What’s the Message from BizJet? Self-Disclose and Cooperate

Over the past week there has been a plethora of Foreign Corrupt Practices Act (FCPA) enforcement actions released. One group was the four enforcement actions involving individuals concerning BizJet. While I cannot say that the enforcement actions against the individuals were stunning, perhaps what was surprising were the penalties that two of the individual received. The lineup of those three BizJet executives and one employee involved in these enforcement actions is as follows:

1. Bernd Kowalewski – President and Chief Executive Officer (CEO);
2. Peter DuBois – Vice President of Sales and Marketing;
3. Neal Uhl – Vice President of Finance; and
4. Jald Jensen – Regional Sales Manager

Defendants DuBois and Uhl pled guilty in January, 2012 and had their pleas unsealed on April 5, 2013. Defendants Kowalewski and Jensen were charged by Criminal Indictment, also in January, 2012 but are still at large today. The Department of Justice (DOJ) Press Release states that “The two remaining defendants are believed to remain abroad.”

BizJet Bribery Box Score

From the previously released Bizjet Deferred Prosecution Agreement (DPA) and the recently released documents, I have updated the “BizJet Bribery Box Score”.

BizJet Executive or Employee Named	Payment Made To	Amount of Payment	Others Involved
Jald Jensen	Official 6	Cell Phone and $10K	Peter DuBois and Neal Uhl
Jald Jensen	Official 3	$2K	Peter DuBois
Peter DuBois, Neal Uhl and Jald Jensen	Official 2	$20K
Neal Uhl	Official 2	$30K	Jald Jensen
Peter DuBois	Mexican Federal Police Chief	$10K	Neal Uhl and Jald Jensen
Neal Uhl	Official 5	$18K	Jald Jensen
Jald Jensen	Official 4	$50K
Jald Jensen	Mexican Federal Police	$176	Neal Uhl
Jald Jensen	Official 4	$40K
Jald Jensen	Mexican Federal Police	$210K	Neal Uhl
Jald Jensen	Official 5	$6K	Neal Uhl
Neal Uhl	Official 5	$22K

The above bribes were characterized as “commission payments” and “referral fees” on the company’s books and records. Payments were made from both international and company bank accounts here in the United States. In other words, this was as clear a case of a pattern and practice of bribery, authorized by the highest levels of the company, paid through US banks and attempts to hide all of the above by mis-characterizing them in the company’s books and records.

Penalty Box Score

As bad as the conduct of the BizJet executives and sales manager was – and it was very bad – the thing that stood out in the enforcement actions announced last week was the sentences. So without further ado here is the “Penalty Box Score” for defendants DuBois and Uhl.

Individual	Fine or Disgorgement	Potential Incarceration	Actual Incarceration
Peter DuBois	$159,950	108 to 120 months in jail	8 months home incarceration, 60 month’s probation
Neal Uhl	$10,000	60 months in jail	60 month’s probation

The clear import of the BizJet DPA was that a company can make a comeback in the face of very bad facts. In the BizJet DPA, the calculation of the fine, based upon the factors set out in the US Sentencing Guidelines, ranged between a low of $17.1MM to a high of $34.2MM. The final agreed upon monetary penalty was $11.8MM. This was a significant reduction from the suggested low or high end, or as was noted by the FCPA Blog “BizJet’s reduction was 30% off the bottom of the fine range, and a whopping 65% off the top of the fine range.” Finally, BizJet was able to avoid having an external monitor put in place.

Cooperation is the Key

What led to these sentence reductions? Quite simply the answer is full cooperation with the DOJ. The FCPA Professor stated, in a post entitled “Unsealed Documents In Enforcement Acton Against Former BizJet Executives Reveal A Trove Of Information”, that “As part of his plea agreement, DuBois worked in an undercover capacity for the government. The motion specifically states as follows. “As part of his work in an undercover capacity, Mr. DuBois has recorded conversations with former BizJet executives and other subjects of the government’s ongoing investigation.” Later, the motion to seal states that “public identification of Mr. DuBois as a defendant who likely is cooperating with the government may jeopardize the undercover aspect of the government’s investigation.”

In addition to his work as an undercover operative, the Professor quoted from the DOJ Sentencing Memorandum that “assisted in the investigation from the outset and cooperated fully with the government throughout its investigation. DuBois submitted to multiple interviews by the government and has assisted in every way that the government has asked. DuBois told the truth to the government from the outset and continued to do so up until this very day. DuBois’ cooperation not only assisted the government in connection with its investigation into BizJet, but also led to the investigation of another maintenance, repair, and overhaul company engaged in a similar scheme to pay bribes to government officials overseas.”

With regarding to UHL, the Professor quoted from the DOJ Motion for a Downward Departure as follows, “Uhl “agreed to a voluntary proffer session and, when confronted by the government, admitted to the illegal conduct. Throughout the course of the investigation, Uhl was cooperative and provided truthful information that substantially assisted the government in confronting other co-conspirators and witnesses. Uhl offered to assist in any way that he could.”

In another post, entitled “Where Was the BizJet Board?”, the FCPA Professor noted that the conduct engaged in by BizJet was “egregious” and I would certainly second that, perhaps adding that it was about as bad as it could get in the FCPA world. He goes on to state that “Yet, BizJet was allowed to resolve the enforcement action via a deferred prosecution agreement, meaning that should it abide by the terms and conditions of the agreement, BizJet will never be required to plead guilty to anything.” He went on to pose the question, “If that is the DOJ position, then it must be asked – does corporate criminal liability actually mean anything if a company like BizJet – given the DOJ’s allegations – is not actually criminally prosecuted or required to plead guilty?” He ended his post with the following, “In short, the resolution vehicles the DOJ has created and championed has again lead to a “facade of enforcement” – albeit an instance on the opposite end of the spectrum that I normally highlight.”

