FCPA Compliance and Ethics Blog

April 4, 2014

Life Cycle Management of Third Parties – Step 5 – Management of the Relationship

Today ends my review of what I believe to be the five steps in the management of a third party under an anti-bribery regime such as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. On Monday, I reviewed Step 1 – the Business Justification, which should kick off your process with any third party relationship. On Tuesday, I looked at Step 2 – the questionnaire that you should send a third party and what information you should elicit. On Wednesday, I discussed Step 3 – the due diligence that you should perform based upon the information that you have received from and ascertained on the third party. On Thursday, I examined Step 4 – how you should use the information you obtain in the due diligence process and the compliance terms and conditions which you should place in any commercial agreement with a third party. Today, I will conclude this series by reviewing how you should manage the relationship after the contract is signed.

I often say that after you complete Steps 1-4 in the life cycle management of a third party, the real work begins and that work is found in Step 5 – the Management of the Relationship. While the work done in Steps 1-4 is absolutely critical, if you do not manage the relationship it can all go downhill very quickly and you might find yourself with a potential FCPA or UK Bribery Act violation. There are several different ways that you should manage your post-contract relationship. This post will explore some of the tools which you can use to help make sure that all the work you have done in Steps 1-4 will not be for naught and that you will have a compliant anti-corruption relationship with your third party going forward.

Managing third party relationships is an area that continues to give companies trouble and heartburn. The “2013 Anti-Bribery and Corruption Benchmarking Report – A joint effort between Kroll and Compliance Week” found that many companies are still struggling with ongoing anti-corruption monitoring and training for their third parties. Regarding training, 47% of the respondents said that they conduct no anti-corruption training with their third parties at all. The efforts companies do take to educate and monitor third parties are somewhat pro forma. More than 70% require certification from their third parties that they have completed anti-corruption training; 43% require in-person training and another 40% require online training. Large companies require training considerably more often than smaller ones, although when looking at all the common training methods, 100% of respondents say their company uses at least one method, if not more.

While the FCPA Guidance itself only provides that “companies should undertake some form of ongoing monitoring of third-party relationships”, Diana Lutz, writing in the White Paper by The Steele Foundation entitled “Global anti-corruption and anti-bribery program best practices”, said, “As an additional means of prevention and detection of wrongdoing, an experienced compliance and audit team must be actively engaged in home office and field activities to ensure that financial controls and policy provisions are routinely complied with and that remedial measures for violations or gaps are tracked, implemented and rechecked.”

One noted commentator has discussed techniques to provide this management and oversight of any third party relationship. Carol Switzer, President of the Open Compliance and Ethics Group (OCEG), writing in the Compliance Week magazine, set out a five-step process for managing corruption risks, which I have adapted for third parties.

  1. Screen – Monitor third party records against trusted data sources for red flags.
  2. Identify – Establish helplines and other open channels for reporting of issues and asking compliance related questions by third parties.
  3. Investigate – Use appropriately qualified investigative teams to obtain and assess information about suspected violations.
  4. Analyze – Evaluate data to determine “concerns and potential problems” by using data analytics, tools and reporting.
  5. Audit – Finally, your company should have regular internal audit reviews and inspections of the third party’s anti-corruption program, including testing and assessment of internal controls to determine if enhancement or modification is necessary.

Based upon the foregoing and other commentators, I believe there are several different roles in a company that play a function in the ongoing monitoring of the third party. While there is overlap, I believe that each role fulfills a critical function in any best practices compliance program.

Relationship Manager

There should be a Relationship Manager for every third party which the company does business with through the sales chain. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party. Some of the duties of the Relationship Manager may include:

  • Point of contact with the Third Party for all compliance issues;
  • Maintaining periodic contact with the Third Party;
  • Meeting annually with the Third Party to review its satisfaction of all company compliance obligations;
  • Submitting annual reports to the company’s Oversight Committee summarizing services provided by the Third Party;
  • Assisting the company’s Oversight Committee with any issues with respect to the Third Party.

Compliance Professional

Just as a company needs a subject matter expert (SME) in anti-bribery compliance to be able to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third parties also need such access. A third party may not be large enough to have its own compliance staff so I advocate a company providing such a dedicated resource to third parties. I do not believe that this will create a conflict of interest or that there are other legal impediments to providing such services. They can also include anti-corruption training for the third party, either through onsite or remote mechanisms. The compliance practitioner should work closely with the relationship manager to provide advice, training and communications to the third party.

Oversight Committee

I advocate that a company should have an Oversight Committee review all documents relating to the full panoply of a third party’s relationship with the company. It can be a formal structure or some other type of group but the key is to have the senior management put a ‘second set of eyes’ on any third parties who might represent a company on the sales side. In addition to the basic concept of process validation of your management of third parties, as third parties are recognized as the highest risk in FCPA or Bribery Act compliance, this is a manner to deliver additional management of that risk.

After the commercial relationship has begun, the Oversight Committee should monitor the third party relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations and evaluation of any new or supplemental risk associated with any negative information discovered from a review of financial audit reports on the third party. The Oversight Committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance. In addition to the above remedial review, the Oversight Committee should review all payments requested by the third party to assure such payment is within the company guidelines and is warranted by the contractual relationship with the third party. Lastly, the Oversight Committee should review any request to provide the third party any type of non-monetary compensation and, as appropriate, approve such requests.


A key tool in managing the relationship with a third party post-contract is auditing the relationship. I hope that you will have secured audit rights, as that is an important clause in any compliance terms and conditions. Your audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. Noted fraud examiner expert Tracy Coenen described the process as one to (1) capture the data; (2) analyze the data; and (3) report on the data, which is also appropriate for a compliance audit. As a baseline I would suggest that any audit of a third party include, at a minimum, a review of the following:

  1. the effectiveness of existing compliance programs and codes of conduct;
  2. the origin and legitimacy of any funds paid to Company;
  3. books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
  4. all disbursements made for or on behalf of Company; and
  5. all funds received from Company in connection with work performed for, or services or equipment provided to, Company.

If you want to engage in a deeper dive you might consider evaluation of some of the following areas:

  • Review of contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party.
  • Review FCPA compliance training program; both the substance of the program and attendance records.
  • Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous reporting, hotline or any other reporting mechanism.
  • Does the third party have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review employee expense reports for employees in high-risk positions or high-risk countries.
  • Testing for gifts, travel and entertainment that were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report? How is the third party’s compliance program designed to identify risks and what has been the result of any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

In addition to monitoring and oversight of your third parties, you should periodically review the health of your third party management program. Once again I turn to Diana Lutz and her colleague Marjorie Doyle, and their White Paper entitled “Third Party Essentials: A Reputation/Liability Checkup When Using Third Parties Globally”, where they gave a checklist to test companies on their relationships with their third parties.

  1. Do you have a list or database of all your third parties and their information?
  2. Have you done a risk assessment of your third parties and prioritized them by level of risk?
  3. Do you have a due diligence process for the selection of third parties, based on the risk assessment?
  4. Once the risk categories have been determined, create a written due diligence process.
  5. Once the third party has been selected based on the due diligence process, do you have a contract with the third party stating all the expectations?
  6. Is there someone in your organization who is responsible for the management of each of your third parties?
  7. What are “red flags” regarding a third party?

Perhaps now you will understand why I say that after you prepare the Business Justification; send out, receive back and evaluate the Questionnaire; set the appropriate level of Due Diligence; evaluate the due diligence and execute a contract with appropriate Compliance Terms and Conditions; now the real work begins, as you have to manage the third party relationship.

