FCPA Compliance and Ethics Blog

August 29, 2014

I Hope You Can Join Me

Filed under: Best Practices,compliance programs,FCPA,Hiperos,Third parties — tfoxlaw @ 12:00 pm

I’d like to extend an invitation to an upcoming event: Hiperos will be hosting an Executive Briefing on Third Party Management – a half-day event that we are holding in various cities across the US.

By way of context: in recent months, our press has been filled with reports of companies whose revenues have been directly affected by a regulatory fine or whose reputation and brand equity has taken a hit. In every case, the culprit was one of the company’s third parties – an HVAC supplier causing a massive data breach, a contract manufacturer using child labor, a consultant bribing government officials – the list goes on and on.

These briefings have been organized for you to network with other executives from Fortune 1000 companies (including Hiperos customers) and to connect with peers who face the same third party management challenges as you.  You will also have an opportunity to hear from industry experts and practitioners who will present on specific aspects of third party management.

Agenda:

8:00 AM       Networking breakfast.

8:30 AM       Keynote sessions from industry experts including:

Linda Tuck-Chapman – until very recently the Chief Procurement Officer of Bank of Montreal – BMO

Tom Fox – renowned FCPA/bribery and corruption pundit/expert

Dr. Andrea Bonime-Blanc  – former chief ethics and compliance officer at Bertelsmann, Chair Emeritus of ECIA and CEO of GEC Risk Advisory LLC

10:00 AM     Use cases from Hiperos customers including: Ingram Micro, Charles Schwab, Discover Financial, Anadarko, AstraZeneca

11:30 AM     Third Party Management – The Future
Presentation from Doug Bergeron (CEO Opus Global) and Greg Dickinson (CEO Hiperos)

12:00 PM       Networking Lunch

1:00 PM         Adjourn

If you would like to attend, or for more information, click Here

Venue:

The Executive Briefings will be held in the following locations:

Tuesday, Sept 9th – Palo Alto, CA

Rosewood Sand Hill

2825 Sand Hill Rd

Menlo Park, CA 94025

Wednesday, Sept 10th – Chicago, IL

JW Marriott

151 W Adams St

Chicago, IL 60603

Thursday, Sept 11th – Houston, TX

Hotel Sorella

800 Sorella Court

Houston, TX 77024

Wednesday, Sept 17th – New York, NY

W Union Square

201 Park Ave S,

New York, NY 10003

Thursday, Sept 18th – Princeton, NJ

Princeton Marriott at Forrestal

100 Collage Road East

Princeton, NJ 08540

I will be participating in the Palo Alto, Houston and Princeton events I hope that you can join me at one of these upcoming events!

Extraordinary Rendition and Ripples From the Chinese Corruption Investigations

Extraordinary_Renditions_CvrAs many of you know, I am a recovering trial lawyer. So I was very interested when I received a book for review by Paul Batista, entitled Extraordinary Rendition. Not only is Batista a practicing trial lawyer specializing in federal criminal defense, he also authored one of the leading treatise on the federal racketeering statute, “Civil RICO Practice Manual,” first published in 1987 by John Wiley & Sons, and now in its third edition (Wolters Kluwer 2008).

I learned long ago that there are two basic story lines: Hero Takes A Trip and Stranger Comes To Town. They both are great formats and I enjoy them equally if the writing and story-telling is good. Extraordinary Rendition falls into camp one and I found it to be the journey of discovery of a nearly burned out trial lawyer, Byron Carlos Johnson, who comes to defend Ali Hussein, a Syrian national who had lived in the US for 10 years prior to 9/11 and was accused of being a banker for Al Qaeda. The story follows twists and turns of not only the trial but the various agents and agencies of the US Government as they try to derail Johnson and his attempts to defend Ali Hussein. While it certainly could be called a legal thriller, it is a rollicking good ride and I give my hardiest recommendation to anyone interested in the legal issues involved or a thriller about a man caught up in forces far beyond his control; yet does take control of what he can.

I thought about Batista’s book when I read a recent article in the Financial Times (FT), entitled “Beijing probe touches west’s cereal bowls” by Lucy Hornby. Her basic thesis was set out in the first line of her piece, “Never before have China’s domestic politics had such ramifications for global business.” She wrote about two tangible examples of what she termed the “ripple effects” of the Chinese anti-corruption investigation, which began in earnest last summer with the revelations of corruption by the UK pharmaceutical giant GlaxoSmithKline PLC (GSK).

Hornby reported on the Canadian company, Athabasca Oil Corporation, “the partner company for major Chinese investments in Canadian oil sands – fell 13 per cent this week. They are down 24 per cent since the beginning of April, when Athabasca announced PetroChina, a listed unit of CNPC, would buy the 40 per cent of the Dover oil sands project that it did not already own. Since then, two executives from PetroChina’s Canadian operations have fallen prey to the corruption purge – and the C$1.32bn (US$1.23bn) transfer payment has not been made.” But it has also reached the British breakfast table as Chinese authorities announced they were investigating the owner of the company that makes the breakfast staple Weetabix.

Business ventures in other countries such as Cambodia and Australia have been put off due to the Chinese corruption investigation. This has been because of both corrupt payments made to Chinese officials and in some cases corrupt payments alleged to have been made by Chinese officials. For instance in Cambodia a project that was mired in such problems that the primary funding partner, The World Bank, had suspended funding has now run into such problems that Standard Chartered may lose up to $250MM in funding which it provided. Further, Hornby reported that “In Australia last year, a A$1.4bn bid for Sundance Resources – which had proposed a $A5bn iron ore mine on the border of Cameroon and the Republic of Congo – collapsed after high-flying Chinese entrepreneur Liu Han abruptly vanished. Mr Liu had built his mining business by cultivating ties with Mr Zhou while the latter governed southwestern Sichuan province. He was sentenced to death in May for organised crime. His defence was that he was carrying out orders for unnamed “leaders”.”

Things are particularly difficult at PetroChina, a major investor in Canadian oil sands, because, as Hornby noted, “dozens of senior executives have been detained or questioned in the past year. Many, including the head of its Indonesian business, played key roles in its international projects.” However Hornby believes that “capital expenditure commitments by state-owned enterprises are likely to be honoured as the investigation continues, because China’s large and growing economy has a fundamental need for resources.”

Another large Chinese energy concern CNPC has also been hard hit by the corruption scandal. Attached, as a diagram, to Hornby’s article is a graphic that shows the extent of the company’s investments of the past 10 years or so. The graphic also notes that the company “has been hardest hit by the ongoing corruption purge, with dozens of senior executives detained or questioned.” The chart below shows the “ripple effects” of CNPC investment.

Country Investment Amount
Kazakhstan $12.7bn
Peru $2.6bn
Turkmenistan $1.2bn
Scotland $1bn
Ecuador $0.7bn
Australia $4.1bn
Canada $3.3bn
Syria $0.6bn
Mozambique $4.2bn

Hornby’s article touched on another area, which has significance for the Foreign Corrupt Practices Act (FCPA) practitioner, that beg the question of whether a state-owned enterprise is an instrumentality or in any other way covered by the FCPA? She wrote that “the unusually public nature of this corruption investigation has given outsiders a clearer insight into the way money and power have become entwined, and influence dealmaking, in today’s China.” She quoted Luke Patey, author of the book The New Kings of Crude, for the following, ““For years, Chinese national oil companies have fought hard against the label that they are political instruments of the Chinese government and Communist party. That political nature is now on full display.””

