FCPA Compliance and Ethics Blog

August 27, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part II

7K0A0501Ed. Note-Today, I continue my three-part posts on risk assessments. Today I take a look at some different ideas on how you might go about assessing your risks.

One of the questions that I hear most often is how does one actually perform a risk assessment? Mike Volkov has suggested a couple of different approaches in his article “Practical Suggestions for Conducting Risk Assessments.” In it Volkov differentiates between smaller companies which might use some basic tools such as “personal or telephone interviews of key employees; surveys and questionnaires of employees; and review of historical compliance information such as due diligence files for third parties and mergers and acquisitions, as well as internal audits of key offices” from larger companies. Such larger companies may use these basic techniques but may also include a deeper dive into high risk countries or high risk business areas. If your company’s sales model uses third party representatives, you may also wish to visit with those parties or persons to help evaluate their risks for bribery and corruption that might well be attributed to your company.

Another noted compliance practitioner, William Athanas, in an article entitled “Rethinking FCPA Compliance Strategies in a New Era of Enforcement”, took a different look at risk assessments when he posited that companies assume that FCPA violations follow a “bell-curve distribution, where the majority of employees are responsible for the majority of violations.” However Athanas believed that the distribution pattern more closely follows a “hockey-stick distribution, where a select few…commit virtually all violations.” Athanas suggests assessing those individuals with the opportunity to interact with foreign officials have the greatest chance to commit FCPA violations. Diving down from that group, certain individuals also possess the necessary inclination, whether a personal financial incentive linked to the transaction or the inability to recognize the significant risks attendant to bribery.

To assess these risks, Athanas suggested an initial determination of the touch-points where the operations of manufacturing companies “intersect with foreign officials vested with discretionary authority.” This will lead to an understanding of the individuals who hold these roles within a company. This means that a simple geographic analysis is but a first step in a risk analysis. Thereafter companies should also focus on “those who authorize and record disbursements, as well as those who represent the company in situations where they may be solicited for payments.” The next step is to determine those company employees who may have the incentive “to pay bribes on the Company’s behalf.” This incentive can come from a variety of forms; such as a company compensation plan, which rewards high producers; employees who do not understand the risk they place the company (and themselves) in by engaging in tactics which violate the FCPA; and, finally, those employees who seek to place their individual interests above those of the company.

Athanas concludes by noting that this limited group of employees, or what he terms the “shaft of the hockey-stick”, is where a company should devote the majority of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts on “intensive training sessions or focused analysis of key financial transactions — on those individuals with the opportunity and potential inclination to violate the statute.” This focus will provide companies the greatest “financial value and practical worth of compliance efforts.”

Lawler suggests that you combine the scores or analysis you obtain from the corruption markers you review; whether it is the DOJ list or those markers under the UK Bribery Act. From there, create a “rudimentary risk-scoring system that ranks the things to review using risk indicators of potential bribery.” This ensures that high-risk exposures are done first and/or given more time. As with all populations of this type, there is likely to be a normal or ‘bell curve’ distribution of risks around the mean. So 10-15% of exposure falls into the relative low-risk category; the vast majority (70-80%) into the moderate-risk category; and the final 10-15% would be high risk.

Earlier this week I wrote a piece about the Desktop Risk Assessment. I will not repeat the entire blog post here but only use some of the areas you could assess as a starting point for discussion. If you do not have the time, resources or support to conduct a worldwide risk assessment annually, you can take a different approach. You might try assessing other areas annually through a more limited focused risk assessment, which a colleague of mine calls the Desktop Risk Assessment. Some of the areas that such a Desktop Risk Assessment could inquire into might be the following:

  • Are resources adequate to sustain a culture of compliance?
  • How are the risks in the C-Suite and the Boardroom being addressed?
  • What are the FCPA risks related to the supply chain?
  • How is risk being examined and due diligence performed at the vendor/agent level? How is such risk being managed?
  • Is the documentation adequate to support the program for regulatory purposes?
  • Is culture, attitude (tone from the top), and knowledge measured? If yes, can we use the information enhance the program?
  • Disciplinary guidelines – Do they exist and has anyone been terminated or disciplined for a violating policy?
  • Communication of information and findings – Are escalation protocols appropriate?
  • What are the opportunities to improve compliance?

There are a variety of materials that you can review from or at a company that can facilitate such a Desktop Risk Assessment. You can review your company’s policies and written guidelines by reviewing anti-corruption compliance policies, guidelines, and procedures to ensure that compliance programs are tailored to address specific risks such as gifts, hospitality and entertainment, travel, political and charitable donations, and promotional activities.

This list is not intended to be a complete list of items, you can pick and choose to form some type of Desktop Risk Assessment but hopefully you can see some of the things areas you can assess and deliver any remedial action which may be warranted. Further, if you aim to perform an annual Desktop Risk Assessment with a full worldwide risk assessment every two years or so, you should be in a good position to keep abreast of compliance issues that may change and need more or greater risk management. And do not forget the that the FCPA Guidance ends its section on risk with, “When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”

A completely different approach was articulated by Leonard Shen, Vice President (VP) and Chief Compliance Officer (CCO) at PayPal, in a presentation to Compliance Week. His approach is not the right approach for every company but for those initiating their compliance journey, or a company considering a significant upgrade due to some systemic issue; this approach may be a more effective approach than the traditional risk assessment where a team of lawyers, CPAs and internal auditors assess a company’s compliance environment.

In a company which is initiating its compliance program, it can be perceived as a sea change of culture. However, Shen indicated that he had used an approach which worked to alleviate those types of concerns which also provided enough information to perform a robust assessment which could be used to form the basis of an effective compliance program. He termed this type of approach as one to “engage and educate.” While the approach had a two word name, it actually had three purposes; (1) to engage the employees in what would form the basis for an enhanced compliance program; (2) to educate the employees generally in compliance and ethical behavior; and (3) through the engagement of employees, to gather information which could be used to form the basis of a risk assessment.

Shen and his compliance team traveled to multiple company locations, across the globe, to meet with as many employees as possible. A large number these meetings were town hall settings, and key employee leaders, key stakeholders and employees identified as high risk, due to interaction with foreign governmental official touch-points, were met with individually or in smaller groups. Shen and his team listened to their compliance concerns and more importantly took their compliance ideas back to the home office.

From this engagement, the team received several thousand-employee suggestions regarding enhancements to the company’s compliance program. After returning to the US, Shen and his team winnowed down this large number to a more manageable number, somewhere in the range of a couple of hundred. These formed the basis of a large core of the enhancements to the existing company compliance program. After the enhanced compliance program was rolled out formal training began. During the training, the team was able to give specific examples of how employee input led to the changes in the enhanced program. This engaged the employees and made them feel like they were a part of, and had a vested interest in, the company’s compliance program. This employee engagement led to employee buy-in.

