FCPA Compliance and Ethics Blog

July 9, 2014

Mid-Year FCPA Report, Part I

Mid Year ReportAs we are now past the halfway mark of 2014, I thought it might be a good time to look at the year in review, so over the next couple of days, I will be reviewing what I believe to be some issues and developments to the Foreign Corrupt Practices (FCPA) world. In this Part I, I will look at an enforcement action which brought a company to No. 5 on the list of highest FCPA settlements, to a company which seemingly came back from the edge of very bad FCPA conduct and finally some individual prosecutions and one interesting settlement in a SEC action against individuals. 

Alcoa

In one of the more long-running international bribery and corruption sagas, Alcoa Inc. settled a FCPA action by having one of its subsidiary’s plead guilty to bribing officials in Bahrain to win contracts to supply the raw materials for aluminum to Aluminum Bahrain BCS or Alba. As reported by the FCPA Professor, “Alcoa entities agreed to pay approximately $384 million to resolve alleged FCPA scrutiny (a criminal fine of $209 million and an administrative forfeiture of $14 million to resolve the DOJ enforcement action and $175 million in disgorgement to resolve the SEC enforcement action – of which $14 million will be satisfied by the payment of the forfeiture in the criminal action).” Alcoa now sits as No 5 on the list of all-time FCPA settlements and has the distinction of paying the largest disgorgement.

Payments were made through shell corporations, agents and distributors. As reported in the Wall Street Journal (WSJ), in an article entitled “Alcoa Snared in Bahrain Bribery Case”, although one of its subsidiaries, Alcoa World Aluminum, pled guilty to violating the FCPA, its parent Alcoa issues a statement that “neither the Department of Justice nor the SEC alleged or found that anyone at Alcoa “knowingly engaged in the conduct at issue.”” According to the WSJ article, the bribery scheme had been in place since at least 1989. Further, at least one in-house counsel had raised concerns in 1997 that the contracts around the bribery scheme when she wrote in an email to Alcoa’s corporate headquarters stating “The contract looks odd. Are these factors OK from an anti-trust and FCPA perspective?” I guess sometimes actual knowledge is really not actual knowledge.

Hewlett-Packard (HP)

In what can only be described as one of the most stunning failures of internal controls to be seen in the annuls of FCPA enforcement actions, HP resolved a matter through a guilty plea, a Deferred Prosecution Agreement (DPA) and a Non-Prosecution Agreement (NPA), for three separate bribery schemes in three countries. For a deal in Russia, HP paid a one-man agent approximately $10MM, which was simply a conduit to pay bribes. In Poland, HP’s Country Manager literally carried bags of cash in the amount of $600K to a Polish government representative for contracts. Finally, in HP’s Mexico subsidiary, according the to the Securities and Exchange Commission (SEC) Press Release, HP “paid a consultant to help the company win a public IT contract worth approximately $6 million. At least $125,000 was funneled to a government official at the state-owned petroleum company with whom the consultant had connections. Although the consultant was not an approved deal partner and had not been subjected to the due diligence required under company policy, HP Mexico sales managers used a pass-through entity to pay inflated commissions to the consultant.”

As noted by Mike Volkov, “In total the three HP entities paid $76 million in criminal penalties and forfeitures. In a related filing, the SEC and HP entered into a civil settlement under which HP agreed to pay $31 million in disgorgement, prejudgment interest, and civil penalties.”

The enforcement action is also notable for two other factors. The first is that HP did not self-disclose the conduct even after German authorities raided the company’s Germany subsidiary’s offices in connection with the Russia transaction. HP seemingly made a dramatic comeback in the eyes of the Department of Justice (DOJ), which leads to the second point of note. That involved the overall penalty assessed against HP. What are we to make of the criminal fines levied against the Russian and Polish subsidiaries of HP? The US Sentencing Guidelines for the Polish subsidiary suggested a fine range of $19MM to $38MM, yet the final fine was $15MM. The US Sentencing Guidelines for HP’s Russian subsidiary suggested a fine range of $87MM to $174MM, yet the final fine was $58MM.

What does it all mean? It would seem that a company could come back from the brink of very bad facts and no self-disclosure. How did HP do it? The resolution documents only reference HP’s ‘extraordinary cooperation’ and installation of a best practices compliance program. My hope is that HP will publicize the steps it took so that the rest of us might learn how they accomplished the results they received.

Individual Indictments, Arrests and Settlements

As reported in the FCPA Blog, there were a number of individuals who fell under FCPA criminal scrutiny in the first half of 2014.

PetroTiger

Joseph Sigelman, the former co-CEO of PetroTiger Ltd., was charged with conspiracy to violate the FCPA and to commit wire fraud, conspiracy to launder money, and substantive FCPA and money laundering offenses. He is accused of bribing an official at Ecopetrol SA, Colombia’s state-controlled oil company, and defrauding PetroTiger by taking kickbacks. As reported by Joel Schectman in the WSJ, two other PetroTiger executives, Sigelman’s co-CEO, Knut Hammarskjold and the company’s former General Counsel (GC), Gregory Weisman, have already pled guilty to the charges.

It is alleged that Sigelman bribed an official in Colombia to help win an oil contract worth $39 million and of seeking kickback payments during the acquisition of another company, in exchange for a better price. Most interestingly, even after the company conducted an internal investigation, which uncovered the conduct and self-disclosed its findings to the DOJ, Sigelman has said he will go to trial and contest the charges.

Firtash and His Associates

In what may be an early preview of the corrupt doings of the old guard in Ukraine, there were a number of individuals arrested or indicted in connection with an alleged scheme to pay $18.5 million in bribes to officials in India to gain titanium mining rights. They include team leader, Dmitry Firtash, a Ukrainian national, who was arrested in Vienna, Austria, March 12, 2014, and the following were indicated with Firtash and charged with conspiracy to violate the FCPA, and who are still at large: Andras Knopp, a Hungarian businessman,; Suren Gevorgyan a Ukrainian national,; Gajendra Lal, an Indian national and permanent resident of the US; Periyasamy Sunderalingam, a Sri Lankan. K.V.P. Ramachandra Rao, a member of parliament in India and former official of the state of Andhra Pradesh, has been charged along with the other five defendants with one count each of a racketeering conspiracy and a money laundering conspiracy, and two counts of interstate travel in aid of racketeering. Although he was not charged under the FCPA, the DOJ has asked India to arrest him.

Direct Access Partners

Continuing the investigation into the first investment bank, Direct Access Partners LLC (DAP), to be charged with FCPA violations, there were two more individuals charged, in addition to the four from 2013 who all pled guilty. Benito Chinea, former CEO of DAP, was charged in federal court in New York for bribery involving Venezuela’s state bank and Joseph Demeneses, a former managing director, was also charged in the 15-count indictment of paying kickbacks to a vice President of the Venezuelan Nation Bank BANDES, in exchange for the bank’s bond-trading business.

Noble Energy Executives

While it is not entirely clear if these cases belong in the first half or second half of the their, the Securities and Exchange Commission (SEC) rather unceremoniously dropped its enforcement action against one former and one current Noble Energy executives. The SEC had claimed that former Noble Corporation CEO Mark A. Jackson along with James J. Ruehlen, had bribed customs officials to process false paperwork purporting to show the export and re-import of oil rigs, when in fact the rigs never moved. These actions led to allegations that Jackson and Ruehlen directly violated the anti-bribery provisions, internal controls and false records provisions relating to the FCPA. For all of these claims the SEC sought injunctive relief and monetary damages.

But as reported in the FCPA Blog, “A docket entry from July 1 for the U.S. federal district court in Houston said all deadlines in the SEC’s civil FCPA enforcement action against two former Noble executives have been vacated “pending final settlement documents.”” Both defendants agreed not to violate or aid and abet any violation of the FCPA going forward. Pretty stout stuff when you consider that all US citizens have that obligation going forward, whether they agree to it in a court filed documents or not.

