FCPA Compliance and Ethics Blog

May 3, 2013

How Much Due Diligence is Enough?

Do you really know who you are doing business with in your supply chain? How much due diligence is enough? Should you update your due diligence on a regular basis? How about on a continuous basis? What ethical considerations come into play in the manufacturing sector, in the supply chain? These questions, and perhaps more, came to me as I was reading about the recent tragedy in Bangladesh involving the collapse of Rana Plaza. At this time, there are 433 confirmed dead and police report that 149 people are still missing in what has become the worst disaster for Bangladesh’s $20 billion-a-year garment industry. The collapsed building was built and owned by Mohammed Sohel Rana. He was not the owner of the factories that operated in Rana Plaza; he was simply the building owner and landlord and, therefore, is legally required to provide a safe structure.

In an article in the New York Times (NYT), entitled “The Most Hated Bangladeshi, Toppled From a Shady Empire”, reporter Jim Yardley wrote about Mr. Rana’s rise to power and the problems that companies face when trying to do the right thing regarding corporate social responsibility in general, and bribery and corruption specifically, in the supply chain. This problem has become much more public for clothing companies who purchase finished goods from countries like Bangladesh. This is because even if you know who you are directly contracting with, your company may not know the subcontractors of your direct counter-party, and you probably have no chance to know who the building owner or landlord might be. Finally, how can you determine if the building where your products are being produced meets minimum building code standards or is even safe to work in at all?

Rana Plaza was originally designed as a five-story building. Yardley’s article details the methods that Rana used to secure the land and the permits to construct the building. Yardley reported, “To build Rana Plaza, Mr. Rana and his father bullied adjacent landowners, the landowners themselves say, and ultimately took their property by force. His political allies gave him a construction permit, despite his dubious claims of title to the land, and a second permit later to add upper floors that may have destabilized the building.” After the building was completed, Mr. Rana successfully leased “out the existing five floors and gotten a permit from the local mayor, a political ally, to build additional floors. Mr. Khan, the former mayor, said this practice created serious risks, since officials were handing out permits, often for bribes, without insisting on the necessary safeguards.”

On the day before the building collapse, “Workers on the third floor were stitching clothing when they were startled by a noise that sounded like an explosion. Cracks had appeared in the building. Workers rushed outside in terror. By late morning, Mr. Rana’s representatives had brought in Abdur Razzaque Khan, an engineer. Taken to the third floor, Mr. Khan examined three support pillars, and became horrified at the cracks he found. “I became scared,” Mr. Khan said. “It was not safe to stay inside this building.” He rushed downstairs and told one of Mr. Rana’s administrators that the building needed to be closed immediately. But Mr. Rana was apparently not impressed; he was holding court with about a dozen local journalists.”

Yardley quoted another journalist, Shamim Hossain, a local newspaper reporter, who reported that Mr. Rana said, “This is not a crack. The plaster on the wall is broken, nothing more. It is not a problem.” Unfortunately, the next day the building collapsed.

Rana had rammed five separate garment factories into his now eight-story building. How many people were employed there? I don’t think anyone will ever know the true number. As for Mr. Rana, perhaps understanding his personal criminal exposure for these actions, he was caught trying to flee the country. He is now in police custody. He, of course, says it was the evil factory owners who caused the entire catastrophe.

If your company is a US or EU purchaser of such finished products, what should your response be? In another NYT article, entitled “Some Retailers Rethink Role in Bangladesh”, reporter Steven Greenhouse noted that the Walt Disney Company “in March ordered an end to production of branded merchandise in Bangladesh.” Greenhouse said, “Disney’s move reflects the difficult calculus that companies with operations in countries like Bangladesh are facing as they balance profit and reputation against the backdrop of a wrenching human disaster.”

But is this the right response? In an article in the Financial Times (FT), entitled “Business must lead in Bangladesh”, John Gapper wrote “The first thing western companies need to do is the simplest: to stay in the country and to keep providing jobs for women, not to withdraw because they fear being tainted by association. Despite everything, the industry provides better-paid jobs than the alternative – working on rural farms – and has helped to emancipate women.”

Gapper further argues that US and EU retailer collective action is the only thing which will force change upon a corrupt Bangladeshi government. He said, “The second thing brands and retailers must do is band together. The factories they directly oversee in export zones tend to be better run. But they exert weak influence over the contractors and subcontractors that comprise most of the industry. Retailers use auditors to inspect suppliers but lack the information or power to stop abuses. Rana Plaza shows the difficulties. Planning and building controls are lax in Bangladesh and there is no simple way to check whether a factory is properly built. Raising building standards is beyond the power of any single company – it needs concerted action.”

Many have argued that the US government in particular has no place in enforcing its version of morality, in the form of the US Foreign Corrupt Practices Act (FCPA). But rarely is the flip side of this argument discussed, that being where a business solution can help to end corruption. Gapper notes this reality with the following, “Collectively, companies could push the government to overcome the obstacles of corruption, hidden army influence and factory owners who double as politicians. They hold the buying power in a sector that makes up 13 per cent of gross domestic product.”

What is the cost of bribery and corruption? I think that we are seeing it played out daily in Bangladesh as each body is pulled out of the rubble of the Rana Plaza. As a US company, how can you manage your FCPA risk? Should you perform due diligence on your landlord? I do not think any US company would think more than a nano-second when answering that question if they were leasing office space for their own employees. But the tragedy at Rana Plaza does beg the question, how much due diligence is enough and how far is far enough down the supply chain?

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 1, 2013

From the Compact Model to the Luxury Model – Managing Your Third Party Risk

I am currently attending the Hanson Wade Oil and Gas Supply Chain Compliance conference in Houston. The event is excellent and the presentations have been ‘spot on’ for the nuts and bolts of how to do compliance. As the conference is in Houston, a number of the speakers and attendees are from energy companies but the concepts that are being discussed apply to all companies which have an anti-corruption or anti-bribery compliance program. One of the things that came through each of the presentations was that as compliance programs mature, many companies are developing programs which are more tailored towards the risks that companies face, which are ascertained through more sophisticated risk assessments and management of those risks.

This pattern is certainly consistent with the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) FCPA Guidance which says that a company should assess its risks and manage its risks. From this starting position, a company can then put together a well thought out and reasoned approach to Foreign Corrupt Practices Act (FCPA) compliance. Many of the presentations dealt with third parties and the differing responses and approaches companies have developed for the specific risks that they have uncovered.

Clearly, third party risk mitigation through due diligence is key. How much due diligence is enough? One speaker said that it is a balancing call to determine the right amount. There were several presentations which spoke about the increasing use of technology to assist companies in this process. One speaker, a former federal prosecutor, said that one of the things that she looked for when she was a prosecutor was the ‘thoughtful analysis’ that the FCPA Guidance speaks about. To this end, she believes that the human element will always be important because prosecutors want to see the thought process of not only how your program is designed but how you have crafted your risk mitigation based upon the information that you have assessed.