During the town hall meetings, and the smaller more informal group meetings, Shen and his team were doing more than simply listening, they were also training. However, the training was not on specific compliance provisions; it was more generally on overall ethics and how the employees could use compliance as a business tool. Most ethical standards of a company are not found in an existing compliance program, they are found in the general anti-discrimination guidelines and ethical business practices such anti-competitiveness and use of customer confidential information prohibitions. Often these general concepts can be found in a company’s overall Code of Conduct or similar statement of business ethics; workplace anti-discrimination and anti-harassment guidelines can be found in Human Resource policies and procedures.

Concepts such as anti-competitiveness and use of customer and competitor’s illegally obtained confidential information may be found in anti-trust or other business practice focused guidelines.

Shen and his team’s aim on the education component of “engage and educate” was to have the company employee’s start thinking about doing business the ethical way. It was ethical concept based training designed to be in contrast to a rules based approach, where employees believe they are taught the rules, and then try to see how close they can get to the line of violating the compliance rule without actually stepping over the line. Moreover, by having this general ethical business training, it laid the groundwork for the enhancement of the company’s compliance program and the training that would occur when the enhancement was rolled out.

A third key component of the “engage and educate” program is the risk assessment component. Shen’s approach here was not the traditional control-testing model, where documents are pulled and tested against a standard. Shen and his team listened, listened and listened. They listened to their employees concerns and they listened to the compliance issues they raised. As they were listening they began to ask questions about what was done and why. The questioning was not in an adversarial, interrogation mode but ferreting out the employees concerns while having the employees educate the team on the actual procedures that were used in several areas identified as key high risk areas.

Shen emphasized that this was an assessment and not an audit so no detailed forensic work was needed or used. However, by listening, and gently questioning, Shen and his team were able to garner enough information to create a risk assessment profile which informed and became the basis of their compliance program enhancement. Shen and his team did not identify to the company employees that they were engaged in a formal risk assessment. He believed that in many ways, he and his team were able to garner more useful information with which to inform their compliance program enhancement.

Shen’s “engage and educate” approach worked for his company at that point in time. It may not work for other companies as a traditional risk assessment but it does provide a different model if your company is beginning to create their compliance program, or is looking into a major enhancement.

Tomorrow, I will look at how you might use a risk assessment going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

 

August 26, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part I

7K0A0079Yesterday, I blogged about the Desktop Risk Assessment. I received so many comments and views about the post, I was inspired to put together a longer post on the topic of risk assessments more generally. Of course I got carried away so today, I will begin a three-part series on risk assessments. In today’s post I will review the legal and conceptual underpinnings of a risk assessment. Over the next couple of days, I will review the techniques you can use to perform a risk assessment and end with a discussion of what to do with the information that you have gleaned in a risk assessment for your compliance program going forward.

One cannot really say enough about risk assessments in the context of anti-corruption programs. Since at least 1999, in the Metcalf & Eddy enforcement action, the US Department of Justice (DOJ) has said that risk assessments that measure the likelihood and severity of possible Foreign Corrupt Practices Act (FCPA) violations identifies how you should direct your resources to manage these risks. The FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” The UK Bribery Act has a similar view. In Principal I of the Six Principals of an Adequate Compliance program, it states, “The commercial organisation regularly and comprehensively assesses the nature and extent of the risks relating to bribery to which it is exposed.” In other words, risk assessments have been around and even mandated for a long time and their use has not lessened in importance. The British have a way with words, even when discussing compliance, and Principal I of the Six Principals of an Adequate Compliance program says that your risk assessment should inform your compliance program.

Jonathan Marks, a partner in the firm of Crowe Horwath LLP, said the following about risk assessments in his 13-step FCPA Compliance Action Plan, “A comprehensive assessment of the potential bribery and corruption risks – both existing and emerging risks – associated with a company’s products and services, customers, third-party business partners, and geographic locations can serve as the basis for the compliance program. The risk assessment determines the areas at greatest risk for FCPA violations among all types of international business transactions and operations, the business culture of each country in which these activities occur, and the integrity and reputation of third parties engaged on behalf of the company.”

The simple reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face. Both the both the US Sentencing Guidelines, the UK Bribery Act’s Consultative Guidance list Risk Assessment as the initial step in creating an effective anti-corruption and anti-bribery program.

What Should You Assess?

In 2011, the DOJ concluded three FCPA enforcement actions which specified factors which a company should review when making a Risk Assessment. The three enforcement actions, involving the companies Alcatel-Lucent SA, Maxwell Technologies Inc. and Tyson Foods Inc. all had common areas that the DOJ indicated were FCPA compliance risk areas which should be evaluated for a minimum best practices FCPA compliance program. Both the Alcatel-Lucent and Maxwell Technologies Deferred Prosecution Agreements (DPAs) listed the seven following areas of risk to be assessed.

  1. Geography-where does your Company do business.
  2. Interaction with types and levels of Governments.
  3. Industrial Sector of Operations.
  4. Involvement with Joint Ventures.
  5. Licenses and Permits in Operations.
  6. Degree of Government Oversight.
  7. Volume and Importance of Goods and Personnel Going Through Customs and Immigration.

All of these factors were reiterated in the FCPA Guidance which stated, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.”

These factors provide guidance into some of the key areas that the DOJ apparently believes can put a company at higher FCPA risk. These factors supplement those listed in the UK Bribery Consultative Guidance states, “Risk Assessment – The commercial organization regularly and comprehensively assesses the nature and extent of the risks relating to bribery to which it is exposed.” The Guidance points towards several key risks which should be evaluated in this process. These risk areas include:

  1. Internal Risk – this could include deficiencies in
  • employee knowledge of a company’s business profile and understanding of associated bribery and corruption risks;
  • employee training or skills sets; and
  • the company’s compensation structure or lack of clarity in the policy on gifts, entertaining and travel expenses.
  1. Country risk – this type of risk could include:

(a) perceived high levels of corruption as highlighted by corruption league tables published by reputable Non-Governmental Organizations such as Transparency International;

(b) factors such as absence of anti-bribery legislation and implementation and a perceived lack of capacity of the government, media, local business community and civil society to effectively promote transparent procurement and investment policies; and

(c) a culture which does not punish those who seeks bribes or make other extortion attempts.

  1. Transaction Risk – this could entail items such as transactions involving charitable or political contributions, the obtaining of licenses and permits, public procurement, high value or projects with many contractors or involvement of intermediaries or agents.
  2. Partnership risks – this risk could include those involving foreign business partners located in higher-risk jurisdictions, associations with prominent public office holders, insufficient knowledge or transparency of third party processes and controls.

