FCPA Compliance and Ethics Blog

July 29, 2013

What Is Due Diligence?

What is due diligence? When did due diligence begin? What does it really mean to perform due diligence? Further, how do you tie the information that you obtain in the due diligence process into your ongoing compliance program? I thought about those questions in the context of two very different types of information that I recently came across.

The first is Professor Donald Kagan’s 24 lecture series on Ancient Greece. Kagan, a professor at Yale, is considered to be one of the pre-eminent American scholars on Ancient Greece. I downloaded this lecture series on iTunes U, from the selection of Open Yale courses. For a non-Eli, such as myself, to have access to the lectures of Professor Kagan is a treat beyond words.

The Athenian democracy had many interesting features. The entire citizenship of Athens elected its leaders annually. One of the interesting features of the Athenian democracy was that before each election there would an exhaustive background investigation into each candidate, including their financial dealings, legal proceedings, military service and other relevant factors which might provide information on their character and fitness to hold office. After their one year tenure, there would be an audit of the former office holders’ finances to determine if anything was askance or if there was evidence of bribery and corruption. All of that sounds like a fairly robust program to determine the qualifications of a leader beforehand and then a backend determination if there was any indicia of bribery and corruption which could be further investigated if required.

Lest you think that there was no management of politicians during their term, there were 10 votes annually on whether a leader was doing his job. If there was a majority vote against the politician, he would have to go court to defend himself by proving that he was performing his job correctly and going to court in ancient Athens, meant a trial before the entire body of eligible voters. If the politician lost, he was thrown out before the end of his one year term. If he won, he reassumed his elected duties.

So the ancient Athenians had pre-election due diligence, management of the relationship during their annual term and then a post-relationship audit. Not too bad a system, particularly when you consider that it was developed over 2500 years ago.

The second item of interest was an article in the New York Times (NYT), High & Low Finance column of Floyd Norris, entitled “Intersection of Fraud and Traffic Violations”. The article was quite fascinating. It reported on a study by Robert Davidson, who teaches accounting at Georgetown University, along with Aiyesha Dey, of the University of Minnesota, and Abbie Smith, of the University of Chicago. Norris reported that “Their results are reported in a paper, “Executives’ ‘Off-the-Job’ Behavior, Corporate Culture and Financial Reporting Risk,” which is to appear in the Journal of Financial Economics.”

The bottom line is that if your company’s Chief Executive Officer (CEO) “likes to drive too fast, watch out. He may be more likely to commit fraud.” However, (and perhaps counter-intuitively) “If he lives too high on the hog, worry about whether he is paying enough attention to work to catch fraud being committed by his subordinates. And there may be a greater chance that the company is making mistakes in its accounting, though not fraudulently.”

The authors used some interesting investigative techniques for their paper. First they examined “fraud cases that the Securities and Exchange Commission [SEC] filed over the years — covering frauds that began between 1992 and 2004.” Next, the “researchers looked for other companies that were as similar as possible to the companies that were caught. Those companies were of similar size, had similar balance sheets and similar prefraud stock market performance as the fraudulent companies and were in the same industries.” This netted them “109 companies where fraud was detected and 109 similar ones where it was not.” The next step was the one that I found the most interesting, “The academics then hired private investigators to check out the bosses. They looked for past criminal records, including traffic violations, and they searched public records to see which cars, homes and boats the chief executives owned.”

Norris reported that while “The statistics are far from conclusive — 109 is not a large number — but they may take on a little more weight from the decision of the researchers to investigate an additional 164 chief executives. They came from 94 companies that were forced to restate their financial statements but were not accused of fraud by the S.E.C., and from 70 others chosen at random from the universe of companies that did not have fraud or accounting errors.” Norris believes what the report “could indicate is that people who are willing to violate one set of social norms are more likely to be willing to violate far more serious ones.”

I do not think that his last statement would be too controversial. However, the research went further. The authors of the report “also set out to if what they called unfrugal chief executives run companies that are fundamentally different from those run by bosses who spend less on themselves. To determine that required decisions on just what constituted unfrugal behavior. They settled on a definition involving ownership of homes, boats and cars, which is available from public records. Chief executives were deemed to be unfrugal if they owned a car that listed for more than $75,000, a boat that was more than 25 feet long or a house worth more than twice the average cost of a home near the company’s headquarters.”

Once again, the report findings seemed interesting. The researchers found that “Unfrugal chief executives are no more likely to commit fraud than their colleagues, but they are more likely to run companies where others commit fraud, and they are more likely to run companies that are forced to restate their financial statements.” In other words, they were playing with their expensive toys and not watching the shop.

Norris concludes his piece with the following, “I don’t think any of this proves that a traffic ticket should disqualify someone from running a public company. And it appears that most fraud is committed by chief executives who have no previous record of criminal behavior, so that is hardly the only thing a board should monitor. But the evidence may indicate that boards should routinely run background checks on top officers and on those being considered for such positions. If someone does have a bunch of traffic tickets, or worse, that could be an indication that deeper consideration is needed before that person is given control of a public company.”

I think that Norris has correctly articulated one of the key issues for any compliance practitioner in the due diligence process. What is the analysis that you should use? The FCPA Guidance provides a list of red flags which should be very large warning signs for a company in creating a business relationship with a third party. But beyond this well-known list of red flags, which information is relevant in assessing a third party, corporate CEO or other executive or simply a new hire. Does the fact that someone had a business failure and filed bankruptcy or has a low credit score mean they are prone to corruption? Or does that mean they have an entrepreneurial bend that would be an asset in a company? How about if they went through a major health issue and their health care provider and insurance carrier got into such a dispute over payment it affected the person’s credit score? What about multiple marriages, does that demonstrate a lack of stability?

So while Norris’ article does raise perhaps more questions than it has answers, you can take some solace in knowing that the due diligence process you have in your company is not new. The ancient Greeks used in 500 BCE.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

June 12, 2013

British PM Leads the Fight against Shell Corporations

One of the critical areas in due diligence for foreign business partners is determining who are the true owners of an entity. Unfortunately this is not always possible to determine as many countries do not require the names, addresses and other identifying information of shell company owners or limited liability partners. Many people think of the Cayman Islands or other traditional tax havens when such issues arise.

However, a surprising number of allegedly low risk countries also have this problem. New Zealand is generally recognized as one of the lowest risk countries in the annual Transparency International Corruption Perceptions Index (TI CPI), nevertheless this rating may not be all it seems. In an article by Michael Field on Stuff.co.nz, entitled “NZ firms linked to money laundering”, Field reported that one individual was listed as a Director of over 300 New Zealand formed companies. Another person, listed as the Director of the New Zealand Company alleged to have been involved with the shipment of arms to North Korea, was “convicted of 75 breaches of the Companies Act for giving false addresses on registration forms”.