One of the speakers listed some of the factors to begin the review of your third parties. Recognizing that there is no one all-encompassing list, she suggested the following:

  1. How many third parties do you have?
  2. Where are these third parties located?
  3. In what industry or sector do you conduct business?
  4. What is the relationship of the third party to a foreign government or state owned enterprise?
  5. Are the owners of the third party related at all to government employees?
  6. Is the use of the third party a business necessity or not? Why do you need to use sales representatives?
  7. What are the reputations and qualifications of the third parties? Can they do what you need them to do from a commercial perspective?
  8. How much control will you have over the third parties? Contrast the control that you have over sales agents with the lesser amount of control that you have over distributors and joint ventures.

From the answers to some of these questions you can begin to craft your third party due diligence inquiries. I was intrigued by one speaker whose speech contrasted the steps that you might take with a lower risk third party with those for a higher risk third party. She likened the lower risk approach to that of a compact car and set out the following suggestions:

  • Rank each third party by the risk you have assessed;
  • Perform an Internet search on the third party;
  • Perform reference checks on the third party;
  • Interview control persons involved with the third party;
  • Obtain an agreement to abide by anti-bribery and anti-corruption laws;
  • Insert appropriate compliance terms and conditions in your third party contracts.

She contrasted the Compact model with what she termed the ‘Luxury model’ requirements of a third party program:

  • Prioritize your third parties by risk;
  • Appoint a Business Unit sponsor for each third party;
  • Develop a detailed third party application;
  • Perform an electronic records search on each third party;
  • Also perform independent screening of each third party;
  • Perform reference checks on each third party;
  • Perform site visits and interviews of each third party;
  • Have each third party acknowledge your company’s Code of Conduct;
  • Require each third party to go through ethics training;
  • Create a company committee, consisting of internal business, legal and compliance representatives to review your high risk third parties;
  • Insert compliance terms and conditions into each third party contract;
  • Require both internal and external audits of each third party;
  • Perform annual updates on your third parties; and
  • Perform quarterly electronic database rescreening.

There was also a discussion of some common Red Flags that you should be on the lookout for. They included:

  • Excessive commissions paid to third parties;
  • Unreasonable discounts given to third parties such as distributors;
  • Vaguely described services in a third party contract or invoice back to your company;
  • A third party which is in a different line of business than the one you want to hire to assist your company;
  • Close association by the third party with a Foreign Official;
  • Retention of the third party is required by a Foreign Official;
  • The third party is a shell company located offshore; and
  • Payments made to the third party are in a country different from the location where the third party’s services are delivered.

The concept I derived from this presentation is that you should assess and manage your risks. If you determine them to be low, the Compact Model may work for you. If your third party risks are high, then the Luxury Model may be more appropriate. If you use a thoughtful and reasoned approach, you can navigate this area. But always Document, Document and then Document what you have done and why.

April 10, 2013

Q: Do You Tell The Central Bank What To Do? A: ‘In Which Country’?

Last weekend in the Financial Times (FT) was a report by Tim Burgis of an interview he held over a lunch meeting with the Angolan Isabel dos Santos, who Forbes magazine recently declared “the continent’s first female billionaire.” Ms. dos Santos is the daughter of José Eduardo dos Santos, who has been Angola’s president for the past 33 years. The interview was a fascinating insight into how doing business in some countries under US or UK anti-corruption and anti-bribery laws can be so challenging.

Burgis quoted an un-named expert who described Angola as a place of “crony capitalism” where those with connections to “the Futungo, as the presidential coterie is known (after Futungo de Belas, the old presidential palace) have made fortunes.” Ms. dos Santos denied that she is involved in politics, claiming that she is only interested in business. Interestingly, Burgis quoted her as stating “I’m not involved in politics and I’ve never had any political role. I’ve never been in office. I’ve never taken any public administrative jobs. So, like I said, I don’t work with the government.”

Some of her business interests “include stakes in two Portuguese banks, BIC and BPI, and a communications group called ZON Multimédia and an indirect holding in Galp, a Portuguese energy group with assets from Mozambique to Venezuela.” While admitting that the “oil industry is politically driven” she insisted that in the business sectors in which she is involved “politics don’t come into it”, she says, even if her own big moment came when she was part of a consortium that won a public tender for Angola’s second mobile telephony licence in the late 1990s.”

Burgis noted that there are believed to be many ways for the well connected to make lots of money in Angola. He wrote, “There are, however, easy ways to make money if you’re connected in Angola, particularly in the resources industries, where top officials and generals have been known to take hidden stakes in ventures led by oil majors and to enjoy titles to diamond-bearing land.” He also went on to note that these systems may be perpetuating the overall poverty in African countries such as Angola when he said that “There are those who would say that corrupt models lie at the heart of the power structures that keep most Africans poor and unable to call their rulers to account.”

He noted that Ms. dos Santos has recently become involved in the energy sector through her partnership with the Portuguese businessman, Américo Amorim and his company Amorim Enereria. Burgis wrote “I ask her to clarify how those energy interests tie in with Sonangol, the Angolan state-owned oil company with assets from Iraq to Brazil that some critics perceive as a Futungo fiefdom. She fends off my questions before fixing me with the look one might give a particularly vexing eight-year-old. “The business is relatively complex because, when you structure a business, you have to look at different aspects from legislation to taxation, to governance, issues like that.”

Near the end of their lunch, Burgis asks the following question: do you “call up the governor of the central bank and tell him what to do? “In which country?” she quips. We laugh merrily.” She went on to explain how she did have the reputation for extraordinary power. Burgis quoted her as saying, “Well, it’s very difficult, I would imagine, to distinguish father and daughter. And maybe some of it comes as I’m doing my thing and my father being a very strong political African figure for so many years. Whatever he does is almost like some kind of cloud on top,” she says, reaching for the right metaphor and waving a hand over her head, as though her father were some celestial phenomenon. “So maybe some of these ideas come from this cloud-over effect from his position. But, no, I don’t call the central bank and I most certainly don’t give them instructions.”

Even from the head feints and the non-responsive, jocular tone of many of these answers, one can see just how challenging doing business in Angola can be for any company subject to the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. The first issue that would seem to pop up is just who are you doing business with and are they a Politically Exposed Person (PEP)? Burgis specifically states “top officials and generals have been known to take hidden stakes in ventures led by oil majors”. Whether such interests are hidden or not, it is the responsibility of any US or UK company to perform the appropriate level of due diligence to ascertain whether they are doing business with such governmental officials. I have heard more than one Chief Compliance Officer (CCO) say that they had to pull the plug on a business proposition because they could not determine the beneficial owners of an entity with which they were considering doing business.

What about a country such as Angola, where people move freely between government and business? Once again, if it is later determined that your company is in a joint venture or other business relationship, and your local partner obtains a government appointment during the pendency of the business relationship, it is up to your company to find out that information. This requires ongoing monitoring, through a company or software, which alerts you when someone becomes a PEP.

