FCPA Compliance and Ethics Blog

November 27, 2013

How Straight From The Lion’s Mouth Informs Your Hotline

The symbol of Venice is the Lion of St. Mark. The use of this symbol led to the maxim ‘straight from the lion’s mouth’. This adage came about because the Republic of Venice had its own hotline system where citizens could report misconduct. A citizen could write down his concern on paper and literally put the message into the mouth of statues of lion heads placed around the City. This system was originally set up to be anonymous but later changed to require that a citizen had to write his name down when submitting a message.

I thought about this early form of hotline and how its use portended the hotline systems used today to help companies identify compliance issues which might arise under an anti-corruption law such as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. Obviously the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) recognize the importance of an internal company reporting system, such as a hotline. In the FCPA Guidance it states, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation. Companies may employ, for example, anonymous hotlines or ombudsmen.” I have often heard Chief Compliance Officers (CCOs) speak about how they are able to not only hear about but address employee’s concerns through confidential reporting where it is clear there will be no tolerance for retaliation.

So, once again, using Venice as inspiration for a compliance topic, today I would like to review some best practices regarding a compliance hotline.

  1.  The hotline should be developed and maintained externally. It seems axiomatic that em­ployees tend to trust hotlines maintained by third parties more than they do internally maintained systems. Through the submitting of reports via an external hotline there is a perceived extra layer of anonymity and impartiality compared to a sys­tem developed in-house. A third party provider is also more likely to bring specialist expertise that’s difficult to match within the organization.
  2. The hotline supports the collection of detailed infor­mation. As with most everything else, information is power. If a CCO can gather and re­cord information throughout a complaint life cycle, the company will have greater insight into the situation and a company can protect itself more effectively from accusations of negligence or wrongdoing. A hotline reporting system should provide consolidated, real-time access to data across all departments and locations, plus analytic capabilities that allow you to un­cover trends and hot spots. All reported materials should be consolidated in one comprehensive, chronologi­cally organized file, so a CCO can monitor ongoing progress and make better, more informed decisions.
  3. The hotline must meet your company’s data retention poli­cies. Retaining data in a manner consistent with your internal data retention policies is important. A hotline should offer a secure, accessible report retention database, or you may be faced with making your own complicated and costly arrangements for transmitting and storing older reports to a permanent storage location.
  4. The hotline should be designed to inspire employee confidence. Retaliation or perceived unfairness to those making hotline complaints will destroy the effectiveness of the internal reporting process and poison the corporate culture. A hot­line must be seen to offer the highest levels of protection and anonymity. To encourage employee participation, the hotline should allow them to bring their concerns directly to some­one outside their immediate chain of command or workplace environment – especially when the complaint concerns an immediate superior. The hotline should also enable employees to submit a re­port from the privacy of an off-site computer or telephone. It may seem like a small convenience, but giving employees the freedom to enter a complaint from a location that is safe can make a huge difference to participation rates.
  5. The hotline offers on-demand support from subject matter experts. Opening lines of communication can bring new issues to your compliance group. It is therefore important that once those reports are entered into the system, a person or function has the responsibility to follow up in a timely manner. One of the biggest mistakes you can make is to sit on a hotline complaint and let the employee reporting it fester. Additionally, with the short time frames set out in the Dodd-Frank Whistleblower timelines for resolution before an employee can go the SEC to seek a bounty, the clock is literally clicking.
  6. The hotline provides inbuilt litigation support and avoidance tools. A company must make certain that its hotline is preconfigured to meet the legal requirements for document retention, at­torney work product protection procedures, and attorney privilege. Developing these tools in-house can add signifi­cantly to your costs, and maintaining a hotline without one exposes your organization to unacceptable risk.
  7. The hotline supports direct communication. A hotline should open the lines of communication and give you a di­rect sight-line into the heart of your company. Look for a system that enables you to connect directly, privately, and anonymously with the person filing a complaint. Direct communication also signals to employees that their complaints are being heard at the highest levels.

Like other risk management issues, hotlines must also be managed effectively after implementation and roll-out. Here are some practical tips which will help you make your hotline an effective and useful tool.

Get the word out. If employees do not know about the hotline, they will not use it. Allocate a portion of your time and budget to promoting the corporate hotline through multiple channels. Put up posters and distribute cards that employees can keep in their wallets or desk drawers. Deliver in-person presentations where possible. And do not think of the promotional initiative as a one-time effort. It is important to remind employees regularly, through in-person communications, via e-mail, or through intranets, newsletters, and so on, that this resource is available to them. Some hotlines offer promotional materials to help make the job easier; make sure you ask what type of promotional support may be available.

Train all your employees. Getting employees to use the system is one half of the challenge; ensuring they use it properly is the other half. This is where training becomes essential. Make sure people understand what types of activities or observations are appropriate for reporting and which are not. HR and compliance staff will need training too, to help them understand how the hotline impacts their day-to-day activities. Company leaders also need to understand the role the hotline plays in the organizational culture, and the importance of their visible support for this compliance initiative.

Take a look at the data. Use the data derived from or through the hotline to identify unexpected trends or issues. Examples might be what percentage of employees use the hotline and what issues are they submitting? A healthy hotline reporting system will yield reports from .5 to 2 percent of your employee base. If your reporting patterns are higher or lower, it may indicate mistrust of the hotline, misuse, or a widespread compliance issue. Isolate the data by location and department to identify micro-trends that could indicate problems within a subset of your corporate culture. Analyzing the data can help you stay a step ahead of emerging issues.

Response is critical to fairness in the system. Seeing a hotline system in action in this way can go a long way toward dispelling employee fears of being ostracized or experiencing retaliation because if they see that their concerns are heard clearly and addressed fairly, they will learn to view the hotline as a valuable conduit. If your compliance group responds promptly and appropriately to hotline complaints, you can ensure robust participation and ongoing success. Even when a complaint proves to be unfounded, it can still provide an opportunity to open a dialogue with employees and clear up any misunderstandings. Responding to reported issues also gives compliance officers a chance to prove that issues can be resolved or addressed while protecting the privacy and anonymity of the whistleblower.

As my stay in Venice draws to an end, I am reminded how much the western world has to thank the Republic of Venice for. From the forms of republican democracy that the US Founding Fathers drew from to helping to establish a world-wide trade and banking system which still reverberates today. But, if you look closer, ancient Venice had many good government techniques which also still inform the modern world. Straight from the lion’s mouth to your company’s compliance hotline is just one of them.

A most Happy Thanksgiving to all.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 2, 2013

Get Out of the Ivory Tower – Using Internal Corporate Resources to Facilitate the Compliance Function

The second day of Hanson Wade Oil and Gas Supply Chain Compliance conference in Houston packed as much solid information into it as did the first day. One of the sessions dealt with utilizing other corporate functions to assist a compliance department in implementing or enhancing a compliance program. There are many resources which currently exist inside your organization and if you are in the position where you must use internal rather than external resources, this post will detail some of the functions which you may be able to call upon inside your organization.

You should start with a basic approach which the speaker termed “Get Out of the Ivory Tower”. He explained that the compliance department must obtain realistic input from geographies, cultures, business units and corporate functions within the company. As he rather succinctly put it to the audience “A procedure which may work in Texas may not work in Indonesia.” He also counseled to train in local languages. This may mean more than translating your talk into one language. He gave the example of his training in Spain where he had dual translations going, from English into Spanish and Catalan.

Part of this translation issue led to his next point, which was not to believe your own story or even worse, your own propaganda. Simply because a Country Manager says something is true means does not mean that it is true. Internal controls, monitoring and auditing are important to test that you are actually doing compliance rather than simply saying you are in compliance.

