FCPA Compliance and Ethics Blog

February 12, 2014

Shirley Temple and Excellence in FCPA Training Video

Lead and LearnToday we honor one of the most interesting personalities of the 20th century, Shirley Temple, who died yesterday. She was probably the greatest child actress of all-time, being the lead grossing star for five straight years during the 1930s. But the thing I found most remarkable about this woman was her third career, after marriage and motherhood, in the US Diplomatic Corp. President Richard Nixon appointed her as a Representative UN. Nixon later appointed her as Ambassador to Ghana. President Ford named her to be the first female Chief of Protocol of the US. Finally, the first President Bush appointed her as Ambassador to Czechoslovakia. But whatever role Shirley Temple chose she did it with excellence.

Just as Ms. Temple had a commitment to excellence, so does my colleague, Mike Koehler, the FCPA Professor. Recently the FCPA Professor announced that he had partnered with Emtrain to create a best in class Foreign Corrupt Practices Act (FCPA) compliance training video. I had the opportunity to view the video and I can agree that it is certainly an excellent training video, which you should consider for use in your company’s ongoing compliance training and communication. As you would expect from the FCPA Professor, each slide is well documented and provides the basis for the training. However, the thing that I thought made the training stand out was the variety of techniques used throughout the video.

There are separate chapters on the following subjects: an Introduction to the FCPA, the social and business case for the FCPA, the definition of bribery under the Act, a definition of what constitutes “Anything of Value” under the Act, who is a Foreign Official under the Act and who else might be covered by the FCPA, what does it mean to “Obtain or Retain Business”, the high nature of Third Parties under the FCPA and how to manage that risk, what might be available as an exception to the Act and defenses under the FCPA, Books and Internal Controls, a discussion of the UK Bribery Act, Red Flags that you should be aware, creation of a FCPA compliance policy and self-reporting of violations to the DOJ/SEC and a summary section. After completion of the course you should be able to describe how corruption impedes global economic development and how it undermines the ability to compete fairly in business; outline three fundamental elements of a bribery offense that can lead to prosecution of companies as well as individuals; identify various red flags that can be indicators of bribery and outline how, and to whom, you should report concerns about possible bribery and corruption.

The video training includes the following:

  • Executive and non-executive versions
  • The ability to configure the course with company-specific policies, videos, graphics, text, and employee hotline or reporting information
  • 20+ video clips to illustrate real-world business scenarios that present risk
  • An Enforcement Risk Spectrum that helps learners “issue spot” bribery and corruption risk
  • The ability to use video scenes outside the e-Learning experience in live training, discussion groups, or company emails and reminders
  • A compliance Learning Management System (LMS), enabling an administrator to launch and track training efforts and generate audit-ready training reports showing time spent on each video, screen, policy, etc.
  • There will be productions available in Mandarin Chinese, Russian, Arabic, Portuguese, French, and other languages upon request.

But the video is more than simply a recitation of what is required under the FCPA. The thing that makes it stand out for me is the different types of training it employs to hold the listener’s attention. First is the length of 60 minutes for an executive/high risk trainee and a shorter length for those who do not fall into those categories. Next, for those who may desire to devolve deeply into the subject matter, are short concise descriptions of the legal and compliance concept involved in the discussions. For instance, in the section on the definition of bribery there is a discussion of the Organization for Economic Cooperation and Development (OECD) established standards to combat bribery and the United Nations Convention Against Corruption (UNCAC), which established guidelines for codes of conduct for public officials, transparent and objective procurement systems, and increased accounting and auditing standards for the private sector. Added to this is a short piece on the UK Bribery Act. All of these non-US laws are then tied into the FCPA so the listener will have a broad understanding of what they may be facing in any multi-national business from the anti-corruption compliance perspective. Significantly, and most soberingly, the video points out that according to the World Bank Institute, more than $1 trillion is paid globally in bribes each year. Some of the worst affected countries are the poorest ones in the world.

What I think makes the video unique and frankly enjoyable to watch, is that it  has several interactive features. The first is that it opens with an interactive pre-assessment that is designed to determine how much you already know about global bribery and corruption. From there, each section has a short interactive questionnaire at the conclusion of the video on the section’s topic. These features allow the participants to examine their own expertise and then self-assess the lessons that they have learned throughout the presentation. By making each session interactive, you not only hold the attention of the listener but also garner their participation in the training. Any time you can get participation in training, you are a long way towards having an effective training program.

There are a couple of other cool features. It allows your company to customize the training by attaching some of your key anti-corruption policies and procedures for review during the Policies section of the training. Additionally, and following my mantra of Document, Document and Document, after completion of the training, your participation is electronically noted for record keeping, along with a copy of the training materials. So when the regulators want to see not only who was trained but also the materials they were trained on, you have easily assessable records to document the event.

So when the FPCA Professor says he has created a best in class FCPA training program, I heartily agree. You can check out a demo version of the training video by clicking here.

=======================================================================================================================================================================================================================

As many of you know, Jon Rydberg and I wrote and published a book at the end of last year, entitled “Global Anti-Corruption & Anti-Bribery Leadership Practical FCPA and U.K. Bribery Act Compliance Concepts for the Corporate Board Member, C-Suite Executive and General Counsel”. On Thursday, February 13, we will discuss our book in a webinar hosted by Hiperos LLC. Hiperos President, Greg Dickinson, will be interviewing Jon and myself about the book, its genesis and our thoughts on ‘doing compliance’ as opposed to simply having a compliance program. The event is free and you can find details and register by clicking here.

=======================================================================================================================================================================================================================

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

January 21, 2014

The Culinary Aspects of Homer’s Odyssey and Compliance Training

Culinary in the Odyessy

I recently came across a fascinating book entitled “The Meaning of Meat and the Structure of the Odyssey” by Egbert Bakker. In this work, Bakker looks at the culinary aspects of Odysseus’ journey home from the Trojan War. Peter Thonemann, writing in the TLS, said that “Bakker’s book is a powerful illustration of the importance of food and culinary practices to past society.” In other words, the eating habits could be used to not only understand the past but also perhaps train those in the present about the “wider moral culpability” found in Homer’s work.

I thought about this different way of learning as I was reading a recent article by the Open Compliance and Ethics Group (OCEG) President Carol Switzer in the Compliance Week magazine, entitled “Playing the Game of Risk in Workplace Education”. Her article was coupled with a roundtable discussion of the subject and another in the OCEG, GRC Illustrated Series entitled “Risk-Based Education and Training”.

In the article, Switzer reminds us “one size does not fit all in deciding the content and intensity of training needs for each role or individual”. Recognizing that it all starts with a risk-based analysis of who needs the training is just the start. Switzer believes that by engaging employees in the training, it can become more effective. She looks to the world of gaming when stating that, “Well-designed games encourage engagement, and more engagement means more reinforcement, and that leads to better recollection and application of the information. Situational decision making drives the player to think, not just act. Making wrong choices and seeing the consequences leads to desire to act the right way and gain rewards, be it advancing to the next level of the game, earning a prize for success, or understanding that in the real workplace world the reward may be achievement of personal and organizational objectives.”

