter was partly resolved last year with the payment by Panalpina and six of its customers of over $257 million in fines and penalties. Panalpina, acting as freight forwarder for its customers, made payments to circumvent import laws, reduce customs duties and tax assessments and to obtain preferential treatment for importing certain equipment into various countries but primarily in West Africa.

DynCorp

Then there is the DynCorp International investigation matter. As reported in various sources the matter relates to approx. $300,000 in payments made by subcontractors who wished to speed up their visa processing and expedite receipt of certain licenses on behalf of DynCorp. This investigation has been going on for several years and there is no anticipated conclusion date at this time.

3.      Some Guidance

So what does the Department of Justice (DOJ) look at when it reviews a company’s FCPA compliance program with regards to facilitation payments? Initially, if there is a pattern of such small payments, it would raise a Red Flag and cause additional investigations, but this would not be the end of the inquiry. There are several other factors which the DOJ could look towards in making a final determination on this issue. The line of inquiry the DOJ would take is as follows:

  1. Size of payment – Is there an outer limit? No, there is no outer limit but there is some line where the perception shifts. If a facilitating payment is over $100 you are arguing from a point of weakness. The presumption of good faith is against you. You might be able to persuade the government at an amount under $100. But anything over this amount and the government may well make further inquiries. So, for instance, the DOJ might say that all facilitation payments should be accumulated together and this would be a pattern and practice of bribery.
  2. What is a routine governmental action? Are we entitled to this action, have we met all of our actions or are we asking the government official to look the other way on some requirement? Are we asking the government official to give us a break? The key question here is whether you are entitled to the action otherwise.
  3. Does the seniority of the governmental official matter? This is significant because it changes the presumption of whether something is truly discretionary. The higher the level of the governmental official involved, the greater chance his decision is discretionary.
  4. Does the action have to be non-discretionary? Yes, because if it is discretionary, then a payment made will appear to be obtaining some advantage that is not available to others.
  5. What approvals should be required? A facilitation payment is something that must be done with an appropriate process. The process should have thought and the decision made by people who are the experts within the company on such matters.
  6. Risk of facilitation payments and third parties? Whatever policy you have, it must be carried over to third parties acting on your behalf or at your direction. If a third party cannot control this issue, the better compliance practice would be to end the business relationship.
  7. How should facilitation payments be recorded? Facilitation payments must be recorded accurately. You should have a category entitled “Facilitation Payments” in your company’s internal accounting system. The labeling should be quite clear and they are critical to any audit trail so recording them is quite significant.
  8. Monitoring programs? There must always be ongoing monitoring programs to review your company’s internal controls, policies and procedures regarding facilitation payments.

So we return to the question of when does a grease payment become a bribe? There is no clear line of demarcation. The test seems to turn on the amount of money involved, to whom it is paid and the frequency of the payments. Additionally, accurate books and records are a must. Finally, remember that the defense of facilitation payments is an exception to the FCPA prohibition against bribery. Any defendant which wishes to avail itself of this exception at trial would have to proffer credible evidence to support its position, but at the end of the day, it would be the trier of fact which would decide. So, much like any compliance defense, the exception is only available if you use it at trial and it would be difficult to imagine that any company will want to use the facilitation payment exception.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

« Previous PageNext Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 4,636 other followers