In determining what other departments might be able to assist the compliance function, the speaker suggested that you should start with three inquiries. They were:

  1. What can yours do? This is the initial assessment that you need to make about what your compliance department can do. What are your resources and budget? Start with this question.
  2. What can theirs do? In looking around your company, next ask this question. What are the functions of the departments? Are there things that they are currently doing which can supplement the compliance function? Are there functions in that department’s core function which can assist the company in the doing of compliance?
  3. How many employees does each of you have? An obvious concern is the number of employees that are available to assist the compliance function.

What are some of the other corporate functions that might assist the compliance department going forward? An obvious starting place is Human Resources (HR). The speaker listed several areas in which HR can bring expertise and, in my experience, enthusiasm to the compliance function. Some of the reasons include the fact that HR is physically located at or touch every site in the company, globally. HR is generally seen as more approachable than many other organizations in a company, unfortunately including compliance. A person’s first touch point with a company is often HR in the interview process. If not in the interview process, it is certainly true after a hire is made. Use this approachability.

Obviously, HR has several key areas of expertise, such as in discrimination and harassment. But beyond this expertise, HR also has direct accountability for these areas. It does not take a very long or large step to expand this expertise into assistance for compliance. HR often is on the front line for hotline intake and responses. These initial responses may include triage of the compliant and investigations. With some additional training, you can create a supplemental investigation team for the compliance department.

Clearly HR puts on training. By ‘training the trainers’ on compliance you may well create an additional training force for your compliance department. HR can also give compliance advice on the style and tone of training. This is where the things that might work and even be legally mandated in Texas may not work in other areas of the globe; advice can be of great assistance. But more than just putting on the training, HR often maintains employee records of training certifications, certifications to your company’s Code of Conduct and compliance requirements. This can be the document repository for the Document, Document Document portion of your compliance program.

Internal Audit is another function that you may want to look at for assistance. Obviously, Internal Audit should have access to your company’s accounting systems. This can enable them to pull data for ongoing monitoring. This may allow you to move towards continuous controls monitoring, on an internal basis. Similarly, one of the areas of core competency of Internal Audit should also be internal controls. You can have Internal Audit assist in a gap analysis to understand what internal controls your company might be missing.

Just as this corporate function’s name implies, Internal Audit routinely performs internal audits of a company. You can use this routine job duty to assist compliance. There will be an existing audit schedule and you can provide some standard compliance issues to be on each audit. Further, compliance risks can also be evaluated in this process. Similar to the audit function are investigations. With some additional training, Internal Audit should be able to assist the compliance function to carry out or participate in internal compliance investigations. Lastly, Internal Audit should be able to assist the compliance function to improve controls following investigations.

A corporate IT department has several functions that can assist compliance. First and foremost, IT controls IT equipment and access to data. This can help you to facilitate investigations by giving you (1) access to email and (2) access to databases within the company. Similar to the above functions, IT will be a policy owner as the subject matter expert so you can turn to them for any of your compliance program requirements which may need a policy that touches on these areas. The final consideration for IT assistance is in the area of internal corporate communication. IT enables communications within a company. You can use IT to aid in your internal company intranet, online training, newsletters or the often mentioned ‘compliance reminders’ discussed in the Morgan Stanley Declination.

Finally, do not forget your business teams. You can embed a compliance champion in all divisions and functions around the company. You can take this a step further by placing a Facility Compliance Officer at every site or location where you might have a large facility or corporate presence. Such local assets can provide feedback for new policies to let you know if they do not they make sense. In some new environments, a policy may not work. If you company uses SAP and you make an acquisition of an entity which does not use this ERP system, your internal policy may need to be modified or amended. A business unit asset can also help to provide a push for training and communications to others similarly situated. One thing that local compliance champions can assist with is helping to set up and coordinate personnel for interviews of employees. This is an often over-looked function but it facilitates local coordination, which is always easier than from the corporate office.

There are many ways to implement or enhance a compliance program in a company. If you do not have the luxury of creating an entire compliance department with an unlimited budget, you may be able to call upon other areas of corporate expertise to facilitate your role. Do not be an Ivory Tower.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

March 21, 2013

What To Do If Your Gut Says It’s Wrong: Lessons from Project Alpha

I often write about what can happen to companies who run afoul of the Foreign Corrupt Practices Act (FCPA). Usually enforcement actions focus on companies and not individuals. However, as is often pointed out by commentators other than Mitt Romney, corporations are not humans but consist of people. It is individuals who engage in conduct that violates the FCPA, just as it is individuals who engage in conduct which violates other US securities laws.

I was reminded of this in an article by Loren Steffy, of the Houston Chronicle, entitled “She offers cautionary tale for corporate employees”. In this article Steffy writes about Helen Sharkey, who worked for Dynegy Inc, a Houston company which was involved in energy trading and gas transportation. Sharkey was an accountant who worked on an assignment known as Project Alpha, which Steffy wrote was “a $300 million scheme that inflated Dynegy’s cash flow.”

In an interview with Steffy she told him that she was the lowest of seven employees assigned to the project. According to the Securities and Exchange Commission (SEC) Sharkey and others disregarded the company’s external auditor’s advice that certain forms of risk-hedging involving derivative instruments, such as commodity price swaps and interest rate swaps, would defeat Dynegy’s goal of accounting for Alpha as an ordinary operating contract and require recording it as a financing. As reported by Steffy, “If the banks didn’t have risk, it meant the deal was a loan and required different accounting treatment.”

While the Enron Corporation is the poster child for corporate fraud in Houston, three Dynegy employees went to jail over Project Alpha: Sharkey; Gene Foster, who was Dynegy’s Vice President of Taxation during the relevant period; and Jamie Olis, who was Dynegy’s Senior Director, Tax Planning and International. Foster received a sentence of 15 months in jail. Olis, who went to trial, received a whopping sentence of 24 years by the trial judge, although this was later reduced to six years.

What did Sharkey think about the deal at the time? As quoted by Steffy, “Did I feel in my gut that it was wrong? Absolutely. Did I think it was illegal? No way.” Unfortunately Sharkey did not apparently have a mechanism that she could use to raise this concern that was in her gut.

What are some of the lessons that current compliance practitioners can draw from Sharkey, Dynegy and Project Alpha?

Hotlines

One of the results from the actions that companies like Dynegy, Enron and others was the passage of Sarbanes-Oxley (SOX). SOX required publicly traded companies to set up anonymous hotlines to allow employees to report company wrong-doing. This is enshrined in the FCPA world as one of the Ten Hallmarks of an Effective Compliance Program as set out in the Department of Justice (DOJ)/ SEC FCPA Guidance. Under the section entitled “Confidential Reporting and Internal Investigation”, it states, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation. Companies may employ, for example, anonymous hotlines or ombudsmen.”

Generally, employees tend to trust hotlines maintained by third parties more than they do internally maintained systems. By submitting reports through an external hotline there is a perceived extra layer of anonymity and impartiality compared to a system developed in-house. This is because there can be a fear of retaliation by employees. This fear can destroy the effectiveness of the internal reporting process and poison the corporate culture. The hotline must be seen to offer the highest levels of protection and anonymity. To encourage employee participation, the hotline should allow them to bring their concerns directly to someone outside their immediate chain of command or workplace environment – especially when the complaint concerns an immediate superior. A third party provider is also more likely to bring specialist expertise that’s difficult to match within the organization.

Failure to Escalate

In almost every circumstance where a significant FCPA compliance violation has arisen, if the issue had been reported or at least sent up the chain for consideration, there is a good chance that the incident would not have exploded into a full FCPA compliance violation. Matthew King, Group Head of Internal Audit at HSBC, calls this concept “escalation” and he believes that one of the more key features of any successful compliance program is to escalate compliance concerns up the chain for consideration and/or resolution.

This means that in almost every circumstance regarding a compliance issue he had been involved with, at some point a situation arose where an employee did not report a situation or event up to an appropriate level for additional review. This failure to escalate leads to the issue not reaching the right people in the company for review/action/resolution and the issue later becomes more difficult and more expensive to deal with in the company. A company needs to have a culture in place to not only allow escalation but to actively encourage escalation. This requires that both a structure and process for this must exist. Then the company must train, train and train all of its employees. Lastly, while a whistleblower process or hotlines are necessary these should not be viewed as the only systems which allow an employee to escalate a concern.