In her roundtable, she posed the question, “How do you suggest companies decide on the appropriate amount of training? Earl Jones, Shareholder at Littler Mendelson PC, responded that a company needs to evaluate where its risks are, “If the company is betting on international expansion, then intensive anti-bribery and corruption intensive training is a necessity for key employees. Also design training to build and protect sources of value. If an intangible asset, like a brand, is an important source of value, thoroughly train employees to identify, understand, and react to events or behavior that could impair the brand.”

When it comes to the scope and style of training, Steve Perreault, Global Head of eLearning GRC for Thomson Reuter, suggested you should assess your training by employee groups. You should “Understand things like: How likely is a group of employees to participate in activity that is related to a particular regulatory area? How complex is that regulation? What controls are in place already? Is this employee group responsible for making sure others comply with policies and regulations? You also have to consider what you will need to provide to evidence to regulators and courts that the program exists and is effective. Once you get that figured out, you must ensure that you stay on top of changes in legislation and enforcement, and revise policy, procedures, and training accordingly.”

Switzer next turned to measuring the effectiveness of training and how a company might determine this. Alisha Lynch, Global Ethics and Compliance Education Leader at Dell Inc., said, “Determining the scope and style of training should have several input sources.  Most organizations have three- to five-year strategic plans, and training programs should be designed to support those plans and initiatives. One good analogy is that a training initiative should be like a physical fitness regime. You cannot exercise the same muscle every time to make significant improvements, and you cannot ignore the diet. A culture is like a diet. If the organization designs and delivers great training but the culture is toxic, probably no improvement will be made.”

In the GRC Illustrated Series, it suggests that companies take a risk-based approach to provide appropriate levels and types of training and education to different individuals across the organization. Some of the factors they suggest you review are the role of the individuals, geography, and their level of exposure to particular risk areas. Such an approach moves away from the ‘tick-the-box’ approach that generally renders such compliance useless. It also helps to ensure that there is a more effective use of budgetary resources by focusing training efforts to maximize the return on the investment. The piece advocates a three-pronged approach.

Define

The first step is to define what you are trying to achieve. The piece recognizes that “while some organizations limit their training programs to what is legally required, more successful ones know that there are many reasons for developing a thoughtful, well-designed approach to employee education.” It puts forward that if training is done right, it will help the organization to achieve several goals. These include: the business Objectives; managing threats and business opportunities; it will address change in positive manner; it can help to ensure integrity and the company’s reputation; it can strengthen the business’s culture and ethical conduct; and, lastly, it can provide evidence that the company has complied with legal requirements such as the US Sentencing Guidelines and the Ten Hallmark’s of an Effective Compliance Program.

Design

The next step is to design the training program, which is further broken down into three steps, which drill down into the specifics of training. By using these three steps, you can help to assure that the training will be effective for the individual but also for the nature of the risk involved.

The first is to design the training program. Steps include the development of curriculum using a risk-based model. You should set uniform methods for acquiring content, maintaining records, and reporting. This should be followed by the establishment of standards for selecting appropriate content, delivery methods, frequency, and assurance based on risk exposure. You can review any technological solutions for both e-learning delivery and documentation. Finally, you will need to consider training content revision when requirements or risk analyses change.

After the design of the training program, the next level is to design the specific training courses. Here you should establish your learning objectives and map the training to legal and competency requirements. You must always remember who is your audience and what their characteristics might be. You need to ensure that the content is timely and the instructors are effective. Finally, you will need to determine not only the most appropriate mechanism to deliver the content but also define the key performance indicators and determine methods to audit them.

The final design level is the individual’s training plan. Here you need to analyze what the person’s role is within the organization and use this to determine mandatory and risk-based training needs. You will need to consider modifying the risk profile based upon assessments given before and after the training is delivered and then adapt the training as an employee’s role and risk profile changes within an organization

Deliver

For the delivery of the training materials, they also have a tripartite scheme. They break it down into high risk exposure roles; medium risk exposure roles and low-risk exposure roles.

  • High Risk Exposure Roles – are defined as those employees whose roles in an organization can significantly impact the company. Here expert subject proficiency is demanded and individuals should be able to act with confidence in a wide range of scenarios and conditions based on a strong understanding of the risks, requirements, and penalties. Training may be repeated frequently using several methods of delivery, have greater assurance through testing and certification of course completion, and include ongoing risk profiling of individuals through assessment of behavior choices in online courses or live simulation exercises.
  • Medium Risk Exposure Roles – are defined as those employees who face risk on regular basis or present a moderate level of negative impact to a company if they mishandle the risk. These individuals should know the risks, requirements, and penalties and should be able to apply their knowledge to common scenarios using standards and tools given to them. Training should have content to make them proficient in the subject, be refreshed periodically, use a mix of modes of delivery, and have methods to prove evidence of understanding.
  • Low Risk Exposure Roles – are defined as those employees with a low likelihood of facing the attendant risk. Persons in this category should be made aware of the risks, requirements, and penalties, as well as the organization’s expectations about how to address it. They should know relevant policies and procedures and where to get assistance in addressing a risk or making a behavior decision.

As with all areas in an anti-corruption compliance program, Switzer and the OCEG suggest that you monitor and audit your program so that you can review it and improve as circumstances warrant. I would add that you should also Document, Document and Document what you are doing for the same reasons. Just as Bakker’s new look at the culinary aspects of the classics can provide new insights into interpretation, it also shows the training that was written into Homer’s Odyssey.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

December 13, 2013

More Compliance Lessons from the Asiana/SFO Crash Investigation

I have long been interested in the intersection in the changes in attitude regarding safety in the workplace by corporations and the changing attitudes on doing business through bribery and corruption. As a trial lawyer defending corporations in catastrophic accident lawsuits, I saw a sea change in the corporate attitude regarding safety, beginning in the 1980s through the 1990s. Many of the arguments used against safety during that era are used now. Some of my favorites are: (the financial excuse) it costs too much and doesn’t contribute to the bottom line; (the traditional excuse) we’ve always done it that way; and (my personal favorite) you can’t stop humans from screwing up and trying to injure themselves. But the reality is that safety at the work place did improve and now most companies not only say that safety is job No. 1 but they live and breathe that motto. Does this sea change mean that serious accidents do not happen at the workplace? Of course not, but it does not mean that companies have or even should give up the quest for zero accidents at work.

