FCPA Compliance and Ethics Blog

April 2, 2014

Life Cycle of Third Party Management – Step 3 – Due Diligence

Five stepsMost companies fully understand the need to comply with the Foreign Corrupt Practices Act (FCPA) Act regarding third parties as they represent the greatest risks for an FCPA violation. However most companies are not created out of new cloth but are ongoing enterprises with a fully up and running business in place. They need to bring in resources to comply with the FCPA while continuing to do business. This can be particularly true in the area of performing due diligence on third parties. Many companies understand the need for a robust due diligence program to investigate third parties, but have struggled with how to create an inventory to define the basis of risk of each foreign business partner and, thereby, perform the requisite due diligence required under the FCPA.

Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner. However, the information that you should have developed in Steps 1 & 2 of the life cycle of third party management should provide you with the initial information to consider the level of due diligence that you should perform on third parties. This leads to today’s topic of Step 3 in the five steps of the life cycle management of third parties – Due Diligence.

Jay Martin, Chief Compliance Officer (CCO) at BakerHughes, often emphasizes, when he speaks on the topic, that a company needs to evaluate and address its risks regarding third parties. This means that an appropriate level of due diligence may vary depending on the risks arising from the particular relationship. So, for example, the appropriate level of due diligence required by a company when contracting for the performance of Information Technology (IT) services may be low, to reflect low risks of bribery on its behalf. Conversely, a business entering into the international energy market and selecting an intermediary to assist in establishing a business in such markets will typically require a much higher level of due diligence to mitigate the risks of bribery on its behalf.

Our British compliance cousins of course are subject to the UK Bribery Act. In its Principle VI of an Adequate Procedures compliance program, the UK Ministry of Justice (MOJ) stated, “The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.” The purpose of Principle VI is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from bribing on their behalf. The MOJ recognized that due diligence procedures act both as a procedure for anti-bribery risk assessment and as a risk mitigation technique. The MOJ said that due diligence is so important that “the role of due diligence in bribery risk mitigation justifies its inclusion here as a Principle in its own right.”

Carol Switzer, writing in Compliance Week, related that you should initially set up categories for your third parties of high, moderate and low risk. Based upon which risk category the third party falls into, you can design specific due diligence. She defined low risk screening as “trusted data source search and risk screening such as the aforementioned World Compliance”; moderate risk screening as “enhanced evaluation to include in-country public records…and research into corporate relationships”; high risk screening is basically a “deep dive assessment” where there is an audit/review of third party controls and financial records, in-country interviews and investigations “leveraging local data sources.”

A three-step approach was also discussed favorably in Opinion Release 10-02. In this Opinion Release, the Department of Justice (DOJ) discussed the due diligence that the requesting entity performed. “First, it [the requestor] conducted an initial screening of six potential grant recipients by obtaining publicly available information and information from third-party sources…Second, the Eurasian Subsidiary undertook further due diligence on the remaining three potential grant recipients. This due diligence was designed to learn about each organization’s ownership, management structure and operations; it involved requesting and reviewing key operating and assessment documents for each organization, as well as conducting interviews with representatives of each MFI to ask questions about each organization’s relationships with the government and to elicit information about potential corruption risk. As a third round of due diligence, the Eurasian Subsidiary undertook targeted due diligence on the remaining potential grant recipient, the Local MFI. This diligence was designed to identify any ties to specific government officials, determine whether the organization had faced any criminal prosecutions or investigations, and assess the organization’s reputation for integrity.”

Based upon the wisdom of the aforementioned compliance experts, Opinion Release 10-02 and others I have reviewed break due diligence down into three stages: Level I, Level II and Level III. A very good description of the three levels of due diligence was presented by Candace Tal in a guest post, entitled “Deep Level Due Diligence: What You Need to Know”.

Level I

First level due diligence typically consists of checking individual names and company names through several hundred Global Watch lists comprised of anti-money laundering (AML), anti-bribery, sanctions lists, coupled with other financial corruption & criminal databases. These global lists create a useful first-level screening tool to detect potential red flags for corrupt activities. It is also a very inexpensive first step in compliance from an investigative viewpoint. Tal believes that this basic Level I due diligence is extremely important for companies to complement their compliance policies and procedures; demonstrating a broad intent to actively comply with international regulatory requirements.

Level II

Level II due diligence encompasses supplementing these Global Watch lists with a deeper screening of international media, typically the major newspapers and periodicals, from all countries plus detailed internet searches. Such inquiries will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company, the third party’s key executives and associated parties. I believe that Level II should also include an in-country database search regarding the third party. Some of the other types of information that you should consider obtaining are country of domicile and international government records; use of in-country sources to provide assessments of the third party; a check for international derogatory electronic and physical media searches, you should perform both English and foreign-language repositories searches on the third party, in its country of domicile, if you are in a specific industry, using technical specialists you should also obtain information from sector specific sources.

Level III

This level is the deep dive. It will require an in-country ‘boots-on-the-ground’ investigation. I agree with Tal that a Level III due diligence investigation is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence to identify known and more importantly unknown conditions. Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth assessment to an in country investigation.” Further, the “Direction of the work and analyzing the resulting data is often critical to a successful outcome; and key to understanding the results both from a technical perspective and understanding what the results mean in plain English. Investigative reports should include actionable recommendations based on clearly defined assumptions or preferably well-developed factual data points.”

But more than simply an investigation of the company, critically including a site visit and coupled with onsite interviews, Tal says that some other things you investigate include “an in-depth background check of key executives or principal players. These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.” Tal believes that such “Reputational information, involvement in other businesses, direct or indirect involvement in other law suits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publicly.”

Further, you may need to engage a foreign law firm, to investigate the third party in its home country to determine the third party’s compliance with its home country’s laws, licensing requirements and regulations. Lastly, and perhaps most importantly, you should use Level III to look the proposed third party in the eye and get a firm idea of his or her cooperation and attitude towards compliance as one of the most important inquiries is not legal but based upon the response and cooperation of the third party. More than simply trying to determine if the third party objected to any portion of the due diligence process or did they object to the scope, coverage or purpose of the FCPA; you can use Level III to determine if the third party is willing to stand up with you under the FCPA and are you willing to partner with the third party.

The Risk Advisory Group, has put together a handy chart of its Level I, II and III approaches to integrity and due diligence. I have found it useful in explaining the different scopes and focuses of the various levels of due diligence.

