FCPA Compliance and Ethics Blog

April 23, 2014

Gifts, Travel and Entertainment Under the FCPA – Part II

Travel and GiftsEd. Note – I know yesterday I said this would be a two-part series but as usual I got carried away so it has become a three part series. Today I review the Opinion Releases and Enforcement Actions dealing with gifts, travel and entertainment.

A. Opinion Releases

  1. Gifts

In the early 1980s the Department of Justice (DOJ) issued three Opinion Releases related to gifts under the Foreign Corrupt Practices Act (FCPA). While these Opinion Releases are clearly dated, they do remain instructive. In Opinion Release 82-01, the DOJ approved the gift of cheese samples made to Mexican governmental officials, made by the Department of Agriculture of the State of Missouri to promote the state of Missouri’s agricultural products. However the value of the cheese to be presented was not included. In Opinion Release 81-02, the DOJ approved a gift from the Iowa Beef Packers, Inc. to officials of the Soviet Ministry of Foreign Trade of its packaged beef products. The total value of all the samples presented was estimated to be less than $2,000 and the Iowa Beef Packers, Inc. averred that the individual sample packages would not exceed $250 in value. In Opinion Release 81-01, Bechtel sought approval to use the SGV Group to solicit business on behalf of Bechtel and Bechtel had proposed to reimburse the SGV Group for gift expenses incurred in this business solicitation. The DOJ approved gifts to be given by SGV in the amount of $500.00.

  1. Travel and Lodging for Governmental Officials

 Prior to the FCPA Guidance, the DOJ issued three Opinion Releases which offered guidance to companies considering whether, and if so how, to incur travel and lodging expenses for government officials. These facts provided strong guidance for any company that seeks to bring such governmental officials to the US for a legitimate business purpose. In Opinion Release 07-01, the Company was desired to cover the domestic expenses for a trip to the US for a six-person delegation of the government of an Asian country for an educational and promotional tour of one of the requestor’s US operations sites. In the Release the representations made to the DOJ were as follows:

  • A legal opinion from an established US law firm, with offices in the foreign country, stating that the payment of expenses by the US Company for the travel of the foreign governmental representatives did not violate the laws of the country involved;
  • The US Company did not select the foreign governmental officials who would come to the US for the training program;
  • The delegates who came to the US did not have direct authority over the decisions relating to the US Company’s products or services;
  • The US Company would not pay the expenses of anyone other than the selected officials;
  • The officials would not receive any entertainment, other than room and board from the US Company;
  • All expenses incurred by the US Company would be accurately reflected in this Company’s books and records.

In Opinion Release 07-02 the Company desired to pay certain domestic expenses for a trip within the US by approximately six junior to mid-level officials of a foreign government for an educational program at the Requestor’s US headquarters prior to the delegates attendance at an annual six-week long internship program for foreign insurance regulators sponsored by the National Association of Insurance Commissioners (NAIC). In the Release the representations made to the DOJ were as follows:

  • The US Company would not pay the travel expenses or fees for participation in the NAIC program.
  • The US Company had no “non-routine” business in front of the foreign governmental agency.
  • The routine business it did have before the foreign governmental agency was guided by administrative rules with identified standards.
  • The US Company would not select the delegates for the training program.
  • The US Company would only host the delegates and not their families.
  • The US Company would pay all costs incurred directly to the US service providers and only a modest daily minimum to the foreign governmental officials based upon a properly presented receipt.
  • Any souvenirs presented would be of modest value, with the US Company’s logo.
  • There would be one four-hour sightseeing trip in the city where the US Company is located.
  • The total expenses of the trip are reasonable for such a trip and the training which would be provided at the home offices of the US Company.

Lastly, is Opinion Release 12-02, in which the Requestors, 19 non-profit adoption agencies located in the US, asked the DOJ about bringing certain foreign governmental officials involved in the foreign country’s adoption process to the US. All the foreign governmental officials were involved in the process of allowing children from their country go through the adoption process with the US non-profits involved. The trips to the US would be for two days of meetings. The purpose of the visit would be to demonstrate the Requestors’ work to the government officials so that the officials can see how adopted children from the foreign country had adjusted to life in the US and to help the Requestors learn how they can provide that information to the foreign country’s government with appropriate information during the adoption process. The Requestors would allow the government officials to meet with the Requestors’ employees and to inspect the Requestors’ offices and case files from previous adoptions. The foreign country’s government officials would also meet with families who had adopted children from their country and learn more about the Requestors’ work.

The Requestors stated that they would pay for the following:

  • Business class airfare on international portions of flights for ministers, members of the legislature, and the director of the Orphanage Agency; coach airfare for international portions of flights for all other government officials; and coach airfare for domestic portions of flights for all government officials;
  • Two or three nights hotel stay at a business-class hotel;
  • Meals during the officials’ stays; and
  • Transportation between agencies and local transportation.

What can one glean from these three Opinion Releases? Based upon them, it would seem that a US company could bring foreign officials into the US for legitimate business purposes. A key component is that the guidelines are clearly articulated in a compliance policy. Based upon these Releases the following should be incorporated into a compliance policy regarding travel and lodging:

  • Any reimbursement for air fare will be for economy class, unless it is a long haul international flight, high ranking foreign officials or those entitled to travel business class by contract.
  • Do not select the particular officials who will travel. That decision will be made solely by the foreign government.
  • Only host the designated officials and not their spouses or family members.
  • Pay all costs directly to the service providers; in the event that an expense requires reimbursement, you may do so, up to a modest daily minimum (e.g., $35), upon presentation of a written receipt.
  • Any souvenirs you provide the visiting officials should reflect the business and/or logo and would be of nominal value, e.g., shirts or tote bags.
  • Apart from the expenses identified above, do not compensate the foreign government or the officials for their visit, do not fund, organize, or host any other entertainment, side trips, or leisure activities for the officials, or provide the officials with any stipend or spending money.
  • The training costs and expenses will be only those necessary and reasonable to educate the visiting officials about the operation of your company.

Incorporation of these concepts into a compliance program is a good first step towards preventing any FCPA violations from arising, but it must be emphasized that they are only a first step. These guidelines must be coupled with active training of all personnel, not only on the compliance policy, but also on the corporate and individual consequences that may arise if the FCPA is violated regarding gifts and entertainment. Lastly, it is imperative that all such gifts and entertainment are properly recorded, as required by the books and records component of the FCPA.

B. Enforcement Actions

Mike Volkov refers to the FCPA Paparazzi when he talks about those FCPA practitioners who confuse FCPA information with FCPA scare tactics and manipulate legal reasoning and practical advice with “marketing” using fear as opposed to reliable and accurate information. In a recent blog post, entitled “The So-Called Re-Emergence of Gifts, Meals and Entertainment as a Compliance Problem” Volkov bemoaned recent FCPA Paparazzi client alerts which said that the DOJ was now gunning after companies for FCPA transgressions in this area.

But one point Volkov raised for consideration by the compliance practitioner was the overall management of these risks. He asked the following questions: “Who is responsible for approving expenditures? What controls are in place for ensuring that money is used for proper purposes? How are these expenditures monitored? Who watches the person responsible for controlling the money and what controls are in place to monitor their behavior?” All good questions, and all questions that the compliance function should be able to answer going forward.

While there were three of enforcement actions in 2013 and one in 2014 where gifts, travel and entertainment were discussed. In only one of the four such enforcement actions were gifts, travel and entertainment discussed, where over a period of 15 months these actions were the primary cause of the violation. That matter was the Diebold enforcement action. In all others, HP, Weatherford and Stryker, the gifts, travel and entertainment matters were all ancillary to the primary illegal conduct at issue. This is consistent with DOJ enforcement of the FCPA so Volkov rights notes, the FCPA Paparazzi are howling at the moon once again.

Travel and Entertainment Enforcement Expense Box Score

Company Trip Locations Trip Costs & Perks Company Facilities Present
Lucent Technologies DisneyWorld, Hawaii, Las Vegas, Grand Canyon, Niagara Falls, Universal Studios, NYC $10 million in trips for 1000 Chinese governmental officials, including $34,000 for five days of sightseeing None of the travel destinations
Ingersoll-Rand Trip to Florence after trip to company facility in Vignate, Italy $1000 ‘pocket money’ per attendee Facilities in Vignate but not in Florence
Metcaf & Eddy First trip – Boston, Washington, D.C., Chicago and Orlando. Second trip – Paris, Boston and San Diego. First Class Travel and trip expenses for Egyptian governmental official and his family. Cash payments prior to trips of 150% of estimated daily expenses. Wakefield Mass., not in Washington DC, Chicago, Paris or DisneyWorld
Titan Corporation Reference in company books and records of $20,000 for promotional travel expenses. Not clear if ever funded (Remember a promise to pay equals making a payment under the FCPA)
UTStarcom Hawaii, Las Vegas and NYC Up to $7 million on gifts and all expense paid trips to US No company offices present in any of the travel destinations
Diebold Europe, with stays in:

  • Paris,
  • Amsterdam,
  • Florence,
  • Rome

In the US with visits to:

  • Disneyland,
  • Grand Canyon,
  • Napa Valley,
  • Las Vegas
$1.6MM to employees of Chinese state-owned banks; $175K to employees of Indonesian state-owned banks No company offices present in any of the travel destinations
  • Trip to Germany for the World Cup
  • Honeymoon for Sonatrach official’s daughter
  • Trip to Saudi Arabia for religious holiday
Payment of $24,000 in cash advance for Algerian government officials visiting Houston No legitimate business purpose for any of the business travel
Stryker NYC and Aruba $7000 for Polish gov official and wife No company offices present in any of the travel destinations
HP Las Vegas $35,000 in travel expenses paid for Polish gov official No company offices present in any of the travel destinations

Tomorrow we will tie it all together for you.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 22, 2014

Gifts, Travel and Entertainment under the FCPA – Part I

Travel and GiftsEd. Note-Today’s blog post will begin a two-part review of gifts, travel and entertainment under the FCPA.