Tomorrow we continue with Part II.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

 

 

May 28, 2014

What Does an Effective Compliance Program Look Like? – The Regulators Perspective

Compliance ProgramWhat does an effective compliance program look like? Is it one that follows the Ten Hallmarks of an Effective Compliance Program as set out in the 2012 FCPA Guidance? How about one that uses the Six Principals of Adequate Procedures relating to the UK Bribery Act as its guideposts? Or should a company follow the OECD Good Practice Guidance on Internal Controls, Ethics, and Compliance? More importantly, for anti-corruption enforcement under the Foreign Corrupt Practices Act (FCPA), what does the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) look for when assessing a compliance program?

Over the years, we have heard various formulations of inquiries that regulators might use when reviewing a compliance program. While not exactly a review of a compliance protocol, one of my favorites is what I call McNulty’s Maxims or the three questions that former United States Deputy Attorney General, and  Baker & McKenzie LLP partner, Paul McNulty said were three general areas of inquiry the he would assess regarding an enforcement action when he was at the DOJ. They are: first: “What did you do to stay out of trouble?” second: “What did you do when you found out?” and third: “What remedial action did you take?”

Paul’s former partner at Baker & McKenzie, Stephen Martin, who still runs Baker & McKenzie Compliance Consulting LLC, said that an inquiry he might make was along the lines of the following. First he would ask someone who came in before the DOJ what the company’s annual compliance budget was for the past year. If the answer started with something like, “We did all we could with what we had ($100K, $200K, name the figure), he would then ask, “How much was the corporate budget for Post-It Notes last year?” The answer was always in the 7-figure range. His next question would then be, “Which is more business critical for your company; complying with the FCPA or Post-It Notes?” Unfortunately, it has been Martin’s experience that most companies spent far more on the Post-It Notes than they were willing to invest into their compliance program.

Last week at Compliance Week 2014, Andrew Ceresney, Director of the Division of Enforcement of the SEC, gave one of the Keynote Addresses. In his remarks he talked about the importance that the SEC is putting into compliance. He said “I start from the premise that the companies that have done well in avoiding significant regulatory issues typically have prioritized legal and compliance issues, and developed a strong culture of compliance across their business lines and throughout the management chain. This is something I observed firsthand while in private practice and have come to fully appreciate from my perch at the SEC.”

But, more importantly, he said that he has “found that you can predict a lot about the likelihood of an enforcement action by asking a few simple questions about the role of the company’s legal and compliance departments in the firm.” He then went on to detail some rather straightforward questions that he believes can show just how much a company is committed to having a robust compliance regime.

  • Are legal and compliance personnel included in critical meetings?
  • Are their views typically sought and followed?
  • Do legal and compliance officers report to the CEO and have significant visibility with the board?
  • Are the legal and compliance departments viewed as an important partner in the business and not simply as support functions or a cost center?

Beyond simply going into the DOJ or SEC and claiming that your company is very ethical and does business in compliance with the FCPA, how can a company demonstrate the above? This is where the Tom Fox Mantra of Document, Document and Document comes into play. No matter how much input the compliance function has into the above suggested inquiries if the inputs are not documented, it is if they did not exist. So for meetings, you should keep attendance sheets or notations. A compliance representative can put a short, three to four sentence memo into the file about the recommendations and the response thereto. If the compliance department advise was not followed, there should be a business reason documented for the decision. Moreover, if there is a rejection of the compliance function advise and the course of action leads to some type of FCPA issue, it may well be assumed the company knew or should have known that the course of action taken could reasonably lead to a FCPA issue if not full blown violation. As to the issues of compliance visibility at the Board level, once again the documentation of any presentation and their substance can provide evidence to answer the query in the affirmative. But the key to all of these questions is if there is documentation to prove the assertions that they actually occurred.

Near the end of his presentation, Cerensey said that “Far too often, the answer to these questions is no, and the absence of real legal and compliance involvement in company deliberations can lead to compliance lapses, which, in turn, result in enforcement issues. When I was in private practice, I always could detect a significant difference between companies that prioritized legal and compliance and those that did not. When legal and compliance were not equal partners in the business, and were not consulted as a matter of course, problems were inevitable.”

McNulty’s Maxims, Martin’s question on budget and now Cerensey’s questions all provide significant guideposts to how regulators think about FCPA compliance programs. For me, I think the point is that companies which actually Do Compliance are easy to spot. For all the gnashing of teeth about how hard it is to comply with what the DOJ and SEC want to see in FCPA compliance, when the true focus can be distilled into whether a company actually does compliance as opposed to saying how ethical they are, I think it simplifies the inquiry and the issues senior management and a Board of Directors really needs to pay attention to.

For a copy of the full text of Director Cerensey’s remarks, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

May 2, 2014

Gehrig’s Streak Ends and Compliance Week 2014 Is Near

lou GehrigToday we celebrate greatness in two areas. The first is in baseball as on this day in 1939, “New York Yankees first baseman Lou Gehrig benches himself for poor play ending his streak of consecutive games played at 2,130. “The Iron Horse” was suffering at the time from amyotrophic lateral sclerosis (ALS), now known as “Lou Gehrig’s Disease.” Gehrig joined the Yankees in 1923, but he didn’t see any action until 1925, when he backed up star first baseman Wally Pipp. According to legend, Gehrig stepped in at first base when Pipp benched himself with a headache, and Pipp never made it back on to the field. Gehrig didn’t miss a game for the next 13 years.” Gehrig’s record of playing in 2,130 straight games was intact until broken by Cal Ripken, Jr.

In the area of conference excellence around all things compliance, there is the upcoming Compliance Week 2014. While the conference has not had as many appearances as Gehrig’s long streak, this is the 9th annual event. As usual, Matt Kelly and his team over at Compliance Week have put together a star-studded and first-rate program for a wide variety of compliance practitioners. From the US government there is Kara M. Stein, Commissioner of the Securities and Exchange Commission (SEC). Interested in the future of the audit committee, there will be Jay Hanson, Board member from the Public Company Accounting Oversight Board (PCAOB), together with others to talk on that subject. For export control there will be representatives from the Department of Commerce and Department of Justice (DOJ) to bring you the latest on export control enforcement issues. Finally, both Patrick Stokes from the DOJ and Kara Brockmeyer from the SEC will be there to discuss Foreign Corrupt Practices Act (FCPA) enforcement from the perspectives of their agencies.

As usual there will be many sessions aimed at the compliance practitioner. Are you interested in developing a strong corporate culture? If so there will be a panel to discuss how to do so from working with your board to determine what your culture should be to building ethics and compliance programs (and control systems) that amplify those values rather than undermine them. An often-discussed topic is the management of compliance in joint ventures (JVs) and in a panel you will hear from three compliance officers telling their approaches to JVs: from risk assessments before the deal to monitoring and cooperation during the partnership to practical tips on investigations should misconduct in a JV partner come to light.

If there are specific geographic areas that you are concerned about there will be conversations about India, the Middle East, Africa, China and Latin America. In these sessions, held in smaller groups to facilitate conversations and questions, there will be discussions that focus on ethics and compliance risks in geographic hotspots around the world. Wondering which regulators matter most in a specific area? What training tactics work best for local workforces? Which cultural differences can cause the biggest risks or mis-steps? All those questions and more are prime fodder for these sessions.

There are a couple of very interesting sessions aimed at providing data on compliance trends. In one, there will be a joint Deloitte and Compliance Week review of their findings of this year’s Compliance Trends report – a survey conducted this spring to benchmark compliance operations at the modern enterprise. Hear about current budget and staffing levels, as well as emerging trends in reporting structures, use of GRC (Governance, Risk management and Compliance) technology, risks confronting the enterprise, and strategies to address them. In a second, there will be a review of the joint Kroll and Compliance Week 2014 Anti-Bribery and Corruption Report – one of the most comprehensive reviews of corporate anti-corruption practices you’re ever likely to find. In this session Kroll executives present the findings and lead a discussion on what those findings say about current (and not necessarily best) practice in FCPA compliance.

There will be several sessions, which deal with training. An interesting one is entitled, “Employee Training – Four Statistics That Will Surprise You” and will provide you with information on best practices on how to align roles, risks, and priorities strategically, to make the most efficient use of limited training time while protecting the organization. The discussion will be framed around four key statistics that you can use to drive training decisions and true program effectiveness. Another interesting angle will be through the prism of social media in a session which will consider the new risks social media brings, and the best ways to square its advances in communications and IT with your existing compliance program, whether that’s through new policies, new technology, or a mix of both.