Another approach was detailed by David Lawler, in his book “Frequently Asked Questions in Anti-Bribery and Corruption”. He broke the risk areas to evaluate down into the following categories: (1) Company Risk, (2) Country Risk, (3) Sector Risk, (4) Transaction Risk and (5) Business Partnership Risk. He further detailed these categories as follows:

  1. Company Risk-Lawyer believes this is “only to be likely to be relevant when assessing a number of different companies – either when managing a portfolio of companies from the perspective of a head office of a conglomerate or private equity house.” High risk companies involve, some of the following characteristics:
  • Private companies with a close shareholder group;
  • Large, diverse and complex groups with a decentralized management structure;
  • An autocratic top management;
  • A previous history of compliance issues; and/or
  • Poor marketplace perception.
  1. Country Risk-this area involves countries which have a high reported level or perception of corruption, have failed to enact effective anti-corruption legislation and have a failure to be transparent in procurement and investment policies. Obviously the most recent, annual Transparency International Corruption Perceptions Index can be a good starting point. Other indices you might consider are the Worldwide Governance Indicators and the Global Integrity index.
  2. Sector Risk-these involve areas which require a significant amount of government licensing or permitting to do business in a country. It includes the usual suspects of:
  • Extractive industries;
  • Oil and gas services;
  • Large scale infrastructure areas;
  • Telecoms;
  • Pharmaceutical, medical device and health care;
  • Financial services.
  1. Transaction Risk-Lawyer says that this risk “first and foremost identifies and analyses the financial aspects of a payment or deal. This means that it is necessary to think about where your money is ending up”. Indicia of transaction risk include:
  • High reward projects;
  • Involve many contractor or other third party intermediaries; and/or
  • Do not appear to have a clear legitimate object.
  1. Business Partnership Risk-this prong recognizes that certain manners of doing business present more corruption risk than others. It may include:
  • Use of third party representatives in transactions with foreign government officials;
  • A number of consortium partners or joint ventures partners; and/or
  • Relationships with politically exposed persons (PEPs).

There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries into your risk analysis, it should be acceptable for your starting point.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 14, 2014

Na-Nu Na-Nu – Final Report to Ork From Mork – Information from FCPA Inquiries

Mork from OrkEd. Note: Na-Nu Na-Nu. We interrupt our daily blog post to provide this final report to the Planet Ork. Na-Nu Na-Nu 

To say that the American culture lost two prime cultural champions this week would be an understatement. The effect that Robin Williams and Lauren Bacall had on a variety of areas in this country probably cannot be measured. Over the next two blogs I will honor each of these larger than life personas and try to examine how they may impact your Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption program. Today Robin Williams; tomorrow Lauren Bacall.

Where does one begin or even end with Robin Williams? His early work in standup comedy; his sitcom television performances; to his many guest appearances on TV variety shows; his incredible movie career – both live and animated; or even his well-known and very public struggles with substance abuse and depression. He was one incredible body of work. For almost any American who grew up in the 70s, we were introduced to Williams in the sitcom Mork and Mindy. His role as an alien allowed him to rift and comment on many human foibles. This was most thoroughly on display at the end of every episode when, in character as Mork, he would report back to his home planet of Ork on some aspect of terran culture. (Na-Nu Na-Nu)

This weekly communication informed both his home planet and us here on Planet Earth about ‘social norms’. I considered this form of communication when I read a recent article in the Wall Street Journal (WSJ), entitled “Venezuelan Firm Is Probed In U.S.”, by José De Córdoba and Christopher M. Matthews. They reported on a Venezuelan company, Derwick Associates (Derwick), who are under investigation by the Department of Justice (DOJ) and Manhattan District Attorney’s office. Derwick was reported to have been “awarded hundreds of millions of dollars in contracts in little more than a year to build power plants in Venezuela, shortly before the country’s power grid began to sputter in 2009”. Also under investigation is a Missouri based engineering, procurement and construction company, ProEnergy Services (ProEnergy), “that sold dozens of turbines to Derwick and helped build the plants”. The article reported that the DOJ’s “criminal fraud section are reviewing actions of Derwick and ProEnergy for possible violations of the Foreign Corrupt Practices Act”.

The article noted that this issue might have come to the attention of the DOJ and Manhattan DA through a lawyer at Derwick who voluntarily contacted federal prosecutors last year. Although it was not clear from the WSJ article if it was related to or even played a part in instigating the FCPA investigation, was information that Otto Reich, “the top State Department official for Latin America during the Administration of President George W. Bush, had filed a federal court lawsuit in 2013, alleging among other things that “Derwick and the company’s owners, among others, obtained contracts to build power stations in return for paying multimillion dollar bribes to senior Venezuelan officials.””

At least one of the basis of regulatory scrutiny was funding of a bribery scheme through overcharging for goods and services. The article reported “Federal prosecutors are scrutinizing the difference been prices ProEnergy charged Derwick for its equipment and the prices Derwick charged the Venezuelan government, a person familiar with the matter said. The person said that in some past FCPA cases, excessive margins were used to conceal bribes to pay foreign officials.”

Derwick, in a statement from its President Alejandro Betancourt, which was provided by its lawyer Adam Kaufmann, said, “Neither Derwick nor its principals have been contacted by any U.S. law enforcement agency.” Clearly this begs the question of whether the company has been contacted by any representatives of the US government who are not from a “law enforcement agency”. In a statement from ProEnergy, it declined to comment on any investigation.

Consider some of the information from this WSJ article. First is how did this case come to the attention of the DOJ? About all that can be said from the article is that Derwick did not self-disclose to the DOJ. However, given the relationship between the government of Venezuela and the US, is it really a surprise that large commercial transactions by US entities into Venezuela are scrutinized by the US government? Did the investigation come about from a whistleblower, i.e. the lawyer for Derwick? If yes, what is the legal obligation of lawyer to his or her client? What if the lawyer sees, observes or even inadvertently stumbles upon criminal activity? What if the lawyer removes documentation, which the lawyer believes demonstrates evidence of a crime?

I was also very intrigued by the information about investigators looking into pricing margins as indicia of corruption. One of the more increasing areas of FCPA scrutiny has been that of commission rates. This is because under circumstances, a high or unusual commission rate can be indicia of monies which are available by a third party, paid via commission, to use as a pot of money to pay bribes to foreign officials. If your typical commission is 5% or you have a range of 5% to 10%, but provide one third party a commission rate of 15%, this may be evidence that the unusual amount is being used as a mechanism to fund bribes.

However, simply focusing on the commission rate alone is too facile an inquiry. Even a commission rate below 5% can create quite an amount of money if the sales price is sufficiently high. In the energy industry, large service contracts or construction contracts can be huge, i.e. in excess of $1bn, and five percent of such an amount is a very large sum of money. It is, therefore, not unusual that in some contracts, the percentage commission will decrease with an increased contract price. The point is there is no one right or wrong commission rate. It will be a fact intensive inquiry.

Borrowing from a noted compliance practitioner, William Athanas, who has suggested an appropriate inquiry along the lines of the following: Where the third party requests a commission above the standard range, the policy should require a legitimate justification. Evaluating and endorsing such a justification requires three steps: (1) relevant information about the contemplated increased commission must be captured and memorialized; (2) requests for increased commissions should be evaluated in a streamlined fashion, with tiered levels of approval (higher commissions require higher ranking official approval); and (3) increased commissions are then tracked, along with the requests and authorizations, in order to facilitate auditing, testing and benchmarking. The point is there needs to be a well thought-out protocol, which is followed and well documented through the entire process.