Hornby’s article demonstrates not only the pervasive nature of Chinese corruption but also how many countries such corruption may have effected. For those FCPA naysayers who argue that the law brings a competitive disadvantage to US companies, they should read her article to open their eyes. Many of these Chinese investments are now on hold with no hope of completion or even funding because of the domestic turmoil inside China over corruption. Companies and countries want a reliable business partner, starting with one which does not engage in bribery and corruption to obtain a contract and then onto a company which fulfills its contractual obligations. Think about that as a selling point the next time you are oversees.

And while you are traveling overseas, read a copy of Batista’s Extraordinary Rendition on the trip over. You can purchase a copy by clicking here or here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 28, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part III

7K0A0129Today, I conclude a three-part series on risk assessments in your Foreign Corrupt Practices Act (FCPA) or UK Bribery Act anti-corruption compliance program. I previously reviewed some of the risks that you need to assess and how you might go about assessing them. Today I want to consider some thoughts on how to use your risk assessment going forward.

Mike Volkov has advised that you should prepare a risk matrix detailing the specific risks you have identified and relevant mitigating controls. From this you can create a new control or prepare an enhanced control to remediate the gap between specific risk and control. Finally, through this risk matrix you should be able to assess relative remediation requirements.

A manner in which to put into practice some of Volkov’s suggestions was explored by Tammy Whitehouse, in an article entitled “Improving Risk Assessments and Audit Operations”. Her article focused on the how Timken Company, assesses and then evaluates the risks the company has assessed. Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan, she said. A variety of solutions and tools can be used to manage these risks going forward but the key step is to evaluate and rate these risks. 

LIKELIHOOD 

Likelihood Rating Assessment Evaluation Criteria
1 Almost Certain High likely, this event is expected to occur
2 Likely Strong possibility that an event will occur and there is sufficient historical incidence to support it
3 Possible Event may occur at some point, typically there is a history to support it
4 Unlikely Not expected but there’s a slight possibility that it may occur
5 Rare Highly unlikely, but may occur in unique circumstances

‘Likelihood’ factors to consider: The existence of controls, written policies and procedures designed to mitigate risk capable of leadership to recognize and prevent a compliance breakdown; Compliance failures or near misses; Training and awareness programs.

PRIORITY 

Priority Rating Assessment Evaluation Criteria
1-2 Severe Immediate action is required to address the risk, in addition to inclusion in training and education and audit and monitoring plans
3-4 High Should be proactively monitored and mitigated through inclusion in training and education and audit and monitoring plans
5-7 Significant
8-14 Moderate
15-1920-25 LowTrivial Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time.

Priority Rating: Product of ‘likelihood’ and significance ratings reflects the significance of particular risk universe. It is not a measure of compliance effectiveness or to compare efforts, controls or programs against peer groups.

At Timken, the most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit monitoring plan going forward. A variety of tools can be used, such as continuous controls monitoring with tools like those provided by Visual RiskIQ, a relationship-analysis based software such as Catelas or other analytical based tools. But you should not forget the human factor. At Timken, one of the methods used by the compliance group to manage such risk is by providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.

The key to the Timken approach is the action steps prescribed by their analysis. This is another way of saying that the risk assessment informs the compliance program, not vice versa. This is the method set forth by the DOJ in its FCPA Guidance and in the UK Bribery Act’s Adequate Procedures. I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the compliance arena. The model set forth by Timken certainly is a reasoned approach and can provide the articulation needed to explain which steps were taken.

In an article in Compliance Week Magazine, entitled, “Lessons on Risk Assessments from Winnie The Pooh” Jason Medford articulated that a key use of a risk assessment is to assist the internal audit function in developing their internal audit plan. He cited to the Institute of Internal Auditors (IIA) standard 2010.A1, which states “The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually.” He went on to note that “In order to have a truly integrated GRC capability it is necessary for internal auditors to work with other GRC professionals in their organization. They must align their annual audit plan with the organization’s objectives, strategies, and initiatives of the other GRC professionals. They must collaborate, coordinate, and align their audit activities with other GRC professionals to increase visibility, improve efficiency, accountability and collaboration.

Carol Saint, Vice President of Internal Audit for 7-Eleven, who was interview by OCEG President Carol Switzer for the same article said that “We start with a risk assessment, beginning with business units because this is how the organization has designed accountability.  We decompose business units into the processes and sub-processes they own and execute. We evaluate how sub-processes align to achievement of strategic objectives: How do they affect the company’s value drivers? Next, we map financial statement lines to the sub-processes to help prioritize from that lens. Finally, for each sub-process we consider specific risks that could hinder achievement of strategic objectives, as well as fraud risks, significant accounting estimates, benchmarking/ hot topics, and ERM risks. We created an “intensity rating” that measures how often a process/sub-process was mentioned in our stakeholder interviews as a risk to the company. And we also considered how cross-functional a process is so that the element of complexity—a risk accelerator—could help determine audit plan priorities. This year’s plan development process was quite intense, but I think we did a good job of creating a baseline so that future risk assessments are more efficient.”

I hope that you have found this series on risk assessments useful. If you have any questions or better yet would like me to work on a risk assessment for your organization, please contact me.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 27, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part II

7K0A0501Ed. Note-Today, I continue my three-part posts on risk assessments. Today I take a look at some different ideas on how you might go about assessing your risks.

One of the questions that I hear most often is how does one actually perform a risk assessment? Mike Volkov has suggested a couple of different approaches in his article “Practical Suggestions for Conducting Risk Assessments.” In it Volkov differentiates between smaller companies which might use some basic tools such as “personal or telephone interviews of key employees; surveys and questionnaires of employees; and review of historical compliance information such as due diligence files for third parties and mergers and acquisitions, as well as internal audits of key offices” from larger companies. Such larger companies may use these basic techniques but may also include a deeper dive into high risk countries or high risk business areas. If your company’s sales model uses third party representatives, you may also wish to visit with those parties or persons to help evaluate their risks for bribery and corruption that might well be attributed to your company.

Another noted compliance practitioner, William Athanas, in an article entitled “Rethinking FCPA Compliance Strategies in a New Era of Enforcement”, took a different look at risk assessments when he posited that companies assume that FCPA violations follow a “bell-curve distribution, where the majority of employees are responsible for the majority of violations.” However Athanas believed that the distribution pattern more closely follows a “hockey-stick distribution, where a select few…commit virtually all violations.” Athanas suggests assessing those individuals with the opportunity to interact with foreign officials have the greatest chance to commit FCPA violations. Diving down from that group, certain individuals also possess the necessary inclination, whether a personal financial incentive linked to the transaction or the inability to recognize the significant risks attendant to bribery.

To assess these risks, Athanas suggested an initial determination of the touch-points where the operations of manufacturing companies “intersect with foreign officials vested with discretionary authority.” This will lead to an understanding of the individuals who hold these roles within a company. This means that a simple geographic analysis is but a first step in a risk analysis. Thereafter companies should also focus on “those who authorize and record disbursements, as well as those who represent the company in situations where they may be solicited for payments.” The next step is to determine those company employees who may have the incentive “to pay bribes on the Company’s behalf.” This incentive can come from a variety of forms; such as a company compensation plan, which rewards high producers; employees who do not understand the risk they place the company (and themselves) in by engaging in tactics which violate the FCPA; and, finally, those employees who seek to place their individual interests above those of the company.