The starkest example of which I am aware of this failure to escalate in the FCPA arena is the Hewlett-Packard (HP) matter involving its German subsidiary and allegation of bribery to receive a contract for the sale of hardware into Russia. The Wall Street Journal (WSJ) has reported that at least one witness has said that the transactions in question were internally approved by HP through its then existing, contract approval process. That witness, Dieter Brunner, a contract employee who was working as an accountant on the group that approved the transaction, said in an interview that he was surprised when, as a temporary employee of HP, he first saw an invoice from an agent in 2004. “It didn’t make sense,” because there was no apparent reason for HP to pay such big sums to accounts controlled by small-businesses, Mr. Brunner said. He then proceeded to say he processed the transactions anyway because he was the most junior employee handling the file, “I assumed the deal was OK, because senior officials also signed off on the paperwork”.

Training

Why is training of employees regarding a hotline and the ability to escalate important in the context of an anti-corruption/anti-bribery compliance program? Training is recognized as one of the points in the Ten Hallmarks of an Effective Compliance Program and one of the elements under the US Sentencing Guideline’s Seven Elements of an Effective Compliance Program. It is also recognized in Principle 5 of the Six Principles of an Adequate Procedures compliance program as set out by the UK Ministry of Justice (MOJ). Lastly, it is recognized by the OECD in its 13 Good Practices for Internal Controls, Ethics and Compliance.

In the case of HP, think what position the company might be in today if Brunner had been trained on the company’s system for internally reporting compliance issues? If Brunner had escalated his concern that the payment to the agent “didn’t make sense” perhaps HP would not have been under investigation by governmental authorities in Germany and Russia. In the United States, both the DOJ and SEC have announced they are investigating the transaction, for potential FCPA violations. Further, HP is now investigating other international operations to ascertain if other commissions paid involved similar allegations of bribery and corruption as those in this German subsidiary’s transaction.

Dénouement

Steffy penultimate paragraph states, “her story lends insight into one of the most enduring questions that linger from a decade ago – how corrupt corporate cultures encouraged so many who considered themselves law-abiding citizens, to commit crimes, often without realizing it.” One of the things that I emphasize in training to employees is that if their guts turns in knots, the hair on the back of their neck stands up or if something doesn’t smell right, just raise your hand. You don’t have to know the ins and outs of the FCPA, but if something does not feel right, raise your hand and get the matter to someone who does know the ins and outs of the FCPA and who can thoroughly investigate the issue that you do not feel right about. If you do not do so, you may end up like Sharkey and, as Steffy writes as the final sentence of his piece, “The one time she wavered became a mistake she’ll regret the rest of her life.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

February 8, 2013

How Does Your Organization Treat Whistleblowers?

As almost everyone knows, Lance Armstrong spoke for the first time about his performance enhancing drug (PED) use recently on Oprah. On the first night he admitted for the first time that he used PEDs during his seven wins at the Tour De France. The title of my colleague Doug Cornelius’ piece in Compliance Building really said it all in his article “Lance Armstrong – A Lying Liar Just Like Madoff”. Cornelius said “What caught my attention about the Armstrong interview was the window into the mind of a pathological liar. Armstrong had been telling the lie over and over and over. He lied to the public. He lied to the press. He lied to cancer survivors. He lied under oath.”

One of the areas which came up for me was how the people who blew the whistle on Armstrong’s use of PEDs before his admission were treated and how Armstrong subsequently treated them. Armstrong admitted that he was a ‘bully’ to those who said, hinted, or even implied that he had taken PEDs. He attacked ex-teammates; wives of ex-teammates and even a masseur who saw him take such substances. He put on an aggressive PR campaign for the better part of the past decade, to which the wife of ex-Tour De France winner Greg LeMond said “I can’t describe to you the level of fear that he brings to a family.”

While I would hope that most American and European companies have moved past the situation where whistleblowers are ostracized or worse threatened, one can certainly remember the GlaxoSmithKline (GSK) whistleblower Cheryl Eckard. A 2010 article in the Guardian by Graeme Wearden, entitled “GlaxoSmithKline whistleblower awarded $96m payout”, he reported that Eckard was fired by the company “after repeatedly complaining to GSK’s management that some drugs made at Cidra were being produced in a non-sterile environment, that the factory’s water system was contaminated with micro-organisms, and that other medicines were being made in the wrong doses.” She later was awarded $96MM as her share of the settlement of a Federal Claims Act whistleblower lawsuit. Eckard was quoted as saying, “It’s difficult to survive this financially, emotionally, you lose all your friends, because all your friends are people you have at work. You really do have to understand that it’s a very difficult process but very well worth it.”

More recently there was the example of NCR Corp., as reported in the Wall Street Journal (WSJ) by Christopher M. Matthews and Samuel Rubenfeld, in an article entitled “NCR Investigates Alleged FCPA Violations”, who stated that NCR spokesperson Lou Casale said “While NCR has certain concerns about the veracity and accuracy of the allegations, NCR takes allegations of this sort very seriously and promptly began an internal investigation that is ongoing,” regarding whistleblowers claims of Foreign Corrupt Practices Act (FCPA) violations. In a later WSJ article by Matthews, entitled “NCR Discloses SEC Subpoena Related to Whistleblower, he reported that NCR also said “NCR has certain concerns about the motivation of the purported whistleblower and the accuracy of the allegations it received, some of which appear to be untrue.”

Lastly, is the situation of two whistleblowers from the British company EADS. As reported by Carola Hoyos in a Financial Times (FT) article, entitled “Emails tell of fears over EADS payments”, Hoyos told the story of two men who notified company officials of allegations of bribery and corruption at the company and who suffered for their actions. The first, Mike Paterson, the then financial controller for an EADS subsidiary GPT, internally reported “unexplained payments to the Cayman Island bank accounts for Simec International and Duranton International, which totaled £11.5M between 2007 and 2009.” Hoyos reported that Paterson was so marginalized in his job that he was basically twiddling his thumbs all day at work.

The second whistleblower was Ian Foxley, a retired British lieutenant-colonel, who had joined the company in the spring of 2010 stationed in Saudi Arabia, to oversee a £2M contract between the British Ministry of Defence (MOD) and the Saudi Arabian National Guard. In December 2010, Foxley discovered some of the concerns which Mike Paterson had raised. According to Hoyos, “The morning after he discovered Mr. Paterson’s concerns he assessed the emails that Mr. Paterson had told him he had written over the previous three years.” This led Foxley to flee Saudi Arabia with documents of these suspicious payments, which he has turned over to the Institute of Chartered Accountants and the UK Serious Fraud Office (SFO).

What does the response of any of these three companies say about the way that it treats whistleblowers? Is it significantly different from the bullying Armstrong admitted he engaged in during his campaign to stop anyone who claimed that he was doping? While I doubt that companies will ever come to embrace whistleblowers, the US Department of Justice’s (DOJ’s) recent FCPA Guidance stated that “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.” However, by marginalizing, attacking or even making a whistleblower fear for their life, such actions can drive a whistleblower to go the DOJ, Securities and Exchange Commission (SEC) or SFO. The Guidance recognized that “Assistance and information from a whistleblower who knows of possible securities law violations can be among the most powerful weapons in the law enforcement arsenal.”