New Zealand is not the only country with a low corruption perception which may not be completely accurate. In a Reuters article, entitled “Special Report: A little house of secrets on the Great Plains”, authors Kelly Carr and Brian Grow reported on one house in Cheyenne, Wyoming, which the authors claim “serves as a little Cayman Island on the Great Plains” as it is home to the registration of over 2,000 entities. The article claims that Wyoming allows “the real owners of corporations to hide behind “nominee” officers and directors with no direct role in the business, often executives of the mass incorporator.” Carr and Grow also quote Jason Sharman, a professor at Griffith University in Nathan, Australia, who states that “Somalia has slightly higher standards [for business incorporation] than Wyoming and Nevada.”

One of the anomalies in the ongoing Hewlett-Packard (HP) investigation, for alleged bribery and corruption violations in its German subsidiary, was the German authorities’ investigation of activities in and through the state of Wyoming. The article by Carr and Grow may help explain why the German authorities needed to investigate matters relating to Wyoming where the allegations were that bribes were paid by a HP German subsidiary for a sale into Russia.

Against this backdrop, British Prime Minister David Cameron has taken the lead in forcing jurisdictions who register such companies to disclose their ownership. While Cameron has come at this problem through the angle of tax evasion and compliance, it clearly has implications for the US Foreign Corrupt Practices Act (FCPA), UK Bribery Act and various anti-money laundering (AML) laws. The issue of public registers and beneficial ownership is coming to the fore on the eve of the G8 Summit which will be held in Northern Ireland starting next Monday. The Guardian has reported, in an article entitled “David Cameron under pressure to clarify owners of firms at G8”, that Cameron has also been given a political boost by the Cayman Islands agreeing to sign the OECD multilateral convention on tax transparency and information, the most important of the British overseas territories to do so.”

However, perhaps there is legislation on the way to close this loophole in the US. In another Reuters article, entitled “US House bill targets anonymous shell corporations”, Patrick Temple-West reported on prior US legislative attempts to require disclosure of corporate beneficial owners. Three such efforts have failed since the year 2000. Who might oppose such legislation? Temple-West reported that “Some state government group[s] remain opposed. In the past, resistance has also come from business groups and lawyers.” I am also somewhat chagrined to report that an organization that I belong to, the American Bar Association (ABA), has opposed prior legislation to provide greater discloser for shell companies.

Still this resistance may be changing. In an article in the New York Times (NYT), entitled “Obama Urged To Back Plan To List Owners Of Shell Firms”, Ravi Somaiya reported that “Anticorruption activists have urged President Obama to back a plan to publicly register the owners of shell companies in the United States and around the world, a move they say is essential to thwart corrupt government officials, tax evaders and money launderers who rely on an opaque financial system.” This problem has existed for several years in the US. Somaiya reported that “The Financial Crimes Enforcement Network, a bureau of the Treasury Department, estimated in 2005 that as much as $18 billion in suspicious transactions were made using international wire transfers that used shell companies in the United States.”

Somaiya also quoted Jack A. Blum, a lawyer and the chairman of Tax Justice Network USA, who said “These anonymous shell companies are used by everybody who steals money. Tens of thousands of shell corporations have been set up within the United States, he said, primarily in four states — Delaware, Montana, Nevada and Wyoming — that have loose regulations.” We know that the bad guys are selling the U.S. as a place to set up companies,” Mr. Blum said, citing its “aura of legitimacy.”

How does all of this relate to due diligence as the US problem would not seem to impact a company covered by FCPA? First of all, a company should know with whom they are doing business, and more pointedly a US company which is subject to the UK Bribery Act needs to recognize that any agent, distributor or other type of representative here in the US, is a foreign entity under the Bribery Act and needs full due diligence. While the jurisdictional scope of the Bribery Act has yet to be fully fleshed out, such a US company needs to consider its due diligence here in the US and may need to strengthen its investigations and background checks on such parties to comply with the Bribery Act.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 29, 2013

Kroll and Compliance Week Survey Anti-Bribery and Anti-Corruption

Not many people realize that the US has elected one president who served as a prisoner of war. That man was Andrew Jackson, who was captured by the British during the Revolutionary War. Now, can you name the American President who killed another man in a duel? If you guessed Andrew Jackson you are right and if you knew that today is the anniversary you receive extra credit and can proceed directly to Final Jeopardy.

I thought about the somewhat surprising history on Jackson when I read the recently released the “2013 Anti-Bribery and Corruption Benchmarking Report-A joint effort between Kroll and Compliance Week” (the “Survey”). Much like Jackson himself, the Survey had some interesting and somewhat disturbing findings as well regarding companies and their third parties. The findings were troubling because I think that most compliance practitioners recognize that their highest compliance risks under the Foreign Corrupt Practices Act (FPCA) and UK Bribery Act revolve around third parties. Some of the highlights of the survey are as follows.

I.                   Risks

While 43% of respondents said their bribery and corruption risks have increased in the last two years, another 39% said those compliance risks have remained mostly the same and, finally, 7.7% reported that they believe their compliance risks have actually fallen. Regarding future corruption risks, the respondents were split with half saying they expect compliance risks to rise in the next 12 months, and half do not. The single most common reason given for increasing compliance risks was expansion into new markets, followed by more vigorous enforcement of current anti-bribery laws. The Survey reported the “good news is that 57% of respondents say they conduct an enterprise-wide assessment of bribery and corruption risk annually. The bad news: the other 43% conduct such an assessment less than once a year, and 16.9% say they’ve never conducted a corruption risk assessment at all. A solid majority of companies also say they have some sort of documented approach to managing bribery and corruption risks; 37.7 say they have a “well-defined, documented process dedicated solely to global bribery risks,” and another 42.7% say they treat corruption risks as part of a larger documented process to address all compliance risks.”

II.                Due diligence

The Survey indicated that most companies have a good understanding of the need to, and performance of due diligence on third parties or acquisition targets. It found that 87% perform at least some sort of due diligence on third parties, and the criteria that help a compliance department decide how much diligence to perform generally seem risk-based. The top criteria were, in order, the nature of the work a third party would provide; the amount of contact the third party has with foreign officials; and where the third party is domiciled. A variety of tools were used to perform due diligence. These tools included: certifications from the third party that it has no corruption problems; reviews by your company’s legal or finance team; and data collected by your local business-unit leaders. Reference checks, on-site interviews, and research from professional investigators were some of the less-used techniques.

III.             Third parties

The Survey found that many companies are still struggling with ongoing anti-corruption monitoring and training for their third parties. Regarding training, 47% of the respondents said that they conduct no anti-corruption training with their third parties at all. The efforts companies do take to educate and monitor third parties are somewhat pro forma. More than 70% require certification from their third parties that they have completed anti-corruption training; 43% require in-person training and another 40% require online training. Large companies require training considerably more often than smaller ones, although when looking at all the common training methods, fully 100% of respondents say their company uses at least one method, if not more.