This is where it is critical that compliance terms and conditions be put into a contract for any such business relationship. Initially, you should have contract protections in place which require any business partner who obtains a government appointment to notify you. This should be coupled with a clause that allows the contract to be terminated if the appropriate anti-corruption/anti-bribery protections cannot be put in place when such an eventuality occurs.

Clearly there are no easy answers to the quandary of doing business in a country such as Angola. With many of the top government officials, energy company higher-ups and extractive mineral elite not only closely related to each other but moving seamlessly between all three groups, a company under the FCPA or Bribery Act must tread very carefully. Or to quote the signature line from Hill Street Blues, “Let’s be careful out there.”

February 28, 2013

Distributors under the FCPA – Post Game Wrap Up

This week we have focused on distributors and how a company might think through ranking the risk, performing due diligence on and, finally, how to manage distributors going forward. This was spurred on by a discussion that David Simon and I had engaged in previously on LinkedIn. In today’s post I will try and wrap up and wrap together our approaches so that you might decide which works best for you and your organization.

But first I must note the passing of one of the most famous Texans of the 20th Century, Van Cliburn, the pianist who won the first-place award at the 1958 Tchaikovsky International Competition in Moscow. His gold medal in the inaugural year of the Tchaikovsky competition, won in Moscow, was viewed at the time as an American triumph over the Soviet Union at the height of the cold war. He became a cultural celebrity of pop-star dimensions and brought overdue attention to the musical assets of his native land. But he gave back as well, starting his own piano competition which also became world famous.

While I had been initially skeptical of David’s approach, as I read his White Paper on the subject and his guest post this week, I became convinced that his approach has merit because it follows what is set out in the recently released Department of Justice (DOJ)/Securities and Exchange Commission (SEC) Foreign Corrupt Practices Act (FCPA) Guidance, which I quote from the introductory section of the Ten Hallmarks of an Effective Compliance Program:

Compliance programs that employ a “check-the-box” approach may be inefficient and, more importantly, ineffective. Because each compliance program should be tailored to an organization’s specific needs, risks, and challenges, the information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately. [emphasis supplied]

Based upon this language, I believe that if a company takes a carefully designed and reasoned approach to assessing the risk of its distributors and then manages that risk, it is something that meets the above prescription from the FCPA Guidance. While I believe that distributors should be considered the same as agents under the FCPA, I am persuaded that David’s approach meets the cited recommendation from the FCPA Guidance.

I. Fox Approach – The Full Monty Approach

While I wish I had thought of that name, I have to credit it to Simon. In 2012, there were three enforcement actions which I believe made clear that there were no distinctions between agents and distributors. They were the Smith & Nephew, Inc. (S&N) Deferred Prosecution Agreement (DPA) for criminal FCPA violations, the Oracle SEC Complaint for books and records violations and the Eli Lilly and Company (Lilly) SEC Complaint for books and records violations. I reviewed the enforcement actions and, based upon the deficiencies noted by both the DOJ and SEC, concluded that these enforcement agencies were classing distributors the same as agents or other similar entities in the sales chain.

In the S&N enforcement action, it was clear that S&N had not performed sufficient due diligence on these distributors, nor did they document any due diligence that they may have engaged in. In the Lilly case, the policies and procedures in place to flag unusual distributor discounts were deficient as the enforcement action “noted that the company relied on representations of the sales and marketing manager without adequate verification and analysis of the surrounding circumstances of the transactions.” The Oracle enforcement action demonstrated that Oracle needed to institute the proper controls to prevent its employees at Oracle India from creating and misusing the parked funds in the distributor’s account and that Oracle needed to audit and compare the distributor’s margin against the end user price to ensure excess margins were not being built into the pricing structure. What I gleaned from these enforcement actions was that the full five steps suggested for agents and other third parties in the sales chain were needed for distributors. They are (1) Business Justification; (2) Due diligence, the level being based on your risk assessment; (3) Evaluation of due diligence; (4) Written contract with compliance terms and conditions; and (5) Management of the relationship going forward.

II. Simon Approach – The Agency Approach

Simon advocated that a risk analysis should more appropriately be based on the nature of a company’s relationships with its distributors. The goal should be to determine which distributors are the most likely to qualify as agents, for whose acts the company would likely be held responsible. He argues that it is a continuum of risk; that is, on the low-risk end are distributors that are really nothing more than re-sellers with little actual affiliation with the supplier company. On the high-risk end are distributors who are very closely tied to the supplier company, who effectively represent the company in the market and end up looking more like a quasi-subsidiary than a customer.

Simon looks at agency principles to guide his analysis of whether a distributor qualifies as an agent for FCPA purposes. He argues that factors to consider include:

  • The volume of sales made to the distributor;
  • The percentage of the distributor’s total business that sales of the principal’s product represent;
  • Whether the distributor represents the principal in the market, including whether it can (and does) use the company trademarks and logos in its business; and
  • Whether the principal company is involved in the running of the distributor’s business (such as by training the distributor’s sales agents, imposing performance goals and objectives, or providing reimbursement for sales activity).

Once a company segregates out the high-risk distributors that likely qualify as agents and potentially subject the company to FCPA liability from those that are mere resellers and pose less FCPA risk, FCPA compliance procedures can be tailored appropriately. For those distributors that qualify as “agents” and also pose FCPA risk, full FCPA due diligence, certifications, training and contract language are imperative. For those that do not, more limited compliance measures that reflect the risk-adjusted potential liability are perfectly appropriate.

III. Athanas Approach – Management of the Relationship

I often say that once you have a business justification, perform and evaluate due diligence on an agent and then ink a contract, your real work begins, as you have to manage that relationship going forward. Athanas set out a plan to assist in that management component, under which he provides a framework to help provide a business justification for, assess/manage and document any discount offered to a distributor; all of which he calls the ‘Discount Authorization Request’ (DAR) and states as follows:

1. Capturing and Memorializing Discount Authorization Requests

Athanas says that it all begins with a DAR. This is so important that he argues a DAR template should be prepared, which is designed to capture the particulars of a given request and allow for an informed decision about whether it should be granted. Because the specifics of a particular DAR are critical to evaluating its legitimacy, it is expected that the employee submitting the DAR will provide details about how the request originated as well as an explanation of the business justification for the elevated discount. In addition, the DAR template should be designed so as to identify gaps in compliance that may otherwise go undetected.

2. Evaluation and Authorization of DARs

The next step is that channels should be created to evaluate DARs. The precise structure of that system will depend on several factors, but ideally the goal should be to allow for tiered levels of approval. Athanas believes that three levels of approval are sufficient, but can be expanded or contracted as necessary. The key is the greater the discount contemplated, the more scrutiny the DAR should receive. The goal is to ensure that all DARs are vetted in an appropriately thorough fashion without negatively impacting the company’s ability to function efficiently.

3. Tracking of DARs

Lastly comes the Document, Document, Document component. Once the information gathering, review and approval processes are formulated, there must be a system in place to track, record and evaluate information relating to DARs, both approved and denied. The documentation of the total number of DARs allows companies to more accurately determine where and why discounts are increasing, whether the standard discount range should be raised or lowered, and gauge the level of commitment to FCPA compliance within the company. This information, in turn, leaves these companies better equipped to respond to government inquiries down the road.