So what is the compliance professional to make of the Armstrong confession and how can it be used for a compliance program? A recent White Paper, entitled “Blowing the Whistle on Workplace Misconduct”, released by the Ethics Resource Center (ERC) detailed several findings that the ERC had determined through surveys, interviews and dialogues. One of the key findings in this White Paper was that that a culture of ethics within a company does matter. Such a culture should start with a strong commitment to ethics at the top, however it is also clear that this message must be reinforced throughout all levels of management, and that employees must understand that their company has the expectation that ethical standards are vital in the business’ day-to-day operations. If employees have this understanding, they are more likely to conduct themselves with integrity and report misconduct by others when they believe senior management has a genuine and long-term commitment to ethical behavior. Additionally, those employees who report misconduct are often motivated by the belief that their reports will be properly investigated. Conversely, most employees are less concerned with the particular outcome than in knowing that their report was seriously considered.

This is the ‘Fair Process Doctrine’. This Doctrine generally recognizes that there are fair procedures, not arbitrary ones, in a process involving rights. Considerable research has shown that people are more willing to accept negative, unfavorable, and non-preferred outcomes when they are arrived at by processes and procedures that are perceived as fair. Adhering to the Fair Process Doctrine in two areas of your Compliance Program is critical for you, as a compliance specialist or for your Compliance Department, to have credibility with the rest of the workforce.

In this area is that of internal company investigations, if your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Furthermore, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the process will be fair.

This fairness has several components. One would be the use of outside counsel, rather than in-house counsel, to handle the investigation. Moreover, if company uses a regular firm, it may be that other outside counsel should be brought in, particularly if regular outside counsel has created or implemented key components which are being investigated. Further, if the company’s regular outside counsel has a large amount of business with the company, then that law firm may have a very vested interest in maintaining the status quo. Lastly, the investigation may require a level of specialization which in-house or regular outside counsel does not possess.

Phrasing it in another way, Mike Volkov, writing in his blog Corruption, Crime and Compliance, in an article entitled “How to Prevent Whistleblower Complaints”, had these suggestions: (1) Listen to the Whistleblower – In dealing with a whistleblower, it is critical to listen to the whistleblowers concerns. (2) Do Not Overpromise – At the conclusion of an initial meeting with a whistleblower, the company representative should inform the whistleblower that the company will review the allegations, conduct a “preliminary” investigation and report back to the whistleblower during, or at the conclusion of, any investigation. (3) Conduct a Fair Investigation – Depending on the nature of the allegations, a follow up inquiry should be conducted. The steps taken in the investigation should be documented.

I would add that after your investigation is complete, the Fair Process Doctrine demands that any discipline must not only be administered fairly but it must be administered uniformly across the company for the violation of any compliance policy. Simply put if you are going to fire employees in South America for lying on their expense reports, you have to fire them in North America for the same offense. It cannot matter that the North American employee is a friend of yours or worse yet a ‘high producer’. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed.

Lance Armstrong has and will continue to provide the ethics and compliance practitioner with many lessons. You can use his treatment of whistleblowers as an opportunity to review how your company treats such persons who make notifications of unethical or illegal conduct. With the increasing number of financial incentives available to persons to blow the whistle to government agencies, such as the SEC under the Dodd-Frank Act, it also makes very good business sense to do so.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

January 25, 2013

Chesapeake Lighthouses and Lighting the Way for Compliance

In the winter 2013 issue of the Colonial Williamsburg magazine is an article by Michael Lombardi, entitled “Lighthouses Marked the Shoals of the Commerce Clause”. In this article, Lombardi wrote about four lighthouses authorized by Congress in the late 18th and early 19th century to light the way for sailors in Chesapeake Bay. The four lighthouses were the Cape Henry Lighthouse, the Old and New Point Comfort Lighthouses and the Smith Point Lighthouse. All four still exist today and one, the Old Point Comfort Lighthouse, is still in operation.

I thought about the story of these lighthouses and how they literally lit the way for sailors for over 200 years when I read an article in the Q2 issue of Ethisphere Magazine, entitled “Imagination Working with Integrity: How General Electric Creates a Global Culture of Ethics”, by Michael Price. Price discusses how General Electric (GE) has made “ethics and compliance a benchmark of its operations around the world, and is, in many ways the gold standard that other companies look to when it comes to modeling global compliance and ethics programs.”

I also considered these lighthouses in the context of how GE sets the tone for ethics and compliance and then communicates that commitment throughout its organization. Obviously it all starts at the top and GE is a prime example of this strength. Price noted that GE’s top brass meets annually at a conference where one of the frequent topics was ethics and compliance and the need for integrity in GE. Following this meeting of the GE senior management, they cascade down this commitment to middle management and emphasize the reputational risk to GE should there be a violation of the Foreign Corrupt Practices Act (FCPA) or other anti-corruption statute by the company. The middle managers then further cascade this message down so that it goes through the whole company at regular intervals.

Price made clear that one thing that GE will not tolerate is a manager who fails to take ethics and compliance seriously. This extends to managers who were ignorant of compliance issues in their units. He wrote that GE has “removed people from leadership positions when they didn’t know there was a problem”. GE demands that its management not only be aware of compliance in their units, but to ask “the right questions when they are faced with an uncertain situation”.

As you might expect from a company which has business in over 100 countries, GE has to work with many different cultural norms. It can be that “different cultures have different frameworks for understanding integrity and how to confront unethical conduct.” So, for instance, to overcome some cultural barriers of reporting unethical conduct GE has “five different pathways in which employees around the world can bring their concerns to management’s attention.” These pathways include the following:

  • Employees can talk directly to their managers;
  • Employees can go to talk to people in the compliance function;
  • Employees can go to talk to someone in the legal department;
  • Employees can take their concerns to HR; and
  • Employees can report anonymously to an ombudsman through a variety of channels.

GE provides several types of training in each of these methods and has “Compliance Days” in “which the company discusses compliance issues and reiterates the importance about employees raising concerns about unethical practices.” The article makes clear not only how seriously GE takes compliance but that it believes its commitment to ethical practices makes it stand out as a market differentiator. I would say that ethics and compliance is even a lighthouse for corporate culture at GE, in many ways, leading the way by which GE does business and conducts itself.

I once worked for a major oilfield service company where it was clear that safety was the Number 1 priority. We started every meeting with a safety moment. Each year, there was one day where the entire company stood down and met on safety on a world-wide basis. Both of these techniques emphasized to me not only the importance of safety but that safety was my responsibility as well, even though I was a lawyer doing international transactional work. This was another lighthouse but it was one for safety.

As a recovering trial lawyer who has handled many personal injury lawsuits and then worked in the energy industry, I will always consider safety as Mission Number 1 but I would like to propose that ethics and compliance is Mission 1A in your company. Try some of the techniques that GE uses to communicate its commitment to ethics and compliance. It does not cost anything to have senior management meet with middle management and tell them about the company’s commitment to integrity. It does not cost anything to allow employees to speak with their immediate managers about concerns over unethical practices, go talk to someone in the compliance department or legal department about such concerns or report their concerns to HR. If you do not have an anonymous reporting line, it is about time you invested in one. I do recognize that many companies do not have an ethics and compliance ombudsman but the key concept there might be that by having such an impartial position, employees believe they will be treated fairly.

How about having a compliance moment before every meeting? By having such a moment before every meeting you can not only provide some teachable moments but also drive home the concept that compliance is everyone’s responsibility not just the responsibility of the compliance or legal department. How about a Compliance Day? If you cannot go that far, I would suggest that you hold a series of brown bag lunches where you talk about doing business with integrity through ethical and compliant business practices. You could hold them throughout the company.

One thing I learned as a lawyer is that you are only limited by your imagination. Try to get the message out because compliance is in many ways, the 21st century lighthouse for doing business.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

January 23, 2013

The FCPA Guidance on the Ten Hallmarks of an Effective Compliance Program

Many commentators are still mining the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) publication, A Resource Guide to the U.S. Foreign Corrupt Practices Act, (the “Guidance”), which was released last November. I continue to find nuggets to provide to the compliance practitioner, as do others. But as we are a Base 10 culture, today I want discuss the 10 points listed as the ‘Hallmarks of Effective Compliance Programs”. They are a change in style, but not content, from the prior 13 point minimum best practices that the DOJ has in the Deferred Prosecution Agreements (DPAs) since at least November, 2010 and, indeed, from prior information made available by the DOJ.