Athanas concludes by noting that this limited group of employees, or what he terms the “shaft of the hockey-stick”, is where a company should devote the majority of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts on “intensive training sessions or focused analysis of key financial transactions — on those individuals with the opportunity and potential inclination to violate the statute.” This focus will provide companies the greatest “financial value and practical worth of compliance efforts.”

Lawler suggests that you combine the scores or analysis you obtain from the corruption markers you review; whether it is the DOJ list or those markers under the UK Bribery Act. From there, create a “rudimentary risk-scoring system that ranks the things to review using risk indicators of potential bribery.” This ensures that high-risk exposures are done first and/or given more time. As with all populations of this type, there is likely to be a normal or ‘bell curve’ distribution of risks around the mean. So 10-15% of exposure falls into the relative low-risk category; the vast majority (70-80%) into the moderate-risk category; and the final 10-15% would be high risk.

Earlier this week I wrote a piece about the Desktop Risk Assessment. I will not repeat the entire blog post here but only use some of the areas you could assess as a starting point for discussion. If you do not have the time, resources or support to conduct a worldwide risk assessment annually, you can take a different approach. You might try assessing other areas annually through a more limited focused risk assessment, which a colleague of mine calls the Desktop Risk Assessment. Some of the areas that such a Desktop Risk Assessment could inquire into might be the following:

  • Are resources adequate to sustain a culture of compliance?
  • How are the risks in the C-Suite and the Boardroom being addressed?
  • What are the FCPA risks related to the supply chain?
  • How is risk being examined and due diligence performed at the vendor/agent level? How is such risk being managed?
  • Is the documentation adequate to support the program for regulatory purposes?
  • Is culture, attitude (tone from the top), and knowledge measured? If yes, can we use the information enhance the program?
  • Disciplinary guidelines – Do they exist and has anyone been terminated or disciplined for a violating policy?
  • Communication of information and findings – Are escalation protocols appropriate?
  • What are the opportunities to improve compliance?

There are a variety of materials that you can review from or at a company that can facilitate such a Desktop Risk Assessment. You can review your company’s policies and written guidelines by reviewing anti-corruption compliance policies, guidelines, and procedures to ensure that compliance programs are tailored to address specific risks such as gifts, hospitality and entertainment, travel, political and charitable donations, and promotional activities.

This list is not intended to be a complete list of items, you can pick and choose to form some type of Desktop Risk Assessment but hopefully you can see some of the things areas you can assess and deliver any remedial action which may be warranted. Further, if you aim to perform an annual Desktop Risk Assessment with a full worldwide risk assessment every two years or so, you should be in a good position to keep abreast of compliance issues that may change and need more or greater risk management. And do not forget the that the FCPA Guidance ends its section on risk with, “When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”

A completely different approach was articulated by Leonard Shen, Vice President (VP) and Chief Compliance Officer (CCO) at PayPal, in a presentation to Compliance Week. His approach is not the right approach for every company but for those initiating their compliance journey, or a company considering a significant upgrade due to some systemic issue; this approach may be a more effective approach than the traditional risk assessment where a team of lawyers, CPAs and internal auditors assess a company’s compliance environment.

In a company which is initiating its compliance program, it can be perceived as a sea change of culture. However, Shen indicated that he had used an approach which worked to alleviate those types of concerns which also provided enough information to perform a robust assessment which could be used to form the basis of an effective compliance program. He termed this type of approach as one to “engage and educate.” While the approach had a two word name, it actually had three purposes; (1) to engage the employees in what would form the basis for an enhanced compliance program; (2) to educate the employees generally in compliance and ethical behavior; and (3) through the engagement of employees, to gather information which could be used to form the basis of a risk assessment.

Shen and his compliance team traveled to multiple company locations, across the globe, to meet with as many employees as possible. A large number these meetings were town hall settings, and key employee leaders, key stakeholders and employees identified as high risk, due to interaction with foreign governmental official touch-points, were met with individually or in smaller groups. Shen and his team listened to their compliance concerns and more importantly took their compliance ideas back to the home office.

From this engagement, the team received several thousand-employee suggestions regarding enhancements to the company’s compliance program. After returning to the US, Shen and his team winnowed down this large number to a more manageable number, somewhere in the range of a couple of hundred. These formed the basis of a large core of the enhancements to the existing company compliance program. After the enhanced compliance program was rolled out formal training began. During the training, the team was able to give specific examples of how employee input led to the changes in the enhanced program. This engaged the employees and made them feel like they were a part of, and had a vested interest in, the company’s compliance program. This employee engagement led to employee buy-in.

During the town hall meetings, and the smaller more informal group meetings, Shen and his team were doing more than simply listening, they were also training. However, the training was not on specific compliance provisions; it was more generally on overall ethics and how the employees could use compliance as a business tool. Most ethical standards of a company are not found in an existing compliance program, they are found in the general anti-discrimination guidelines and ethical business practices such anti-competitiveness and use of customer confidential information prohibitions. Often these general concepts can be found in a company’s overall Code of Conduct or similar statement of business ethics; workplace anti-discrimination and anti-harassment guidelines can be found in Human Resource policies and procedures.

Concepts such as anti-competitiveness and use of customer and competitor’s illegally obtained confidential information may be found in anti-trust or other business practice focused guidelines.

Shen and his team’s aim on the education component of “engage and educate” was to have the company employee’s start thinking about doing business the ethical way. It was ethical concept based training designed to be in contrast to a rules based approach, where employees believe they are taught the rules, and then try to see how close they can get to the line of violating the compliance rule without actually stepping over the line. Moreover, by having this general ethical business training, it laid the groundwork for the enhancement of the company’s compliance program and the training that would occur when the enhancement was rolled out.

A third key component of the “engage and educate” program is the risk assessment component. Shen’s approach here was not the traditional control-testing model, where documents are pulled and tested against a standard. Shen and his team listened, listened and listened. They listened to their employees concerns and they listened to the compliance issues they raised. As they were listening they began to ask questions about what was done and why. The questioning was not in an adversarial, interrogation mode but ferreting out the employees concerns while having the employees educate the team on the actual procedures that were used in several areas identified as key high risk areas.

Shen emphasized that this was an assessment and not an audit so no detailed forensic work was needed or used. However, by listening, and gently questioning, Shen and his team were able to garner enough information to create a risk assessment profile which informed and became the basis of their compliance program enhancement. Shen and his team did not identify to the company employees that they were engaged in a formal risk assessment. He believed that in many ways, he and his team were able to garner more useful information with which to inform their compliance program enhancement.

Shen’s “engage and educate” approach worked for his company at that point in time. It may not work for other companies as a traditional risk assessment but it does provide a different model if your company is beginning to create their compliance program, or is looking into a major enhancement.

Tomorrow, I will look at how you might use a risk assessment going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

 

August 26, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part I

7K0A0079Yesterday, I blogged about the Desktop Risk Assessment. I received so many comments and views about the post, I was inspired to put together a longer post on the topic of risk assessments more generally. Of course I got carried away so today, I will begin a three-part series on risk assessments. In today’s post I will review the legal and conceptual underpinnings of a risk assessment. Over the next couple of days, I will review the techniques you can use to perform a risk assessment and end with a discussion of what to do with the information that you have gleaned in a risk assessment for your compliance program going forward.