IV. Bringing It All Home

You do not have to dream like Van Cliburn did but you can try other or new approaches. Whether you use the Fox ‘Full Monty’ approach or the Simon ‘Agency’ approach will depend on many different factors unique to your organization. You are only limited by your imagination. There may well be other approaches you can take if they are carefully thought out and well-reasoned.

But whatever approach you take on risk ranking and performing due diligence on your distributors, I would urge you to use Athanas’ DAR system or something similar to it. While it is of the utmost importance that you do so from the compliance perspective, the business reason is even more compelling. A company really does need to know what discounts it is giving to distributors and why they are receiving said discounts.

I hope that you have enjoyed our discussion and dialogue on distributors this week. I wanted to thank, once again, David Simon and Bill Athanas for their most excellent and timely posts. I certainly have learned quite a bit.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

January 28, 2013

Boeing and the Conduct of Due Diligence on Sub-Suppliers

The Foreign Corrupt Practices Act (FCPA) has language which makes illegal a direct or indirect act which might be used to obtain or retain business from prohibited parties. This has caused companies to begin to look at their suppliers as one area which might give them FCPA exposure. I have been considering the role of suppliers in a compliance program as I followed the issue of the smoldering batteries in the Boeing 787 Dreamliner.

As reported in a New York Times (NYT) article by James B. Stewart, entitled “Japan’s Role in Making Batteries for Boeing”, the construction of the batteries at issue was outsourced by Boeing to a Japanese company called GS Yuasa. Stewart’s article points out the need for close review of suppliers and what can happen if the quality does not meet the standards required for the project. However, I considered the article from the FCPA perspective. Stewart initially noted that “No one has claimed that GS Yuasa was chosen for the 787 for anything but merit.” But then he goes on to say that “Boeing has long been dogged by suspicion that in return for awarding major contracts to Japanese companies, which also receive subsidies from the Japanese government, the country’s airlines buy Boeing aircraft almost exclusively.”

The question all of this raised for me is just how much due diligence should a company engage in for its suppliers? The first thing to note is that GS Yuasa is not a direct contractor to Boeing. The Japanese company is a subcontractor to a French company named Thales, which was contracted by Boeing to supply the electrical system. However, Stewart noted that Boeing approved the Thales/GS Yuasa contract and relationship. Does this mean that Boeing performed any kind of due diligence on GS Yuasa? The article does not specify any of these facts. However, Stewart asks whether the outsourcing of this work was for the benefit of sales of planes to Japan. He quotes Richard L. Aboulafia who said, “And then there’s Japan. All the normal ways of doing business are upended.” When asked if there might be a ‘quid pro quo’ Aboulafia said, “Yes, absolutely. But no one will talk about it, and no one can prove it.” He went on to say that in Japan “there is a unique relationship between the airlines, the suppliers and the government. The government supported the airlines, the government and the industries and they developed together. The government has enormous influence. They all work together.”

Are these questions which should be explored in due diligence? I think this situation brings up the issue of how far down in the supply chain a company needs to go in performing due diligence. Many contracts with suppliers require that if there is a sub-supplier, that sub needs to go through due diligence. However, in the case of GS Yuasa, Boeing had the right to select the supplier, and if you have that right you probably need to perform due diligence on the supplier.

The key question that Stewart raises in his article is whether Boeing is using the hiring of GS Yuasa as leverage to gain sales to the Japanese government. GS Yuasa admitted that the battery component of its company is a money loser, even with the Boeing contract. This obviously raises the question of why the company is in such a business. The company also admitted that it had received subsidies to the tune of $3.5 billion from the Japanese Ministry of Economy, Trade and Industry to “begin mass production of lithium-ion batteries…”.

However, does Boeing have strong supplier relationships with other Japanese companies? In addition to the sales to Japan Air, Boeing works closely with Japan’s Defense Ministry and Boeing was quoted in the article as saying that it had “a long history of working together to meet Japan’s defense needs.” In addition to the hiring of GS Yuasa, Boeing said that its Japanese partners had “designed and developed 35 percent of the 787 airframe structure, including the main box wing, which is the first time Boeing has ever entrusted such a critical design component to another company.”

Stewart penultimately notes that “any questions about GS Yuasa may be premature.” In addition to the investigation of GS Yuasa, both the French company Thales and Securaplane, an American subsidiary of the UK engineering company Meggitt which makes the battery chargers, are also being looked at in connection with the fires aboard the Boeing planes. Stewart does believe that “whatever the outcome, experts said that with so many lives at stake, the design and manufacturing of new aircraft should be based solely on legitimate issues of cost and quality, and the selection process for suppliers should be transparent and untainted by other commercial or political concerns.”

To end his article, Stewart quotes Aboulafia who states that “The greatest enemy of good aircraft is people who interfere with the freedom to shop for the highest quality.” I think that the same could be said in conjunction with the FCPA and the Supply Chain. If a company allows inferior quality into its supply chain through the bribery or corruption that the FCPA is designed to stop, it could well allow an inferior product to be constructed. While such actions may not have the catastrophic and very public impact that the apparent battery failures on the 787 have sustained, the damage can be severe.


January 23, 2013

The FCPA Guidance on the Ten Hallmarks of an Effective Compliance Program

Many commentators are still mining the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) publication, A Resource Guide to the U.S. Foreign Corrupt Practices Act, (the “Guidance”), which was released last November. I continue to find nuggets to provide to the compliance practitioner, as do others. But as we are a Base 10 culture, today I want to discuss the 10 points listed as the “Hallmarks of Effective Compliance Programs”. They are a change in style, but not content, from the prior 13 point minimum best practices that the DOJ has included in the Deferred Prosecution Agreements (DPAs) since at least November, 2010 and, indeed, from prior information made available by the DOJ.

I. Where Have We Been

Beginning with at least the Metcalfe & Eddy Consent and Undertaking, filed in December, 1999, the DOJ has laid out its thoughts on what should go into a Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program. In the Metcalfe & Eddy Consent and Undertaking, the DOJ laid out ten points of an effective FCPA anti-corruption compliance program. This was modified somewhat in Opinion Release 04-02, which laid out a best practices compliance program in 12 points, where the DOJ reviewed the proposal by an investment group who were acquiring certain companies and assets from ABB Ltd. ABB Vetco Gray Inc. and ABB Vetco Gray (UK) Ltd., two of the entities being acquired, had previously pled guilty to FCPA violations. The investment group desired to protect itself from further liability, to the extent possible, by proposing to the DOJ a comprehensive best practices compliance program. While the DOJ noted that this compliance program was not a shield against future violations, the DOJ would not “intend to take an enforcement action [against the investors] for violations of the FCPA prior to their acquisition from ABB.”