Level Issues Addressed Scope of Investigation
One
  • That the company exists
  • Identities of directors and shareholders
  • Whether such persons are on regulators’ watch lists
  • Signs that such persons are government officials
  • Obvious signs of financial difficulty
  • Signs of involvement in litigation
  • Media reports linking the company to corruption
  • Company registration and status
  • Registered Address
  • Regulators’ watch lists
  • Credit Checks
  • Bankruptcy/Liquidation Proceedings
  • Review accounts and auditors comments
  • Litigation search
  • Negative media search
Two As above with the following additions:

  • Public Profile integrity checks
  • Signs of official investigations and/or sanctions from regulatory authorities
  • Other anti-corruption Red Flags
As above with the following additions:

  • Review and summary of all media and internet references
  • Review and summary of relevant corporate records and litigation filings, including local archives
  • Analysis and cross-referencing of all findings
Three As above with the following additions:

  • But seeking fuller answers to any questions raised by drawing on a wider range of intelligence sources and/or addressing specific issues of potential concern already identified

 

As above with the following additions:

  • Enquiries via local sources
  • Enquiries via industry experts
  • Enquiries via western agencies such as embassies or trade promotion bodies
  • Enquires via sources close to local regulatory agencies

As you can see from this blog post, there are many different approaches to the specifics of due diligence. By laying out some of the approaches of other experts in the field, I hope that you can craft the relevant portions into your program. The Level I, II & III trichotomy appears to have the greatest favor and one that you should be able to implement in a straightforward manner. However, as Jay Martin constantly says, you need to assess your company’s risk and manage that risk. So if you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to Document, Document and Document all your due diligence.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 1, 2014

Life Cycle of Third Party Management – Step 2 Questionnaire

Five stepsToday, I continue my five-part series on the life cycle of third party management under an anti-bribery/anti-corruption regime such the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act, reviewing Step 2, which I label as the “Questionnaire”. The term ‘questionnaire’ is mentioned several times in the FCPA Guidance. It is generally recognized as one of the tools that a company should complete in its investigation to better understand with whom it is doing business. I believe that this requirement is not only a key step but also a mandatory step for any third party that desires to do work with your company. I tell clients that if a third party does not want to fill out the questionnaire or will not fill it out completely that you should not walk but run away from doing business with such a party.

In the 2011 UK Ministry of Justice’s (MOJ), discussion of Six Principals of an Adequate Procedures compliance program, they said the following about the Questionnaire, “This means that both the business person who desires the relationship and the foreign business representative commit certain designated information in writing prior to beginning the due diligence process.” Indeed, the use of a Questionnaire was one of the key findings of Kroll’s “2012 FCPA Benchmark Report”. As reported in the FCPA Blog, in a post entitled “Compliance Officers Troubled By Third-Party Risk”:

  • 71% require third parties to complete a disclosure listing affiliations with foreign officials (65% verify that third parties adhere to the company’s code of ethics and 73% confirm that each third party is free from sanctions pertaining to compliance with anti-bribery regulation).

One of the key requirements of any successful anti-corruption compliance program is that a company must make an initial assessment of a proposed third party relationship. The size of a company does not matter as small businesses can face quite significant risks and will need more extensive procedures than other businesses facing limited risks. The level of risk that companies face will also vary with the type and nature of the third parties it may have business relationships with. For example, a company that properly assesses that there is no risk of bribery on the part of one of its associated persons will, accordingly, require nothing in the way of procedures to prevent bribery in the context of that relationship. By the same token the bribery risks associated with reliance on a third party agent representing a company in negotiations with foreign public officials may be assessed as significant and, accordingly, requires much more in the way of procedures to mitigate those risks. Businesses are likely to need to select procedures to cover a broad range of risks but any consideration by a court in an individual case of the adequacy of procedures is likely necessarily to focus on those procedures designed to prevent bribery on the part of the associated person committing the offence in question.

So what should you ask for in your questionnaire? Randy Corey, Executive Vice President (EVP), Global Compliance Officer at Edelmen Inc. said in a presentation at Compliance Week 2012, entitled “3rd Party Due Diligence Best Practices in Establishing an Effective Anti-Corruption Program”, that his company has developed a five-step approach in evaluating and managing their third parties. In Step 3 they ask What Do You Need To Know?Initially, Corley said that Scope of review depends on risk assessment, High Risk, Medium Risk or Low Risk. This risk ranking will determine the level of information collected and due diligence performed. The key element of this step is data collection. The initial step is to have the third party complete an application which should include requests for information on background and experience, scope of services to be provided, relevant experience, list of actual and beneficial owners, references and compliance expertise.

Below are some of the areas which I think you should inquire into from a proposed third party include the following:

  • Ownership Structure: Describe whether the proposed third party is a government or state-owned entity, and the nature of its relationship(s) with local, regional and governmental bodies. Are there any members of the business partner related, by blood, to governmental officials?
  • Financial Qualifications: Describe the financial stability of, and all capital to be provided by, the proposed third party. You should obtain financial records, audited for 3 to 5 years, if available. Obtain the name and contact information for their banking relationship.
  • Personnel: Determine whether the proposed agent will be providing personnel, particularly whether any of the employees are government officials. Make sure that you obtain the names and titles of those who will provide services to your company.
  • Physical Facilities: Describe what physical facilities that will be used by the third party for your work. Be sure and obtain their physical address.
  • References: Obtain names and contact information for at least three business references that can provide information on the business ethics and commercial reliability of the proposed third party.
  • PEPs: Are any of the owners, beneficial owners, officers or directors politically exposed persons (PEPs).
  • UBOs: It is imperative that you obtain the identity of the Ultimate Beneficial Owner (UBO).
  • Compliance Regime: Does the proposed third party have an anti-corruption/anti-bribery program in place? Do they have a Code of Conduct? Obtain copies of all relevant documents and training materials.
  • FCPA Training and Awareness: Has the proposed third party received FCPA training, are they TRACE certified or certified by some other recognizable entity?

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, my experience is that most proposed agents that have done business with US or UK companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to US businesses.

The questionnaire fills several key roles in your overall management of third parties. Obviously it provides key information that you need to know about who you are doing business with and whether they have the capabilities to fulfill your commercial needs. Just as importantly is what is said if the questionnaire is not completed or is only partially completed, such as the lack of awareness of the FCPA, UK Bribery Act or anti-corruption/anti-bribery programs generally. Lastly, the information provided (or not provided) in the questionnaire will assist you in determining what level of due diligence to perform. So tomorrow I will discuss due diligence.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

March 18, 2014

When to Bring in Investigative Counsel and Why

InvestigationsWhen should you bring in a true outsider to handle an internal investigation? What about specialized investigative counsel? Jim McGrath, who often writes about the need for specialized investigative counsel, has also pointed out on several occasions that having an independent eye on things is also a plus. However, rarely do we see both questions played out so publicly as is currently going on in the General Motors (G.M.) recall investigation. Indeed, Matthew Goldstein and Barry Meier discussed these  questions in Sunday New York Times (NYT) Business Section article by, entitled “G.M Calls the Lawyers”.

For those of you not familiar with G.M.’s problems, McGrath also wrote about them in his Internal Investigations Blog, in a post entitled “What Did GM Know and When Did They Know It?” McGrath describes the current issues as “the revelation that General Motors is the target of probes by Congress and by the National Highway Transportation Safety Administration over its handling of ignition switch defects in at least six of its popular automobiles. Failures in these switches may have resulted in as many as thirteen deaths and seemingly point to quality control failures at the automaker.” Others have estimated the death totals much higher for this defect. And, as McGrath notes, the key question is ‘what did GM know and when did they know it’?

Interestingly G.M. has hired two law firms to handle the investigation. One is King & Spalding, which handled much of the product liability litigation over the alleged defect and the second is Jenner & Block. In the NYT article, a prominent plaintiff’s lawyer, Lance Cooper, who fought GM and King & Spalding on this product liability litigation noted the obvious when he said, “They are part of the story.” By this he meant that “King & Spalding’s switch from a fierce defender of G.M. to a potential inquisitor into the company’s actions may also pose a conflict. For one, some of the firm’s lawyers may have to ask their own colleagues if they advised G.M. about whether to recall the vehicles at the time the Melton case was settled.”