An astonishing 47% of all respondents said they conduct no anti-corruption training with their third parties at all. The numbers are even higher for companies based outside of North America (51%) and those with less than $1 billion in annual revenue (55%). Violet Ho, senior managing director for Kroll’s practice in greater China, was quoted as saying, “A lot of companies have very good intentions of doing a thorough job looking at their third parties,” Ho says. “But ultimately when you are a very large organization with more than 10,000 vendors, it’s not financially viable. You do not really have the time or resources to look deep into each and every one of them.” Another factor that Ho noted was significant is that companies often do not even know how many third parties they use, which makes training all of them impossible. Moreover, corporations typically have much less bargaining power with third parties, especially when they are located in far-flung jurisdictions. The result: if a company is using only one vendor to source an item and asks that vendor to promise to follow some anti-corruption code of conduct, the vendor feels emboldened to refuse.

Lastly, Ho stated “Trying to reach all third parties with a generic, headquarters-issued policy is a waste of time and money. Such policies tempt employees and third parties to find loopholes, and they ignore important regional differences. On-the-ground workers, are focused on revenue and profit, not compliance. Those goals aren’t mutually exclusive, but they do require coordination for a policy’s effective implementation—which adds all the more pressure on compliance officers to articulate why strong anti-corruption programs are good for business.” Clearly this Survey shows the challenges around third parties.

IV.              Effectiveness

For all a company’s efforts at risk assessment, due diligence, and monitoring third parties, the ultimate question for a compliance officer is simply does my system work? Questions about effectiveness, therefore, get to that core issue of whether all the compliance activities outlined above actually make the business less vulnerable to corruption risk. The Survey found that the responses in their anti-corruption procedures depended on how close to home the tasks actually are. 73% rated their training of domestic employees as “effective” or “very effective.” That figure dropped to 63.8% for foreign employees, and only 30% for third parties.

Melvin Glapion, Kroll managing director in EMEA, said that this phenomenon was the “downward and outward” problem. He explained that this meant that companies tend to overestimate how seriously messages sent from corporate headquarters are received elsewhere. Cultural differences abound, and many employees don’t see how anti-bribery policies apply to them in their daily jobs. Worse, the person doing compliance checks is often less senior than the executives he or she is monitoring.

Companies with less than $1 billion in revenue were actually more confident in their procedures’ effectiveness than larger businesses, the survey showed. Glapion was quoted as saying “that may be because smaller organizations have less bureaucracy and fewer third parties, or they may feel that they are not necessarily in the firing line.”

The Survey appears to indicate that companies still have a long way to go in certain areas, particularly third parties. The Survey provides the compliance practitioner with a good benchmark to look at the overall company program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 3, 2013

How Much Due Diligence is Enough?

Do you really know who you are doing business with in your supply chain? How much due diligence is enough? Should you update your due diligence on a regular basis? How about on a continuous basis? What ethical considerations come into play in the manufacturing sector, in the supply chain? These questions, and perhaps more, came to me as I was reading about the recent tragedy in Bangladesh involving the collapse of Rana Plaza. At this time, there are 433 confirmed dead and police report that 149 people are still missing in what has become the worst disaster for Bangladesh’s $20 billion-a-year garment industry. The collapsed building was built and owned by Mohammed Sohel Rana, he was not the owner of the factories that operated in Rana Plaza; he was simply the building owner and landlord and, therefore, is legally required to provide a safe structure

In an article in the New York Times (NYT), entitled “The Most Hated Bangladeshi, Toppled From a Shady Empire”, reporter Jim Yardley wrote about Mr. Rana’s rise to power and the problems that companies face when trying to do the right thing regarding corporate social responsibility in general, and bribery and corruption specifically, in the supply chain. This problem has become much more public for clothing companies who purchase finished goods from countries like Bangladesh. This is because even if you know who you are directly contracting with, your company may not know the subcontractors or your direct counter-party and you probably have no chance to know who the building owner or landlord might be. Finally, how can you determine if the building where your products are being produced meets minimum building code standards or is even safe to work in at all?

Rana Plaza was originally designed as a five story building. Yardley’s article details the methods that Rana used to secure the land and the permits to construct the building. Yardley reported, “To build Rana Plaza, Mr. Rana and his father bullied adjacent landowners, the landowners themselves say, and ultimately took their property by force. His political allies gave him a construction permit, despite his dubious claims of title to the land, and a second permit later to add upper floors that may have destabilized the building.” After the building was completed Mr. Rana successfully leased “out the existing five floors and gotten a permit from the local mayor, a political ally, to build additional floors. Mr. Khan, the former mayor, said this practice created serious risks, since officials were handing out permits, often for bribes, without insisting on the necessary safeguards.”

On the day before the building collapse “Workers on the third floor were stitching clothing when they were startled by a noise that sounded like an explosion. Cracks had appeared in the building. Workers rushed outside in terror. By late morning, Mr. Rana’s representatives had brought in Abdur Razzaque Khan, an engineer. Taken to the third floor, Mr. Khan examined three support pillars, and became horrified at the cracks he found. “I became scared,” Mr. Khan said. “It was not safe to stay inside this building.” He rushed downstairs and told one of Mr. Rana’s administrators that the building needed to be closed immediately. But Mr. Rana was apparently not impressed; he was holding court with about a dozen local journalists.”

Yardley quoted another journalist, Shamim Hossain, a local newspaper reporter, who reported that Mr. Rana said, “This is not a crack. The plaster on the wall is broken, nothing more. It is not a problem.” Unfortunately the next day the building collapsed.

Rana had rammed five separate garment factories into his now eight story building. How many people were employed there? I don’t think anyone will ever know the true number. As for Mr. Rana, perhaps understanding his personal criminal exposure for these actions, he was caught trying to flee the country. He is now in police custody. He, of course, says it was the evil factory owners which caused the entire catastrophe.

If your company is a US or EU purchaser of such finished products, what should your response be? In another NYT article, entitled “Some Retailers Rethink Role in Bangladesh”, reporter Steven Greenhouse noted that the Walt Disney Company “in March ordered an end to production of branded merchandise in Bangladesh.” Greenhouse said, “Disney’s move reflects the difficult calculus that companies with operations in countries like Bangladesh are facing as they balance profit and reputation against the backdrop of a wrenching human disaster.”

But is this the right response? In an article in the Financial Times (FT), entitled “Business must lead in Bangladesh”, John Grapper wrote “The first thing western companies need to do is the simplest: to stay in the country and to keep providing jobs for women, not to withdraw because they fear being tainted by association. Despite everything, the industry provides better-paid jobs than the alternative – working on rural farms – and has helped to emancipate women.”