I think that there is another way to look at the BizJet enforcement action and the individual enforcement actions against DuBois and Uhl. BizJet self-disclosed to the DOJ, engaged in what the DOJ termed “extraordinary cooperation” and remediated the people and conduct in question. Further, DuBois and Uhl not only offered themselves up but actively worked with and assisted the DOJ in its investigation going forward. If one of the goals of the DOJ is to achieve greater compliance with the FCPA, I think that the BizJet cases is a clear demonstration that if a company has FCPA violations they can self-disclose and be given credit for working very diligently in conjunction with the DOJ to remedy the conduct at issue and move the investigation forward.

I believe the same is true for individuals who have engaged in FCPA violations. If a person provides the same level of cooperation as DuBois and Uhl and the DOJ then prosecutes them to the full extent of the US Sentencing Guidelines, how much cooperation do you think the DOJ will engender going forward once the word gets out in the white collar defense bar?

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

The Five Essential Elements of a Corporate Compliance Program-Part I

Next Tuesday morning, at the University Club of Chicago, Stephen Martin and I will co-present at a Foreign Corrupt Practices Act (FCPA) event hosted by Kreller. If you are in or near Chicago I hope that you can join us. The title of our presentation is “Anti-Corruption/FCPA Developments & Best Practices” and we will focus on a concept that Stephen and his partners at the law firm of Baker & McKenzie have developed which are five essential elements of a corporate compliance program. Over the next two posts, I will sketch out what Stephen and I will be presenting. In today’s post I will present the background to the development of the five essential elements and in Part II, I will go through the remaining elements.

First a word about Stephen Martin; for those of you who do not know Stephen Martin, he has a long and distinguished legal and compliance career. He was at the Department of Justice (DOJ) and then moved in-house, helping some of America’s largest companies to wade through major corporate scandals. He was most recently the General Counsel (GC) at Corpedia before heading into private practice at Baker & McKenzie. He has been around the (compliance) block more than once and I can assure you that he knows his FCPA compliance stuff. He is certainly one of the practitioners that I would go see to make a FCPA compliance presentation.

Why is it important to have such a compliance program? I will answer in two words, Morgan Stanley. The declination to prosecute, issued by the DOJ, provides the most recent and powerful evidence of the benefits of investing in compliance. Morgan Stanley’s pre-existing compliance program was highlighted in press releases and public comments as the biggest reason for the Government’s decision not to prosecute the bank. The decision not to prosecute was based on evidence of:

•           Rigorous internal controls;

•           Regular training and reminders on FCPA policy and compliance;

•           Internal policies addressing the corruption risks associated with the giving of gifts, business entertainment, travel, lodging, meals, charitable contributions and employment, that were updated regularly to reflect regulatory developments and specific risks;

•           Compliance program monitoring and auditing; and

•           Extensive pre-retention due diligence on business partners and stringent controls on payments to business partners.

The five essential elements of a corporate compliance program are based upon the best practices  as set out in the seven elements of a corporate compliance program under the US Sentencing Guidelines; the 13 Good Practices by the OECD on Internal Controls, Ethics, and Compliance; and the UK Bribery Act’s Six Principles of an Adequate Procedures compliance program. The following chart lists the elements of each.

While the above guidelines and statutes vary in length, tone and detail, depending on the jurisdiction and the enforcement agency, from this comparison Martin and his colleagues distilled five essential elements which they believe make up a best practices compliance program. They are as follows:

• Leadership – color coded Red.
• Risk Assessment – color coded Yellow.
• Standards and Controls – color coded Blue.
• Training and Communication – color coded Green.
• Oversight – color coded Grey.

I.                   Leadership

The point means more than simply “Tone-at-the-top”. A successful compliance program must be built on a solid foundation of ethics that are fully and openly endorsed by senior management; otherwise the program may amount to little more than a hollow set of internal rules and regulations. There should be an unambiguous, visible and active commitment to compliance. But even more than support or the right tone, compliance standards require that companies must have high-ranking compliance officers with the authority and resources to manage the program on a day-to-day basis. And compliance officers must have the ear of those ultimately responsible for corporate conduct, including the board of directors.

Some of the questions you might think about in connection with the leadership of your compliance program are the following: How is board oversight implemented? Is there an ethics or audit committee reporting to the full board? What is the role of the Chief Compliance Officer? What is the role of the General Counsel? How do the legal and compliance departments interact? Does the CCO have “real power”? Is she or he treated as a second-class citizen?

Equally the Board of Directors has a key role to fulfill. The Board must ensure compliance policies, systems and procedures are in place and it should monitor implementation and effectiveness of the compliance program:

• Be actively involved
• Attend Board meetings
• Review, consider and evaluate information provided
• Inquire further when presented with questionable circumstances or potential issues
• Once Board knows of a potential compliance issue it must act.
• Regularly receive compliance briefings and training.

I think everyone agrees and understands that the Chief Compliance Officer (CCO) is a key, if not the key, role in a company’s compliance program. Some of the important indicia of a CCO are that they are high ranking within the company and are dedicated to compliance and responsible for day-to-day management and oversight of compliance program. The position should have direct access to the Board or appropriate Board committee and the Compliance Department should be provided sufficient resources to achieve its goals.

In addition to the role of the CCO, there should be compliance officers in high-risk markets who regularly communicate with managers in the field because country and/or regional managers are often the employees in the trenches who are responsible for overseeing sales people and third-party agents who are producing, selling and distributing the company’s products and services. Lastly, local managers are often in the best position to set the tone for compliance and to detect and address illegal or unethical practices before they become issues that put the company at risk.

