Actions Taken During a FCPA Enforcement Action-Lessons from Parker Drilling and Ralph Lauren

In the two most recent corporate Foreign Corrupt Practices Act (FCPA) enforcement actions, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) to communicate not only what they believe constitutes a best practices compliance program but equally importantly what actions a company can engage in which will significantly reduce a company’s overall fine and penalty. These matters involved Parker Drilling Company (Parker Drilling) and the Ralph Lauren Corporation. Parker Drilling received a Deferred Prosecution Agreement (DPA) and Ralph Lauren sustained a Non-Prosecution Agreement (NPA).

Fines and Penalties

Parker Drilling’s conduct earned it an “approximately 20 percent reduction off the bottom of the fine range” which suggested a fine of between $14.7MM to $29.4MM. The final DOJ fine was  $11,760,000. The company also agreed to pay disgorgement of $3,050MM plus pre-judgment interest of $1,040,818, to the SEC. Ralph Lauren  agreed to pay $882K to the DOJ and $593K in disgorgement and $141K in pre-judgment interest to the SEC.

Self-Disclosure

In the DOJ/SEC FCPA Guidance released last year one of the clear messages was that companies should self-disclose any potential FCPA violations. While this question is debated by the FCPA intelligentsia and in compliance/legal department across the country, one of the key takeaways is that companies should self-disclose. In the section on Declinations, which included stripped out information on six companies which received declinations to prosecute, one of the common factors was that each company self-disclosed its FCPA violation.

In the Ralph Lauren NPA, the DOJ stated that one of the factors which led to the NPA was “the Company’s timely, voluntary, and complete disclosure of the conduct”. This is contrasted with the Parker Drilling DPA, where there was no information listed regarding self-disclosure. In its Press Release announcing the resolution of the Parker Drilling matter, the DOJ stated it “stemmed from the DOJ’s Panalpina-related investigations.”

What Did You Do When You Found Out About It? Prong II – Extensive Cooperation

Both companies provided extensive cooperation to the DOJ and SEC throughout the pendency of their respective investigations. In the Ralph Lauren NPA, the DOJ detailed the company’s conduct by stating that “the Company’s extensive, thorough, and real-time cooperation with the Department, including conducting an internal investigation, voluntarily making employees available for interviews, making voluntary document disclosures, conducting a world-wide risk assessment, and making multiple presentations to the Department on the status and findings of the internal investigation and the risk assessment”. In the Parker Drilling DPA, the DOJ stated that “the Company’s cooperation, including conducting an extensive internal investigation and collecting, analyzing, and organizing voluminous evidence and information for the Department”.

What Did You Do When You Found Out About It? Prong I – Remediation

Implementing one of the prongs of McNulty’s Maxim No. 3, both companies engaged in extensive remediation during the investigations. The Ralph Lauren NPA stated that “the Company’s early and extensive remedial efforts already undertaken – including conducting extensive FCPA training for employees world-wide, enhancing the Company’s existing FCPA policy, implementing an enhanced gift policy as well as other enhanced compliance, control and anti-corruption policies and procedures, enhancing its due diligence protocol for third-party agents, terminating culpable employees and a third-party agent, instituting a whistleblower hotline, and hiring a designated corporate compliance attorney – and to be undertaken, including enhancements to its compliance program as described in Attachment B (Corporate Compliance Program);”.

Parker Drilling also engaged in extensive work to create a gold standard compliance program all the while undergoing its own internal investigation. According to the DPA, “the Company has engaged in extensive remediation, including ending its business relationships with officers, employees, or agents primarily responsible for the corrupt payments, enhancing its due diligence protocol for third-party agents and consultants, increasing training and testing requirements, and instituting heightened review of proposals and other transactional documents for all the Company’s contracts.” Parker Drilling also hired “a fulltime Chief Compliance Officer and Counsel who reports to the Chief Executive Officer and Audit Committee, as well as staff to assist the Chief Compliance Officer and Counsel.” The Company worked to strengthen its internal controls. Lastly, and I hope that you remember this from the Morgan Stanley Declination, Parker Drilling implemented “a compliance-awareness improvement initiative and program that includes issuance of periodic anti-bribery compliance alerts.”

Self-Monitoring and Reporting to the DOJ

In an area that is sometimes overlooked in both DPAs and NPAs, both companies agreed to self-monitor the effectiveness of their compliance programs and make no less than annual reports to the DOJ. In its three-year DPA, Parker Drilling agreed to monitor and “that it will report to the Department periodically, at no less than twelve-month intervals during a three-year term, regarding remediation and implementation of the compliance program and internal controls, policies, and procedures”. In its two year NPA, Ralph Lauren agreed to monitor and “report to the Department periodically, at no less than twelve-month intervals during a two-year term, regarding remediation and implementation of the compliance program and internal controls, policies, and procedures.”

Both the DOJ and SEC continue to communicate to the compliance practitioner what they expect from companies in the way of a best practices compliance program and what a company should do if they discover a potential FCPA violation. These communications, through enforcement actions, DPAs, NPAs and Declinations, are consistent with the information provided by the DOJ/SEC in the FCPA Guidance. Both of these enforcement actions demonstrate that if a company gets ahead of the curve, it can significantly lessen its overall penalty and pain.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Edgar Allen Poe and Innovation in the Compliance Function

Tomorrow, April 20 is the anniversary of a truly innovative work of literature. On April 20, 1841, Edgar Allen Poe’s story, The Murders in the Rue Morgue, first appeared in Graham’s Lady’s and Gentleman’s Magazine. The tale is generally considered to be the first detective story. The genre is distinctive from a general mystery story in that the focus is on analysis. The story describes the extraordinary analytical powers used by Monsieur C. Auguste Dupin to solve a series of murders in Paris. The character of Dupin became the prototype for many future fictional detectives, including Arthur Conan Doyle’s Sherlock Holmes and Agatha Christie’s Hercule Poirot. Like the later Sherlock Holmes stories, the tale is narrated by the detective’s roommate. Poe biographer Jeffrey Meyers sums up the significance of “The Murders in the Rue Morgue“: “[it] changed the history of world literature.” Poe’s role in the creation of the detective story is reflected in the Edgar Awards, given annually by the Mystery Writers of America. For both myself and the many worldwide fans of Sherlock Holmes, we owe a tip of the hat to Poe for inventing the genre.