Gapper further argues that US and EU retailer collective action is the only thing which will force change upon a corrupt Bangladeshi government. He said, “The second thing brands and retailers must do is band together. The factories they directly oversee in export zones tend to be better run. But they exert weak influence over the contractors and subcontractors that comprise most of the industry. Retailers use auditors to inspect suppliers but lack the information or power to stop abuses. Rana Plaza shows the difficulties. Planning and building controls are lax in Bangladesh and there is no simple way to check whether a factory is properly built. Raising building standards is beyond the power of any single company – it needs concerted action.”

Many have argued that the US government in particular has no place in enforcing its version of morality, in the form of the US Foreign Corrupt Practices Act (FCPA). But rarely is the flip side of this argument discussed, that being where a business solution can help to end corruption. Gapper notes this reality with the following, “Collectively, companies could push the government to overcome the obstacles of corruption, hidden army influence and factory owners who double as politicians. They hold the buying power in a sector that makes up 13 per cent of gross domestic product.”

What is the cost of bribery and corruption? I think that we are seeing it played out daily in Bangladesh as each body is pulled out of the rubble of the Rana Plaza. As a US company, how can you manage your FCPA risk? Should you perform due diligence on your landlord? I do not think any US company would think more than a nano-second when answering that question if they were leasing office space for their own employees. But the tragedy at Rana Plaza does beg the question, how much due diligence is enough and how far is far enough down the supply chain?

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 1, 2013

From the Compact Model to the Luxury Model – Managing Your Third Party Risk

I am currently attending the Hanson Wade Oil and Gas Supply Chain Compliance conference in Houston. The event is excellent and the presentations have been ‘spot on’ for the nuts and bolts of how to do compliance. As the conference is in Houston, a number of the speakers and attendees are from energy companies but the concepts that are being discussed apply to all companies which have an anti-corruption or anti-bribery compliance program. One of the things that came through each of the presentations was that as compliance programs mature, many companies are developing programs which are more tailored towards the risks that companies face, which are ascertained through more sophisticated risk assessments and management of those risks.

This pattern is certainly consistent with the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) FCPA Guidance which says that a company should assess its risks and manage its risks. From this starting position, a company can then put together a well thought out and reasoned approach to Foreign Corrupt Practices Act (FCPA) compliance. Many of the presentations dealt with third parties and the differing responses and approaches companies have developed for the specific risks that they have uncovered.

Clearly third party risk mitigation through due diligence is key. How much due diligence is enough? One speaker said that it is a balancing call to determine the right amount. There were several presentations which spoke about the increasing use of technology to assist companies in this process. One speaker, a former federal prosecutor, said that one of the things that she looked for when a prosecutor was the ‘thoughtful analysis’ that the FCPA Guidance speaks about. To this end she believes that the human element will always be important because prosecutors want to see the thought process of not only how your program is designed but how you have crafted your risk mitigation based upon the information that you have assessed.

One of the speakers listed some of the factors to begin the review of your third parties. Recognizing that there is no one all-encompassing list, she suggested the following:

  1. How many third parties do you have?
  2. Where are these third parties located?
  3. Industry or sector do you conduct business?
  4. What is the relationship of the third party to a foreign government or state owned enterprise?
  5. Are the owners of the third party related at all to government employees?
  6. Is the use of the third party a business necessity or not? Why do you need to use sales representatives?
  7. What are the reputations and qualifications of the third parties? Can they do what you need them to do from a commercial perspective?
  8. How much control will you have over the third parties? Contrast the control that you have over sales agents with the lesser amount of control that you have over distributors and joint ventures.

From the answers to some of these questions you can begin to craft your third party due diligence inquiries. I was intrigued by one speaker who speech contrasted the steps that you might take with a lower risk third party with that of a higher risk third party. She likened the lower risk approach to that of a compact car and set out the following suggestions:

  • Rank each third party by the risk you have assessed;
  • Perform an Internet search on the third party;
  • Perform reference checks on the third party;
  • Interview control persons involved with the third party;
  • Agreement to abide by anti-bribery and anti-corruption laws;
  • Insert appropriate compliance terms and conditions in your third party contracts.

She contrasted the Compact model with what she termed the ‘Luxury model’ requirements of a third party program:

  • Prioritize your third parties by risk;
  • Appoint a Business Unit sponsor for each third party;
  • Develop a detailed third party application;
  • Perform an electronic records search on each third party;
  • Also perform independent screening of each third party;
  • Perform reference checks on each third party;
  • Perform site visits and interviews of each third party;
  • Have each third party acknowledgement your company’s Code of Conduct;
  • Require each third party  to go through ethics training;
  • Create a company committee, consisting of internal business, legal and compliance representatives to review your high risk third parties;
  • Insert compliance terms and conditions into each third party contract;
  • Require both internal and external audits of each third party;
  • Perform annual updates on your third parties; and
  • Perform quarterly electronic database rescreening.

There was also a discussion of some common Red Flags that you should be on the outlook for. They included:

  • Excessive commissions paid to third parties;
  • Unreasonable discounts given to third parties such as distributors;
  • Vaguely described services in a third party contract or invoice back to your company;
  • A third party which is in a different line of business than the one you want to hire to assist your company;
  • Close association by the third party with a Foreign Official;
  • Retention of the third party is required by a Foreign Official;
  • The third party is a shell company located offshore; and
  • Payments made to the third party are in a country different from the location where the third party’s services are delivered.

The concepts I derived from this presentation is that you should assess and manage your risks. If you determine them to be low, the Compact Model may work for you. If your third party risks are high, then the Luxury Model may be more appropriate. If you use a thoughtful and reasoned approach, you can navigate this area. But always Document, Document and then Document what you have done and why.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

April 10, 2013

Q: Do You Tell The Central Bank What To Do? A: ‘In Which Country’?

Last weekend in the Financial Times (FT) was a report by Tim Burgis of an interview he held over a lunch meeting with the Angolan Isabel dos Santos, who Forbes magazine recently declared “the continent’s first female billionaire.” Ms. dos Santos is the daughter of José Eduardo dos Santos, who has been Angola’s president for the past 33 years. The interview was a fascinating insight into how doing business in some countries under US or UK anti-corruption and anti-bribery laws can be so challenging.

Burgis quoted an un-named expert who described Angola as a place of “corny capitalism” where those with connections to “the Futungo, as the presidential coterie is known (after Futungo de Belas, the old presidential palace) have made fortunes.” Ms. dos Santos denied that she is involved in politics, claiming that she is only interested in business. Interestingly, Burgis quoted her as stating “I’m not involved in politics and I’ve never had any political role. I’ve never been in office. I’ve never taken any public administrative jobs. So, like I said, I don’t work with the government.”

Some of her business interests “include stakes in two Portuguese banks, BIC and BPI, and a communications group called ZON Multimédia and an indirect holding in Galp, a Portuguese energy group with assets from Mozambique to Venezuela.” While admitting that the “oil industry is politically driven” she insisted that in the business sectors in which she is involved “politics don’t come into it”, she says, even if her own big moment came when she was part of a consortium that won a public tender for Angola’s second mobile telephony licence in the late 1990s.”