I hope that you have found this review of the life cycle management of third parties helpful for your compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 3, 2014

Life Cycle Management of Third Parties – Step 4 – The Contract

This post continues to outline what I believe are the five steps in the life cycle of third party management. Today I will look at Step 4, the contract. However, before we get to the contracting stage a word about what to do with Steps 1-3. You cannot simply obtain the information detailed in these first three steps; you must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If there are Red Flags which have appeared, these Red Flags must be cleared or you must demonstrate how you will manage the risks identified. In other words you must Document, Document and Document that you have read, synthesized and evaluated the information garnered in Steps 1-3. As the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) continually remind us, a compliance program must be a living, evolving system and not simply a ‘Check-the-Box’ exercise.

After you have completed Steps 1-3 and then evaluated and documented your evaluation, you are ready to move on to Step 4 – the contract. Obviously any commercial relationship should be governed by the terms and conditions of a written contract. Clearly your commercial terms should be set out in the contract. In the area of commercial terms the FCPA Guidance intones “Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third party’s introduction to the business.” This means that you need to understand what the rate of commission is and whether it is reasonable for the services delivered. If the rate is too high, this could be indicia of corruption as high commission rates can create a pool of money to be used to pay bribes. If your company uses a distributor model in its sales side, then it needs to review the discount rates it provides to its distributors to ascertain that the discount rate is warranted.

In addition to the above analysis from the compliance perspective, you should incorporate compliance terms and conditions into your contracts with third parties. I would suggest that you begin with some type of compliance terms and conditions template, which can be used as a starting point for your negotiations. The advantages of such a template are several; they include: (1) the contract language is tested against real events; (2) the contract language assists the company in managing its compliance risks; (3) the contract language fits into a series of related contracts; (4) the contract language is straight-forward to administer and (5) the contract language helps to manage the expectations of both contracting parties regarding anti-bribery and anti-corruption.

What are the compliance terms and conditions that you should include in your commercial contracts with third parties? In the Panalpina Deferred Prosecution Agreement (DPA), Attachment C, Section 12 is found the following language, “Where necessary and appropriate, Panalpina will include standard provisions in agreements, contracts, and renewals thereof with all agents and business partners that are reasonably calculated to prevent violations of the anticorruption laws, which may, depending upon the circumstances, include: (a) anticorruption representations and undertakings relating to compliance with the anticorruption laws; (b) rights to conduct audits of the books and records of the agent or business partner to ensure compliance with the foregoing; and (c) rights to terminate an agent or business partner as a result of any breach of anti-corruption laws, and regulations or representations and undertakings related to such matters.” In the Johnson & Johnson (J&J) DPA, the same language as used in the Panalpina DPA is found in Attachment C, entitled “Corporate Compliance Program”. However, in Attachment D, entitled “Enhanced Compliance Obligations”, the following language is found: “Contracts with such third parties are to include appropriate FCPA compliance terms and conditions including; (i) representatives and undertakings of the third party to compliance; (ii) right to audit; and (iii) right to terminate.”

Mary Jones, in an article in this blog entitled “Panalpina’s World Wide Web”, suggested the following language be present in your compliance terms and conditions:

  • payment mechanisms that comply with this Manual, the FCPA [Foreign Corrupt Practices Act], the UKBA [UK Bribery Act] and other applicable anti-corruption and/or anti-bribery laws during the term of such contract;
  • the counterparty’s obligation to maintain accurate books and records in compliance with the Company’s Policy and Compliance Manual;
  • the counterparty’s obligation to certify on an annual basis that: (i) counterparty has not made, offered, or promised any payment or gift of money or anything of value, directly or indirectly, to any Government Official (or any other person or entity if UK Bribery Act applies) for the purpose of obtaining or retaining business or getting any improper business advantage; and (ii) counterparty has not engaged in any conduct or behavior prohibited by the Code of Conduct, Anti-Corruption Policy and Compliance Manual and other applicable anti-corruption and/or anti-bribery law;
  • the Company’s right to audit the counterparty’s books and records, including, without limitation, any documentation relating to the counterparty’s interaction with any governmental entity (or any entity if UK Bribery Act applies) on behalf of the Company, and the counterparty’s obligation to cooperate fully with any such audit; and
  • remedies (including termination rights) for the failure of the counterparty to comply with the terms of the contract, the Code of Conduct, the Anti-Corruption Policy and Compliance Manual and other applicable anti-corruption and/or anti-bribery law during the term of such contract.

Based on the foregoing experts and the research I have engaged in, I believe that compliance terms and conditions should be stated directly in the document, whether such document is a simple agency or consulting agreement or a joint venture (JV) with several formation documents. The compliance terms and conditions should include representations that in all undertakings the third party will make no payments of money, or anything of value, nor will such be offered, promised or paid, directly or indirectly, to any foreign officials, political parties, party officials, candidates for public or political party office, to influence the acts of such officials, political parties, party officials, or candidates in their official capacity, to induce them to use their influence with a government to obtain or retain business or gain an improper advantage in connection with any business venture or contract in which the company is a participant.

In addition to the above affirmative statements regarding conduct, a commercial contract with a third party should have the following compliance terms and conditions in it.

  • Indemnification: Full indemnification for any FCPA violation, including all costs for the underlying investigation.
  • Cooperation: Require full cooperation with any ethics and compliance investigation, specifically including the review of foreign business partner emails and bank accounts relating to your Company’s use of the foreign business partner.
  • Material Breach of Contract: Any FCPA violation is made a material breach of contract, with no notice and opportunity to cure. Further, such a finding will be the grounds for immediate cessation of all payments.
  • No Sub-Vendors (without approval): The foreign business partner must agree that it will not hire an agent, subcontractor or consultant without the Company’s prior written consent (to be based on adequate due diligence).
  • Audit Rights: An additional key element of a contract between a US Company and a foreign business partner should include the retention of audit rights. These audit rights must exceed the simple audit rights associated with the financial relationship between the parties and must allow a full review of all FCPA related compliance procedures such as those for meeting with foreign governmental officials and compliance related training.
  • Acknowledgment: The foreign business partner should specifically acknowledge the applicability of the FCPA to the business relationship as well as any country or regional anti-corruption or anti-bribery laws, which apply to either the foreign business partner or business relationship.
  • On-going Training: Require that the top management of the foreign business partner and all persons performing services on your behalf shall receive FCPA compliance training.
  • Annual Certification: Require an annual certification stating that the foreign business partner has not engaged in any conduct that violates the FCPA or any applicable laws, nor is it aware of any such conduct.
  • Re-qualification: Require the foreign business partner re-qualify as a business partner at a regular interval of no greater than every three years.

Many will exclaim, “What an order, I can’t go through with it.” By this they mean that they do not believe that they will be able to get the third party to agree to such compliance terms and conditions. I have found that while it may not be easy, it is relatively simple to get a third party to agree to these, or similar, terms and conditions. One approach to take is that they are not negotiable. When faced with such a position on non-commercial terms many third parties will not fight such a position. There is some flexibility but the DOJ will require the minimum terms and conditions that it has suggested in the various Attachment Cs to the DPAs I have discussed. But the best position I have found is that if a third party agrees with these terms and conditions, they can then use that as a market differentiator from other third parties who have not gone through the life cycle management of a third party as this series has discussed.


April 2, 2014

Life Cycle of Third Party Management – Step 3 – Due Diligence

Most companies fully understand the need to comply with the Foreign Corrupt Practices Act (FCPA) regarding third parties as they represent the greatest risks for an FCPA violation. However, most companies are not created out of new cloth but are ongoing enterprises with a fully up and running business in place. They need to bring in resources to comply with the FCPA while continuing to do business. This can be particularly true in the area of performing due diligence on third parties. Many companies understand the need for a robust due diligence program to investigate third parties, but have struggled with how to create an inventory to define the basis of risk of each foreign business partner and, thereby, perform the requisite due diligence required under the FCPA.

Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner. However, the information that you should have developed in Steps 1 & 2 of the life cycle of third party management should provide you with the initial information to consider the level of due diligence that you should perform on third parties. This leads to today’s topic of Step 3 in the five steps of the life cycle management of third parties – Due Diligence.

Jay Martin, Chief Compliance Officer (CCO) at Baker Hughes, often emphasizes, when he speaks on the topic, that a company needs to evaluate and address its risks regarding third parties. This means that an appropriate level of due diligence may vary depending on the risks arising from the particular relationship. So, for example, the appropriate level of due diligence required by a company when contracting for the performance of Information Technology (IT) services may be low, to reflect low risks of bribery on its behalf. Conversely, a business entering into the international energy market and selecting an intermediary to assist in establishing a business in such markets will typically require a much higher level of due diligence to mitigate the risks of bribery on its behalf.

Our British compliance cousins of course are subject to the UK Bribery Act. In its Principle VI of an Adequate Procedures compliance program, the UK Ministry of Justice (MOJ) stated, “The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.” The purpose of Principle VI is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from bribing on their behalf. The MOJ recognized that due diligence procedures act both as a procedure for anti-bribery risk assessment and as a risk mitigation technique. The MOJ said that due diligence is so important that “the role of due diligence in bribery risk mitigation justifies its inclusion here as a Principle in its own right.”

Carol Switzer, writing in Compliance Week, related that you should initially set up categories for your third parties of high, moderate and low risk. Based upon which risk category the third party falls into, you can design specific due diligence. She defined low risk screening as “trusted data source search and risk screening such as the aforementioned World Compliance”; moderate risk screening as “enhanced evaluation to include in-country public records…and research into corporate relationships”; high risk screening is basically a “deep dive assessment” where there is an audit/review of third party controls and financial records, in-country interviews and investigations “leveraging local data sources.”

A three-step approach was also discussed favorably in Opinion Release 10-02. In this Opinion Release, the Department of Justice (DOJ) discussed the due diligence that the requesting entity performed. “First, it [the requestor] conducted an initial screening of six potential grant recipients by obtaining publicly available information and information from third-party sources…Second, the Eurasian Subsidiary undertook further due diligence on the remaining three potential grant recipients. This due diligence was designed to learn about each organization’s ownership, management structure and operations; it involved requesting and reviewing key operating and assessment documents for each organization, as well as conducting interviews with representatives of each MFI to ask questions about each organization’s relationships with the government and to elicit information about potential corruption risk. As a third round of due diligence, the Eurasian Subsidiary undertook targeted due diligence on the remaining potential grant recipient, the Local MFI. This diligence was designed to identify any ties to specific government officials, determine whether the organization had faced any criminal prosecutions or investigations, and assess the organization’s reputation for integrity.”

Based upon the wisdom of the aforementioned compliance experts, Opinion Release 10-02 and others I have reviewed break due diligence down into three stages: Level I, Level II and Level III. A very good description of the three levels of due diligence was presented by Candace Tal in a guest post, entitled “Deep Level Due Diligence: What You Need to Know”.

Level I

First level due diligence typically consists of checking individual names and company names through several hundred Global Watch lists comprised of anti-money laundering (AML), anti-bribery, sanctions lists, coupled with other financial corruption & criminal databases. These global lists create a useful first-level screening tool to detect potential red flags for corrupt activities. It is also a very inexpensive first step in compliance from an investigative viewpoint. Tal believes that this basic Level I due diligence is extremely important for companies to complement their compliance policies and procedures; demonstrating a broad intent to actively comply with international regulatory requirements.

Level II

Level II due diligence encompasses supplementing these Global Watch lists with a deeper screening of international media, typically the major newspapers and periodicals, from all countries plus detailed internet searches. Such inquiries will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company, the third party’s key executives and associated parties. I believe that Level II should also include an in-country database search regarding the third party. Some of the other types of information that you should consider obtaining are country of domicile and international government records; use of in-country sources to provide assessments of the third party; and a check for international derogatory electronic and physical media searches. You should perform both English and foreign-language repository searches on the third party in its country of domicile. If you are in a specific industry, you should also obtain information from sector specific sources, using technical specialists.

Level III

This level is the deep dive. It will require an in-country ‘boots-on-the-ground’ investigation. I agree with Tal that a Level III due diligence investigation is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence to identify known and more importantly unknown conditions. Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth assessment to an in country investigation.” Further, the “Direction of the work and analyzing the resulting data is often critical to a successful outcome; and key to understanding the results both from a technical perspective and understanding what the results mean in plain English. Investigative reports should include actionable recommendations based on clearly defined assumptions or preferably well-developed factual data points.”

But more than simply an investigation of the company, critically including a site visit and coupled with onsite interviews, Tal says that some other things you investigate include “an in-depth background check of key executives or principal players. These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.” Tal believes that such “Reputational information, involvement in other businesses, direct or indirect involvement in other law suits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publicly.”

Further, you may need to engage a foreign law firm to investigate the third party in its home country to determine the third party’s compliance with its home country’s laws, licensing requirements and regulations. Lastly, and perhaps most importantly, you should use Level III to look the proposed third party in the eye and get a firm idea of his or her cooperation and attitude towards compliance, as one of the most important inquiries is not legal but based upon the response and cooperation of the third party. More than simply trying to determine whether the third party objected to any portion of the due diligence process or to the scope, coverage or purpose of the FCPA, you can use Level III to determine whether the third party is willing to stand up with you under the FCPA and whether you are willing to partner with the third party.

The Risk Advisory Group has put together a handy chart of its Level I, II and III approaches to integrity and due diligence. I have found it useful in explaining the different scopes and focuses of the various levels of due diligence.

Level One

Issues Addressed:

  • That the company exists
  • Identities of directors and shareholders
  • Whether such persons are on regulators’ watch lists
  • Signs that such persons are government officials
  • Obvious signs of financial difficulty
  • Signs of involvement in litigation
  • Media reports linking the company to corruption

Scope of Investigation:

  • Company registration and status
  • Registered Address
  • Regulators’ watch lists
  • Credit Checks
  • Bankruptcy/Liquidation Proceedings
  • Review accounts and auditors comments
  • Litigation search
  • Negative media search

Level Two

Issues Addressed: As above with the following additions:

  • Public Profile integrity checks
  • Signs of official investigations and/or sanctions from regulatory authorities
  • Other anti-corruption Red Flags

Scope of Investigation: As above with the following additions:

  • Review and summary of all media and internet references
  • Review and summary of relevant corporate records and litigation filings, including local archives
  • Analysis and cross-referencing of all findings

Level Three

Issues Addressed: As above with the following additions:

  • But seeking fuller answers to any questions raised by drawing on a wider range of intelligence sources and/or addressing specific issues of potential concern already identified

Scope of Investigation: As above with the following additions:

  • Enquiries via local sources
  • Enquiries via industry experts
  • Enquiries via western agencies such as embassies or trade promotion bodies
  • Enquiries via sources close to local regulatory agencies

As you can see from this blog post, there are many different approaches to the specifics of due diligence. By laying out some of the approaches of other experts in the field, I hope that you can craft the relevant portions into your program. The Level I, II & III trichotomy appears to have the greatest favor and is one that you should be able to implement in a straightforward manner. However, as Jay Martin constantly says, you need to assess your company’s risk and manage that risk. So if you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to Document, Document and Document all your due diligence.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 1, 2014

Life Cycle of Third Party Management – Step 2 Questionnaire

Today, I continue my five-part series on the life cycle of third party management under an anti-bribery/anti-corruption regime such as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act, reviewing Step 2, which I label as the “Questionnaire”. The term ‘questionnaire’ is mentioned several times in the FCPA Guidance. It is generally recognized as one of the tools that a company should complete in its investigation to better understand with whom it is doing business. I believe that this requirement is not only a key step but also a mandatory step for any third party that desires to do work with your company. I tell clients that if a third party does not want to fill out the questionnaire or will not fill it out completely, you should not walk but run away from doing business with such a party.