There will be a couple of sessions dealing with investigations. In one, I will lead a panel, entitled “Investigations Gone Global, Not Haywire”, where we will focus on how can you run an effective investigation in some of the most difficult spots in the world, where local law may conflict with what you need to do. We will explore local stumbling blocks to your investigation, and offer ideas on how to complete the job nonetheless. Another session will help you scope out your internal investigation by considering some of the most difficult parts of scoping (parameters for e-Discovery, for example), and techniques to help determine scope more effectively (say, using the audit team to help map out the issue).

Finally, one session looks timely and intriguing. It will focus on supply chain compliance issues and will look at misconduct in the supply chain – conflict minerals, human trafficking, bribery, and more – is one of the most dangerous risks a company faces: It can erupt anywhere, cause enormous reputational harm, and leave boards scrambling for answers. You will hear about the clues you have, in the vast databases of modern businesses, and how to draw out the answers you need – about which risks are looming, which require policy response, and which require the board’s attention. Lastly, I will be leading a conversation on the FCPA enforcement trends we have seen in 2014.

I have been authorized to offer readers of this blog, who register for Compliance Week, a discount off of the standard rate..  To register, please use this link and discount code CW14FOX (case sensitive) to receive the special pricing of $1,495 (rate applies to new registrations only; please read Compliance Week Terms of Sale about refunds or substitutions). Event website: http://conference.complianceweek.com.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 23, 2014

Gifts, Travel and Entertainment Under the FCPA – Part II

Travel and GiftsEd. Note – I know yesterday I said this would be a two-part series but as usual I got carried away so it has become a three part series. Today I review the Opinion Releases and Enforcement Actions dealing with gifts, travel and entertainment.

A. Opinion Releases

  1. Gifts

In the early 1980s the Department of Justice (DOJ) issued three Opinion Releases related to gifts under the Foreign Corrupt Practices Act (FCPA). While these Opinion Releases are clearly dated, they do remain instructive. In Opinion Release 82-01, the DOJ approved the gift of cheese samples made to Mexican governmental officials, made by the Department of Agriculture of the State of Missouri to promote the state of Missouri’s agricultural products. However the value of the cheese to be presented was not included. In Opinion Release 81-02, the DOJ approved a gift from the Iowa Beef Packers, Inc. to officials of the Soviet Ministry of Foreign Trade of its packaged beef products. The total value of all the samples presented was estimated to be less than $2,000 and the Iowa Beef Packers, Inc. averred that the individual sample packages would not exceed $250 in value. In Opinion Release 81-01, Bechtel sought approval to use the SGV Group to solicit business on behalf of Bechtel and Bechtel had proposed to reimburse the SGV Group for gift expenses incurred in this business solicitation. The DOJ approved gifts to be given by SGV in the amount of $500.00.

  1. Travel and Lodging for Governmental Officials

 Prior to the FCPA Guidance, the DOJ issued three Opinion Releases which offered guidance to companies considering whether, and if so how, to incur travel and lodging expenses for government officials. These facts provided strong guidance for any company that seeks to bring such governmental officials to the US for a legitimate business purpose. In Opinion Release 07-01, the Company was desired to cover the domestic expenses for a trip to the US for a six-person delegation of the government of an Asian country for an educational and promotional tour of one of the requestor’s US operations sites. In the Release the representations made to the DOJ were as follows:

  • A legal opinion from an established US law firm, with offices in the foreign country, stating that the payment of expenses by the US Company for the travel of the foreign governmental representatives did not violate the laws of the country involved;
  • The US Company did not select the foreign governmental officials who would come to the US for the training program;
  • The delegates who came to the US did not have direct authority over the decisions relating to the US Company’s products or services;
  • The US Company would not pay the expenses of anyone other than the selected officials;
  • The officials would not receive any entertainment, other than room and board from the US Company;
  • All expenses incurred by the US Company would be accurately reflected in this Company’s books and records.

In Opinion Release 07-02 the Company desired to pay certain domestic expenses for a trip within the US by approximately six junior to mid-level officials of a foreign government for an educational program at the Requestor’s US headquarters prior to the delegates attendance at an annual six-week long internship program for foreign insurance regulators sponsored by the National Association of Insurance Commissioners (NAIC). In the Release the representations made to the DOJ were as follows:

  • The US Company would not pay the travel expenses or fees for participation in the NAIC program.
  • The US Company had no “non-routine” business in front of the foreign governmental agency.
  • The routine business it did have before the foreign governmental agency was guided by administrative rules with identified standards.
  • The US Company would not select the delegates for the training program.
  • The US Company would only host the delegates and not their families.
  • The US Company would pay all costs incurred directly to the US service providers and only a modest daily minimum to the foreign governmental officials based upon a properly presented receipt.
  • Any souvenirs presented would be of modest value, with the US Company’s logo.
  • There would be one four-hour sightseeing trip in the city where the US Company is located.
  • The total expenses of the trip are reasonable for such a trip and the training which would be provided at the home offices of the US Company.

Lastly, is Opinion Release 12-02, in which the Requestors, 19 non-profit adoption agencies located in the US, asked the DOJ about bringing certain foreign governmental officials involved in the foreign country’s adoption process to the US. All the foreign governmental officials were involved in the process of allowing children from their country go through the adoption process with the US non-profits involved. The trips to the US would be for two days of meetings. The purpose of the visit would be to demonstrate the Requestors’ work to the government officials so that the officials can see how adopted children from the foreign country had adjusted to life in the US and to help the Requestors learn how they can provide that information to the foreign country’s government with appropriate information during the adoption process. The Requestors would allow the government officials to meet with the Requestors’ employees and to inspect the Requestors’ offices and case files from previous adoptions. The foreign country’s government officials would also meet with families who had adopted children from their country and learn more about the Requestors’ work.

The Requestors stated that they would pay for the following:

  • Business class airfare on international portions of flights for ministers, members of the legislature, and the director of the Orphanage Agency; coach airfare for international portions of flights for all other government officials; and coach airfare for domestic portions of flights for all government officials;
  • Two or three nights hotel stay at a business-class hotel;
  • Meals during the officials’ stays; and
  • Transportation between agencies and local transportation.

What can one glean from these three Opinion Releases? Based upon them, it would seem that a US company could bring foreign officials into the US for legitimate business purposes. A key component is that the guidelines are clearly articulated in a compliance policy. Based upon these Releases the following should be incorporated into a compliance policy regarding travel and lodging:

  • Any reimbursement for air fare will be for economy class, unless it is a long haul international flight, high ranking foreign officials or those entitled to travel business class by contract.
  • Do not select the particular officials who will travel. That decision will be made solely by the foreign government.
  • Only host the designated officials and not their spouses or family members.
  • Pay all costs directly to the service providers; in the event that an expense requires reimbursement, you may do so, up to a modest daily minimum (e.g., $35), upon presentation of a written receipt.
  • Any souvenirs you provide the visiting officials should reflect the business and/or logo and would be of nominal value, e.g., shirts or tote bags.
  • Apart from the expenses identified above, do not compensate the foreign government or the officials for their visit, do not fund, organize, or host any other entertainment, side trips, or leisure activities for the officials, or provide the officials with any stipend or spending money.
  • The training costs and expenses will be only those necessary and reasonable to educate the visiting officials about the operation of your company.

Incorporation of these concepts into a compliance program is a good first step towards preventing any FCPA violations from arising, but it must be emphasized that they are only a first step. These guidelines must be coupled with active training of all personnel, not only on the compliance policy, but also on the corporate and individual consequences that may arise if the FCPA is violated regarding gifts and entertainment. Lastly, it is imperative that all such gifts and entertainment are properly recorded, as required by the books and records component of the FCPA.

B. Enforcement Actions

Mike Volkov refers to the FCPA Paparazzi when he talks about those FCPA practitioners who confuse FCPA information with FCPA scare tactics and manipulate legal reasoning and practical advice with “marketing” using fear as opposed to reliable and accurate information. In a recent blog post, entitled “The So-Called Re-Emergence of Gifts, Meals and Entertainment as a Compliance Problem” Volkov bemoaned recent FCPA Paparazzi client alerts which said that the DOJ was now gunning after companies for FCPA transgressions in this area.