As Poe demonstrated, innovation can come in many forms. Earlier this week I wrote about some of the innovative ways that Joel Katz, of CA Technologies, had improved his company’s compliance function. In this post, I will discuss how Katz was able to increase the participation of business leaders into the doing of compliance. He did so by the creation of ‘Regional Business Ethics Councils.’ I found the CA Technology creation and use of these Regional Business Ethics Councils as an innovative approach to help move compliance into the company’s DNA in a robust manner.

The Regional Business Ethics Councils are designed to “largely serve as a communication vehicle between our corporate compliance team in the United States, business leaders, and employees.” These Regional Business Ethics Councils were created in the company’s three major geographic regions which consisted of the Americas, Europe and the Middle East (EMEA) and Asia-Pacific (APAC). Each Regional Business Ethics Council is comprised of six to eight senior business leaders from each part of the company’s functional business, including legal, finance, HR, sales, development, administration, and others. The Regional Business Ethics Councils meet quarterly.

Katz believes that the Regional Business Ethics Council members play a critical role with compliance messaging to employees in their respective regions. Their meetings are used to “discuss current compliance issues and internal and external trends, significant legal or regulatory changes that impact the business, and upcoming compliance initiatives.” This structure allows the company to be more nimble and be in a position to respond more quickly to different external issues that may arise and impact the compliance function.

CA Technologies also uses the Regional Business Ethics Councils as a mechanism to “solicit feedback from the business on the current business environment, any concerns the business leaders may have about our business or our compliance program, and any other issues they wish to discuss.” One of the constant challenges for employees is getting foreign employees to trust and communicate with the compliance function. The Regional Business Ethics Council can provide another route by which information and concerns can be conversed up to the compliance function.

Katz acknowledged that the level of engagement of the individual council members varies from both person to person and Regional Business Ethics Council to Regional Business Ethics Council. Nevertheless, the company has found that the Regional Business Ethics Council initiative “has succeeded in creating more visibility into the compliance function for company business leaders and more visibility into the global business for our compliance team.” Additionally, the Regional Business Ethics Councils can assist the compliance group by focusing on issue-spotting and awareness-raising within their specific region. Katz believes that this is helpful because it “is consistent with our belief that if we can get people talking about compliance and asking questions, we can address most issues long before they become compliance problems.”

Katz ended his article by explaining that at CA Technology “compliance training and communication plan is and will always be a work in progress” which he believes is appropriate for “every organization, as such organizations and legal and regulatory landscapes will undoubtedly evolve and change over time.” His article helps to drive home the message that a company “should examine its plan at least annually to ensure it is still viable and continually look for opportunities to improve it. This iterative approach to training and communication will help ensure that messages are being heard, understood, acted upon and appreciated by your employees.”

I have often written about the need for some type of management oversight above the compliance function which sits below a company’s Board of Directors. The CA Technology approach of using the Regional Business Ethics Council provides another level of engagement by corporate functions. But just as a Regional Business Ethics Council can be used to communicate from areas outside the US back to the corporate headquarters, the Council structure allows the compliance function to communicate back into the regions. I believe that this can help companies to communicate the importance of compliance more thoroughly and more effectively throughout an organization.

Lastly, one of Katz’s themes is to help the company employees understand that compliance is there to help them do work business more efficiently and at the end of the day in a manner more consistent with the company’s overall ethical values. I believe that the use of the Regional Business Ethics Council program can be a key way to demonstrate this commitment to employees. I would suggest that this type of program may be something that you should consider for your company.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Got 20 Minutes? Spicing Up Compliance Training

How can you create or revise your compliance program? One of the first steps you should take is to devise an action plan. A recent article in the March edition of the Compliance Week magazine, entitled “Putting Together an Action Plan for Compliance”, Joel Katz, the Chief Ethics and Compliance Officer (CECO) for CA Technologies, wrote about his experiences in updating the company’s compliance training program.

He said that after the company had gone through a compliance investigation, it created a “best-in-class” compliance program. However, after a few years of intensive training and continued corporate reminders about compliance, the employees began to suffer from ‘compliance fatigue’. Katz decided it was time to come up with a way to determine what was working and what was not working regarding the company’s compliance program in the “eyes of the employees”. To facilitate this Katz literally went around the CA Technology world listening to employees, both in focus groups and individually, about what they thought was working and what they thought did not work. He found that the company’s managers and employees generally had the same four critiques, which were:

1. The compliance training was ineffective; it was too long, often too esoteric, and very often not helpful to employees because it did not relate to their core job responsibilities. Employees expressed a strong desire for training that was more engaging and relevant to their jobs.
2. Employees wanted live training but in their local language. Although most employees are fluent in English, many expressed the desire to be trained in the local language to ensure that nothing was getting “lost in translation.”
3. There was a lack of understanding regarding the role of the compliance group within the company. Both employees and managers at all levels felt that the compliance organization was a bit of a mystery to them – they did not fully understand what the compliance organization did on a day-to-day basis and felt that they lacked any real visibility into the types of compliance issues that the company was encountering.
4. At times compliance seemed liked the ivory tower as employees also felt that messaging around compliance was, at times, either condescending or written in a way that made it appear that the company did not trust its employees.

I found Katz’s responses to the training critiques very interesting and had some components that you may wish to incorporate into your program. CA Technologies decided to ditch all outside vendors for training and put it on using internal resources. The company also “made a conscious choice to focus our compliance training energies on issue spotting and awareness-raising, rather than on in-depth subject matter expertise” which was done for two reasons. First, the company did not believe that employees were retaining the information being covered in courses that attempted to deliver in-depth learning. Second, by “Focusing on issue-spotting and awareness-raising is consistent with our belief that if we can get people talking about compliance and asking questions, we can address most issues long before they become compliance problems.”

To make the training more real and more entertaining, the company began to use examples of “compliance related transgressions” demonstrated by the fictional character “Griffin Peabody” in courses and awareness campaigns. The company also used this character in company training videos that its employees starred in as participants. To help with the logistics of training, the compliance department enlisted the CA Technology law and HR departments to assist in putting on the training. Interestingly, compliance did not specify to the trainers how to put on the training, instead they gave them the flexibility to put on training in variety of ways such as ‘lunch-n-learns’ or other less formal training. But here is the real kicker – Katz “issued a mandate that no compliance course would take longer than 25 minutes to complete. We would rather have two 20 minute courses than one 40 minute course. Our experience has been that even the most interested audience begins to fade after about 20 minutes.”