Another insight that I gleaned from the WSJ article comes from the seller/customer relationship between Derwick and ProEnergy. ProEnergy is reported to have sold turbines to Derwick and have assisted in constructing the power plants. When your company sells a product to a customer, a compliance practitioner typically does not become involved in the negotiations over final pricing between your company’s customer and the end-user. ProEnergy may not have been concerned with the final pricing that Derwick charged their customer, the Venezuelan government. Indeed, the compliance function may not be involved with the commercial pricing between your company and its direct purchaser. This article may require you to change this posture. Was ProEnergy asked to reduce its price to Derwick so that Derwick could mark the price up enough to the Venezuelan government to create a pool of money that could be used to pay bribes? What if ProEnergy received its full listed price book rate but then Derwick charged a premium to the Venezuelan government?

Finally, what about risk? The WSJ article reported that Derwick’s President said “the company’s margins [with the Venezuelan government] were consistent with general industry practice and reflected the high financial risk taken on during a difficult time to do business in Venezuela.” If your company has a business opportunity that presents a high financial reward, is it necessarily because there is some high risk involved? That risk can be risk of getting paid, bringing the project in on time and within budget, political risk, weather-related risk or almost any other type of risk, but that risk might also be a corruption risk. While the WSJ article does not report on the size of the US Company involved in the inquiry, ProEnergy, it would seem that its commercial relationship with Derwick generated a large amount of income for the company. If your company has one of its largest contracts for work overseas, should there be compliance function review and scrutiny of the risks involved?

Are these inquiries that a compliance practitioner now needs to make? If so, how does a Chief Compliance Officer (CCO) make such an inquiries? I think Donna Boehme would say that it all begins with the compliance function ‘having a seat at the senior management table’ so that the CCO or compliance practitioner can be aware when some unusual business opportunity arises. Questions, questions, and more questions.

Na-Nu Na-Nu – this is the final report to Ork from Planet Earth. Na-Nu Na-Nu 

For a viewing of one of Mork’s reports to his home planet Ork, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 31, 2014

Lessons Learned from the Beautiful Game: Compliance, FIFA and the World Cup

World Cup e-BookThe 2014 World Cup is over and in the books. It was a great tournament for probably everyone across the globe but the host nation of Brazil. While there are many lessons to be learned from this event, the lead up to and events of this year’s World Cup provide some interesting insights for the compliance practitioner. I have collected some of my writings on FIFA, the World Cup and the world of the ‘Beautiful Game’ in one volume, entitled, “Lessons Learned from the Beautiful Game: Compliance, FIFA and the World Cup”. It is now out and available from amazon.com in Kindle e-reader format.

In this short volume I take a look at some for the following topics.

  • FIFA and its selection process for the 2022 World Cup in Qatar.
  • Performing due diligence and World Cup bids.
  • Referee Professionalism as an anti-corruption tool
  • What are some of the consequences for failure to set a proper tone-at-the-top.
  • Leadership lessons from managers of some of the world’s top soccer clubs.
  • Lessons learned from both compliance successes and failures.

I am sure that you will find this e-Book gives you some ideas for your anti-corruption compliance program, no matter which FIFA country you might practice compliance in. Finally, you cannot beat the price, as it is only $3.99. You can order a copy by going to amazon.com or by simply clicking here.

July 25, 2014

Code of Conduct, Compliance Policies and Procedures-Part IV

Policies and ProceduresThis is the fourth and final installment of my series on the the importance of a Code of Conduct and anti-corruption compliance policies and procedures in your compliance program and how you should go about drafting or updating Code of Conduct and anti-corruption compliance policies and procedures. On Tuesday, I reviewed the underlying legal and statutory basis for the documents as a foundation of your overall anti-corruption regime. In subsequent posts, I looked at how to go about drafting your Code of Conduct and anti-corruption compliance policies and procedures. Today, I will end the series on how to keep all of the above vibrant and dynamic through a discussion of how to assess, review and revise them and your Code of Conduct on a timely basis.

Simply having a Code of Conduct, together with policies and procedures is not enough. As articulated by former Assistant Attorney General, for the Criminal Division of the US Department of Justice, Lanny Breuer, “Your compliance program is a living entity; it should be constantly evolving.” In an article in the SCCE Magazine, entitled “Six steps for revising your company’s Code of Conduct”, authors Anne Marie Logarta and Ruth Ward suggest considering the following issues before you take on an update of your Code of Conduct.

  • When was the last time your Code of Conduct was released or revised?
  • Have there been changes to your company’s internal policies since the last revision?
  • Have there been changes to relevant laws relating to a topic covered in your company’s Code of Conduct?
  • Are any of the guidelines outdated?
  • Is there a budget to create/revise a Code?

After considering these issues, the authors suggest that you should benchmark your current Code of Conduct against others companies in your industry. I would also add that your standards, policies and procedures should be reviewed and updated in the same manner. If you decide to move forward the authors have a six-point guide which they believe will assist you in making your revision process successful, which I have used as a basis to include revisions to your compliance policies and procedures.

  1. Get buy-in from decision makers at the highest level of the company 

The authors believe that your company’s highest level must give the mandate for a revision to a Code of Conduct and compliance polices and procedures. It should be the Chief Executive Officer (CEO), General Counsel (GC) or Chief Compliance Officer (CCO), or better yet all three to mandate this effort. Whoever gives the mandate, this person should be “consulted at every major step of the Code review process if it involves a change in the direction of key policies.”

  1. Establish a core revision committee 

You should have a cross-functional working group would be ideal to head up your effort to revise your Code of Conduct and compliance polices and procedures. This group should include representatives from the following departments: legal, compliance, communications, HR; there should also be other functions which represent the company’s domestic and international business units; finally there should be functions within the company represented such as finance and accounting, IT, marketing and sales.

From this large group, the topics can be assigned for initial drafting to functions based on “relevancy or necessity”. These different functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. The authors emphasize that creation of a “timeline at the outset of the revision is critical and hold the function representatives accountable for meeting their deliverables.”

  1. Conduct a thorough technology assessment 

The cornerstone of the revision process is how your company captures, collaborates and preserves “all of the comments, notes, edits and decisions during the entire project.” They believe that technology such as SharePoint or Google Cloud can be of great assistance to accomplish this process even if you are required to train team members on their use.

In addition to this use of technology in drafting your Code of Conduct and compliance polices and procedures revisions, you should determine if they will be available in hard copy, online or both. If it will be available online, you should assess “the best application to launch your Code and whether it includes a certification process”. Lastly, there must be a distribution plan, particularly if the Code and compliance polices and procedures will only be available in hard copy.