More importantly for G.M., the retention of “outside counsel in these cases is part investigation, part public-relations gambit and part legal strategy. In most cases, the goal isn’t to publicly flog a company or its top executives, but rather to limit damage to an institution’s reputation or to contain the financial harm to shareholders of a publicly traded company. And it does so under the protection of the attorney-client privilege. From the point of view of the company, a well-done internal investigation can shape the accepted story of what happened — and produce findings that allow the company to negotiate for lower penalties from prosecutors or regulators down the road.” But, more importantly, to “achieve those ends, the law firms conducting the investigations must be viewed as forthright and uncompromised. In this respect, some critics have already questioned G.M.’s choices.”

The NYT quoted another lawyer, William McLucas, a partner at WilmerHale, who said, “If you are a firm that is generating substantial fees from a prospective corporate client, you may be able to come in and do a bang-up inquiry. But the perception is always going to be there; maybe you pulled your punches because there is a business relationship.” This is because if “companies want credibility with prosecutors and investors, it is generally not wise to use their regular law firms for internal inquiries.” Another expert, Charles Elson, a professor of finance at the University of Delaware who specializes in corporate governance, agreed, adding, “I would not have done it because of the optics. Public perception can be affected by using regular outside counsel.””

Adam G. Safwat, a former deputy chief of the fraud section in the Justice Department, said that the key is “Prosecutors expect an internal investigation to be an honest assessment of a company’s misdeeds or faults, “What you want to avoid is doing something that will make the prosecutor question the quality of integrity of the internal investigation.”” The aforementioned Jim McGrath was also interviewed for the article. He said, “A shrewd law firm that gets out in front of scandal can use that to its advantage in negotiating with authorities to lower penalties and sanctions. There is a great incentive to ferret out information so they can spin it.”

All of these concerns are equally valid in the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act investigation context. But they are layered upon the Fair Process Doctrine. This is because procedural fairness is one of the things that will bring credibility to your Compliance Program. This Doctrine generally recognizes that there are fair procedures, not arbitrary ones, in a process involving rights. Considerable research has shown that people are more willing to accept negative, unfavorable, and non-preferred outcomes when they are arrived at through processes and procedures that are perceived as fair. Adhering to the Fair Process Doctrine in your Compliance Program is critical for you, as a compliance specialist or for your Compliance Department, to have credibility with the rest of the workforce.

In internal investigations, if your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Further, those involved must have confidence that any internal investigation is treated seriously and objectively. I have recently written about several aspects of internal investigations, in order to emphasize how to handle internal whistleblower complaints in light of the Dodd-Frank implications. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the process will be fair.

This fairness has several components. One would be the use of outside counsel, rather than in-house counsel to handle the investigation. Moreover, if a company uses a regular firm, it may be that other outside counsel should be brought in, particularly if the regular outside counsel has created or implemented key components that are being investigated. Further, if the company’s regular outside counsel has a large amount of business with the company, then that law firm may have a very vested interest in maintaining the status quo. Lastly, the investigation may require a level of specialization that in-house or regular outside counsel does not possess.

Living in Houston, this all played out in disastrous results during the Enron scandal. Near the end of Enron’s run, its regular outside counsel, Vinson & Elkins, investigated questionable accounting practices at Enron. As the NYT article noted, “The firm’s investigation is viewed as an utter failure or a corporate whitewash. The review essentially gave Enron a clean bill of health just months before it collapsed in one of the biggest accounting frauds of all time. In 2006, the law firm paid $30 million to Enron’s bankruptcy estate to resolve claims that its actions had contributed to the energy company’s demise.”

All of this means, your company needs to get it right in the hiring of outside counsel to handle an investigation. As McGrath wrote at the end of his blog, “the Jenner and King people will have to make like Howard Baker and ask what the president – or other ranking person with reporting authority to NHTSA – knew and when they knew it. Because the cover-up is usually worse than the underlying wrong and this one could cost GM $35 million and its reputation.” The NYT article ended with the following, “The best internal investigations are the ones that don’t receive much media attention. A company deals with a problem quickly, and if there’s something to report to authorities, the company tends to be treated leniently for its forthrightness.” Amen.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

February 6, 2014

The FCPA and Fight Against Terrorism

Bag of CashI admit it took me awhile to finally get it. I have long wondered what could have caused the explosion in Department of Justice (DOJ) and Securities and Exchange Commission (SEC) enforcement of the Foreign Corrupt Practices Act (FCPA). Starting in about 2004, FCPA enforcement has not only been on the increase from the previous 25 years of its previous existence but literally exploded. Of course, I had heard Dick Cassin and Dan Chapman, most prominently among others, talk and write about FCPA enforcement as an anti-terrorism security issue post 9/11, but I never quite bought into it because I did not understand the theoretical underpinnings of such an analysis.

I recently finished listening to the Teaching Company’s “Masters of War: History’s Greatest Strategic Thinkers” by Professor Andrew Wilson of the Naval War College. It is a 24 lecture series on the content and historical context of the world’s greatest war strategists. In his lecture on ‘Terrorism as Strategy” Professor Wilson explained that corruption is both a part of the strategy of terrorism and a cause of terrorism. After listening to his lecture and reflecting on some of the world events which invoked both parts of his explanation, it became clear to me why FCPA enforcement exploded and, more importantly, why the US government needs to continue aggressive enforcement of the FCPA and encourage other countries across the globe to enact and enforce strong international and domestic anti-corruption and anti-bribery laws.

Corruption as a Terrorist Strategy

One need look no further than last fall’s massacre of civilians in Kenya at the Westgate Mall to see how terrorists use bribery and corruption. Dick Cassin, who has consistently written about the connection between bribery-corruption and security did so again after the attack, in a post entitled “The Price for Impunity is Higher Than Ever”, where he pointed to the continued corruption in Kenya and how this corruption led to guns and terrorists being able to cross the border and carry out the attack. Cassin said that the border controls are so porous due to corruption in Kenya that in a prior episode involving the UK Serious Fraud Office (SFO), the UK government had banned certain Kenyan government officials from traveling to the UK, in large part because the country failed to take action against obvious cases of bribery and corruption. He said, “The visa ban followed a criminal investigation by the U.K. Serious Fraud Office into contracts between the Kenyan government and U.K. shell businesses. The contracts for passport controls and border security systems went to phantom overseas companies at prices about ten times the actual cost. Kenya refused to cooperate and in early 2009 the SFO was forced to end its investigation.”

Giles Foden, in an article in The Guardian, entitled “Kenya: behind the terror is rampant corruption”, was even more specific about the culture of crime and corruption in Kenya, when he that corruption was one of the signature factors, which led to the massacre. He wrote, “In Kenya crime and terrorism are deeply linked, not least by the failure of successive Kenyan governments to control either. These attacks are part of a spectrum of banditry, with corruption at one end, terrorism at the other, and regular robbery in the middle. Money that should have been spent on security and other aspects of national infrastructure has been disappearing for generations.”

He concluded his piece with this warning, “You can gesture at the transnational problem of Islamist terrorism all you like, but it’s just hot air unless you invest in proper security on the ground in your own country, with the right safeguards to civil liberties. For now Kenya must mourn its dead. But unless the corruption stops, and real investment is made in the social fabric, Kenya will once again be faced with systemic shocks it is hardly able to deal with.”