To help de-mystify the role that the compliance function had in CA Technology, the group published “a quarterly newsletter called “Walk the Talk.” Each newsletter includes profiles of real-life, company compliance cases and quarterly compliance statistics (including the number of compliance cases by geographic region with a comparison from the prior year, as well as a breakdown of the types of compliance issues we are addressing, such as fraud, conflicts of interest, and others).” Katz noted that the names were removed to protect the innocent and guilty but that the company did “provide comprehensive descriptions of the compliance issues and how the issues were resolved (in many instances, employees were either disciplined or dismissed).” What Katz found was that CA Technology employees said that “they particularly liked reading the real-life cases and learning about how the company resolved these cases. Not all compliance officers agree with providing this level of transparency to employees, but our experience has been, thus far, very positive.”

In the article, Katz admitted that the compliance group “might, on occasion, come off as sounding a bit “preachy” to employees when discussing certain compliance issues”. To address this issue, the compliance team worked with the company communications team and the company’s global leadership team to “help ensure that our messaging has the right tone to effectively resonate with our employees. We strive to create communications that are engaging and easily understood by all employees.” With this assistance, Katz believes that the compliance group ensures “that we take the time to focus on how we are messaging things to our employees and this has helped improve employee perception about the compliance function.”

Katz’s article had several salient points around training for the compliance practitioner. His change in focus of the company’s compliance training from the subject matter expertness to issue raising awareness is something that certainly resonates with me. Employees can be your first and, many times, best line of defense from a compliance issue becoming a full bore Foreign Corrupt Practices Act (FCPA) or other legal violation. Giving them to tools to know when and how to raise their hand when something does not make sense is more important than droning on about the elements of a FCPA violation. Also the CA Technology methods for delivering compliance training are quite innovative but in many ways very cost effective. By moving the training in-house and allowing the trainers to determine how to deliver the training, you can obtain greater buy-in and participation. Lastly, how many of you out there put on training for only 20 minutes? Do you think that would make your employees sit up and take notice, if not smile, if they could get their compliance training in 20 minute increments?

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

In the Limelight-the Theater, Lady Gaga and Compliance

What is your favorite Canadian group? For my money it is the band Rush. My favorite Rush song is probably “Limelight”. How many times have you heard about ‘being in the limelight’? The phrase comes from the British theater where lights in the theater used quicklime. Although long since replaced, lighting in the British theater is still called ‘limes’.

I thought about Rush and their hit song when I recently read a couple of articles on leadership in the theater. I found that some of the insights in these articles could be applied in a compliance program for a multi-national company. In an article in the New York Times (NYT) Corner Office Section, entitled “First, Make Sure Your Idea Works On a Small Stage”, reporter Adam Bryant interviewed Francesca Zambello who is both the general and artistic director of the Glimmerglass Festival and the artistic director of the Washington National Opera.

Think Small

Zambello had a very interesting point that I do not consider often. She said that one of the most memorable lessons that she ever learned from a mentor was to make sure that your creative idea will work on the small stage. By this she did not mean that you cannot have a big idea or large concept. Instead “The most important thing he ever taught me was that if you don’t make sure the show is right in a small room, it will never be right in a big space, on a big stage.”

I found this comment particularly insightful in the context of the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) FCPA Guidance. The FCPA Guidance makes clear that a company should design a compliance program which is appropriate for its size, markets and risks. There is no one standard and the FCPA Guidance states: “DOJ and SEC have no formulaic requirements regarding compliance programs. Rather, they employ a common-sense and pragmatic approach to evaluating compliance programs, making inquiries related to three basic questions: • Is the company’s compliance program well designed? • Is it being applied in good faith? • Does it work?”

I have seen many instances where a company will try and implement a compliance regime which is appropriate for a company many times its size. It becomes a top down exercise but as noted in the Zambello interview, it does not work well in the smaller setting because it is not assessing and managing the risks appropriate to a small company. Here a bottom up approach can be much more effective. Certainly this could be accomplished through a formal risk assessment but it may also come through talking and meeting with your internal business units or partners. Such informal assessments can provide valuable information which may work on a ‘smaller stage’ than a compliance program designed for a multi-billion, multi-national company.

Learn How to Fail

Another insight I garnered from the Zambello interview for the compliance practitioner was what she termed “You have to learn how to fail.” She believes that in any position you are in, that you are going to fail. But the real key is that “if you don’t fail, you are probably not that good.” Lastly, if you fail you have to learn to pick yourself up, “The more you get knocked down, the more you learn to pick yourself up.”

In the context of the FCPA Guidance, “DOJ and SEC understand that “no compliance program can ever prevent all criminal activity by a corporation’s employees,” and they do not hold companies to a standard of perfection. An assessment of a company’s compliance program, including its design and good faith implementation and enforcement, is an important part of the government’s assessment of whether a violation occurred, and if so, what action should be taken.” Clearly how a company handles any Foreign Corrupt Practices Act (FCPA) violation is an important key to any DOJ or SEC analysis regarding enforcement.

However, the other point for the compliance practitioner is that not everything should always go right under your compliance regime. Not every third party business representative you look at should pass muster under your process for approval. If everyone does, your process may not be robust enough. Not all of your employees do everything right all the time. If you have never disciplined an employee for a violation of your company’s Code of Conduct or compliance program, you should look to determine if this area needs to be explored as not every expense report is always correct. Lastly, if there has never been a substantial tip to your anonymous reporting line, this is an area which should also be explored. You may need to conduct more, or better, training so that employees understand that they can report incidents in confidence, without fear of retribution.

Be Courteous

Another interesting topic that Zambello discussed was the following, “I think that good manners matter a lot…Some of those are old fashioned things, but manners don’t cost anything.” Think about it – when was the last time you had a discussion of manners or even courtesy? This point is not something which is discussed much in the compliance arena but I think that courtesy is something that compliance practitioners need to be aware of when involved in a multi-national compliance program. Be sensitive to cultural norms in other countries and be respectful of them. As my very southern grandmother used to say, you are never wrong being courteous. Lastly, do not forget the cost for being courteous, nothing. But the benefits can be quite great.