Part of the ongoing debate about compliance is whether the Department of Justice (DOJ) approach of corporate enforcement actions and the use of Deferred Prosecution Agreements (DPAs) and Non-Prosecution Agreements (NPAs) help or hurt compliance with the Foreign Corrupt Practices Act (FCPA). Some commentators remark that the simple fact that there are enforcement actions is indicia itself that the DOJ approach is not working. Mike Volkov took on this topic in his post, entitled “The Sky is the Limit: Escalating Fines, DPA/NPAs and Deterrence”, by asking if “it is important to ask the question whether the current enforcement scheme adequately punishes and deters corporations”? In his discussion he points to some who want more prosecution of individuals as a greater deterrent and others, notably the FCPA Professor, who want greater corporate protections against prosecution through the addition of a compliance defense as a mechanism to give corporations more incentive to do business in compliance with the law. Volkov ends by observing the DOJ’s current enforcement focus “will not change unless and until there is a good reason to do so – so far no one has pointed to any significant reason for the Department of Justice to change its practices.”

I thought about all of the above in the context of the hearings in Washington in front of the National Transportation Safety Board (NTSB) surrounding the crash of the Asiana jet at San Francisco’s airport last summer. Earlier this week I wrote about one of the lessons from the hearings which was the need for enhanced training by Asiana pilots on not only the specific planes they pilot but also training that they can speak up when they see something that they believe is not right.

This need for training was made even more acute when the story about the testimony given by the Captain on board the flight in question in a New York Times (NYT) article, entitled “Pilots in Crash Were Confused About Control Systems, Experts Say”, where Captain Lee said that he told investigators that any of the three pilots on the plane could have decided to break off the approach, but he said it was “very hard” for him to do so because he was a “low-level” person being supervised by an instructor pilot. But more than even the failure to raise his hand and speak up, Lee did not heed the warning of a junior officer. As reported in an article by the Associated Press, entitled “Pilot who crashed at SFO was worried about landing”, after the accident, Lee told NTSB investigators that neither he nor the instructor pilot onboard the flight said anything when the first officer raised concerns four times about the plane’s rapid descent. Further, he was very concerned about his ability to make a visual landing. So not only was Lee afraid to speak the truth to a superior, he didn’t listen when questioned by a junior. In the world of workplace or airline safety, this is a recipe for disaster.

I think the key to overcoming these problems is training, which has long been recognized as a cornerstone of any best practices ethics and compliance program. I thought it might be an appropriate time to review the training statements made regarding the FCPA. The US Sentencing Guidelines list “Conducting effective training programs” as one of the factors the DOJ will take into account when a company accused of a FCPA violation is being evaluated for a sentence reduction. The Sentencing Guidelines mandate:

(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities. 

After the promulgation of the Sentencing Guidelines, the DOJ and Securities and Exchange Commission (SEC) gave their views on training in the 2012 FCPA Guidance. Their Ten Hallmarks of an Effective Compliance Program listed Training and Communication as one of the key elements. In this section they said that anti-corruption and anti-bribery compliance policies cannot work unless effectively communicated throughout a company. They advised that “a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” But more than a simple dyadic promulgation of a rule, a company should tailor its training to its needs and its risks. This means that any “information should be presented in a manner appropriate for the targeted audience, including providing training and training materials in the local language.

In addition to the FCPA Guidance, the UK Ministry of Justice (MOJ) has stated that training is one of the Six Principles of an effective compliance program. Under Principle V, it states that “The business seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the company through internal and external communication, including training, that is proportionate to the risks it faces.” The Guidance recognizes that communication and training deters bribery by companies, their employees and those persons associated with it, by enhancing awareness and understanding anti-corruption policies and procedures and the company’s commitment to their proper application. It therefore follows that making information available on legal requirements, obligations and policies and procedures for implementation of the same assists in more effective monitoring, evaluation and review of bribery prevention procedures. Anti-bribery training should provide, to company employees and those persons and entities associated with the company, the knowledge and skills needed to implement and utilize the anti-bribery procedures and handle in a satisfactory manner any bribery related problems or issues that may arise.

Fortunately violations of the FCPA rarely result in loss of life or limb. But that does not diminish the responsibility of companies to comply with the law. And just as corporate attitudes around safety changed dramatically, corporate attitudes about following the FCPA can change as well. Indeed they could even take the basic approach suggested by (the then) DOJ representative Greg Anders in testimony about attempts to amend the FCPA before the House Judiciary Committee, don’t pay bribes.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

December 11, 2013

Keep Your Hand on the Control

#14748 Hand on the Throttle by Karl-Heinz Morawietz 2011-01-27Yesterday Nelson Mandela’s casket was driven to the state capital where he will lay in state until his funeral on Sunday 15th December. Dignitaries from all over the world will attend. Mandela was praised for his non-violent approach to ending apartheid in South Africa and his leadership in the peaceful transition of power. But he was also recognized as incorruptible. So today we honor that aspect of his career.

I am continually amazed at the seemingly disparate current events which provide tangible lessons for the compliance practitioner. In an article in the New York Times (NYT), entitled “Hearings on San Francisco Crash Set to Explore Broader Problems”, reporter Matthew L. Wald wrote about the upcoming National Transportation Safety Board (NTSB) hearings on the deadly plane crash last July at San Francisco International Airport. Investigators quickly were able to determine the immediate cause of the crash; that being the pilots failure to monitor their airspeed. However these hearings will go further and try to determine more basic reasons which led to the pilots to make the decisions which caused or contributed to the disaster.

The first was an over-reliance on technology. Crews for the airline involved, Asiana, are “accustomed to programming the autopilot to land their planes” rather than manually taking over during the landing procedure. The first problem was compounded and became disaster when a second problem apparently arose which was that the pilots had “evidently limited ability to manage the ubiquitous automated systems in the cockpit.” So they flew expecting the auto-pilot to land the plane but did not realize or appreciate that the auto-throttle portion of the system was in the off position. The article was clear that, even with these reasons, the problems which led to the crash were “more broad than bad pilots.”

The reliance on technology or big data has become an issue in the Foreign Corrupt Practices Act (FCPA) or other anti-corruption laws such as the UK Bribery Act. The Department of Justice (DOJ) has brought up the tool of transaction monitoring as a best practice at least since the Morgan Stanley Declination. But, just as these tools are important to the compliance practitioner, it is important to keep in mind that one of the remedies certain US based airlines have come up with will make it harder for crews to overlook problems like low airspeed, even when a plane’s auto-pilot is turned on during a descent. The solution is elegant for its simplicity, certain airlines mandated that “a pilot keep a hand on the throttle, to sense its position, during descent.” Simple, elegant and cost effective I would add.

For the compliance professional this also means a compliance program is more than simply about numbers and systems. As Paul McNutly and Stephen Martin say in their five essential elements of an effective compliance program, it is important to not only understand but ascertain if your employees are staying with the compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are adhering to the compliance program. Two of the seven compliance elements in the Federal Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three highlighted activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

The next area that the NTSB hearings will look at is training and procedures. One thing that US pilots are trained on and given a wide berth to do is to “speak up if they sense a problem, even if the pilot at the controls has seniority, and to listen to subordinates.” Recognizing that part of the issue here is cultural, because South Korean crews “have had trouble with those procedures”,  the clear message here is training. For the compliance practitioner, the message is also clear, again it is training, training and training. Whether you call it a ‘Speak Up, Speak Out’ or ‘Raise Your Hand’ culture, such a system must be put in place to allow an employee who senses a problem to get that information to people who can take a more focused look at the problem.

