FCPA Compliance and Ethics Blog

May 30, 2014

Will TRACE Certify the World?

Aaron Hernandez, former New England Patriots tight end, was indicted for murder this week, allegedly killing a man for spilling his drink at a bar. But fatal disputes originating in taverns are not anything new as on this day, 501 years ago, the English playwright Christopher Marlowe, 29, was killed in a brawl over a bar tab. Marlowe was two months older than William Shakespeare. A bright student, he won scholarships to prestigious schools and earned his BA from Cambridge in 1584. While still in school, Marlowe wrote his play Tamburlaine the Great, about a 14th century shepherd who became an emperor. The blank verse drama caught on with the public, and Marlowe wrote five more plays before his death in 1593, including The Jew of Malta, Dido, Queen of Carthage and Dr. Faustus. He also published a translation of Ovid’s Elegies.

How famous was Christopher Marlowe? Marlowe heavily influenced Shakespeare himself in his work, from his reworking of Marlovian themes in Antony and Cleopatra, The Merchant of Venice, Richard II and Macbeth. In Hamlet, after meeting with the travelling actors, Hamlet requests the Player perform a speech about the Trojan War, which has an echo of Marlowe’s Dido, Queen of Carthage. In Love’s Labour’s Lost, Shakespeare brings on a character “Marcade” (three syllables) in conscious acknowledgement of Marlowe’s character “Mercury” from the Massacre at Paris. The most famous tribute to Marlowe was paid by Shakespeare in As You Like It, where he not only quotes a line from Hero and Leander (“Dead Shepherd, now I find thy saw of might, ‘Who ever loved that loved not at first sight?’”) but also gives to the clown Touchstone the words “When a man’s verses cannot be understood, nor a man’s good wit seconded with the forward child, understanding, it strikes a man more dead than a great reckoning in a little room.” This appears to be a reference to Marlowe’s murder, which involved a fight over the “Reckoning” (the bill), as well as to a line in Marlowe’s The Jew of Malta – “Infinite riches in a little room”.

I thought about Marlowe and his status as a playwright, even up to this day, when I considered something I heard Alexandra Wrage say at one of her recent talks here in Houston. She said, “TRACE wants to certify the world.” When I asked her what she meant by this she told me about the TRACE certification process. I had some familiarity with it, having seen reports from companies who had gone through the process and were presenting their certification when applying to do business as third party representatives for US or UK companies. The TRACE certification process is a detailed review, analysis and approval process that allows third parties to own and share their verified due diligence information. The TRACE certification due diligence reports contain a wealth of anti-bribery compliance information establishing that the candidate has been thoroughly vetted, trained and certified by TRACE. The report is packaged for the purpose of sharing verified due diligence information with an unlimited number of business partners. The TRACE certification is suitable for medium-to-higher risk relationships and involves an annual renewal requirement and a mandatory anti-bribery training course. Some of the key information contained in a report is as follows:

  • Red flags identified;
  • Comprehensive anti-bribery questionnaire;
  • Company literature collected and reviewed;
  • Business registrations;
  • Names and CVs for owners, directors, and key employees;
  • Contact information for three business references;
  • Financial reference; and
  • A signed Anti-Bribery Code of Conduct

One of the interesting things about the certification report is that TRACE calls them portable. By this, it means that once a company has gone through the TRACE certification process and receives its report, this report can be presented to other companies, which might desire to engage that third party. While there is no substitute for a company obtaining and evaluating the due diligence it receives based upon its own risk profile, the TRACE certification can be a powerful and persuasive tool to present to a company. In other words, the burden of performing due diligence is shifted away from the company to the foreign company seeking to show that they do business in compliance with anti-corruption laws, such as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act.

All of this means that going through a TRACE certification process can have benefits for both parties in the lifecycle management of third parties for a company that wants to hire a foreign company as a third party representative. First, and foremost, is the cost: it is the foreign party who seeks and pays for the TRACE certification, so this shifts the cost away from the US or UK company. But more than simply the cost can be the elimination of a large part of the expense and delay associated with the vetting process. Further, the TRACE certification offers ongoing monitoring of third party relationships with daily screening of names against international sanctions and enforcement lists and can help simplify the third party recertification process for all companies in the process, both the companies seeking third party representatives and the foreign entities seeking to represent or do business with US or UK companies on a commercial basis.

For the entity outside the US or UK that wants to demonstrate its commitment to doing business in compliance with anti-bribery legislation, the TRACE certification can provide appropriately qualified intermediaries with a valuable business credential, widely recognized in the compliance community, for successfully completing the due diligence gold standard. And again it allows foreign third parties to share their verified due diligence information with all of their business partners from a company known across the globe for its commitment to anti-bribery and anti-corruption – TRACE.

So while Marlowe may not receive all of the kudos that Shakespeare does; he is certainly well thought of. For a foreign company who wants to do business with a US or UK company, you might want to head over to the TRACE website and check out their certification process. It could provide to you a true market differentiator from others that might desire to represent US or UK companies.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

 

May 13, 2014

Working With Third Parties in the Due Diligence Process

On this day we celebrate the 1607 founding of the English colony at Jamestown. While credited with being the first English colony in what became America, it’s probably more accurate to refer to it as the first permanent English colony that survived for any length of time. The largely male colonists faced many tough years before they finally pulled through. One thing that made the colonists’ experience so difficult was that they had no idea about what to expect when they sailed over to the New World.

Hopefully in the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance regime, the situation is a bit more advanced today when it comes to looking at third parties, in the pre-contract phase of third party management, during due diligence. While most companies, if not comfortable with the need for and execution of pre-contract signing due diligence, certainly understand the need for this process, the same is not universally true for the non-US or non-UK company upon which due diligence is being performed. An interesting article in the recent issue of Compliance Insider, entitled “Disclosing the Subject-Dealing with Compliance Immaturity”, deals with precisely this situation, where the third party has not gone through the due diligence process. The article provides some useful tips on how the compliance practitioner can get through this sometimes-delicate process.

One thing the article makes clear is that if you are performing due diligence on a third party, you should fully disclose this information to the third party. They state, “There is nothing to be gained by not telling the subject company about the process or trying to keep it secret. Except for in an acquisition where the buyer has yet to disclose themselves, there is little advantage in keeping quiet. The third party expects that you will be doing some form of due diligence and engaging a compliance or legal firm to complete a review. There is nothing that the due diligence company or law firm is going to do differently than if that due diligence were secret – no one would ever disclose more than they had to and would never disclose the name of the client for which they were acting.”

After you disclose to the third party that they need to go through your company’s due diligence process, which should begin with a questionnaire to help determine the appropriate level of due diligence to perform, you may face pushback from the third party. Unfortunately, as the article notes, such pushback usually goes initially to the business contact, which tends to side with the third party against the compliance function. This means that you need to educate your business unit sponsor on the reasons your company must engage in the third party management process so that they can communicate this to the third party. The article identifies three major reasons which a third party may resist your attempts at due diligence.

  1. Immaturity - the third party is “not used to due diligence or working with global companies that focus on compliance. They are not aware of the value of due diligence and have been living in the “compliance cave”. This is an issue in itself as it shows a degree of compliance immaturity and certainly gives an insight into how that company might be as an acquired entity. They are probably going to focus on the fact that there is an inbuilt level of trust that is needed in business and that the company should rely on that trust.”
  2. Negotiating - the third party may be “negotiating, trying to leverage the issue for their own gain as part of a negotiation. They may not be trying to hide anything per se, but may be sending a message that the company is taking too long, being too conservative, being caught in compliance obfuscation or losing sight of the real deal.”
  3. Hiding - it may also be that the third party does have something to hide.