One cannot really say enough about risk assessments in the context of anti-corruption programs. Since at least 1999, in the Metcalf & Eddy enforcement action, the US Department of Justice (DOJ) has said that risk assessments that measure the likelihood and severity of possible Foreign Corrupt Practices Act (FCPA) violations identifies how you should direct your resources to manage these risks. The FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” The UK Bribery Act has a similar view. In Principal I of the Six Principals of an Adequate Compliance program, it states, “The commercial organisation regularly and comprehensively assesses the nature and extent of the risks relating to bribery to which it is exposed.” In other words, risk assessments have been around and even mandated for a long time and their use has not lessened in importance. The British have a way with words, even when discussing compliance, and Principal I of the Six Principals of an Adequate Compliance program says that your risk assessment should inform your compliance program.

Jonathan Marks, a partner in the firm of Crowe Horwath LLP, said the following about risk assessments in his 13-step FCPA Compliance Action Plan, “A comprehensive assessment of the potential bribery and corruption risks – both existing and emerging risks – associated with a company’s products and services, customers, third-party business partners, and geographic locations can serve as the basis for the compliance program. The risk assessment determines the areas at greatest risk for FCPA violations among all types of international business transactions and operations, the business culture of each country in which these activities occur, and the integrity and reputation of third parties engaged on behalf of the company.”

The simple reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face. Both the both the US Sentencing Guidelines, the UK Bribery Act’s Consultative Guidance list Risk Assessment as the initial step in creating an effective anti-corruption and anti-bribery program.

What Should You Assess?

In 2011, the DOJ concluded three FCPA enforcement actions which specified factors which a company should review when making a Risk Assessment. The three enforcement actions, involving the companies Alcatel-Lucent SA, Maxwell Technologies Inc. and Tyson Foods Inc. all had common areas that the DOJ indicated were FCPA compliance risk areas which should be evaluated for a minimum best practices FCPA compliance program. Both the Alcatel-Lucent and Maxwell Technologies Deferred Prosecution Agreements (DPAs) listed the seven following areas of risk to be assessed.

  1. Geography-where does your Company do business.
  2. Interaction with types and levels of Governments.
  3. Industrial Sector of Operations.
  4. Involvement with Joint Ventures.
  5. Licenses and Permits in Operations.
  6. Degree of Government Oversight.
  7. Volume and Importance of Goods and Personnel Going Through Customs and Immigration.

All of these factors were reiterated in the FCPA Guidance which stated, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.”

These factors provide guidance into some of the key areas that the DOJ apparently believes can put a company at higher FCPA risk. These factors supplement those listed in the UK Bribery Consultative Guidance states, “Risk Assessment – The commercial organization regularly and comprehensively assesses the nature and extent of the risks relating to bribery to which it is exposed.” The Guidance points towards several key risks which should be evaluated in this process. These risk areas include:

  1. Internal Risk – this could include deficiencies in
  • employee knowledge of a company’s business profile and understanding of associated bribery and corruption risks;
  • employee training or skills sets; and
  • the company’s compensation structure or lack of clarity in the policy on gifts, entertaining and travel expenses.
  1. Country risk – this type of risk could include:

(a) perceived high levels of corruption as highlighted by corruption league tables published by reputable Non-Governmental Organizations such as Transparency International;

(b) factors such as absence of anti-bribery legislation and implementation and a perceived lack of capacity of the government, media, local business community and civil society to effectively promote transparent procurement and investment policies; and

(c) a culture which does not punish those who seeks bribes or make other extortion attempts.

  1. Transaction Risk – this could entail items such as transactions involving charitable or political contributions, the obtaining of licenses and permits, public procurement, high value or projects with many contractors or involvement of intermediaries or agents.
  2. Partnership risks – this risk could include those involving foreign business partners located in higher-risk jurisdictions, associations with prominent public office holders, insufficient knowledge or transparency of third party processes and controls.

Another approach was detailed by David Lawler, in his book “Frequently Asked Questions in Anti-Bribery and Corruption”. He broke the risk areas to evaluate down into the following categories: (1) Company Risk, (2) Country Risk, (3) Sector Risk, (4) Transaction Risk and (5) Business Partnership Risk. He further detailed these categories as follows:

  1. Company Risk-Lawyer believes this is “only to be likely to be relevant when assessing a number of different companies – either when managing a portfolio of companies from the perspective of a head office of a conglomerate or private equity house.” High risk companies involve, some of the following characteristics:
  • Private companies with a close shareholder group;
  • Large, diverse and complex groups with a decentralized management structure;
  • An autocratic top management;
  • A previous history of compliance issues; and/or
  • Poor marketplace perception.
  1. Country Risk-this area involves countries which have a high reported level or perception of corruption, have failed to enact effective anti-corruption legislation and have a failure to be transparent in procurement and investment policies. Obviously the most recent, annual Transparency International Corruption Perceptions Index can be a good starting point. Other indices you might consider are the Worldwide Governance Indicators and the Global Integrity index.
  2. Sector Risk-these involve areas which require a significant amount of government licensing or permitting to do business in a country. It includes the usual suspects of:
  • Extractive industries;
  • Oil and gas services;
  • Large scale infrastructure areas;
  • Telecoms;
  • Pharmaceutical, medical device and health care;
  • Financial services.
  1. Transaction Risk-Lawyer says that this risk “first and foremost identifies and analyses the financial aspects of a payment or deal. This means that it is necessary to think about where your money is ending up”. Indicia of transaction risk include:
  • High reward projects;
  • Involve many contractor or other third party intermediaries; and/or
  • Do not appear to have a clear legitimate object.
  1. Business Partnership Risk-this prong recognizes that certain manners of doing business present more corruption risk than others. It may include:
  • Use of third party representatives in transactions with foreign government officials;
  • A number of consortium partners or joint ventures partners; and/or
  • Relationships with politically exposed persons (PEPs).

There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries into your risk analysis, it should be acceptable for your starting point.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 25, 2014

Trying Something Different – the Desktop Risk Assessment

IMG_0774How many among you out there are sushi fans? Conversely, how many out there consider the idea of eating raw fish right up there with going into to the dentist’s office for some long overdue remedial work? One’s love or distaste for sushi was used as an interesting metaphor for leadership in this week’s Corner Office section of the New York Times (NYT) by Adam Bryant, in an article entitled “Eat Your Sushi, and Expand Your Horizon”, where he profiled Julie Myers Wood, the Chief Executive Officer (CEO) of Guidepost Solutions, a security, compliance and risk management firm. Wood said her sushi experience relates to advice she gives college students now, “One thing I always say is “eat the sushi.” When I had just graduated from college, I went with my mom to Japan. We had a wonderful time, but I refused to eat the sushi. Later, when I moved to New York, I tried some sushi and loved it. The point is to be willing to try things that are unfamiliar.”

I thought about sushi and trying something different in the context of risk assessments recently. I think that most compliance practitioners understand the need for risk assessments. The FCPA Guidance could not have been clearer when it stated, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” Many compliance practitioners have difficulty getting their collective arms about what is required for a risk assessment and then how precisely to use it. The FCPA Guidance makes clear there is no ‘one size fits all’ for about anything in an effective compliance program.

One type of risk assessment can consist of a full-blown, worldwide exercise, where teams of lawyers and fiscal consultants travel around the globe, interviewing and auditing. However if there is one thing that I learned as a lawyer, which also applies to the compliance field, is that you are only limited by your imagination. So using the FCPA Guidance that ‘on one size fits all’ proscription, I would submit that is also true for risk assessments.