In the 2011 UK Ministry of Justice’s (MOJ) discussion of the Six Principles of an Adequate Procedures compliance program, they said the following about the Questionnaire, “This means that both the business person who desires the relationship and the foreign business representative commit certain designated information in writing prior to beginning the due diligence process.” Indeed, the use of a Questionnaire was one of the key findings of Kroll’s “2012 FCPA Benchmark Report”. As reported in the FCPA Blog, in a post entitled “Compliance Officers Troubled By Third-Party Risk”:

  • 71% require third parties to complete a disclosure listing affiliations with foreign officials (65% verify that third parties adhere to the company’s code of ethics and 73% confirm that each third party is free from sanctions pertaining to compliance with anti-bribery regulation).

One of the key requirements of any successful anti-corruption compliance program is that a company must make an initial assessment of a proposed third party relationship. The size of a company does not matter as small businesses can face quite significant risks and will need more extensive procedures than other businesses facing limited risks. The level of risk that companies face will also vary with the type and nature of the third parties it may have business relationships with. For example, a company that properly assesses that there is no risk of bribery on the part of one of its associated persons will, accordingly, require nothing in the way of procedures to prevent bribery in the context of that relationship. By the same token the bribery risks associated with reliance on a third party agent representing a company in negotiations with foreign public officials may be assessed as significant and, accordingly, requires much more in the way of procedures to mitigate those risks. Businesses are likely to need to select procedures to cover a broad range of risks but any consideration by a court in an individual case of the adequacy of procedures is likely necessarily to focus on those procedures designed to prevent bribery on the part of the associated person committing the offence in question.

So what should you ask for in your questionnaire? Randy Corley, Executive Vice President (EVP), Global Compliance Officer at Edelman Inc. said in a presentation at Compliance Week 2012, entitled “3rd Party Due Diligence Best Practices in Establishing an Effective Anti-Corruption Program”, that his company has developed a five-step approach in evaluating and managing their third parties. In Step 3 they ask What Do You Need To Know? Initially, Corley said that the scope of review depends on the risk assessment: High Risk, Medium Risk or Low Risk. This risk ranking will determine the level of information collected and due diligence performed. The key element of this step is data collection. The initial step is to have the third party complete an application which should include requests for information on background and experience, scope of services to be provided, relevant experience, list of actual and beneficial owners, references and compliance expertise.

Below are some of the areas which I think you should inquire into with a proposed third party:

  • Ownership Structure: Describe whether the proposed third party is a government or state-owned entity, and the nature of its relationship(s) with local, regional and governmental bodies. Are there any members of the business partner related, by blood, to governmental officials?
  • Financial Qualifications: Describe the financial stability of, and all capital to be provided by, the proposed third party. You should obtain financial records, audited for 3 to 5 years, if available. Obtain the name and contact information for their banking relationship.
  • Personnel: Determine whether the proposed agent will be providing personnel, particularly whether any of the employees are government officials. Make sure that you obtain the names and titles of those who will provide services to your company.
  • Physical Facilities: Describe what physical facilities will be used by the third party for your work. Be sure to obtain their physical address.
  • References: Obtain names and contact information for at least three business references that can provide information on the business ethics and commercial reliability of the proposed third party.
  • PEPs: Are any of the owners, beneficial owners, officers or directors politically exposed persons (PEPs)?
  • UBOs: It is imperative that you obtain the identity of the Ultimate Beneficial Owner (UBO).
  • Compliance Regime: Does the proposed third party have an anti-corruption/anti-bribery program in place? Do they have a Code of Conduct? Obtain copies of all relevant documents and training materials.
  • FCPA Training and Awareness: Has the proposed third party received FCPA training, are they TRACE certified or certified by some other recognizable entity?

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, my experience is that most proposed agents that have done business with US or UK companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to US businesses.

The questionnaire fills several key roles in your overall management of third parties. Obviously it provides key information that you need to know about who you are doing business with and whether they have the capabilities to fulfill your commercial needs. Just as important is what is said if the questionnaire is not completed or is only partially completed, such as a lack of awareness of the FCPA, UK Bribery Act or anti-corruption/anti-bribery programs generally. Lastly, the information provided (or not provided) in the questionnaire will assist you in determining what level of due diligence to perform. So tomorrow I will discuss due diligence.

March 18, 2014

When to Bring in Investigative Counsel and Why

When should you bring in a true outsider to handle an internal investigation? What about specialized investigative counsel? Jim McGrath, who often writes about the need for specialized investigative counsel, has also pointed out on several occasions that having an independent eye on things is also a plus. However, rarely do we see both questions played out so publicly as is currently going on in the General Motors (G.M.) recall investigation. Indeed, Matthew Goldstein and Barry Meier discussed these questions in a Sunday New York Times (NYT) Business Section article entitled “G.M Calls the Lawyers”.

For those of you not familiar with G.M.’s problems, McGrath also wrote about them in his Internal Investigations Blog, in a post entitled “What Did GM Know and When Did They Know It?” McGrath describes the current issues as “the revelation that General Motors is the target of probes by Congress and by the National Highway Transportation Safety Administration over its handling of ignition switch defects in at least six of its popular automobiles. Failures in these switches may have resulted in as many as thirteen deaths and seemingly point to quality control failures at the automaker.” Others have estimated the death totals much higher for this defect. And, as McGrath notes, the key question is ‘what did GM know and when did they know it’?

Interestingly G.M. has hired two law firms to handle the investigation. One is King & Spalding, which handled much of the product liability litigation over the alleged defect and the second is Jenner & Block. In the NYT article, a prominent plaintiff’s lawyer, Lance Cooper, who fought GM and King & Spalding on this product liability litigation noted the obvious when he said, “They are part of the story.” By this he meant that “King & Spalding’s switch from a fierce defender of G.M. to a potential inquisitor into the company’s actions may also pose a conflict. For one, some of the firm’s lawyers may have to ask their own colleagues if they advised G.M. about whether to recall the vehicles at the time the Melton case was settled.”

More importantly for G.M., the retention of “outside counsel in these cases is part investigation, part public-relations gambit and part legal strategy. In most cases, the goal isn’t to publicly flog a company or its top executives, but rather to limit damage to an institution’s reputation or to contain the financial harm to shareholders of a publicly traded company. And it does so under the protection of the attorney-client privilege. From the point of view of the company, a well-done internal investigation can shape the accepted story of what happened — and produce findings that allow the company to negotiate for lower penalties from prosecutors or regulators down the road.” But, more importantly, to “achieve those ends, the law firms conducting the investigations must be viewed as forthright and uncompromised. In this respect, some critics have already questioned G.M.’s choices.”

The NYT quoted another lawyer, William McLucas, a partner at WilmerHale, who said, “If you are a firm that is generating substantial fees from a prospective corporate client, you may be able to come in and do a bang-up inquiry. But the perception is always going to be there; maybe you pulled your punches because there is a business relationship.” This is because if “companies want credibility with prosecutors and investors, it is generally not wise to use their regular law firms for internal inquiries.” Another expert, Charles Elson, a professor of finance at the University of Delaware who specializes in corporate governance, agreed, adding, “I would not have done it because of the optics. Public perception can be affected by using regular outside counsel.”