But one point Volkov raised for consideration by the compliance practitioner was the overall management of these risks. He asked the following questions: “Who is responsible for approving expenditures? What controls are in place for ensuring that money is used for proper purposes? How are these expenditures monitored? Who watches the person responsible for controlling the money and what controls are in place to monitor their behavior?” All good questions, and all questions that the compliance function should be able to answer going forward.

While there were three of enforcement actions in 2013 and one in 2014 where gifts, travel and entertainment were discussed. In only one of the four such enforcement actions were gifts, travel and entertainment discussed, where over a period of 15 months these actions were the primary cause of the violation. That matter was the Diebold enforcement action. In all others, HP, Weatherford and Stryker, the gifts, travel and entertainment matters were all ancillary to the primary illegal conduct at issue. This is consistent with DOJ enforcement of the FCPA so Volkov rights notes, the FCPA Paparazzi are howling at the moon once again.

Travel and Entertainment Enforcement Expense Box Score

Company Trip Locations Trip Costs & Perks Company Facilities Present
Lucent Technologies DisneyWorld, Hawaii, Las Vegas, Grand Canyon, Niagara Falls, Universal Studios, NYC $10 million in trips for 1000 Chinese governmental officials, including $34,000 for five days of sightseeing None of the travel destinations
Ingersoll-Rand Trip to Florence after trip to company facility in Vignate, Italy $1000 ‘pocket money’ per attendee Facilities in Vignate but not in Florence
Metcaf & Eddy First trip – Boston, Washington, D.C., Chicago and Orlando. Second trip – Paris, Boston and San Diego. First Class Travel and trip expenses for Egyptian governmental official and his family. Cash payments prior to trips of 150% of estimated daily expenses. Wakefield Mass., not in Washington DC, Chicago, Paris or DisneyWorld
Titan Corporation Reference in company books and records of $20,000 for promotional travel expenses. Not clear if ever funded (Remember a promise to pay equals making a payment under the FCPA)
UTStarcom Hawaii, Las Vegas and NYC Up to $7 million on gifts and all expense paid trips to US No company offices present in any of the travel destinations
Diebold Europe, with stays in:

  • Paris,
  • Amsterdam,
  • Florence,
  • Rome

In the US with visits to:

  • Disneyland,
  • Grand Canyon,
  • Napa Valley,
  • Las Vegas
$1.6MM to employees of Chinese state-owned banks; $175K to employees of Indonesian state-owned banks No company offices present in any of the travel destinations
Weatherford
  • Trip to Germany for the World Cup
  • Honeymoon for Sonatrach official’s daughter
  • Trip to Saudi Arabia for religious holiday
Payment of $24,000 in cash advance for Algerian government officials visiting Houston No legitimate business purpose for any of the business travel
Stryker NYC and Aruba $7000 for Polish gov official and wife No company offices present in any of the travel destinations
HP Las Vegas $35,000 in travel expenses paid for Polish gov official No company offices present in any of the travel destinations

Tomorrow we will tie it all together for you.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 15, 2014

Implementing Compliance Incentives In Your Company

IncentiveSeveral readers have asked why I have not written anything about the Houston Astros this year. The answer is two-fold. The first is that I really do not care. However, the more I thought about it, the real reason is that they are not relevant. Just how not relevant are the bumbling hometown (former) loveables? Last week they achieved the noteworthy accomplishment of obtaining a Nielson rating of 0.00 for a second consecutive season. I am not aware of any other major league team, which has been on television for a game where no one was recorded as watching for the entire game, for two straight seasons. Pretty amazing when you think about it.

However, one thing that is relevant in the context of any best practices anti-bribery compliance program is incentives. The Department Of Justice (DOJ) and Securities Exchange Commission (SEC) could not have been clearer in the FCPA Guidance about their views on the need for incentives to help drive behavior that is ethical and in compliance with the Foreign Corrupt Practices Act (FCPA) when they stated “DOJ and SEC recognize that positive incentives can also drive compliant behavior.” In the Guidance, the SEC cited to the following:

[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that “doing the right thing” is a priority, is to reward it. Conversely, if employees are led to believe that, when it comes to compensation and career advancement, all that counts is short-term profitability, and that cutting ethical corners is an acceptable way of getting there, they’ll perform to that measure. To cite an example from a different walk of life: a college football coach can be told that the graduation rates of his players are what matters, but he’ll know differently if the sole focus of his contract extension talks or the decision to fire him is his winloss record.

A recent article in the Spring 2014 issue of the MIT Sloan Management Review, entitled “Combing Purpose with Profits”, by authors Julian Birkinshaw, Nicolai J. Foss and Siegwart Lindenberg, presents some interesting steps on how a company might work towards achieving the goals articulated by the DOJ and SEC. The key thesis of the authors is if you want to motivate employees you have to have purpose. In their article they presented case studies from three entities: the Tata Group, Handelsbanken and HCL Technologies. From these three cases studies they came up with six core principles, which I will adapt for the compliance function in an anti-corruption compliance program.

  1. Compliance incentives don’t have to be elaborate or novel. The first point is that there are only a limited number of compliance incentives that a company can meaningfully target. Evidence suggests the successful companies are the ones that were able to translate pedestrian-sounding compliance incentive goals into consistent and committed action.
  2. Compliance incentives need supporting systems if they are to stick. People take cues from those around them, but people are fickle and easily confused, and gain and hedonic goals can quickly drive out compliance incentives. This means that you will need to construct a compliance function that provides a support system to help them operationalize their pro-incentives at different levels, and thereby make them stick. The specific systems which support incentives can be created specifically to your company but the key point is that they are delivered consistently because it signals that management is sincere.
  3. Support systems are needed to reinforce compliance incentives. One important form of a supporting system for compliance incentives “Is to incorporate tangible manifestations of the company’s pro-social goals into the day-to-day work of employees.” Make the rewards visible. As stated in the FCPA Guidance, “Beyond financial incentives, some companies have highlighted compliance within their organizations by recognizing compliance professionals and internal audit staff. Others have made working in the company’s compliance organization a way to advance an employee’s career.”
  4. Compliance incentives need a “counterweight” to endure. Goal-framing theory shows how easy it is for compliance incentives to be driven out by gain or hedonic goals, so even with the types of supporting systems it is quite common to see executives bowing to short-term financial pressures. Thus, a key factor in creating enduring compliance incentives is a “counterweight,” by which we mean any institutional mechanism that exists to enforce a continued focus on a nonfinancial goal. This means that in any financial downturn compliance incentives are not the first thing that gets thrown out the window and if my oft-cited hypothetical foreign Regional Manager misses his number for two quarters, he does not get fired. So the key is that the counterweight has real influence; it must hold the leader to account.
  5. Compliance incentive alignment works in an oblique, not linear, way. The authors believe that “In most companies, there is an implicit belief that all activities should be aligned in a linear and logical way, from a clear end point back to the starting point. The language used — from cascading goals to key performance indicators — is designed to reinforce this notion of alignment. But goal-framing theory suggests that the most successful companies are balancing multiple objectives (pro-social goals, gain goals, hedonic goals) that are not entirely compatible with one another, which makes a simple linear approach very hard to sustain.” What does this mean in practical terms for your compliance program? If you want your employees to align around compliance incentives, your company will have to “eschew narrow, linear thinking, and instead provide more scope for them to choose their own oblique pathway.” This means emphasizing compliance as part of your company’s DNA on a consistent basis — “the intention being that by encouraging individuals to do “good,” their collective effort leads, seemingly as a side-effect, to better financial results. The logic of “[compliance first], profitability second” needs to find its way deeply into the collective psyche of the company.”
  1. Compliance incentive initiatives can be implemented at all levels. Who at your company is responsible for pursuing compliance incentives? If you head up a division or business unit, it is clearly your job to define what your pro-social goals are and to put in place the supporting structures and systems described here. But what if you are lower in the corporate hierarchy? It is tempting to think this is “someone else’s problem,” but actually there is no reason why you cannot follow your own version of the same process. We have seen quite a few mid-level managers make a real difference, and often quite quickly, using the principles outlined here.