But, more than training, the company has to commit to more than having a system. The company must commit to listening. One of the biggest changes in the airlines cockpits is that more senior pilots are instructed listen to junior pilots. The same must be true in a company. The company has to listen to employee concerns. This requirement to listen has been made even stronger with the Dodd-Frank Whistleblower provisions. But the clear message for the compliance practitioner is that speaking up and listening are a two-way exercise.

Just as in every catastrophic accident, in almost every circumstance regarding a compliance issue which becomes a FCPA violation, there is at some point a situation where an employee did not report a situation or event up to an appropriate level for additional review. This failure to escalate led to the issue not reaching the right people in the company for review/action/resolution and the issue later became more difficult and more expensive to deal with in the company. This means that a company needs to have a culture in place to not only allow elevation but to actively encourage elevation. Additionally, both a structure and process for that structure must exist. Lastly, while a whistleblower process or hotlines are necessary these should not be viewed as the only systems which allow an employee to escalate a concern. In the cockpit it means a junior pilot can speak directly to a more senior pilot.

One of the things that I have learned practicing compliance is that process is very important. But the investigation into the Asiana crash shows that keeping your hand on the throttle to understand the pulse of things is a very good technique to maintain.

—————————————————————————————————————————————————————–

Please join myself and Eddie Cogan, CEO of Catelas as we discuss Risk-Based 3rd Party Vetting, Screening and Monitoring Strategies for High Risk Jurisdictions Thursday, December 12. For information and registration click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

November 15, 2013

The Texans Are 2-7: What is Missing from Your Compliance Program?

I usually do not write about the Houston Texans because (1) unlike the sad sack Astros, they are not often relevant enough to care about and (2) they usually are relatively well-run. They continue to be not relevant this year, coming into this week’s game with a sterling 2-7 record. However, they showed themselves not be too well run this week when they summarily dismissed from the team  safety Ed Reed, after he publicly said that the Texans were “out-coached and out-played” last week following the team’s seventh straight loss. As my friend and colleague Richard Lummis is fond of saying “No sh– Sherlock.”

For those of you who do not know Ed Reed, he is in his 12th season of playing in the National Football League. He is a two-time Super Bowl Champion, a nine-time Pro Bowler, a former NFL Defensive Player of the Year and a sure-fired first ballot Hall of Famer. In other words, he not only knows pro football but he is winner. Reed played his first 11 seasons with the Baltimore Ravens and was signed as a Free Agent by the Texans to bring some professionalism and winning attitude to the club. He had surgery in the offseason which slowed him down to the point he longer started but he still has the attitude and credentials of a winner. So what does it say about the Texans when a player of Reed’s stature speaks the truth and is summarily cut the next day. How many top notch free agents or top talent would want to play with an organization that punishes people who publicly complain about losing?

I thought about Reed and the Texans when I read a post from the noted site JDSupra entitled, “What’s the One Thing Missing From Your Corporate Compliance Program?” They put that question to various compliance attorneys writing on JD Supra, asking each to commit to just one essential element that, in their experience, they regularly see missing from corporate programs; IE., programs that are required to address myriad regulatory issues to do with privacy and data security, insider trading, bribery and corruption, and other such matters across numerous jurisdictions. I found the replies quite interesting and perhaps some insights which the Texans can use.

From Jeremy B. Zucker, Co-chair, International Trade and Government Regulation practice at Dechert LLP: “For a compliance program to be truly effective, personnel must take ownership of their behavior and take pride in being part of the team. To achieve this, a truly effective compliance program must demonstrate that a values-based approach is relevant to the daily conduct of business…”

From Charles F. Connolly, partner in Akin Gump’s white collar practice in Washington, D.C.: “…the key question enforcement authorities ask when evaluating a company’s compliance program is ‘does it work?’  The only way to answer that question proactively is to review – and test – the program on a regular basis.”

From Joe Bermudez, partner at Wilson Elser: “Crisis management policies, protocols and procedures are a necessary element for any company’s compliance program. Often overlooked because companies refuse or fail to consider the contingencies involved with catastrophic or tragic events, an effective crisis management plan may be the difference between a company surviving a crisis event and not…The issue is not when a crisis will strike, the issue is whether the company is prepared to survive the event.”

From Peter Menard, senior partner in the Corporate Practice Group at Sheppard Mullin: “Forms of policies, procedures and contract provisions are widely available on the Internet to ensure compliance with such diverse regulations as FCPA and other anti-bribery rules, prohibitions on insider trading, protection of confidential personal financial and health records, and import/export controls…Lawyers can draft the most comprehensive policy, but only management can take the policy out of the file cabinet and make it an integral part of the corporate culture…”

From Chester Hosch, partner in the Corporate and Tax Group at Burr Forman: “The one thing lacking in most corporate compliance programs is a culture of unshakable commitment to integrity and ethics. The commitment has to be embraced and encouraged notoriously, unambiguously and completely by senior management. The commitment will manifest itself in adequate funding, effective training and consistent monitoring. In the end, the compliance officer will have absolute confidence top management will remain true to the commitment, no matter the consequences.”

From Bettina Eckerle at Eckerle Law: “In my experience, often companies do not treat their compliance program as living breathing organism that need to be tested, reviewed, changed, brought up-to-date as market conditions, business practices and the regulatory environment evolve.  One should never think one is ‘done’ with what is in place but rather incorporate compliance in the day-to-day ebb and flow of the business.”

From yours truly: Document Document Document

These observations bring to bear a different set of focuses which you should consider in the context of your compliance program. Take each point raised and ask yourself, do we have this concept or protocol in place? If you do, then ask yourself my mantra: Did you Document Document Document it so that if a regulator, from the US to China comes knocking you will be able to demonstrate that you did have such protocol or concept in place.

As to the Texans, I think the thing that they are missing is reality. They should ask themselves about now if they are dedicated to winning or something else. After losing seven straight games it is even obvious to my English wife that they are being out-coached and out-played. Fortunately she cannot be fired from her job for saying so.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

October 24, 2013

How Do You Develop a Compliance Practitioner?

The Morrill Act was a seminal moment in American education. This law, passed in 1862, provided that land-grant institutions of higher learning should be created “without excluding other scientific and classical studies and including military tactic, to teach such branches of learning as are related to agriculture and the mechanic arts, in such manner as the legislatures of the States may respectively prescribe, in order to promote the liberal and practical education of the industrial classes in the several pursuits and professions in life.”