II.                Risk Assessment

The implementation of an effective compliance program is more than simply following a set of accounting rules or providing effective training. Compliance issues can touch many areas of your business and you need to know not only what your highest risks are but where to marshal your efforts in moving forward. A risk assessment is designed to provide a big picture of your overall compliance obligations and then identify areas of high risk so that you can prioritize your resources to tackle these high risk areas first.

What are some of the areas where you need to assess your risks? As set out in the DPA’s of Tyson Foods, Alcatel-Lucent and Maxwell Technologies the following are suggested:

1. Country Risk - What is the correlation between growth markets and corruption risk and what is the perceived level of corruption? In other words, the Transparency International Corruption Perceptions Index or similar list.
2. Sector Risk - Has government publicly stated industry is under scrutiny or already conducted investigations in sector? Are there corruption risks particular to the industry?
3. Business Opportunity Risk - Is the business opportunity a high value project for your company? Are there multiple contractors or intermediaries involved in the bidding or contract execution phase?
4. Business Partnership Risk - Does this business opportunity require a foreign government relationship? Does a foreign government require you to rely upon any third parties?
5. Transaction Risk - Will your company be required to make any “compelled giving” through any requirements for political or charitable contributions? Are you required to use any intermediaries to obtain licenses and permits?

In addition to an initial risk assessment to either (1) inform your compliance program or (2) help you to identify high risks and prioritize their remediation, risk assessments should be a regular, systemic part of compliance efforts rather than an occasional, ad hoc exercise cobbled together when convenient or after a crisis. These should be conducted at the same time every year and deputize a consistent group, such as your internal audit department or enterprise risk management team, to conduct the annual review. Such annual risk assessments act as a strong preventive measure if they are performed before something goes wrong. In addition, enforcement trends and government priorities change rapidly so it is vital to stay up to date and conduct regular assessments. Lastly, it avoids a “wait and see” approach.

Risk assessments should also be used to scrutinize new business partners and third-party agents. The majority of FCPA/anti-corruption investigations and enforcement actions involve some use of third parties, including consultants, distributors, contractors and sales agents. By conducting a formal risk assessment each year it provides an opportunity to take a closer look at recently-established business relationships to make sure partners and third parties do not have improper connections to government officials or some involvement in unethical or illegal conduct. Additionally conducting such a risk assessment allows your company to proactively address and remediate any risks that are uncovered.

Stephen Martin and the Baker & McKenzie team have put together an excellent resource for the compliance practitioner in their five essential elements of a corporate compliance program. I hope that you can attend our FCPA event next week. For those of you who cannot attend in person, you can email me for the slide deck and other materials after the event.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

DS&S DPA: Lessons Learned for the Compliance Practitioner

On Monday, June 18, the Department of Justice (DOJ) announced the resolution of a matter involving violations of the Foreign Corrupt Practices Act (FCPA) by Data Systems & Solutions LLC (DS&S), a US entity based in Virginia. The settlement resulted in the company agreeing to a two year and 7 day Deferred Prosecution Agreement (DPA). The case was interesting for a number of reasons and it has some significant lessons which the compliance practitioner can put into place in a corporate compliance program. The charges related to DS&S’s business included the design, installation and maintenance of instrumentation and controls systems at nuclear power plants, fossil fuel power plants and other critical infrastructure facilities. In reading the Criminal Information, I can only say that this was no one-off or rogue employee situation but this was a clear, sustained and well known bribery scheme that went on within the company.

I.                   The Criminal Information

The bribery scheme involved payments made to officials at a state-owned nuclear power facility in Lithuania, named Ignalina Nuclear Power Plant (INPP). The payments were made to allow DS&S to obtain and retain business with INPP. The Information listed contracts awarded to DS&S in the amount of over $30MM from 1999 to 2004. Significantly, DS&S did not self-disclose this matter to the DOJ but only began an investigation after receiving a DOJ Subpoena for records.

The Players Box Score

DS&S Officials	INPP Officials	Subcontractors
Exec A – VP of Marketing and Business Development (BD)	Official 1 – Deputy Head of Instrumentation and Controls Department	Subcontractor A – Simulation Technology Products and Services
	Official 2 – Head of Instrumentation and Controls Department	Subcontractor B – Beneficially owned by Official 1 and which employed INPP Officials
	Official 3 – Director General at INPP	Subcontractor C – Shell company used a funneling entity to pay bribes
	Official 4 – Head of International Projects at INPP
	Official 5 – Lead SW Engineer at INPP

The bribery scheme used by DS&S recycled about every known technique there is to pay bribes. The Information listed 51 instances of bribes paid or communications via email about the need to continue to pay bribes. The bribery scheme laid in the Information reflected the following techniques used by:

•       Payment of bribes by Subcontractors to Officials on behalf of DS&S;
•       Direct payment of bribes by DS&S into US bank accounts controlled by INPP Officials;
•       Creation of fictional invoices from the Subcontractors to fund the bribes;
•      Payment of above-market rates for services allegedly delivered by the Subcontractors so the excess monies could be used to fund bribes;
•      Payment of salaries to INPP Officials while they were ‘employed’ by Subcontractor B;
•       Providing travel and entertainment to Officials to Florida, where DS&S has no facilities and which travel and entertainment had no reasonable business purpose; and last but not least…
•      Purchase of a Cartier watch as a gift.