Professor Wilson made it clear that terrorists incorporate these concepts into their overall strategy. If a country has strong border controls and government officials, which I believe is the situation here in the US and UK, then the terrorist will seek out a country friendly to the US or UK, where the government officials can be bribed or corrupted and use those as ports of entry. Similarly, they can directly attack civilians in a country like Kenya where the border is so porous that both terrorist and arms can flow through with impunity.

 Corruption as a Precursor to Terrorism

But, not only can corruption be used by terrorists, ironically, it can also be the cause of terrorism. One only need look at the Arab Spring and what started it. It was a lone fruit and vegetable seller, Mohammed Bourazizi, who doused himself in paint thinner and set himself on fire in front of a local municipal office because of the corruption of Tunisian government officials and police officers. Yuri Fedotov, head of the United Nations Office of Drugs and Crimes (UNODC) has said that the Arab Spring’s call for greater democracy was “an emphatic rejection of corruption and a cry for integrity” and that the international community must listen to the millions of people involved. At the center of the Arab Spring movement was a deep-seated anger at the poverty and injustice suffered by entire societies due to systemic corruption. Do you think there was any terrorism associated with the Arab Spring?

If one wants to look back a little further in history, I would submit that China is the most prime example of the 20th century. For all the hand wringing about “Who Lost China”, I think a clear key was the endemic corruption of the Nationalist and their allies. Their corruption helped remove the moral authority of their government and allowed the Communists to take up that mantle in the 1940s. The Nationalists were certainly defeated on the battlefield but the groundwork was laid in large part due to the corruption of their government. It really did not matter how much money, foreign aid and material that the US government provided to Chaing Kai-Shek; his cronies and his government simply stole it, sold it or gave it away for other favors.

Moving to today’s news, the government of Thailand is currently under siege by its own citizens. While economic issues are certainly a part of the problem, so is the corruption of the government. The corruption is so bad that even China has scrapped a deal to purchase some 1.2MM tons of rice from Thailand. Michael Peel, writing in the Financial Times (FT), in an article entitled “China ditches Thai rice deal over concern on corruption”, pointed out that this “is about 14 percent of [Thailand’s] annual exports.” He said “Beijing was spooked by the Thai national anti-graft agency’s probe into the rice support programme.” One Thai government official said that the Chinese pulled out of the deal because they “lacked confidence to do business with us”. Peel also wrote that this program is “soaking up $4bn a year officially and much more by other estimates.” What does it say about a country’s government that the Chinese will not do business with because they are too corrupt?

Now I understand how terrorists use corruption both as a strategy and a tool.  Moreover, when you begin to understand these inter-related theoretical underpinnings of corruption and terrorism, you can see why aggressive enforcement of anti-corruption laws such as the FCPA and UK Bribery Act is so important and is here to stay. In another blog post entitled 9/11 and the FCPA” Cassin said, “What happened that day a decade ago changed the way the world looks at corruption. The tracks of the 9/11 perpetrators and those who helped them led back to corrupt third-world countries — Afghanistan, Sudan, Somalia, Yemen, and others. Those regimes had leaky borders, weak passport control, unreliable law enforcement agencies, poor anti-money laundering programs — just what the bad guys needed.”

I do not have any insight into the discussions of the Bush Administration after 9/11 about ways to fight terrorism. But just as governments have a role to play by being part of the solution, so do private businesses. Fedotov said that preventive action was needed by Chief Executive Officers (CEOs) in their boardrooms as much as by police on the streets or civil servants in their departments: “All of us must contribute to a culture of integrity. The eyes previously closed to corruption must become the open eyes of justice and equality.” For the DOJ and the SEC this means continued enforcement of the FCPA so that companies subject to the Act will move forward to do business in a way that does not start down the slippery slope to terrorism. Simply because the FCPA was passed in the post-Watergate era does not mean that it cannot be used for today’s problem.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

January 31, 2014

The Engineer’s Thumb and How to Bribe

The Engineer's ThumbWe conclude our week of Sherlock Holmes inspired themes with one of the few cases in which Holmes fails to bring the criminals to justice, The Adventure of the Engineer’s Thumb. In this adventure a young engineer, Victor Hatherley, arrives at Dr. Watson’s surgery with a gruesome injury, a severed thumb. He relates his tale to Watson, who then takes him to see Holmes. Hatherley was hired to inspect a hydraulic press by one Lysander Stark, who claims that it is used to compress fuller’s earth into bricks. However when Hatherley goes to Stark’s country residence to inspect the machine he discovers that it is actually a printing press used to create counterfeit money. He tries to flee and in the process, Hatherley is forced to jump from a second story window, in the process getting his thumb severed by Stark’s cleaver. Hatherley, Watson and Holmes arrive at the Stark residence as the house is on fire, and the perpetrators have fled.

Once again using the Holmes tale as a contrast I refer to the recently released white paper, published by Transparency International UK (TI-UK), entitled “How to Bribe: A typology of Bribe-Paying and How to Stop It”. It was created by TI-UK, lawyers from the London firm of Pinsent Masons and thebriberyact.com, with principal author Julia Muravska and editors Robert Barrington and Barry Vitou. Just as Stark hid the true purpose of his hydraulic press, the title of this work does not convey its true use in how to stop bribes and bribery schemes by identifying them.

 Barry Vitou, partner in Pinsent Masons and co-founder of thebriberyact.com, states in the forward that “This handbook is perfect for General Counsel, Chief Compliance Officers and anyone in any company responsible for anti-bribery compliance from the Board of Directors, down. The purpose is to show how people pay bribes in practice. The examples are based on realistic experiences or real cases. Many bribery cases receive little attention. Often the focus is on the international examples in far away places where, it is sometimes said, you have to ‘pay the man’ to get business done. The impression given is that it would never happen at home. Yet it does. While the first two sections focus on the how, why and when bribes are sometimes paid in a short final section the handbook covers some examples of more prosaic bribery, at home. Who said it could never happen here? Transparency International deserve credit, once again, for putting together a document designed to be practical and helpful for those keen to avoid falling into the trap of bribery.” The white paper has three main sections.

Section I: What is a Bribe?

In this section, the authors review what constitutes a bribe. Recognizing that cash will always be king, they also take a look at excessive gifts, entertainment and travel, charitable donations and political contributions, favors to family members or friends and even the Foreign Corrupt Practices Act (FCPA) exempted facilitation payments. I particularly found the discussion of facilitation payments interesting in light of the recent claims that Archer Daniels Midland Company (ADM) in the Ukraine and Wal-Mart in Mexico were essentially making facilitation payments.

The authors end this section with the following guidance about the specific types of bribe and how to spot them.

Section 2: How Bribes are Paid?

In this section, the white paper lays out a variety of different bribery schemes. Of course they include agents, distributors, intermediaries, introducers, sub-contractors, representatives and the like. But they also detail schemes that the compliance practitioner should acquaint his or herself on. These bribery schemes include false or inflated invoicing or products, offshore payment arrangements and off-balance sheet payments, joint ventures, training, per diems and expense reimbursement arrangements, rebates and discounts and employment agreements. Once again, the authors end this section with the guidance on how to spot and stop each of the bribery schemes they detail.