The author’s have set out several steps that you can implement into your compliance program to enhance incentives to facilitate anti-corruption. There have been many who have criticized the FCPA Guidance. While I am certainly not one of them, I do not think there can be any argument that it does not present the DOJ and SEC views on a minimum best practices compliance program. So if the DOJ and SEC think incentives in your compliance program are important, I suggest to you, they are important. The article, which is the basis of this blog post, provides an excellent start for the exploration of some ways to inculcate anti-bribery and anti-corruption incentives into not only your compliance regime but also, more importantly, the DNA of your company.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 14, 2014

The HP FCPA Settlement

FCPA SettlementLast week the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) jointly announced the conclusion of a Foreign Corrupt Practices Act (FCPA) enforcement action against Hewlett-Packard Company (HP). In the settlement, HP agreed to pay $108MM in fines, penalties and disgorgements for criminal and civil acts. To say that it was one of the more perplexing FCPA settlements would seem to be an understatement. While some will read the settlement documents and see conduct which did not merit such a high total amount of fines and penalties, I am not from that camp.

The tale of this sordid affair of bribery and corruption occurred over 3 continents with multiple countries involved, evidencing an entire breakdown in company internal controls and a complete lack of a culture of compliance. Yet the settlement documents make great pains to emphasize that few employees were actually involved in the nefarious conduct. How bad was the conduct? Think right up there with BizJet because we had bags of cash delivered to a Polish government official. (But unlike BizJet, the Board of Directors did not approve the bribery scheme and it was not taken across the border.) For the Russian deal, it was shopped through several countries with multiple levels of company review, which did not seem to work or care much about anything except getting the deal done. For Mexico, they just seemed to get a free pass where the contract description for the agent who paid the bribe was “influencer fee”.

Finally, as most readers might remember, HP did not self-report this misconduct to the DOJ or SEC. Apparently, the story of HP’s bribery by its German subsidiary to gain a contract in Russia was broken by the Wall Street Journal (WSJ) article in April 15, 2010. The next day, the DOJ and SEC announced they were investigating the allegations of bribery. However, HP was made aware of the allegations by its German subsidiary in December 2009, when German authorities raided HP’s offices in Munich and arrested one HP Germany executive and two former employees. Yet HP never self-reported. Not exactly the poster child for self-disclosure for any company going forward.

Of course HP’s public response at the time indicated its attitude, when a HP spokesperson was quoted in the WSJ article as saying “This is an investigation of alleged conduct that occurred almost seven years ago, largely by employees no longer with HP. We are cooperating fully with the German and Russian authorities and will continue to conduct our own internal investigation.”

More befuddlement comes from the reported facts around HP Germany. As noted by the WSJ report, one, then current, HP executive was arrested and two former employees were arrested in connection with the investigation by German authorities. There is no mention of them in any of the settlement documents. The WSJ article also reported that investigation-related documents submitted to a German court showed that German prosecutors were “looking into whether H-P executives funneled the suspected bribes through a network of shell companies and accounts in places including Britain, Austria, Switzerland, the British Virgin Islands, Belize, New Zealand, the Baltic nations of Latvia and Lithuania, and the states of Delaware and Wyoming”. While some of these countries were mentioned in the settlement documents there was no mentions of DOJ or SEC investigations into Wyoming, Belize, the British Virgin Islands or New Zealand.

What are we to make of the criminal fines levied against the Russian and Polish subsidiaries of HP? The Polish subsidiary pled guilty to a two count Criminal Information consisting of (1) violating the FCPA’s internal control provisions; (2) violating the FCPA’s books and records provisions. The US Sentencing Guidelines suggested a fine range of $19MM to $38MM, the final fine was $15,450,244.

For the Russia deal, the Russian subsidiary pled guilty to a four count Criminal Information consisting of (1) conspiracy to violate the books and records provisions of the FCPA; (2) violating the FCPA’s anti-bribery provisions; (3) violating the FCPA’s internal control provisions; (4) violating the FCPA’s books and records provisions. The US Sentencing Guidelines suggested a fine range of $87MM to $174MM, yet the final fine was $58,772,250.

Finally, in Mexico HP’s subsidiary, according the to the SEC Press Release, “paid a consultant to help the company win a public IT contract worth approximately $6 million. At least $125,000 was funneled to a government official at the state-owned petroleum company with whom the consultant had connections. Although the consultant was not an approved deal partner and had not been subjected to the due diligence required under company policy, HP Mexico sales managers used a pass-through entity to pay inflated commissions to the consultant.” This was internally referred to by HP as an “influencer fee.” Pretty clear evidence of what it was to be used for, wouldn’t you say? Yet the DOJ did not to criminally prosecute the company’s Mexican subsidiary and entered into a Non-Prosecution Agreement (NPA), HP agreed to pay forfeiture in the amount of $2,527,750.

How did HP accomplish all of this? In a Press Release HP Executive Vice President and General Counsel John Schultz said, “The misconduct described in the settlement was limited to a small number of people who are no longer employed by the company. HP fully cooperated with both the Department of Justice and the Securities and Exchange Commission in the investigation of these matters and will continue to provide customers around the world with top quality products and services without interruption.”

As reported by the FCPA Professor, in his blog post entitled “HP And Related Entities Resolve $108 Million FCPA Enforcement Action”, the HP Russian subsidiary Plea Agreement gave the following factors for the reduction in the fine from the Sentencing Guideline range:

“(a) monetary assessments that HP has agreed to pay to the SEC and is expected to pay to law enforcement authorities in Germany relating to the same conduct at issue …; (b) HP Russia’s and HP’s cooperation has been, on the whole, extraordinary, including conducting an extensive internal investigation, voluntarily making U.S. and foreign employees available for interviews, and collecting, analyzing, and organizing voluminous evidence and information for the Department; (c) HP Russia and HP have engaged in extensive remediation, including by taking appropriate disciplinary action against culpable employees of HP and enhancing their internal accounting, reporting, and compliance functions; (d) HP has committed to continue enhancing its compliance program and internal accounting controls … (e) the misconduct identified … was largely undertaken by employees associated with HP Russia, which employed a small fraction of HP global workforce during the relevant period; (f) neither HP nor HP Russia has previously been subject of any criminal enforcement action by the Department or law enforcement authority in Russia or elsewhere; (g) HP Russia and HP have agreed to continue to cooperate with the Department and other U.S. and foreign law enforcement authorities, if requested by the Department …”

In the same blog post, the Professor reported the following reasons were stated for reduction in the final fine by HP’s Polish subsidiary’s:

“(a) HP Poland’s cooperation with the Department’s investigation; (b) HP Poland’s ultimate parent corporation, HP, has committed to maintain and continue enhancing its compliance program and internal accounting controls …; and (c) HP Poland and HP have agreed to continue with the Department and other U.S. and foreign law enforcement authorities in any ongoing investigation …”

We have witnessed companies, which have engaged in ‘extraordinary cooperation’ with the DOJ during the pendency of their FCPA investigations. BizJet is certainly one that comes to mind. Further, there are clear examples of companies, which extensively remediated during the pendancies of their FCPA investigations, from which they clearly benefited. Two prime examples are Parker Drilling, which not only received a financial penalty below the suggested range but also was not required to have a corporate monitor, while they had C-Suite involvement in its bribery scheme. Weatherford seeming came back from the brink during mid-investigation when they hired Billy Jacobson and turned around not only their attitude towards cooperation with the DOJ but also their efforts toward remediation.

Both of these companies are headquartered in Houston and both have been quite active on the conference circuit talking about their compliance programs so most compliance practitioners are aware that these companies are on the forefront of best practices. Perhaps HP is on some circuit doing that, somewhere. If so, kudos to them. If their remediation work led to a best practices compliance program for the company and their extraordinary cooperation led to the astonishing reduction in penalties to their entities, I certainly tip my cap to them. If their lawyers were great negotiators and made great presentations to the DOJ and SEC, all of which led to or contributed to the final results, a tip of the cap to them as well.