As with Wood’s admonition that you might want to try sushi even if you think you may not like it. I think that there are several different types of risk assessments that can be used to help to advance your compliance regime going forward. This means that if you do not have the time, resources or support to conduct a worldwide risk assessment annually, you can take a different approach. You might try assessing other areas annually through a more limited focused risk assessment, which a colleague of mine calls the Desktop Risk Assessment.

Some of the areas that such a Desktop Risk Assessment could inquire into might be the following:

  • Are resources adequate to sustain a culture of compliance?
  • How are the risks in the C-Suite and the Boardroom being addressed?
  • What are the FCPA risks related to the supply chain?
  • How is risk being examined and due diligence performed at the vendor/agent level? How is such risk being managed?
  • Is the documentation adequate to support the program for regulatory purposes?
  • Is culture, attitude (tone from the top), and knowledge measured? If yes, can we use the information enhance the program?
  • Disciplinary guidelines – Do they exist and has anyone been terminated or disciplined for a violating policy?
  • Communication of information and findings – Are escalation protocols appropriate?
  • What are the opportunities to improve compliance?

There are a variety of materials that you can review from or at a company that can facilitate such a Desktop Risk Assessment. You can review your company’s policies and written guidelines by reviewing anti-corruption compliance policies, guidelines, and procedures to ensure that compliance programs are tailored to address specific risks such as gifts, hospitality and entertainment, travel, political and charitable donations, and promotional activities.

You could assess your company’s senior management support for your compliance efforts through interviews of high-level personnel such as the Chief Compliance Officer (CCO), Chief Financial Officer (CFO), General Counsel (GC), Head of Sales, CEO and Board Audit or Compliance Committee members to assess “tone from the top”. You can examine resources dedicated to compliance and also seek to understand the compliance expectations that top management is communicating to its employee base. Finally, you can gauge operational responsibilities for compliance.

Such a review would lead to the next level of assessment, which would be generally labeled communications within an organization regarding compliance. You can do this by assessing compliance policy communication to company personnel but even more so by reviewing such materials as compliance training and certifications that employees might have in their files. If you did not yet do so, you should also take a look at statements by senior management regarding compliance, such as actions relating to terminating employees who do business in compliance but do not make their quarterly, semi-annual or annual numbers set in budget projections.

A key element of any best practices compliance program is internal and anonymous reporting. This means that you need to review mechanisms on reporting suspected compliance violations and then actions taken on any internal reports, including follow-ups to the reporting employees. You should also assess whether those employees who are seeking guidance on compliance for their day-to-day business dealings are receiving not only adequate but timely responses.

I do not think there is any dispute that third parties represent the highest risk to most companies under the FCPA, so a review of your due diligence program is certainly something that should be a part of any risk assessment. But more than simply a review of procedures for due diligence on third party intermediaries, you should also consider the compliance procedures in place for your company’s mergers and acquisitions (M&A) team; focusing on the pre-acquisition phase.

One area that I do not think gets enough play, whether in the FCPA Inc. commentary or in day-to-day practice is looking at what might be called employee commitment to your company’s compliance regime. So here you may want to review your compliance policies regarding employee incentives for compliance. But just as you look at the carrots to achieve compliance with your program, you should also look at the stick, in the form of disciplinary procedures for violations. This means you should see if there have been any disciplinary actions for employee compliance violations and then determine if such discipline has been applied uniformly. If you discipline top sales people in Brazil, you have to discipline your top sales folks in the US for the same or similar violations.

This list is not intended to be a complete list of items, you can pick and choose to form some type of Desktop Risk Assessment but hopefully you can see some of the things areas you can assess. In his article on Ms. Woods, Bryant quoted her for the following key trait she observed from successful leaders, “They were able to identify and focus on core things. When you go into an agency or a company, there are a million things you could fix. But you can’t fix everything, so you make a decision about your priorities, and then you act on them.” A Desktop Risk Assessment may well help you to do so.

If you aim to perform an annual Desktop Risk Assessment with a full worldwide risk assessment every two years or so, you should be in a good position to keep abreast of compliance issues that may change and need more or greater risk management. And do not forget the that the FCPA Guidance ends its section on risk with, “When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.” Finally, if you never have tried sushi, I urge you to do so as it not only tastes good but its good for you as well.

==============================================================================================================================================================================================================================================

On Tuesday, August 26th I will be co-presenting with Marie Patterson VP Marketing for Hiperos on a webinar focusing on GSK in China-One Year Later. I will review the continued saga of the GSK corruption investigation in China, the Humphreys’ and Wu convictions and what it means for your compliance program going forward. The event is free and begins at 1 PM EDT. I hope that you can join us. For details and Registration, click here.

==============================================================================================================================================================================================================================================

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 21, 2014

What Can You Do When Risk Changes in a Third Party Relationship?

RiskThe GlaxoSmithKline PLC (GSK) corruption matter in China continues to reverberate throughout the international business community, inside and outside China. The more I think about the related trial of Peter Humphrey and his wife, Yu Yingzeng for violating China’s privacy laws regarding their investigation of who filmed the head of GSK’s China unit head in flagrante delicto with his Chinese girlfriend, the more I ponder the issue of risk in the management of third parties under the Foreign Corrupt Practices Act (FCPA). In an article in the Wall Street Journal (WSJ), entitled “Chinese Case Lays Business Tripwires”, reporters James T. Areddy and Laurie Burkitt explored some of the problems brought about by the investigators convictions.

They quoted Manuel Maisog, chief China representative for the law firm Hunton & Williams LLP, who summed up the problem regarding background due diligence investigations as “How can I do that in China?” Maisog went on to say, “The verdict created new uncertainties for doing business in China since the case hinged on the couple’s admissions that they purchased personal information about Chinese citizens on behalf of clients. Companies in China may need to adjust how they assess future merger partners, supplier proposals or whether employees are involved in bribery.”

I had pondered what that meant for a company that wanted to do business in China, through some type of third party relationship, from a sales representative to distributor to a joint venture (JV). What if you cannot get such information? How can you still have a best practices compliance program around third parties representatives if you cannot get information such as ultimate beneficial ownership? At a recent SCCE event, I put that question to a Department of Justice (DOJ) representative. Paraphrasing his response, he said that companies still need to ask the question in a due diligence questionnaire or other format. What if a third party refuses to answer, citing some national law against disclosure? His response was that a company needs to very closely weigh the risk of doing business with a party that refuses to identify its ownership.

The more that I thought about that answer the more I became convinced that it was not only the right answer under any type of FCPA compliance program but also the right response from a business perspective. A company must know who it is doing business with, for a wide variety of reasons. The current situation in China and even the convictions of Humphrey and Yu do not change this basic premise. You can ask the question. If a party does not want to disclose its ownership, you should consider this in any business relationship going forward.

The Humphrey and Yu conviction do not prevent you from asking the question about ownership. Their convictions mean that you may not be able to verify that information through what many people thought was publicly available information, at least publicly available in the west. I was struck by one line in the Areddy and Burkitt article, “It’s not just that the tactical business practices need to change; it’s the mind set” quoting again from Maisog.

I breakdown the management of third parties under the FCPA into five steps, which are:

  1. Business Justification and Business Sponsor;
  2. Questionnaire to Third Party;
  3. Due Diligence on Third Party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

The due diligence step is but one of these five. Further due diligence is performed in large part to verify the information that you receive back from a proposed third party. So what if you can longer use avenues previously open to you in markets such as China? Perhaps there are other ways to manage this issue. Areddy and Burkitt also interviewed Jerry Ling, a partner at Jones Day, for the following “companies will need to analyze Chinese accounting documents themselves and conduct more in-person interviews with anyone they want to know more about in China.”