Section 3: Bribery On Your Doorstep

In this section, the authors cite to cases and examples that were derived from real cases and illustrate how bribes can be paid within the UK. They note that even though “bribery is illegal across the board in the UK, experience shows that bribery also happens in the UK” and cite several reports. The first was by TI-UK and it showed that 5% of citizens polled in the UK said they had paid a bribe at least once in the past twelve months. Further, a recent survey of the construction sector found that more than a third of the industry professionals polled stated that they had been offered a bribe or incentive on at least one occasion. Lastly, the white paper notes that the first three prosecutions under the UK Bribery Act were for bribes paid in the UK. So the authors conclude “It is fair to say that in common with many other countries, UK public officials are susceptible to bribery. Public officials are almost all, universally, paid less than their peers may be paid in the private sector but in many cases in their hands rests the power to make decisions which have huge financial consequences for others. All the ingredients for paying a bribe exist. Likewise, bribes may be paid in the private sector, and there is increasingly a grey area between public and private sector as government services are contracted out.” In this section, some of the examples are inflated invoices, bribes to local planning departments, excessive expenses for training, and even an example of bribes paid to police.

Suggested Reading

Although neither this blog nor the books I have published on anti-corruption compliance made their list, there is an excellent resource list at the end of the white paper for additional reading and research on the subject. It ranges from government guidance’s to David Lawler’s excellent text “Frequently Asked Questions in Anti-Bribery and Corruption”.  Their list is an excellent resource in and of itself.

So we finish our Sherlock Holmes themed blogs. I hope that you have enjoyed the stories and tie-ins as much as I have enjoyed revisiting them this past week.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

January 30, 2014

Inspector Lestrade – Does Leadership Matter?

Inspector LestradeContinuing our Sherlock Holmes homage, today we draw inspiration from the character of Inspector Lestrade as the theme of this blog post. In the original Doyle works, he appears in 13 of the stories and we are only introduced to him as Inspector G. Lestrade. In the current PBS series, we are informed his given name is Greg. Lestrade is not exactly the sharpest tack in the shed, as evidenced by Holmes comments that he is “an absolute imbecile” from the The Red-Headed League and the “best of a bad lot” from The Boscombe Valley Mystery.

I thought about Inspector Lestrade when I read some of the comments of UBS Chief Executive Officer (CEO), Sergio Ermotti, as reported in the Wall Street Journal (WSJ) article entitled “UBS Chief’s Plea: Stop ‘Lecturingto Bankers” by David Enrich and Francesco Guerrera. UBS has not exactly been a law abiding corporate citizen over the past few years. As you might recall this is from the company, which had a $2.3 billion trading loss from one individual. It is also from the company that assisted approximately 17,000 Americans clients with illegally hiding $20bn of assets to avoid paying taxes on this money. UBS paid a fine of $780MM for these actions. But there is much more, as UBS also agreed to pay another $1.5 billion fine for its criminal actions in manipulating the LIBOR. What would you say the ‘tone’ is at UBS about complying with the law?

With all of these fines, penalties and criminal pleas behind him, Ermotti does not seem to think there is any room for criticism of his company. Rather unbelievably, Ermotti was quoted as saying, “Life is hard enough, and I think this constant lecturing on ethics and on integrity by many stakeholders is probably the most frustrating part of the equation. Because I don’t think there are many people who are perfect.” For those of you who might want that translated to Texan, the equivalent phrase is a very nasal twang of “Glass houses dear”. For the more spiritual out there you could fall back on “Let he who is without sin cast the first stone.” Perhaps the most relevant question would simply be ‘How many angels dance on the head of a pin?’

Late last year, I engaged in a dialogue with other Foreign Corrupt Practices Act (FCPA) commentators about whether motives matter in anti-corruption enforcement actions. I opined, in a post, entitled “Does Motive Matter in Anti-Bribery and Anti-Corruption Enforcement?”, that it really does not matter what the motives are for the Chinese government officials in prosecuting western companies, which violate Chinese national anti-bribery laws, if a company breaks the law, it can be subject to prosecution. The FCPA Professor, in a post, entitled “Should Motivations Matter”, said that impure motives do matter in anti-corruption enforcement actions, whether in China or the US. Others have suggested that the FCPA enforcement itself is hypocritical because the US allows gifts, entertainment, charitable donations and a wide variety of other acts to be given as a quid pro quo to US government officials, usually without criminal prosecution.

But Ermotti takes this debate to an entire new level. Now you cannot even criticize his bank unless you are ‘perfect’. Further, showcasing the obvious knowledge of his 60,000 plus employee base, Ermotti “said in the interview that most of the bad behavior that has landed UBS and others in hot water was caused by small groups of rogue employees and doesn’t reflect broader cultural problems in the industry. “It’s not because you’re a banker that you’re a criminal”.” This was in the face of criticism at the World Economic Forum in Davos (where Ermotti was interviewed and made his remarks) that “In a private meeting held between bank CEOs and central bankers and regulators Friday, several participants pointed to banks’ “conduct” issues as undermining efforts to rebuild public and investor confidence in the industry, according to executives and central bankers who were there.” This can be contrasted with Bank of England Governor Mark Carney who said at the same conference, “Whether or not [the industry] thrives will rest on the efforts of individuals and organizations to re-establish the system’s reputation for integrity”.

Yet again Ermotti doubled down when he claimed that the group, which cannot criticize, includes regulators and enforcement officials. This statement is almost the equivalent of another equally enlightened (former) CEO, Bob Diamond, who once ran Barclays and “told British lawmakers in 2011 that “there was a period of remorse and apology for banks. That period needs to be over.” The next year, Mr. Diamond was forced to resign after Barclays admitted trying to rig interest rates.” Ooops.

What does all of this say about the top of this once august organization? First and foremost, how you would like to be the person who has to ‘speak truth to power’ if your CEO says that only the ‘perfect’ can bring forward criticism? Do the words ‘career suicide’ ring any bells here? But more importantly you have a company which entered into a Deferred Prosecution Agreement (DPA) regarding its tax evasion violations and then pled guilt to criminal conduct that as reported in another WSJ article “Regulators described the alleged illegality as “epic in scale,” with dozens of traders and managers in a UBS-led ring of banks and brokers conspiring to skew interest rates to make money on trades.” What would you say about its ‘tone-at-the-top’? Are they committed to following the law? How about complying with the terms of their multiple settlement agreements with US regulators? How about changing the culture in their organization, not simply to make compliance a goal but actually obey the law? What about instituting and then following a best practices program for compliance with anti-corruption laws such as the FCPA or Bribery Act; anti-tax evasion laws such as the Foreign Account Tax Compliance Act (FACTA); relevant anti-money laundering (AML) laws; or indeed others.

Without a hint of irony, the WSJ piece on Ermotti’s remarks ends with the following quote from him, “The banking industry is an easy target.” I wonder if Ermotti has the self-awareness of Inspector Lestrade to understand the wisdom of his words?

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

January 28, 2014

Silver Blaze and Leadership-Find It, Fix It and Prevent It

Silver BlazeToday, we continue our Sherlock Holmes week by drawing inspiration for lessons for the compliance practitioner from the story of Silver Blaze. In this story, a star racehorse disappears, Holmes pulls out his usual deductions to determine where the horse can be found but turns to the lack of an action to deduce why the horse was stolen. The lack of a dog bark in the horse’s stable tells Holmes that the thief was known to both the dog and to Silver Blaze.