  1. Determine translations and localizations 

The authors emphasize, “If your company does business internationally, then this step is vital to ensure you have one Code, no matter the language.” They do note that if you decide to translate your Code of Conduct be sure and hire someone who is an “approved company translation subject matter expert.” Here I would simply say to contact Jay Rosen at Merrill Brink, as those guys are the one of the top Language Service Providers and know what they are doing when it comes to translations. The key is that “your employees have the same understanding of the company’s Code-no matter the language.” 

  1. Develop a plan to communicate the Code of Conduct 

A rollout is always critical because it “is important that the new or revised Code is communicated in a manner that encourages employees to review and use the Code on an ongoing basis.” Your company should use the full panoply of tools available to it to publicize your new or revised Code of Conduct and compliance polices and procedures. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide Code of Conduct and compliance polices and procedures meeting where the new or revised documents are rolled out across the company all in one day. But remember, with all thing compliance; the three most important aspects are ‘Document, Document and Document’. However you deliver the new or revised Code of Conduct, you must document that each employee receives it.

6.   Stay on Target 

The authors end by noting that if you set realistic expectations you should be able to stay on deadline and stay within your budget. They state that “You want to set aside enough time so that you won’t feel rushed or in a hurry to get it done.” They also reiterate that to keep a close watch on your budget so that you do not exceed it.

These points are a useful guide to not only thinking through how to determine if your Code of Conduct, and compliance policies and procedure needs updating, but also practical steps on how to tackle the problem. If it has been more than five years since it was last updated, you should begin the process that the authors have laid out. It is far better to review and update if appropriate than wait for a massive FCPA investigation to go through the process.

There are numerous reasons to put some serious work into your Code of Conduct, policies and procedure. They are certainly a first line of defense when the government comes knocking. The FCPA Guidance makes clear that “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” And by considered, I think it is clear that this means the regulators will take a strong view against a company that does not have well thought out and articulated policies, procedures or Code of Conduct; all of which are systematically reviewed and updated. Moreover, as Allen emphasized, “having policies written out and signed by employees provides what some consider the most vital layer of communication.” Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the ‘Document, Document and Document’ mantra applies just as strongly to this area of anti-corruption compliance.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 22, 2014

Code of Conduct, Compliance Policies and Procedures-Part I

Policies and ProceduresFor the remainder of this week, I will have a four-part episode on your Code of Conduct and anti-corruption compliance policies and procedures. In today’s post I will review the underlying legal and statutory basis for the documents as a foundation of your overall anti-corruption regime. In subsequent posts, I will review how to go about drafting your Code of Conduct and anti-corruption compliance policies and procedures and how to assess, review and revise them on a timely basis.

The cornerstone of a US Foreign Corrupt Practice Act (FCPA) compliance program is its written protocols. This includes a Code of Conduct, policies and procedures. These requirements have long been memorialized in the US Federal Sentencing Guidelines (FSG), which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements the Department of Justice (DOJ) has crafted its minimum best practices compliance program, which is now attached to every Deferred Prosecution Agreement (DPA) and Non-Prosecution Agreement (NPA). These requirements were incorporated into the 2012 FCPA Guidance. The FSG assumes that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct? The starting point, as per the FSG, reads as follows:

Element 1

Standards of Conduct, Policies and Procedures (a Code of Conduct)An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages “ethical conduct” and a commitment to compliance with applicable regulations and laws. 

In the FCPA Guidance, the DOJ and Securities and Exchange Commission (SEC) state, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company chapter has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.”

In each DPA and NPA over the past 36 months the DOJ has said the following as item No. 1 for a minimum best practices compliance program.

  1. Code of Conduct. A Company should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy shall be memorialized in a written compliance code. 

Stephen Martin and Paul McNulty, partners in the law firm of Baker and McKenzie, developed one of the best formulations that I have seen of these requirements in their Five Elements of an Effective Compliance Program. In this formulation, they posit that your Code of Conduct, policies and procedures should be grouped under the general classification of ‘Standards and Procedure’. They articulate that every company has three levels of standards and controls. First, every company should have a Code of Conduct, which should, most generally express its ethical principles. But simply having a Code of Conduct is not enough. So a second step mandates that very company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. From the base of a Code of Conduct and standards and policies, every company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.

FCPA compliance best practices now require companies to have additional standards and controls, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on a piece of paper.

In an article in the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual, 2nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”

There are several purposes identified by the authors which should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your FCPA compliance program are ‘Document, Document and Document’. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands the Code. For employees, it is important that a representative of the Compliance Department, or other qualified trainer, explains the standards set forth in your Code of Conduct and answers any questions that an employee may have. Your company’s employees need to attest in writing that they have received, read, and understood the Code of Conduct and this attestation must be retained and updated as appropriate.

The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed your Code of Conduct for five years, I would suggest that you do in short order as much has changed in the compliance world.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 21, 2014

World Cup Finale – Compliance Lessons to be learned from Success and Failure

World Cup 2014Over the past few weeks, I have written several articles on the lessons a compliance practitioner can draw from this year’s World Cup and the international group which runs the event, the Fédération Internationale de Football Association or more commonly know as FIFA. Over on my podcast site, the FCPA Compliance and Ethics Report, Mike Brown, the Managing Director of Infortal and myself have just concluded a 7 part World Cup Report, where we discussed issues surrounded FIFA and this year’s World Cup in the context of anti-corruption programs. Whatever else FIFA may be, it is certainly is a compliance practitioner’s dream for lessons learned on bribery and corruption.

The 2014 championship is over and Germany came through this year’s tournament as the clear victors. Over the past couple of weeks, I was lucky enough to see the current Queen/Adam Lambert Tour. They ended both concerts with We Are the Champions and I could not but help think of the German soccer team and indeed the entire German country, winning its first World Cup title since unification. And, of course, any discussion of Germany, its title and this year’s World Cup will have to include is absolute destruction of the Brazilian team and the hearts of the host country with its 7-1 uber-win in the Semi-Finals. How long will that game be remembered? My guess is as long as soccer is played.

While Argentina did have its shots at Germany in the finals, in order to win they were required to play a near perfect game, which, unfortunately for the team and the country, it failed to do in the finals. Does this mean that Messi is not the greatest player in the game today? I really do not know but I still love watching him play and that is good enough for me.

From all of this, the lessons for the compliance practitioner can be many but I wanted to focus on two leadership lessons: What can you learn from failure? and What can your learn from success? Losing first. In an article in this week’s issue of Sports Illustrated, entitled “And Then There was Ein”, Grant Wahl wrote about how Germany turned its national soccer program around from one of its most devastating performances in Euro 2000 where it finished last in its group and did not win a single match in the tournament. From that nadir, “the national federation teamed up with German clubs to overhaul the country’s youth development.” Players from this development program were instrumental in leading the 2014 German team to the 2014 World Cup win. In other words, the German soccer federation learned from its past mistakes and grew a team that became champions.