Ling’s point dovetails directly into what I heard from the DOJ representative. There is nothing about the Chinese law, or any other country’s law, which prevents you from asking some basic questions that are found in the Step 2 Questionnaire cited above. You can always ask who the owners of a company are, whether they are direct or beneficial. You can always ask if a company, its owners or its senior management have been involved in any incidents involving bribery and corruption and you can always ask if the company has a Code of Conduct and/or compliance program and whether its owners or senior management are aware of the FCPA and have had training on it.

Assuming the company will answer your questionnaire, the difficulty you may find yourself in now is verifying the information that you receive. In Ronald Reagan parlance, you may trust but you may not be able to verify it. Ling said in the WSJ article that “The challenge now for clients is that it’s hard to get good information.”

However, due diligence is but one step in the management of any third party in a FCPA compliance program. Just as when risk goes up and you increase your management around that risk, the situation is similar in here. Putting it another way, if you cannot obtain private information such as personal identification numbers during the due diligence process, you can put greater management around the other steps that you can take. Further, there has been nothing reported which would suggest that publicly filed corporate licenses or other information that might show ownership can no longer be accessed. Court records and public media searches also seem to still be available.

But what if you simply cannot determine if the information you are provided regarding ownership is accurate or even truthful? You can still work to manage the relationship through your commercial terms by setting your commission or other pay rates at a reasonable amount of scale. If you are dealing with a commissioned sales representative, you can probably manage this area of the relationship by setting the commission in the range of 5%. You can also manage the relationship by reviewing invoices to make sure there is an adequate description of the services provided so that they justify whatever compensation the third party is entitled to receive under the contract. You may also want to schedule such a third party for an audit ahead of other parties to help ensure adherence to your compliance terms and conditions.

There may be times when you cannot verify the true or ultimate beneficial owner of a third party. That does not have to be the end of the analysis. If that situation arises, you may want to see if there are other risk mitigation tools at your disposal. Put another way, if such a red flag arises, can it be cleared? Can it be managed? If your company is looking a major deal for multi-millions and your agent will receive a six or seven figure commission, the risk of not knowing with certainty may be too great because in such a case, an unknown owner could be a government official who has awarded the contract. But if your agent receives a considerably smaller commission and hence there is a considerably small amount of money to constitute a bribe, you may be able to manage that risk through a close and effective relationship management process.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 18, 2014

How Can Global Corporations Afford (or Afford Not) To Employ Professional Language Solution Providers

Jay RosenEd Note-I recently asked Jay Rosen, Vice President, Language Solutions at Merrill Brink International, if he could help me understand how to think through the the hiring of a language service provider. He graciously wrote the following post.

It seems like a daily occurrence that news organizations and blogs (this one included) report that global corporation XYZ, Inc. has run afoul of FCPA statutes somewhere in the world. The next few paragraphs will recount the jurisdiction where the alleged infraction has occurred and if known at this juncture, the details of the bribery scheme. At this point, if you are well read on this subject, the rest of the article plays out by rote.

Let’s hit the pause button and rewind this story to the beginning. How did XYZ, Inc. get into this position and what steps could have been taken to better communicate the Company’s ethics and compliance policies and procedures to its global employee base? While this would certainly not prevent a rogue employee(s) from committing these alleged infractions, professionally translated and localized ethics and compliance communications provide a proactive solution to insulate global companies from similar situations.

The question of whether or not to engage a professional Language Solutions Provider (LSP), read translation company, usually is driven by the following factors:

  • Cost/Quality
  • Confidentially
  • Change
  1. If I can afford an LSP, how do I choose among the ones out there for quality?

The first thing to cover here is how are translations priced?

Translations are completed on an outsourced basis by professionally educated, qualified, and selected linguistic resources. It is important to note that the industry standard is to bill on a per word basis (e.g. X number of words at Y cents per word). This pricing model will become glaringly apparent when Corporations look at alternative methods to translate documents in-house with an eye to saving money.

Proposed Internal Translation Solutions

Here are several ideas that are usually considered in lieu of engaging professional translation resources:

  • Becky down the hall speaks French
  • We can use someone in our Paris Office
  • The Forensic accountant working with us in Beijing

On first blush the three suggestions above all seem like good ideas that will potentially save money and lead to quality results. Unfortunately these three courses of action fall short by:

  • Not providing the necessary quality ensured by professional translation resources
  • End up costing the client both opportunity costs and greater total translation costs and
  • Do nothing to mitigate the risk of not having an independent outsourced LSP translating (and certifying) your documents (if necessary).

Becky down the hall speaks French

Although Becky does speak French, she has other duties in the organization that must be put aside for her to work on translating documents. Should this project take 3 – 4 hours and if Becky has a bill rate of $400/hour, this solution ends up wasting precious time and costing the end client ~ $1,600 instead of the a few hundred dollars to professionally produce an accurate translation.

We can use someone in our Paris office

As in the example above, this option also creates lost opportunity cost and further taxes billable resources in another time zone. This would require the company to utilize internal resources and having to deal with colleagues not under their direct local control and working in various global markets.

The forensic accountant working with us in Beijing

In this case, we have someone working far out of their core expertise and comfort zone – forensics – and having to wear the hat of a professional translator. Price also comes into play as these forensic resources start billing around $250/hour and could be higher.

Bottom line, what initially appears to be a viable and cost effective solution, ends up sacrificing quality, escalating costs and potentially increasing risk by internally generating substandard translations.

  1. If I use an LSP, how do I ensure confidentiality of the information contained in my documents? 

Confidentiality, especially in the FCPA arena, is a valid concern and must be considered when engaging a qualified LSP. Professional LSPs will require their linguists to sign a Confidentiality or Non-Disclosure Agreement. This agreement will be on file with the LSP and a copy of the agreement can easily be shared.

In terms of global data privacy restrictions, it is good to discuss this in advance with the LSP and depending on what jurisdiction your matter is based in, evaluate the LSP’s experience and comfort level in handling data privacy concerns.

In terms of looking at the individual linguists, a professional LSP will hire translators with the following credentials:

  • Minimum 4 year college degree
  • Subject Matter Expertise (SME)
  • Additional testing by the LSP

These three areas serve to validate the choice of an independent LSP as the translators employed will meet the minimum of a 4 year degree and quite often will have post-graduate or professional degrees such as JD’s or PhD’s. Furthermore, LSPs can provide Subject Matter Experts (SMEs) with specific sector knowledge such as IP/patents, cross-border litigation or FCPA, ethics and compliance experience. Finally the additional testing required by LSPs ensures that clients are receiving top-notch and best of breed translation solutions.

  1. How do I risk disrupting the status quo to change my current translation/localization workflow?

So far we have covered two out of three issues to consider in the choice of whether or not to engage an outsourced LSP.

  • Cost/Quality
  • Confidentiality

And finally we will look at another “C” – Change. While this may not initially be perceived as an important factor, this often affects whether an organization decides to employ an outsourced LSP. From a global perspective it is imperative that a Code of Business Conduct and a Company’s policies and procedures are accurately translated from the English source document to the multiple localized versions for global employees.

If in the past this decision has been left to local in-country resources, it may have unintentionally altered or subverted the meaning of the source English language policies and could have potentially created confusion as to the meaning and global reach of a Company’s business policies.