From Lady Gaga to Compliance

For a different type of theater and how it relates to your compliance program, I recently came across an article in the Financial Times (FT), entitled “In need management tips? Try Lady Gagahttp://www.ft.com/intl/cms/s/2/da6559ce-a289-11e2-9b70-00144feabdc0.html#axzz2Qcpc6zzT”, by reporter Miles Johnson. (While some might suggest that Lady Gaga is a musician, I certainly think she is all about theater so it ties in with the above, really.) Johnson’s article reviews the work of Salvador Lopéz, a marketing and research professor at Spain’s ESADE business school. Lopéz believes that the world of business can learn quite a bit from the Lady Gaga’s of the world and I found that a couple of them apply to the compliance arena.

The first is that Lady Gaga generates emotions in her fans. Lopéz likened this to Steve Jobs who created “an entire style at Apple and made people feel things through his products.” Here I think that this applies to compliance because most employees want to do the right thing and will feel better about themselves if they conduct business in an ethical manner. The key for the compliance professional is not only to provide the processes and procedures for them to do so but to also acknowledge those employees who follow a company’s ethical business values. This can occur through financial incentives such as part of an employee’s discretionary bonus awards; promotion of employees who conduct business in accord with a company’s ethical practices or even something as simple as a companywide acknowledgement. The point is to make people feel that something positive for doing compliance the right way.

The second point that Lopéz gleans from performance artists like Lady Gaga is that they are much better in the use of technology than most companies. There are now a plethora of technological tools available to assist the compliance practitioner. I firmly believe that the DOJ and SEC have communicated that transaction monitoring will become a standard best practice quite soon, but certainly within the next 18 months. There are companies, such as Oversight Systems to name but one, which have technological tools to help move to this standard. But that is only one of many tools available to assist in your compliance program. So take a clue from Lady Gaga and ‘keep it fresh’.

These two articles demonstrate that the compliance practitioner can draw from a wide variety of sources and disciplines for inspiration to incorporate into a FCPA or UK Bribery Act compliance program. Further, the tools are out there to help you. I hope that this article has given you some ideas while drumming your fingers along to Rush or Lady Gaga for that matter.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

How To Demonstrate Ethics and Compliance – Earn It, Re-Earn It and Re-Evaluate It

What should your company do if it finds itself in a situation where some of its senior leadership has engaged in conduct which violates its own ethical standards or external legal standard such as the Foreign Corrupt Practices Act (FCPA)? Assume your company is now in McNulty Maxim No. 3 of “What did you do about it?” as you have investigated the conduct and disciplined the senior management in question. However, you want to go further and try to take steps that will detect and prevent the conduct in the future.

A current example of this is going on in the US military. In reaction to recent scandals involving lapses of personal character, the US military has instituted a series of changes to help military commanders to focus on ethical standards. In an article in the New York Times (NYT), entitled “Conduct at Issue as Military Officers Face a New Review”, Thom Shanker discussed a range of responses that the military will pursue. He reported that “The new effort is being led by Gen. Martin E. Dempsey, the chairman of the Joint Chiefs of Staff, as part of a broad overhaul of training and development programs for generals and admirals. It will include new courses to train the security detail, executive staffs and even the spouses of senior officers.” The article quoted General Dempsey as saying, “Conversely, you can have someone who is intensely competent, who is steeped in the skills of the profession, but doesn’t live a life of character. And that doesn’t do me any good.”

The military has initiated three broad responses. The first is a “regularly scheduled professional reviews would be transformed from top-down assessments to the kind of “360-degree performance evaluation” often seen in corporate settings.” A 360-degree review is one which comes from members of an employee’s immediate work circle. Most often, 360-degree feedback will include direct feedback from an employee’s subordinates, peers, and supervisor(s), as well as a self-evaluation. It can also include, in some cases, feedback from external sources, such as customers and suppliers or other interested stakeholders. The results from a 360-degree evaluation are often used by the person receiving the feedback to plan and map specific paths in their development.

While acknowledging the challenges from that comes from a subordinate review in a top-down hierarchical structure, such as the military, General Dempsey stated that “we’ve developed some bad habits” and that “It’s those bad habits we are seeking to overcome.” The article quoted Richard H. Kohn, a professor emeritus at the University of North Carolina, Chapel Hill, who specializes in military culture who said “he thought the 360-degree evaluation would have a positive effect on the leadership styles of many officers. He also stated that “It will reduce what the military calls ‘toxic leadership,’ elevating those who are highly competent but also fair and less brusque and peremptory.”

The second response was increased training on values. “General Dempsey said the demands of combat deployments in the past decade had prevented officers from attending the academic programs that historically had been integrated into an officer’s career every few years, and he pledged to rebalance that.” I found this quote very fascinating as it showed the extent that the military uses outside resources, I.E. civilian academic programs to supplement training on military values. Due to the increased deployments since 9/11, these traditional academic rotations have been less ongoing. Dr. Kohn found that these new training programs are a good enhancement to military training as “most officers need to be reminded of the rules and regulations on a routine basis.” But this training will go past simply the senior officers as “new programs will be instituted to ensure that a commander’s staff, and a spouse, are fully aware of military regulations.”

The third component will be more internal audits. The articled noted that “Under General Dempsey’s plan teams of inspectors will observe and review the procedures of commanders and their staffs. The inspections will not be punitive, but will provide a “periodic opportunity for general officers and flag officers to understand whether, from an institutional perspective, we think they are inside or outside the white lines.”” I found this component to be similar to the ‘Mock Audit’ concept that is used in the power industry that I recently wrote about in the post “In Praise of the Mock Audit”. A ‘Mock Audit’ is a mechanism by which a compliance team can go into a facility and not only try to determine what might need remediation but, equally importantly, help the employees in that facility to move towards greater compliance.

For the FCPA compliance practitioner, this response by the US military has some very interesting parallels to what the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) say should be in your FCPA compliance program. The DOJ/SEC FCPA Guidance demonstrates that a company should strengthen and supplement its compliance program on causes underlying the compliance issues which arose. The Guidance states, “An effective compliance program promotes “an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” Such a program protects a company’s reputation, ensures investor value and confidence, reduces uncertainty in business transactions, and secures a company’s assets. A well-constructed, thoughtfully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations. [emphasis supplied] Further, in its section on Declinations, one of the six common elements which companies that received declinations engaged in was to make their compliance program more robust around the FCPA violation which arose. Clearly the DOJ and SEC believe that a company with a strong compliance system and culture will not only be in better position to comply with the FCPA but will be a better company.