II.                The Deferred Prosecution Agreement

I set out these details with some specificity for two reasons. The first is that the Information is a must read for anyone in Internal Audit who reviews books and records. It gives you the precise types of Red Flags to look for. But secondly is the fact that DS&S received a discount of 30% off the low end of the penalty range as calculated under the US Sentencing Guidelines. The calculation as listed in the DPA is as follows:

Calculation of Fine Range:

Base Fine $10,500,000

Multipliers 1.20(min)/2.40(max)

Fine Range $12,600,000/$25,200,000

The ultimate fine paid by DS&S was only $8.82MM, which the DPA states is “an approximately thirty-percent reduction off the bottom of the fine range…” So for the compliance practitioner the question is what did DS&S do to get such a dramatic reduction? We know that one thing they did NOT do was self-report as the DPA notes that this case began as a DOJ investigation and DS&S received Subpoenas “in connection with the government’s investigation.” However, after this initial delivery of Subpoenas DS&S engaged a clear pattern of conduct which led directly to this 30% discount of the low end of the fine range. The DPA reports that DS&S took the following steps:

 

• Internal Investigation. DS&S initiated an internal investigation and provided real-time reports and updates of its investigation into the conduct described in the Information and Statement of Facts.
• Extraordinary Cooperation. DS&S’s cooperation has been extraordinary, including conducting an extensive, thorough, and swift internal investigation; providing to the Department searchable databases of documents downloaded from servers, computers, laptops, and other electronic devices; collecting, analyzing, and organizing voluminous evidence and information to provide to the DOJ in a comprehensive report; and responding promptly and fully to the DOJ’s requests.
• Extensive Remediation. The number of steps DS&S took in regard to remediation included the following:
  • Termination of company officials and employees who were engaged in the bribery scheme;
  • Dissolving the joint venture and then reorganizing and integrating the dissolved entity as a subsidiary of DS&S;
  • Instituting a rigorous compliance program in this newly constituted subsidiary;
  • Enhancing the company’s due diligence protocols for third-party agents and subcontractors;
  • Chief Executive Officer (CEO) review and approval of the selection and retention of any third-party agent or subcontractor;
  • Strengthening of company ethics and compliance policies;
  • Appointment of a company Ethics Representative who reports directly to the CEO;
  • The Ethics Representative provides regular reports to the Members Committee (the equivalent of a Board of Directors in a LLC); and
  • A heightened review of most foreign transactions.
  • Enhanced Compliance Program. More on this in the next section.
  • Continued Cooperation with DOJ. The company agreed to continue to cooperate with the Department in any ongoing investigation of the conduct of DS&S and its officers, directors, employees, agents, and subcontractors relating to violations of the FCPA and to fully cooperate with any other domestic or foreign law enforcement authority and investigations by Multilateral Development Banks.

III.             Enhanced Compliance Obligations

One of the interesting aspects of the DS&S DPA is that there are 15 points listed in the Corporate Compliance Program, attached as Schedule C to the DPA, rather than the standard 13 items we have seen in every DPA since at least November 2010. The new additions are found on items 13 & 14 on page C-6 of Schedule C and deal with mergers and acquisitions. They read in full:

13. DS&S will develop and implement policies and procedures for mergers and acquisitions requiring that DS&S conduct appropriate risk-based due diligence on potential new business entities, including appropriate FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. If DS&S discovers any corrupt payments or inadequate internal controls as part of its due diligence of newly acquired entities or entities merged with DS&S, it shall report such conduct to the Department as required in Appendix B of this Agreement.

14. DS&S will ensure that DS&S’s policies and procedures regarding the anticorruption laws apply as quickly as is practicable to newly acquired businesses or entities merged with DS&S and will promptly:

a. Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to DS&S, on the anti-corruption laws and DS&S’s policies and procedures regarding anticorruption laws.

b. Conduct an FCPA-specific audit of all newly acquired or merged businesses as quickly as practicable.

This language draws from and builds upon the prior Opinion Release 08-02 regarding Halliburton’s request for guidance during an attempted acquisition and the Johnson and Johnson (J&J) Enhanced Compliance Obligations which were incorporated into its DPA. While the DS&S DPA does note that it is specifically tailored as a solution to DS&S’s FCPA compliance issues, I believe that this is the type of guidance that a compliance practitioner can rely upon when advising his or her clients on what the DOJ expects during Mergers and Acquisitions (M&A). The five keys under these new items, 13 & 14 highlighted above, are: (1) develop policies and procedures for M&A work prior to engaging in such transactions; (2) full FCPA audit of any acquired entities “as quickly as practicable”; (3) report any corrupt payments or inadequate internal controls it discovers in this process to the DOJ; (4) apply DS&S anti-corruption policies and procedures to the newly acquired entities; and (5) train any persons who might “present a corruption risk to DS&S” on the company’s policies and procedures and the law.

IV.              Summary

The DS&S DPA provides some key points for the compliance practitioner. First and foremost, I believe that it demonstrates the reasonableness of the DOJ. The bribery scheme here was about as bad as it can get, short of suitcases of money carried by the CEO to pay bribes. The company did not self-report, yet received a significant reduction on the minimum level of fine. The specificity in the DPA allows a compliance practitioner to understand what type of conduct is required to not only avoid a much more significant monetary penalty but also a corporate monitor. Lastly, is the specific guidance on FCPA compliance in relation to M&A activities, to the extent that if anyone in the compliance arena did not understand what was required in the M&A context; this question would seem to be answered in the DS&S DPA.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

How the DOJ Looks at Compliance Programs in an Enforcement Action – Part II

Today’s post is Part II in our two-part series of how the Department of Justice (DOJ) looks at compliance programs during the pendency of an enforcement action. Today we will review how a prosecutor may review the existence and effectiveness of a Foreign Corrupt Practices Act (FCPA) compliance program based upon the Principles of Federal Prosecution of Business Organizations (“the Principles) and an analysis of what is an effective compliance program under the US Sentencing Guidelines (“the Guidelines). Both yesterday and today’s post are based upon the tract “Complying with the Foreign Corrupt Practices Act: A Practical Primer” (herein “the Primer”), published by the ABA Criminal Justice Section, Global Anti-Corruption Task Force.