In the Panalpina DPA, issued in November, 2010, the DOJ laid out a 13 point minimum best practices compliance program. This number was changed this past summer when the Data Systems & Solutions LLC (DS&S) DPA was announced. In this enforcement action the DOJ listed 15 points on its minimum best practices FCPA anti-corruption compliance program. Then later in the summer, the DOJ moved to a 9 point compliance program in the Pfizer DPA. Even with all these changes in the number, the substance of each compliance program has remained the same.

II. Where Are We Now? Hallmarks of Effective Compliance Programs

The Guidance cautions that there is no “one-size-fits-all” compliance program. It recognizes that, depending on a variety of factors such as size, type of business, industry and risk profile, a company should determine what is appropriate for its own needs regarding a FCPA compliance program. But the Guidance makes clear that these ten points are “meant to provide insight into the aspects of compliance programs that DOJ and SEC assess”. In other words, you should pay attention to these and use this information to assess your own compliance regime.

  1. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption. It all starts with tone at the top. But more than simply ‘talk-the-talk’ company leadership must ‘walk-the-walk’ and lead by example. Both the DOJ and SEC look to see if a company has a “culture of compliance”. More than a paper program is required, it must have real teeth and it must be put into action, all of which is led by senior management. The Guidance states that “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards.” This prong ends by stating that the DOJ and SEC will “evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”
  2. Code of Conduct and Compliance Policies and Procedures. The Code of Conduct has long been seen as the foundation of a company’s overall compliance program and the Guidance acknowledges this fact. But a Code of Conduct and a company’s compliance policies need to be clear and concise. The Guidance makes clear that if a company has a large employee base that is not fluent in English such documents need to be translated into the native language of those employees. A company also needs to have appropriate internal controls based upon the risks that a company has assessed for its business model. Some of the risks a company should assess include “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.”
  3. Oversight, Autonomy, and Resources. This section starts with a discussion on whether a company has assigned a senior level executive to oversee and implement a company’s compliance program. Not only must a company assign such a person with appropriate authority but that person, and the overall compliance function, must have “sufficient resources to ensure that the company’s compliance program is implemented effectively.” Additionally, the compliance function should report to the company’s Board of Directors or an appropriate committee of the Board such as the Audit Committee. Overall the DOJ and SEC will “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
  4. Risk Assessment. The Guidance states that “assessment of risk is fundamental to developing a strong compliance program”. Indeed, if there is one over-riding theme in the Guidance it is that a company should assess its risks in all areas of its business. The Guidance lists factors that a company should consider in any risk assessment. They are “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.” The Guidance is also quite clear that when the DOJ and SEC look at a company’s overall compliance program, they “take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”
  5. Training and Continuing Advice. Communication of a compliance program is a cornerstone of any anti-corruption compliance program. The Guidance specifies that both the “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” The training should be risk based so that those high risk employees and third party business partners receive an appropriate level of training. A company should also devote appropriate resources to providing its employees with guidance and advice on how to comply with their own compliance program on an ongoing basis.
  6. Incentives and Disciplinary Measures. This involves both the carrot and the stick. Initially the Guidance notes that a company’s compliance program should apply from “the board room to the supply room – no one should be beyond its reach.” There should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. Additionally, the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.” These incentives can take the form of a part of senior management’s bonuses or simply recognition on the shop floor.
  7. Third-Party Due Diligence and Payments. Here the Guidance focuses on the ongoing problem area of third parties. The Guidance says that companies must engage in risk based due diligence to understand the “qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials.” Next a company should articulate a business rationale for the use of the third party. This would include an evaluation of the payment arrangement to ascertain that the compensation is reasonable and will not be used as a basis for corrupt payments. Lastly, there should be ongoing monitoring of third parties.
  8. Confidential Reporting and Internal Investigation. This means more than simply a hotline. The Guidance suggests that anonymous reporting, and perhaps even a company ombudsman, might be appropriate to have in place for employees to report allegations of corruption or violations of the FCPA. Furthermore, it is just as important what a company does after an allegation is made. The Guidance states, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” The final message is what did you learn from the allegation and investigation and did you apply it in your company?
  9. Continuous Improvement: Periodic Testing and Review. As noted in the Guidance, “compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” The DOJ/SEC expects that a company will review and test its compliance controls and “think critically” about its own weaknesses and risk areas. Internal controls should also be periodically tested through targeted audits.
  10. Mergers and Acquisitions. Pre-Acquisition Due Diligence and Post-Acquisition Integration. Here the DOJ and SEC spell out what they expect in not only the post-acquisition integration phase but also in the pre-acquisition phase. This pre-acquisition information is not something that most companies had previously focused on. Basically, a company should attempt to perform as much substantive compliance due diligence as it can before it purchases a company. After the deal is closed, an acquiring entity needs to perform a FCPA audit, train all senior management and risk employees in the purchased company and integrate the acquired entity into its compliance regime.

As I commented earlier in this article, the DOJ and SEC have communicated what they believe are the important parts of a risk based, anti-corruption compliance program for many years. I do not think that a compliance defense could be set out any more succinctly. However, I do like things set out in Base 10 and the “Hallmarks of Effective Compliance Programs” is an excellent compilation of where we are and what you need in place to go forward. I recommend this as a good starting point for any compliance practitioner to implement a new compliance program or to evaluate the state of an ongoing compliance regime. So assess your company’s risks and use these hallmarks as a basis to move forward.


January 9, 2013

Marks of Excellence – the Lakers 33 Game Winning Streak and FCPA Compliance Tools

Sorry Bill Simmons, but today we celebrate one of the great modern day records of any American sports franchise. On this day 41 years ago, the Milwaukee Bucks beat the Los Angeles Lakers to end the Lakers 33 game winning streak. This is the longest winning streak of any professional American sports team. 1971-72 was the greatest season in Laker history with the team winning the then record of 69 games for the season, topped off with a National Basketball Association (NBA) championship, after a 4-1 romp over the New York Knicks in the finals. By any measure, the Lakers achieved true greatness in that season.

One of the more interesting areas of Foreign Corrupt Practices Act (FCPA) compliance work is its evolving nature (although some might say more frustrating). However, as compliance work and compliance programs mature, the tools, products and services available to help companies better manage the business of compliance continue to evolve as well. Several articles recently caught my attention and, in particular, one product caught my eye. Two of the articles appeared in the Financial Times (FT) and spoke to the advance in the sophisticated nature of compliance tools available. The final article was in the New York Times (NYT) and focused on a systemic failure by the US Air Force in the implementation of a computer upgrade that spoke to the difficulties a compliance practitioner can face in implementing a new compliance regime or engaging in a system upgrade.

The first FT article was by Jennifer Thompson, entitled “Rogues revealed by bad language”. In this article Thompson reported on research by Ernst & Young on information they received from the US Federal Bureau of Investigation (FBI). Thompson reported that “Phrases such as “nobody will find out”, “cover up” and “off the books” are among those most likely to litter the in-boxes of corporate rogues, according to fraud investigators deploying increasingly popular linguistic software.” Moreover, “Expressions such as “special fees” and “friendly payments” abound for those embroiled in bribery cases, while rogue employees feeling the heat are likeliest to write that they “want no part of this” as well as the somewhat misguided “don’t leave a trail”.”