One of the first thing that many companies will try to put in place is a gifts, entertainment and travel policy when looking at an overall compliance program. I find the reality to be that not only is this one of the more easier things to implement because one of the most consistent things taught at any organization, of one person or more, is to record the even and keep receipts. The base reason is not corporate or even Foreign Corrupt Practices Act (FCPA) record keeping. It is IRS Regulations. Even lawyers know you have to keep receipts. This means getting employees to document, document and document, who they may have taken to dinner or entertained, the amount, the business purpose and if they were a foreign government official, their title, this does not seem like too much of a stretch to ask.

The part that does seem different, or new, to employees is the limit. By this I mean the amount of money which can be spent on a dinner, gift or entertainment without prior approval from the compliance function. For any expenditure above those predefined limits an employee must seek pre-approval from the compliance function prior to exceeding or incurring the expense.

An on-going debate is whether to take a hard and fast line over which all employees must come to the compliance function for pre-approval regarding any gifts and entertainment. Many sales people like this approach because they want to know precisely what the line is that they can go up to. Companies may take a more values-based approach, which looks at the overall value an employee may spend over a one year or other time period but the monitoring is at the backend of the transactions.

A rules based approach is one which generally sets a dollar threshold for gifts and entertainment in two general categories; they are gifts and entertainment for foreign governmental officials and gifts and entertainment for non-foreign governmental officials. Below the threshold, employees can provide gifts and entertainment without the need for pre-approval, above the threshold; employees have to seek pre-approval from the compliance function. Limits are typically lower for foreign governmental officials than non-governmental officials. The gift or entertainment request from the employee requires a reasonably detailed business purpose and the monetary request involved should not appear to be unreasonable.

The second approach is a more values based approach. It allowed the regions to set their own top end values to gifts and entertainment, based upon the nuances and risks of the geographic area. The responsibility of the compliance department in such a values based approach would be two-fold. The first would be to engage in more training for employees on gifts and entertainment issues. The second would be greater monitoring of employee gifts and entertainment.

Values based monitoring is more extensive than for rules based monitoring. If an employee goes above the overall company limit, the matter must be investigated through an independent review of the amount spent; who it was spent on and the business purpose. This must then be written up and the independent investigator must make a determination of whether a compliance issue violation has occurred. While this post-event work seems costly and disruptive to the business, company representatives say this works for them.

One of the interesting tangents in the area of gifts and entertainment is the issue of proportionality. Proportionality in the context of gifts and entertainment in anti-corruption compliance programs generally relates to the appropriate types of gifts or entertainment to be provided to a high-level company official. One rule of thumb is if the entertainment provided was typical for a company executive and that executive could routinely pay for it, this was indicia that it was reasonable if provided from one senior level executive to another. But you must remember about how such information will be viewed in the context of a FCPA investigation, as to what is reasonable or even ‘modest’ is usually very different than the view of a sales person.

A. The Statute

Under the FCPA, the following affirmative defense regarding the payment of expenses exists:

[it] shall be an affirmative defense [that] the payment, gift, offer or promise of anything of value that was made, was a reasonable and bona fide expenditure, such as travel and lodging expenses, incurred by or on behalf of a foreign official, party, party official, or candidate and was directly related to…the promotion, demonstration, or explanation of products or services; or…the execution or performance of a contract with a foreign government or agency thereof. 15 U.S.C. § 78dd-1(c)(2)(A)-(B).

There is no de minimis provision. The presentation of a gift or business entertainment expense can constitute a violation of the FCPA if this is coupled with the corrupt intent to obtain or retain business.

B. FCPA Guidance

There was a good discussion of gifts and entertainment in the FCPA Guidance. In it the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) made clear that “A small gift or token of esteem or gratitude is often an appropriate way for business people to display respect for each other. Some hallmarks of appropriate gift-giving are when the gift is given openly and transparently, properly recorded in the giver’s books and records, provided only to reflect esteem or gratitude, and permitted under local law…”

Just as reasonably priced gifts are appropriate to give out, the FCPA Guidance specifies that “… Items of nominal value, such as cab fare, reasonable meals and entertainment expenses, or company promotional items, are unlikely to improperly influence an official, and, as a result, are not, without more, items that have resulted in enforcement action by DOJ or SEC.” However, as the costs and value begin to rise, so does the potential FCPA risk. The FCPA Guidance states, “The larger or more extravagant the gift, however, the more likely it was given with an improper purpose. DOJ and SEC enforcement cases thus have involved single instances of large, extravagant gift-giving (such as sports cars, fur coats, and other luxury items) as well as widespread gifts of smaller items as part of a pattern of bribes. For example, in one case brought by DOJ and SEC, a defendant gave a government official a country club membership fee and a generator, as well as household maintenance expenses, payment of cell phone bills, an automobile worth $20,000, and limousine services. The same official also received $250,000 through a third-party agent.”

The FCPA Guidance does specify some types of examples of improper travel and entertainment as follows:

  • $12,000 birthday trip for a government decision maker from Mexico that included visits to wineries and dinners;
  • $10,000 spent on dinners, drinks, and entertainment for a government official;
  • A trip to Italy for eight Iraqi government officials that consisted primarily of sightseeing and included $1,000 in “pocket money” for each official;
  • A trip to Paris for a government official and his wife that consisted primarily of touring activities via a chauffeur-driven vehicle.

The FCPA Guidance points out something that is rather obvious. If a company has a culture of compliance in the area of gifts, travel and entertainment that allows violations of the FCPA, it probably is lax in other areas. We recently saw this played out in the Hewlett-Packard (HP) FCPA enforcement actions where lax internal controls allowed HP-Poland to pay over $600,000 in cash to a Polish government official; pay for his travel to Las Vegas at full HP expense and also purchase him gifts valued at over $30,000. The gifts, travel and entertainment on their own could have been stand-alone FCPA violations but they were certainly symptomatic of an entire culture at HP-Poland, which allowed such conduct to occur.

Tomorrow we will review some enforcement actions and Opinion Releases.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 21, 2014

Nursery Rhymes, a Chinese Proverb, the HP FCPA Enforcement and the Myth of the Rogue Employee

Cow Jumping Over the MoonHey diddle diddle,

The Cat and the fiddle,

The Cow jumped over the moon.

As my friend and colleague Jay Rosen is want to remind us, he continually learns much about compliance and ethics from his Kindergarten-aged daughters. I submit that you need only look to children’s nursery rhymes in the context of the recent Hewlett-Packard (HP) Foreign Corrupt Practices Act Enforcement (FCPA) to fully appreciate the inanity of the myth of the ‘rogue employee.’ HP has been cited as the prime example of the case where a small group of evil or ‘rogue employees’ purposely mislead their ultimate US corporate parent (HP Co) by engaging in bribery and corruption for which their US corporate parent, who did not engage in the corrupt action, were forced to pay the fines and penalties (and attendant investigative costs, remediation costs and negative publicity). For the purposes of this discussion we will leave out the millions of dollars that HP potentially benefited from via the illegal actions of its alleged ‘rogue employees’; or if there has ever been a case involving ‘rogue employees’ who, intentionally or otherwise, took a company down into FCPA grief.

I. HP-Poland – the Tale of Little Jack Horner – what a good boy I am

Little Jack Horner

Sat in the corner,

Eating a Christmas pie;

He put in his thumb,

And pulled out a plum,

And said ‘What a good boy am I!’

This is the one where commentators are having a Eureka moment. After all, the settlement documents point to one man, HP’s Poland Country Manager, and his John Le Carré-esque meetings. In this bribery scheme, the Country Manager engaged in a multi-year bribery scheme to pay bribes to one Polish government official to secure a large number of contracts. These bribes were paid surreptitiously, using a variety of techniques to evade detection but they all had one thing in common which I will ask you to figure out from the Bribery Box presented below.