So what is the lesson to be learned for the compliance practitioner? Other than befuddlement, I am not sure. Congratulating HP and its counsel is not a lesson it is an action. If HP now has a best practices compliance program, I hope they will provide the compliance community with the lessons that they learned and incorporated into their compliance program, which allowed them to obtain the fines below the minimum suggested range. If they have incorporated some enhanced compliance components into their program I hope they will share those enhancements too.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 8, 2014

Mickey Rooney and The 90 Cent Solution

Mickey Rooney as PuckWe begin today with a word on the death of Mickey Rooney. Rooney’s career, spanning nearly 90 years was certainly was from a different era. He was short of stature and long in his number of marriages but as Bob Lefsetz noted in his blog post tribute to Rooney, “But they stood in front of us twenty feet tall. At the drive-in. Even when the pictures truly got small on the tiny old screens of yore they emerged triumphant, because they were so good-looking, so charismatic. And if you were big enough, a bright enough star, your legacy lived on, even if your present day circumstances bore no resemblance to fame.” But here’s why there is always a place in my heart for Mickey Rooney. When I was very young I lived with my grandparents and one night I watched the 1935 movie version of Shakespeare’s A Mid Summer Night’s Dream on television with my grandmother. Rooney’s so over the top performance of Puck began for me a life long love affair with the Bard. So here’s to the grandmother that started me off on a lifelong love affair of Shakespeare’s works and here’s to the Mickster—you did it your way.

I have often considered the role of senior management is to set a proper ‘Tone-At-The-Top” to do business ethically and in compliance with anti-corruption laws like the Foreign Corrupt Practices Act (FCPA) or the UK Bribery Act. Incentives to do business ethically and in compliance are also recognized as an important part of any best practices compliance program. The flip side of incentives is disincentives, such as discipline or financial penalties for affirmatively engaging in misconduct. But how far should such disincentives go and how strong should they be? Should there be penalties for not only affirmatively engaging in misconduct but also failing to monitor risk-taking that allows misconduct to occur? If the latter becomes prevalent, how close do we come to criminalizing conduct, which is arguably negligent and not simply intentional?

I have thought about several of these questions and many others over the past few days when reading about the ongoing struggles of General Motors (GM) over its Cobalt recall issues and Citigroup in regards to its Mexican banking operations. In an article by Gretchen Morgenson in the New York Times (NYT), entitled “The Wallet as Ethics Enforcer”, where she asked “Who decided—and who agreed—that 90 cents was too much to pay for each switch that would have fixed the problem that apparently led to 13 deaths? How much did that decision add to the bottom line and add to executives’ compensation over the years? What will the company have to pay in possible regulatory penalties and legal settlements?” One of her own answers to these questions reads, “While the shareholders of G.M. will shoulder the cost of the fines, the settlements and loss of trust arising from the mess, the executives responsible for monitoring internal risks like these are unlikely to be held accountable by returning past pay.”

Citigroup, which had previously indicated that it had been the victim of a huge fraud perpetrated by one of its customers in Mexico, Oceanografía. However, now Citigroup now faces both federal criminal and civil investigations over the affair. As reported in a Wall Street Journal (WSJ) article, entitled “Crime Inquiry Said to Open On Citigroup”, Ben Protess and Michael Corkery reported that both the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have opened investigations “focusing in part on whether holes in the bank’s internal controls contributed to the fraud in Mexico. The question for the investigators is whether Citigroup—as other banks have been accused of doing in the context of money laundering—ignored warning signs.” For a bank to be criminally liable, “prosecutors would typically need to show that the bank willfully ignored warning signs of the fraud.” However, to show a civil violation, the threshold is lower and there may only need to be a showing that the bank lacked the proper internal controls or internal oversight.

In her article, Morgenson spoke with Scott M. Stringer, the New York City Comptroller, who is a strong advocate of corporate requirements which “make sure that insiders who engage in questionable conduct are required to pay the piper” in the form of clawback provisions. Stringer has worked with companies to expand clawback provisions beyond those mandated by Sarbanes-Oxley (SOX), which required “boards to recover some incentive pay from a chief executive and chief financial officer if a company did not comply with financial reporting requirements.” Now, clawbacks have expanded to require executives to return compensation “even if they did not commit the misconduct themselves; they run afoul of the rules by failing to monitor conduct or risk-taking by subordinates.” Stringer believes that such clawback provisions not only “speak to the issue of financial accountability but also to setting a tone at the top.”

Morgenson ends her article by noting that unless GM makes public its internal investigation, “we may never know how many G.M. executives knew about the Cobalt problems and looked the other way.” In the meantime though, this debacle shows the importance of policies that hold high-level employees accountable for conduct that, even if not illegal, can do serious damage to their companies. Directors creating such policies would be sending a clear signal that they take their duties to the company’s owners seriously.”

At this point, we do not know high up the decision went in GM not to install the 90 cent solution. But I would argue it really does not matter. Somewhere in the company, some engineer figured out a solution and indeed one was implemented without changing the part number. I am sure the GM Board would have been sufficiently shocked, just shocked, to find out that such decisions as monetary over safety were going on inside the company. What does all of the information released so far tell us about the culture inside GM when these decisions were made? While I am certainly willing to give current GM Chief Mary Barra the benefit of the doubt about her intentions for the company going forward, particularly after a grueling couple of days before Congress, what do you think the financial incentives were in the company when the 90 cent solution was rejected?

It initially appeared that Citigroup was the victim of a massive fraud perpetrated by one of its customers. However, even initially it was reported that Citigroup let its Mexican operation, Banamex run its own show with very little oversight from the corporate office in New York. Now Citigroup is not only under a civil investigation for lack of proper internal controls but also a criminal investigation for willful ignorance of Banamex’s operations. Does any of this sound far-fetched or perhaps familiar? Think about Frederick Bourke and ‘conscious indifference’. Even the judge in Burke’s criminal trial mused that she did not know if he was a perpetrator or a victim. Perhaps Citigroup is both, but if he was both it certainly did not help Bourke. While I am certainly sure that the Citigroup Board of Directors would also say that it would also simply be shocked, just shocked, to find that there were even insufficient internal controls over Banamex, let alone willful ignorance of criminal actions of its Mexico subsidiary, it does pose the question as to what is the culture at the bank?

As important as clawbacks are, until the message of compliance gets down from the top of an organization, into the middle and then to the bottom, a culture of compliance will not exist. I have worked in an industry where safety is goal number one. But in the same industry I have heard the apocryphal tale of the foreign Regional Manager who is alleged to have said, “If I violate the Code of Conduct, I may or may not get caught. If I violate the Code of Conduct and get caught, I may or may not be punished. If I miss my numbers for two quarters, I will be fired.” Clawbacks for Board members would not have influenced this apocryphal foreign Regional Manager, any more than they would have worked on the psyche of the GM engineers who proposed and then later dropped the 90 cent solution. It was clear to them what their bosses thought was important for them to keep their jobs. As long as management has that message, doing business ethically and in compliance will always take a second seat.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

 

April 4, 2014

Life Cycle Management of Third Parties – Step 5 – Management of the Relationship

Five stepsToday ends my review of what I believe to be the five steps in the management of a third party under an anti-bribery regime such as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. On Monday, I reviewed Step 1 – the Business Justification, which should kick off your process with any third party relationship. On Tuesday, I looked at Step 2 – the questionnaire that you should send and third party and what information you should elicit. On Wednesday, I discussed Step 3 – the due diligence that you should perform based upon the information that you have received from and ascertained on the third party. On Thursday, I examined Step 4 – how you should use the information you obtain in the due diligence process and the compliance terms and conditions which you should place in any commercial agreement with a third party. Today, I will conclude this series by reviewing how you should manage the relationship after the contract is signed.

I often say that after you complete Steps 1-4 in the life cycle management of a third party, the real work begins and that work is found in Step 5– the Management of the Relationship. While the work done in Steps 1-4 are absolutely critical, if you do not manage the relationship it can all go down hill very quickly and you might find yourself with a potential FCPA or UK Bribery Act violation. There are several different ways that you should manage your post-contract relationship. This post will explore some of the tools which you can use to help make sure that all the work you have done in Steps 1-4 will not be for naught and that you will have a compliant anti-corruption relationship with your third party going forward.