The technology angle is that there is software available which performs linguistic analysis that “initially protects employee anonymity, can flag uncharacteristic changes in tone and language in electronic conversations and can be tailored for particular types of employees, such as traders.” Further, Thompson noted that the “use of technology is set to grow as compliance departments police sprawling organisations to avert potentially costly mistakes.”

The second FT article was by Richard Waters, entitled “Counter-terrorism tools used to spot fraud”. In this article Waters detailed how “JPMorgan Chase has turned to technology used for countering terrorism to spot fraud risk among its own employees and to tackle problems such as deciding how much to charge when selling property behind troubled mortgages. The technology involves crunching vast amounts of data to identify hard-to-detect patterns in markets or individual behaviour that could reveal risks or openings to make money.” While the article focused on the use of the software to spot fraudsters, I believe that such techniques could well be brought in to help in the fight against corruption and bribery.

Another area where technology has come into play to help compliance programs is in due diligence. Most compliance practitioners are aware of the various levels of due diligence, that being Levels I, II and III. One difficult question has been how does a company perform in-country native language source business information investigations, without paying someone to put ‘boots on the ground’ and then have to pay for a translation, sort of due diligence Level I (a). I was recently introduced to a software tool by Arachnys Information Services Ltd (Arachnys) and I can tell you that it does some really cool stuff and can certainly help to fill a gap. Arachnys software can run your designated search terms in local media, such as newspapers or other sources, and not simply through a Google search database. It can then translate the local source for you and deliver the results to your computer. This software allows a compliance practitioner to perform in-country computer based due diligence at a level that I had not previously seen available. And as I said, it is really cool.

The final article was by Randall Stross, entitled “Billion-Dollar Flop: Air Force Stumbles on Software Plan”. In this article Stross discussed the failure by the Air Force to install and implement ‘off-the-shelf software’ which was originally budgeted at $628MM. In November of last year, the Air Force “canceled a six-year-old modernization effort that had eaten up more than $1 billion. When the Air Force realized that it would cost another $1 billion just to achieve one-quarter of the capabilities originally planned –  and that even then the system would not be fully ready before 2020 – it decided to decamp.” While there were numerous reasons given for the failure, the main reason attributed was that there was not “a single accountable leader” who “has the authority and willingness to exercise the authority to enforce all necessary changes to the business required for successful fielding of the software.”

The failure of the Air Force’s attempt to modernize its software speaks to one of the issues present when implementing or scaling up a compliance regime. First, do not start with the ‘Big Bang’ approach and try to do everything at once. There is usually more success by scaling implementation or enhancement down into manageable chunks. Next is the point raised above, that being that there must be a leader who not only has the authority but the willingness to exercise the authority to make the changes. Additionally, coupled with this type of leader, is the need for local buy-in which is important, as is empowering small groups to make the necessary decisions.

So today we celebrate the greatness of the Lakers and their phenomenal season of ‘71-72. In the compliance world, best practices are evolving but so are the tools which you can implement into your compliance program. The mining of data has many uses. Some companies such as Catelas Inc. can look at the relationships of persons and parties involved. Other software, such as that available through VisualRisk IQ, can mine the data and come up with financial or data points for further investigation. On the due diligence front, Arachnys software can help fill in holes for your in-country native source business information searches. Lastly, do not fall into the trap of the US Air Force; manage not only the expectations but the entire compliance process.


January 4, 2013

The Lilly FCPA Enforcement Action (Part III) Lessons Learned from Russia

This Part III is the final installment of my review of the Eli Lilly and Company (Lilly) FCPA enforcement action brought by the Securities and Exchange Commission (SEC). In this Part III, I will review the FCPA issues that Lilly found itself involved with in Russia and use those issues in the context of Paul McNulty’s Three Maxims regarding the effectiveness of a FCPA compliance program. First, what did you do to prevent it? Second, what did you do to detect it? Third, what did you do to remedy it?

I. Russia

Lilly used a distributor sales model in Russia. However, there was a further twist which got Lilly into FCPA hot water. Lilly would enter into an agreement with a third party other than the distributor who was selected by the government official making decisions on the purchase of Lilly products. Lilly did little to no due diligence on these third parties which would have identified the beneficial owners of these entities. Further, these other third parties were usually not domiciled in Russia, nor did they have bank accounts in Russia. In other words, they were Offshore Agents who were paid a flat fee or percentage of the total sales with no discernible work or services performed.

The SEC Complaint noted that Lilly itself provided contracts to these third parties which described their services as “immediate customs clearance” or “immediate delivery” of the products or in assisting Lilly in “obtaining payment for the sales transaction” and such other oldie but goodies as “the promotion of the products” and “marketing research.” The SEC Complaint also noted that the services described were actually provided by other entities including Lilly itself.

There were also charitable donations made by Lilly in Russia but here Lilly simply made proposals to government decision makers regarding how the company “could donate or other support various initiatives there were affiliated with public or private institutions headed by the government officials or otherwise were important to the government officials.” In addition to the problems with the charitable donations policy in Russia, there were two reports provided to Lilly’s corporate headquarters identifying some of the compliance issues that the company was having in Russia but there was no follow up from the corporate office. You have to put “boots on the ground” to make a proper inquiry, assessment or review for a high risk country. Antonia Chion, Associate Director in the SEC Enforcement Division, put it another way when he was quoted in the SEC Press Release announcing the Complaint. He said, “When a parent company learns tell-tale signs of a bribery scheme involving a subsidiary, it must take immediate action to assure that the FCPA is not being violated. We strongly caution company officials from averting their eyes from what they do not wish to see.”

a. Prevent

From the prevent prong there are several things that the compliance practitioner can put in place. There should be an adequate system of internal accounting sufficient to provide reasonable assurance that a company maintains accountability for its assets. Such a system would also provide a procedure that would ensure transactions were executed in accordance with management’s authority. Regarding third parties, a company cannot simply rely on the paperwork submitted by third parties but must verify its accuracy through independent due diligence. A company should also have procedures in place to safeguard that it is not offering anything of value to government officials to assist in retaining or obtaining business. Lastly, when the corporate office receives a report from a high risk country or area in which to do business, there must be follow up on the report.

b. Detect

Regarding detect, a company’s internal audit must have procedures in place designed to assess FCPA compliance or other anti-bribery law risk for sales of products and purchases of goods. If there are red flags or other indicia of high risk noted, there must be additional monitoring, review and auditing. As noted in Part I of these posts on the Lilly enforcement action, several Russian distributors were domiciled outside the country, in both Cyprus and the British Virgin Islands. None of these red flags were investigated or followed up. Audit must do more than simply assure itself of the soundness of the paperwork which is submitted to it or which it reviews. If the circumstances surrounding the existence of a party or transaction suggest the possibility of a FCPA violation or corruption, it must be followed up and reviewed.