HP-Poland Bribery Box Score

Bribe Amount Method of Payment Year Paid Business Received
$150,000 Bag of cash, delivered to home of Polish gov official 2007 Contract valued at $15.7MM
$100,000 Bag of cash, delivered in parking lot to Polish gov official 2007
$130,000 to $140,000 Bag of cash delivered to Polish gov official 2008 Contract executed January 2008
$110,000 Bag of cash 2008 Contract executed in April 2008
$90,000 Bag of cash delivered to Polish gov official 2008 Contract executed May 2008
$30,000 Bag of cash delivered to Polish gov official 2008 Final 3 contracts totaled $32MM in value
$6,000 (offer) 2010 For contract signed in 2010 valued at $4MM
$30,000 Delivered as gifts 2007-2010 Total contracts valued at $60MM

For those of you not so quick on the draw the common element, at least until the end of the Box Score, is that all the bribes were paid in cash. For part of my in-house legal career, I did legal work for the energy industry and I have some familiarity in the amount of money that Country Manager’s made, at least the range of their salary and bonus, and it certainly was not enough to fund bribes in the amount of $600,000 in cash over a couple of years.

So let me get this straight, no one else at HP-Poland aided the Country Manager while he helped himself to the kitty? Didn’t anyone even notice, say in 2007, one of our $250,000 was missing? If not, the Country Manager had to have help in siphoning off funds from HP itself to fund these bribes? So my first question is where was HP internal audit? At the country level? At the region level? At the corporate level? Where was HP Co, when HP-Poland landed $60MM in contracts, in determining how these contracts were procured? Where were HP internal controls?

Was the Country Manager like Little Jack Horner? What a good boy I am?

II.   HP-Russia – Yes Sir, Yes Sir, Three Bags Full

Baa, baa, black sheep,

Have you any wool?

Yes, sir, yes, sir,

Three bags full.

HP-Russia seems to confuse commentators the most about the myth of the ‘rogue employee’. Here they point to the coded spreadsheets (the “Encrypted Spreadsheet”), which could only be unlocked and read by the conspirators themselves. And after all, they lied, lied, when they were asked about some of the details of the transaction in questions. I am sure Inspector Renoir is still shocked, shocked, to discover that gambling is still occurring on the premises of Rick’s Café American in Casablanca.

So why three bags full? Well, first of all, if you are from a certain university in central Texas you’ll immediately know what it means. For the less delicate among you, it would mean a large load of Col. Sherman Potter’s horse-hockey; three bags full in fact. This deal had been floating around HP for years, was well-known enough to raise multiple Red Flags inside the company and was simply internally shopped until it slid through by hook, nook or crook; or in this case, three bags full.

The initial deal was inked with the Russian government in June 2001 but as the Russian government could not fund it, they sought another foreign government to fund and that government was the US. However, to do so, it required that at least 85% of all goods and services were of US origin. To meet this requirement, the initial deal was changed to substitute a US intermediary (Intermediary 2) who replaced the Swiss intermediary on the deal (Intermediary 1). HP Co conducted due diligence on Intermediary 2 and then met with Intermediary 2 in the US to conduct additional due diligence. However, Intermediary 2 balked at answering more “pointed questions” about its expertise and financial wherewithal to handle the transaction. HP Co then told HP-Russia that they would not approve the transaction.

Not to be deterred from a good deal, the foreign government financing was switched from the US to Germany. In addition, Intermediary 2 was ditched for a one-man shop, Burwell Consulting Ltd (Burwell). Burwell and others were eventually paid nearly $21MM in bribes for the Russia government contract. There has been much discussion about how HP-Russia tricked HP-Germany’s employees through the use of “encrypted, password protected spreadsheets that tracked the deal’s financial inflows and outflows”. However, what I found more interesting was the discussion about how not only had HP-Russia shopped the deal internally and been told a resounding NO by HP Co for obvious Red Flags present but also the discussion of how HP-Russia internally funded the bribery scheme.

They did so by the classic ‘stuffing the channel’ that every software lawyer, accountant, bookkeeper, auditor, sales rep and anyone else subject to GAAP or IFSR learns on their first day of training on their first job. It goes like this: HP-Russia sold products to a channel partner; who then sold them to Intermediary 3; who then sold them back to HP with a mark-up and voila, you have a big pile of cash with which to bribe.

So what does the HP-Russia deal tell us about HP as a company? As with HP-Poland, you would have to question where was internal controls while this was playing out, at the country level, at the region level, at the anywhere level? But there is far more than simply internal controls going on here. Based on what was publicly announced in the settlement documents, HP Co had actual knowledge that the deal was rife with Red Flags as it was presented. It was so bad they shut it down. Of course, the business guys simply resurrected it in another place, in another guise. What does that say about the overall effectiveness of the compliance function at the time if HP-Russia could bring a Red Flagged deal to HP Co only to have it stopped, then to shove it through HP-Germany due to weak controls? What about the internal controls on how HP-Russia was able to generate $21MM in scammed money to pay the bribes in the first place? Think anyone else might have thought about running that scam through those robust internal controls? After all, its only three bags full…

III.   HP-Mexico – Fool Me Once…

Fool Me Once,

Shame on You;

Fool me twice,

Shame on Me.

The above did not come from George Bush (The Younger) but is purported to be an old Chinese proverb. I like that thought anyway and it certainly informs our look the claim of ‘rogue employee’ in Mexico. Here, for reasons far beyond my comprehension, HP was able to secure a Non-Prosecution Agreement (NPA) from the Department of Justice (DOJ) for the actions of its subsidiary in Mexico in paying a bribe of $1.6MM to facilitate the winning of a contract worth $6MM. But the lesson learned from the ancient Chinese proverb certainly informs our look at the allegation of the ‘rogue employee’ down Mexico way.

HP-Mexico wanted to use a certain agent involving a deal with Pemex because he had a very close relationship with the Pemex official who would be making the decision on the contract. HP-Mexico even signed a contract with this agent where his description of services was an “influencer fee” for which he would receive a 25% commission. This agent could apparently neither meet HP Co’s due diligence requirements, accept HP Co’s mandatory commission rate or both but whatever the reason, they were not approved as an agent on the Pemex deal. But like all good HP business folks (beginning to see a pattern here?) HP-Mexico simply subcontracted this agent to an existing, approved HP channel partner. HP-Mexico then amazingly (or perhaps not) said that they needed to raise the commission rate of this channel partner from 1.5% to 26.5% because this channel partner was now “managing discounts with Pemex” which coincidentally, this channel partner had never done. Because this channel partner was previously approved by compliance, the request for increase in commission rate was never submitted to compliance for approval. Think an internal control or two might have been appropriate in this situation?

What do the nursery rhymes and Chinese proverb tell us about HP and the Myth of the Rogue Employee? All three of the bribery schemes involved showed that there were multiple failures of numerous systems that allowed the schemes to run rampant. But perhaps the thing that they speak to the most is the culture that existed at the company during the time frames in question. While the FCPA Professor and others have noted that some of the conduct in question began in Russia as long ago as 1999, the settlement documents speak to conduct in Poland as recently as 2010. Certainly, the NPA for HP-Mexico’s conduct was for actions in 2009. What was the tone set that not only allowed employees to think that they could get away with subverting the law but that they had to do so. That, perhaps, is the most troubling questions unanswered by the Myth of the Rogue Employee.

Whatever the answer to HP’s culture of compliance may have been at the time of the conduct which led to the enforcement action, the claim that the company does not bear responsibility for either setting that tone, facilitating the conduct by looking the other way when convenient or not having appropriate internal prevention and detection controls in place to prevent massive fraud by its own employees; the reality is that when a employees of a company can evade controls to generate multi-millions of dollars to generate pools of money to pay bribes, there is no ‘rogue employee’ or even small group of rogue employees. Or there is about as much chance as a cow jumping over the moon.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 15, 2014

Implementing Compliance Incentives In Your Company

IncentiveSeveral readers have asked why I have not written anything about the Houston Astros this year. The answer is two-fold. The first is that I really do not care. However, the more I thought about it, the real reason is that they are not relevant. Just how not relevant are the bumbling hometown (former) loveables? Last week they achieved the noteworthy accomplishment of obtaining a Nielson rating of 0.00 for a second consecutive season. I am not aware of any other major league team, which has been on television for a game where no one was recorded as watching for the entire game, for two straight seasons. Pretty amazing when you think about it.

However, one thing that is relevant in the context of any best practices anti-bribery compliance program is incentives. The Department Of Justice (DOJ) and Securities Exchange Commission (SEC) could not have been clearer in the FCPA Guidance about their views on the need for incentives to help drive behavior that is ethical and in compliance with the Foreign Corrupt Practices Act (FCPA) when they stated “DOJ and SEC recognize that positive incentives can also drive compliant behavior.” In the Guidance, the SEC cited to the following:

[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that “doing the right thing” is a priority, is to reward it. Conversely, if employees are led to believe that, when it comes to compensation and career advancement, all that counts is short-term profitability, and that cutting ethical corners is an acceptable way of getting there, they’ll perform to that measure. To cite an example from a different walk of life: a college football coach can be told that the graduation rates of his players are what matters, but he’ll know differently if the sole focus of his contract extension talks or the decision to fire him is his winloss record.