Burgis noted that there are believed to be many ways for the well connected to make lots of money in Angola. He wrote, “There are, however, easy ways to make money if you’re connected in Angola, particularly in the resources industries, where top officials and generals have been known to take hidden stakes in ventures led by oil majors and to enjoy titles to diamond-bearing land.” He also went on to note that these systems may be perpetuating the overall poverty in African countries such as Angola when he said that “There are those who would say that corrupt models lie at the heart of the power structures that keep most Africans poor and unable to call their rulers to account.”

He noted that Ms. dos Santos has recently become involved in the energy sector through her partnership with the Portuguese businessman, Américo Amorim and his company Amorim Enereria. Burgis wrote “I ask her to clarify how those energy interests tie in with Sonangol, the Angolan state-owned oil company with assets from Iraq to Brazil that some critics perceive as a Futungo fiefdom. She fends off my questions before fixing me with the look one might give a particularly vexing eight-year-old. “The business is relatively complex because, when you structure a business, you have to look at different aspects from legislation to taxation, to governance, issues like that.”

Near the end of their lunch Burgis asks the following question do you “call up the governor of the central bank and tell him what to do? “In which country?” she quips. We laugh merrily.” She went on to explain how she did have the reputation for extraordinary power. Burgis quoted her as saying, “Well, it’s very difficult, I would imagine, to distinguish father and daughter. And maybe some of it comes as I’m doing my thing and my father being a very strong political African figure for so many years. Whatever he does is almost like some kind of cloud on top,” she says, reaching for the right metaphor and waving a hand over her head, as though her father were some celestial phenomenon. “So maybe some of these ideas come from this cloud-over effect from his position. But, no, I don’t call the central bank and I most certainly don’t give them instructions.”

Even from the head feigns, non-responsive and jocular tone of many of these answers, one can see just how challenging doing business in Angola can be for any company subject to the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. The first issue that would seem to pop up is just who are you doing business with and are they a Politically Exposed Person (PEP). Burgis specifically states “top officials and generals have been known to take hidden stakes in ventures led by oil majors”. Whether such interests are hidden or not, it is the responsibility of any US or UK company to perform the appropriate level of due diligence to ascertain whether they are doing business with such governmental officials. I have heard more than one Chief Compliance Officer (CCO) say that they had to pull the plug on a business proposition because they could not determine the beneficial owners of an entity with which they were considering doing business.

What about a country such as Angola, where people move freely between government and business. Once again if it is later determined that your company is in a joint venture or other business relationship, and your local partner obtains a government appointment during the pendency of the business relationship, it is up to your company to find out that information. This requires ongoing monitoring through company or software which alerts you when someone moves to becoming a PEP.

This is where it is critical that compliance terms and conditions be put into a contract for any such business relationship. Initially, you should have contract protections in place which require any business partner who obtains a government appointment to notify you. This should also be included with a clause that allows the contract to be terminated if the appropriate anti-corruption/anti-bribery protections cannot be put in place if such an eventuality occurs.

Clearly there are no easy answers to the quandary of doing business in a country such as Angola. With many of the top government officials, energy company higher-ups and extractive mineral elite not only closely related to each other but moving seamlessly between all three groups; a company under the FCPA or Bribery Act must tread very carefully. Or to quote the signature line from Hill Street Blues, “Let’s be careful out there.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

February 28, 2013

Distributors under the FCPA – Post Game Wrap Up

This week we have focused on distributors and how a company might think through ranking the risk, performing due diligence on and, finally, how to manage distributors going forward. This was spurred on by a discussion that David Simon and I had engaged in previously on LinkedIn. In today’s post I will try and wrap up and wrap together our approaches so that you might decide which works best for you and your organization.

But first I must note the passing of one of the most famous Texans of the 20th Century, Van Cliburn, the pianist who won the first-place award at the 1958 Tchaikovsky International Competition in Moscow. His gold medal in the inaugural year of the Tchaikovsky competition, won in Moscow, was viewed at the time as an American triumph over the Soviet Union at the height of the cold war. He became a cultural celebrity of pop-star dimensions and brought overdue attention to the musical assets of his native land. But he gave back as well, starting his own piano competition which also became world famous.

While I had been initially skeptical of David’s approach, as I read his White Paper on the subject and his guest post this week, I became convinced that his approach has merit because it follows what is set out in the recently released Department of Justice (DOJ)/Securities and Exchange Commission (SEC) Foreign Corrupt Practices Act (FCPA) Guidance, which I quote from the introductory section of the Ten Hallmarks of an Effective Compliance Program:

Compliance programs that employ a “check-the-box” approach may be inefficient and, more importantly, ineffec­tive. Because each compliance program should be tailored to an organization’s specific needs, risks, and challenges, the information provided below should not be considered a substitute for a company’s own assessment of the corpo­rate compliance program most appropriate for that particu­lar business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.[emphasis supplied]

Based upon this language, I believe that if a company takes a carefully designed and  reasoned approach to assessing the risk of its distributors and then manages that risk, it is something that meets the above prescription from the FCPA Guidance. While I believe that distributors should be considered the same as agents under the FCPA, I am persuaded that David’s approach meets the cited recommendation from the FCPA Guidance.

I.                   Fox Approach – The Full Monty Approach

While I wish I had thought of that name I have to credit it to Simon. In 2012, there were three enforcement actions which I believe made clear that there were no distinctions between agents and distributors. They were, the Smith & Nephew, Inc., (S&N) Deferred Prosecution Agreement (DPA) for criminal FCPA violations, the Oracle SEC Complaint for books and records violations and the Eli Lilly and Company (Lilly) SEC Compliant for books and records violations. I reviewed the enforcement actions and based upon the deficiencies noted by both the DOJ and SEC, that these enforcement agencies were classing distributors the same as agents or other similar entities in the sales chain.

In the S&N enforcement action, it was clear that S&N had not performed sufficient due diligence on these distributors nor did they document any due diligence that they may have engaged in. In the Lilly case, the policies and procedures in place to flag unusual distributor discounts were deficient as the enforcement action “noted that the company relied on representations of the sales and marketing manager without adequate verification and analysis of the surrounding circumstances of the transactions.” In the Oracle enforcement action it demonstrated that Oracle needed to institute the proper controls to prevent its employees at Oracle India from creating and misusing the parked funds in the distributor’s account and that Oracle needed to audit and compare the distributor’s margin against the end user price to ensure excess margins were not being built into the pricing structure. What I gleaned from these enforcement actions was that the full five steps suggested for agents and other third parties in the sales chain was needed for distributors. They are (1) Business Justification; (2) Due diligence, the level being based on your risk assessment; (3) Evaluation of due diligence; (4) Written contract with compliance terms and conditions; and (5) Management of the relationship going forward.