General Dempsey clearly believes that the military has high ethical values. Shanker wrote that “He said the issue of understanding the military as a profession, and not just an occupation, had fascinated him since his days as a junior officer; he would be subject to the same rules, regulations and assessments he now is championing.” Shanker ended his article with the following quote from General Dempsey, “In my 39 years in the military, I have learned that you are not a profession just because you say you are,” he said. “You have to earn it and re-earn it and re-evaluate it from time to time.”

To me that sounds something like the following-you are not an ethical company because you say you are but because you do compliance by putting in the policies and procedures to do so.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Q: Do You Tell The Central Bank What To Do? A: ‘In Which Country’?

Last weekend in the Financial Times (FT) was a report by Tim Burgis of an interview he held over a lunch meeting with the Angolan Isabel dos Santos, who Forbes magazine recently declared “the continent’s first female billionaire.” Ms. dos Santos is the daughter of José Eduardo dos Santos, who has been Angola’s president for the past 33 years. The interview was a fascinating insight into how doing business in some countries under US or UK anti-corruption and anti-bribery laws can be so challenging.

Burgis quoted an un-named expert who described Angola as a place of “corny capitalism” where those with connections to “the Futungo, as the presidential coterie is known (after Futungo de Belas, the old presidential palace) have made fortunes.” Ms. dos Santos denied that she is involved in politics, claiming that she is only interested in business. Interestingly, Burgis quoted her as stating “I’m not involved in politics and I’ve never had any political role. I’ve never been in office. I’ve never taken any public administrative jobs. So, like I said, I don’t work with the government.”

Some of her business interests “include stakes in two Portuguese banks, BIC and BPI, and a communications group called ZON Multimédia and an indirect holding in Galp, a Portuguese energy group with assets from Mozambique to Venezuela.” While admitting that the “oil industry is politically driven” she insisted that in the business sectors in which she is involved “politics don’t come into it”, she says, even if her own big moment came when she was part of a consortium that won a public tender for Angola’s second mobile telephony licence in the late 1990s.”

Burgis noted that there are believed to be many ways for the well connected to make lots of money in Angola. He wrote, “There are, however, easy ways to make money if you’re connected in Angola, particularly in the resources industries, where top officials and generals have been known to take hidden stakes in ventures led by oil majors and to enjoy titles to diamond-bearing land.” He also went on to note that these systems may be perpetuating the overall poverty in African countries such as Angola when he said that “There are those who would say that corrupt models lie at the heart of the power structures that keep most Africans poor and unable to call their rulers to account.”

He noted that Ms. dos Santos has recently become involved in the energy sector through her partnership with the Portuguese businessman, Américo Amorim and his company Amorim Enereria. Burgis wrote “I ask her to clarify how those energy interests tie in with Sonangol, the Angolan state-owned oil company with assets from Iraq to Brazil that some critics perceive as a Futungo fiefdom. She fends off my questions before fixing me with the look one might give a particularly vexing eight-year-old. “The business is relatively complex because, when you structure a business, you have to look at different aspects from legislation to taxation, to governance, issues like that.”

Near the end of their lunch Burgis asks the following question do you “call up the governor of the central bank and tell him what to do? “In which country?” she quips. We laugh merrily.” She went on to explain how she did have the reputation for extraordinary power. Burgis quoted her as saying, “Well, it’s very difficult, I would imagine, to distinguish father and daughter. And maybe some of it comes as I’m doing my thing and my father being a very strong political African figure for so many years. Whatever he does is almost like some kind of cloud on top,” she says, reaching for the right metaphor and waving a hand over her head, as though her father were some celestial phenomenon. “So maybe some of these ideas come from this cloud-over effect from his position. But, no, I don’t call the central bank and I most certainly don’t give them instructions.”

Even from the head feigns, non-responsive and jocular tone of many of these answers, one can see just how challenging doing business in Angola can be for any company subject to the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. The first issue that would seem to pop up is just who are you doing business with and are they a Politically Exposed Person (PEP). Burgis specifically states “top officials and generals have been known to take hidden stakes in ventures led by oil majors”. Whether such interests are hidden or not, it is the responsibility of any US or UK company to perform the appropriate level of due diligence to ascertain whether they are doing business with such governmental officials. I have heard more than one Chief Compliance Officer (CCO) say that they had to pull the plug on a business proposition because they could not determine the beneficial owners of an entity with which they were considering doing business.

What about a country such as Angola, where people move freely between government and business. Once again if it is later determined that your company is in a joint venture or other business relationship, and your local partner obtains a government appointment during the pendency of the business relationship, it is up to your company to find out that information. This requires ongoing monitoring through company or software which alerts you when someone moves to becoming a PEP.

This is where it is critical that compliance terms and conditions be put into a contract for any such business relationship. Initially, you should have contract protections in place which require any business partner who obtains a government appointment to notify you. This should also be included with a clause that allows the contract to be terminated if the appropriate anti-corruption/anti-bribery protections cannot be put in place if such an eventuality occurs.

Clearly there are no easy answers to the quandary of doing business in a country such as Angola. With many of the top government officials, energy company higher-ups and extractive mineral elite not only closely related to each other but moving seamlessly between all three groups; a company under the FCPA or Bribery Act must tread very carefully. Or to quote the signature line from Hill Street Blues, “Let’s be careful out there.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

March Madness and Discipline Under the FCPA

Tonight is the finals of the NCAA Men’s Basketball Tournament, known as March Madness. As I went to law school at the University of Michigan, I will be pulling for the Wolverines to win the big game. If you are not a Louisville or Big East fan I hope that you can pull for us or at least throw some good mojo UM’s way as we may need all the help we can get. Go Blue!

One of the things made clear in the FCPA Guidance is that employees who engage in violations of the Foreign Corrupt Practices Act (FCPA) must be disciplined. One of the Ten Hallmarks of an Effective Compliance Program is discipline. The Guidance says that a company’s compliance program should apply from “the board room to the supply room – no one should be beyond its reach.” There should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. But what if an employee’s conduct is something less than a clear violation of the FCPA? What if an employee goes right up to the line, stands next to it and kicks dirt on that line but never (seems) to go over. What should you do?