A recent article in the Spring 2014 issue of the MIT Sloan Management Review, entitled “Combing Purpose with Profits”, by authors Julian Birkinshaw, Nicolai J. Foss and Siegwart Lindenberg, presents some interesting steps on how a company might work towards achieving the goals articulated by the DOJ and SEC. The key thesis of the authors is if you want to motivate employees you have to have purpose. In their article they presented case studies from three entities: the Tata Group, Handelsbanken and HCL Technologies. From these three cases studies they came up with six core principles, which I will adapt for the compliance function in an anti-corruption compliance program.

  1. Compliance incentives don’t have to be elaborate or novel. The first point is that there are only a limited number of compliance incentives that a company can meaningfully target. Evidence suggests the successful companies are the ones that were able to translate pedestrian-sounding compliance incentive goals into consistent and committed action.
  2. Compliance incentives need supporting systems if they are to stick. People take cues from those around them, but people are fickle and easily confused, and gain and hedonic goals can quickly drive out compliance incentives. This means that you will need to construct a compliance function that provides a support system to help them operationalize their pro-incentives at different levels, and thereby make them stick. The specific systems which support incentives can be created specifically to your company but the key point is that they are delivered consistently because it signals that management is sincere.
  3. Support systems are needed to reinforce compliance incentives. One important form of a supporting system for compliance incentives “Is to incorporate tangible manifestations of the company’s pro-social goals into the day-to-day work of employees.” Make the rewards visible. As stated in the FCPA Guidance, “Beyond financial incentives, some companies have highlighted compliance within their organizations by recognizing compliance professionals and internal audit staff. Others have made working in the company’s compliance organization a way to advance an employee’s career.”
  4. Compliance incentives need a “counterweight” to endure. Goal-framing theory shows how easy it is for compliance incentives to be driven out by gain or hedonic goals, so even with the types of supporting systems it is quite common to see executives bowing to short-term financial pressures. Thus, a key factor in creating enduring compliance incentives is a “counterweight,” by which we mean any institutional mechanism that exists to enforce a continued focus on a nonfinancial goal. This means that in any financial downturn compliance incentives are not the first thing that gets thrown out the window and if my oft-cited hypothetical foreign Regional Manager misses his number for two quarters, he does not get fired. So the key is that the counterweight has real influence; it must hold the leader to account.
  5. Compliance incentive alignment works in an oblique, not linear, way. The authors believe that “In most companies, there is an implicit belief that all activities should be aligned in a linear and logical way, from a clear end point back to the starting point. The language used — from cascading goals to key performance indicators — is designed to reinforce this notion of alignment. But goal-framing theory suggests that the most successful companies are balancing multiple objectives (pro-social goals, gain goals, hedonic goals) that are not entirely compatible with one another, which makes a simple linear approach very hard to sustain.” What does this mean in practical terms for your compliance program? If you want your employees to align around compliance incentives, your company will have to “eschew narrow, linear thinking, and instead provide more scope for them to choose their own oblique pathway.” This means emphasizing compliance as part of your company’s DNA on a consistent basis — “the intention being that by encouraging individuals to do “good,” their collective effort leads, seemingly as a side-effect, to better financial results. The logic of “[compliance first], profitability second” needs to find its way deeply into the collective psyche of the company.”
  1. Compliance incentive initiatives can be implemented at all levels. Who at your company is responsible for pursuing compliance incentives? If you head up a division or business unit, it is clearly your job to define what your pro-social goals are and to put in place the supporting structures and systems described here. But what if you are lower in the corporate hierarchy? It is tempting to think this is “someone else’s problem,” but actually there is no reason why you cannot follow your own version of the same process. We have seen quite a few mid-level managers make a real difference, and often quite quickly, using the principles outlined here.

The author’s have set out several steps that you can implement into your compliance program to enhance incentives to facilitate anti-corruption. There have been many who have criticized the FCPA Guidance. While I am certainly not one of them, I do not think there can be any argument that it does not present the DOJ and SEC views on a minimum best practices compliance program. So if the DOJ and SEC think incentives in your compliance program are important, I suggest to you, they are important. The article, which is the basis of this blog post, provides an excellent start for the exploration of some ways to inculcate anti-bribery and anti-corruption incentives into not only your compliance regime but also, more importantly, the DNA of your company.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 14, 2014

The HP FCPA Settlement

FCPA SettlementLast week the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) jointly announced the conclusion of a Foreign Corrupt Practices Act (FCPA) enforcement action against Hewlett-Packard Company (HP). In the settlement, HP agreed to pay $108MM in fines, penalties and disgorgements for criminal and civil acts. To say that it was one of the more perplexing FCPA settlements would seem to be an understatement. While some will read the settlement documents and see conduct which did not merit such a high total amount of fines and penalties, I am not from that camp.

The tale of this sordid affair of bribery and corruption occurred over 3 continents with multiple countries involved, evidencing an entire breakdown in company internal controls and a complete lack of a culture of compliance. Yet the settlement documents make great pains to emphasize that few employees were actually involved in the nefarious conduct. How bad was the conduct? Think right up there with BizJet because we had bags of cash delivered to a Polish government official. (But unlike BizJet, the Board of Directors did not approve the bribery scheme and it was not taken across the border.) For the Russian deal, it was shopped through several countries with multiple levels of company review, which did not seem to work or care much about anything except getting the deal done. For Mexico, they just seemed to get a free pass where the contract description for the agent who paid the bribe was “influencer fee”.

Finally, as most readers might remember, HP did not self-report this misconduct to the DOJ or SEC. Apparently, the story of HP’s bribery by its German subsidiary to gain a contract in Russia was broken by the Wall Street Journal (WSJ) article in April 15, 2010. The next day, the DOJ and SEC announced they were investigating the allegations of bribery. However, HP was made aware of the allegations by its German subsidiary in December 2009, when German authorities raided HP’s offices in Munich and arrested one HP Germany executive and two former employees. Yet HP never self-reported. Not exactly the poster child for self-disclosure for any company going forward.

Of course HP’s public response at the time indicated its attitude, when a HP spokesperson was quoted in the WSJ article as saying “This is an investigation of alleged conduct that occurred almost seven years ago, largely by employees no longer with HP. We are cooperating fully with the German and Russian authorities and will continue to conduct our own internal investigation.”

More befuddlement comes from the reported facts around HP Germany. As noted by the WSJ report, one, then current, HP executive was arrested and two former employees were arrested in connection with the investigation by German authorities. There is no mention of them in any of the settlement documents. The WSJ article also reported that investigation-related documents submitted to a German court showed that German prosecutors were “looking into whether H-P executives funneled the suspected bribes through a network of shell companies and accounts in places including Britain, Austria, Switzerland, the British Virgin Islands, Belize, New Zealand, the Baltic nations of Latvia and Lithuania, and the states of Delaware and Wyoming”. While some of these countries were mentioned in the settlement documents there was no mentions of DOJ or SEC investigations into Wyoming, Belize, the British Virgin Islands or New Zealand.

What are we to make of the criminal fines levied against the Russian and Polish subsidiaries of HP? The Polish subsidiary pled guilty to a two count Criminal Information consisting of (1) violating the FCPA’s internal control provisions; (2) violating the FCPA’s books and records provisions. The US Sentencing Guidelines suggested a fine range of $19MM to $38MM, the final fine was $15,450,244.

For the Russia deal, the Russian subsidiary pled guilty to a four count Criminal Information consisting of (1) conspiracy to violate the books and records provisions of the FCPA; (2) violating the FCPA’s anti-bribery provisions; (3) violating the FCPA’s internal control provisions; (4) violating the FCPA’s books and records provisions. The US Sentencing Guidelines suggested a fine range of $87MM to $174MM, yet the final fine was $58,772,250.

Finally, in Mexico HP’s subsidiary, according the to the SEC Press Release, “paid a consultant to help the company win a public IT contract worth approximately $6 million. At least $125,000 was funneled to a government official at the state-owned petroleum company with whom the consultant had connections. Although the consultant was not an approved deal partner and had not been subjected to the due diligence required under company policy, HP Mexico sales managers used a pass-through entity to pay inflated commissions to the consultant.” This was internally referred to by HP as an “influencer fee.” Pretty clear evidence of what it was to be used for, wouldn’t you say? Yet the DOJ did not to criminally prosecute the company’s Mexican subsidiary and entered into a Non-Prosecution Agreement (NPA), HP agreed to pay forfeiture in the amount of $2,527,750.

How did HP accomplish all of this? In a Press Release HP Executive Vice President and General Counsel John Schultz said, “The misconduct described in the settlement was limited to a small number of people who are no longer employed by the company. HP fully cooperated with both the Department of Justice and the Securities and Exchange Commission in the investigation of these matters and will continue to provide customers around the world with top quality products and services without interruption.”