Independent Evaluation of Compliance Programs

The Primer reports that under this analysis, prosecutors look into three broad categories to make a determination if a compliance program was in existence and effective “at the time of the FCPA violation.” These categories and their specific inquiries are as follows:

1. The Existence and Design of the Compliance Program

(a)    Whether a compliance program is adequately designed for maximum effectiveness in preventing and detecting wrong doing by employees;

(b)   Whether the compliance program is designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business;

(c)    The comprehensiveness of a compliance program; and

(d)   Whether the compliance program has established corporate governance mechanisms that can effectively detect and prevent misconduct.

2.   The Administration of the Program

(a)    Whether the company’s management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct to achieve business objectives;

(b)   Whether a compliance program is being applied earnestly and in good faith;

(c)    Whether a compliance program ‘works’;

(d)   Whether a compliance program is merely a ‘paper program’ or whether it was designed, implemented, reviewed and revised, as appropriate, in an effective manner;

(e)    Whether the company has provided for a staff sufficient to audit, document, analyze, and utilize the results of the company’s compliance efforts; and

(f)    Whether the company’s employees are adequately informed about the compliance program and are convinced of the corporation’s commitment to it.

3.   The Misconduct in Question

(a)    The extent and pervasiveness of the misconduct in question;

(b)   The nature and level of the corporate employees involved in the misconduct;

(c)    The seriousness, duration and frequency of the misconduct;

(d)   Whether a corporation has taken remedial actions including discipline against past violators and revisions to the company’s compliance program in light of lessons learned; and

(e)    The promptness of any disclosure of wrongdoing to the government.

As the Primer points out, these factors are “not exhaustive and are often overlapping but they do provide insight into how DOJ prosecutors conduct investigations and determine whether to bring charges under the FCPA.”

I find this final section on how the DOJ analyzes compliance programs the most helpful for the compliance practitioner, particularly when they must explain to management what is required and why the resources need to be expended. Remember, this analysis is performed based upon your company’s compliance program at the time the FCPA violation arose, not after program remediation. So just think about some of the questions posed above:

• Have we trained the appropriate employees?
• If so, how do we prove it?
• Has anyone ever been disciplined for a Code of Conduct violation or more appropriately a compliance program violation?
• If so, is it documented?
• Prior to our FCPA violation, had the company ever audited or even reviewed the state of its compliance policy?
• If so, were any changes made to the compliance program? What changes were made and why?
• Our Chief Executive Officer (CEO) signed a cover letter, written by the Legal/Compliance Department, which introduced our compliance program when we rolled it out (fill in the blank) years ago. What evidence is there of the CEO’s continued commitment to the company’s compliance program since roll-out that can be documented?
• Have we opened any new business lines or gone into any new geographic areas since the compliance program roll-out? Did we assess these new business initiatives?
• When was the last time we did a comprehensive compliance risk assessment?
• Do we have effective internal controls?
• If we believe so, how do we know?
• When was the last time a compliance audit was conducted?
• What were the results or lessons learned?
• Did the company incorporate any of these lessons learned into an enhanced or modified compliance program?
• What criteria is the sales team evaluated upon?
• Is there a compliance component to their annual review/evaluation?
• What is the budget for the Compliance Department?
• Is a senior person assigned to lead the company’s compliance efforts or is it everyone’s responsibility? (i.e.: if everyone is in charge then no one is in charge.)

These are just some of the questions that come to my mind in looking at how a prosecutor might review a compliance program. There are obviously many, many others. I highly recommend that you consider some of these questions plus any that you can develop. I would also urge you to download, read and then keep handy the Primer. It is free and one of the best FCPA compliance resources around.

US Sentencing Guidelines

The Primer notes that the Principles are not the only source of authority which a prosecutor might refer to in evaluating a company’s compliance program during an enforcement action. The US Sentencing Guidelines note that one of the two factors which can mitigate downwards in determing the amount of a fine and penalty is “the existence of an effective compliance and ethics program”. Further under the Amended November 2010 Guidelines, the Primer says that the “government may now significantly reduce fines and other sanctions if an organization takes reasonable steps to achieve compliance with its standards, e.g., by utilizing monitoring and auditing systems reasonably designed to detect criminal conduct by its employees and other agents.”

The Guidelines provide in broad parameters how a prosecutor will evaluate compliance programs during the pendency of a FCPA enforcement action. As such they also provide guidance to the compliance practitioner on DOJ thinking. While there is not a specific program listed, the Guidelines place “an emphasis on the results of a program—that is, whether it is reasonably designed, implemented and enforced so that [it] is generally effective in preventing and deterring criminal conduct.” The Primer goes on to note that an effective compliance program consists of documentation that an organization “exercise[s] due diligence to prevent and detect criminal conduct; and otherwise promote[s] an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”

One of the key factors is that the Guidelines do rely on the existence of a written compliance program. This means that a prosecutor’s primary focus is on the effectiveness of a company’s compliance program. The Primer lists out the following parameters, which the Guidelines suggest that a compliance program should minimally include and I cite from the Primer in its entirety:

• The organization to “establish standards and procedures to prevent and detect criminal conduct.
• The “organization’s governing authority . . . be knowledgeable about the content and operation of the compliance and ethics program and . . . exercise reasonable oversight . . .
• High-level personnel of the organization . . . ensure that the organization has an effective . . . program . . . .
• Specific individual(s) within the organization . . . be delegated day-to-day operational responsibility for the . . . program . . . [and] shall report periodically . . . on the effectiveness of the . . . program.
• To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority.
• The “organization . . . use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known . . . has engaged in illegal activities or other conduct inconsistent with an effective . . . program.
• The “organization . . . take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the . . .program . . . by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities, to “members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.
• The organization . . . take reasonable steps . . . to ensure that the organization’s . . . program is followed, including monitoring and auditing to detect criminal conduct.
• The organization . . . take reasonable steps . . . to evaluate periodically the effectiveness of the organization’s . . . program.
• The organization shall take reasonable steps . . . to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
• The organization’s . . . program . . . be promoted and enforced consistently throughout the organization through appropriate incentives to perform in accordance with the . . . program; and appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct
• After criminal conduct has been detected, the organization . . . take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s . . . program
• And in doing all of the above, “the organization . . . periodically assess the risk of criminal conduct and . . . take appropriate steps to design, implement, or modify each [above] requirement . . . to reduce the risk of criminal conduct identified through this process.

I believe that the DOJ has presented significant information to the compliance practitioner about not only it’s most current thinking on what may constitute a minimum best practices compliance program in recent Deferred Prosecution Agreements (DPAs) and Non Prosecution Agreements (NPAs) but with through the Principles and the Guidelines, the DOJ provides guidance of how a prosecutor will look at and analyze a company’s compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

How the DOJ Looks at Compliance Programs in an Enforcement Action-Part I

Although often discussed in Deferred Prosecution Agreements (DPAs) or Non-Prosecution Agreements (NPAs), most compliance practitioners are not familiar with one of the most important sources of Department of Justice (DOJ) policy regarding the charging of corporations under the Foreign Corrupt Practices Act (FCPA). This source is found in the United States Attorney’s Manual section, entitled “Principles of Federal Prosecution of Business Organizations” (“the Principles”). However, there is an excellent discussion found on this issue in the January 2012 publication of “Complying with the Foreign Corrupt Practices Act: A Practical Primer” (“the Primer”), published by the ABA Criminal Justice Section, Global Anti-Corruption Task Force. The Primer has several authors including Salen Churi, David Finkelstein, Joe Mueller; persons from the University of Chicago School of Law, Dean David Zarfes, Michael Bloom and Sean Kramer; the Microsoft Corporation, including John Frank and Michel Gahard (collectively “the authors”).

The Principles themselves recognize that while prosecutors are to apply “the same factors in determining whether to charge a corporation as they do with respect to individuals” such as evidence, likelihood of trial success, deterrent to others similarly situated and others factors, the prosecution of corporations is different than prosecuting individuals. The Primer notes that the Principles state “that prosecutors have a duty to protect economic and capital market, to protect those compete in those markets through lawful means and to generally protect the American public from corporate misconduct.”  To assist prosecutors in making these determinations, the Principles provide a list of factors which must be considered in any decision on whether or not to bring charges or enter into DPAs or NPAs with companies. They are:

• The nature and seriousness of the offense, including the risk of harm to the public and any policies governing the prosecution of corporations for specific types of crimes;
• The pervasiveness of wrongdoing within the corporation, including managerial complicity;
• The organization’s history of similar misconduct;
• The corporation’s disclosure of wrongdoing and willingness to cooperate;
• The existence and effectiveness of the corporation’s compliance program;
• The corporation’s remedial actions, including efforts to implement or improve effective compliance programs, to replace management, to discipline or terminate wrongdoers, to pay restitution, and to cooperate with government agencies;
• The harmful collateral consequences of charges or agreements, including those to investors and the public;
• The adequacy of personal prosecution as opposed to organizational prosecution; and
• The adequacy of non-criminal remedies.

In addition to these specific guidelines, the Principles “indicate that compliance programs are specifically relevant to the DOJ’s evaluation of four general contexts: (1) the pervasiveness of wrongdoing within the corporate; (2) the history of a corporation’s conduct; (3) whether a corporation should be eligible for a reduced sanction because of voluntary disclosures; and (4) whether a corporation has taken significant remedial actions to deter future violations.” The Principles also require a prosecutor to “independently consider the sufficiency of a company’s compliance program.” The Primer further discussed these four general contexts plus the requirement for an independent consideration of a company’s compliance program.

Pervasiveness of Wrongdoing

The Primer initially notes that a company should not be held liable for isolated or small numbers of FCPA violations by company employees particularly if the company has a “robust compliance program in place.” Pervasiveness will be determined on a case-by-case basis and is a fact intensive analysis. However, one of the clearest pronouncements is that corporate management is responsible for “a corporate culture in which criminal conduct is either discouraged or tacitly encouraged”. In other words, tone at the top does matter. The Primer relates that “in evaluating pervasiveness, compliance programs are relevant in determining when any wrongdoing can be fairly attributed to the actions of a corporate management and the culture it has fostered.”

History of Conduct

The history of a wrongful conduct is relevant in how the DOJ may well resolve a case. This means that your company had better have a written compliance program in place but such written program should not simply be a paper program, present as window dressing in case the DOJ comes knocking. This is the document, document and document part that I continually write and speak about. Not only must you document your actions and decisions but you must be able to call up such documentation in a reasonable time frame. Further, if the company has a history of misconduct it may well be construed by the DOJ as “probative of a corporate culture” which condones, if not actively encourages, violations of the FCPA.

Voluntary Disclosures

Voluntary disclosures and compliance programs converge in the DOJ’s analysis because, as the Primer denotes the DOJ desires that company’s “conduct internal investigations and to disclose …relevant facts to the appropriate authorities.” Recognizing that under Dodd-Frank, or other legislation, a disclosure could come to the DOJ via another mechanism, it is still important to understand that a prosecutor “may consider a corporation’s timely and voluntary disclosure in evaluating the adequacy of the corporation’s compliance program and its management’s commitment to the compliance program.”