The article suggests four clear steps that you can take if you are faced with one or more of the above reasons for pushback from the third party.

  1. Engage the issue head on – it is important that you quickly and succinctly address concerns that your compliance team or compliance process is “heavy handed or that there is a lack of trust” between your company and the third party.
  2. Engage the business sponsor – as I stated above, one of the key components of any successful third party lifecycle management program is the engagement of the business sponsor. Obviously the business sponsor needs to justify the potential contractual relationship your company would have with the third party but the business sponsor is also the primary point of contact with the third party, throughout both the pre-contracting phase and the post-contracting relationship management. The article intones that if the third party tries to use an excuse to stop or lessen the process, “then the transaction is probably not worth it.”
  3. Develop your company’s compliance message – you should be crystal clear that your company will “conduct due diligence and background screening on all its proposed business partners and it is company policy to do so.” This can be done through reference to the FCPA and your company policy. But more than simply a legal explanation, reputational risk is also important for your company. Be clear and re-emphasize your message that “there is neither a lack of trust nor an assumption of lack of integrity on the part of the subject company – it is normal procedure and gets done for all third parties of certain types right across the company, and this subject company is no different.”
  4. Negotiate a proposed go-forward plan – the article emphasizes that you should “not back down” and I whole-heartedly agree. But more than simply standing strong, you can use these discussions to help educate the third party involved why it is not only important for your company but also the third party. If they want to do business with any US or UK Company, they will need to go through this process. Indeed, it will make them more marketable to US or UK Companies if they have gone through the process.

Like many compliance practitioners, I came to the field of compliance through the legal department. Working for a very big fish company in the energy company it was very much ‘big fish-little fish’ where the big fish told the little fish what would be in the contract. However that model does not, nor should it, work in the compliance field. I have found that most third parties understand that if they desire to do business with a US or UK company, since we are required to perform due diligence as part of any best practices compliance program, the third party will need to be a part of that process. The Compliance Insider article provides a valuable look at a topic which is not always focused on from the perspective of the US or UK based compliance practitioner.


April 11, 2014

Joint Venture Partners and the Company You Keep Under the FCPA

As the father of a teenage daughter I am sometimes, reluctantly, forced to admit that upon rare occasions my parents were right about a few things. One was asking for permission first rather than asking for forgiveness after the fact, or in my case as a teenager the untoward event. Another was my mother’s admonition that you are judged by the company you keep. I thought about that truism when I read an article in the Financial Times (FT) yesterday, entitled “Steinmetz unit won Guinea mining riches corruptly, inquiry says”, by reporter Tom Burgis.

The article relates the long running story of the BSG Resources’ (BSGR) winning of the multi-billion mining concession for the Simandou iron-ore mine in the country of Guinea, which was awarded to the company at the end of the reign of the country’s former dictator Lansana Conté, before he died in 2008. According to a report prepared by the current government of Guinea, BSGR won the contract by paying bribes to his fourth wife Mamadie Touré in the form of cash and shares “to help ensure those rights were stripped from Anglo-Australian miner Rio-Tinto and granted to BSGR.”

Of course there is also the tale of BSGR employee/agent/representative/other Frederic Cilins who contacted Ms. Touré in the US and offered to pay her some $5MM to retrieve the contracts which detailed the payments she was to receive from BSGR. It turned out that there was a Grand Jury investigation going on over BSGR at the time and by now Ms. Touré was a cooperating witness with the Department of Justice (DOJ). Cilins was arrested, charged with and pled guilty to obstruction of justice.

BSGR has denied all of these allegations and says that it received the rights to the mining concession fair and square. Further, it has questioned not only the legitimacy of the report issued by the Guinea government but of the government itself, saying “[current] President Conté has manipulated the process through unconditional technical and financial support from activists like [billionaire transparency advocate] George Soros and NGOs that function as his personal advocacy groups.” The Guinea government report recommends that BSGR’s mining concession be cancelled.

So how does all this imbroglio relate to my mother’s admonition? It is because BSGR was in a joint venture (JV) with the Brazilian company Vale for this concession. The FT article reports “After spending $160m on preliminary development of its Guinea assets, BSGR in April 2010 struck its $2.5bn deal with Vale, of which $500m was payable immediately. The balance was to be paid if targets were met but Vale halted payments last year, after the corruption allegations surfaced. The inquiry concluded that, although payments to Ms Touré allegedly continued following the Vale transaction, it was “likely” that the Brazilian group “has not participated in corrupt practices”. Nonetheless, it said the Vale-BSGR joint venture – which BSGR says has spent $1bn at Simandou – should be stripped of its rights to that and other prospects.”

Vale’s response to all of this has been – wait for it – “conducts appropriate due diligence prior to its investments.” Vale had no comment on the Guinea government report released yesterday. I wonder what its due diligence on BSGR turned up?

I wrote last week about the life cycle management of the third party relationship. That series of articles was primarily aimed at agents and other representatives in the sales channel and vendors in the supply chain. While those same concepts apply to JVs, there is another level of management when there is a relationship such as a JV. One JV partner must have transparency into the actions of its partner and there must be as much assurance as possible that there is no corruption going on. From the time line presented in the FT article it appears that the JV between BSGR and Vale was created (2010) after the payments were contracted to Ms. Touré and the concession granted to BSGR (2008).

However I am sure that is of little comfort to Vale, which is now down the $500MM that it paid to BSGR to enter into the JV relationship. How much has it had to spend to circle the wagons to defend itself? And do you think the DOJ has come knocking on their door during its investigation? (The smart money says yes). To top it all off, last week the company announced it might have to write off its entire investment in Guinea. While Guinea indicated that Vale would not be banned from rebidding if rights for the mining concessions were reopened, what do you think Vale’s chances would be? (Here the smart money says no).

Did Vale subject itself to Foreign Corrupt Practices Act (FCPA) liability by joining into a JV with BSGR? At this point I have no idea. But you know my Mom was right, in the FCPA world, when it comes to JV’s, you are known by the company you keep.


April 2, 2014

Life Cycle of Third Party Management – Step 3 – Due Diligence

Most companies fully understand the need to comply with the Foreign Corrupt Practices Act (FCPA) regarding third parties as they represent the greatest risks for an FCPA violation. However most companies are not created out of new cloth but are ongoing enterprises with a fully up and running business in place. They need to bring in resources to comply with the FCPA while continuing to do business. This can be particularly true in the area of performing due diligence on third parties. Many companies understand the need for a robust due diligence program to investigate third parties, but have struggled with how to create an inventory to define the basis of risk of each foreign business partner and, thereby, perform the requisite due diligence required under the FCPA.

Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner. However, the information that you should have developed in Steps 1 & 2 of the life cycle of third party management should provide you with the initial information to consider the level of due diligence that you should perform on third parties. This leads to today’s topic of Step 3 in the five steps of the life cycle management of third parties – Due Diligence.

Jay Martin, Chief Compliance Officer (CCO) at Baker Hughes, often emphasizes, when he speaks on the topic, that a company needs to evaluate and address its risks regarding third parties. This means that an appropriate level of due diligence may vary depending on the risks arising from the particular relationship. So, for example, the appropriate level of due diligence required by a company when contracting for the performance of Information Technology (IT) services may be low, to reflect low risks of bribery on its behalf. Conversely, a business entering into the international energy market and selecting an intermediary to assist in establishing a business in such markets will typically require a much higher level of due diligence to mitigate the risks of bribery on its behalf.