As reported by the FCPA Professor, in his blog post entitled “HP And Related Entities Resolve $108 Million FCPA Enforcement Action”, the HP Russian subsidiary Plea Agreement gave the following factors for the reduction in the fine from the Sentencing Guideline range:

“(a) monetary assessments that HP has agreed to pay to the SEC and is expected to pay to law enforcement authorities in Germany relating to the same conduct at issue …; (b) HP Russia’s and HP’s cooperation has been, on the whole, extraordinary, including conducting an extensive internal investigation, voluntarily making U.S. and foreign employees available for interviews, and collecting, analyzing, and organizing voluminous evidence and information for the Department; (c) HP Russia and HP have engaged in extensive remediation, including by taking appropriate disciplinary action against culpable employees of HP and enhancing their internal accounting, reporting, and compliance functions; (d) HP has committed to continue enhancing its compliance program and internal accounting controls … (e) the misconduct identified … was largely undertaken by employees associated with HP Russia, which employed a small fraction of HP global workforce during the relevant period; (f) neither HP nor HP Russia has previously been subject of any criminal enforcement action by the Department or law enforcement authority in Russia or elsewhere; (g) HP Russia and HP have agreed to continue to cooperate with the Department and other U.S. and foreign law enforcement authorities, if requested by the Department …”

In the same blog post, the Professor reported the following reasons were stated for reduction in the final fine by HP’s Polish subsidiary’s:

“(a) HP Poland’s cooperation with the Department’s investigation; (b) HP Poland’s ultimate parent corporation, HP, has committed to maintain and continue enhancing its compliance program and internal accounting controls …; and (c) HP Poland and HP have agreed to continue with the Department and other U.S. and foreign law enforcement authorities in any ongoing investigation …”

We have witnessed companies, which have engaged in ‘extraordinary cooperation’ with the DOJ during the pendency of their FCPA investigations. BizJet is certainly one that comes to mind. Further, there are clear examples of companies, which extensively remediated during the pendancies of their FCPA investigations, from which they clearly benefited. Two prime examples are Parker Drilling, which not only received a financial penalty below the suggested range but also was not required to have a corporate monitor, while they had C-Suite involvement in its bribery scheme. Weatherford seeming came back from the brink during mid-investigation when they hired Billy Jacobson and turned around not only their attitude towards cooperation with the DOJ but also their efforts toward remediation.

Both of these companies are headquartered in Houston and both have been quite active on the conference circuit talking about their compliance programs so most compliance practitioners are aware that these companies are on the forefront of best practices. Perhaps HP is on some circuit doing that, somewhere. If so, kudos to them. If their remediation work led to a best practices compliance program for the company and their extraordinary cooperation led to the astonishing reduction in penalties to their entities, I certainly tip my cap to them. If their lawyers were great negotiators and made great presentations to the DOJ and SEC, all of which led to or contributed to the final results, a tip of the cap to them as well.

So what is the lesson to be learned for the compliance practitioner? Other than befuddlement, I am not sure. Congratulating HP and its counsel is not a lesson it is an action. If HP now has a best practices compliance program, I hope they will provide the compliance community with the lessons that they learned and incorporated into their compliance program, which allowed them to obtain the fines below the minimum suggested range. If they have incorporated some enhanced compliance components into their program I hope they will share those enhancements too.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 11, 2014

Joint Venture Partners and the Company You Keep Under the FCPA

Lie Down Wtih DogsAs the father of a teenage daughter I am sometimes, reluctantly, forced to admit that upon rare occasions my parents were right about a few things. One was asking for permission first rather than asking for forgiveness after the fact, or in my case as a teenager the untoward event. Another was my mother’s admonition that you are judged by the company you keep. I thought about that truism when I read an article in the Financial Times (FT) yesterday, entitled “Steinmetz unit won Guinea mining riches corruptly, inquiry says”, by reporter Tom Burgis.

The article relates the long running story of the BSG Resources’ (BSGR) winning of the multi-billion mining concession for the Simandou iron-ore mine in the country of Guinea, which was awarded to the company at the end of the reign of the country’s former dictator Lansana Conté, before he died in 2008. According to a report prepared by the current government of Guinea, BSGR won the contract by paying bribes to his fourth wife Mamadie Touré in the form of cash and shares “to help ensure those rights were stripped from Anglo-Australian miner Rio-Tinto and granted to BSGR.”

Of course there is also the tale of BSGR employee/agent/representative/other Frederic Cilins who contacted Ms. Touré in the US and offered to pay her some $5MM to retrieve the contracts which detailed the payments she was to receive from BSGR. It turned out that there was a Grand Jury investigation going on over BSGR at the time and by now Ms. Touré was a cooperating witness with the Department of Justice (DOJ). Cilins was arrested, charged with and pled guilty to obstruction of justice.

BSGR has denied all of these allegations and says that it received the rights to the mining concession fair and square. Further, it has questioned not only the legitimacy of the report issued by the Guinea government but of the government itself, saying “[current] President Conté has manipulated the process through unconditional technical and financial support from activists line [billionaire transparency advocate] George Soros and NGOs that function as his personal advocacy groups.” The Guinea government report notes recommends that BSGR’s mining concession be cancelled.

So how does all this imbroglio relate to my mother’s admonition? It is because BSGR was in a joint venture (JV) with the Brazilian company Vale for this concession. The FT article reports “After spending $160m on preliminary development of its Guinea assets, BSGR in April 2010 struck its $2.5bn deal with Vale, of which $500m was payable immediately. The balance was to be paid if targets were met but Vale halted payments last year, after the corruption allegations surfaced. The inquiry concluded that, although payments to Ms Touré allegedly continued following the Vale transaction, it was “likely” that the Brazilian group “has not participated in corrupt practices”. Nonetheless, it said the Vale-BSGR joint venture – which BSGR says has spent $1bn at Simandou – should be stripped of its rights to that and other prospects.”

Vale’s response to all of this has been – wait for it – “conducts appropriate due diligence prior to its investments.” Vale had no comment on the Guinea government report released yesterday. I wonder what its due diligence on BSGR turned up?

I wrote last week about the life cycle management of the third party relationship. Those series of articles was primarily aimed at agents and other representatives in the sales channel and vendors in the supply chain. While those same concepts apply to JV’s, there is another level of management when there is a relationship such as a JV. One JV partner must have transparency into the actions of its partner and there must be as much assurance as can be possible that there is no corruption going on. From the time line presented in the FT article it appears that the JV between BSGR and Vale was created (2010) after the payments were contracted to Ms. Touré and the concession granted to BSGR (2008).

However I am sure that is of little comfort to Vale who is now down its $500MM that it paid to BSGR to enter into the JV relationship. How much has it had to spend to circle the wagons to defend itself? And do you think the DOJ has come knocking on their door during its investigation? (The smart money says yes). To top it all off, last week the company announced it might have to write-off its entire investment in Guinea. While Guinea indicated that Vale would not be banned from rebidding if rights for the mining concessions were reopened, what do you thing Vale’s chances would be? (Here the smart money says no).

Did Vale subject itself to Foreign Corrupt Practices Act (FCPA) liability by joining into a JV with BSGR? At this point I have no idea. But you know my Mom was right, in the FCPA world, when it comes to JV’s, you are known by the company you keep.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 8, 2014

Mickey Rooney and The 90 Cent Solution

Mickey Rooney as PuckWe begin today with a word on the death of Mickey Rooney. Rooney’s career, spanning nearly 90 years was certainly was from a different era. He was short of stature and long in his number of marriages but as Bob Lefsetz noted in his blog post tribute to Rooney, “But they stood in front of us twenty feet tall. At the drive-in. Even when the pictures truly got small on the tiny old screens of yore they emerged triumphant, because they were so good-looking, so charismatic. And if you were big enough, a bright enough star, your legacy lived on, even if your present day circumstances bore no resemblance to fame.” But here’s why there is always a place in my heart for Mickey Rooney. When I was very young I lived with my grandparents and one night I watched the 1935 movie version of Shakespeare’s A Mid Summer Night’s Dream on television with my grandmother. Rooney’s so over the top performance of Puck began for me a life long love affair with the Bard. So here’s to the grandmother that started me off on a lifelong love affair of Shakespeare’s works and here’s to the Mickster—you did it your way.

I have often considered the role of senior management is to set a proper ‘Tone-At-The-Top” to do business ethically and in compliance with anti-corruption laws like the Foreign Corrupt Practices Act (FCPA) or the UK Bribery Act. Incentives to do business ethically and in compliance are also recognized as an important part of any best practices compliance program. The flip side of incentives is disincentives, such as discipline or financial penalties for affirmatively engaging in misconduct. But how far should such disincentives go and how strong should they be? Should there be penalties for not only affirmatively engaging in misconduct but also failing to monitor risk-taking that allows misconduct to occur? If the latter becomes prevalent, how close do we come to criminalizing conduct, which is arguably negligent and not simply intentional?

I have thought about several of these questions and many others over the past few days when reading about the ongoing struggles of General Motors (GM) over its Cobalt recall issues and Citigroup in regards to its Mexican banking operations. In an article by Gretchen Morgenson in the New York Times (NYT), entitled “The Wallet as Ethics Enforcer”, where she asked “Who decided—and who agreed—that 90 cents was too much to pay for each switch that would have fixed the problem that apparently led to 13 deaths? How much did that decision add to the bottom line and add to executives’ compensation over the years? What will the company have to pay in possible regulatory penalties and legal settlements?” One of her own answers to these questions reads, “While the shareholders of G.M. will shoulder the cost of the fines, the settlements and loss of trust arising from the mess, the executives responsible for monitoring internal risks like these are unlikely to be held accountable by returning past pay.”