Additional pushback may emanate from current in-country LSPs who have provided these services in the past.   While it makes sense to encourage local buy-in to your Company’s policies and procedures, this can be ensured by asking local ethics and compliance leaders to participate in the translation review process.

By carefully considering cost/quality, confidentiality and change, a global organization can properly assess the impact that hiring a qualified LSP will have on their risk exposure and better position such organizations to quickly react to a changing global investigative and regulatory environment.

Jay Rosen (jay.rosen@merrillcorp.com) is a Vice President, Language Solutions at Merrill Brink International, based in Los Angeles. For further information, please see his article on Translation considerations for global internal investigations, ethics and compliance matters.

August 15, 2014

Lauren Bacall Whistling or How to Structure Customer Due Diligence

BacallYesterday we honored Robin Williams whom we lost earlier this week. Today we honor Lauren Bacall. She will always be a part of that great team of Bogey and Bacall. Most of us were introduced to her in the movie To Have and Have Not. I thought she was one of the most sultry and sexy icons of the 40s screen sirens. As Manohla Dargis wrote in her article for the New York Times (NYT) entitled, “That Voice and the Woman Attached,” that “When she opened her mouth in “To Have and Have Not” — taking a long drag on a cigarette while locking Humphrey Bogart in her gaze — she staked a claim on the screen and made an immortal Hollywood debut. But in 1944 at the exquisitely tender age of 19, she was also projecting an indelible screen persona: that of the tough, quick-witted American woman who could fight the good fight alongside her man.” She later married Bogart and together they were certainly Hollywood, if not American royalty, going forward. And she probably did more for the art of whistling than any person on Earth.

Yesterday I wrote about the Foreign Corrupt Practices Act (FCPA) investigation into certain transactions in Venezuela by Derwick Associates (Derwick) and a US company ProEnergy Services (ProEnergy). ProEnergy supplied turbines that Derwick resold to the Venezuelan government and then installed in that country. I wondered if US companies now need to become more concerned with not only who they do business with but how their customers might be doing business. In the parlance, you may now need to ramp up your ‘Know Your Customer’ information to continue throughout a seller-purchaser relationship.

Doug Cornelius, in a post on his Compliance Building blog, entitled “Proposed Regulations on Customer Due Diligence”, discussed “The U.S. Treasury Department’s Financial Crimes Enforcement Network has proposed revisions to its customer due diligence rules. Of course, the proposed rule would affect financial institutions that are currently subject to FinCEN’s customer identification program requirement: banks, brokers-dealers, and mutual funds.” While, investment advisers and private fund managers are not specifically mentioned in the proposed new regulation, Cornelius noted, “FinCEN suggested that it may be considering expanding these customer due diligence requirements to other types of financial institutions.” In other words, this new proposed regulation would not be directly applicable to a large number of US commercial enterprises doing business outside the United States.

However, the proposed regulation did provide some insight into how US companies, not otherwise subject to it, might think about ways to approach such an inquiry. Referencing an inquiry into anti-money laundering issues (AML) Cornelius wrote that AML programs should have four elements:

  1. Identify and verify the identity of customers;
  2. Identify and verify the identity of beneficial owners of legal entity customers;
  3. Understand the nature and purpose of customer relationships; and
  4. Conduct ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions.

Clearly any FCPA based due diligence would focus on point 2. Cornelius zeroed in on it when he wrote “The definition of “beneficial owner” is proposed as have two prongs”:

  • Ownership Prong: each individual who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25% or more of the equity interests of a legal entity customer, and
  • Control Prong: An individual with significant responsibility to control, manage, or direct a legal entity customer, including an executive officer or senior manager (g., a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, or Treasurer); or (ii) any other individual who regularly performs similar functions.

He also noted, “For identifying ownership of an entity, FinCEN has proposed a form of certification.” But he found such a “certification to be overly simplistic. It only asks for individuals with ownership in the entity. This would clearly miss ownership of the account holder by other entities who could be “bad guys.” The certification also only requires one senior officer.  That makes it too easy to appoint a straw man as executive officer to hide the underlying control by a “bad guy.”” But the FinCen proposed notice itself states “these existing core requirements are already laid out in the BSA [Bank Secrecy Act] as minimum requirements”.

I was equally interested in points 3 and 4. Under point 3, an entity subject to the regulation needs to “Understand the nature and purpose of customer relationships”. The proposed regulation further explained “to gain an understanding of a customer in order to assess the risk associated with that customer to help inform when the customer’s activity might be considered “suspicious.”” Such an inquiry could help a business to “understand the relationship for purposes of identifying transactions in which the customer would not normally be expected to engage. Identifying such transactions is a critical and necessary aspect of complying with the existing requirement to report suspicious activity and maintain an effective AML (or anti-corruption compliance) program.”

The final point 4 relates to ongoing monitoring. Once again consider the position of the US Company, ProEnergy, in the referenced FCPA investigation. What can or should it have done in the way of ongoing monitoring of its customer. The proposed regulation states “industry practice generally involves using activity data to inform what types of transactions might be considered “normal” or “suspicious.”

Furthermore, FinCEN understands that information that might result from monitoring could be relevant to the assessment of risk posed by a particular customer. The proposed requirement to update a customer’s profile as a result of ongoing monitoring (including obtaining beneficial ownership information for existing customers on a risk basis), is different and distinct from a categorical requirement to update or refresh the information received from the customer at the outset of the account relationship at prescribed periods”. Lastly the proposed regulation states, “Finally, as noted above with respect to the obligation to understand the nature and purpose of customer relationships, monitoring is also a necessary element of detecting and reporting suspicious activities”.

There does not have to be a direct bribe or other corrupt payment made by a US company to have liability under the FCPA. FCPA enforcement is littered with companies that have paid bribes through third parties. However, as the Fifth Circuit said in Kay v. US, “[W]e hold that Congress intended for the FCPA to apply broadly to payments intended to assist the payor, either directly or indirectly,” [emphasis mine]. ProEnergy would seem to be at the far edge of potential FCPA liability but if it knew, had reason to know, or even perhaps should have known about some nefarious conduct by its customer, it does not take too many steps to get to some FCPA exposure. The proposed FinCEN rules on customer due diligence for financial institutions might be a good starting point for other commercial entities to consider.

If all of the above is a bit too heavy for a Friday, well view this clip on how to whistle by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 12, 2014

Does Your Company Still Allow Facilitation Payments?

IMG_3289One of the more confusing areas of the US Foreign Corrupt Practices Act (FCPA) is in that of facilitation payments. Facilitation payments are small bribes but make no mistake about it, they are bribes. For that reason many companies feel they are inconsistent with a company culture of doing business ethically and in compliance with laws prohibiting corruption and bribery. Further, the FCPA Guidance specifies, “while the payment may qualify as an exception to the FCPA’s anti-bribery provisions, it may violate other laws, both in Foreign Country and elsewhere. In addition, if the payment is not accurately recorded, it could violate the FCPA’s books and records provision.” Finally, further the FCPA Guidance states, “Whether a payment falls within the exception is not dependent on the size of the payment, though size can be telling, as a large payment is more suggestive of corrupt intent to influence a non-routine governmental action. But, like the FCPA’s anti-bribery provisions more generally, the facilitating payments exception focuses on the purpose of the payment rather than its value.” [emphasis in original text]

In recent remarks, Thomas C. Baxter, Executive Vice President and General Counsel at the Federal Reserve Bank of New York indicated a general unease with facilitation payments. Baxter was quoted in the FCPA Blog for the following, “Baxter said an organizational policy that allows some types of official corruption — including facilitating payments – “diminishes the efficacy of compliance rules that are directed toward stopping official corruption.”” Further, “While I understand that the exception is grounded in a practical reality, I feel that zero tolerance for official corruption would have been a better choice. To any public servant with an extended hand, I would say in a loud and clear voice, “pull it back and do your job.” And, let me note the OECD Working Group on Bribery recommends that all countries encourage companies to prohibit or discourage facilitating payments.”