Our British compliance cousins of course are subject to the UK Bribery Act. In its Principle VI of an Adequate Procedures compliance program, the UK Ministry of Justice (MOJ) stated, “The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.” The purpose of Principle VI is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from bribing on their behalf. The MOJ recognized that due diligence procedures act both as a procedure for anti-bribery risk assessment and as a risk mitigation technique. The MOJ said that due diligence is so important that “the role of due diligence in bribery risk mitigation justifies its inclusion here as a Principle in its own right.”

Carol Switzer, writing in Compliance Week, related that you should initially set up categories for your third parties of high, moderate and low risk. Based upon which risk category the third party falls into, you can design specific due diligence. She defined low risk screening as “trusted data source search and risk screening such as the aforementioned World Compliance”; moderate risk screening as “enhanced evaluation to include in-country public records…and research into corporate relationships”; high risk screening is basically a “deep dive assessment” where there is an audit/review of third party controls and financial records, in-country interviews and investigations “leveraging local data sources.”

A three-step approach was also discussed favorably in Opinion Release 10-02. In this Opinion Release, the Department of Justice (DOJ) discussed the due diligence that the requesting entity performed. “First, it [the requestor] conducted an initial screening of six potential grant recipients by obtaining publicly available information and information from third-party sources…Second, the Eurasian Subsidiary undertook further due diligence on the remaining three potential grant recipients. This due diligence was designed to learn about each organization’s ownership, management structure and operations; it involved requesting and reviewing key operating and assessment documents for each organization, as well as conducting interviews with representatives of each MFI to ask questions about each organization’s relationships with the government and to elicit information about potential corruption risk. As a third round of due diligence, the Eurasian Subsidiary undertook targeted due diligence on the remaining potential grant recipient, the Local MFI. This diligence was designed to identify any ties to specific government officials, determine whether the organization had faced any criminal prosecutions or investigations, and assess the organization’s reputation for integrity.”

Based upon the wisdom of the aforementioned compliance experts, Opinion Release 10-02 and others I have reviewed break due diligence down into three stages: Level I, Level II and Level III. A very good description of the three levels of due diligence was presented by Candace Tal in a guest post, entitled “Deep Level Due Diligence: What You Need to Know”.

Level I

First level due diligence typically consists of checking individual names and company names through several hundred Global Watch lists comprised of anti-money laundering (AML), anti-bribery, sanctions lists, coupled with other financial corruption & criminal databases. These global lists create a useful first-level screening tool to detect potential red flags for corrupt activities. It is also a very inexpensive first step in compliance from an investigative viewpoint. Tal believes that this basic Level I due diligence is extremely important for companies to complement their compliance policies and procedures; demonstrating a broad intent to actively comply with international regulatory requirements.

Level II

Level II due diligence encompasses supplementing these Global Watch lists with a deeper screening of international media, typically the major newspapers and periodicals, from all countries plus detailed internet searches. Such inquiries will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company, the third party’s key executives and associated parties. I believe that Level II should also include an in-country database search regarding the third party. Some of the other types of information that you should consider obtaining are country of domicile and international government records; assessments of the third party from in-country sources; and the results of international derogatory electronic and physical media searches. You should perform both English and foreign-language repository searches on the third party in its country of domicile. If you are in a specific industry, you should also use technical specialists to obtain information from sector-specific sources.

Level III

This level is the deep dive. It will require an in-country ‘boots-on-the-ground’ investigation. I agree with Tal that a Level III due diligence investigation is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence to identify known and more importantly unknown conditions. Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth assessment to an in country investigation.” Further, the “Direction of the work and analyzing the resulting data is often critical to a successful outcome; and key to understanding the results both from a technical perspective and understanding what the results mean in plain English. Investigative reports should include actionable recommendations based on clearly defined assumptions or preferably well-developed factual data points.”

But more than simply an investigation of the company, critically including a site visit and coupled with onsite interviews, Tal says that some other things you investigate include “an in-depth background check of key executives or principal players. These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.” Tal believes that such “Reputational information, involvement in other businesses, direct or indirect involvement in other law suits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publicly.”

Further, you may need to engage a foreign law firm, to investigate the third party in its home country to determine the third party’s compliance with its home country’s laws, licensing requirements and regulations. Lastly, and perhaps most importantly, you should use Level III to look the proposed third party in the eye and get a firm idea of his or her cooperation and attitude towards compliance as one of the most important inquiries is not legal but based upon the response and cooperation of the third party. More than simply trying to determine if the third party objected to any portion of the due diligence process or did they object to the scope, coverage or purpose of the FCPA; you can use Level III to determine if the third party is willing to stand up with you under the FCPA and are you willing to partner with the third party.

The Risk Advisory Group has put together a handy chart of its Level I, II and III approaches to integrity and due diligence. I have found it useful in explaining the different scopes and focuses of the various levels of due diligence.

Level One

Issues Addressed:

  • That the company exists
  • Identities of directors and shareholders
  • Whether such persons are on regulators’ watch lists
  • Signs that such persons are government officials
  • Obvious signs of financial difficulty
  • Signs of involvement in litigation
  • Media reports linking the company to corruption

Scope of Investigation:

  • Company registration and status
  • Registered Address
  • Regulators’ watch lists
  • Credit Checks
  • Bankruptcy/Liquidation Proceedings
  • Review accounts and auditors comments
  • Litigation search
  • Negative media search

Level Two

Issues Addressed (as above with the following additions):

  • Public Profile integrity checks
  • Signs of official investigations and/or sanctions from regulatory authorities
  • Other anti-corruption Red Flags

Scope of Investigation (as above with the following additions):

  • Review and summary of all media and internet references
  • Review and summary of relevant corporate records and litigation filings, including local archives
  • Analysis and cross-referencing of all findings

Level Three

Issues Addressed (as above with the following additions):

  • But seeking fuller answers to any questions raised by drawing on a wider range of intelligence sources and/or addressing specific issues of potential concern already identified

Scope of Investigation (as above with the following additions):

  • Enquiries via local sources
  • Enquiries via industry experts
  • Enquiries via western agencies such as embassies or trade promotion bodies
  • Enquiries via sources close to local regulatory agencies

As you can see from this blog post, there are many different approaches to the specifics of due diligence. By laying out some of the approaches of other experts in the field, I hope that you can craft the relevant portions into your program. The Level I, II & III trichotomy appears to have the greatest favor and is one that you should be able to implement in a straightforward manner. However, as Jay Martin constantly says, you need to assess your company’s risk and manage that risk. So if you need to perform additional due diligence to answer questions or clear red flags, you should do so. And do not forget to Document, Document and Document all your due diligence.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

February 27, 2014

Alfred the Great, GE and the Management of Third Party Risk

I am currently studying Medieval England including the reign of Alfred the Great. As you might expect with someone monikered as ‘The Great’ he is certainly considered right up there with the greatest Kings of England. Not only did he largely drive out the Viking invaders from his country but he also set the stage for the unification of England under one crown, for the first time since the days of Roman Britain under the Caesars. One of the innovations he developed was fortified towns, called burgs, from which to resist Viking raids and incursion. But more than simply walled cities for defense, within these fortified towns was a wide road running down the middle of the town called the ‘High Street’ and a street situated next to the town’s walls appropriately called ‘Wall Street’. These streets were wider than the others in the town to facilitate the movement of troops in the time of crisis, such as a Viking raid. In other words, Alfred evaluated the risk to his kingdom and put multiple layers of steps into place to manage those risks.