Citigroup, which had previously indicated that it had been the victim of a huge fraud perpetrated by one of its customers in Mexico, Oceanografía. However, now Citigroup now faces both federal criminal and civil investigations over the affair. As reported in a Wall Street Journal (WSJ) article, entitled “Crime Inquiry Said to Open On Citigroup”, Ben Protess and Michael Corkery reported that both the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have opened investigations “focusing in part on whether holes in the bank’s internal controls contributed to the fraud in Mexico. The question for the investigators is whether Citigroup—as other banks have been accused of doing in the context of money laundering—ignored warning signs.” For a bank to be criminally liable, “prosecutors would typically need to show that the bank willfully ignored warning signs of the fraud.” However, to show a civil violation, the threshold is lower and there may only need to be a showing that the bank lacked the proper internal controls or internal oversight.

In her article, Morgenson spoke with Scott M. Stringer, the New York City Comptroller, who is a strong advocate of corporate requirements which “make sure that insiders who engage in questionable conduct are required to pay the piper” in the form of clawback provisions. Stringer has worked with companies to expand clawback provisions beyond those mandated by Sarbanes-Oxley (SOX), which required “boards to recover some incentive pay from a chief executive and chief financial officer if a company did not comply with financial reporting requirements.” Now, clawbacks have expanded to require executives to return compensation “even if they did not commit the misconduct themselves; they run afoul of the rules by failing to monitor conduct or risk-taking by subordinates.” Stringer believes that such clawback provisions not only “speak to the issue of financial accountability but also to setting a tone at the top.”

Morgenson ends her article by noting that unless GM makes public its internal investigation, “we may never know how many G.M. executives knew about the Cobalt problems and looked the other way.” In the meantime though, this debacle shows the importance of policies that hold high-level employees accountable for conduct that, even if not illegal, can do serious damage to their companies. Directors creating such policies would be sending a clear signal that they take their duties to the company’s owners seriously.”

At this point, we do not know high up the decision went in GM not to install the 90 cent solution. But I would argue it really does not matter. Somewhere in the company, some engineer figured out a solution and indeed one was implemented without changing the part number. I am sure the GM Board would have been sufficiently shocked, just shocked, to find out that such decisions as monetary over safety were going on inside the company. What does all of the information released so far tell us about the culture inside GM when these decisions were made? While I am certainly willing to give current GM Chief Mary Barra the benefit of the doubt about her intentions for the company going forward, particularly after a grueling couple of days before Congress, what do you think the financial incentives were in the company when the 90 cent solution was rejected?

It initially appeared that Citigroup was the victim of a massive fraud perpetrated by one of its customers. However, even initially it was reported that Citigroup let its Mexican operation, Banamex run its own show with very little oversight from the corporate office in New York. Now Citigroup is not only under a civil investigation for lack of proper internal controls but also a criminal investigation for willful ignorance of Banamex’s operations. Does any of this sound far-fetched or perhaps familiar? Think about Frederick Bourke and ‘conscious indifference’. Even the judge in Burke’s criminal trial mused that she did not know if he was a perpetrator or a victim. Perhaps Citigroup is both, but if he was both it certainly did not help Bourke. While I am certainly sure that the Citigroup Board of Directors would also say that it would also simply be shocked, just shocked, to find that there were even insufficient internal controls over Banamex, let alone willful ignorance of criminal actions of its Mexico subsidiary, it does pose the question as to what is the culture at the bank?

As important as clawbacks are, until the message of compliance gets down from the top of an organization, into the middle and then to the bottom, a culture of compliance will not exist. I have worked in an industry where safety is goal number one. But in the same industry I have heard the apocryphal tale of the foreign Regional Manager who is alleged to have said, “If I violate the Code of Conduct, I may or may not get caught. If I violate the Code of Conduct and get caught, I may or may not be punished. If I miss my numbers for two quarters, I will be fired.” Clawbacks for Board members would not have influenced this apocryphal foreign Regional Manager, any more than they would have worked on the psyche of the GM engineers who proposed and then later dropped the 90 cent solution. It was clear to them what their bosses thought was important for them to keep their jobs. As long as management has that message, doing business ethically and in compliance will always take a second seat.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014


April 4, 2014

Life Cycle Management of Third Parties – Step 5 – Management of the Relationship

Five stepsToday ends my review of what I believe to be the five steps in the management of a third party under an anti-bribery regime such as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. On Monday, I reviewed Step 1 – the Business Justification, which should kick off your process with any third party relationship. On Tuesday, I looked at Step 2 – the questionnaire that you should send and third party and what information you should elicit. On Wednesday, I discussed Step 3 – the due diligence that you should perform based upon the information that you have received from and ascertained on the third party. On Thursday, I examined Step 4 – how you should use the information you obtain in the due diligence process and the compliance terms and conditions which you should place in any commercial agreement with a third party. Today, I will conclude this series by reviewing how you should manage the relationship after the contract is signed.

I often say that after you complete Steps 1-4 in the life cycle management of a third party, the real work begins and that work is found in Step 5– the Management of the Relationship. While the work done in Steps 1-4 are absolutely critical, if you do not manage the relationship it can all go down hill very quickly and you might find yourself with a potential FCPA or UK Bribery Act violation. There are several different ways that you should manage your post-contract relationship. This post will explore some of the tools which you can use to help make sure that all the work you have done in Steps 1-4 will not be for naught and that you will have a compliant anti-corruption relationship with your third party going forward.

Managing third party relationships is an area that continues to give companies trouble and heartburn. The “2013 Anti-Bribery and Corruption Benchmarking Report – A joint effort between Kroll and Compliance Week” found that many companies are still struggling with ongoing anti-corruption monitoring and training for their third parties. Regarding training, 47% of the respondents said that they conduct no anti-corruption training with their third parties at all. The efforts companies do take to educate and monitor third parties are somewhat pro forma. More than 70% require certification from their third parties that they have completed anti-corruption training; 43% require in-person training and another 40% require online training. Large companies require training considerably more often than smaller ones, although when looking at all the common training methods, 100% of respondents say their company uses at least one method, if not more.

While the FCPA Guidance itself only provides that “companies should undertake some form of ongoing monitoring of third-party relationships”. Diana Lutz, writing in the White Paper by The Steele Foundation entitled “Global anti-corruption and anti-bribery program best practices”, said, “As an additional means of prevention and detection of wrongdoing, an experienced compliance and audit team must be actively engaged in home office and field activities to ensure that financial controls and policy provisions are routinely complied with and that remedial measures for violations or gaps are tracked, implemented and rechecked.”

One noted commentator has discussed techniques to provide this management and oversight any third party relationship. Carol Switzer, President of the Open Compliance and Ethics Group (OCEG), writing in the Compliance Week magazine set out a five-step process for managing corruption risks, which I have adapted for third parties.

  1. Screen - Monitor third party records against trusted data sources for red flags.
  2. Identify – Establish helplines and other open channels for reporting of issues and asking compliance related questions by third parties.
  3. Investigate - Use appropriately qualified investigative teams to obtain and assess information about suspected violations.
  4. Analyze - Evaluate data to determine “concerns and potential problems” by using data analytics, tools and reporting.
  5. Audit - Finally, your company should have regular internal audit reviews and inspections of the third party’s anti-corruption program; including testing and assessment of internal controls to determine if enhancement or modification is necessary.

Based upon the foregoing and other commentators, I believe there are several different roles in a company that play a function in the ongoing monitoring of the third party. While there is overlap, I believe that each role fulfills a critical function in any best practices compliance program.

Relationship Manager

There should be a Relationship Manager for every third party which the company does business with through the sales chain. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party. Some of the duties of the Relationship Manager may include:

  • Point of contact with the Third Party for all compliance issues;
  • Maintaining periodic contact with the Third Party;
  • Meeting annually with the Third Party to review its satisfaction of all company compliance obligations;
  • Submitting annual reports to the company’s Oversight Committee summarizing services provided by the Third Party;
  • Assisting the company’s Oversight Committee with any issues with respect to the Third Party.

Compliance Professional

Just as a company needs a subject matter expert (SME) in anti-bribery compliance to be able to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third parties also need such access. A third party may not be large enough to have its own compliance staff so I advocate a company providing such a dedicated resource to third parties. I do not believe that this will create a conflict of interest or that there are other legal impediments to providing such services. They can also include anti-corruption training for the third party, either through onsite or remote mechanisms. The compliance practitioner should work closely with the relationship manager to provide advice, training and communications to the third party.

Oversight Committee

I advocate that a company should have an Oversight Committee review all documents relating the full panoply of a third party’s relationship with the company. It can be a formal structure or some other type of group but the key is to have the senior management put a ‘second set of eyes’ on any third parties who might represent a company in the sales side. In addition to the basic concept of process validation of your management of third parties, as third parties are recognized as the highest risk in FCPA or Bribery Act compliance, this is a manner to deliver additional management of that risk.