Imagine a scenario like the following. Your company is engaged in delicate negotiations to merge with another entity which will greatly increase the scope of your brand. You obviously do not want any negative information to leak out into the public sphere that your company does not follow its own Code of Conduct or the ethical values that it publicly espouses. You are brought information that one of your top sales people has engaged in a pattern of conduct that would appear not to meet your own company standards. Further, it turns out that there are videos showing the conduct in question. Not only do you see it but the company’s head of Human Resources (HR), Chief Financial Officer (CFO) and General Counsel (GC) see it as well. An internal investigation commences and it is determined that no laws are broken so you privately discipline the employee in question.

The merger goes through and thereafter it is decided that an outside law firm should conduct a more thorough investigation. This outside counsel interviews a full range of company employees and reviews internal company communications. Other company employees say that the employee in question is just very passionate about his job. However, it turns out that the focus of this outside law firm’s investigation was to determine if firing the employee in question would give that employee a basis to sue the company for wrongful termination. (The company in question is not located in the great state of Texas where you can fire anyone for a good reason, bad reason or no reason.) But even the outside law firm’s report does note that the employee in question did ‘cross the line.’ Yet you decide that no further discipline or even a follow up on the employee in question is warranted.

Now assume that the videos in question become public. There is outrage. Even the company President says that after reviewing the video it only took him “five minutes” to decide to fire the employee in question. The employee is fired and questions are being asked why you did not fire the President as well?

The above fictional scenario was based on the New York Times (NYT) article, entitled “Rutgers Officials Long Knew of Coach’s Actions”, by reporter Steve Eder. In his piece Eder details the long trail of evidence that Rutgers had been made aware of regarding the abusive behavior of its men’s basketball coach Mike Rice. Even after two investigations and presentation of a video showing Rice throwing basketballs at players, kicking them and taunting them with “homophobic slurs” Rice was not fired. Rice was reprimanded, fined and the University assigned its “sports psychologist to work with the team”. It was not until this video went viral and the whole world saw the abuse that Rice meted out to his team at practices did the outrage become sufficient enough for Rice’s termination. The Athletic Director, who had been made aware of all of the above, had requested the internal and external law firm investigations,  yet did not terminate Rice, was required to resign from all the fallout.

So just how much does it take for an entity to follow its own values? What about the employee who does ‘cross the line’ and does business in an unethical manner? Is that someone who can be trusted to follow the rules and laws like the FCPA? The FCPA Guidance makes clear that appropriate discipline should be “fairly and consistently applied across the organization. No executive should be above compliance, no employee below compliance, and no person within an organization deemed too valuable to be disciplined, if warranted. Rewarding good behavior and sanctioning bad behavior reinforces a culture of compliance and ethics throughout an organization.”

I often talk about the Fair Process Doctrine and how it behooves company’s to treat employees fairly. However, there is also a responsibility for a company to act appropriately when its employees engage in conduct that is not illegal but is so far outside the acceptable norms that it cannot be condoned. Remember what is true for Rutgers is also true for businesses in the private sector.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

What is Risk? Compliance Lessons from the Senate Hearing On the Whale

What is risk? Under the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act risk is generally doing business in a non-compliant manner under these laws, where such action can increase the possibility of engaging in or facilitating a corrupt payment or bribe. However, risk can involve other areas. If you are an investment bank, one of the risks which requires management is losses around trading.  This was painfully put on in public display last week in the US Senate Permanent Subcommittee on Investigations hearings into the JP Morgan trading losses and the trader who has come to be known as the “London Whale”.

The London Whale involved trading losses which eventually hit $6.2bn for certain credit trades. In the FT Lex Column, an article entitled “Whale fail” stated that either the “bank leadership actively circumvented risk controls and misled the regulator and investors [the Senate’s take] or the affair was an exercise in systematic incompetence [JPMorgan’s]”. Either version is not a good one for JPMorgan. The Senate report identified a list of failings at JPMorgan, accused the Chief Investment Officer (CIO) of putting into place a risky investment strategy and then trying to hide the losses. It alleged the bank hid its trading losses and finally lied to regulators. The Senate Subcommittee report and hearings provide many valuable lessons for the compliance practitioner.

Change in Business May Increase Risk

As reported by the Financial Times (FT), in an article entitled, “Harpooning The Whale-Dimon and his lieutenants caught in spotlight over risk management” showed how this trading desk morphed over the years. While the trades were initially set up as derivative positions meant to be used as a hedge by JPMorgan, at some point they morphed into something very different so that by the first quarter of 2012, “the portfolio exploded in size, complexity and risk, with little or no notice to the bank’s senior risk managers or its regulators.” The trading program went from a “notational size of $51bn in 2011” to a value of $157bn in the Q1 2012.

When you have program that goes from a financial hedging operation to a program which generates profits, you have a very different risk profile. If your risk profile increases through such a change, you need better management of that risk. While the extent to which JPMorgan senior management were aware of the additional risk is unclear, it is clear that JPMorgan’s risk management program was sorely lacking by failing to bring this trading desk into its overall risk management structure.

When Employees Call (Internal) 911

One of the things made clear at the Senate hearings was that JPMorgan executives tried to blame those big, bad traders in London for the whole debacle. In an article in the New York Times (NYT) Dealb%k, entitled, “Withering Questions at Senate Hearing on JPMorgan Loss”, reporter Jessica Silver-Greenberg wrote, “Ina Drew, who resigned in May as the head of JPMorgan’s chief investment office, the group at the center of the problems… directed virtually all of the blame at lower-level traders in London and other subordinates.” However, the reporting by the FT would suggest otherwise. In “Harpooning the Whale” it said that the trader nicknamed the “London Whale” sent “panicked emails to his superiors” in late January 2012. Among other emails quoted in the FT piece it was stated that he said, “We need to discuss the synthetic book. The current strategy doesn’t seem to work out.” In another email he wrote, “The financial [p]erformance is worrisome.” Finally he wrote that the derivatives trades were “huge” and “scary”. Indeed.

A company certain wants its employees to notify upper management if something goes awry and a company’s risk significantly increases. In the safety part of any company it is now standard procedure that ‘safety is everyone’s responsibility’ and if any employee sees an unsafe operation occurring, you have the right to shut it down immediately, with no fear of retaliation. However the key lesson to be learned from this experience is that if an employee notifies his or her superiors of a high risk activity, that risk needs to be identified and the conduct which led to the risk stopped.