I.                   Where Have We Been

Beginning with at least the Metcalfe & Eddy Consent and Undertaking, filed in December, 1999, the DOJ has laid out its thoughts on what should go into a Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program. In the Metcalfe & Eddy Consent and Undertaking, the DOJ laid out ten points of an effective FCPA anti-corruption compliance program. This was modified somewhat in Opinion Release 04-02, which laid out a best practices compliance program in 12 points, where the DOJ reviewed the proposal by an investment group who were acquiring certain companies and assets from ABB Ltd. ABB Vetco Gray Inc. and ABB Vetco Gray (UK) Ltd., two of the entities being acquired, had previously pled guilty to FCPA violations. The investment group desired to protect itself from further liability, to the extent possible, by proposing to the DOJ a comprehensive best practices compliance program. While the DOJ noted that this compliance program was not a shield against future violations, the DOJ would not “intend to take an enforcement action [against the investors] for violations of the FCPA prior to their acquisition from ABB.”

In the Panalpina DPA, issued in November, 2010, the DOJ laid out a 13 point minimum best practices compliance program. This number was changed this past summer when the Data Systems & Solutions LLC (DS&S) DPA was announced. In this enforcement action the DOJ listed 15 points on its minimum best practices FCPA anti-corruption compliance program. Then later in the summer, the DOJ moved to a 9 point compliance program in the Pfizer DPA. Even with all these changes in the number, the substance of each compliance program has remained the same.

II.                Where Are We Now? Hallmarks of Effective Compliance Programs

The Guidance cautions that there is no “one-size-fits-all” compliance program. It recognizes that depending on a variety of factors such as size, type of business, industry and risk profile that a company should determine what is appropriate for its own needs regarding a FCPA compliance program. But the Guidance makes clear that these ten points are “meant to provide insight into the aspects of compliance programs that DOJ and SEC assess”. In other words you should pay attention to these and use this information to assess your own compliance regime.

  1. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption. It all starts with tone at the top. But more than simply ‘talk-the-talk’ company leadership must ‘walk-the-walk’ and lead by example. Both the DOJ and SEC look to see if a company has a “culture of compliance”. More than a paper program is required, it must have real teeth and it must be put into action, all of which is led by senior management. The Guidance states that “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards.” This prong ends by stating that the DOJ and SEC will “evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”
  2. Code of Conduct and Compliance Policies and Procedures. The Code of Conduct has long been seen as the foundation of a company’s overall compliance program and the Guidance acknowledges this fact. But a Code of Conduct and a company’s compliance policies need to be clear and concise. The Guidance makes clear that if a company has a large employee base that is not fluent in English such documents need to be translated into the native language of those employees. A company also needs to have appropriate internal controls based upon the risks that a company has assessed for its business model. Some of the risks a company should assess include “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.”
  3. Oversight, Autonomy, and Resources. This section starts with a discussion on whether a company has assigned a senior level executive to oversee and implement a company’s compliance program. Not only must a company assign such a person with appropriate authority but that person, and the overall compliance function, must have “sufficient resources to ensure that the company’s compliance program is implemented effectively.” Additionally, the compliance function should report to the company’s Board of Directors or an appropriate committee of the Board such as the Audit Committee. Overall the DOJ and SEC will “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
  4. Risk Assessment. The Guidance states that “assessment of risk is fundamental to developing a strong compliance program”. Indeed, if there is one over-riding theme in the Guidance it is that a company should assess its risks in all areas of its business. The Guidance lists factors that a company should consider in any risk assessment. They are “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.” The Guidance is also quite clear that when the DOJ and SEC look at a company’s overall compliance program, they “take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”
  5. Training and Continuing Advice. Communication of a compliance program is a cornerstone of any anti-corruption compliance program. The Guidance specifies that both the “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” The training should be risk based so that those high risk employees and third party business partners receive an appropriate level of training. A company should also devote appropriate resources to providing its employees with guidance and advice on how to comply with their own compliance program on an ongoing basis.
  6. Incentives and Disciplinary Measures. This involves both the carrot and the stick. Initially the Guidance notes that a company’s compliance program should apply from “the board room to the supply room – no one should be beyond its reach.” There should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. Additionally, the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.” These incentives can take the form of a part of senior management’s bonuses or simply recognition on the shop floor.
  7. Third-Party Due Diligence and Payments. Here the Guidance focuses on the ongoing problem area of third parties. The Guidance says that companies must engage in risk based due diligence to understand the “qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials.” Next a company should articulate a business rationale for the use of the third party. This would include an evaluation of the payment arrangement to ascertain that the compensation is reasonable and will not be used as a basis for corrupt payments. Lastly, there should be ongoing monitoring of third parties.
  8. Confidential Reporting and Internal Investigation. This means more than simply a hotline. The Guidance suggests that anonymous reporting, and perhaps even a company ombudsman, might be appropriate to have in place for employees to report allegations of corruption or violations of the FCPA. Furthermore, it is just as important what a company does after an allegation is made. The Guidance states, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” The final message is what did you learn from the allegation and investigation and did you apply it in your company?
  9. Continuous Improvement: Periodic Testing and Review. As noted in the Guidance, “compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” The DOJ/SEC expects that a company will review and test its compliance controls and “think critically” about its own weaknesses and risk areas. Internal controls should also be periodically tested through targeted audits.
  10. Mergers and Acquisitions. Pre-Acquisition Due Diligence and Post-Acquisition Integration. Here the DOJ and SEC spell out what it expects in not only the post-acquisition integration phase but also in the pre-acquisition phase. This pre-acquisition information is not something that most companies had previously focused on. Basically, a company should attempt to perform as much substantive compliance due diligence that it can do before it purchases a company. After the deal is closed, an acquiring entity needs to perform a FCPA audit, train all senior management and risk employees in the purchased company and integrate the acquired entity into its compliance regime.

As I commented earlier in this article, the DOJ and SEC have communicated what they believe are the important parts of a risk based, anti-corruption compliance program for many years. I do not think that a compliance defense could be set out any more succinctly. However, I do like things set out in Base 10 and the “Hallmarks of Effective Compliance Programs” is an excellent compilation of where we are and what you need in place to go forward. I recommend this as a good a starting point for any compliance practitioner to implement a new compliance program or to evaluate the state of an ongoing compliance regime so assess your company’s risks and use these hallmarks as a basis to move forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

January 2, 2013

The Allianz FCPA Enforcement Action – What the Compliance Practitioner Needs to Know

Who is your favorite character from the Iliad? Is it Agamemnon the king who brings the Greek Armada to Troy for his brother’s honor; perhaps Ajax the mountain of a man who is the most loyal Greek warrior; how about Achilles the warrior who single-handedly destroys more Trojans than any Greek; or perchance Nestor the wise old counselor who tries to keep the Greeks united in the face of ten years of war? Perhaps your taste runs to the Trojan characters, Priam, the leader of Troy, Paris, now husband of the most beautiful woman on earth, or Hector, the stalwart son of Priam who dies in a duel with Achilles. In the Iliad, my money is on Odysseus, who is a king like Agamemnon and Priam; a shrewd advisor like Nestor; and a great warrior like Ajax, Achilles and Hector. Lastly, he has, if not the most beautiful wife in the world, certainly the most loyal in Penelope.

On December 17, 2012, the Securities and Exchange Commission (SEC) entered into an agreed Cease and Desist Order (Order) with Allianz SE regarding violations of the Foreign Corrupt Practices Act (FCPA). Much like Odysseus, this Order provides several different types of information for the compliance practitioner to digest. This post will work through some of the information and point out to you the lessons which can be drawn from this enforcement action.