After the commercial relationship has begun the Oversight Committee should monitor the third party relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations and evaluation of any new or supplement risk associated with any negative information discovered from a review of financial audit reports on the third party. The Oversight Committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance. In addition to the above remedial review, the Oversight Committee should review all payments requested by the third party to assure such payment is within the company guidelines and is warranted by the contractual relationship with the third party. Lastly, the Oversight Committee should review any request to provide the third party any type of non-monetary compensation and, as appropriate, approve such requests.


A key tool in managing the relationship with a third party post-contract is auditing the relationship. I hope that you will have secured audit rights, as that is an important clause in any compliance terms and conditions. Your audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. Noted fraud examiner expert Tracy Coenen described the process as one to (1) capture the data; (2) analyze the data; and (3) report on the data, which is also appropriate for a compliance audit. As a base line I would suggest that any audit of a third party include, at a minimum, a review of the following:

  1. the effectiveness of existing compliance programs and codes of conduct;
  2. the origin and legitimacy of any funds paid to Company;
  3. books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
  4. all disbursements made for or on behalf of Company; and
  5. all funds received from Company in connection with work performed for, or services or equipment provided to, Company.

If you want to engage in a deeper dive you might consider evaluation of some of the following areas:

  • Review of contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party.
  • Review FCPA compliance training program; both the substance of the program and attendance records.
  • Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous reporting, hotline or any other reporting mechanism.
  • Does the third party have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review employee expense reports for employees in high-risk positions or high-risk countries.
  • Testing for gifts, travel and entertainment that were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report? How is the third party’s compliance program designed to identify risks and what has been the result of any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

In addition to monitoring and oversight of your third parties, you should periodically review the health of your third party management program. Once again I turn to Diana Lutz and her colleague Marjorie Doyle, and their White Paper entitled “Third Party Essentials: A Reputation/Liability Checkup When Using Third Parties Globally”, where they gave a checklist to test companies on their relationships with their third parties.

  1. Do you have a list or database of all your third parties and their information?
  2. Have you done a risk assessment of your third parties and prioritized them by level of risk?
  3. Do you have a due diligence process for the selection of third parties, based on the risk assessment?
  4. Once the risk categories have been determined, create a written due diligence process.
  5. Once the third party has been selected based on the due diligence process, do you have a contract with the third party stating all the expectations?
  6. Is there someone in your organization who is responsible for the management of each of your third parties?
  7. What are “red flags” regarding a third party?

Perhaps now you will understand why I say that after you prepare the Business Justification; send out, receive back and evaluate the Questionnaire; set the appropriate level of Due Diligence; evaluate the due diligence and execute a contract with appropriate Compliance Terms and Conditions; now the real work begins, as you have to manage the third party relationship.

I hope that you have found this review of the life cycle management of third parties helpful for your compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 3, 2014

Life Cycle Management of Third Parties – Step 4 – The Contract

Five stepsThis post continues to outline what I believe are the five steps in the life cycle of third party management. Today I will look at Step 4, the contract. However, before we get to the contracting stage a word about what to do with Steps 1-3. You cannot simply obtain the information detailed in these first three steps; you must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If there are Red Flags, which have appeared, these Red Flags must be cleared or you must demonstrate how you will manage the risks identified. In others words you must Document, Document and Document that you have read, synthesized and evaluated the information garnered in Steps 1-3. As the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) continually remind us, a compliance program must be a living, evolving system and not simply a ‘Check-the-Box’ exercise.

After you have completed Steps 1-3 and then evaluated and documented your evaluation, you are ready to move onto to Step 4 – the contract. Obviously any commercial relationship should be governed by the terms and conditions of a written contract. Clearly your commercial terms should be set out in the contract. In the area of commercial terms the FCPA Guidance intones “Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third party’s introduction to the business.” This means that you need to understand what the rate of commission is and whether it is reasonable for the services delivered. If the rate is too high, this could be indicia of corruption as high commission rates can create a pool of money to be used to pay bribes. If your company uses a distributor model in its sales side, then it needs to review the discount rates it provides to its distributors to ascertain that the discount rate it warranted.

In addition to the above analysis from the compliance perspective, you should incorporate compliance terms and conditions into your contracts with third parties. I would suggest that you begin with some type of compliance terms and conditions template, which can be used as a starting point for your negotiations. The advantages of such a template are several; they include: (1) the contract language is tested against real events; (2) the contract language assists the company in managing its compliance risks; (3) the contract language fits into a series of related contracts; (4) the contract language is straight-forward to administer and (5) the contract language helps to manage the expectations of both contracting parties regarding anti-bribery and anti-corruption.

What are the compliance terms and conditions that you should include in your commercial contracts with third parties? In the Panalpina Deferred Prosecution Agreement (DPA), Attachment C, Section 12 is found the following language, “Where necessary and appropriate, Panalpina will include standard provisions in agreements, contracts, and renewals thereof with all agents and business partners that are reasonably calculated to prevent violations of the anticorruption laws, which may, depending upon the circumstances, include: (a) anticorruption representations and undertakings relating to compliance with the anticorruption laws; (b) rights to conduct audits of the books and records of the agent or business partner to ensure compliance with the foregoing; and (c) rights to terminate an agent or business partner as a result of any breach of anti-corruption laws, and regulations or representations and undertakings related to such matters.” In the Johnson & Johnson (J&J) DPA, the same language as used in the Panalpina DPA is found in Attachment C, entitled “Corporate Compliance Program”. However, in Attachment D, entitled “Enhanced Compliance Obligations”, the following language is found: “Contracts with such third parties are to include appropriate FCPA compliance terms and conditions including; (i) representatives and undertakings of the third party to compliance; (ii) right to audit; and (iii) right to terminate.”

Mary Jones, in an article in this blog entitled “Panalpina’s World Wide Web”, suggested the following language be present in your compliance terms and conditions:

  • payment mechanisms that comply with this Manual, the FCPA [Foreign Corrupt Practices Act], the UKBA [UK Bribery Act] and other applicable anti-corruption and/or anti-bribery laws during the term of such contract;
  • the counterparty’s obligation to maintain accurate books and records in compliance with the Company’s Policy and Compliance Manual;
  • the counterparty’s obligation to certify on an annual basis that: (i) counterparty has not made, offered, or promised any payment or gift of money or anything of value, directly or indirectly, to any Government Official (or any other person or entity if UK Bribery Act applies) for the purpose of obtaining or retaining business or getting any improper business advantage; and (ii) counterparty has not engaged in any conduct or behavior prohibited by the Code of Conduct, Anti-Corruption Policy and Compliance Manual and other applicable anti-corruption and/or anti-bribery law;
  • the Company’s right to audit the counterparty’s books and records, including, without limitation, any documentation relating to the counterparty’s interaction with any governmental entity (or any entity if UK Bribery Act applies) on behalf of the Company, and the counterparty’s obligation to cooperate fully with any such audit; and
  • remedies (including termination rights) for the failure of the counterparty to comply with the terms of the contract, the Code of Conduct, the Anti-Corruption Policy and Compliance Manual and other applicable anti-corruption and/or anti-bribery law during the term of such contract.

Based on the foregoing experts and the research I have engaged in, I believe that compliance terms and conditions should be stated directly in the document, whether such document is a simple agency or consulting agreement or a joint venture (JV) with several formation documents. The compliance terms and conditions should include representations that in all undertakings the third party will make no payments of money, or anything of value, nor will such be offered, promised or paid, directly or indirectly, to any foreign officials, political parties, party officials, candidates for public or political party office, to influence the acts of such officials, political parties, party officials, or candidates in their official capacity, to induce them to use their influence with a government to obtain or retain business or gain an improper advantage in connection with any business venture or contract in which the company is a participant.

In addition to the above affirmative statements regarding conduct, a commercial contract with a third party should have the following compliance terms and conditions in it.

  • Indemnification: Full indemnification for any FCPA violation, including all costs for the underlying investigation.
  • Cooperation: Require full cooperation with any ethics and compliance investigation, specifically including the review of foreign business partner emails and bank accounts relating to your Company’s use of the foreign business partner.
  • Material Breach of Contract: Any FCPA violation is made a material breach of contract, with no notice and opportunity to cure. Further, such a finding will be the grounds for immediate cessation of all payments.
  • No Sub-Vendors (without approval): The foreign business partner must agree that it will not hire an agent, subcontractor or consultant without the Company’s prior written consent (to be based on adequate due diligence).
  • Audit Rights: An additional key element of a contract between a US Company and a foreign business partner should include the retention of audit rights. These audit rights must exceed the simple audit rights associated with the financial relationship between the parties and must allow a full review of all FCPA related compliance procedures such as those for meeting with foreign governmental officials and compliance related training.
  • Acknowledgment: The foreign business partner should specifically acknowledge the applicability of the FCPA to the business relationship as well as any country or regional anti-corruption or anti-bribery laws, which apply to either the foreign business partner or business relationship.
  • On-going Training: Require that the top management of the foreign business partner and all persons performing services on your behalf shall receive FCPA compliance training.
  • Annual Certification: Require an annual certification stating that the foreign business partner has not engaged in any conduct that violates the FCPA or any applicable laws, nor is it aware of any such conduct.
  • Re-qualification: Require the foreign business partner re-qualify as a business partner at a regular interval of no greater than every three years.