In addition to these clear statements about whether the FCPA should continue to allow said bribes; you should also consider the administrative nightmare for any international company. The UK Bribery Act does not have any such exception, exemption or defense along the lines of the FCPA facilitation payment exception. This means that even if your company allows facilitation payments, it must exempt out every UK Company or subsidiary from the policy. Further, if your company employs any UK citizens, they are subject to the UK Bribery Act no matter who they work for and where they may work in the world so they must also be exempted. Finally, if your US Company does business with a UK or other company subject to the UK Bribery Act, you may be prevented contractually from making facilitation payments while working under that customer’s contract. As I said, an administrative nightmare.

  1. The Statute

When the FCPA was initially passed in 1977, the facilitating payment exception was found under the definition of foreign official. However, with the 1988 Amendments, a more explicit exception was written into the statute making it clear that the anti-bribery provisions “shall not apply to any facilitating or expediting payment to a foreign official, political party, or party official the purpose of which is to expedite or to secure the performance of a routine governmental action . . .” The statute itself provided a list of examples of facilitation payments in the definition of routine governmental actions. It included the following:

  • Obtaining permits, licenses, or other official documents;
  • Processing governmental papers such as visas and work orders;
  • Providing police protection, mail services, scheduling inspections;
  • Providing utilities, cargo handling; or
  • Actions of a similar nature.

It is important to note that the language of the FCPA makes it clear that a facilitation payment is not an affirmative defense but an exception to the general FCPA proscription against bribery and corruption. Unfortunately for the FCPA Practitioner there is no dollar limit articulated in the FCPA regarding facilitation payments. Even this limited exception has come under increasing criticism. As far back as 2009, the OECD studied the issue and recommended that member countries encourage their corporations to not allow the making of facilitating payments, “in view of the corrosive effect of small facilitation payments, particularly on sustainable economic development and the rule of law.”

Interestingly, one of the clearest statements about facilitation payments comes not from a FCPA case about facilitation payments but the case of Kay v. US, 359 F.3d 738, 750-51 (5th Cir. 2004). This case dealt with whether payment of bribes to obtain a favorable tax ruling was prohibited under the FCPA. In its opinion the Fifth Circuit commented on the limited nature of the facilitating payments exception when it said:

A brief review of the types of routine governmental actions enumerated by Congress shows how limited Congress wanted to make the grease exceptions. Routine governmental action, for instance, includes “obtaining permits, licenses, or other official documents to qualify a person to do business in a foreign country,” and “scheduling inspections associated with contract performance or inspections related to transit of goods across country.” Therefore, routine governmental action does not include the issuance of every official document or every inspection, but only (1) documentation that qualifies a party to do business and (2) scheduling an inspection—very narrow categories of largely non-discretionary, ministerial activities performed by mid- or low-level foreign functionaries.

2. Enforcement Actions

Con-way

The FCPA landscape is littered with companies who sustained FCPA violations due to payments which did not fall into the facilitation payment exception. In 2008, Con-way Inc., a global freight forwarder, paid a $300,000 penalty for making hundreds of relatively small payments to Customs Officials in the Philippines. The value of the payments Con-way was fined for making totaled $244,000 and were made to induce the officials to violate customs regulations, settle customs disputes, and reduce or not enforce otherwise legitimate fines for administrative violations.

Helmerich and Payne

In 2009, Helmerich and Payne, Inc., paid a penalty and disgorgement fee of $1.3 million for payments which were made to secure customs clearances in Argentina and Venezuela. The payments ranged from $2,000 to $5,000 but were not properly recorded and were made to import/export goods that were not within the respective country’s regulations; to import goods that could not lawfully be imported; and to evade higher duties and taxes on the goods.

Panalpina

Finally, there is the Panalpina enforcement action. As reported in the FCPA Blog, this matter was partly resolved last year with the payment by Panalpina and six of its customers of over $257 million in fines and penalties. Panalpina, acting as freight forwarder for its customers, made payments to circumvent import laws, reduce customs duties and tax assessments and to obtain preferential treatment for importing certain equipment into various countries but primarily in West Africa.

DynCorp

Then there is the DynCorp International investigation matter. As reported in various sources the matter relates to approx. $300,000 in payments made by subcontractors who wished to speed up their visa processing and expedite receipt of certain licenses on behalf of DynCorp. This investigation has been going on for several years and there is no anticipated conclusion date at this time.

3.      Some Guidance

So what does the Department of Justice (DOJ) look at when it reviews a company’s FCPA compliance program with regards to facilitation payments? Initially, if there is a pattern of such small payments, it would raise a Red Flag and cause additional investigations, but this would not be the end of the inquiry. There are several other factors which the DOJ could look towards in making a final determination on this issue. The line of inquiry the DOJ would take is as follows:

  1. Size of payment – Is there an outer limit? No, there is no outer limit but there is some line where the perception shifts. If a facilitating payment is over $100 you are arguing from a point of weakness. The presumption of good faith is against you. You might be able to persuade the government at an amount under $100. But anything over this amount and the government may well make further inquiries. So, for instance, the DOJ might say that all facilitation payments should be accumulated together and this would be a pattern and practice of bribery.
  2. What is a routine governmental action? Are we entitled to this action, have we met all of our actions or are we asking the government official to look the other way on some requirement? Are we asking the government official to give us a break? The key question here is whether you are entitled to the action otherwise.
  3. Does the seniority of the governmental official matter? This is significant because it changes the presumption of whether something is truly discretionary. The higher the level of the governmental official involved, the greater chance his decision is discretionary.
  4. Does the action have to be non-discretionary? Yes, because if it is discretionary, then a payment made will appear to be obtaining some advantage that is not available to others.
  5. What approvals should be required? A facilitation payment is something that must be done with an appropriate process. The process should have thought and the decision made by people who are the experts within the company on such matters.
  6. Risk of facilitation payments and third parties? Whatever policy you have, it must be carried over to third parties acting on your behalf or at your direction. If a third party cannot control this issue, the better compliance practice would be to end the business relationship.
  7. How should facilitation payments be recorded? Facilitation payments must be recorded accurately. You should have a category entitled “Facilitation Payments” in your company’s internal accounting system. The labeling should be quite clear and they are critical to any audit trail so recording them is quite significant.
  8. Monitoring programs? There must always be ongoing monitoring programs to review your company’s internal controls, policies and procedures regarding facilitation payments.

So we return to the question of when does a grease payment become a bribe? There is no clear line of demarcation. The test seems to turn on the amount of money involved, to whom it is paid and the frequency of the payments. Additionally, accurate books and records are a must. Finally, remember that the defense of facilitation payments is an exception to the FCPA prohibition against bribery. Any defendant which wishes to avail itself of this exception at trial would have to proffer credible evidence to support its position, but at the end of the day, it would be the trier of fact which would decide. So, much like any compliance defense, the exception is only available if you use it at trial and it would be difficult to imagine that any company will want to use the facilitation payment exception.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 4,601 other followers