Under the Act, each eligible state received a total of 30,000 acres of federal land, either within or contiguous to its boundaries, for each member of congress the state had as of the census of 1860. This land, or the proceeds from its sale, was to be used toward establishing and funding the educational institutions described above. The law had been introduced in the 1850s but the Southern land aristocracy, who most assuredly did not want universal education for the masses, prevented it from being enacted into law. With the South in rebellion, the measure passed in the first Congress elected after the Civil War had begun.

I was at Michigan State University (MSU) this past weekend and one of the school’s biggest points of pride is that it was an original land-grant college, originally named Michigan Agricultural College. I met with the Director of my old graduate program, which is now Human Resources-Labor Relations (HR-LR), Bill Cooke. One of the things that the school does is to train HR professionals. I talked with Director Cooke about my beliefs on how HR ties into a company’s compliance program. That led to a discussion about the training HR professionals receive on anti-corruption compliance programs such as those designed to comply with the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act.

My visit to MSU, and the discussions about training in graduate programs, got me to thinking about the training of a compliance profession. How do you do it? What should go into it? Most compliance practitioners’ experience is somewhat similar to mine; I am a lawyer and worked in a corporate legal department. I was thrown into a compliance role with not little training, but no training. It was simply go to a seminar and learn about FCPA compliance. And, of course, good luck. I had the same happy experience when I was appointed as world-wide export control director. At least I could spell FCPA when I started that role.

What is available out there if you want to learn how to become a compliance practitioner? If you are a law student and attending Southern Illinois University (SIU) School of Law, you could take the FCPA Professor’s upper-level elective course entitled “Current Developments in American Law: Foreign Corrupt Practices Act”. The Professor was interviewed about his class in the Chicago Daily Law Bulletin, in an article entitled “Students take bribe(ry class).” The article noted that through this study of the FCPA itself, its history, judicial decisions involving it, enforcement of it and resolved FCPA enforcement actions, the FCPA Professor believes that “Understanding how the law is enforced and critically analyzing it and developing FCPA compliance skills is really a skill set for any future lawyer to have.” The FCPA Professor also uses this course to expose his students to other areas, “including corporate criminal liability, U.S. Department of Justice and SEC enforcement policies and “a working knowledge of resolution vehicles that are used to resolve FCPA enforcement actions.””

But this is a law school class for (most probably) prospective lawyers. There are many compliance practitioners out there who are not lawyers. In my discussions with Director Cooke there are so many areas where a HR professional can help inculcate compliance into a company’s DNA. Think about some or all of the following areas that are in the core function of HR.

Training – A key role for HR in any company is training. This has traditionally been in areas such as discrimination, harassment and safety, to name just a few and based on this traditional role of HR in training it is a natural extension of HR’s function to expand to the area of FCPA compliance and ethics.

Employee Evaluation and Succession Planning - One of the very important functions of HR is assisting management in setting the criteria for employee bonuses and in the evaluation of employees for those bonuses. This is an equally important role in conveying the company message of adherence to a FCPA compliance and ethics policy. In addition to employee evaluation, HR can play a key role in assisting a company to identify early on in an employee’s career the propensity for compliance and ethics by focusing on leadership behaviors in addition to simply business excellence.

Hotlines and Investigations - One of the traditional roles of HR in the US is to maintain a hotline for reporting of harassment claims, whether based on EEOC violations or other types of harassment. It is a natural extension of HR’s traditional function to handle this role.

I believe that the compliance practitioner needs a multi-disciplinary training. The legal training is a good basis but if you went to a law school like mine, real world discussion were considered what ‘other’ law schools did. Further, there are non-legal areas such as review of financial data and financial controls which are a part of any compliance practitioners remit which also need to be considered. Most of these areas are a part of separate disciplines which need to be tied together for the compliance practitioner.

One resource for such training is the SCCE, which provides a compliance certification through its Compliance Certification Board (CCB) which has developed criteria to determine competence in the practice of compliance and ethics across various industries and specialty areas, and recognizes individuals meeting these criteria through its compliance certification programs. But even these programs only provide a starting point as best practices in a compliance regime continue to evolve, particularly through the use of advanced analytics.

Just as the Morrill Act provided an initial basis for professional studies in agricultural and mechanical disciplines, land-grant colleges continue to evolve. MSU, for instance, wants to be a university to the world. The same evolution is true for compliance practitioners. As our field matures, the need for the development of compliance practitioners will increase. Courses like the FCPA Professor leads for lawyers and the SCCE puts on for compliance practitioners will help drive the next generation of compliance professionals.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

June 13, 2013

Why Can’t We Be Friends? Compliance and HR

I have long been an advocate of the compliance function working with the Human Resources (HR) function in any company to help achieve greater compliance under anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act. I think that HR is uniquely situated to ‘connect the dots’ in many areas of compliance. My thoughts on this subject were echoed in a recent article in the June issue of Compliance Week Magazine, in an article by Jaclyn Jaeger, entitled “How Compliance and HR Can Get It Together”. Jaeger quoted Alex Weisgerber for the following, “Boards are increasingly asking their executive teams to identify and address major people risks.” He further stated that “The HR-compliance partnership can help anticipate this request and set the organization’s human capital risk management agenda proactively.”

However, Jaeger wrote that in some companies this cooperation towards the goal of greater compliance has been found to be lacking. There may be several factors which lead to a more asymmetrical approach by these functions, particularly due to “gaps in communication and collaboration between compliance and HR.” She quoted Weisberger that “The two groups simply haven’t found many opportunities to collaborate in supporting organizational performance.” While I disagree with this statement, Jaeger’s article does detail some of the steps the compliance practitioner can take to bring these two corporate functions into alignment.

Jaeger quotes Shanti Atkins, for the following, “The first challenge to overcome is the “deeply held stereotypes that legal, compliance, and HR typically have of each other.” It’s important to talk about those if we are to get past them.” But perhaps more importantly is the notation held in many legal departments and compliance functions that “the HR function is not a strategic player in the company—that its central function is to manage paperwork, schedule training sessions, and mediate mundane spats such as who hogs the best space in the parking lot.”

As mentioned above, I have long advocated that HR is uniquely situated to connect the dots and along this line of thought, Jaeger wrote that “Getting employees to function as a coherent, engaged unit has to do with people, not policies—and people issues are exactly where HR excels, or course. HR has its finger on the pulse of employee culture, Atkins says because it is the primary channel employees use to complain when there is a problem—and those problems are usually a warning sign of wider compliance-related issues.” What are some of the areas that HR can assist the compliance function with? I believe that there are five key areas. They include the following.

Training

A key role for HR in any company is training. This has traditionally been in areas such as discrimination, harassment and safety, to name just a few, and based on this traditional role of HR in training this commentator would submit that it is a natural extension of HR’s function to expand to the area of FCPA compliance and ethics. There is a training requirement set forth in the US Sentencing Guidelines. Companies are mandated to “take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.”