II.                Simon Approach – The Agency Approach

Simon advocated that a risk analysis should more appropriately based on the nature of a company’s relationships with their distributors. The goal should be to determine which distributors are the most likely to qualify as agents; for whose acts the company would likely to be held responsible.  He argues that it is a continuum of risk; that is, on the low-risk end are distributors that are really nothing more than re-sellers with little actual affiliation with the supplier company. On the high-risk end are distributors who are very closely tied to the supplier company, who effectively represent the company in the market and end up looking more like a quasi-subsidiary than a customer.

Simon looks at agency principles to guide his analysis of whether a distributor qualifies as an agent for FCPA purposes. He argues that factors to consider include:

  • The volume of sales made to the distributor;
  • The percentage of total sales of the distributor’s total business the principal’s product represents;
  • Whether the distributor represents the principal in the market, including whether it can (and does) use the company trademarks and logos in its business; and
  • Whether the principal company is involved in the running of the distributor’s business (such as by training the distributor’s sales agents, imposing performance goals and objectives, or providing reimbursement for sales activity).

Once a company segregates out the high-risk distributors that likely qualify as agents and potentially subject the company to FCPA liability from those that are mere resellers and pose less FCPA risk, FCPA compliance procedures can be tailored appropriately. For those distributors that qualify as “agents” and also pose FCPA risk, full FCPA due diligence, certifications, training and contract language are imperative. For those that do not, more limited compliance measures that reflect the risk-adjusted potential liability are perfectly appropriate.

III.              Athanas Approach – Management of the Relationship

I often say that once you have a business justification, perform and evaluate due diligence on an agent and then ink a contract; your real work now begins as you have to manage that relationship going forward. Athanas set out a plan to assist in that management component under which he provides a framework to help provide a business justification, assess/manage and document any discount offered to a distributor; all of which he calls the ‘Discount Authorization Request’ (DAR) and states as follows:

1.         Capturing and Memorializing Discount Authorization Requests

 Athanas says that it all begins with a DAR. This is so important that he argues a DAR template should be prepared, which is designed to capture the particulars of a given request and allow for an informed decision about whether it should be granted. Because the specifics of a particular DAR are critical to evaluating its legitimacy, it is expected that the employee submitting the DAR will provide details about how the request originated as well as an explanation in the business justification for the elevated discount. In addition, the DAR template should be designed so as to identify gaps in compliance that may otherwise go undetected.

2.         Evaluation and Authorization of DARs

The next step is that channels should be created to evaluate DARs. The precise structure of that system will depend on several factors, but ideally the goal should be to allow for tiered levels of approval. Athanas believes that three levels of approval are sufficient, but can be expanded or contracted as necessary. The key is the greater the discount contemplated, the more scrutiny the DAR should receive. The goal is to ensure that all DARs are vetted in an appropriately thorough fashion without negatively impacting the company’s ability to function efficiently.

3.         Tracking of DARs

Lastly comes the Document, Document, Document component. Once the information gathering, review and approval processes are formulated, there must be a system in place to track, record and evaluate information relating to DARs, both approved and denied. The documentation of the total number of DARs allows companies to more accurately determine where and why discounts are increasing, whether the standard discount range should be raised or lowered, and gauge the level of commitment to FCPA compliance within the company. This information, in turn, leaves these companies better equipped to respond to government inquiries down the road.

IV.              Bringing It All Home

You do not have to dream like Van Cliburn did but you can try other or new approaches. Whether you use the Fox ‘Full Monty’ approach or the Simon ‘Agency’ approach will depend on many different factors unique to your organization. You are only limited by your imagination. There may well be other approaches you can take if they are carefully thought out and well-reasoned.

But whatever approach you take on risk ranking and performing due diligence on your distributors, I would urge you to use Athanas’ DAR system or something similar to it. While it is of the utmost importance that you do so from the compliance perspective, the business reason is even more compelling. A company really does need to know what discounts it is giving to distributors and why they are receiving said discounts.

I hope that you have enjoyed our discussion and dialogue on distributors this week. I wanted to thank, once again, David Simon and Bill Athanas for their most excellent and timely posts. I certainly have learned quite a bit.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

January 28, 2013

Boeing and the Conduct of Due Diligence on Sub-Suppliers

The Foreign Corrupt Practices Act (FCPA) act has language which makes illegal a direct or indirect act which might be used to obtain or retain business from prohibited parties. This has caused companies to begin to look at their suppliers as one area which might give them FCPA exposure. I have been considering the role of suppliers in a compliance program as I followed the issue of the smoldering batteries in the Boeing 787 Dreamliner.

As reported in a New York Times (NYT) article by James B. Stewart, entitled Japan’s Role in Making Batteries for Boeing, the construction of the batteries at issue was outsourced by Boeing to a Japanese company called GS Yuasa. Stewart’s article points out the need for close review of suppliers and what can happen if the quality does not meet the standards required for the project. However, I considered the article from the FCPA perspective. Stewart initially noted that “No one has claimed that GS Yuasa was chosen for the 787 for anything but merit.” But then he goes on to say that “Boeing has long been dogged by suspicion that in return for awarding major contracts to Japanese companies, which also receive subsidies from the Japanese government, the countries airlines buy Boeing aircraft almost exclusively.”

The question all of this raised for me is just how much due diligence should a company engage in for its suppliers? The first thing to note is that GS Yuasa is not a direct contractor to Boeing. The Japanese company is a subcontractor to a French company named Thales, which was contracted by Boeing to supply the electrical system. However, Stewart noted that Boeing approved the Thales/GS Yuasa contract and relationship. Does this mean that Boeing performed any kind of due diligence on GS Yuasa? The article does not specify any of these facts. However, Stewart asks the question of whether the outsourcing of this work was a for the benefit of sales of planes to Japan? He quotes Richard L. Aboulafia who said, “And then there’s Japan. All the normal ways of doing business are upended.” When asked if there might be a ‘quid pro quo’ Aboulafia said, “Yes, absolutely. But no one will talk about it, and no one can prove it.” He went on to say that in Japan “there is a unique relationship between the airlines, the suppliers and the government. The government supported the airlines, the government and the industries and they developed together. The government has enormous influence. They all work together.”

Are these questions which should be explored in due diligence? I think this situation brings up the issue of how far down in the supply chain that a company needs to go in performing due diligence. Many contracts with suppliers require that if there is a sub-supplier that sub needs to go through due diligence. However, in the case of GS Yuasa, Boeing had the right to select the supplier and if you have that right you probably need to perform due diligence on the supplier.

The key question that Stewart raises in his article is whether Boeing is using the hiring of GS Yuasa as leverage to gain sales to the Japanese government. GS Yuasa admitted that the battery component of its company is a money loser, even with the Boeing contract. This obviously raises the question of why the company is in such a business. The company also admitted that it had received subsidies to the tune of $3.5 billion from the Japanese Ministry of Economy, Trade and Industry to “begin mass production of lithium-ion batteries…”.