The company is in the insurance business, writing lines including property and casualty, life, and health insurance and also is in asset management. Initially it is to be noted that the FCPA violations involve a subsidiary Allianz created to do business in Indonesia, PT Asuransi Allianz Utama Indonesia Ltd (Utama), through which the illegal payments were made. Allianz was the majority owner of this entity and Utama’s financial reporting was rolled up into the parent’s books and records. The Order reported that Utama secured at least 295 Indonesian government contracts through improper payments of approximately $650,626. From these improper payments, Allianz “realized $5,315,649 in profits.”

I.                   Jurisdiction

While the company is headquartered in Munich, Germany, from November 3, 2000 to October 23, 2009, Allianz’s American Depositary Shares and bonds were registered with the Commission pursuant to Section 12(b) of the Exchange Act and traded on the New York Stock Exchange (“NYSE”). This made Allianz an “issuer” within the meaning of the FCPA and therefore subject to the Act. The conduct at issue occurred when Allianz was a US issuer. Interestingly, in 2009, Allianz voluntarily delisted its securities from the New York Stock Exchange (NYSE).

II.                The Bribery Scheme

Back in 1981, the company opened up a “special purpose bank account” for the payment of agent commissions in Indonesia. However, in February, 2001, the Chief Compliance Officer (CEO) and Chief Financial Officer (CFO) of Utama “opened a separate, off-the-books account in the Indonesian Agent’s name (the “Agent special purpose account”). The Agent special purpose account was used to make improper payments to employees of Indonesian state-owned entities and others for the purpose of obtaining and retaining insurance contracts.” Contemporaneously with the creation of this new Agent special purpose account, Utama contracted with its Indonesian Agent a “Paying Agency Agreement” which established the Agent special purpose account would serve as the slush fund to make bribe payments to foreign officials and others as instructed by Utama.

a.      2001-2005

The scheme worked in this manner. There were two components for the insurance premiums, a “technical premium” which was 75-95% of the cost of the insurance product and the “overriding premium” which was the remaining 5-25% of the premium and was to be paid to the agent for the sale. During this time frame, the Utama Marketing Manager would make payments into the Agent special purpose account and these monies would be used to make improper payments to Indonesian government officials. The Indonesian government purchasing the insurance would be billed the combined total of these two premiums for 100% of the cost of the insurance product. The monies received by Utama would be deposited into one bank account and then the amount of the overriding commission would be transferred into the Agent special purpose account. This money would then be paid to the Indonesian government official who directed the purchase of the insurance product, in cash.

b.      2005-2008

Due to an internal whistleblower and subsequent investigation which will be discussed later, this original bribery scheme was modified in 2005; that is after completion of payments to Indonesian government officials who were owed bribes for insurance products purchased previously, up through 2008. Thereafter, Utama employed a variety of methods to make illegal and improper payments to Indonesian government officials. These methods included “1) booking commissions to an agent that was not associated with the account for the government insurance contract and then withdrawing the funds booked to the agent’s account as cash to pay the foreign official; or 2) overstating the amount of a client’s insurance premium, booking the excess amount to an unallocated account and then “reimbursing” the excess funds to the foreign officials, who were responsible for procuring the government insurance contracts.”

III.             Whistleblower and Internal Investigations

In 2005, an internal whistleblower made a complaint about the Agent special purpose account. This whistleblower apparently provided detailed information on the account and “a number of internal controls weaknesses.” The company initiated an internal audit of Utama and the Agent special purpose account but amazingly limited the scope of the audit to “embezzlement from the Company”. Even with this limited scope Allianz’s internal audit group identified the Agent special purpose account as a “vehicle to pay project development and overriding commissions to the special projects and clients for securing business with Utama” and other indicia of FCPA improper payments however “no additional steps were taken to determine the nature and purpose of the accounts or to identify the recipients of payments from the accounts.” The company did instruct Utama to close the Agent special purpose account but as noted above, not only did Utama continue to make improper payments out of the Agent special purpose account but also widened the scope of its bribery practices.

In 2009, the company’s outside auditor “received an anonymous complaint alleging that an Allianz executive created or initiated slush funds during his tenure with AZAP.” In response to this complaint the company created “a Whistleblower Committee to do an internal investigation and retained counsel to conduct an internal investigation of Utama’s payment practices in Indonesia.” However, Allianz did not self-report either the allegations of improper payments or the results of its internal investigations to the SEC or Department of Justice (DOJ). In 2010, the SEC opened an investigation after receiving “an anonymous complaint of possible FCPA violations.” After some initial delay in the timeliness in reporting to the SEC, the company began cooperation with the SEC and began remedial efforts.

IV.              Lessons Learned

There are several lessons which can be learned from the Allianz enforcement action. The first and foremost is jurisdiction. Simply because you are a foreign based company, do not think you are shielded from FCPA enforcement actions. Foreign companies need to review their US listings to determine if they have inadvertently subjected themselves to FCPA jurisdiction. In Allianz’s situation its American Depositary Shares and bonds were registered with the SEC. That is enough for jurisdiction. So if you are sitting across the Atlantic or Pacific or north or south of the border and have some American interests, holdings or anything else that you own or are a part of the US, you had better get your FCPA compliance house in order.

There is a wealth of information that internal auditors can use from this enforcement action. The first and foremost is that when you turn a rock over and look under it there may well be several things that show up under the light of day. If you are tasked with trying to find one scheme, such as embezzlement and find indicia of another, for example bribery and corruption of foreign government officials, it is in the interest of both you and your company to keep looking. If substantive information comes to a company in any manner, the company has a duty to investigate it and not to bury its collective head in the sand.

The bribery schemes used by Utama are also instructive. Initially, they give internal audit and anyone else looking for that matter, clear red flags to investigate further. If there is a “special purpose fund” of any type, the reason for the fund and justifications for payments out of it, thorough review of backup documentation is mandatory for your review. Additionally, there should be a review of the commissions paid. It is easy enough to do; match up the commission paid with the contract for which it is due under, coupled with the work done by the agent who is alleged to be owed the commission. You should also review the amount of commission paid to ascertain if it is within a reasonable range.

Internal controls must also not only be reviewed but additional monitoring and auditing should be put in place to make sure that any recommendations made are followed. Here Utama was told to close the Agent special purpose account in 2005 but not only did they fail to do so they continued to pay bribes out of it into 2008. Apparently no one at Allianz thought they should follow up to see if the instruction to close the Agent special purpose account was followed.

We started this blog with the question of who was your favorite hero from the Iliad. My favorite is Odysseus. He is the only Greek hero who combines all of the traits I listed in the opening paragraph. I think that the Allianz FCPA enforcement action is similar because there are many different lessons which can be learned. The DOJ and SEC consistently put out solid information that the compliance practitioner can use to evaluate and assess a compliance program or to manage specific risks. You do not have to read the tea leaves or try to go to the Oracle of Delphi to understand what the DOJ and SEC expect in the way of FCPA compliance. The Allianz SEC enforcement action continues this tradition.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

November 8, 2012

Wal-Mart Cover Up- Would a Hot-Line Have Helped?

Ed. Note-we continue our series of guest posts from our colleague Mary Shaddock Jones, who today draws some lessons from the Wal-Mart matter.

On November 8, 2006 Wal-Mart entered the Canadian Market opening three supercenters in Ancaster, London and Stouffville in Ontario, Canada.  On April 21, 2012, the New York Times published an article which included the following statements:

“In September 2005, a senior Wal-Mart lawyer received an alarming e-mail from a former executive at the company’s largest foreign subsidiary, Wal-Mart de Mexico. In the e-mail and follow-up conversations, the former executive described how Wal-Mart de Mexico had orchestrated a campaign of bribery to win market dominance. In its rush to build stores, he said, the company had paid bribes to obtain permits in virtually every corner of the country.   The former executive gave names, dates and bribe amounts. He knew so much, he explained, because for years he had been the lawyer in charge of obtaining construction permits for Wal-Mart de Mexico.   Wal-Mart dispatched investigators to Mexico City, and within days they unearthed evidence of widespread bribery. They found a paper trail of hundreds of suspect payments totaling more than $24 million. They also found documents showing that Wal-Mart de Mexico’s top executives not only knew about the payments, but had taken steps to conceal them from Wal-Mart’s headquarters in Bentonville, Ark. In a confidential report to his superiors, Wal-Mart’s lead investigator, a former F.B.I. special agent, summed up their initial findings this way: “There is reasonable suspicion to believe that Mexican and USA laws have been violated.”   The lead investigator recommended that Wal-Mart expand the investigation.   Instead, an examination by The New York Times found, Wal-Mart’s leaders shut it down.”