Adam G. Safwat, a former deputy chief of the fraud section in the Justice Department, said that the key is “Prosecutors expect an internal investigation to be an honest assessment of a company’s misdeeds or faults,” and “What you want to avoid is doing something that will make the prosecutor question the quality of integrity of the internal investigation.” The aforementioned Jim McGrath was also interviewed for the article. He said, “A shrewd law firm that gets out in front of scandal can use that to its advantage in negotiating with authorities to lower penalties and sanctions. There is a great incentive to ferret out information so they can spin it.”

All of these concerns are equally valid in the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act investigation context. But they are layered upon the Fair Process Doctrine. This is because procedural fairness is one of the things that will bring credibility to your Compliance Program. This Doctrine generally recognizes that there are fair procedures, not arbitrary ones, in a process involving rights. Considerable research has shown that people are more willing to accept negative, unfavorable, and non-preferred outcomes when they are arrived at through processes and procedures that are perceived as fair. Adhering to the Fair Process Doctrine in your Compliance Program is critical for you, as a compliance specialist or for your Compliance Department, to have credibility with the rest of the workforce.

In internal investigations, if your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Further, those involved must have confidence that any internal investigation is treated seriously and objectively. I have recently written about several aspects of internal investigations, in order to emphasize how to handle internal whistleblower complaints in light of the Dodd-Frank implications. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the process will be fair.

This fairness has several components. One would be the use of outside counsel, rather than in-house counsel to handle the investigation. Moreover, if a company uses a regular firm, it may be that other outside counsel should be brought in, particularly if the regular outside counsel has created or implemented key components that are being investigated. Further, if the company’s regular outside counsel has a large amount of business with the company, then that law firm may have a very vested interest in maintaining the status quo. Lastly, the investigation may require a level of specialization that in-house or regular outside counsel does not possess.

Living in Houston, this all played out in disastrous results during the Enron scandal. Near the end of Enron’s run, its regular outside counsel, Vinson & Elkins, investigated questionable accounting practices at Enron. As the NYT article noted, “The firm’s investigation is viewed as an utter failure or a corporate whitewash. The review essentially gave Enron a clean bill of health just months before it collapsed in one of the biggest accounting frauds of all time. In 2006, the law firm paid $30 million to Enron’s bankruptcy estate to resolve claims that its actions had contributed to the energy company’s demise.”

All of this means your company needs to get it right in the hiring of outside counsel to handle an investigation. As McGrath wrote at the end of his blog, “the Jenner and King people will have to make like Howard Baker and ask what the president – or other ranking person with reporting authority to NHTSA – knew and when they knew it. Because the cover-up is usually worse than the underlying wrong and this one could cost GM $35 million and its reputation.” The NYT article ended with the following, “The best internal investigations are the ones that don’t receive much media attention. A company deals with a problem quickly, and if there’s something to report to authorities, the company tends to be treated leniently for its forthrightness.” Amen.

February 6, 2014

The FCPA and Fight Against Terrorism

I admit it took me a while to finally get it. I have long wondered what could have caused the explosion in Department of Justice (DOJ) and Securities and Exchange Commission (SEC) enforcement of the Foreign Corrupt Practices Act (FCPA). Starting in about 2004, FCPA enforcement has not only been on the increase from the previous 25 years of its existence but has literally exploded. Of course, I had heard Dick Cassin and Dan Chapman, most prominently among others, talk and write about FCPA enforcement as an anti-terrorism security issue post 9/11, but I never quite bought into it because I did not understand the theoretical underpinnings of such an analysis.

I recently finished listening to the Teaching Company’s “Masters of War: History’s Greatest Strategic Thinkers” by Professor Andrew Wilson of the Naval War College. It is a 24 lecture series on the content and historical context of the world’s greatest war strategists. In his lecture on “Terrorism as Strategy” Professor Wilson explained that corruption is both a part of the strategy of terrorism and a cause of terrorism. After listening to his lecture and reflecting on some of the world events which invoked both parts of his explanation, it became clear to me why FCPA enforcement exploded and, more importantly, why the US government needs to continue aggressive enforcement of the FCPA and encourage other countries across the globe to enact and enforce strong international and domestic anti-corruption and anti-bribery laws.

Corruption as a Terrorist Strategy

One need look no further than last fall’s massacre of civilians in Kenya at the Westgate Mall to see how terrorists use bribery and corruption. Dick Cassin, who has consistently written about the connection between bribery-corruption and security, did so again after the attack, in a post entitled “The Price for Impunity is Higher Than Ever”, where he pointed to the continued corruption in Kenya and how this corruption led to guns and terrorists being able to cross the border and carry out the attack. Cassin said that the border controls are so porous due to corruption in Kenya that in a prior episode involving the UK Serious Fraud Office (SFO), the UK government had banned certain Kenyan government officials from traveling to the UK, in large part because the country failed to take action against obvious cases of bribery and corruption. He said, “The visa ban followed a criminal investigation by the U.K. Serious Fraud Office into contracts between the Kenyan government and U.K. shell businesses. The contracts for passport controls and border security systems went to phantom overseas companies at prices about ten times the actual cost. Kenya refused to cooperate and in early 2009 the SFO was forced to end its investigation.”

Giles Foden, in an article in The Guardian, entitled “Kenya: behind the terror is rampant corruption”, was even more specific about the culture of crime and corruption in Kenya, when he wrote that corruption was one of the signature factors which led to the massacre. He wrote, “In Kenya crime and terrorism are deeply linked, not least by the failure of successive Kenyan governments to control either. These attacks are part of a spectrum of banditry, with corruption at one end, terrorism at the other, and regular robbery in the middle. Money that should have been spent on security and other aspects of national infrastructure has been disappearing for generations.”

He concluded his piece with this warning, “You can gesture at the transnational problem of Islamist terrorism all you like, but it’s just hot air unless you invest in proper security on the ground in your own country, with the right safeguards to civil liberties. For now Kenya must mourn its dead. But unless the corruption stops, and real investment is made in the social fabric, Kenya will once again be faced with systemic shocks it is hardly able to deal with.”

Professor Wilson made it clear that terrorists incorporate these concepts into their overall strategy. If a country has strong border controls and government officials, which I believe is the situation here in the US and UK, then the terrorist will seek out a country friendly to the US or UK, where the government officials can be bribed or corrupted and use those as ports of entry. Similarly, they can directly attack civilians in a country like Kenya where the border is so porous that both terrorists and arms can flow through with impunity.

Corruption as a Precursor to Terrorism

But, not only can corruption be used by terrorists, ironically, it can also be the cause of terrorism. One only need look at the Arab Spring and what started it. It was a lone fruit and vegetable seller, Mohamed Bouazizi, who doused himself in paint thinner and set himself on fire in front of a local municipal office because of the corruption of Tunisian government officials and police officers. Yuri Fedotov, head of the United Nations Office on Drugs and Crime (UNODC) has said that the Arab Spring’s call for greater democracy was “an emphatic rejection of corruption and a cry for integrity” and that the international community must listen to the millions of people involved. At the center of the Arab Spring movement was a deep-seated anger at the poverty and injustice suffered by entire societies due to systemic corruption. Do you think there was any terrorism associated with the Arab Spring?

If one wants to look back a little further in history, I would submit that China is the prime example of the 20th century. For all the hand wringing about “Who Lost China”, I think a clear key was the endemic corruption of the Nationalists and their allies. Their corruption helped remove the moral authority of their government and allowed the Communists to take up that mantle in the 1940s. The Nationalists were certainly defeated on the battlefield but the groundwork was laid in large part due to the corruption of their government. It really did not matter how much money, foreign aid and material the US government provided to Chiang Kai-shek; his cronies and his government simply stole it, sold it or gave it away for other favors.