In the Foreign Corrupt Practices Act (FCPA) compliance world, one of the key components that the Department of Justice (DOJ) wants to see is a risk assessment and a company managing its risks, based upon said risk assessment. One company’s response to a risk or set of risks does not necessarily mean that another company must follow it. The DOJ’s Ten Hallmarks of an Effective Compliance Program are broad enough to allow companies to manage their own risks, hopefully effectively. I thought about this concept when I was listening to a presentation by Flora Francis and Andrew Baird of GE Oil & Gas at the 2014 SCCE Utility and Energy Conference in Houston this week on GE’s third party risk management. First of all, if you have the chance to hear a couple of nuts and bolts compliance practitioners from GE like these two speak, run, don’t walk, to their presentation. GE’s commitment to compliance is well known, but the company’s willingness to share about its compliance program is also a great boon to the compliance community. Lastly, there is the gold-standard nature of the GE compliance program; while it may be more than your company needs to manage its own risks, the GE compliance regime does shine a light that we can all aspire to in our own compliance programs.

Both speakers made clear that GE’s program was the company’s response to its assessed risks. Further, the compliance program has evolved, not only as the company’s risks have evolved but also as the company has determined what works and does not work as well. Within the realm of third parties, the prescient question from compliance to the business unit would be ‘What is your “Go To Market Strategy” and how will your use of third parties assist you in carrying out that strategy?’ Some of the factors the speakers cited could include your company’s market coverage strategy, product segmentation, pricing and margin expectation, an added capability which your company may not possess such as technology, and finally there could be local legal requirements for a local content third party in certain countries.

Some of the factors which GE considers, when evaluating a third party, include the following: 

  • Business Model: Do we need third parties to reach our customers or can we build the organization ourselves?
  • In-house Capabilities: Do we already have the organization in place to handle these capabilities?
  • Overlap: Do we already have a third party in the region/country that can handle our needs?
  • Volume of Business: How much business will this third party bring to the company?
  • Compliance Risk: Where is the third party located? Will they interact with government officials? Do they have the same commitment to compliance?
  • Regulatory Environment: Is it simple or strict? What are the chances of regulatory violations?
  • Reputation: What is the third party’s reputation in the market? 

I was also intrigued to learn about the risk analysis process that GE uses with its third parties. Initially the process breaks the risks down into low risk and high risk. A low risk receives a limited review and analysis, while a high risk receives an escalated review and analysis consisting of the following reviews: compliance, legal, business leadership and finance.

But more than simply the level of review, I was interested in the ‘Risk Score Drivers’ that GE has developed. Once again, the speakers emphasized that these are GE’s risk score drivers and have been developed over time through the company’s internal analysis and processes. Nevertheless I found them to be a very useful way to think about third party risk. The risk score drivers listed were:

  • Country channel where the third party is located in or where it sells into;
  • Experience by the third party with the sales channel;
  • Type of third party involved; agent, reseller, distributor;
  • Commission rate, is it standard v. non-standard;
  • Will any sub-third party relationships be involved;
  • Will the third party sell to government entity or instrumentality;
  • Do any of the third party’s principals, Officers or Agents work for a foreign government, state owned enterprise or political party;
  • Was the third party mandated by customer or the end user;
  • What is the third party’s contract duration;
  • Is the third party involved in more than one project;
  • Does the third party have any historical compliance issues;
  • What is the percent of sales with products or services; and
  • What is GE’s annual revenue with the third party?

GE compliance then takes these scoring factors and puts them into an evaluation matrix when determining the amount of risk involved and whether or not the company should move forward with a proposed third party. If the decision is made to move forward and create a commercial relationship, the third party must agree to commit to the compliance standards of GE; stay current with and obey all applicable legal and regulatory provisions; comply with all contractual provisions; grant to GE audit rights; agree to report any compliance violations; certify to all compliance requirements on a regular basis; receive and complete compliance training; and allow regular site visits. GE also requires each third party to have a relationship manager assigned to it who is there to establish ongoing communication, provide ongoing training and to provide a platform for business improvement. Internally GE has processes in place to refresh due diligence; review, renew and update as appropriate contracts; conduct regular site visits and periodic audits.

Flora and Andrew ended their presentation with the following quote from the US Sentencing Guidelines about the question – ‘When is Enough, Enough?’ When you can show the government agency asking that you have taken appropriate steps to design, implement, and enforce a compliance program that is generally effective in preventing and detecting criminal conduct.

Their presentation was an excellent mechanism for the compliance practitioner to assess their third party management program. Although they made clear that this program was not for all companies, there is enough meat present for anyone to use in evaluating where you might be and where you might need to go in management of your third parties. And just as Alfred the Great constructed a defense-in-depth in his fortified towns, so the GE program for the management of third party risk has several layers of protection so that when the crisis does arise, they can adequately respond when the government comes knocking.


© Thomas R. Fox, 2014

December 4, 2013

The Weatherford FCPA Settlement, Part III

Yesterday, I reviewed the conduct which Weatherford International Limited (Weatherford) engaged in over a period from 2002-2011 in connection with its Foreign Corrupt Practices Act (FCPA) investigation, noted the deficiencies in its compliance program and its internal controls and even how the company intentionally impeded the investigations of both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC). Today, I want to look at how the company changed course in mid-stream during the investigation, brought in a top-notch and well respected lawyer as its Chief Compliance Officer (CCO), created a best-in-class compliance program; all of which saved the company millions of dollars in potential fines and penalties.

I. DOJ Fine Calculation

To resolve the criminal aspects of this case, Weatherford agreed to pay an $87.2 million criminal penalty as part of a Deferred Prosecution Agreement (DPA) with the DOJ. There was also another $65.6 million paid to the SEC. However, the figure paid to the DOJ was at the very bottom range of a potential criminal penalty. The range listed in the DPA was from $87.2 to $174.3 million. In coming up with this range under the Federal Sentencing Guidelines, it is significant which actions Weatherford did not receive credit for during the pendency of the investigation. The company did not receive a credit for self-reporting. The company only received a -2 for its cooperation because prior to 2008 the company engaged in activities to impede the regulators’ investigation.

So the fine range could have been more favorable to the company. But the key is that Weatherford received the low end of the range. How did they do this?

A. New Sheriff in Town

One of the key things Weatherford did was bring in Billy Jacobson as its CCO and give him a seat at the table of the company’s Executive Board. He was a Federal Prosecutor in the Fraud Section, Criminal Division, US Department of Justice. He also served as an Assistant Chief for FCPA Enforcement Department so we can assume he understood the FCPA and how prosecutors think through issues. (Jacobson also worked as a State Prosecutor in New York City, with my former This Week in FCPA co-host Howard Sklar, so shout out to Howard.) Jacobson was not hired directly from the DOJ but after he had left the DOJ and had gone into private practice. There is nothing that shows credibility like bringing in a respected subject matter expert and giving that person the tools and resources to turn things around.

But more than simply bringing in a new sheriff, Weatherford turned this talk into action by substantially increasing its cooperation with the government, thoroughly investigating all issues, turning over the results to the DOJ and SEC and providing literally millions of pages of documents to the regulators. The company also cleaned house by terminating officers and employees who were responsible for the illegal conduct.