Contrast this lesson with Wahl’s take on Brazil. He quoted Alex Bellos who said the following, “What does it mean to be the five-time champion if you let in four goals in six minutes?… The world’s biggest footballing country hosting a World Cup, in front of their own fans, and were made to look like they couldn’t play football. And against a team that was playing with artistry and sophistication and happiness, all the thing that Brazil is supposed to play with. You couldn’t have devised a more devastating epitaph for the Beautiful Game.” Bellos went on to say, “Brazil’s week from hell revealed a nation satisfied with resting on past soccer achievements and unwilling to seek new ideas abroad.”

Just as lessons can be learned from failure they can also be learned from success. In this week’s Corner Office section in the New York Times (NYT), Adam Bryant profiled Kat Cole, the President of Cinnabon, in an article entitled “Questioning Success More Than Failure”. While thinking about Germany’s success in the World Cup I was intrigued when Bryant quoted Cole for the following, “I’ve learned to question success a lot more than failure. I’ll ask more questions when sales are up than I do when they’re down. I ask more questions when things seem to be moving smoothly, because I’m thinking: “There’s got to be something I don’t know. There’s always something.” This approach means that people don’t feel beat up for failing, but they should feel very concerned if they don’t understand why they’re successful. I made mistakes over the years that taught me to ask those questions.”

Both of these perspectives can be very useful for the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance practitioner. Just as it is axiom that your compliance program should not be static but dynamic and evolving, what are you learning from your compliance failures and compliance successes? Most lawyers and compliance practitioners can review root cause/analyses to help determine how a compliance failure might have arisen. But how many are looking at your compliance successes. By this I do not mean celebrating your compliance successes but performing the same type of root cause/analyses to determine how a fact pattern arose but was prevented from becoming a full-blown FCPA violation. If something came in through the hotline, did you interview the whistleblower about what caused them to have confidence to report in that manner? Did you look at the training delivered to the whistleblowing employee? How about their supervisor? Did you interview that supervisor to see how he or she got the message out to not only use the hotline but stress the message of no retaliation?

In her interview Cole put it another way when she said, “I learned to make sure I take the full authority of my role. When I haven’t, I knew it immediately. And so I keep a keen eye out for whether my young leaders are forgoing an opportunity to lead. Their intentions might be right but the action and outcome are wrong. I remind people that they were hired for their point of view: “I want 100 percent of your brain 100 percent of the time, and there is a respectful way to communicate and disagree. Please do not hold back, because I want 100 percent of my investment in you.””

For the compliance practitioner, I found Cole’s insights useful in other areas. Although given in the context of ambitious employees who might want to succeed at Cinnabon, I found them to be useful in compliance as well. “First, I talk about being incredibly coachable, because we all give each other feedback. If you want to move up, you’ve got to get as many inputs as possible to continue to develop. Second, take your development into your own hands and be curious about the entire company. If there’s something you want to learn, go learn it. The structure here is like a start-up. Then I talk about productive achievers and destructive achievers, and that I only promote and support productive achievers. And that’s about mentoring and helping others while you are delivering results.

Germany is the new king of the soccer world. Long live the King, at least until the next World Cup. The lessons that Germany took to heart in the wake of its disaster in Euro 2000 directly led to it hoisting the trophy this year. Conversely, Brazil rested on its considerable laurels and now must live with the ignominy of a 7-1 shellacking, probably for the rest of the country’s collective memory. For a compliance program to be effective it must evolve. As Wahl’s Sports Illustrated article makes clear, lessons can be learned and evolution made from failure. However, as Bryant’s Corner Office article interview of Cole makes clear as well, lessons can be learned from successes as well.

Perhaps that is the final lesson from the 2014 World Cup…

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

June 26, 2014

Coolness in Being the Bad Guy? Eli Wallach and GSK

Eli WallachEli Wallach died Tuesday. For my money, he was about the coolest bad guy out there. Not tough like Lee Marvin, just cool. My favorite Wallach roles were as Calvera in The Magnificent Seven and as Tuco in The Good, The Bad and The Ugly. An early proponent of method acting, Wallach performed on the stage and in films for over 60 years. Although originally from Brooklyn, Wallach was also a fellow Texas Longhorn, having attended the University of Texas. He served in France as a Second Lieutenant in France during World War II.

I thought about Wallach’s über coolness when considering the most decided uncool position of the UK pharmaceutical giant GlaxoSmithKline PLC (GSK) recently. Last month the Chinese government issued a most very stern warning to GSK when it accused the former head of GSK’s China business of direct involvement in bribery and corruption. But more than this direct accusation, the move was a clear warning shot across the bow of not only western pharmaceutical companies doing business in China but also all western companies. In an article in the Wall Street Journal (WSJ), entitled “Beijing Warns Sernly on Glaxo”, Laurie Birkett quoted Helen Chen, a director and partner at consultancy L.E.K., as saying “Focusing much of the blame on a foreigner sends a strong message to all. Companies will see that if authorities are willing to accuse even a foreigner, who is in senior management, the issue is being taken seriously, it’s a clear message that bribery is unacceptable in the market.” Burkitt went on to say, “Experts say China’s medical system is deeply underfunded, giving doctors, hospitals and administrators an incentive to overcharge and overprescribe. Glaxo, in the past, organized trips for doctors around China and to places such as Budapest and Greece as part of a broader effort involving perks and cash to get doctors to boost drug prescriptions, according to documents previously reviewed by The Wall Street Journal.”

Such reports of endemic corruption are not new. An article, entitled “GSK China probe flags up wider worries”, in the Wednesday edition of the Financial Times (FT) reporters Andrew Jack and Patti Waldmeir discussed not only the endemic nature of corruption in China but how, in many ways, the Chinese health care system is based on such corruption. The piece quoted George Baeder, an independent drug industry advisor, for the following, “Financial flows – both legal and illegal – tied to drug and device sales are funding perhaps 60-80 per cent of total hospital costs. Without this funding, the current system would collapse.” Further, “central and provincial Chinese governments cannot afford to pay doctors a living wage, and may patients cannot afford to pay the true cost of care.” And finally, “Up to now, Beijing has turned a blind eye as pharma companies find ways to subsidise doctor salaries and underwrite their medical education.” How about that for structural corruption?

Intertwined with this structural issue is the problem of the quantity and quality of the drug supply. Many Chinese doctors do not feel that there is an acceptable alternative to foreign pharmaceutical products. This drives up the cost of prescribed medicines, as this quantity is therefore limited. But even where indigenous Chinese generic drugs are available as alternatives, many patients do not trust these medicines. This restricts the quality of drugs available.

But with this recent round of accusations against GSK it appears that the Chinese government has opened a new front. In an article in The Telegraph, entitled “GSK bribery scan could cause ‘irreparable damage’, says China”, Denise Roland reported that “Beijing has apparently issued a warning to all foreign firms, cautioning that the corruption charges against GlaxoSmithKline executives could cause “irreparable damage” to the drug maker’s Chinese operations.” She quoted from the state news agency Xinhua for the following, “GSK’s practices eroded its corporate integrity and could cause irreparable damage to the company in China and elsewhere. The case is a warning to other multinationals in China that ethics matter.”