Moving to today’s news, the government of Thailand is currently under siege by its own citizens. While economic issues are certainly a part of the problem, so is the corruption of the government. The corruption is so bad that even China has scrapped a deal to purchase some 1.2MM tons of rice from Thailand. Michael Peel, writing in the Financial Times (FT), in an article entitled “China ditches Thai rice deal over concern on corruption”, pointed out that this “is about 14 percent of [Thailand’s] annual exports.” He said “Beijing was spooked by the Thai national anti-graft agency’s probe into the rice support programme.” One Thai government official said that the Chinese pulled out of the deal because they “lacked confidence to do business with us”. Peel also wrote that this program is “soaking up $4bn a year officially and much more by other estimates.” What does it say about a country’s government that the Chinese will not do business with it because it is too corrupt?

Now I understand how terrorists use corruption both as a strategy and a tool. Moreover, when you begin to understand these inter-related theoretical underpinnings of corruption and terrorism, you can see why aggressive enforcement of anti-corruption laws such as the FCPA and UK Bribery Act is so important and is here to stay. In another blog post entitled “9/11 and the FCPA” Cassin said, “What happened that day a decade ago changed the way the world looks at corruption. The tracks of the 9/11 perpetrators and those who helped them led back to corrupt third-world countries — Afghanistan, Sudan, Somalia, Yemen, and others. Those regimes had leaky borders, weak passport control, unreliable law enforcement agencies, poor anti-money laundering programs — just what the bad guys needed.”

I do not have any insight into the discussions of the Bush Administration after 9/11 about ways to fight terrorism. But just as governments have a role to play by being part of the solution, so do private businesses. Fedotov said that preventive action was needed by Chief Executive Officers (CEOs) in their boardrooms as much as by police on the streets or civil servants in their departments: “All of us must contribute to a culture of integrity. The eyes previously closed to corruption must become the open eyes of justice and equality.” For the DOJ and the SEC this means continued enforcement of the FCPA so that companies subject to the Act will move forward to do business in a way that does not start down the slippery slope to terrorism. Simply because the FCPA was passed in the post-Watergate era does not mean that it cannot be used for today’s problem.

January 31, 2014

The Engineer’s Thumb and How to Bribe

We conclude our week of Sherlock Holmes inspired themes with one of the few cases in which Holmes fails to bring the criminals to justice, The Adventure of the Engineer’s Thumb. In this adventure a young engineer, Victor Hatherley, arrives at Dr. Watson’s surgery with a gruesome injury, a severed thumb. He relates his tale to Watson, who then takes him to see Holmes. Hatherley was hired to inspect a hydraulic press by one Lysander Stark, who claims that it is used to compress fuller’s earth into bricks. However, when Hatherley goes to Stark’s country residence to inspect the machine he discovers that it is actually a printing press used to create counterfeit money. He tries to flee and, in the process, is forced to jump from a second story window, getting his thumb severed by Stark’s cleaver. Hatherley, Watson and Holmes arrive at the Stark residence as the house is on fire, and the perpetrators have fled.

Once again using the Holmes tale as a contrast I refer to the recently released white paper, published by Transparency International UK (TI-UK), entitled “How to Bribe: A typology of Bribe-Paying and How to Stop It”. It was created by TI-UK, lawyers from the London firm of Pinsent Masons and thebriberyact.com, with principal author Julia Muravska and editors Robert Barrington and Barry Vitou. Just as Stark hid the true purpose of his hydraulic press, the title of this work does not convey its true use in how to stop bribes and bribery schemes by identifying them.

Barry Vitou, partner in Pinsent Masons and co-founder of thebriberyact.com, states in the foreword that “This handbook is perfect for General Counsel, Chief Compliance Officers and anyone in any company responsible for anti-bribery compliance from the Board of Directors, down. The purpose is to show how people pay bribes in practice. The examples are based on realistic experiences or real cases. Many bribery cases receive little attention. Often the focus is on the international examples in far away places where, it is sometimes said, you have to ‘pay the man’ to get business done. The impression given is that it would never happen at home. Yet it does. While the first two sections focus on the how, why and when bribes are sometimes paid in a short final section the handbook covers some examples of more prosaic bribery, at home. Who said it could never happen here? Transparency International deserve credit, once again, for putting together a document designed to be practical and helpful for those keen to avoid falling into the trap of bribery.” The white paper has three main sections.

Section I: What is a Bribe?

In this section, the authors review what constitutes a bribe. Recognizing that cash will always be king, they also take a look at excessive gifts, entertainment and travel, charitable donations and political contributions, favors to family members or friends and even the Foreign Corrupt Practices Act (FCPA) exempted facilitation payments. I particularly found the discussion of facilitation payments interesting in light of the recent claims that Archer Daniels Midland Company (ADM) in the Ukraine and Wal-Mart in Mexico were essentially making facilitation payments.

The authors end this section with the following guidance about the specific types of bribe and how to spot them.

Section 2: How Bribes are Paid?

In this section, the white paper lays out a variety of different bribery schemes. Of course they include agents, distributors, intermediaries, introducers, sub-contractors, representatives and the like. But they also detail schemes that the compliance practitioner should acquaint himself or herself with. These bribery schemes include false or inflated invoicing or products, offshore payment arrangements and off-balance sheet payments, joint ventures, training, per diems and expense reimbursement arrangements, rebates and discounts and employment agreements. Once again, the authors end this section with guidance on how to spot and stop each of the bribery schemes they detail.

Section 3: Bribery On Your Doorstep

In this section, the authors cite to cases and examples that were derived from real cases and illustrate how bribes can be paid within the UK. They note that even though “bribery is illegal across the board in the UK, experience shows that bribery also happens in the UK” and cite several reports. The first was by TI-UK and it showed that 5% of citizens polled in the UK said they had paid a bribe at least once in the past twelve months. Further, a recent survey of the construction sector found that more than a third of the industry professionals polled stated that they had been offered a bribe or incentive on at least one occasion. Lastly, the white paper notes that the first three prosecutions under the UK Bribery Act were for bribes paid in the UK. So the authors conclude “It is fair to say that in common with many other countries, UK public officials are susceptible to bribery. Public officials are almost all, universally, paid less than their peers may be paid in the private sector but in many cases in their hands rests the power to make decisions which have huge financial consequences for others. All the ingredients for paying a bribe exist. Likewise, bribes may be paid in the private sector, and there is increasingly a grey area between public and private sector as government services are contracted out.” In this section, some of the examples are inflated invoices, bribes to local planning departments, excessive expenses for training, and even an example of bribes paid to police.

Suggested Reading

Although neither this blog nor the books I have published on anti-corruption compliance made their list, there is an excellent resource list at the end of the white paper for additional reading and research on the subject. It ranges from government guidance to David Lawler’s excellent text “Frequently Asked Questions in Anti-Bribery and Corruption”. Their list is an excellent resource in and of itself.

So we finish our Sherlock Holmes themed blogs. I hope that you have enjoyed the stories and tie-ins as much as I have enjoyed revisiting them this past week.

January 30, 2014

Inspector Lestrade – Does Leadership Matter?

Continuing our Sherlock Holmes homage, today we draw inspiration from the character of Inspector Lestrade as the theme of this blog post. In the original Doyle works, he appears in 13 of the stories and we are only introduced to him as Inspector G. Lestrade. In the current PBS series, we are informed his given name is Greg. Lestrade is not exactly the sharpest tack in the shed, as evidenced by Holmes’ comments that he is “an absolute imbecile” from The Red-Headed League and the “best of a bad lot” from The Boscombe Valley Mystery.