Do Not Raise/Exceed the Risk Bar

When these emails from the London Whale and other information came back to JPMorgan about the potential size of these losses, did it try and call off its position? No. It continued, but tried to contain the losses by changing the risk parameters so that the losses did not appear as losses and the trades were made to appear to be within the bank’s risk restrictions. Gretchen Morgenson, writing in the NYT, in an article entitled, “JPMorgan’s Follies, For All To See” explained the bank did so by changing its normal practice in valuing these types of derivatives. She said that “Normal practice at the bank and across the industry is to value these kinds of derivatives at the midpoint between the bid and offer prices available in the market. But in early 2012, as it became apparent that JPMorgan’s big trades at the chief investment office were going bad, the bank began valuing the portfolio well outside the midpoint. This reduced its losses.

For example, in January 2012, the portfolio valuations hewed closely to the midpoint on all but 2 of the 18 measures, the Senate investigators found. A month later, 5 of the 18 valuation measures deviated from the midpoint. In March, however, all 18 deviated, and 16 were at the outer bounds of price ranges. In every case, the prices used by the bank understated its losses. While these valuation shifts were taking place in the chief investment office, JPMorgan’s investment bank officials continued to mark their identical positions using the midpoint value.

In addition to changing its risk parameters, the Senate reported noted that JPMorgan did not follow its own guidelines regarding risk boundaries for such trades. Morgenson writes that “Risk limits, intended to protect the bank from losses, were also routinely breached at JPMorgan Chase. […] From late 2011 to the first quarter of 2012, Senate investigators saw a huge jump in the number of risk-limit breaches — to more than 170, from 6. Then, in April 2012 alone, risk limits were exceeded 160 times.” Morgenson concluded that the bank’s risk limits “were either ignored or modified to make the portfolio look better”.

Risk parameters are put in place for a reason. It is to manage a company’s risk, whether that be in an investment strategy or relating to bribery and corruption under the FCPA. Once a protocol is in place, it should not be changed in the absence of careful analysis and documentation of that analysis. When it all hits the fan it is not the time to change your risk protocols. It is equally important that a company follows its risk parameters and does not exceed them on a routine basis. While it is important that you have a compliance and risk management program, if you have one and do not follow it the consequences can be even more severe.

What Did You Do About It?

In thinking about any risk breach, whether it be safety, FCPA or credit trading; I always conclude my thoughts with Paul McNulty’s Third Maxim, “What did you do when you found out about it?” JPMorgan did launch its own internal investigation into the trading losses but Morgenson noted that report produced was criticized by the Senate Subcommittee for its lack of rigor. She also reported that JPMorgan “has repeatedly said it made mistakes and has changed its policies.” What about discipline for those involved? In an article in the Wall Street Journal, entitled, “Senate Puts ‘Whale’ On the Grill”, it was reported that Douglas Braunstein, J.P. Morgan’s former chief financial officer, testified “that his annual pay had been cut to $5 million from $9.5 million.” Other senior executives at the bank, including Mr. Dimon, [JPMorgan Chief Executive] also saw large pay cuts.

Conclusion

For most companies which face a FCPA issue, they will not have to go through such a thorough and very public Senate investigation and hearing. However, because it was such a public event, there were many public lessons which can be learned by the compliance practitioner. As a publicly listed institution, it is the shareholders who will ultimately bear the losses sustained by the bank. The Lex Column of the FT stated that “Until Mr. Dimon has shown over a series of reporting periods that the “whale” was an aberration rather than a reflection of rotten corporate culture, investors should tread cautiously.” In the FCPA world, if you have such a breach of your risk parameters, you may well have this same question posed to you.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Three Compliance Interviews on April 3

I attended the Dow Jones Global Compliance Symposium over the past couple of days. It was a great conference and kudos to the entire Dow Jones team for putting on a truly memorable event. Day 2 had some interesting speakers and I thought that I might highlight some of the note-worthy things that they said. I should initially note that they did not present prepared remarks but were interviewed by Wall Street Journal (WSJ) reporters. Frustratingly, all three were very good at not answering some of the more pointed questions they were posed but they did have some thought-provoking answers to some of the questions posed to them.

Jeff Benjamin

Benjamin was retired and living in Cape Cod, when he was lured out of retirement to take over as the Senior Vice President (SVP) and General Counsel (GC) for Avon Products, Inc., in September of last year. He used this late entry into the company as a way not to answer questions about the ongoing investigation or the company’s amount of legal and investigative fees incurred to-date. He did answer a question generally around the company using two law firms which I found fascinating. He said that more law firms do not necessarily mean more lawyers working on an assignment or project. He said that by using two law firms, he can use “the best people in the best roles” rather than simply the best people. For all you Chief Compliance Officers (CCO’s) or GC’s out there you might want to think about that concept.

I was a bit frustrated that he was cut off when answering the question of his thoughts on what differentiated an elite compliance program from merely a functional one. The first point was that the compliance program seeks continual improvement. The second is that each of a company’s employees takes personal responsibility for establishing and retaining a culture of compliance and ethics in a company. I wish he had been able to give us the final two but he got side-tracked on another point.

I asked Benjamin the role that compliance plays in reconstituting employee morale after a catastrophic compliance failure that (apparently) occurred at Avon. Benjamin initially noted that he believes that the compliance function has a large role to play in rebuilding employee morale. He said a key for Avon was to look at the compliance failures and to use those as teaching moments for the work force. He coupled this with a very intensive construction of the compliance architecture for the company, communicated thoroughly to all employees. He ended with some out of the box thinking like bringing in Cynthia Cooper, the employee who blew the whistle at WorldCom, to speak to company employees on the need to ‘Speak Up and Speak Out’.

Gerson Zweifach

Zweifach is the General Counsel and Chief Compliance Officer for News Corp. He is former federal prosecutor and holds himself very much with that bearing and demeanor. He was asked about his dual roles as GC and CCO and he said that given where the company is, in the middle of a multi-jurisdiction, multi-law investigation, he believed that combining both roles was appropriate, at least for the next couple of years. He also noted that he was told by the News Corp’s Chief Executive Officer (CEO) that “I don’t want this to happen again” and he took that as another reason that the roles should be combined, at least for the foreseeable future.