Remedial Actions

The Primer reports that the DOJ assesses several factors when looking at a corporation’s response to a FCPA violation. The Primer lists these factors as the following:

• Has the corporation “appropriately disciplined the wrongdoers, even if they are at the highest level of seniority?;
• Is the company focused on ‘the integrity and credibility of its remedial and disciplinary measures” rather than the protection of the wrongdoers?;
• Has the corporation paid restitution in advance of a court order, most particularly under the restitution has the corporation accepted responsibility for its actions?; and
• Whether the corporation “quickly recognized the flaws in its compliance program and has made efforts to improve the program?”

These four factors seem to boil down into two areas: (1) did the company take “meaningful” steps to ensure the conduct does not occur again; and (2) did the company take responsibility for its own actions?

Tomorrow we will take a look at how a prosecutor might analyze a company’s compliance program and also review the US Sentences Guidelines related to FCPA compliance.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

The BizJet DPA: Cooperation is the Key

Last week, the Department of Justice (DOJ) announced the resolution of an enforcement action under the Foreign Corrupt Practices Act (FCPA) involving the Tulsa based company, BizJet. The company is in the business of providing aircraft maintenance, repair and overhaul services (MRO) to customers in the US and internationally. BizJet ran into FCPA trouble regarding its Latin American operations, specifically in the countries of Mexico and Panama. BizJet employees and executives were involved in multi-year running bribery scheme which paid hundreds of thousands of dollars for these MRO contracts. These payments were discussed at the highest levels of the company, including the Board of Directors, and occurred from 2004 until 2010.

BizJet Bribery Box Score

The Deferred Prosecution Agreement (DPA) listed the following instances of recorded bribery, a/k/a the “BizJet Bribery Box Score”.

BizJet Executive or Employee Named	Payment Made To	Amount of Payment	Others Involved
Sales Manager  A	Official 6	Cell Phone and $10K	Executive B and C
Sales Manager A	Official 3	$2K	Executive  B
Executive B, C and Sales Manager A	Official 2	$20K
Executive C	Official 2	$30K	Sales Manager A
Executive B	Mexican Federal Police Chief	$10K	Executive C and Sales Manager. A
Executive C	Official 5	$18K	Sales Manager A
Sales Manager A	Official 4	$50K
Sales Manager A	Mexican Federal Police	$176	Executive C
Sales Manager A	Official 4	$40K
Sales Manager A	Mexican Federal Police	$210K	Executive C
Sales Manager A	Official 5	$6K	Executive C
Executive C	Official 5	$22K

The above bribes were characterized as “commission payments” and “referral fees” on the company’s books and records. Payments were made from both international and company bank accounts here in the United States. In other words, this was as clear a case of a pattern and practice of bribery, authorized by the highest levels of the company, paid through US banks and attempts to hide all of the above by mis-characterizing them in the company’s books and records.

Reduction in Monetary Fine

I set out these facts as listed in the DPA in some detail to show the serious nature of enforcement action. However, the clear import that I found in this is that a company can make a comeback in the face of very bad facts. The calculation of the fine, based upon the factors set out in the US Sentencing Guidelines, ranged between a low of $17.1MM to a high of $34.2MM. The final agreed upon monetary penalty was $11.8MM. This is obviously a significant reduction from the suggested low or high end, or as was noted by the FCPA Blog “BizJet’s reduction was 30% off the bottom of the fine range, and a whopping 65% off the top of the fine range.”

How did BizJet achieve this reduction and avoid an external monitor? As reported by the FCPA Professor, the following were factors:

(a) following discovery of the FCPA violations during the course of an internal audit of the implementation of enhanced compliance related to third-party consultants, BizJet initiated an internal investigation and voluntarily disclosed to the DOJ the misconduct …;

(b) BizJet’s cooperation has been extraordinary, including conducting an extensive internal investigation, voluntarily making U.S. and foreign employees available for interviews, and collecting, analyzing, and organizing voluminous evidence and information for the DOJ;

(c) BizJet has engaged in extensive remediation, including terminating the officers and employees responsible for the corrupt payments, enhancing its due diligence protocol for third-party agents and consultants, and instituting heightened review of proposals and other transactional documents for all BizJet contracts;

(d) BizJet has committed to continue to enhance its compliance program and internal controls, including ensuring that its compliance program satisfies the minimum elements set forth in the” corporate compliance program set forth in an attachment to the DPA; and

(e) “BizJet has agreed to continue to cooperate with the DOJ in any ongoing investigation of the conduct of BizJet and its officers, directors, employees, agents, and consultants relating to violations of the FCPA.

Reports to the DOJ

As mentioned, the company avoided an external monitor. However, it agreed that it would report “at no less that twelve-month intervals during the three year term” [of the DPA] to the DOJ on “remediation and implementation of the compliance program and internal controls, policies and procedures” which were listed in Attachment C to the DPA (the DOJ guidelines for a minimum best practices compliance program). The initial report was required to be delivered one year from the date of the DPA and would also include BizJet’s proposals “reasonably designed to improve BizJet’s internal controls, policies and procedures for ensuring compliance with the FCPA and other applicable anti-corruption laws.”