B. Increase in Compliance Function

In addition to establishing Jacobson in the high level CCO position, the company significantly increased the size of its compliance department by hiring 38 compliance professionals and conducted 30 anti-corruption compliance reviews in the countries in which Weatherford operates. This included the hiring of outside consultants to assess and review the company’s compliance program and beefing up due diligence on all third parties, including those in the sales and supply chain, joint venture (JV) partners and merger or acquisition (M&A) candidates. The company also agreed to continue to enhance its internal controls and books and records to prevent and/or detect future suspect conduct.

If you have ever heard any of the current Weatherford compliance professionals speak at FCPA conferences, you can appreciate that they are first rate; that they know their stuff and the company supports their efforts on an ongoing basis.

C. Best in Class Compliance Program

During the pendency of the investigation, Weatherford moved to create a best practices compliance program. They appear to have done so and agreed in the DPA to continue to maintain such a compliance program. Under Schedule C to the DPA, it set out the compliance program which the company had implemented and continued to keep in place, at least during the length of the DPA. It included the following components.

  1. High level commitment from company officials and senior management to do business in compliance with the FCPA.
  2. A substantive written anti-corruption compliance code of conduct.
  3. Written policies and procedures to implement this code of conduct.
  4. A robust system of internal controls, including accounting and financial controls.
  5. Risk assessments and risk reviews of its ongoing business.
  6. No less than annual assessments of its overall compliance program.
  7. Appropriate oversight and responsibility of a Chief Compliance Officer.
  8. Effective training for all employees and relevant third parties.
  9. An effective compliance function which can provide guidance to company employees.
  10. A robust internal reporting system.
  11. Effective investigations of any reported compliance issue.
  12. Appropriate incentives for employees to do business ethically and in compliance.
  13. Enforced discipline for any employee who violates the company’s compliance program.
  14. Suitable due diligence and management of third parties and business partners.
  15. A correct level of pre-acquisition due diligence for any merger or acquisition candidate, including a risk assessment and reporting to the DOJ if the company uncovers any FCPA-violative conduct during this pre-acquisition phase.
  16. As soon as practicable, Weatherford will integrate any newly acquired entity into its compliance regime, including training of all relevant new employees, an FCPA forensic audit and reporting of any ongoing violations.
  17. Ongoing monitoring, testing and auditing of the company’s compliance function, taking into account any “relevant developments in the field and the evolving international and industry standards.”

D. Monitor

Weatherford also agreed to an external monitor. However, the term of the monitor is not the entire length of the three-year DPA; the term of the monitor is only 18 months. The monitor’s primary function is to assess the company’s compliance with the terms of the DPA and report the results to the DOJ at least twice during the terms of the monitorship. After this 18 month term the DOJ will allow the company to self-report to the regulators. It should be noted that the term of the external monitor can be extended by the DOJ.

II. Conclusion

It certainly has been a long, strange journey for Weatherford. I should note that I have not discussed at all the Oil-For-Food aspect of this settlement, which was an additional $100MM penalty to the company. However, with regard to the FCPA aspects of the matter, there are some very solid and telling lessons to be drawn from this case. First and foremost is that cooperation is always the key. But more than simply cooperating in the investigation is that a company should take a pro-active approach to putting a best-in-class compliance program in place during, rather than after the investigation concludes. Also, a company cannot simply ‘talk-the-talk’ but must come through and do the work to gain the credit. The bribery schemes that the company had engaged in and the systemic failures of its compliance program and internal controls, should serve as a good set of examples for the compliance practitioner to use in assessing a compliance program.

The settlement also sends a clear message from both the DOJ and SEC on not only what type of conduct will be rewarded under the US Sentencing Guidelines, but what they expect as a compliance program. One does not have to read tea leaves or attempt to divine what might be an appropriate commitment to compliance to see what the regulators expect these days.


© Thomas R. Fox, 2013

December 3, 2013

The Weatherford FCPA Settlement, Part II

Yesterday, I reviewed the Weatherford International Limited (Weatherford) Foreign Corrupt Practices Act (FCPA) settlement. Today I will take a more focused look at the bribery schemes involved and the failure of the company to bring internal controls up to standard or even follow its own compliance program. Weatherford’s compliance program was a joke but worse was its conduct, which many in the company knew was illegal and reported internally but the company did not stop the conduct. The company also, early on in the investigation, actively impeded regulators’ access to personnel and documents. However, and this is one of the key messages from the Weatherford FCPA enforcement action, the company truly ‘turned it around’. Tomorrow we will explore how the company made this dramatic turnaround.

The bribery schemes had four basic scenarios and, for those of you keeping score at home, I have summarized them below.

I. Corrupt Conduct

Weatherford Bribery Box Score

| Country | Bribery Scheme | Government or SOE Official Involved | Amount of Bribe Paid |
|---|---|---|---|
| Angola | Payments through 3rd parties | Sonagol Drilling Manager | $250K |
| Angola | JV Partners | Government Ministers, wives and other relatives | $810K |
| Congo | Payments thru 3rd parties | SOE officials | $500K |
| Middle East Countries | Unauthorized distributor discounts | SOE officials | $11.8MM |
| Algeria | Improper travel and entertainment | SOE officials | $35K |
| Albania | Misappropriation of company funds | Tax Auditors | $41K |

Angola

In Angola two separate bribery schemes were used. The first involved payment of a $250,000 bribe to the Sonagol Drilling Manager. To funnel the bribe the company retained a Swiss agent who paid the money. This Swiss agent billed Weatherford for non-existent and fraudulent services. He would retain a percentage of the total he billed as a commission and would pass the remainder to the Sonagol Drilling Manager. The bribery of the Drilling Manager also included a week long, all-expenses paid trip to Italy and Portugal, where only one of the days was business related.

The company continued this creativity when it set up a joint venture (JV) which had two local JV partners, JV Partner A and JV Partner B. Partner A consisted of Sonagol government officials, their wives and other relatives and held a 45% stake in the overall JV. JV Partner B’s principals included the relative of an Angolan Minister, the relative’s spouse, and another Angolan official. It held 10% of the overall JV interest. Neither of these JV Partners contributed capital, expertise or labor to the JV. In addition to the straight quid pro quo of awarding Weatherford 100% of the Angolan well screens market, these JV Partners had contracts which had been awarded to Weatherford competitors revoked after the initial award and then awarded to Weatherford.

Congo

In the Congo, Weatherford made over $500,000 in commercial bribe payments through the same Swiss Agent they had utilized in the initial Angolan bribery scheme to employees of a commercial customer, a wholly-owned subsidiary of an Italian energy company, between March 2002 and December 2008. The Swiss Agent’s role in the scheme included submitting false invoices and sending payments to individuals as directed by Weatherford Services Limited (WSL) employees and others. WSL employees created and sent false work orders to the Swiss Agent. The Swiss Agent, WSL employees and others knew the services would not be performed and that the work orders were a pretext to funnel money to the Swiss Agent. The Swiss Agent forwarded the money, less a commission, once again based on fraudulent invoices for non-existent services.

The Middle East

In certain un-named Middle Eastern countries between the years of 2005 and 2011 another Weatherford subsidiary employed another bribery scheme to funnel payments to officials of a state-owned National Oil Company (NOC). This bribery scheme entailed the awarding of improper “volume discounts” to a company that served as an agent, distributor and reseller which supplied Weatherford products to a state-owned and controlled NOC, believing that those discounts were being used to create a slush fund with which to make bribe payments to decision makers at the NOC.