I thought about Inspector Lestrade when I read some of the comments of UBS Chief Executive Officer (CEO), Sergio Ermotti, as reported in the Wall Street Journal (WSJ) article entitled “UBS Chief’s Plea: Stop ‘Lecturing’ to Bankers” by David Enrich and Francesco Guerrera. UBS has not exactly been a law abiding corporate citizen over the past few years. As you might recall, this is the company which had a $2.3 billion trading loss from one individual. It is also the company that assisted approximately 17,000 American clients with illegally hiding $20bn of assets to avoid paying taxes on this money. UBS paid a fine of $780MM for these actions. But there is much more, as UBS also agreed to pay another $1.5 billion fine for its criminal actions in manipulating the LIBOR. What would you say the ‘tone’ is at UBS about complying with the law?

With all of these fines, penalties and criminal pleas behind him, Ermotti does not seem to think there is any room for criticism of his company. Rather unbelievably, Ermotti was quoted as saying, “Life is hard enough, and I think this constant lecturing on ethics and on integrity by many stakeholders is probably the most frustrating part of the equation. Because I don’t think there are many people who are perfect.” For those of you who might want that translated to Texan, the equivalent phrase is a very nasal twang of “Glass houses dear”. For the more spiritual out there you could fall back on “Let he who is without sin cast the first stone.” Perhaps the most relevant question would simply be ‘How many angels dance on the head of a pin?’

Late last year, I engaged in a dialogue with other Foreign Corrupt Practices Act (FCPA) commentators about whether motives matter in anti-corruption enforcement actions. I opined, in a post entitled “Does Motive Matter in Anti-Bribery and Anti-Corruption Enforcement?”, that it really does not matter what the motives are for the Chinese government officials in prosecuting western companies which violate Chinese national anti-bribery laws; if a company breaks the law, it can be subject to prosecution. The FCPA Professor, in a post entitled “Should Motivations Matter”, said that impure motives do matter in anti-corruption enforcement actions, whether in China or the US. Others have suggested that the FCPA enforcement itself is hypocritical because the US allows gifts, entertainment, charitable donations and a wide variety of other acts to be given as a quid pro quo to US government officials, usually without criminal prosecution.

But Ermotti takes this debate to an entire new level. Now you cannot even criticize his bank unless you are ‘perfect’. Further, showcasing the obvious knowledge of his 60,000 plus employee base, Ermotti “said in the interview that most of the bad behavior that has landed UBS and others in hot water was caused by small groups of rogue employees and doesn’t reflect broader cultural problems in the industry. “It’s not because you’re a banker that you’re a criminal”.” This was in the face of criticism at the World Economic Forum in Davos (where Ermotti was interviewed and made his remarks) that “In a private meeting held between bank CEOs and central bankers and regulators Friday, several participants pointed to banks’ “conduct” issues as undermining efforts to rebuild public and investor confidence in the industry, according to executives and central bankers who were there.” This can be contrasted with Bank of England Governor Mark Carney who said at the same conference, “Whether or not [the industry] thrives will rest on the efforts of individuals and organizations to re-establish the system’s reputation for integrity”.

Yet again Ermotti doubled down when he claimed that the group, which cannot criticize, includes regulators and enforcement officials. This statement is almost the equivalent of another equally enlightened (former) CEO, Bob Diamond, who once ran Barclays and “told British lawmakers in 2011 that “there was a period of remorse and apology for banks. That period needs to be over.” The next year, Mr. Diamond was forced to resign after Barclays admitted trying to rig interest rates.” Ooops.

What does all of this say about the top of this once august organization? First and foremost, how would you like to be the person who has to ‘speak truth to power’ if your CEO says that only the ‘perfect’ can bring forward criticism? Do the words ‘career suicide’ ring any bells here? But more importantly you have a company which entered into a Deferred Prosecution Agreement (DPA) regarding its tax evasion violations and then pled guilty to criminal conduct; as reported in another WSJ article, “Regulators described the alleged illegality as “epic in scale,” with dozens of traders and managers in a UBS-led ring of banks and brokers conspiring to skew interest rates to make money on trades.” What would you say about its ‘tone-at-the-top’? Are they committed to following the law? How about complying with the terms of their multiple settlement agreements with US regulators? How about changing the culture in their organization, not simply to make compliance a goal but actually obey the law? What about instituting and then following a best practices program for compliance with anti-corruption laws such as the FCPA or Bribery Act; anti-tax evasion laws such as the Foreign Account Tax Compliance Act (FATCA); relevant anti-money laundering (AML) laws; or indeed others?

Without a hint of irony, the WSJ piece on Ermotti’s remarks ends with the following quote from him, “The banking industry is an easy target.” I wonder if Ermotti has the self-awareness of Inspector Lestrade to understand the wisdom of his words?

January 28, 2014

Silver Blaze and Leadership-Find It, Fix It and Prevent It

Today, we continue our Sherlock Holmes week by drawing inspiration for lessons for the compliance practitioner from the story of Silver Blaze. In this story, a star racehorse disappears, Holmes pulls out his usual deductions to determine where the horse can be found but turns to the lack of an action to deduce why the horse was stolen. The lack of a dog bark in the horse’s stable tells Holmes that the thief was known to both the dog and to Silver Blaze.

I thought about the story of Silver Blaze when reading this week’s Corner Office column in the New York Times (NYT), entitled “Want to Succeed? Be Accountable”, by Adam Bryant, where he interviewed Noreen Beaman, the Chief Executive Officer (CEO) of Brinker Capital. Beaman was the oldest of four sisters and this gave her an interesting perspective growing up. She said, “Part of it was having a feedback loop of younger sisters. We were close in age, so they were some of my best informants in high school. They would say: ‘Really? That wasn’t a great idea. Maybe if you stopped and listened, you would’ve heard what someone was saying.’” Clearly she received feedback, but it was from a source that she listened to when it was provided to her.

After a flush of early success in her career as a company Chief Financial Officer (CFO) she moved into sales. She made a major mistake on a transaction that went sideways. As Beaman put it “I was in the penalty box.” But through hard work and determination, she overcame this error and learned from it. She said that the entire experience made her both more accessible and “it made me have more humility”.

One of the most interesting things that Beaman said was that one of her company’s mantras is “Find it, fix it and prevent it.” That seems to me to be a pretty good way for a compliance practitioner to look at things, particularly if you consider the FCPA Guidance formula of “prevention, detection and remediation” for a best practices anti-corruption compliance program. To facilitate this culture, Beaman said that one of the skills valued at Brinker Capital is accountability. She said, “We make sure everyone’s in a position to be successful. Then, when you’re not successful, we have to have a conversation. You need to hold up your end of the bargain. Sometimes you’re not a good culture fit because you don’t want to be held accountable, and sometimes you’re a great culture fit and we just didn’t give you the right training, so we’ll do that. Sometimes you’ll make a mistake. Life happens. But let’s not do it again.”

For the compliance practitioner, I think that Beaman’s example demonstrates the need for a Chief Compliance Officer (CCO) to take the initiative in showing how the role they play inside the organization is far more than just a legal minimum or people-based risk management. A CCO, and indeed the entire compliance function, should be seen as a partner to the business folks. This will help to create the deeper relationships that will not only make it easier for the group to do its job, but also help it to be seen as a vital part of the organization’s long-term strategy. It will also help when there is something askance in the compliance function. As noted by Mike Volkov, in his blog post entitled “Chief Compliance Officers: Under a Microscope”, CCOs have to educate the Board and the C-Suite on what exactly is reasonable to expect and how the compliance program is designed to achieve these results. Along the way, CCOs have to make sure they can show that compliance is a valuable contributor to the company’s bottom line.