II. Remedy

I have laid out the facts as reported in the SEC Complaint in some detail for several reasons. One of which is to emphasize how wide ranging Lilly’s conduct was regarding FCPA violations. I think that it is incumbent to note that even with this wide ranging and apparently pervasive conduct, Lilly did not sustain a Deferred Prosecution Agreement or even a Non-Prosecution Agreement for criminal violations of the FCPA by the Department of Justice. There was only a civil Complaint filed by the SEC. As to the financial penalty, Lilly agreed to pay disgorgement of $13,955,196, prejudgment interest of $6,743,538, and a penalty of $8.7 million for a total payment of $29,398,734. Lilly also agreed to the retention of an independent consultant to review and make recommendations about its foreign corruption policies and procedures, but it does not have a monitor.

Lilly also engaged in the third prong of McNulty’s Maxims by remedying the FCPA violations during the pendency of the investigation. These remedies were listed in the SEC Complaint. In China, where the FCPA violations were engaged in by Lilly employees, the company “terminated or otherwise disciplined” those involved. Lilly also agreed to certain structural changes in its compliance program. These changes included:

  • enhancing anti-corruption due diligence requirements for relationships with third parties;
  • implementing compliance monitoring and corporate auditing specifically tailored to anti-corruption;
  • enhancing financial controls and governance; and,
  • expanding anti-corruption training throughout the organization.

III. Conclusion

The Lilly FCPA enforcement action, as laid out in the SEC Complaint, provides the compliance practitioner with solid information which can be used in a variety of ways to strengthen an anti-corruption/anti-bribery compliance program. First and foremost is the detailed discussion of the different types of bribery schemes that were engaged in throughout the company. If your sales model is an employee based sales force, a distributor model with discounts off your list price or commission based third party agents, the Lilly FCPA enforcement action provides you with questions that you can ask to see if your company has FCPA issues to investigate. The SEC Complaint also details the internal controls failures which Lilly sustained and which led to the enforcement action. There is also significant and detailed information on what you might look at or do in your compliance program to answer Paul McNulty’s three questions if you are in the position to deal with the SEC or DOJ on an FCPA issue.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

December 30, 2012

The Lilly FCPA Enforcement Action Part I – Key Lessons Learned on Sportsmanlike Conduct

As you see from today’s picture I am enthusiastically wearing a New England Patriots (classic) shirt. You may ask yourself why am I wearing this shirt? The reason is because of a rather rash wager I made with Jay Rosen, Vice President of Merrill Brink, earlier this month on the Patriots/Texans football game. (I also made the same wager with Matt Kelly, Editor of Compliance Week, who says he will use the photo for marketing Compliance Week 2013, good luck with that!) I can’t quite seem to remember the final score but I do recall that it was what we in Texas might call a full ‘butt-whoopin’. Up until that game, the Patriots were 19-1 at home in the month of December over the past ten years; after beating the Texans, they became 20-1. The key lesson I learned from this experience is to evaluate your risk and then manage that risk accordingly.

Earlier this month, the Securities and Exchange Commission (SEC) announced the settlement of the Eli Lilly and Company’s (Lilly) violations of the Foreign Corrupt Practices Act (FCPA). The enforcement action details a number of bribery schemes that Lilly had engaged in for many years in multiple countries. Indeed Lilly used four different styles of bribery schemes in four separate countries, all of which violated the FCPA. In China, corrupt payments were falsely called reimbursement of expenses; in Brazil, money that was characterized as a discount for a distributor was used to pay a bribe; in Poland, charitable donations were falsely labeled and used to induce a Polish government official to approve the purchase of Lilly products; and, finally, Lilly’s subsidiary in Russia paid bribes to Offshore Agents who were domiciled outside Russia and who performed no services for which they were compensated.

I think the most noteworthy information found in this enforcement action is that it provides significant guidance to the compliance practitioner on not only the different types of bribery schemes used, but more importantly, by reading into the types of conduct the DOJ and SEC finds violates the FCPA, it is valuable as a lesson on how to structure tools to manage FCPA risks going forward. In this post I will detail the bribery schemes that Lilly engaged in and in Part II, I will discuss how the Lilly enforcement action should inform your FCPA compliance program.

I. China – Use of False Expense Reports to Cover Improper Gifts and Cash Payments

In China, Lilly employees used the classic system of submitting inflated expense reports and using the excess reimbursements to pay bribes. More ominously, not only did the sales representatives engage in this tactic but their supervisors did and also instructed subordinates to do so as well. The list of gifts that were provided to Chinese government officials was as wide ranging as it was creative. There were gifts consisting of specialty foods, wines and a jade bracelet. There were paid trips to bath houses, karaoke bars and spas. There was money paid to purchase “door prizes and publication fees to government employed physicians.” It was even noted that bribes were paid consisting of cigarettes. In the SEC complaint it stated that “Although the dollar amount of each gift was generally small, the improper payments were wide-spread across the [China] subsidiary.”

II. Brazil – Use of Distributor Discounts to Fund Bribes

In Brazil, Lilly sold drugs to distributors who then resold the products to both public and private entities. It was the classic distributor model where Lilly sold the drugs to the distributors at a discount and then the distributors would resell the products “at a higher price and then took their discount as compensation.” There was a fairly standard discount given to the distributors which generally ranged “between 6.5% and 15%, with the majority of distributors in Brazil receiving a 10% discount.”

However in early 2007, at the request of a Lilly sales manager, the company awarded an unusually high discount of between 17% and 19% to a distributor for the sale of a Lilly drug to the government of one of the states of Brazil. The distributor used approximately 6% of this additional discount to create a fund to pay Brazilian government representatives to purchase the Lilly drugs from him. Further, the Lilly sales manager who requested this unusual discount was aware of the bribery scheme. Moreover, this increase in the discount was approved by the company with no further inquiry as to the reason for the request or to substantiate the basis for such an unusually high discount. If there were any internal controls they were not followed.

III. Poland – Use of Charitable Donations to Obtain Sales of Drugs

In Poland we see our old friend the Chudow Castle Foundation (Foundation). You may remember this charity as it was the subject of a prior SEC enforcement action involving Schering-Plough Corporation. The thing that got both Lilly and Schering-Plough into trouble was that the Foundation was controlled by the Director of the Silesian Health Fund (Director) and with this position he was able to exercise “considerable influence over the pharmaceutical products local hospitals and other health care providers in the region purchased.”

Just how did this bribery scheme camouflaged as a charitable donation work? Initially it started while Lilly was in negotiations with the Director for the purchase of one of Lilly’s cancer drugs for public hospitals and other health care providers in the region. The Director actually made a request for a donation directly to representatives of Lilly. Thereafter, the Foundation itself made “subsequent requests” for donations.

In addition to this obvious red flag, Lilly did no due diligence on the Foundation and falsely described the nature of the payments not once but three separate times with three separate descriptions. Lilly turned some of the monies over not to the Foundation, but to the Director for use at his “discretion”. Interestingly, the donations were made at or near the time of a contract execution, with one donation being made two days after the Director authorized the purchase of the drugs from Lilly. Internally Lilly even discussed the size of a donation, calling it a “rebate” and said “it will depend on the purchases of medicines.”