The Securities and Exchange Commission (SEC) Complaint noted that as early as 2001, officials at the un-named national oil company directed Weatherford to sell goods to the company through a particular distributor. Prior to entering into the contract with the distributor, Weatherford did not conduct any due diligence on the distributor, despite: (a) the fact that the distributor would be furnishing Weatherford goods directly to an instrumentality of a foreign government; (b) the fact that a foreign official had specifically directed the company to contract with that particular distributor; and (c) the fact that Weatherford executives knew that a member of the country’s royal family had an ownership interest in the distributor. In late 2001, the company entered into a representation agreement with the distributor to sell its Completion and Production Systems products to the NOC.

Thereafter, the company created a slush fund by providing the distributor with unauthorized volume and pricing discounts, in addition to the agent’s 5% commission. Company employees intended that the slush fund would be used to pay officials at the un-named NOC. The “volume discounts” to the distributor were typically between 5-10% of the contract price. The discounts allowed the distributor to accumulate funds which were used to pay bribes to the NOC officials.

Algeria

Weatherford also provided improper travel and entertainment to officials of the Algerian NOC, Sonatrach, which did not have any legitimate business purpose. The SEC Complaint detailed the following improper travel and entertainment provided to Sonatrach officials:

  • June 2006 trip by two Sonatrach officials to the FIFA World Cup soccer tournament in Hanover, Germany;
  • July 2006 honeymoon trip of the daughter of a Sonatrach official; and
  • October 2005 trip by a Sonatrach employee and his family to Jeddah, Saudi Arabia, for religious reasons that were improperly booked as a donation.

In addition, on at least two other occasions, Weatherford provided Sonatrach officials with cash sums while they were visiting Houston. For example, in May 2007, Weatherford paid for four Sonatrach officials, including a tender committee official, to attend a conference in Houston. Further, the company provided an approximate $24,000 cash advance for the trip where there was no evidence of any legitimate business purpose or promotional expenses.

Albania

In Albania, Weatherford had a tax evaluation problem. To deal with this issue the general manager and financial manager of the company’s Italian subsidiary misappropriated over $200,000 of company funds, to fund a bribery scheme involving Albanian tax auditors. The general manager, financial manager and the Albania country manager made $41,000 in payments to Albanian tax auditors who questioned details of the company’s accounts and demanded payment to close out the audit or speed up the certification process in 2001, 2002 and 2004.

The general manager and financial manager misappropriated the funds by taking advantage of Weatherford’s inadequate system of internal accounting controls. They misreported cash advances, diverted payments on previously paid invoices, misappropriated government rebate checks and received reimbursement of expenses that did not relate to business activities. A memo drafted by the general manager and financial manager in the months after their co-worker confronted them discussed the misappropriated funds and indicated that funds were paid to tax auditors in Albania and others for the benefit of Weatherford. This was the bribery scheme which was reported to the company and the internal whistle-blower employee was terminated.

II. Program Deficiencies Lack of Cooperation

The DPA laid out in equally stark terms the complete and utter disregard, non-existence of and/or complete failure of any systemic compliance program, prior to 2008. These deficiencies included:

  • Failure to establish internal accounting controls to prevent bribery and corruption;
  • Failure to perform due diligence on any prospective third parties, including who they were, ultimate beneficial ownership and business justifications;
  • Failure to perform due diligence or in any meaningful way manage joint venture partners;
  • Failure to have any meaningful internal controls for gifts, travel and entertainment;
  • No effective internal reporting system for FCPA violations or issues; and
  • (Most amazingly) No Chief Compliance Officer or even compliance professionals in a multi-billion dollar, multi-national company in the energy industry.

In addition to all of the above, Weatherford engaged in active conduct to impede the investigations of both the SEC and DOJ. In one instance, the company told investigators that a key witness was dead when he was not only still alive and well but working for Weatherford. In other instances, emails were deleted by employees prior to the imaging of their computers. It was also noted that Weatherford failed to secure important computers and documents and allowed potentially complicit employees to collect documents subpoenaed by the staff.

Tomorrow, the Weatherford compliance comeback.


© Thomas R. Fox, 2013

December 2, 2013

The Weatherford FCPA Settlement, Part I

Last week Weatherford International Limited (Weatherford) concluded one of the longest running open Foreign Corrupt Practices Act (FCPA) investigations when it agreed to the ninth largest FCPA fine of all-time and one of its subsidiaries, Weatherford Services Limited (WSL), agreed to plead guilty to violating the anti-bribery provisions of the FCPA. The total amount of fines and penalties for the FCPA violations was $152.6 million. The company was also hit with another $100 million in fines and penalties for trade sanctions bringing its total amount paid to $252.6 million.

The bribery schemes that Weatherford used were varied but stunning in their brazen nature. Further, early on in the investigation, the company thumbed its nose at the Department of Justice (DOJ) by refusing to cooperate in any meaningful way and actually destroying documents and computer hard drives rather than turn over relevant documents. There were also examples of internal company whistleblowers, who were either ignored or, worse, terminated when they internally reported illegal conduct which violated the FCPA. Lastly, the company did not self-disclose its conduct so things started out badly, badly, did I say badly, for the company. But in spite of how things began, Weatherford was able to make a turnaround and substantially improve its position by reversing this initial nose-thumbing at US regulators. Over the next three blog posts I will explore the bribery schemes involved, how the company’s new-found attitude led to lower fines than might otherwise have been expected and what the lessons are for the compliance practitioner going forward.

DOJ Criminal Information and Deferred Prosecution Agreement

To resolve the criminal aspects of this case, Weatherford agreed to pay an $87.2 million criminal penalty as part of a Deferred Prosecution Agreement (DPA) with the DOJ.

The Information filed as a part of the resolution reveals that company employees established and operated a joint venture (JV) in Africa with two local entities controlled by foreign officials and their relatives from 2004 through at least 2008. These foreign officials selected the entities with which WSL would partner and the company knew that the members of the local entities included foreign officials’ relatives and associates. The sole purpose of those local entities was to serve as conduits through which WSL could pay bribes to the foreign officials controlling them, as neither of the JV partners contributed capital, expertise or labor to the JV. In exchange for the illegal payments they received through the JV, the foreign officials awarded the JV lucrative contracts, gave WSL inside information about competitors’ pricing, and took contracts away from WSL’s competitors and awarded them to the JV.

The Information also noted that Weatherford knowingly failed to establish an effective system of internal accounting controls designed to detect and prevent corruption, including FCPA violations. The company failed to implement these internal controls despite operating in an industry with a substantial corruption risk profile and despite growing its global footprint in large part by purchasing existing companies, often themselves in countries with high corruption risks. As a result, a permissive and uncontrolled environment existed within which employees of certain of Weatherford’s wholly owned subsidiaries in Africa and the Middle East were able to engage in corrupt conduct over the course of many years, including the bribery of foreign officials.

In yet another scheme detailed in the Information, a Weatherford employee in the Middle East gave improper “volume discounts” to a distributor who supplied company products to a government-owned National Oil Company (NOC), believing that those discounts were being used to create a slush fund with which to make bribe payments to decision-makers at the NOC. Between 2005 and 2011, Weatherford Oil Tools Middle East Limited (WOTME) paid approximately $15 million in “volume discounts” to the distributor.