In addition to these charges against a senior GSK executive, which could lead liability up to the GSK boardroom, Jonathan Russell, also writing in The Telegraph, in an article entitled “GlaxoSmithKline is facing more than double jeopardy”, said that “GlaxoSmithKline’s problems are multiplying fast. In China authorities have identified 46 individuals connected to the company they claim were involved in “massive and systemic bribery”. In the UK the Serious Fraud Office (SFO) marked out its pitch this week, revealing it has opened an official investigation into allegations of bribery; and an internal GSK probe is looking at potential wrongdoing in Jordan and Lebanon.” More ominously, he also noted that “Given the slew of allegations so far it seems a fair assumption that other international law enforcement agencies, notably the US Department of Justice, will be taking a long, close look at the allegations.”

While Russell points to the general UK prohibition against prosecutions, which might invoke double jeopardy, he says “As ever with the law there are exceptions to the principle. However they are limited in scope and rare in number. It may also be the case that the principle of double jeopardy may not be invoked in this case if the alleged offences the SFO is investigating are separate to those under investigation in China. They could relate to matters that took place in Jordan or Lebanon.” Russell also pointed out that “international prosecutors carving up parts of prosecutions so they can all have their pound of flesh. A very painful prospect for GSK.” It will also be interesting to see if GSK is charged under the UK Bribery Act, under the prior law or both. If charges are brought under the Bribery Act, which became effective on July 1, 2011, do you think GSK would try and raise a compliance defense based on the Six Principals of Adequate Procedures? I guess having a compliance defense is pretty useless if your company engages in bribery and corruption.

While Russell talks about the aggressiveness of US prosecutors under the Foreign Corrupt Practices Act (FCPA), he does not discuss what may be GSK’s greatest exposure in the US. GSK was under the equivalent of a Deferred Prosecution Agreement (DPA) called a Corporate Integrity Agreement (CIA) for its prior sins related to off-label marketing. This CIA not only applied to the specific pharmaceutical regulations that GSK violated but all of the GSK compliance obligations, including the FCPA. In addition to requiring a full and complete compliance program, the CIA specified that the company would have a Compliance Committee, inclusive of the Compliance Officer (CO) and other members of senior management necessary to meet the requirements of this CIA, whose job was to oversee full implementation of the CIA and all compliance functions at the company. These additional functions required Deputy Compliance Officers for each commercial business unit, Integrity Champions within each business unit and management accountability and certifications from each business unit. Training of GSK employees was specified. Further, there was detail down to specifically state that all compliance obligations applied to “contractors, subcontractors, agents and other persons (including, but not limited to, third party vendors)”.

For the compliance practitioner, one clear message from the GSK matter is to monitor, audit and continuously review your Chinese operations. I will have more to say about the China corruption crackdown in an upcoming blog post but just like Eli Wallach as Calvera in The Magnificent Seven told the gunmen hired to protect the Mexican village, you have been warned.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

June 9, 2014

GSK Faces a Bad Day at Black Rock

Bad Day at Black RockOne of my favorite movies is Bad Day at Black Rock. It is one of the few movies to combine elements of film noir into something approaching a traditional Western. It also attacks directly the prejudice and hate against Japanese-Americans in the immediate aftermath of Pearl Harbor. I thought about that eponymous title when I read a recent article in the Financial Times (FT), entitled “GSK salesmen want ‘bribes’ reimbursed”, by reporters Patti Waldmeir and Andrew Ward.

You know it is going to be a bad day when your employees line up to testify against your company in an ongoing investigation for bribery and corruption. But those rainy day sighs can go up to the Bad Day at Black Rock level when these same employees publicly announce that the company they work for owes them for the creation of fraudulent invoices used by a business unit to fund bribery and corruption which violates not only the US Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act but also domestic Chinese anti-corruption laws. This happened to the UK pharmaceutical giant GlaxoSmithKline PLC (GSK) last month when it was announced that certain current employees in its China operation were petitioning the company to reimburse them for bribes they were ordered to pay by their superiors.

In their article, Waldmeir and Ward wrote “the UK pharmaceutical company at the centre of a Chinese corruption scandal, is facing protests from junior employees who say the company is refusing to reimburse them for bribes they were ordered to pay by their superiors.” While my initial thought was that these Chinese employees had quite a bit of ‘cheek’ in raising this claim, the more I read into the story, the more I think it may portend serious problems for GSK in any attempt to defend the company going forward. Waldmeir and Ward reported “some Chinese sales staff are complaining that GSK has denied bonuses, threatened dismissal or refused to reimburse them for bribes they say were sanctioned by their superiors to boost the company’s drug sales. In some cases, managers instructed them to purchase fake receipts that were used to cover up bribes paid in cash or gifts to doctors and hospitals, according to salesmen interviewed by the Financial Times.”

The article went on to highlight just how some of these fake invoices, used to gain funds from the corporate headquarters to facilitate bribery and corruption, were generated. “In some instances, managers disguised their involvement by using their personal email address to instruct staff to pay bribes and by ordering junior staff to claim on their personal expense accounts – even if the bribe was actually paid out by the manager – according to these people.” Last March, a group of current GSK employees sent a letter to the company that said, in part, ““All the expenses were approved by the company,” the group wrote in a letter to management. “The expenses were paid with our own money, and although the receipts were not compliant, it was our managers who told us to buy the fake receipts,” said one former GSK salesman.”

The article quoted that GSK said, “We have zero tolerance for unethical or illegal behaviour and anyone who conducts such behaviour has no place in our company. We believe the vast majority of our employees uphold our values and we welcome employees speaking up if they have concerns.” Talk about a ‘Speak Up’ culture at your company. Probably not exactly what the company had in mind when it invited employees to raise their concerns.

However, as damning as this is, and it would certainly appear to be quite damning, was the following revelation, which was also reported by Waldmeir and Ward, regarding witness prep during GSK’s internal investigation. They wrote, “Some staff were warned not to implicate their supervisors, according to a former salesman: “Our manager approached each person before they were questioned and asked them not to mention his name. He even prepared a story for them to tell the investigator.””

Dissecting all of the above, it would appear that GSK has several real problems on several fronts from this article. The first is that there appears to have been clear China business unit management participation in the bribery and corruption scheme. While it is still not clear whether the corporate home office was involved in the scheme, simply knew of it or choose to bury its collective head in the sand as to what was going on in China, if your in-country business unit management is involved, it is not too many steps to the corporate home office. Conversely, the question might be that if this fraud against the corporate home office was so open and obvious, why did the corporate office not detect it going forward?