Managing third party relationships is an area that continues to give companies trouble and heartburn. The “2013 Anti-Bribery and Corruption Benchmarking Report – A joint effort between Kroll and Compliance Week” found that many companies are still struggling with ongoing anti-corruption monitoring and training for their third parties. Regarding training, 47% of the respondents said that they conduct no anti-corruption training with their third parties at all. The efforts companies do take to educate and monitor third parties are somewhat pro forma. More than 70% require certification from their third parties that they have completed anti-corruption training; 43% require in-person training and another 40% require online training. Large companies require training considerably more often than smaller ones, although when looking at all the common training methods, 100% of respondents say their company uses at least one method, if not more.

While the FCPA Guidance itself only provides that “companies should undertake some form of ongoing monitoring of third-party relationships”. Diana Lutz, writing in the White Paper by The Steele Foundation entitled “Global anti-corruption and anti-bribery program best practices”, said, “As an additional means of prevention and detection of wrongdoing, an experienced compliance and audit team must be actively engaged in home office and field activities to ensure that financial controls and policy provisions are routinely complied with and that remedial measures for violations or gaps are tracked, implemented and rechecked.”

One noted commentator has discussed techniques to provide this management and oversight any third party relationship. Carol Switzer, President of the Open Compliance and Ethics Group (OCEG), writing in the Compliance Week magazine set out a five-step process for managing corruption risks, which I have adapted for third parties.

  1. Screen - Monitor third party records against trusted data sources for red flags.
  2. Identify – Establish helplines and other open channels for reporting of issues and asking compliance related questions by third parties.
  3. Investigate - Use appropriately qualified investigative teams to obtain and assess information about suspected violations.
  4. Analyze - Evaluate data to determine “concerns and potential problems” by using data analytics, tools and reporting.
  5. Audit - Finally, your company should have regular internal audit reviews and inspections of the third party’s anti-corruption program; including testing and assessment of internal controls to determine if enhancement or modification is necessary.

Based upon the foregoing and other commentators, I believe there are several different roles in a company that play a function in the ongoing monitoring of the third party. While there is overlap, I believe that each role fulfills a critical function in any best practices compliance program.

Relationship Manager

There should be a Relationship Manager for every third party which the company does business with through the sales chain. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party. Some of the duties of the Relationship Manager may include:

  • Point of contact with the Third Party for all compliance issues;
  • Maintaining periodic contact with the Third Party;
  • Meeting annually with the Third Party to review its satisfaction of all company compliance obligations;
  • Submitting annual reports to the company’s Oversight Committee summarizing services provided by the Third Party;
  • Assisting the company’s Oversight Committee with any issues with respect to the Third Party.

Compliance Professional

Just as a company needs a subject matter expert (SME) in anti-bribery compliance to be able to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third parties also need such access. A third party may not be large enough to have its own compliance staff so I advocate a company providing such a dedicated resource to third parties. I do not believe that this will create a conflict of interest or that there are other legal impediments to providing such services. They can also include anti-corruption training for the third party, either through onsite or remote mechanisms. The compliance practitioner should work closely with the relationship manager to provide advice, training and communications to the third party.

Oversight Committee

I advocate that a company should have an Oversight Committee review all documents relating the full panoply of a third party’s relationship with the company. It can be a formal structure or some other type of group but the key is to have the senior management put a ‘second set of eyes’ on any third parties who might represent a company in the sales side. In addition to the basic concept of process validation of your management of third parties, as third parties are recognized as the highest risk in FCPA or Bribery Act compliance, this is a manner to deliver additional management of that risk.

After the commercial relationship has begun the Oversight Committee should monitor the third party relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations and evaluation of any new or supplement risk associated with any negative information discovered from a review of financial audit reports on the third party. The Oversight Committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance. In addition to the above remedial review, the Oversight Committee should review all payments requested by the third party to assure such payment is within the company guidelines and is warranted by the contractual relationship with the third party. Lastly, the Oversight Committee should review any request to provide the third party any type of non-monetary compensation and, as appropriate, approve such requests.

Audit

A key tool in managing the relationship with a third party post-contract is auditing the relationship. I hope that you will have secured audit rights, as that is an important clause in any compliance terms and conditions. Your audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. Noted fraud examiner expert Tracy Coenen described the process as one to (1) capture the data; (2) analyze the data; and (3) report on the data, which is also appropriate for a compliance audit. As a base line I would suggest that any audit of a third party include, at a minimum, a review of the following:

  1. the effectiveness of existing compliance programs and codes of conduct;
  2. the origin and legitimacy of any funds paid to Company;
  3. books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
  4. all disbursements made for or on behalf of Company; and
  5. all funds received from Company in connection with work performed for, or services or equipment provided to, Company.

If you want to engage in a deeper dive you might consider evaluation of some of the following areas:

  • Review of contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party.
  • Review FCPA compliance training program; both the substance of the program and attendance records.
  • Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous reporting, hotline or any other reporting mechanism.
  • Does the third party have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review employee expense reports for employees in high-risk positions or high-risk countries.
  • Testing for gifts, travel and entertainment that were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report? How is the third party’s compliance program designed to identify risks and what has been the result of any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

In addition to monitoring and oversight of your third parties, you should periodically review the health of your third party management program. Once again I turn to Diana Lutz and her colleague Marjorie Doyle, and their White Paper entitled “Third Party Essentials: A Reputation/Liability Checkup When Using Third Parties Globally”, where they gave a checklist to test companies on their relationships with their third parties.

  1. Do you have a list or database of all your third parties and their information?
  2. Have you done a risk assessment of your third parties and prioritized them by level of risk?
  3. Do you have a due diligence process for the selection of third parties, based on the risk assessment?
  4. Once the risk categories have been determined, create a written due diligence process.
  5. Once the third party has been selected based on the due diligence process, do you have a contract with the third party stating all the expectations?
  6. Is there someone in your organization who is responsible for the management of each of your third parties?
  7. What are “red flags” regarding a third party?

Perhaps now you will understand why I say that after you prepare the Business Justification; send out, receive back and evaluate the Questionnaire; set the appropriate level of Due Diligence; evaluate the due diligence and execute a contract with appropriate Compliance Terms and Conditions; now the real work begins, as you have to manage the third party relationship.

I hope that you have found this review of the life cycle management of third parties helpful for your compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

March 31, 2014

Life Cycle of Third Party Management – Step 1 Business Justification

Five stepsWith thanks to the Two Tough Cookies, I am back from a successful Spring Break college tour to universities in the state of Washington. My daughter and I had a great time, experienced some typical and untypical Seattle weather and met some very interesting folks on our trip. But I would have to say that one of my greatest joys as a father has been watching my daughter grow into a young woman as she navigated the college tour process with much aplomb.

This week I am going to present a series on my views of the life cycle of third party management under an anti-corruption (or anti-money laundering (AML) program for that matter) under the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. I have broken down the life cycle of third party management into five steps:

  1. Business Justification and Business Sponsor;
  2. Questionnaire to Third Party;
  3. Due Diligence on Third Party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

Today I will begin with the business justification.

It really seems to me that it should be common sense that you should have a business justification to hire or use a third party. If that third party is in the sales chain of your international business it is important to understand why you need to have a particular third party represent your company. This concept is enshrined in the FCPA Guidance, which says, “companies should have an understanding of the business rationale for including the third party in the transaction. Among other things, the company should understand the role of and need for the third party and ensure that the contract terms specifically describe the ser­vices to be performed.”

The Internal Revenue Service (IRS) also considers a business justification to be an important part of any best practices anti-corruption compliance regime. Clarissa Balmaseda, a special agent in charge of IRS criminal investigation, speaking at the 2013 ACI Bootcamp in Houston, said that the lack of business justification could be a Red Flag, which could signify a possible indicia of corruption. With the Department of Justice (DOJ); Securities and Exchange Commission (SEC) and IRS all noting the importance of a business justification, it is clear that this is something you should incorporate into your compliance program.