In its Press Release the DOJ also spoke to the nefarious conduct of the company. Acting Assistant Attorney General Raman was quoted as saying “This case demonstrates how loose controls and an anemic compliance environment can foster foreign bribery and fraud by a company’s subsidiaries around the globe. Although Weatherford’s extensive remediation and its efforts to improve its compliance functions are positive signs, the corrupt conduct of Weatherford International’s subsidiaries allowed it to earn millions of dollars in illicit profits, for which it is now paying a significant price.” He also said that “Effective internal accounting controls are not only good policy, they are required by law for publicly traded companies – and for good reason.” The Federal Bureau of Investigation (FBI) chimed in when Assistant Director in Charge Parlave said that “The FBI is committed to investigating corrupt backroom deals that influence contract procurement and threaten our global commerce.”

SEC Complaint

In its civil Complaint, the Securities and Exchange Commission (SEC) alleged that Weatherford and its subsidiaries falsified their books and records to conceal not only these illicit payments, but also commercial transactions with Cuba, Iran, Syria, and Sudan that violated US sanctions and export control laws. Further, the company failed to establish an effective system of internal accounting controls to monitor risks of improper payments and prevent or detect misconduct. The company obtained more than $59.3 million in profits from business obtained through improper payments, and more than $30 million in profits from its improper sales to sanctioned countries. This conduct lasted from 2002 up until 2011 and included the lack of internal controls plus the affirmative falsification of its books and records to facilitate the bribe payments. The payment of disgorgement, prejudgment interest, and civil penalties to the SEC was in the amount of $65,612,360.34.

As you would expect, the SEC focused on the company’s books and records violations. Andrew Ceresney, co-director of the SEC’s Enforcement Division, was quoted in the SEC’s Press Release as saying, “The nonexistence of internal controls at Weatherford fostered an environment where employees across the globe engaged in bribery and failed to maintain accurate books and records.” He added, “They used code names like ‘Dubai across the water’ to conceal references to Iran in internal correspondence, placed key transaction documents in mislabeled binders, and created whatever bogus accounting and inventory records were necessary to hide illegal transactions.” Kara Brockmeyer, Chief of the SEC Enforcement Division’s FCPA Unit, said, “Whether the money went to tax auditors in Albania or officials at the state-owned oil company in Angola, bribes and improper payments were an accustomed way for Weatherford to conduct business. While the profits may have seemed bountiful at the time, the costs far outweigh the benefits in the end as coordinated law enforcement efforts have unraveled the widespread schemes and heavily sanctioned the misconduct.”

All of the settlement documents are chock-full of information about bribery schemes Weatherford engaged in for many years. For the compliance practitioner, they provide a list that can be used as a check and balance to see if your company may be engaging in any of these practices. Additionally, both the DOJ and SEC listed out the internal controls and books and records failures of the company. Tomorrow, I will review the specific bribery scheme and failures of the Weatherford compliance program.

For a copy of the DOJ Information, click here.

For a copy of the DOJ Deferred Prosecution Agreement, click here.

For a copy of the SEC Civil Complaint, click here.

For a copy of the Plea Agreement, click here.

For a copy of the DOJ Press Release, click here.

For a copy of the SEC Press Release, click here.

© Thomas R. Fox, 2013

November 11, 2013

Honor Our Veterans and Compliance in the Supply Chain

Today is National Remembrance Day for Veterans who served their country and across the world. In the US we call it Veterans Day. In the UK, it is called Remembrance Day. Whatever it is called, it is designed so that we may never forget the sacrifices that the men and women made so that we can live in a free society. So today, I ask you to personally thank a veteran, buy them a cup of coffee or simply reflect on those who made the ultimate sacrifice to allow us all to go forward into the 21st Century.

My father is a veteran of both World War II and the Korean Conflict. I saw him this weekend and at 87 he is still kicking along, reading, studying and thinking about the relevant issues of the day. He gave to me a copy of the Fall 2013 issue of the University of Illinois, College of Law, Comparative Labor Law & Policy Journal which had an article, entitled “Toward Joint Liability in Global Supply Chains: Addressing the Root Causes of Labor Violations In International Subcontracting Networks”, by authors Mark Anner, Jennifer Bair and Jeremy Blasi. So to honor my father’s continuing interest in anti-corruption compliance, today I will write about this article and how it informs anti-corruption compliance in the Supply Chain.

The authors’ starting point is the Rana Plaza building collapse in Bangladesh, which killed at least 1129 workers and has led to a “significant departure from the extant model of labor compliance that has developed over the past two decades”. The previous model of labor compliance had assumed that labor issues were a “factory-level problem and the only entity that needs to be regulated is the contractor factory.” This was enforced by companies adopting codes of conduct and then monitoring their suppliers for compliance. However, after the Rana Plaza tragedy, certain western corporations adopted the Bangladesh Accord, which anticipates joint responsibility for labor issues between both vendors and the purchasers of their goods and services. Further, the Bangladesh Accord is not merely like the prior general statements of intent but brings binding, contractually enforceable duties.

While the focus of the article was on labor issues such as pay, safety and retaliation for raising such concerns, the article did point to some interesting ideas which could be applied to this issue as it relates to anti-corruption compliance under laws such as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. Obviously both laws require a specified protocol for the hiring of third parties which represent companies. These concepts and techniques are now being used for third parties who develop relationships with companies through the supply chain. Companies such as freight forwarders, visa processors and customs brokers have foreign governmental touch points which clearly mandate a thorough due diligence process under the FCPA and Bribery Act. However, many companies may not recognize their potential exposure for companies which supply them but engage in bribery and corruption to fulfill their contracts.

Using the authors’ discussion of the regulatory scheme for compliance of labor and safety issues for suppliers under the Bangladesh Accord I have adapted them for anti-corruption compliance. The intention is to create stable, long term relationships and also to promote a stable core of suppliers who are FCPA or Bribery Act compliant in anti-corruption and anti-bribery. These points can incentivize suppliers to not only become more compliant in anti-corruption and anti-bribery programs but also reward them for doing business with other like-minded sub-suppliers and sub-contractors. They include:

  • Require suppliers to designate all sub-suppliers and sub-contractors that they will use.
  • Restrict the subset of sub-suppliers and sub-contractors to those who have been certified, through a recognized Non-governmental organization (NGO) or company, in anti-corruption.
  • Prohibit retaliation against supplier employees who report, in good faith, allegations of bribery and corruption.
  • Require a supplier to register the number of sub-suppliers and sub-contractors that it intends to use for a company.

For US, and other western companies, I think that there are some lessons which might be drawn from the authors’ piece in connection with their compliance programs around the Supply Chain.

Know Your Suppliers

When it comes to anti-corruption compliance in the Supply Chain, many companies either fail to embrace this concept or, worse yet, do not understand how this concept is interwoven into an overall compliance program. Indeed, one of the perceived banes of compliance is that a company is responsible for the actions of its suppliers. Nevertheless, if companies understand that suppliers are a critical component of an overall compliance program it becomes much easier to understand how such a model can and should be used as a guidepost for the Supply Chain and compliance.

The Compliance Oversight Committee

The Oversight Committee is a key component of any best practices compliance program. Not only should it be used for reviewing and managing traditional high risk areas such as third party business representatives in the sales chain; a company can create such committees for other high risk issues particular to a company. Witness the Johnson & Johnson (J&J) Deferred Prosecution Agreement (DPA) and its “Enhanced Compliance Obligations”. In this J&J agreed to establish “a “Sensitive Issue Triage Committee” to review and respond to any such [Foreign Corrupt Practices Act] FCPA issues as may arise.” This is precisely the type of rigor which should be included in a best practices compliance program. Compliance Committees can serve to escalate compliance issues before they become violations of the FCPA or UK Bribery Act and are becoming a part of a best practices compliance program. If a company decides to disband such a committee it must clearly perform rigorous audits or place such safeguards in place to send a message to both vendors in the Supply Chain and employees that compliance is still held in the highest regard by the company.