Zweifach said the biggest change that he had to effect on the company was to elevate problems to the corporate headquarters, if they involved “the core integrity” of the company. News Corp is a very decentralized business with assets all over the world. Prior to their current legal imbroglio, they did not handle such problems in the US but Zweifach has learned that this must be done to help ensure that the company gets a full picture of the facts as soon as possible. Further, any core integrity issue can become global very quickly so there needs to be central management of this issue as soon as possible.

As a former prosecutor and white collar defense lawyer, he was not too familiar with the concept of risk assessments as a corporate tool, so he had a fair amount to learn on the subject. But he learned something very interesting and that was simply because a business is located in a high-risk country it may not be high risk. Conversely, simply because a business is in a perceived low risk country, such as the UK, the business may be high risk. I found this to be a very interesting insight and  something that Foreign Corrupt Practices Act (FCPA) compliance practitioners could consider when doing their overall risk assessments.

Alberto Gonzales

Gonzales is the former Attorney General of the United States and is currently Of Counsel to the law firm of Waller Lansden Dortch & Davis LLP. Gonzales spoke about the FCPA and potential change of the law. Initially he noted that reform of the FCPA in Congress is dead, although he tried to blame it on the Democratic administration, forgetting perhaps that the greatest increase in FCPA enforcement occurred while he was Attorney General (oops!). But he did say that perhaps there could be some different interpretations by regulators, such as the Department of Justice (DOJ) and Securities and Exchange Commission (SEC). Leaving aside the subtle distinction that the DOJ are prosecutors and not regulators (oops again!) he said that he believed business groups were right to continue to clamor for additional FCPA guidance, as he clearly demeaned the November-released FCPA Guidance as “so-called guidance”.

He also said that greater transparency would be of assistance to the compliance practitioner and here he talked about further information on declinations. He said that he believed the DOJ could strip out the indemnity markers but the key information would be for the DOJ to itemize the information which went into their decision making calculus as to why a declination was granted as opposed to an enforcement action. This is certainly something that I do agree with Gonzales on.

The Dow Jones Global Compliance Symposium continues to be one of the premier compliance events annually. If you did not attend this year and can do so next year, I urge you to try and get yourself up to DC for the conference.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

M*A*S*H and Triage in Your FCPA Investigation Protocol

One of the things that I learned from the television series M*A*S*H was the need for triage. In the hospital setting, triage is the process of determining the priority of patients’ treatments based on the severity of their condition. At the Dow Jones Global Compliance Symposium, there were a couple of panels which discussed the need for triage in your compliance program around issues that are reported through a company’s internal reporting mechanism.

Given the number of ways that information about violations or potential violations of the Foreign Corrupt Practices Act (FCPA) can be communicated to the Department of Justice (DOJ) having a robust triage system is an important way that a company can separate the wheat from the chaff and bring the right number of resources to bear on a FCPA problem. Kevin O’Connor, Vice President (VP) for Global Compliance, United Technologies Corp, said that one of the things that this is important in making an initial determination of whether to bring in outside counsel to head up an investigation. It is also important in a determination of the resources that you may want or need to commit to a problem. Ty Cobb, a partner at Hogan Lovells, put it this way “How much information do you need to know before you go to outside counsel? Quite a bit.” Another panelist, Jamie Gorelick, partner at WilmerHale, put it in a different manner when she said “you have to kick the tires” so that you know the circumstances in front of you before you make the decision to go to outside counsel.

But even if you kick the tires and determine that you do need to involve outside counsel, there are still ways in which a corporation can work to control the costs of a FCPA investigation. O’Conner said that United Technologies is able to keep the costs down by having a very robust team of investigators embedded in many departments across the company, outside of the compliance function. O’Connor said that these employees come from employment and professional backgrounds which trained them in the basics of investigations. Many of these United Technologies employees come from law enforcement but there are other professions such as national security, foreign service, the intelligence community, human resources and others.

O’Connor said that the key is to hire people with a background and prior training investigations. These investigators receive FCPA and other compliance training while at United Technologies so that if a major incident arises they can be used to supplement outside counsel personnel who may lead an investigation. In this way, United Technologies is able to keep outside counsel from sending lawyers all over the world and thereby run up the costs of a FCPA investigation. This concept was put another way by another panelist, David Yawman, Senior Vice President & Chief Compliance and Ethics Officer, PepsiCo Inc., who said that he “wants to be building sprinkler systems and not fighting fires”. He explained this meant that he wants to have trained personnel available to him, who can have their primary function outside the compliance group but can be called upon as needed in such a FCPA investigation.

On another panel Paul McNutly, partner at Baker & McKenzie LLP, explained that he believed it would be important for a company’s regular outside counsel to partner more with the entity as a way to help hold down costs. McNulty explained that a law firm could work to help put on the additional FCPA and compliance focused training that O’Connor discussed on a more regular and ongoing training. This partnership relationship would allow the law firm to have confidence that the company’s investigators could handle a large or wide-ranging FCPA investigation. This confidence would help outside counsel in any discussions they might have with the DOJ during the pendency of a FCPA investigation.

McNulty was asked how do you help keep costs from reaching the ‘ridiculous’ level? He also mentioned that a company needs to initially scope any FCPA allegation which may arise through a company’s internal reporting mechanism or other manner. But said another step is to develop a reasonable investigation plan. This can be particularly important if you self-disclose to the DOJ. You will need to go into the DOJ and present your investigation plan so McNulty suggested an early discussion with the government on the scope of the investigation is critical.

Panelist Gorelick stressed that you should engage the DOJ to show not only the scope of your investigation but that it can be limited so that you do not face the dreaded ‘where else’ question. You should develop a logical plan with the nexus to the facts. However, she emphasized that you must have credibility with the government that not only will your investigation will be robust but that facts you have determined in your initial triage are a reasonable interpretation.

I found it very useful that there was a discussion relating to costs of a FCPA investigation that extended over two panels at the conference. Both in-house and outside counsel presented concrete and achievable solutions that can be implemented to help contain costs. But the key is to be prepared, not only in terms of having your investigation and notification protocols in place before the FCPA allegation comes in but also doing the proper triage so that you have an initial understanding of what you may be facing.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013