Beaman also said one thing that I have heard numerous CEOs say over the years, which is that one of the most important skills they have learned is listening. Beaman related “You have to be a little more indulgent with people sharing ideas around the table, even if 25 percent of them are distractions. C.E.O.’s are usually Type A’s to begin with, and I’m a little chatty. And now I’m in this room full of smart, dynamic people who all want to be heard. So what I had to learn is to be quiet, to listen, to keep everyone committed and at the table.”

As a hard charger, she does want to make decisions and move on. So she has to consciously slow herself down, “to really slow down and be present in the moment.” Part of this turns on setting “realistic expectations and goals, and be sensitive to the tempo around you. It’s about meeting people where they are as opposed to expecting people to meet you where you are. Everyone comes from a different point of view. I have a big personality and I know that I can come on a little strong, so a lot of times I’ll slow it down.”

Beaman also had some interesting thoughts on interviewing. She is clearly engaged by potential hires that are intellectually curious. One of the things that she considers is whether the interviewee has any questions for her. She said that “One, it tells me if you’ve prepped. Two, it tells me how interested you are.” A second thing that she inquires about is what books they read. If they are not a book reader, she asks about magazines and newspapers. She related that “I’m interested to know how intellectually curious you are. In our world today, if you’re not actively learning every day, you really are not competitive. There’s too much going on. I can never know everything going on around me, so I need to know that there are people around me who are learning other things, so we create a more cohesive view.”

For the compliance professional out there interviewing, I found these last couple of points quite instructive. Many times it seems that there is so much information in the compliance field that it is difficult to keep up in our profession. But here, the CEO of a major corporation wants to see intellectual curiosity in candidates because she believes this will make a better employee.

Beaman’s journey certainly has been wide-ranging. I believe that her experience can assist the compliance practitioner with ways to think about his or her position within a company and how it can be executed. And just like in Silver Blaze, sometimes when nothing is said, it speaks louder than mere words…

January 24, 2014

Getting Your Company Ready for M&A Compliance Due Diligence

Who was the absolute worst general during the Civil War? While there are many worthy candidates for this dubious honor, on the Southern side my vote goes to General John Bell Hood. One of the prime proponents of the Southern attack and die strategy, Hood’s leadership led to the destruction of 90% of his Texas Brigade at Antietam. But Hood is most famous for his utter destruction of the Army of Tennessee. In five months, from July to November of 1864 Hood unsuccessfully attacked Union General William T. Sherman’s army three times near Atlanta, relinquished the city after a month-long siege, then took his army back to Tennessee in the fall to draw Sherman away from the Deep South. Sherman dispatched part of his army to Tennessee, and Hood lost two battles at Franklin and Nashville in November and December 1864. There were about 65,000 soldiers in the Army of Tennessee when Hood assumed command in July. By January 1, there were only 18,000 men in the army. To top it off, it was not Sherman who burned Atlanta but Hood.

My thoughts turned to General Hood when I listened to a very interesting panel on Day 2 of the ACI FCPA Boot Camp about getting your target company ready to be scrutinized from the compliance context in mergers and acquisitions (M&A) due diligence. On the panel were Alberto Orozco from PricewaterhouseCoopers (PwC), Joseph Burke from Dell Inc., and Christina Lunders from the law firm of Norton Rose Fulbright.

Building on a fundamental theme from day one of the conference, Burke said that relationship building is also important in the M&A context, from the perspective as a buyer. Representing an acquirer, the key questions from his perspective were two-fold: whether or not we trust the company we are looking at and how will they integrate into our company? He believed that trust is what gets the deal done or does not. He begins by sitting down with his counter-part, senior management and key legal department personnel in the target company and talking to them. If they can talk with authority about their compliance function he can determine how much he will dig into the documents and records.

Orozco agreed with this perception but came at it from his accounting angle. He said that if your books and records are in order, you really do not need to do anything more. The next step he looks at is whether you have a compliance program and whether the target’s employees know about it. This is critical so that the buyer will have an understanding of what is needed from the compliance perspective from day one of the acquisition closing.

They then turned to the perspective of a target and what you should have in place for such an analysis. It all begins with a compliance focused risk assessment and this should be done first as this is a key starting point to determine not only if the target has an effective compliance program but also if the target is actually ‘doing compliance’. Of course it is important for a target to know about its relationships with foreign governments, whether as customers or representatives on the sales side or in the supply chain.

They posited that a target should make sure that it has a compliance program, which is consistent with an international standard for an anti-bribery or anti-corruption program, whether it is the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or some other recognized international standard. The target should gather and verify the completeness of the following anti-corruption policies and procedures:

  • Anti-corruption/anti-bribery;
  • Petty cash;
  • Travel, meals, and entertainment;
  • Gifts, donations, sponsorships, political contributions, lobbying;
  • Retention, use and compensation of intermediaries/third parties;
  • Disbursements;
  • Recording of intercompany transactions; and
  • Authorization for expenditure/levels of authority.

They believe that it is important for a target to gather and verify the completeness of relevant books and records. They specifically listed the following:

  • Monthly trial balances;
  • Customer lists;
  • Vendor lists;
  • General ledger accounts for the following:
      • Gifts, entertainment and hospitality;
      • Travel;
      • Donations, sponsorships, and political contributions;
      • Marketing and commissions expenses;
      • Consulting fees;
      • Petty cash; and
      • Miscellaneous expenses.

They next suggested the documents and records be readied for review from the compliance perspective, on the following topics:

  • Facilitation payments;
  • Advertising and marketing;
  • Government tenders and bidding packages;
  • Employee expense reports;
  • Procurement;
  • Licenses and permits;
  • Records management;
  • Transfer pricing; and
  • Information on how policies/procedures are distributed and compliance acknowledged within the target organization.

Lastly, they provided a list of topics for which documents should be gathered and the target should be prepared to discuss early on with the compliance representative of the acquirer on the subject of any past corruption issues which may have arisen or been identified, together with their resolution. The target should be prepared to deliver factual details, relevant documents, and information on findings and how the matters were resolved. This group of documents should include internal or external reviews, audits or investigations over the past ten years, including any outstanding compliance issues, such as whistleblower and hotline complaints.

In the area of corporate governance they suggested that the target gather Board of Directors and any management meeting minutes from the past five years and have them available for review. A target should also be prepared to make available for interview key personnel including the General Counsel (GC), Chief Financial Officer (CFO), Chief Executive Officer (CEO) and the heads of Internal Audit, International Sales and Compliance.

From the perspective of the acquiring entity, they suggested that you take a close look at the files of as many of the target’s third parties as is reasonable for the size of the acquisition and the time frame you have. These include gathering and verifying the completeness of the following third party files: due diligence; contracts/agreements; records of compensation payment for past 5 years to determine whether compensation is reasonable, especially if in a high-risk area or for business involving foreign officials and, finally, make a determination of how to address any potential red flags.

They also discussed some of the potential red flags which might be present in these documents. Some of these red flags could include a history of corruption in the country where business occurs; numerous or frequent interactions with foreign officials; unusual payment patterns or arrangements with third parties; or third parties which refuse to certify compliance, demand payment in cash, provide incomplete or inaccurate information, request payment made to someone else or to a bank outside of the country of domicile, or are close with foreign government officials.

I thought Burke’s perspective was akin to trust but verify. He reiterated several times that it is reasonably straightforward to determine if a target company takes ‘doing compliance’ seriously. From there, you can use analytics to review the numbers and try and make a determination about obvious red flags and high-risk areas. This allows him to help to make a more accurate remediation plan to begin at closing. It also allows him to advise the business unit involved on what the cost for such integration would be, how long the business would be disrupted by such integration and the complexities of acquiring company’s compliance program implementation.

As to the cost for failing to do so, just think of the loss of the Army of Tennessee from the leadership of John Bell Hood.