Yet the real issue for the corporate office may be the information about employees being coached to hide evidence during the investigation. If such activity was limited to the ‘managers’ in the Chinese business units only, what does it say about a corporate office, which allows such witness intimidation? Think that is an investigation best practice? However, if the corporate office was involved in any way in such witness intimidation, it will bode extremely poorly in the eyes of the Chinese regulators, the UK Serious Fraud Office (SFO), which has opened an investigation into the GSK matter and probably the US Department of Justice (DOJ) as well, since GSK is still subject to the Corporate Integrity Agreement (CIA) it signed back in July of 2012; when it pled guilty and paid $3 billion to resolve fraud allegations and failure to report safety data in what the DOJ called the “largest health care fraud settlement in U.S. history” according to its press release. Think witness tampering or hiding of evidence might garner the attention of the DOJ for a company already under the equivalent of a Deferred Prosecution Agreement (DPA)?

In addition to all of the above conduct, it will be interesting to see the effect of this ongoing investigation on the stock value of GSK. In a Wall Street Journal (WSJ) article, entitled “FCPA Hits Companies Harder if they Committed Fraud”, Sam Rubenfeld reported “A study of U.S. Foreign Corrupt Practices Act enforcement issued by the Searle Civil Justice Institute, a research division of The Law & Economics Center at George Mason University School of Law found that public companies lost an average of 2.9% of market capitalization as a result of an investigation. But, the study found, the number masks an important distinction: Companies charged with bribery only suffered an initial 1.5% loss, while those charged with bribery and financial fraud saw a initial drop of 16.3% in market cap.” It will be interesting to see the effect the apparent fraudulent activities of GSK’s China employees will have on not only the overall penalty assessed against GSK but if there is any attendant drop in shareholder value.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

 

© Thomas R. Fox, 2014

May 29, 2014

May Flowers for GSK? The Corruption Investigation Deepens

Chelsea Flower ShowApril showers bring May flowers, at least that is the old truism. One place it is decidedly correct is at the RHS Chelsea Flower Show, which began its run as one of the, if not the greatest, annual flower shows in the world in May 1862. The event draws some 157,000 people during its five-day run each May. The event has royal patronage and there is always a large contingent of royalty who visit the show.

Unfortunately one group of Englishmen and women who will not be stopping by to ‘smell the roses’ this year are those from the increasingly embattled UK company GlaxoSmithKline PLC (GSK). Yesterday the UK Serious Fraud Office (SFO) announced that it had “opened a criminal investigation into the commercial practices of GlaxoSmithKline plc and its subsidiaries.” To top off this bouquet of May flowers from the SFO, in the same Press Release the SFO said, “Whistleblowers are valuable sources of information to the SFO in its cases. We welcome approaches from anyone with inside information on all our cases including this one – we can be contacted through our secure and confidential reporting channel, which can be accessed via the SFO website.” It then proceeded to provide the SFO’s secure reporting website.

In an article in the New York Times (NYT), entitled “GlaxoSmithKline Under Investigation by Serious Fraud Office”, Chad Bray reported that the SFO “is investigating Glaxo’s business activities in “multiple jurisdictions,” according to a person familiar with the investigation who was not authorized to speak publicly.” As most readers will recall, “Chinese authorities have been investigating the drugmaker’s business practices related to payments to doctors and other health care professionals since last year and questions have been raised in recent months about the company’s practices in Iraq and Poland.”

James Titcomb, reporting in The Telegraph, in an article entitled “SFO opens criminal investigation into GlaxoSmithKline”, went further when he noted that GSK has been in contact with the SFO “in recent months in the wake of claims that it funnelled hundreds of millions of pounds to doctors and officials in countries around the globe to boost sales of its drugs.” Moreover, “Chinese police have accused the company of dispensing 3bn yuan (£285m) in bribes under the leadership Mark Reilly, the former head of its Chinese business. Authorities in the country say the bribes resulted in billions of pounds in “illegal revenue” for the company.”

On the Chinese side of the investigation, the NYT article reported that during the month of May, “Chinese authorities accused Mark Reilly, the former head of Glaxo’s operations in China, of ordering employees to bribe doctors and other hospital staff to use the drug maker’s products, resulting in more than $150 million in illegal revenue. Two other Chinese-born Glaxo executives were also charged in the matter.”

When news of the Chinese investigation broke last summer, GSK claimed that “Certain senior executives of GSK China who know our systems well, appear to have acted outside of our processes and controls which breaches Chinese law,” Glaxo said in July, after meeting with the Chinese authorities. “We have zero tolerance for any behavior of this nature.” [Read: Rogue Employees] However it appears the Chinese authorities have not fallen for this age-old attempt at corporate misdirection. But Andrew Ward, reporting in a Financial Times (FT) article entitled “SFO opens criminal inquiry into GSK, said that the Chinese authorities had engaged in a “ten-month investigation” which had identified 46 current or former GSK employees as “suspects”. Rogue indeed.

Where might the US Department of Justice (DOJ) or Securities and Exchange Commission (SEC) be on these issues? Clearly, these would seem to be areas of at least inquiry under the US Foreign Corrupt Practices Act (FCPA), but consider the following about GSK, in July of 2012 GSK pled guilty and paid $3 billion to resolve fraud allegations and failure to report safety data in what the DOJ called the “largest health care fraud settlement in U.S. history” according to its press release. The DOJ press release went on to state “GSK agreed to plead guilty and to pay $3 billion to resolve its criminal and civil liability arising from the company’s unlawful promotion of certain prescription drugs, its failure to report certain safety data, and its civil liability for alleged false price reporting practices.” The press release noted that the resolution was the largest health care fraud settlement in US history and the largest payment ever by a drug company for legal violations.

You would think that any company that has paid $3 billion in fines and penalties for fraudulent actions would take all steps possible not to engage in bribery and corruption. Indeed as part of the settlement GSK agreed to a Corporate Integrity Agreement (CIA). This CIA not only applied to the specific pharmaceutical regulations that GSK violated but all of the GSK compliance obligations, including the FCPA.

In addition to requiring a full and complete compliance program, the CIA specified that the company would have a Compliance Committee, inclusive of the Compliance Officer and other members of senior management necessary to meet the requirements of this CIA, whose job was to oversee full implementation of the CIA and all compliance functions at the company. These additional functions required Deputy Compliance Officers for each commercial business unit, Integrity Champions within each business unit and management accountability and certifications from each business unit. Training of GSK employees was specified. Further, there was detail down to specifically state that all compliance obligations applied to “contractors, subcontractors, agents and other persons (including, but not limited to, third party vendors)”. So while GSK may have separate FCPA liability to be investigated by the DOJ; it may be more of an issue that the company could be in violation of its CIA.

GSK has of course averred that it is fully cooperating with all of the various investigations into its alleged bribery and corruption. Further, as reported in Ward’s FT article, “GSK said it was “committed to operating its business to the highest ethical standards”. The company had “previously denied any systemic problem with corruption and said the latest Chinese allegations were “deeply concerning to us and contrary to the values of GSK”.”

So I guess the GSK team probably missed the Chelsea Flower Show this year. ON the other hand, maybe they might be like former BP President Tony Hayward, who during the first few of weeks of the worst oil spill in the history of the world ever, went yachting…

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

« Previous PageNext Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 4,829 other followers