I thought about the story of Silver Blaze when reading this week’s Corner Office column in the New York Times (NYT), entitled “Want to Succeed? Be Accountable”, by Adam Bryant, where he interviewed Noreen Beaman, the Chief Executive Officer (CEO) of Brinker Capital. Beaman was the oldest of four sisters and this gave her an interesting perspective growing up. She said, “Part of it was having a feedback loop of younger sisters. We were close in age, so they were some of my best informants in high school. They would say: “Really? That wasn’t a great idea. Maybe if you stopped and listened, you would’ve heard what someone was saying.” Clearly she received feedback but it was from a source that she listened to when it provided to her.

After a flush of early success in her career as a company Chief Financial Officer (CFO) she moved into sales. She made a major mistake on a transaction that went sideways. As Beaman put it “I was in the penalty box.” But through hard work and determination, she overcame this error and learned from it. She said that the entire experience made her both more accessible and “it made me have more humility”.

One of the most interesting things that Beaman said was that one of her company’s mantras is “Find it, fix it and prevent it.” That seems to me to be a pretty good way for a compliance practitioner to look at things, particularly if you consider the FCPA Guidance formula of “prevention, detection and remediation” for a best practices anti-corruption compliance program. To facilitate this culture, Beaman said that one of the skills valued at Brinker Capital is accountability. She said, “We make sure everyone’s in a position to be successful. Then, when you’re not successful, we have to have a conversation. You need to hold up your end of the bargain. Sometimes you’re not a good culture fit because you don’t want to be held accountable, and sometimes you’re a great culture fit and we just didn’t give you the right training, so we’ll do that. Sometimes you’ll make a mistake. Life happens. But let’s not do it again.”

For the compliance practitioner, I think that Beaman’s example demonstrates the need for a Chief Compliance Officer (CCO) to take the initiative in showing how the role they play inside the organization is far more than just a legal minimum or people-based risk management. A CCO, and indeed the entire compliance function, should be seen as a partner to the business folks. This will help to create the deeper relationships that will not only make it easier for the group to do its job, but also help it to be seen as a vital part of the organization’s long-term strategy. It will also help when there is something askance in the compliance function. As noted by Mike Volkov, in his blog post entitled “Chief Compliance Officers: Under a Microscope, CCOs have to educate the Board and the C-Suite on what exactly is reasonable to expect and how the compliance program is designed to achieve these results.  Along the way, CCOs have to make sure they can show that compliance is a valuable contributor to the company’s bottom line.

Beaman also said one thing that I have heard numerous CEOs say over the years, which is that one of the most important skills they have learned is listening. Beaman related “You have to be a little more indulgent with people sharing ideas around the table, even if 25 percent of them are distractions. C.E.O.’s are usually Type A’s to begin with, and I’m a little chatty. And now I’m in this room full of smart, dynamic people who all want to be heard. So what I had to learn is to be quiet, to listen, to keep everyone committed and at the table.”

As a hard charger, she does want to make decisions and move on. So she has to consciously slow herself down, “to really slow down and be present in the moment.” Part of this turns on setting “realistic expectations and goals, and be sensitive to the tempo around you. It’s about meeting people where they are as opposed to expecting people to meet you where you are. Everyone comes from a different point of view. I have a big personality and I know that I can come on a little strong, so a lot of times I’ll slow it down.”

Beaman also had some interesting thoughts on interviewing. She is clearly engaged by potential hires that are intellectually curious. One of the things that she considers is whether the interviewee has any questions for her. She said that “One, it tells me if you’ve prepped. Two, it tells me how interested you are.” A second thing that she inquires about what books they read. If they are not a book reader, she asks about magazines and newspapers. She related that “I’m interested to know how intellectually curious you are. In our world today, if you’re not actively learning every day, you really are not competitive. There’s too much going on. I can never know everything going on around me, so I need to know that there are people around me who are learning other things, so we create a more cohesive view.”

For the compliance professional out there interviewing, I found these last couple of points quite instructive. Many times it seems that there is so much information in the compliance field that it is difficult to keep up in our profession. But here, the CEO of a major corporation wants to see intellectual curiosity in candidates because she believes this will make a better employee.

Beaman’s journey certainly has been wide-ranging. I believe that her experience can assist the compliance practitioner with ways to think about his or her position within a company and how it can be executed. And just like in Silver Blaze, sometimes when nothing is said, it speaks louder than mere words…

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

January 24, 2014

Getting Your Company Ready for M&A Compliance Due Diligence

John Bell HoodWho was the absolute worst general during the Civil War? While there are many worthy candidates for this dubious honor, on the Southern side my vote goes to General John Bell Hood. One of the prime proponents of the Southern attack and die strategy, Hood’s leadership led to the destruction of 90% of his Texas Brigade at Antietam. But Hood is most famous for his utter destruction of the Army of Tennessee. In five months, from July to November of 1864 Hood unsuccessfully attacked Union General William T. Sherman’s army three times near Atlanta, relinquished the city after a month-long siege, then took his army back to Tennessee in the fall to draw Sherman away from the Deep South. Sherman dispatched part of his army to Tennessee, and Hood lost two battles at Franklin and Nashville in November and December 1864. There were about 65,000 soldiers in the Army of Tennessee when Hood assumed command in July. By January 1, there were only 18,000 men in the army. To top it off, it was not Sherman who burned Atlanta but Hood.

My thoughts turned to General Hood when I listened to a very interesting panel on Day 2 of the ACI FCPA Boot Camp about getting your target company ready to be scrutinized from the compliance context in mergers and acquisition (M&A) due diligence. On the panel were Alberto Orozco from PricewaterhouseCoopers (PwC), Joseph Burke, from Dell Inc., and Christina Lunders from the law firm of Norton Rose Fulbright.

Building on a fundamental theme from day one of the conference, Burke said that relationship building is also important in the M&A context, from the perspective as a buyer. Representing an acquirer, the key questions from his perspective were two-fold: whether or not we trust the company we are looking at and how will they integrate into our company? He believed that trust is what gets the deal done or does not. He begins by sitting down with his counter-part, senior management and key legal department personnel in the target company and talking to them. If they can talk with authority about their compliance function he can determine how much he will dig into the documents and records.

Orozco agreed with this perception but came at it from his accounting angle. He said that if your books and records are in order, you really do not need to do anything more. The next step he looks at is if you have a compliance program and do the targets employees know about it. This is critical so that the buyer will have an understanding of what is needed from the compliance perspective from day one of the acquisition closing.

They then turned to the perspective of a target and what you should have in place for such an analysis. It all begins with a compliance focused risk assessment and this should be done first as this is a key starting point to determine not only if the target has an effective compliance program but also if the target is actually ‘doing compliance’. Of course it is important for a target to know about its relationships with foreign governments, whether as customers or representatives on the sales side or in the supply chain.

They posited that a target should make sure that it has a compliance program, which is consistent with an international standard for an anti-bribery or anti-corruption program, whether it is the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or some other recognized international standard. The target should gather and verify the completeness of the following anti-corruption policies and procedures:

  • Anti-corruption/anti-bribery;
  • Petty cash;
  • Travel, meals, and entertainment;
  • Gifts, donations, sponsorships, political contributions, lobbying;
  • Retention, use and compensation of intermediaries/third parties;
  • Disbursements;
  • Recording of intercompany transactions; and
  • Authorization for expenditure/levels of authority.