IV. Russia – Use of Offshore Agents Who Performed No Services

As with Brazil, Lilly used a distributor sales model in Russia. However, there was a further twist which got Lilly into FCPA hot water. Lilly would enter into an agreement with a third party other than the distributor who was selected by the government official making decisions on the purchase of Lilly products. The other third parties were usually not domiciled in Russia, nor did they have bank accounts in Russia. In other words, they were Offshore Agents who were paid a flat fee or percentage of the total sales with no discernible work or services performed.

There was little to no due diligence performed on these Offshore Agents. In one instance, detailed in the SEC Complaint, Lilly ran a Dun and Bradstreet report on a third party agent, coupled with an internet search on a third party domiciled in Cyprus. There was no determination of the beneficial ownership of this Offshore Agent nor was there any determination of the business services which this Offshore Agent would provide, subsequently this . This Offshore Agent was paid approximately $3.8MM. An additional  Offshore Agent, again in Cyprus, which Lilly conducted little to no due diligence on, received a $5.2MM commission. Under another such agreement, yet another Cypriot Offshore Agent received a commission rate of 30% of the total sale.

What about the services that these Offshore Agents provided to Lilly? First and foremost, they all had their own special “Marketing Agreement” which was actually a template contract prepared by Lilly. The services allegedly provided by these Offshore Agents included “immediate customs clearance” or “immediate delivery” of the product. There were other equally broad and vague descriptions such as “promotion of the products” and “marketing research”. But not only was there little if any actual evidence that these Offshore Agents provided such services; Lilly, or its regular in-country distributors, actually performed these services.

Unlike their experience in Poland, officials from Lilly simply inquired directly from government officials with whom it was negotiating if it could “donate or otherwise support various initiatives that were affiliated with public or private institutions headed by the government officials or otherwise important to the government officials.” As noted in the SEC Complaint, Lilly had neither the internal controls in place nor performed any vetting to determine whether it “was offering something of value to a government official for the purpose of influencing or inducing him or her to assist Lilly-Vostok in obtaining or retaining business.”

In my next post I will discuss how the compliance practitioner can use the information and facts presented in the Lilly enforcement action as teaching points to evaluate and enhance a company’s compliance program.

Although I rarely agree with Peggy Noonan, I always read her Saturday column in the Wall Street Journal (WSJ) and would like to end my blogging year with the closing paragraph, which I quote in full, from her article entitled “About Those 2012 Political Predictions”:

Lesson? For writers it’s always the same. Do your best, call it as you see it, keep the past in mind but keep your eyes open for the new things of the future. And say what you’re saying with as much verve as you can. Life shouldn’t be tepid and dull. It’s interesting—try to reflect the aliveness in your work. If you’re right about something, good. If you’re wrong, try to see what you misjudged and figure out why. And, always, “Wait ’til next year.”

A safe and Happy New Year to all.

© Thomas R. Fox, 2012

December 12, 2012

Doing More with Less in Your Compliance Program (Not the 2013 Astros)

It was reported today that the Houston Astros pitchers and catchers report for Spring Training on February 11, 2013, with position players reporting on February 15. I thought about how much I used to look forward to Spring Training in conjunction with the phrase that I think that most people are aware of ‘how to do more with less’. Could it be that my Astros will try and do more with less next year? Alas, I do not believe that will be the situation with the Astros, who have apparently decided to do ‘less with less’ by not spending any of the $80MM they receive from the local television contract on their $30MM payroll. Either new owner Jim Crane needs some serious money to service his mountain of debt or he is just keeping the money and laughing all the way home. One thing neither Jim Crane nor I am laughing about is the smack down the Houston Texans received by the New England Patriots on Monday Night Football this week. I was on the short side of two ‘friendly’ wagers for this game, so keep checking out my blog; you will soon see me gracing a Patriots jersey. And for Matt and Jay, I wear an XL.

The Astros upcoming season came to mind when I was reading a recent Corner Office section in the New York Times (NYT), where reporter Adam Bryant interviewed Sandra L. Kurtzig, chairwoman and Chief Executive Officer (CEO) of Kenandy, in an article entitled “Don’t Chase Everything That Shines”. One of the things that Kurtzig said which struck me was “I am conservative in hiring. I don’t over-hire. The reason is that you can get a lot more work done with fewer people. If you have a lot of people, you have to give them something to do, and you have to give them something to manage, and then you have to manage them. You can get a lot less done. So you want to have a core set of people while you’re really trying to discover your product, your direction, your market. And the more people you have, the more difficult it is to take risks because it affects a lot more people.”

Kurtzig takes this same attitude to making decisions, particularly in the area of business opportunities. She was quoted as saying, “I don’t run after ‘shiny objects.’ That’s a mistake that a lot of people make in running a company, especially in starting one. They tend to get a lot of opportunities from people who want to partner with them. And these are just shiny objects, because there are very few partners that end up being right for your company. So I’m much more selective. If I hear something, I’m very quick to think, ‘Hey, that’s a shiny object; let’s get back to work.’ I think that’s what’s so distracting to a lot of companies — they see a big customer or some other distraction, and they spend too much time on it and they lose their way.” I think that this thought about not running after shiny objects may be one of the most overlooked aspects of due diligence on third parties. An evolving best practice regarding third parties must include a step that requires a business unit person to provide a business case as to why your company may need another third party to provide the services, goods or products, whether on the sales side or in the supply chain. This Business Justification should be obtained before you send out your questionnaire, assign a risk ranking or begin due diligence. There needs to be a valid business reason for going through the time and expense of looking at another third party representative and not simply because someone wants another company.

Kurtzig said that one thing she strongly believes in is transparency. She said that she is constantly asking her employees for their opinions. So, for instance, she asks “what they like about their job and what they don’t like about their job. What can we be doing better? In your previous job, how did you do it? What worked better and what worked worse than what we are doing now?” She believes that you must really listen to someone, “two-way conversations are an important ingredient for building a company. Nowadays, I hear that so many younger people who are starting companies are so used to working on the Internet that they tend to send only e-mails and communicate with their screens more than they communicate with people around them. You need to interact with people and not just your computers.”

I often write about the need to listen as a part of your compliance program. Today, Jeffery Spalding, Assistant General Counsel at Halliburton, spoke at the Hanson Wade Pharmaceutical Anti-Corruption Compliance Conference that I am attending in Philadelphia. One of the things he spoke about is the live compliance training that Halliburton puts on around the globe for its employees. In addition to the benefits of receiving live training, employees get to meet Jeff and put a face to a name. He gets to not only meet them but hear some of their concerns in person. This leads to a much better chance that they will call him for compliance advice in the future. One of the key points he highlighted is that he listens and that engenders respect from the company’s employees across the globe.

I found the Kurtzig interview to provide some interesting and well placed management pointers which have application to a compliance program and are useful to compliance practitioners. Now if I could just get the Astros to use some of them.

© Thomas R. Fox, 2012