Risk Assessments – Don’t Let Growth Overwhelm Your Compliance Program

The Department of Justice (DOJ) continually reminds us of the need for risk assessments. One of the areas often overlooked in risk assessments is growth. Growth and indeed explosive growth can be pursued or occur while not fully assessing or even appreciating the risks involved. This could mean that there were many new vendors in the Supply Chain that did not receive the rigorous due diligence and training in anti-corruption and anti-bribery compliance. A company can also hire huge numbers of new contract employees who do not receive the same anti-corruption training as previously hired employees. These can lead to organizational incentives that become skewed towards growth and not compliance.

If a company wants to move forward with an aggressive growth model, it should assess the compliance risks of doing so. Through a risk assessment, it might be determined that compliance might suffer through the increased use of new vendors. For the compliance practitioner, these risks might also be that new vendors in the Supply Chain need full and complete compliance training, that contract employees need the same compliance training as full-time employees; additionally new vendors need rigorous screening through a robust due diligence process to not only identify Red Flags regarding corruption but to help educate them that your company takes compliance very seriously.

So today I honor my father and all Veterans everywhere. And thanks to my father for continuing to be interested enough to read articles which help inform my knowledge of anti-corruption compliance.

© Thomas R. Fox, 2013

October 11, 2013

Pre-Acquisition Due Diligence Program for Evaluating Target Companies in M&A

I am just back from our nation’s capital attending the Society of Corporate Compliance and Ethics (SCCE) 2013 annual Compliance and Ethics Institute. If you have a chance to attend next year’s event in Chicago I urge you to do so. The sessions were first rate, topical and had great insights. The networking and sharing of information was also great. While the vendors were there to market their own products and services they were clearly part of the overall solution, so kudos to every company that showed at the event. Hats off to everyone on Team SCCE for doing a great job. Finally, to Roy Snell, Matt Kelly was right; you take the casual, hip look up to the next level, I wish I had your style.

One of the sessions I attended was entitled “Compliance Due Diligence In Multi-National Transactions: Mergers & Acquisitions and Third Parties”, led by Louis Perold, Legal Compliance Manager at Sasol Ltd., and Krista Muszak, Senior Compliance Analyst at Paychex, Inc. In this session, they laid out the steps that you should take when looking at an acquisition from the compliance perspective.

I. Review

They suggested a five step process which I thought was well laid out to show you how to plan and execute a strategy to perform pre-acquisition due diligence in the merger context. The process was as follows:

  1. Establish a point of contact. Here you need to determine one point of contact that you can liaise with throughout the process. They suggested that typically this would be the target’s Chief Compliance Officer (CCO) if the company is large enough to have a full-time position.
  2. Collect relevant documents. The documents suggested that you begin with are a detailed list of sales going back 3-5 years, broken out by country and, if possible, obtain a further breakdown by product and/or services; all JV contracts and due diligence on JVs and other third party business partners; the travel and entertainment records of the acquisition target company’s top sales personnel in high risk countries; internal audit reports and other relevant documents.
  3. Review the compliance and ethics mission and goals. Here they said you should look at the Code of Conduct or other foundational documents that a company might have to gain some insight into what they publicly espouse.
  4. Review the seven elements of an effective compliance program, as below:

A. Oversight and operational structure of the compliance program. Here you should assess the role of board, CCO and if there is one, the compliance committee. Regarding the CCO, you need to look at their reporting and access – is it independent within the overall structure of the company? Also, what are the resources dedicated to the compliance program including a review of personnel, the budget and overall resources?

B. Policies/Procedures, Code of Conduct. In this analysis you should identify industry practices and legal standards which may exist for the target company. You need to review how the compliance policies and procedures were developed and determine the review cycles for compliance policies, if any. Lastly, you need to know how everything is distributed and what the enforcement mechanisms for compliance policies are. The speakers pointed out that you should check with HR for terminations or discipline relating to compliance.

C. Education, training and communication. Here you need to review the compliance training process as it exists in the company; both the formal and the informal. You should ask such questions as “What are the plans and schedules for compliance training?” Next determine if the training material itself is fit for intended purpose, including both internal and external training for third parties. You should also evaluate the training delivery channels. Is the compliance training delivered live, online, or through video? Finally, assess whether the company has updated their training based on changing of laws.

D. Monitoring and auditing. Under this section you need to review both the internal audit plan and methodology used regarding any compliance audits. A couple of key points are (1) is it consistent over a period of time and (2) what is the audit frequency? You should also try and judge whether the audit is truly independent or if there was manipulation by the business unit.

E. Reporting. What is the company’s system for reporting violations or allegations of violations? Is the reporting system anonymous? From there you need to then turn to who does the investigations and how are they conducted? A key here, as well as something to keep in mind throughout the process, is the adequacy of record keeping by the target.

F. Response to detected violations. This review is to determine management’s response to detected violations. What is the remediation that has occurred and what corrective action has been taken to prevent future, similar violations. Has there been any internal enforcement and discipline of compliance policies if there were violations? Lastly, what are the disclosure procedures to let the relevant regulatory or other authorities know about any violations and the responses thereto?

G. Enforcement Practices/Disciplinary Actions. Under this analysis, you need to see if there was any discipline delivered up to and including termination. If remedial measures were put in place, how were they distributed throughout the company and were they understood by employees?

  5. Review the periodic evaluation of the program’s effectiveness. Under this they suggested a review of the target’s internal audit reports or outside investigations if they were performed.

II. Red Flags

The speakers provided a short list of red flags that, should you determine exist, need to be further investigated and cleared. They listed the following:

  • Ineffective compliance program elements
  • Company in financial difficulty
  • Frequent breach of policies and procedures
  • Inactive compliance and ethics committee
  • No access to the board
  • No regular reports to the board
  • CCO not allowed direct access to the Chief Executive Officer (CEO)
  • Lack of independence
  • Frequent requests to waive policies
  • No consistent consequence management for violations

III. Evaluation

The speakers also provided a ranking system which can be used to think through and evaluate the information that you have obtained. They proposed the following.

  • Level 1 – Absent. There is no commitment to compliance illustrated by no dedicated resources, no formal compliance policy and the absence of a compliance program.
  • Level 2 – Reactive. There is commitment to address compliance issues when major breaches arise.
  • Level 3 – Foundational. While there is commitment to address compliance issues when major breaches arise, there is no formal compliance program but policies and monitoring activities are put in place to prevent the reoccurrence of major breaches.
  • Level 4 – Proactive. There is a commitment to have a strong compliance program in place with dedicated resources and a clear assessment of all risk areas. The program encompasses ongoing monitoring and measurement as well as proactive and preventative elements.
  • Level 5 – Embedded. The compliance program pervades the organization in every respect: strategically, culturally and operationally. Every staff member is aware of and takes appropriate responsibility for the effective implementation of the compliance program and its ongoing improvement.

I found their program a very useful session on how you should think through performing due diligence on a target in the acquisition context. With the Department Of Justice’s (DOJ’s) emphasis on pre-acquisition due diligence, as set out in last year’s FCPA Guidance, I think more companies will need to strengthen this portion of their compliance program.

And once again, a big thanks to SCCE for a great week at the Compliance and Ethics Institute 2013.

© Thomas R. Fox, 2013