However, does Boeing has strong supplier relationships with other Japanese companies? In addition to the sales to Japan Air, Boeing works closely with Japan’s Defense Ministry and Boeing was quoted in the article as saying that it had “a long history of working together to meet Japan’s defense needs.” In addition to the hiring of GS Yuasa, Boeing said that its Japanese partners had “designed and developed 35 percent of the 787 airframe structure, including the main box wing, which is the first time Boeing has ever entrusted such a critical design component to another company.”

Stewart penultimately notes that “any questions about GS Yuasa may be premature.” In addition to the investigation of GS Yuasa, both the French company Thales and Securaplane, an American subsidiary of the UK engineering company Meggitt which makes the battery chargers, are also being looked at in connection with the fires aboard the Boeing planes. Stewart does believe the “whatever the outcome, experts said that with so many lives at stake, the design and manufacturing of new aircraft should be based solely on legitimate issues of cost and quality, and the selection process for suppliers should be transparent and untainted by other commercial or political concerns.

To end his article, Stewart quotes Aboulafia who states that “The greatest enemy of good aircraft is people who interfere with the freedom to shop for the highest quality.” I think that the same could be said in conjunction with the FCPA and the Supply Chain.  If a company allows inferior quality into its supply chain through the bribery or corruption that the FCPA is designed to stop it could well allow an inferior product to be constructed. While such actions may not have the catastrophic and very public impact that the apparent battery failures on the 787 have sustained the damage can be severe.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

January 23, 2013

The FCPA Guidance on the Ten Hallmarks of an Effective Compliance Program

Many commentators are still mining the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) publication, A Resource Guide to the U.S. Foreign Corrupt Practices Act, (the “Guidance”), which was released last November. I continue to find nuggets to provide to the compliance practitioner, as do others. But as we are a Base 10 culture, today I want discuss the 10 points listed as the ‘Hallmarks of Effective Compliance Programs”. They are a change in style, but not content, from the prior 13 point minimum best practices that the DOJ has in the Deferred Prosecution Agreements (DPAs) since at least November, 2010 and, indeed, from prior information made available by the DOJ.

I.                   Where Have We Been

Beginning with at least the Metcalfe & Eddy Consent and Undertaking, filed in December, 1999, the DOJ has laid out its thoughts on what should go into a Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program. In the Metcalfe & Eddy Consent and Undertaking, the DOJ laid out ten points of an effective FCPA anti-corruption compliance program. This was modified somewhat in Opinion Release 04-02, which laid out a best practices compliance program in 12 points, where the DOJ reviewed the proposal by an investment group who were acquiring certain companies and assets from ABB Ltd. ABB Vetco Gray Inc. and ABB Vetco Gray (UK) Ltd., two of the entities being acquired, had previously pled guilty to FCPA violations. The investment group desired to protect itself from further liability, to the extent possible, by proposing to the DOJ a comprehensive best practices compliance program. While the DOJ noted that this compliance program was not a shield against future violations, the DOJ would not “intend to take an enforcement action [against the investors] for violations of the FCPA prior to their acquisition from ABB.”

In the Panalpina DPA, issued in November, 2010, the DOJ laid out a 13 point minimum best practices compliance program. This number was changed this past summer when the Data Systems & Solutions LLC (DS&S) DPA was announced. In this enforcement action the DOJ listed 15 points on its minimum best practices FCPA anti-corruption compliance program. Then later in the summer, the DOJ moved to a 9 point compliance program in the Pfizer DPA. Even with all these changes in the number, the substance of each compliance program has remained the same.

II.                Where Are We Now? Hallmarks of Effective Compliance Programs

The Guidance cautions that there is no “one-size-fits-all” compliance program. It recognizes that depending on a variety of factors such as size, type of business, industry and risk profile that a company should determine what is appropriate for its own needs regarding a FCPA compliance program. But the Guidance makes clear that these ten points are “meant to provide insight into the aspects of compliance programs that DOJ and SEC assess”. In other words you should pay attention to these and use this information to assess your own compliance regime.

  1. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption. It all starts with tone at the top. But more than simply ‘talk-the-talk’ company leadership must ‘walk-the-walk’ and lead by example. Both the DOJ and SEC look to see if a company has a “culture of compliance”. More than a paper program is required, it must have real teeth and it must be put into action, all of which is led by senior management. The Guidance states that “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards.” This prong ends by stating that the DOJ and SEC will “evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”
  2. Code of Conduct and Compliance Policies and Procedures. The Code of Conduct has long been seen as the foundation of a company’s overall compliance program and the Guidance acknowledges this fact. But a Code of Conduct and a company’s compliance policies need to be clear and concise. The Guidance makes clear that if a company has a large employee base that is not fluent in English such documents need to be translated into the native language of those employees. A company also needs to have appropriate internal controls based upon the risks that a company has assessed for its business model. Some of the risks a company should assess include “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.”
  3. Oversight, Autonomy, and Resources. This section starts with a discussion on whether a company has assigned a senior level executive to oversee and implement a company’s compliance program. Not only must a company assign such a person with appropriate authority but that person, and the overall compliance function, must have “sufficient resources to ensure that the company’s compliance program is implemented effectively.” Additionally, the compliance function should report to the company’s Board of Directors or an appropriate committee of the Board such as the Audit Committee. Overall the DOJ and SEC will “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
  4. Risk Assessment. The Guidance states that “assessment of risk is fundamental to developing a strong compliance program”. Indeed, if there is one over-riding theme in the Guidance it is that a company should assess its risks in all areas of its business. The Guidance lists factors that a company should consider in any risk assessment. They are “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.” The Guidance is also quite clear that when the DOJ and SEC look at a company’s overall compliance program, they “take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”
  5. Training and Continuing Advice. Communication of a compliance program is a cornerstone of any anti-corruption compliance program. The Guidance specifies that both the “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” The training should be risk based so that those high risk employees and third party business partners receive an appropriate level of training. A company should also devote appropriate resources to providing its employees with guidance and advice on how to comply with their own compliance program on an ongoing basis.
  6. Incentives and Disciplinary Measures. This involves both the carrot and the stick. Initially the Guidance notes that a company’s compliance program should apply from “the board room to the supply room – no one should be beyond its reach.” There should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. Additionally, the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.” These incentives can take the form of a part of senior management’s bonuses or simply recognition on the shop floor.
  7. Third-Party Due Diligence and Payments. Here the Guidance focuses on the ongoing problem area of third parties. The Guidance says that companies must engage in risk based due diligence to understand the “qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials.” Next a company should articulate a business rationale for the use of the third party. This would include an evaluation of the payment arrangement to ascertain that the compensation is reasonable and will not be used as a basis for corrupt payments. Lastly, there should be ongoing monitoring of third parties.
  8. Confidential Reporting and Internal Investigation. This means more than simply a hotline. The Guidance suggests that anonymous reporting, and perhaps even a company ombudsman, might be appropriate to have in place for employees to report allegations of corruption or violations of the FCPA. Furthermore, it is just as important what a company does after an allegation is made. The Guidance states, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” The final message is what did you learn from the allegation and investigation and did you apply it in your company?
  9. Continuous Improvement: Periodic Testing and Review. As noted in the Guidance, “compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” The DOJ/SEC expects that a company will review and test its compliance controls and “think critically” about its own weaknesses and risk areas. Internal controls should also be periodically tested through targeted audits.
  10. Mergers and Acquisitions. Pre-Acquisition Due Diligence and Post-Acquisition Integration. Here the DOJ and SEC spell out what it expects in not only the post-acquisition integration phase but also in the pre-acquisition phase. This pre-acquisition information is not something that most companies had previously focused on. Basically, a company should attempt to perform as much substantive compliance due diligence that it can do before it purchases a company. After the deal is closed, an acquiring entity needs to perform a FCPA audit, train all senior management and risk employees in the purchased company and integrate the acquired entity into its compliance regime.