This is not the type of news that the Board of Directors of U.S. public company wants to learn about through a newspaper headline. Section 301(4) of the Sarbanes-Oxley Act requires the audit committee of every United States based  publicly traded company to establish procedures for “the confidential, anonymous submission by employees….of concerns regarding questionable accounting or auditing matters” (emphasis supplied). To comply with § 301(4), many employers have designed whistle blowing systems, such as telephone “hotlines”, enabling employees to report potential violations anonymously.

I do not know if Wal-Mart had a “hotline” in 2005, but in order to give employees and/ or third parties the tools necessary to alert executives or members of the Board of Directors to potential illegal or questionable activity- the existence and promotion of an anonymous hotline system is invaluable.

The practical pointer for today’s blog is this- one essential element of a compliance program is an anonymous hotline. Companies do have to be careful when implementing a hotline to understand and abide by European data privacy laws.  However, in the United States,  under most of the recent “Schedule C’s” attached to Deferred Prosecution Agreements, the Department of Justice clearly outlines anonymous reporting systems as one of the required “best practices” for a compliance program: “The Company should establish or maintain an effective system for: a) Providing guidance to directors, officers, employees, and its agents and business partners, on complying with the Company’s anti-corruption compliance policies, including when they need advice on an urgent basis or in any country in which the Company operates; b) Internal and confidential reporting and protection of those reporting breaches of the law or professional standards or ethics concerning anticorruption occurring within the company, suspected criminal conduct, and/or violations of the compliance policies directors, officers, employees; and c) Responding to such requests and undertaking appropriate action in response to such reports.”

 Consider the following policy language on reporting questions and concerns, along with a clear statement regarding non-retaliation for such reporting:

 Reporting Obligations of Company Personnel, Agents, and Partners

All Company Personnel, Agents, and Partners are required to report any knowledge, awareness or suspicion of a potential violation of: (i) the FCPA, the UKBA, or any other anti-corruption and/or anti-bribery laws applicable to the Company; (ii) the Policy; or (iii) the Compliance Manual by the Company or any of its Personnel, Agents, or Partners.

  • Company Personnel are required to report such information to the Company Compliance Officer or his or her designee, or to the hotline described below.
  • Company Agents and Partners are required to report such information to a Company representative, the Company Compliance Officer or his or her designee, or to the hotline described below.  Any Company representative that receives such a report from an Agent or Partner must report that information to the Company Compliance Officer or his or her designee, or to the hotline described below.

Non-Retaliation Policy

The Company has zero tolerance for any retaliation of any kind against any individual who in good faith makes inquiries, reports concerns, or participates in external or internal investigations.  This policy extends to any whistleblower or individual who makes a report to government authorities outside of the procedures described in this Manual.  Any individual who is concerned about retaliation or feels he or she has been subjected to such retaliation should immediately contact your Human Resources representative, the Vice President of Human Resources, the Company Compliance Officer or his or her designee, or through XYZ Hotline .

Retaliation against any individual for making a report as described in this Section in good faith can result in serious disciplinary action up to and including termination.

On a final note, it is not sufficient to just have an anonymous reporting system/hotline number tucked away in a Code of Conduct or a company’s Anti-Corruption policy.  The existence of the hotline should be prominently displayed through the use of posters or wallet cards, preferably in the native language of the employees at each particular location.  Periodic reminders should also be sent out to employees and to third party business agents encouraging them to use the anonymous reporting system if they have questions or concerns that they want answered or reported.

 Mary Shaddock Jones has practiced law for 25 years in Texas and Louisiana primarily in the international marine and oil service industries.  She was of the first individuals in the United States to earn TRACE Anti-bribery Specialist Accreditation (TASA).  She can be reached at msjones@msjllc.com or 337-513-0335. Her associate, Miller M. Flynt, assisted in the preparation of this series.  He can be reached at mmflynt@msjllc.com.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor.

 

October 4, 2012

What is Your Magic Number? Creation, Implementation and Administration of a Hotline

For the Astros, it is not this season’s ignominious record of 107 losses, which they achieved yesterday with a season ending loss to the Chicago Cubs, but the magic number of 186; which is the number of days until the Astros open the 2013 season and the next time they will be tied for first place in the American League (AL) West Division.

For the compliance practitioner, the same might be asked of your company’s hotline. However apocryphal the story might be it is too good to pass up so here we go: When, in final negotiations with a company to resolve a Foreign Corrupt Practices Act (FCPA) violation, the Department of Justice (DOJ) attorney asked for the phone number of the company’s hotline. Counsel representing the company dutifully provided the number and the DOJ attorney called the hotline only to find it was “not a working number.” Oops.

I thought about the above story in the context of the maxim that not all hotlines are created, or more importantly, administered equally. In an article entitled “Hotline Report Reveals Compliance Concerns” author Karen Kroll looked at the “2012 Corporate Governance and Compliance Hotline Benchmarking Report” and found what she termed “troubling findings”, which are that not only are instances of fraud increasing but that retaliation against whistleblowers is increasing as well. Kroll noted that “despite greater protection for whistleblowers in the Dodd-Frank Act, calls concerning potential retaliation against an employee who has made an inquiry through a hotline increased to 2.9 percent of overall incidents, up from just 2.1 percent in 2010.” But as bad as these figures are they seem to only presage Kroll’s penultimate conclusion, which is that internal reporting will slowly wither away with the protections offered by whistleblowers under the Dodd-Frank Act and the attendant bounties that can be paid to a whistleblower in the event a violation is uncovered and an enforcement action results in a fine or penalty paid to the US government.

I recently saw a White Paper by Business Controls, Inc., released through Compliance Week, where an un-named author posited that there are seven essential features to create an effective hotline. I found this article to be useful in that it provided information by which a compliance practitioner could quickly review how his or her company might set up a hotline. The seven criteria are as follows.

  1.  The hotline is developed and maintained externally. The author believes that em­ployees tend to trust hotlines maintained by third parties more than they do internally maintained systems. By submitting reports through an external hotline there is a perceived extra layer of anonymity and impartiality compared to a sys­tem developed in-house. A third party provider is also more likely to bring specialist expertise that’s difficult to match within the organization.
  2. The hotline supports the collection of detailed infor­mation. If information can be gathered and re­corded at every point during the complaint life cycle, then compli­ance officers should have greater insight into the situation and a company can protect itself more effectively from accusations of negligence or wrongdoing. A hotline reporting system should provide consolidated, real-time access to data across all departments and locations, plus analytic capabilities that allow you to un­cover trends and hot spots. All report materials should be consolidated in one comprehensive, chronologi­cally organized file, so that you can monitor ongoing progress and make better, more informed decisions.
  3. The hotline meets your company’s data retention poli­cies. Retaining data in a manner consistent with your internal data retention policies is important. Make sure your hotline offers a secure, accessible report retention database, or you may be faced with making your own complicated and costly arrangements for transmitting and storing older reports to a permanent storage location.
  4. The hotline is designed to inspire employee confidence. Kroll’s article discussed above cites the fear of retaliation as strong but also increasing among potential whis­tleblowers. This can destroy the effectiveness of the internal reporting process and poison the corporate culture. The hot­line must be seen to offer the highest levels of protection and anonymity. To encourage employee participation, the hotline should allow them to bring their concerns directly to some­one outside their immediate chain of command or workplace environment – especially when the complaint concerns an immediate superior. The hotline should also enable employees to submit a re­port from the privacy of an off-site computer or telephone. It may seem like a small convenience, but giving employees the freedom to enter a complaint from a location that “feels safe” can make a huge difference to participation rates.
  5.  The hotline offers on-demand support from subject matter experts. Opening lines of communication can bring new issues to your compliance group. It is therefore important that once those reports are entered into the system, a person or function has the responsibility to follow up in a timely manner.
  6.  The hotline provides inbuilt litigation support and avoidance tools. Ascertain that your hotline is preconfigured to meet the legal requirements for document retention, at­torney work product protection procedures, and attorney privilege. Developing these tools in-house can add signifi­cantly to your costs, and maintaining a hotline without one exposes your organization to unacceptable risk.
  7.  The hotline supports direct communication. A hotline should open the lines of communication and give you a di­rect sight-line into the heart of your company. Look for a system that enables you to connect directly, privately, and anonymously with the person filing a complaint. Direct communication also signals to employees that their complaints are being heard at the highest levels.