Employee Evaluation and Succession Planning

What policy does a company take to punish those employees who may engage in unethical and non-compliant behavior in order to meet company revenue targets? Conversely, what rewards are handed out to those employees who integrate such ethical and compliant behavior into their individual work practices going forward? One of the very important functions of HR is assisting management in setting the criteria for employee bonuses and in the evaluation of employees for those bonuses. This is an equally important role in conveying the company message of adherence to a FCPA compliance and ethics policy. In addition to employee evaluation, HR can play a key role in assisting a company to identify early on in an employee’s career the propensity for compliance and ethics by focusing on leadership behaviors in addition to simply business excellence. If a company has an employee who meets, or exceeds, all his sales targets, but does so in a manner which is opposite to the company’s stated FCPA compliance and ethics values, other employees will watch and see how that employee is treated. Is that employee rewarded with a large bonus? This requirement is codified in the Sentencing Guidelines with the following language, “The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.”

Hotlines and Investigations

One of the requirements for a company under the Sentencing Guidelines is that they “… have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.” This requirement is met by having a hotline. One of the traditional roles of HR in the US is to maintain a hotline for reporting of harassment claims, whether based on EEOC violations or other types of harassment. It is a natural extension of HR’s traditional function to handle this role.

Regarding investigations, HR can bring broad benefits to any FCPA compliance and ethics program through an efficient investigation process. It is recognized that a Legal or Compliance Department may wish to take over and complete an investigation process. However, HR can bring a consistency in both the process and any discipline which is imposed. Such consistency reinforces the senior management’s message of commitment by the company to FCPA compliance and ethics. Such a function by HR can lead to an understanding of emerging risks. Lastly, it may be that employees are more willing to speak up to HR and the building of trust can be utilized to assist in overall risk mitigation.

Background Screening

A key role for HR in any company is the background screening of not only employees at the time of hire, but also of employees who may be promoted to senior leadership positions. HR is usually on the front lines of such activities, although it may be in conjunction with the Legal Department or Compliance Department. This requirement is discussed in the Federal Sentencing Guidelines for Organizations (FSGO) as follows “The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.”

When the Government Comes Calling

While it is true that a company’s Legal and/or Compliance Department will lead the  response to a government investigation, HR can fulfill an important support role due to the fact that HR should maintain, as part of its routine function, a hard copy of many of the records which may need to be produced in such an investigation. This would include all pre-employment screening documents, including background investigations, all post-employment documents, including any additional screening documents, compliance training and testing thereon and annual compliance certifications. HR can be critical in identifying and tracking down former employees. HR will work with Legal and/or Compliance to establish protocols for the conduct of investigations and who should be involved.

Lastly, another role for HR can be in the establishment and management of (1) an Amnesty Program or (2) a Leniency Program for both current and former employees. Such programs were implemented by Siemens during its internal bribery and corruption investigation. The Amnesty Program allowed appropriate current or former employees, who fully cooperated and provided truthful information, to be relieved from the prospect of civil damage claims or termination. The Leniency Program allowed Siemens employees who had provided untrue information in the investigation to correct this information for certain specific discipline. Whichever of these programs, or any variations, that are implemented HR can perform a valuable support role to Legal and/or Compliance.

Doing More with Less

While many practitioners do not immediately consider HR as a key component of a FCPA compliance solution, it can be one of the lynch-pins in spreading a company’s commitment to compliance throughout the employee base. HR can also be used to ‘connect the dots’ in many divergent elements in a company’s FCPA compliance and ethics program. The roles listed for HR in this series are functions that HR currently performs for almost any company with international operations. By asking HR to expand their traditional function to include the FCPA compliance and ethics function, a US company can move towards a goal of a more complete compliance program, while not significantly increasing costs. Additionally, by asking HR to include these roles, it will drive home the message of compliance to all levels and functions within a company; from senior to middle management and to those on the shop floor. Just as safety is usually message Number 1, compliance can be message Number 1A. HR focuses on behaviors, and by asking this department to include a compliance and ethics message, such behavior will become a part of a company’s DNA.

If your company does not integrate HR into several ongoing roles for FCPA compliance I believe that is high time you did so. Jaeger’s article points out several steps you can take to bring these two functions into greater collaboration. From my perspective, HR can be a valuable partner for compliance and one that you should begin to take advantage of now.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 29, 2013

Kroll and Compliance Week Survey Anti-Bribery and Anti-Corruption

Not many people realize that the US has elected one president who served as a prisoner of war. That man was Andrew Jackson, who was captured by the British during the Revolutionary War. Now, can you name the American President who killed another man in a duel? If you guessed Andrew Jackson you are right and if you knew that today is the anniversary you receive extra credit and can proceed directly to Final Jeopardy.

I thought about the somewhat surprising history on Jackson when I read the recently released the “2013 Anti-Bribery and Corruption Benchmarking Report-A joint effort between Kroll and Compliance Week” (the “Survey”). Much like Jackson himself, the Survey had some interesting and somewhat disturbing findings as well regarding companies and their third parties. The findings were troubling because I think that most compliance practitioners recognize that their highest compliance risks under the Foreign Corrupt Practices Act (FPCA) and UK Bribery Act revolve around third parties. Some of the highlights of the survey are as follows.

I.                   Risks

While 43% of respondents said their bribery and corruption risks have increased in the last two years, another 39% said those compliance risks have remained mostly the same and, finally, 7.7% reported that they believe their compliance risks have actually fallen. Regarding future corruption risks, the respondents were split with half saying they expect compliance risks to rise in the next 12 months, and half do not. The single most common reason given for increasing compliance risks was expansion into new markets, followed by more vigorous enforcement of current anti-bribery laws. The Survey reported the “good news is that 57% of respondents say they conduct an enterprise-wide assessment of bribery and corruption risk annually. The bad news: the other 43% conduct such an assessment less than once a year, and 16.9% say they’ve never conducted a corruption risk assessment at all. A solid majority of companies also say they have some sort of documented approach to managing bribery and corruption risks; 37.7 say they have a “well-defined, documented process dedicated solely to global bribery risks,” and another 42.7% say they treat corruption risks as part of a larger documented process to address all compliance risks.”

II.                Due diligence

The Survey indicated that most companies have a good understanding of the need to, and performance of due diligence on third parties or acquisition targets. It found that 87% perform at least some sort of due diligence on third parties, and the criteria that help a compliance department decide how much diligence to perform generally seem risk-based. The top criteria were, in order, the nature of the work a third party would provide; the amount of contact the third party has with foreign officials; and where the third party is domiciled. A variety of tools were used to perform due diligence. These tools included: certifications from the third party that it has no corruption problems; reviews by your company’s legal or finance team; and data collected by your local business-unit leaders. Reference checks, on-site interviews, and research from professional investigators were some of the less-used techniques.