As I commented earlier in this article, the DOJ and SEC have communicated what they believe are the important parts of a risk based, anti-corruption compliance program for many years. I do not think that a compliance defense could be set out any more succinctly. However, I do like things set out in Base 10 and the “Hallmarks of Effective Compliance Programs” is an excellent compilation of where we are and what you need in place to go forward. I recommend this as a good a starting point for any compliance practitioner to implement a new compliance program or to evaluate the state of an ongoing compliance regime so assess your company’s risks and use these hallmarks as a basis to move forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

January 9, 2013

Marks of Excellence – the Lakers 33 Game Winning Streak and FCPA Compliance Tools

Sorry Bill Simmons, but today we celebrate one of the great modern day records of any American sports franchise. On this day 41 years ago, the Milwaukee Bucks beat the Los Angeles Lakers to end the Lakers 33 game winning streak. This is the longest winning streak of any professional American sports team. 1971-72 was the greatest season in Laker history with the team winning the then record of 69 games for the season, topped off with a National Basketball Association (NBA) championship, after a 4-1 romp over the New York Knicks in the finals. By any measure, the Lakers achieved true greatness in that season.

One of the more interesting areas of Foreign Corrupt Practices Act (FCPA) compliance work is its evolving nature (although some might say more frustrating). However, as compliance work and compliance programs mature the tools, products and services available to help companies better manage the business of compliance continues to evolve as well. Several articles recently caught my attention and, in particular, one product caught my eye. Two of the articles appeared in the Financial Times (FT) and spoke to the advance in the sophisticated nature of compliance tools available. The final article was in the New York Times (NYT) and focused on a systemic failure by the US Air Force in the implementation of a computer upgrade that spoke to the difficulties a compliance practitioner can face in implementing a new compliance regime or engaging in a system upgrade.

The first FT article was by Jennifer Thompson, entitled “Rogues revealed by bad language”. In this article Thompson reported on research by Ernst & Young on information they received from the US Federal Bureau of Investigation (FBI). Thompson reported that “Phrases such “as “nobody will find out”, “cover up” and “off the books” are among those most likely to litter the in-boxes of corporate rogues, according to fraud investigators deploying increasingly popular linguistic software.” Moreover, “Expressions such as “special fees” and “friendly payments” abound for those embroiled in bribery cases, while rogue employees feeling the heat are likeliest to write that they “want no part of this” as well as the somewhat misguided “don’t leave a trail”.”

The technology angle is that there is software available which performs linguistic analysis that “initially protects employee anonymity, can flag uncharacteristic changes in tone and language in electronic conversations and can be tailored for particular types of employees, such as traders.” Further, Thompson noted that the “use of technology is set to grow as compliance departments police sprawling organisations to avert potentially costly mistakes.”

The second FT article was by Richard Waters, entitled “Counter-terrorism tools used to spot fraud”. In this article Waters detailed how “JPMorgan Chase has turned to technology used for countering terrorism to spot fraud risk among its own employees and to tackle problems such as deciding how much to charge when selling property behind troubled mortgages. The technology involves crunching vast amounts of data to identify hard-to-detect patterns in markets or individual behaviour that could reveal risks or openings to make money.” While the article focused on the use of the software to spot fraudsters, I believe that such techniques could well be brought in to help in the fight against corruption and bribery.

Another area where technology has come into play to help compliance programs is in due diligence. Most compliance practitioners are aware of the various levels of due diligence, that being Levels I, II and III. One difficult question has been how does a company perform in-country native language source business information investigations, without paying someone to put ‘boots on the ground’ and then have to pay for a translation, sort of due diligence Level I (a). I was recently introduced to a software tool by Arachnys Information Services Ltd (Arachnys) and I can tell you that it does some really cool stuff and can certainly help to fill a gap. Arachnys software can run your designated search terms in local media, such as newspapers or other sources, and not simply through a Google search database. It can then translate the local source for you and deliver the results to your computer. This software allows a compliance practitioner to perform in-country computer based due diligence at a level that I had not previously seen available. And as I said, it is really cool.

The final article was by Randall Stross, entitled “Billion-Dollar Flop: Air Force Stumbles on Software Plan”. In this article Stross discussed the failure by the Air Force to install and implement ‘off-the-shelf software’ which was originally budgeted at $628MM. In November of last year, the Air Force “canceled a six-year-old modernization effort that had eaten up more than $1 billion. When the Air Force realized that it would cost another $1 billion just to achieve one-quarter of the capabilities originally planned –  and that even then the system would not be fully ready before 2020 – it decided to decamp.” While there were numerous reasons given for the failure, the main reason attributed was that there was not “a single accountable leader” who “has the authority and willingness to exercise the authority to enforce all necessary changes to the business required for successful fielding of the software.”

The failure of the Air Force’s attempt to modernize its software speaks to one of the issues present when implementing or scaling up a compliance regime. First, do not start with the ‘Big Bang’ approach and try to do everything at once. There is usually more success by scaling implementation or enhancement down into manageable chunks. Next is the point raised above, that being that there must be a leader who not only has the authority but the willingness to exercise the authority to make the changes. Additionally, coupled with this type of leader, is the need for local buy-in which is important, as is empowering small groups to make the necessary decisions.

So today we celebrate the greatness of the Lakers and their phenomenal season of ‘71-72. In the compliance world, best practices are evolving but so are the tools which you can implement into your compliance program. The mining of data has many uses. Some companies such as Catelas Inc. can look at the relationships of persons and parties involved. Other software, such as that available through VisualRisk IQ, can mine the data and come up with financial or data points for further investigation. On the due diligence front, Arachnys software can help fill in holes for your in-country native source business information searches. Lastly, do not fall into the trap of the US Air Force; manage not only the expectations but the entire compliance process.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

« Previous PageNext Page »

Customized Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 4,228 other followers