Cooperation is the Key

Last week I attended the Ethisphere 2012 Global Ethics Summit where Lanny Breuer closed the conference. He did not present a speech but engaged in dialogue with Alex Brigham and took questions from the audience. One of the clear points Breuer emphasized was that if companies will come to the DOJ, make a voluntary disclosure and fully cooperate, it will pay dividends. I believe that this is clearly the case in the BizJet matter. Here you had a multi-year bribery scheme in place, not only approved at the highest levels of the company but with active involvement from senior managers, yet the final monetary penalty was almost 30% below even the lowest in the Sentencing Guideline range. Clearly BizJet benefited through its cooperation with the DOJ and that message should be made clear to any other company which might find itself in such a “fine mess.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

The Story of Ajax: Fairness in Rewarding Employee Behaviors

How does your company deal with the question of fairness in its compliance program? I thought about that question while reading an article in the New York Times (NYT), entitled “That Eternal Question of Fairness”, by Nancy Koehn. In her article, Koehn discussed the book “The Ajax Dilemma: Justice, Fairness and Rewards” written by Paul Woodruff which considers how a company might distribute rewards to its employees “without damaging the larger community.” I have written about the Fair Process Doctrine which generally is recognized as allowing employees to accept a negative result if they think that the process through which the result was determined was fair and not arbitrary and capricious. In the Department of Justice’s (DOJ) 13 point minimum best practices compliance program, Item 10 states:

10.  Discipline. A Company should have appropriate disciplinary procedures to address, among other things, violations of the anti-corruption laws and the Company’s anti-corruption compliance code, policies, and procedures by the Company’s directors, officers, and employees. A Company should implement procedures to ensure that where misconduct is discovered, reasonable steps are taken to remedy the harm resulting from such misconduct, and to ensure that appropriate steps are taken to prevent further similar misconduct, including assessing the internal controls, ethics, and compliance program and making modifications necessary to ensure the program is effective.

However, I believe that the DOJ best practices are more active than the ‘stick’ of employee discipline to make a compliance program effective and I believe that it also requires a ‘carrot’. This requirement is codified in the US Sentencing Guidelines with the following language, “The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.”

I have advocated that the Compliance Department work with Human Resources (HR) to ensure that rewards are handed out to those employees who integrate such ethical and compliant behavior into their individual work practices going forward.  One of the very important functions of HR is assisting management in setting the criteria for employee bonuses and in the evaluation of employees for those bonuses. This is an equally important role in conveying the company message of adherence to a Foreign Corrupt Practices Act (FCPA) compliance and ethics policy.

Ajax relates to all of these fairness issues through his story from the Iliad. He was one of two Greek warriors who were in line to receive the armor from the mighty Achilles, after he was slain by the Trojan Prince Hector. Achilles’ armor was to be rewarded by the Greek King Agamemnon to “the Army’s most valuable soldier.” Ajax and Odysseus competed for the prize via a speech made before the King. The book’s author uses this speech competition and Agamemnon’s subsequent award of Achilles armor to Odysseus to explore the issues of rewards, which he says “mark the difference between winners and losers.” Paraphrasing several questions that Koehn asked about communities: Which does your company value more: Cleverness or hard work?; Strength or intelligence?; Loyalty or inventiveness?

These questions can play out in a company in a variety of ways. Does your company identify early on in an employee’s career the propensity for compliance and ethics by focusing on leadership behaviors in addition to simply business excellence? If a company has an employee who meets, or exceeds, all his sales targets, but does so in a manner which is opposite to the company’s stated business ethics values, other employees will watch and see how that employee is treated. Is that employee rewarded with a large bonus? Is that employee promoted or are the employee’s violations of the company’s compliance and ethics policies swept under the carpet? If the employee is rewarded, both monetarily and through promotions, or in any way not sanctioned for unethical or non-compliant behavior, it will be noticed and other employees will act accordingly. I think one of requirements under the Sentencing Guidelines is to ensure consistent application of company values throughout the organization, including those identified as ‘rising stars’.

In her book review, Koehn states that she believes the Ajax example still has relevance today. Most employees are like Ajax, loyally doing the important day-to-day work. If doing business in a manner antithetical to a company’s stated culture of ethics and compliance is seen to be rewarded then those loyal, hard-working employees may well stop working in a compliant manner. The end for Ajax was not good, as after the King’s award of Achilles armor to Odysseus, his anger exploded and he lost his life, his family and his reputation down to this day. From this lesson we draw the conclusion that rewards must be distributed in a way to ensure a company’s health. This, the author believes, is why the “story of Ajax is sure to resonate with many” even today.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

Code of Conduct – The Cornerstone of Your FCPA Compliance Program

The cornerstone of a Foreign Corrupt Practices Act (FCPA) compliance program is the US Federal Sentencing Guidelines (FSG). They contain seven (7) basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements the Department of Justice (DOJ) has crafted its minimum best practices compliance program which is now attached to every Deferred Prosecution Agreement (DPA) and Non-Prosecution Agreement (NPA). The FSG assumes that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct? The starting point, as per the FSG, reads as follows:

Element 1

Standards of Conduct, Policies and Procedures (a Code of Conduct)

An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages “ethical conduct” and a commitment to compliance with applicable regulations and laws.

 In each DPA and NPA over the past 18 months the DOJ has said the following as item No. 1 for a minimum best practices compliance program.

1. Code of Conduct. A Company should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy shall be memorialized in a written compliance code.

In an article in the SCCE Complete Compliance and Ethics Manual, 2^nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”

There are several purposes identified by the authors which should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this in a Code by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena to do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasis it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your FCPA compliance program are document, document and then document. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands the Code. For employees, it is important that a representative of the Compliance Department, or other qualified trainer, explains the standards set forth in your Code of Conduct and answers any questions that an employee may have. Your company’s employees need to attest in writing that they have received, read, and understood the Code of Conduct and this attestation must be retained and updated as appropriate.

The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed your Code of Conduct for five years, I would suggest that you do in short order as much has changed in the compliance world.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012