III.             Third parties

The Survey found that many companies are still struggling with ongoing anti-corruption monitoring and training for their third parties. Regarding training, 47% of the respondents said that they conduct no anti-corruption training with their third parties at all. The efforts companies do take to educate and monitor third parties are somewhat pro forma. More than 70% require certification from their third parties that they have completed anti-corruption training; 43% require in-person training and another 40% require online training. Large companies require training considerably more often than smaller ones, although when looking at all the common training methods, fully 100% of respondents say their company uses at least one method, if not more.

An astonishing 47% of all respondents said they conduct no anti-corruption training with their third parties at all. The numbers are even higher for companies based outside of North America (51%) and those with less than $1 billion in annual revenue (55%). Violet Ho, senior managing director for Kroll’s practice in greater China, was quoted as saying, “A lot of companies have very good intentions of doing a thorough job looking at their third parties,” Ho says. “But ultimately when you are a very large organization with more than 10,000 vendors, it’s not financially viable. You do not really have the time or resources to look deep into each and every one of them.” Another factor that Ho noted was significant is that companies often do not even know how many third parties they use, which makes training all of them impossible. Moreover, corporations typically have much less bargaining power with third parties, especially when they are located in far-flung jurisdictions. The result: if a company is using only one vendor to source an item and asks that vendor to promise to follow some anti-corruption code of conduct, the vendor feels emboldened to refuse.

Lastly, Ho stated “Trying to reach all third parties with a generic, headquarters-issued policy is a waste of time and money. Such policies tempt employees and third parties to find loopholes, and they ignore important regional differences. On-the-ground workers, are focused on revenue and profit, not compliance. Those goals aren’t mutually exclusive, but they do require coordination for a policy’s effective implementation—which adds all the more pressure on compliance officers to articulate why strong anti-corruption programs are good for business.” Clearly this Survey shows the challenges around third parties.

IV.              Effectiveness

For all a company’s efforts at risk assessment, due diligence, and monitoring third parties, the ultimate question for a compliance officer is simply does my system work? Questions about effectiveness, therefore, get to that core issue of whether all the compliance activities outlined above actually make the business less vulnerable to corruption risk. The Survey found that the responses in their anti-corruption procedures depended on how close to home the tasks actually are. 73% rated their training of domestic employees as “effective” or “very effective.” That figure dropped to 63.8% for foreign employees, and only 30% for third parties.

Melvin Glapion, Kroll managing director in EMEA, said that this phenomenon was the “downward and outward” problem. He explained that this meant that companies tend to overestimate how seriously messages sent from corporate headquarters are received elsewhere. Cultural differences abound, and many employees don’t see how anti-bribery policies apply to them in their daily jobs. Worse, the person doing compliance checks is often less senior than the executives he or she is monitoring.

Companies with less than $1 billion in revenue were actually more confident in their procedures’ effectiveness than larger businesses, the survey showed. Glapion was quoted as saying “that may be because smaller organizations have less bureaucracy and fewer third parties, or they may feel that they are not necessarily in the firing line.”

The Survey appears to indicate that companies still have a long way to go in certain areas, particularly third parties. The Survey provides the compliance practitioner with a good benchmark to look at the overall company program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 19, 2013

The Drugstore Cowboy and Compliance

One does not have to look very far in the business world to come across the phrase “Know Your Customer.” A company certainly needs to know if an entity that it may sell products or provide services to will pay for those items. Running a Dun & Bradstreet credit check is routinely performed to ascertain if a counter-party is a good credit risk. But how much more should a company do in regards to its customers? Clearly banks, other financial institutions and even casinos need to assess a customer from the perspective of anti-money laundering (AML). Is there a reason grounded in the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act that would suggest that customers should go through background scrutiny from the anti-bribery/anti-corruption compliance perspective?

I thought about internal controls regarding due diligence requirements on customers, effective compliance programs and third party validation of credentials when reading an article in June issue of Wired Magazine, entitled “Drugstore Cowboy”, by Jake Pearson. I found this article to be a very cautionary tale for those companies which need to consider just whom they are doing business with or for. The story involved an undercover sting operation by the US government against Google. The operation involved a convicted felon, one David Whitaker, who convinced law enforcement authorities that Google had assisted him, in violation of its own internal protocols and US laws, to sell illegal “black market steroids and human growth hormones” online. Whitaker told federal officials that “Google employees had actively helped him advertise his business, even though he made no attempt to hide its illegal nature.” Based upon his experience, Whitaker believed that Google must be “helping other rogue Internet pharmacies too.”

On paper, it appeared from the article that Google has a systems designed to ferret out sites which used words or had other indicia that they were selling illegal drugs. There was an initial screening by a Google sales representative. There was an automated program which searched for key words that might indicate illegal drugs were being sold. There was a review of the website itself to see of other factors were present which might show that illegal products were being sold. Finally, Google used a third party verification service, to attest that any site selling pharmaceutical products was properly licensed.

Based upon his experiences, the government set Whitaker up with an alias, fake company, bank account and phone lines and then monitored and watched him to see if his claims were true. He was told to see if Google would actively assist him to sell advertising for a non-existent company called “SportsDrugs.net, a website that sold HGH and steroids from Mexico, with no doctor’s prescription.” The plan that Whitaker used was straightforward.

  1. Establish a fake identity. Whitaker made cold calls to representatives of Google to get set up as an account in the company’s system.
  2. Submit the site. The feds designed the sting operation so that it would be obvious the false company was selling illegal drugs. So it offered HGH and steroids, had pictures of the drugs and even had a ‘Buy Now’ button to make clear that no doctor’s prescription was required. The Google sales representative passed the fake sales site along for “policy review, an automated process that Google uses to vet all advertisers.”
  3. Scrub the site. After the fake sales company was initially rejected by the policy review process, a Google representative agreed to help “tweak it” so that it would pass through the Google approval process. The Google sales representative advised Whitaker to rename the site, remove the pictures of the illegal drugs and delete the ‘Buy Now’ button from the site.
  4. Rework the site. After the suggested changes were made by Whitaker, his fake site was approved by Google. Thereafter the items which had been removed from the website, including both the photos of illegal drugs and ‘Buy Now’ button were added back into the site, all with the assistance of the Google sale representative.
  5. Raise the stakes. In this phase, the undercover sting operation widened. After their initial success with SportsDrugs.net; the feds created other fake websites for Whitaker, all of which purported to sell illegal drugs. The other sites included one selling “RU-486, better known as the abortion pill, which is normally taken under close supervision of a doctor.”  Another site sold the psychotropic drugs Xanax and Valium, both without any need of a doctor’s prescription. In a final example the feds created a ‘Trojan Horse’ site; in which a pharmacy site that held a valid license also had sales for “three clearly disreputable online pharmacies.”

The chilling thing I found in this article was it reported that in each one of the false scenarios, Whitaker was reported to have explained to the Google representative the true nature and purpose of the site. All of the information that Whitaker conveyed made clear that these sites were designed to sell drugs which are illegal in the US, without a doctor’s prescription. In just over the span of three months, the undercover operation spent over $200,000 with Google.