Like other risk management issues, hotlines must also be managed effectively after implementation and roll-out. Here are some practical tips which will help you make your hotline an effective and useful tool.

Get the word out. If employees don’t know about the hotline, they won’t use it. Allocate a portion of your time and budget to promoting the corporate hotline through multiple channels. Put up posters and distribute cards that employees can keep in their wallets or desk drawers. Deliver in-person presentations where possible. And don’t think of the promotional initiative as a one-time effort. It’s important to remind employees regularly, through in-person communications, via e-mail, or through intranets, newsletters, and so on, that this resource is available to them. Some hotlines offer promotional materials to help make the job easier; make sure you ask what type of promotional support may be available.

Train all your employees. Getting employees to use the system is one half of the challenge; ensuring they use it properly is the other half. This is where training becomes essential. Make sure people understand what types of activities or observations are appropriate for reporting and which are not. HR and compliance staff will need training too, to help them understand how the hotline impacts their day-to-day activities. Company leaders also need to understand the role the hotline plays in the organizational culture, and the importance of their visible support for this compliance initiative.

Take a look at the data. Use the data derived from or through the hotline to identify unexpected trends or issues. Examples might be what percentage of employees use the hotline and what issues are they submitting? A healthy hotline reporting system will yield reports from .5 to 2 percent of your employee base. If your reporting patterns are higher or lower, it may indicate mistrust of the hotline, misuse, or a widespread compliance issue. Isolate the data by location and department to identify micro-trends that could indicate problems within a subset of your corporate culture. Analyzing the data can help you stay a step ahead of emerging issues.

 Response is critical to fairness in the system. Seeing a hotline system in action in this way can go a long way toward dispelling employee fears of being ostracized or experiencing retaliation because if see that their concerns are heard clearly and addressed fairly, they will learn to view the hotline as a valuable conduit. If your compliance group responds promptly and appropriately to hotline complaints, you can ensure robust participation and ongoing success. Even when a complaint proves to be unfounded, it can still provide an opportunity to open a dialogue with employees and clear up any misunderstandings. Responding to reported issues also gives compliance officers a chance to prove that issues can be resolved or addressed while protecting the privacy and anonymity of the whistleblower.

As with the management of third party representatives, your real work begins are the contract is signed. You simply cannot set up a hotline without managing it. A fairly administered hotline and investigation protocol is a key component of fair process in your compliance regime. So take a look at your hotline based upon the above concepts. It may be that your magic number needs to change.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

August 23, 2012

What is Your Integrity Capital?

Compliance practitioners often hear that bribes must be paid in emerging markets to get anything done. Indeed a recent survey by CEB (formerly Corporate Executive Board) of more than 700,000 employees of multinationals around the world, discussed in a Harvard Business Review article, entitled “Greased Palms, Giant Headaches”, by Dan Currell and Tracy Davis Bradley reported that there was a large jump in the payments of bribes, providing or receiving improper gifts and failures to report conflicts of interest in the BRIC (Brazil, Russia, India and China) countries over developed countries. Is bribery really pervasive in those countries or is it simply the perception? On the other hand, as Andre Agassi was found to say “Perception is reality.” Certainly the story by the New York Times (NYT) about Wal-Mart in Mexico paying over $24 million to be the first big box retailer into the Mexican market may lead some credence to that perception. While the authors did not specifically address the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act, they did report that “bribery and corruption is the second leading category of unlawful activity by Western companies in emerging markets”.

However, Currell and Bradley focus their collective attention on the US corporate headquarters in their article. They note that “Our research suggests that one driver originates at headquarters-multinationals’ increasing growth imperative in emerging markets.” While it certainly is a recognized and valid long-term growth strategy to identify and develop new markets, the authors believe that companies are now thinking that they can “meet our targets by increasing revenues quickly in markets” like the BRIC countries. In other words, long-term strategic plans suddenly become “short-term necessities” and this change can increase “the pressure on local employees to make their numbers, tempting some to break the law.”

What is a company to do when short term goals cause pressure, pressure and more pressure for increased revenues? The authors acknowledge that a robust compliance program is a key component for protection against bribery and corruption by employees, but they believe that more is needed. They identify “Integrity Capital” as a key component to “lower levels of misconduct along with higher levels of reporting when employees do witness wrongdoing. Integrity capital is embedded in the culture, not instituted through controls, and it helps shape employee behavior, which could include offering a bribe or defrauding the company.” The authors identify the following as five factors of Integrity Capital:

  1. Management takes action when it becomes aware of misconduct. This means that companies “must insist on a swift response to complaints, unbiased investigations” and even “public hangings” of offenders.
  2. Employees are comfortable speaking up about misconduct and don’t fear retaliation. While this would seem to be self-evident, it is a sad fact that in many companies, whistleblowers are ostracized or even blamed for the conduct in question. Witness the initial response by Wal-Mart management in the 2005 time frame to allegations of corruption made by an employee with knowledge of the conduct. He was blamed for the conduct at issue. Even in the recent allegations brought to light with EADS, the whistleblowers were marginalized or worse by the company.
  3. Senior leaders and managers treat employees with respect. The authors believe that in addition to not mistreating whistleblowers, companies should “praise employees who have the courage to call out wrongdoing.”
  4. Managers hold employees accountable. Simply put, if an employee engages in bribery or corruption, they need to be disciplined or discharged. Allowing high revenue generators or high income generating territories or business units to avoid scrutiny and/or sanctions is a clear recipe to destroy the integrity of a compliance program.
  5. High levels of trust exist among colleagues. Your employees must believe that the company will take allegations seriously and will act on the information that they provide.

The authors conclude their article with three different concepts which they believe will minimize the occurrences of bribery and corruption within an organization. First, a company should use commonsense observation. If an emerging market shows success in “speeding things along”, such as regulatory approvals for the construction of bricks-and-mortar facilities, this made need to be looked at closer. Since regulatory approvals do not happen quickly in BRIC countries, it may be that the skids were greased with cash to pay bribes. The second is that a company must be proactive in seeking out and obtaining information from employees about allegations of bribery and corruption. The authors “advise companies to also proactively solicit information from frontline employees and to use surveys or online tools to guarantee anonymity” in reporting allegations of bribery and corruption. Lastly, the authors insist that companies have organization justice so that if there are credible reports of misconduct they are not swept under the rug.

Currell and Bradley provide interesting observations which can be used by a compliance professional to evaluate the sufficiency of their compliance program. Their thoughts on things to look for from an emerging market provide solid guidance on searching for potential red flags which might warrant further investigation from internal audit or a FCPA based compliance audit team. There are a number of practitioners and ethicists who talk about the need for ethics in any company culture to compliment a compliance program. The article by Currell and Bradley provides some of their guidance on what that may look like.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 4,513 other followers