They believe that it is important for a target to gather and verify the completeness of relevant books and records. They specifically listed the following:

  • Monthly trial balances;
  • Customer lists;
  • Vendor lists;
  • General ledger accounts for the following:
  • Gifts, entertainment and hospitality;
  • Travel;
  • Donations, sponsorships, and political contributions;
  • Marketing and commissions expenses;
  • Consulting fees;
  • Petty cash; and
  • Miscellaneous expenses.

They next suggested the documents and records be readied for review from the compliance perspective, on the following topics:

  • Facilitation payments;
  • Advertising and marketing;
  • Government tenders and bidding packages;
  • Employee expense reports;
  • Procurement;
  • Licenses and permits;
  • Records management;
  • Transfer pricing; and
  • Information on how policies/procedures are distributed and compliance acknowledged within the target organization.

Lastly, they provided a list of topics for which documents should be gathered and the target should be prepared to discuss early on with the compliance representative of the acquirer on the subject of any past corruption issues which may have arisen or been identified, together with their resolution. The target should be prepared to deliver factual details, relevant documents, and information on findings and how the matters were resolved. This group of documents should include internal or external reviews, audits or investigations over the past ten years, including any outstanding compliance issues, such as whistleblower and hotline complaints.

In the area of corporate governance they suggested that the target gather Board of Directors and any management meeting minutes from the past five years and have them available for review. A target should also be prepared to make available for interview key personnel including the General Counsel (GC), Chief Financial Officer (CFO), Chief Executive Officer (CEO) and the heads of Internal Audit, International Sales and Compliance.

From the perspective of the acquiring entity, they suggested that you take a close look at the files of as many of the target’s third parties as is reasonable for the size of the acquisition and the time frame you have. These include gathering and verifying the completeness of the following third party files: due diligence; contracts/agreements; records of compensation payment for past 5 years to determine whether compensation is reasonable, especially if in a high-risk area or for business involving foreign officials and, finally, make a determination of how to address any potential red flags.

They also discussed some of the potential red flags, which might be present in these documents. Some of these red flags could include a history of corruption in country where business occurs; numerous or frequent interactions with foreign officials; unusual payment patterns or arrangements with third parties or third parties which refuse to certify compliance, demand payment in cash, provide incomplete or inaccurate information, request payment made to someone else; a bank outside of country of domicile or is close with foreign government officials.

I thought Burke’s perspective was akin to trust but verify. He reiterated several times that it is reasonably straightforward to determine if a target company takes ‘doing compliance’ seriously. From there, you can use analytics to review the numbers and try and make a determination about obvious red flags and high-risk areas. This allows him to help to make a more accurate remediation plan to begin at closing. It also allows him to advise the business unit involved on what the cost for such integration would be, how long the business would be disrupted by such integration and the complexities of acquiring company’s compliance program implementation.

As to the cost for failing to do so, just think of the loss of the Army of Tennessee from the leadership of John Bell Hood.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

January 22, 2014

Queen Victoria and Preparing for Your Risk Assessment

Queen VictoriaOn this day in 1901, Queen Victoria died, ending an era in which most of her British subjects know of no other monarch. She was born in 1819 and came to the throne after the death of her uncle, King William IV, in 1837. Her 63-year reign was the longest in British history. She oversaw the growth of the British Empire on which the sun never set. Queen Victoria restored dignity to the English monarchy and ensured its survival as a ceremonial political institution. She also brought a stability to the monarchy that has stayed with the country as well.

How can you bring stability to your compliance program? One of the most important steps that you can take is to regularly assess your risks through a risk assessment. I often hear some of the following questions posed by compliance practitioners regarding risk assessments: What should you put into your risk assessment? How should you plan it? What should be the scope of your risk assessment? These, and other, questions were explored in a recent article in the ACC Docket, entitled “Does the Hand Fit the Glove? Assessing Your Company’s Anti-Corruption Compliance Program” by a quartet of authors: Jonathan Drimmer, Vice President and Assistant General Counsel at Barrick Gold Corp.; Lauren Camilli, Director, Global Compliance Programs at CSC; Mauricio Almar, Latin American Regional Counsel at Halliburton; and Mara V.J. Senn, a partner at Arnold & Porter LLP.

The authors note that with all compliance programs, there is no ‘one-size-fits-all’ so your risk assessment should be tailored for your organization. In this article I will focus on the steps that you need to take leading up to the initiation of a risk assessment. The authors believe that the planning and layout of your risk assessment is a critical element for success by stating the importance of this issue cannot be over-estimated or over-emphasized.

To begin, the design of your risk assessment should be “guided by its scope and purpose.” So if this is your initial risk assessment to begin the implementation phase of a compliance program, one type of risk assessment may be needed. Conversely, if you have a mature compliance program, another type of risk assessment may be called for. If your company has moved into new or different geographic areas or has new product lines, it may require a different inquiry. The authors note, “knowing why you are conducting the assessment and what your goals are up front will make for a more efficient process and allow you to decide how in-depth your review should be.”

The authors next explore the gathering of information and developing a methodology for analyzing the results because “how you choose to gather information and what questions to ask will determine how useful your risk assessment will be for understanding your company’s risks and appropriately responding to them.” You will need to determine the number of employees to interview and who these interviewees should be for the risk assessment. While a questionnaire can be useful, you will need to consider in-person interviews as well. If it is difficult to make an initial identification of who should be interviewed, you can perform a preliminary assessment from a wider audience and then “streamline and tailor the in-person interviews.”

It is important to speak with employees who are generally considered to be ‘high-risk’ for Foreign Corrupt Practices Act (FCPA) purposes. This would include “people who interact with the government, either as customers or as regulators; those responsible for internal financial controls, such as accounting and finance functions; and senior management with the authority to make significant and impacting decisions, such as a primary executive in a local market.” It is also important to include those employees who are the prime interactors with third parties, both on the sales and supply side. This should include employees who have a role in the selection of such third parties for business relations and those employees involved in managing those relationships.

You will need to garner a sense of the company’s structure and goals. Additionally in FCPA enforcement actions and in the FCPA Guidance, the Department of Justice (DOJ) laid out several factors to take into account, such as “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation, and oversight and exposure to customs and immigration in conducting business affairs.”

The authors end their section on risk assessment preparation by dividing the areas that they believe are most often visited into three categories: general corruption risks, specific commercial activity and existing corruption controls.

  • General corruption risks – this category includes the corruption perception risk in the geographic areas where the company does business, directly or indirectly, through third parties. It also includes government touch points whether as a customer or regulator. Finally, it should include the corruption and bribery-related concerns of your business personnel.
  • Specific commercial activities – this generally relates to third parties; how they are vetted, contracted with and managed. It also includes a review of travel, gifts, entertainment business courtesies, charitable donation and political contributions, mergers and acquisitions.
  • Existing corruption controls – this area looks at not only financial controls such as monitoring and auditing but also training, employee incentives and hotline.