Many will exclaim, “What an order, I can’t go through with it.” By this they mean that they do not believe that they will be able to get the third party to agree to such compliance terms and conditions. I have found that while it may not be easy, it is relatively simply to get a third party to agree to these, or similar, terms and conditions. One approach to take is that they are not negotiable. When faced with such a position on non-commercial terms many third parties will not fight such a position. There is some flexibility but the DOJ will require the minimum terms and conditions that it has suggested in the various Attachment Cs to the DPAs I have discussed. But the best position I have found is that if a third party agrees with these terms and conditions, they can then use that as a market differentiator from other third parties who have not gone through the life cycle management of a third party as this series has discussed.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 2, 2014

Life Cycle of Third Party Management – Step 3 – Due Diligence

Five stepsMost companies fully understand the need to comply with the Foreign Corrupt Practices Act (FCPA) Act regarding third parties as they represent the greatest risks for an FCPA violation. However most companies are not created out of new cloth but are ongoing enterprises with a fully up and running business in place. They need to bring in resources to comply with the FCPA while continuing to do business. This can be particularly true in the area of performing due diligence on third parties. Many companies understand the need for a robust due diligence program to investigate third parties, but have struggled with how to create an inventory to define the basis of risk of each foreign business partner and, thereby, perform the requisite due diligence required under the FCPA.

Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner. However, the information that you should have developed in Steps 1 & 2 of the life cycle of third party management should provide you with the initial information to consider the level of due diligence that you should perform on third parties. This leads to today’s topic of Step 3 in the five steps of the life cycle management of third parties – Due Diligence.

Jay Martin, Chief Compliance Officer (CCO) at BakerHughes, often emphasizes, when he speaks on the topic, that a company needs to evaluate and address its risks regarding third parties. This means that an appropriate level of due diligence may vary depending on the risks arising from the particular relationship. So, for example, the appropriate level of due diligence required by a company when contracting for the performance of Information Technology (IT) services may be low, to reflect low risks of bribery on its behalf. Conversely, a business entering into the international energy market and selecting an intermediary to assist in establishing a business in such markets will typically require a much higher level of due diligence to mitigate the risks of bribery on its behalf.

Our British compliance cousins of course are subject to the UK Bribery Act. In its Principle VI of an Adequate Procedures compliance program, the UK Ministry of Justice (MOJ) stated, “The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.” The purpose of Principle VI is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from bribing on their behalf. The MOJ recognized that due diligence procedures act both as a procedure for anti-bribery risk assessment and as a risk mitigation technique. The MOJ said that due diligence is so important that “the role of due diligence in bribery risk mitigation justifies its inclusion here as a Principle in its own right.”

Carol Switzer, writing in Compliance Week, related that you should initially set up categories for your third parties of high, moderate and low risk. Based upon which risk category the third party falls into, you can design specific due diligence. She defined low risk screening as “trusted data source search and risk screening such as the aforementioned World Compliance”; moderate risk screening as “enhanced evaluation to include in-country public records…and research into corporate relationships”; high risk screening is basically a “deep dive assessment” where there is an audit/review of third party controls and financial records, in-country interviews and investigations “leveraging local data sources.”

A three-step approach was also discussed favorably in Opinion Release 10-02. In this Opinion Release, the Department of Justice (DOJ) discussed the due diligence that the requesting entity performed. “First, it [the requestor] conducted an initial screening of six potential grant recipients by obtaining publicly available information and information from third-party sources…Second, the Eurasian Subsidiary undertook further due diligence on the remaining three potential grant recipients. This due diligence was designed to learn about each organization’s ownership, management structure and operations; it involved requesting and reviewing key operating and assessment documents for each organization, as well as conducting interviews with representatives of each MFI to ask questions about each organization’s relationships with the government and to elicit information about potential corruption risk. As a third round of due diligence, the Eurasian Subsidiary undertook targeted due diligence on the remaining potential grant recipient, the Local MFI. This diligence was designed to identify any ties to specific government officials, determine whether the organization had faced any criminal prosecutions or investigations, and assess the organization’s reputation for integrity.”

Based upon the wisdom of the aforementioned compliance experts, Opinion Release 10-02 and others I have reviewed break due diligence down into three stages: Level I, Level II and Level III. A very good description of the three levels of due diligence was presented by Candace Tal in a guest post, entitled “Deep Level Due Diligence: What You Need to Know”.

Level I

First level due diligence typically consists of checking individual names and company names through several hundred Global Watch lists comprised of anti-money laundering (AML), anti-bribery, sanctions lists, coupled with other financial corruption & criminal databases. These global lists create a useful first-level screening tool to detect potential red flags for corrupt activities. It is also a very inexpensive first step in compliance from an investigative viewpoint. Tal believes that this basic Level I due diligence is extremely important for companies to complement their compliance policies and procedures; demonstrating a broad intent to actively comply with international regulatory requirements.

Level II

Level II due diligence encompasses supplementing these Global Watch lists with a deeper screening of international media, typically the major newspapers and periodicals, from all countries plus detailed internet searches. Such inquiries will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company, the third party’s key executives and associated parties. I believe that Level II should also include an in-country database search regarding the third party. Some of the other types of information that you should consider obtaining are country of domicile and international government records; use of in-country sources to provide assessments of the third party; a check for international derogatory electronic and physical media searches, you should perform both English and foreign-language repositories searches on the third party, in its country of domicile, if you are in a specific industry, using technical specialists you should also obtain information from sector specific sources.

Level III

This level is the deep dive. It will require an in-country ‘boots-on-the-ground’ investigation. I agree with Tal that a Level III due diligence investigation is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence to identify known and more importantly unknown conditions. Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth assessment to an in country investigation.” Further, the “Direction of the work and analyzing the resulting data is often critical to a successful outcome; and key to understanding the results both from a technical perspective and understanding what the results mean in plain English. Investigative reports should include actionable recommendations based on clearly defined assumptions or preferably well-developed factual data points.”

But more than simply an investigation of the company, critically including a site visit and coupled with onsite interviews, Tal says that some other things you investigate include “an in-depth background check of key executives or principal players. These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.” Tal believes that such “Reputational information, involvement in other businesses, direct or indirect involvement in other law suits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publicly.”

Further, you may need to engage a foreign law firm, to investigate the third party in its home country to determine the third party’s compliance with its home country’s laws, licensing requirements and regulations. Lastly, and perhaps most importantly, you should use Level III to look the proposed third party in the eye and get a firm idea of his or her cooperation and attitude towards compliance as one of the most important inquiries is not legal but based upon the response and cooperation of the third party. More than simply trying to determine if the third party objected to any portion of the due diligence process or did they object to the scope, coverage or purpose of the FCPA; you can use Level III to determine if the third party is willing to stand up with you under the FCPA and are you willing to partner with the third party.

The Risk Advisory Group, has put together a handy chart of its Level I, II and III approaches to integrity and due diligence. I have found it useful in explaining the different scopes and focuses of the various levels of due diligence.

Level Issues Addressed Scope of Investigation
  • That the company exists
  • Identities of directors and shareholders
  • Whether such persons are on regulators’ watch lists
  • Signs that such persons are government officials
  • Obvious signs of financial difficulty
  • Signs of involvement in litigation
  • Media reports linking the company to corruption
  • Company registration and status
  • Registered Address
  • Regulators’ watch lists
  • Credit Checks
  • Bankruptcy/Liquidation Proceedings
  • Review accounts and auditors comments
  • Litigation search
  • Negative media search
Two As above with the following additions:

  • Public Profile integrity checks
  • Signs of official investigations and/or sanctions from regulatory authorities
  • Other anti-corruption Red Flags
As above with the following additions:

  • Review and summary of all media and internet references
  • Review and summary of relevant corporate records and litigation filings, including local archives
  • Analysis and cross-referencing of all findings
Three As above with the following additions:

  • But seeking fuller answers to any questions raised by drawing on a wider range of intelligence sources and/or addressing specific issues of potential concern already identified


As above with the following additions:

  • Enquiries via local sources
  • Enquiries via industry experts
  • Enquiries via western agencies such as embassies or trade promotion bodies
  • Enquires via sources close to local regulatory agencies

As you can see from this blog post, there are many different approaches to the specifics of due diligence. By laying out some of the approaches of other experts in the field, I hope that you can craft the relevant portions into your program. The Level I, II & III trichotomy appears to have the greatest favor and one that you should be able to implement in a straightforward manner. However, as Jay Martin constantly says, you need to assess your company’s risk and manage that risk. So if you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to Document, Document and Document all your due diligence.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Next Page »

Customized Rubric Theme. Create a free website or blog at WordPress.com.


Get every new post delivered to your Inbox.

Join 4,221 other followers