But the business justification also provides your company the opportunity to help drive compliance into the fabric of your everyday operations. This is done by requiring the employee who prepares the business justification to be the Business Sponsor of that third party. The Business Sponsor can provide the most direct means of communication to the third party and can be the point of contact for compliance issues.

Tyco International takes this approach in its Seven Step Process for Third Party Qualification. Tyco breaks the first step into two parts, which include:

  1. Business Sponsor – Initially identify a business sponsor or primary contact for the third party within your company. This requires not only business unit buy-in but also business unit accountability for the business relationship or as Scott Moritz, a partner at Navigant and one of the architects of the Tyco Process, said “This puts the onus on each stakeholder.”
  2. Business Justification – The business unit must articulate a commercial reason to initiate or continue to work with the third party. You need to determine how this third party will fit into your company’s value chain and whether they will become a strategic partner or will they be involved in a one-off only transaction?

Further, at the same conference as IRS Agent Balmaseda spoke, another Chief Compliance Officer (CCO) of a major energy service company detailed his thoughts on his company’s 12 point evaluation process for reviewing, assessing, then contracting with and managing foreign business partners. Under Step 2, which he entitled, “Competence of foreign business partner”;he detailed a two-part analysis for his company. “It includes a review of the qualifications of the candidate for subject matter expertise and the resources to perform the services for which they are being considered. However, it also in includes an identification of the representative’s expected activities for your company.”  He also added, that under one of his company’s steps, which he monikered “Business justification for use of agent and reasonableness of compensation”, “you should begin the entire process by requiring the relevant business unit which desires to obtain the services of any foreign business partner to provide you with a business justification including current opportunities in territory, how the candidate was identified and why no currently existing foreign business relationships can provide the requested services. Your next inquiry should focus on the terms of the engagement, including the commission rate, the term of the agreement, what territory may be covered by the agreement and if such relationship will be exclusive.”

So what should go into your Business Justification? First and foremost is that you should craft a document, which works for both you as the compliance practitioner and the business folks in your company. There are some basic concepts that I think are important but you may want to modify my suggestions based on your own experiences.

You need the name and contact information for both the Business Sponsor and the proposed third party. You need to inquire into how the Business Sponsor came to know about the third party because it is a Red Flag if a customer or government representative points you towards a specific third party. You should inquire into what services the third party would perform for your company, the length of time and compensation rate for the third party. You will also need an explanation of why this particular third party should be used, as opposed to an existing or other third party, if such were considered. All of this information should be written down and then signed by the Business Sponsor.

Remember, the purpose of the Business Justification is to document the satisfactoriness of the business case to retain a third party. The Business Justification should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third party relationship is renewed. In the Tom Fox Mantra, this means Document, Document, and Document.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

March 17, 2014

Join Us For Hanson Wade’s Compliance Strategy Day

Strategy DayOne of the best annual compliance and ethics conferences returns to Houston next month when Hanson Wade presents its 4th Annual Oil & Gas Supply Chain Compliance Community Week from April 14-17. While one past participant labeled the conference as the “Best of the best compliance conferences I have attended in the past 3 years”, the company has expanded its offering to provide the compliance practitioner with a wide range of presentations tailored to a wide variety of needs.

As usual, the event features the best of Houston’s multi-talented compliance practitioners including Jay Martin, Chief Compliance Officer (CCO) from Baker Hughes Inc., Melissa Bohannon, Director of Logistics, Global Supply Chain – Weatherford International Inc., Kwesi Baiden, CCO at ENSCO Inc., Fred Ratliff, Senior Counsel, Anti-Bribery and Corruption – Shell Oil Company, Graham Vanhegan, Deputy General Counsel, Corporate and CCO from ConocoPhillips Co, Ron de los Santos, Regional Ethics and Compliance Manager – Americas at American Bureau of Shipping (ABS) and Kim Walker, Associate General Counsel & Deputy CCO – Transocean Inc.

In addition to the Houston talent, there will be a wealth of top compliance practitioners from outside the city of Houston; including, Arvind Sharma, Senior International Trade Counsel from Flowserve Corp, Mike Volkov of the Volkov Law Group, Bill Fischer, Vice President and Chief Legal and Compliance Officer from T.D. Williamson Inc., Bruce Thames, Senior Vice President and Chief Operating Officer from T.D. Williamson Inc. From the world of non-governmental organizations (NGO’s) working towards anti-corruption and anti-bribery there will be representation from the always popular and excellent speaker Alexandra Wrage and David Woodcock, Regional Director of the Securities and Exchange Commission’s (SEC) Fort Worth Regional Office. There are many other excellent and knowledgeable speakers who will be presenting the event.

Some of the topics over the two days of plenary sessions include the following: Ensure the ‘Tone from the Top’ meets the ‘Message in the Middle’ by hearing how ConocoPhillips, GE Oil & Gas, T.D. Williamson, Flowserve & Transocean embed a culture of compliance in their organizations. Understand how the compliance model has shifted and how you can develop more effective partnerships with your third parties with new collaborative insights from representatives from Weatherford. You will be shown how to overcome the inhibitors to effective risk management in a complex global supply chain by learning from Parker Drilling, Navex and Statoil. Learn how compliance can create added value that executives, middle management and employees can get behind by learning from in a very interesting, unique joint insight from T.D. Williamson’s COO and CCO. Discover what to do once you have opened Pandora’s box by looking at how National Oilwell Varco responded to issues when conducting a corporate acquisition. Discover how to get a better return on your compliance spend by learning how to deploy a risk-based due diligence program that is defensible and cost-effective with TRACE. Understand how to benchmark your compliance program with the best of the best by hearing industry-first insights from Fluor, Technip, Cameron and Shell compliance professionals.

There are two separate workshops that will provide specific insight into two keys areas. The first workshop is how to develop a blueprint to increase the effectiveness of your compliance training. It will be led by Arvind Sharma and Flora Francis, Senior Compliance Counsel, Global Compliance Leader at GE Oil & Gas. This workshop will address several different areas of concern such as: How you can continually manage compliance risk amongst your employees worldwide; understanding how often to refresh your programs and catching up with new employees; how you can more effectively identify and classify “at risk” positions and red flags. You will also obtain an understanding of how programs have been rolled out effectively across the supply chain; how to overcome the risk of training fatigue and increase the effectiveness of your training and finally how to develop your own blueprint to enhance the effectiveness of your compliance training.

In the second workshop you will hear about new approaches to ensure your trade compliance program does not leave your business exposed to charges of Foreign Corrupt Practices Act (FCPA) violations. It will be led by three noteworthy compliance practitioners: James Scott, Exports and Compliance Manager from Hydrasun Ltd., Ron de los Santos from ABS and Cindy Johnson, Global Trade Compliance Specialist from FMC Technologies Inc. In this session you will hear about keeping on top of evolving export control laws and managing programs across international borders; defining your export compliance for different departments, divisions and businesses with their implication for business growth; and installing the compliance ethos and training across cultures throughout an international organization. From these topics you will be able to identify your biggest risks and set in place an export control program to suit your business; develop an understanding of what you need to do to receive customs clearance more swiftly and effectively; and finally, you will discover the steps you need to take to ensure you are not leaving your business exposed in this critical area of compliance.

Hanson Wade has added a new feature this year, which I think takes this conference up to a notch above their usual excellent event. They have added a fourth day, entitled Compliance Strategy Day. Presentations on this day have been designed to give the attendee an interactive opportunity to explore the strategic considerations you need to be aware of when it comes to managing regulatory and enforcement risks over the next 12 months. On this day, attendees will have the opportunity hear directly from the SEC, as well as gain perspectives from those with experience at the Department of Justice (DOJ), and gain insights from both outside counsel and industry as to how to best manage these strategic risks.

I will be speaking on the Compliance Strategy Day, looking back, for some hindsight, at the compliance lessons we have learned over the past year and forward to how we can put those lessons to use. I will also provide an update of the current state of anti-corruption compliance in Latin America. So I hope that you can join us. 

You can find out more about this event, by clicking here. Readers of this blog are entitled to a discount to this event. To receive this discount, please enter the following code FOXLAW10.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 4,514 other followers