By laying out this risk assessment plan, you will have a good road map to think through not only how to work across a risk assessment but to begin to think how you can use it going forward. You will need to review and assess your highest risks first and then use that information to remediate any deficiencies going forward. I think what the DOJ wants to see is a well thought out plan for moving forward and forward movement toward the plan’s goal. These steps should help you in this journey.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

January 21, 2014

The Culinary Aspects of Homer’s Odyssey and Compliance Training

Culinary in the Odyessy

I recently came across a fascinating book entitled “The Meaning of Meat and the Structure of the Odyssey” by Egbert Bakker. In this work, Bakker looks at the culinary aspects of Odysseus’ journey home from the Trojan War. Peter Thonemann, writing in the TLS, said that “Bakker’s book is a powerful illustration of the importance of food and culinary practices to past society.” In other words, the eating habits could be used to not only understand the past but also perhaps train those in the present about the “wider moral culpability” found in Homer’s work.

I thought about this different way of learning as I was reading a recent article by the Open Compliance and Ethics Group (OCEG) President Carol Switzer in the Compliance Week magazine, entitled “Playing the Game of Risk in Workplace Education”. Her article was coupled with a roundtable discussion of the subject and another in the OCEG, GRC Illustrated Series entitled “Risk-Based Education and Training”.

In the article, Switzer reminds us “one size does not fit all in deciding the content and intensity of training needs for each role or individual”. Recognizing that it all starts with a risk-based analysis of who needs the training is just the start. Switzer believes that by engaging employees in the training, it can become more effective. She looks to the world of gaming when stating that, “Well-designed games encourage engagement, and more engagement means more reinforcement, and that leads to better recollection and application of the information. Situational decision making drives the player to think, not just act. Making wrong choices and seeing the consequences leads to desire to act the right way and gain rewards, be it advancing to the next level of the game, earning a prize for success, or understanding that in the real workplace world the reward may be achievement of personal and organizational objectives.”

In her roundtable, she posed the question, “How do you suggest companies decide on the appropriate amount of training? Earl Jones, Shareholder at Littler Mendelson PC, responded that a company needs to evaluate where its risks are, “If the company is betting on international expansion, then intensive anti-bribery and corruption intensive training is a necessity for key employees. Also design training to build and protect sources of value. If an intangible asset, like a brand, is an important source of value, thoroughly train employees to identify, understand, and react to events or behavior that could impair the brand.”

When it comes to the scope and style of training, Steve Perreault, Global Head of eLearning GRC for Thomson Reuter, suggested you should assess your training by employee groups. You should “Understand things like: How likely is a group of employees to participate in activity that is related to a particular regulatory area? How complex is that regulation? What controls are in place already? Is this employee group responsible for making sure others comply with policies and regulations? You also have to consider what you will need to provide to evidence to regulators and courts that the program exists and is effective. Once you get that figured out, you must ensure that you stay on top of changes in legislation and enforcement, and revise policy, procedures, and training accordingly.”

Switzer next turned to measuring the effectiveness of training and how a company might determine this. Alisha Lynch, Global Ethics and Compliance Education Leader at Dell Inc., said, “Determining the scope and style of training should have several input sources.  Most organizations have three- to five-year strategic plans, and training programs should be designed to support those plans and initiatives. One good analogy is that a training initiative should be like a physical fitness regime. You cannot exercise the same muscle every time to make significant improvements, and you cannot ignore the diet. A culture is like a diet. If the organization designs and delivers great training but the culture is toxic, probably no improvement will be made.”

In the GRC Illustrated Series, it suggests that companies take a risk-based approach to provide appropriate levels and types of training and education to different individuals across the organization. Some of the factors they suggest you review are the role of the individuals, geography, and their level of exposure to particular risk areas. Such an approach moves away from the ‘tick-the-box’ approach that generally renders such compliance useless. It also helps to ensure that there is a more effective use of budgetary resources by focusing training efforts to maximize the return on the investment. The piece advocates a three-pronged approach.

Define

The first step is to define what you are trying to achieve. The piece recognizes that “while some organizations limit their training programs to what is legally required, more successful ones know that there are many reasons for developing a thoughtful, well-designed approach to employee education.” It puts forward that if training is done right, it will help the organization to achieve several goals. These include: the business Objectives; managing threats and business opportunities; it will address change in positive manner; it can help to ensure integrity and the company’s reputation; it can strengthen the business’s culture and ethical conduct; and, lastly, it can provide evidence that the company has complied with legal requirements such as the US Sentencing Guidelines and the Ten Hallmark’s of an Effective Compliance Program.

Design

The next step is to design the training program, which is further broken down into three steps, which drill down into the specifics of training. By using these three steps, you can help to assure that the training will be effective for the individual but also for the nature of the risk involved.

The first is to design the training program. Steps include the development of curriculum using a risk-based model. You should set uniform methods for acquiring content, maintaining records, and reporting. This should be followed by the establishment of standards for selecting appropriate content, delivery methods, frequency, and assurance based on risk exposure. You can review any technological solutions for both e-learning delivery and documentation. Finally, you will need to consider training content revision when requirements or risk analyses change.

After the design of the training program, the next level is to design the specific training courses. Here you should establish your learning objectives and map the training to legal and competency requirements. You must always remember who is your audience and what their characteristics might be. You need to ensure that the content is timely and the instructors are effective. Finally, you will need to determine not only the most appropriate mechanism to deliver the content but also define the key performance indicators and determine methods to audit them.

The final design level is the individual’s training plan. Here you need to analyze what the person’s role is within the organization and use this to determine mandatory and risk-based training needs. You will need to consider modifying the risk profile based upon assessments given before and after the training is delivered and then adapt the training as an employee’s role and risk profile changes within an organization

Deliver

For the delivery of the training materials, they also have a tripartite scheme. They break it down into high risk exposure roles; medium risk exposure roles and low-risk exposure roles.

  • High Risk Exposure Roles – are defined as those employees whose roles in an organization can significantly impact the company. Here expert subject proficiency is demanded and individuals should be able to act with confidence in a wide range of scenarios and conditions based on a strong understanding of the risks, requirements, and penalties. Training may be repeated frequently using several methods of delivery, have greater assurance through testing and certification of course completion, and include ongoing risk profiling of individuals through assessment of behavior choices in online courses or live simulation exercises.
  • Medium Risk Exposure Roles – are defined as those employees who face risk on regular basis or present a moderate level of negative impact to a company if they mishandle the risk. These individuals should know the risks, requirements, and penalties and should be able to apply their knowledge to common scenarios using standards and tools given to them. Training should have content to make them proficient in the subject, be refreshed periodically, use a mix of modes of delivery, and have methods to prove evidence of understanding.
  • Low Risk Exposure Roles – are defined as those employees with a low likelihood of facing the attendant risk. Persons in this category should be made aware of the risks, requirements, and penalties, as well as the organization’s expectations about how to address it. They should know relevant policies and procedures and where to get assistance in addressing a risk or making a behavior decision.

As with all areas in an anti-corruption compliance program, Switzer and the OCEG suggest that you monitor and audit your program so that you can review it and improve as circumstances warrant. I would add that you should also Document, Document and Document what you are doing for the same reasons. Just as Bakker’s new look at the culinary aspects of the classics can provide new insights into interpretation, it also shows the training that was written into Homer’s Odyssey.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

« Previous PageNext Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 4,509 other followers