Google ended up settling with the US government for a fine of $500 million. Although Pearson did not quote the US Assistant District Attorney, who headed the investigation and enforcement action, Peter Neronha, was quoted as telling the Wall Street Journal (WSJ) the “culpability went far higher than the sales reps that Whitaker worked with. Indeed, he said, some of the company’s most powerful executives were aware that illegal pharmacies were advertising on the site.” Google itself would not comment for the Pearson article.

From the account in the Pearson piece it would appear that Google had a system in place to check and make sure that it was not advertising sites which sold illegal drugs but that system, both human and automated, was worked around. For the anti-corruption compliance practitioner, I think that there are several key lessons which can be learned from this tale.

Train, Train, Train. If you sell services, which can be used to facilitate illegal conduct, you need to train your sales force to watch out for signs of that illegal activity. The initial Google sales representative who was contacted by Whitaker should have been the first line of prevention to stop the issue before it came up for the company.

Monitor, Monitor, Monitor. There should be several types of monitoring. If a business name comes through your system and it is rejected, there should be a monitoring mechanism in place to note if it reappears later or is approved through some other means, as was done in this situation. Similarly, if the name of a business owner comes up in connection with another company, there needs to a mechanism in place to perform a cross check. The sales representatives should also be monitored to determine if they are manipulating the system.

Incentives, Incentives, Incentives. While not discussed in the Pearson article, what do you want to bet that the Google sales representatives were compensated, at least in part, with a commission based upon the number of GoogleAds that they sold? If your compensation structure or other incentive structure rewards people who use shortcuts, then there will always be employees who take them.

Audit, Audit, Audit. Remember the part of the story about how the Google sales representative would advise Whitaker how to scrub his website of key words, search terms and other information which would indicate that it was selling illegal pharmaceuticals only to reinsert those on the site after the scrubbed site had been approved? You need to audit to determine if any illegal conduct has begun after the contract is signed. And if you do not have audit rights, you have a very slim chance of actually performing an audit.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 16, 2013

Four Keys to Compliance Leadership

One of the most divisive moments in American history occurred on this date in 1868. On this day the US Senate voted against impeaching President Andrew Johnson thereby acquitting him of having committed “high crimes and misdemeanors” as required under the US Constitution. After all the arguments had been presented for and against him, Johnson waited for his fate, which hung on one swing vote, as there is a Constitutional requirement that requires a vote of 2/3rds of the Senate for impeachment. The vote was one short, at 35-19. Johnson was acquitted and finished out his term. If Johnson had been impeached, it surely would have led to a very different political development in the US, where not liking the sitting President could have become a constitutional basis for impeachment.

The Radical Republicans who ran the Congress immediately after the conclusion of the Civil War certainly did not think much of President Johnson’s leadership style. So what about you as a compliance officer? Certainly part of your leadership is implementing and enhancing policies and procedures? In many ways it is the human element, which President Johnson sorely lacked, that you may well need to devote most of your time focusing on. I recently read an excellent article it the Corner Office section of the New York Times (NYT), entitled “We’re Family Yes, but We’re Still Accountable”, in which Adam Bryant reported on his interview with Brooke Denihan Barrett, the co-Chief Executive Officer (co-CEO) of the Denihan Hospitality Group (Denihan), a 50-year old family business which focuses on the hospitality business.

Training

One of the things that Barrett has learned is how to train people. She explained that “I thought the way you got things done was by telling people what to do. That’s where I learned what not to do. I spent a good portion of my time telling people what they did wrong instead of really encouraging them about what they did right.” She came to realize that was perhaps not the best way to manage people and “learned to cut people some slack.” She said that she found “that you get a lot more with the carrot routine than the stick routine. I also realized that you really needed to explain the “why” of things. You need to give people a little bit of space to come around, and say, “Yeah, that makes sense,” before you really engage them in what needed to be done.”

I found that her final point may be critical for compliance training. By explaining the why of compliance, employees can better understand what the company is trying to accomplish. So if your goal is to do business in an ethical manner, then explain this and how the company’s compliance program will help to accomplish this goal through its policies and procedures.

Accountability

One of the things that Barrett emphasized was the erroneous perception that because her company was a family business there was no accountability. She made clear that “You have to set certain standards that you want people to live up to. And if people need help, then we want to help them along the way.” However, accountability is a two-way street. Just as the employee must be held accountable, so must the company in terms of providing support to allow employees who want to do the right thing and to do their job well. Barrett said, “Sometimes organizations can fall down if they don’t also ask: How do you give people the tools they need to be successful? How do you get that person to understand what change needs to happen, and how do you help them along the way? Because people can’t always figure it out on their own, and nor should you expect them to.”

Listening

Many of the CEOs that Bryant interviews for his Corner Office section speak about the need for listening skills. Barrett was no exception. But as CEO she found that employees were sometimes reluctant to speak openly and candidly with her. So she began to meet with employees in small groups of 10 to 12 people. At Denihan they call them ‘Roundtables’. Barrett said that she will say to them ““Tell me something I don’t know.” And I’ll get comments like: “Oh, but you know everything. You’re the C.E.O.” It’s just a reminder of the perceptions that people have of the head of the company. But every time I ask that question, I learn something new.” Imagine as a compliance officer if you were to ask that question in a roundtable, what do you think you might hear back from your company’s employees?

Barrett also spoke about how to have a ‘difficult conversation’. She said that if there is a mistake made she views it as an opportunity for learning and professional growth. At Denihan, they call them ‘lessons learned conversations’ and they may occur with a group where a problem has arisen. Barrett related, “we might bring people together in a room who were involved in a project and ask: What were the things that worked? What were the things that didn’t? What could we have done differently? And we’ve had some very spirited and cathartic conversations. You have to be able to let people put something on the table without actually pointing the finger. It allows things to come out in more of a non-accusatory manner.”

Hiring and Promotion

These are two key areas in compliance that are finally beginning to receive the attention that they deserve. Barrett’s thoughts on how she views these in the context of her interviewing are instructive. She acknowledged that by the “time somebody meets me, you can assume that the skills are there. So what I interview for is fit. And I’m always very curious to know, what is it about our company that appeals to that person?” She asks specifically about culture, requesting the candidate define it and how do you think that culture is special. She also asks candidates to talk about a failure and what lessons that they learned from the experience and how they dealt with the experience. I would suggest that both of those lines of inquiries should be used when evaluating a candidate for hire or promotion.

Barrett’s interview provided some interesting insights on leadership. Moreover, her experience in professional growth has shown there are different styles and techniques that you can successfully use in your company’s compliance program. Train people on the reasons why your company is doing compliance so that they will understand how to do it. Make them accountable but also provide them with the compliance tools and support to do business the right way. If there is a problem or issue, use it as a lesson learned so that employees can profit from the experience. Lastly, make a discussion of culture a cornerstone in your hiring interview or promotion interview process.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Next Page »

Customized Rubric Theme Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 4,199 other followers