FCPA Compliance and Ethics Blog

August 19, 2014

A Surprise in Progressive Rock – FCPA Internal Investigations

Prog RockThis past weekend I saw some great bands and heard some great music. On Friday night I finally got to see Yes perform two fabulous albums, Close to the Edge and Fragile complete uncut and straight through. To say I was blown away would be putting it mildly. But there was one great revelation that I received from the show and that was the opening band, Syd Arthur. They are an English band, from Canterbury, and very much the inheritors of the prog rock mantle from bands such as Yes. Their sound was simply amazing and if you are into progressive rock at all, I would suggest you check them out.

I thought about my surprise on finding a more current and certainly younger band so proudly carrying the prog rock mantle when I returned back to Houston and was contacted by a reporter asking for my comments about the appeal of Shell v. Writt to the Texas Supreme Court. For those compliance practitioners amongst you who may have placed this state court libel action to the recesses of your mind or never even heard about it; it is something you should pay attention to as the case has some clear implications about the manner in which companies conduct and use internal investigations.

The case has a long involved Foreign Corrupt Practices Act (FCPA) history. It involves Panalpina and its customer Shell. David Smyth, in his great blog Cady Bar the Door, reported, in a post entitled “Texas Court of Appeals Has Put Some FCPA Internal Investigations in an Awkward Spot”, the Department of Justice (DOJ) contacted Shell about its dealings with Panalpina. Sometime later, “Shell agreed to conduct an internal investigation into its dealings with Panalpina. As Shell’s “managing counsel” later testified, “Shell agreed to conduct the internal investigation with the understanding that it would ultimately report its finding to the DOJ . . . .” A DOJ Fraud Section attorney wrote a follow-up letter noting, “[I]t is our understanding that Shell intends to voluntarily investigate its business dealings with Panalpina Inc. and all other Panalpina subsidiaries and affiliates.”” Unfortunately for all involved, “Shell submitted an investigative report that pointed the finger at Writt.  Specifically, Shell said Writt had been involved in illegal conduct in a Shell Nigerian project by recommending that Shell reimburse contractor payments he knew to be bribes and failing to report illegal contractor conduct he was aware of.”

Writt sued Shell for libel and Shell defeated Writt at the trial court on the basis that it had an “absolute privilege to say what it did in its investigative report to the DOJ.” In Texas absolute privilege applies because the unfettered flow of information to the judicial system and administrative proceedings is favored over the worry that someone might be wrongly named in such information.

However, a Texas Court of Appeals reversed the trial court ruling holding that absolute privilege does not apply where a party voluntarily turns over information to a prosecutor before a judicial proceeding is initiated or contemplated.

As Smyth explained, “In the court’s view, DOJ was acting purely in a prosecutorial and non-judicial capacity.  Shell submitted its investigative report on February 5, 2009, and DOJ did not file a criminal complaint against the company until November 2010, 20 months later.  As the court said, “Just because the DOJ ultimately filed a judicial proceeding against Shell does not establish that it was proposing that one be filed when it contacted Shell on July 3, 2007 or received Shell’s report on February 5, 2009.””

Shell has appealed this matter to the Texas Supreme Court. Under Texas law, an appeal to the Texas Supreme Court is discretionary and at this point, the Texas Supreme Court has not indicated whether it will accept the case. Interestingly the US Chamber of Commerce submitted a letter brief, on behalf of its members, urging the Texas Supreme Court to accept the case for review. In its penultimate paragraph it states, “At the end of the day, it is an unavoidable truth that any business that wishes to be a good corporate citizen by reporting its FCPA violations to regulators will necessarily implicate its own employees of wrongdoing. Thus, any rule that imposes costs on a company implicating its employees in wrongdoing will necessarily chill voluntary reporting of FCPA violations and impose unfair burdens on those companies who nonetheless choose to self-report.”

One of the more interesting arguments made by the Chamber was that there is currently enough incentive for companies to get investigations right. While noting that the Court of Appeals had worried about the “concern that absolute immunity from suit might motivate parties to “deflect blame” for FCPA violations onto its employees “without fear of consequence””; the Chamber said, “But there are more effective ways to prevent false reports. For example, false statements to government officials are already a crime punishable under 18 U.S.C. § 1001. Moreover, a false report against an employee would also implicate the business itself. After all, corporations act through their employees. Far from deflecting blame, then, a false accusation of an FCPA violation against an employee would incriminate the company as well.”

The real problem with this argument is that it leaves no remedy for any employee who is wrongly accused (libeled in legal parlance) in an internal FCPA investigation report. It has always been against the law to give false reports to government officials so nothing is new in that argument. One might argue that the civil justice system is better to evaluate such wrongful claims. But Smyth points to another reality when he ended his piece with the following, “FCPA investigations these days are a different animal, and probably deserving of different treatment by the courts.  As of now, a company conducting an internal FCPA investigation in Texas has to ask, what do we do if one of an investigation reveals one of our employees as a bad actor?  Do we say as much in the report we turn over to the government, as the government surely expects? If we do, are we signing on for libel litigation by the employee?”

Whatever the Texas Supreme Court decides, this case points to the need to do your best to get it right. That means having an investigation protocol that you can follow. It may mean having outside counsel handle an investigation when it is appropriate. If you conclude that one or more of your employees has violated the FCPA, you need to be able to back up that assertion with facts, evidence and reasonable inferences therefrom.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 10, 2014

Where to Now St. Peter? – Due Diligence Going Forward in China

Tumbleweed ConnectionWhatever you might think of where his career went, Elton John had some great early stuff. I still rank Tumbleweed Connection right up there as one of my favorite albums of all-time. And while it was packed with some great tracks, one of my most favorite was Where to Now St. Peter? It was the opening track on Side 2 and dealt with whether a dying soldier would end up in heaven or hell. While perhaps having quite the spiritual overtones, I did think about this song when I read about the convictions on Saturday of Peter William Humphrey, a 58-year-old British national, and his wife, Yu Yingzeng, a 61-year-old naturalized American, on charges of illegally purchasing personal information about Chinese nationals.

In a one day trial the couple was convicted of illegally purchasing information on Chinese citizens. In an article in the Financial Times (FT), entitled “China court hands GSK investigator jail term and orders deportation”, Gabriel Wildau and Andrew Ward reported that husband Humphreys received a two and a half year jail term which was “just short of the three-year maximum”. In an article in the Wall Street Journal (WSJ), entitled “China Convicts Two Corporate Investigators”, James T. Areddy and Laurie Burkitt reported that he was also ordered to pay a fine of approximately $32,500 and will be deported from the country when his jail term is completed. Wife Yingzeng received a two year jail term and was ordered to pay a fine of approximately $23,000 but will be allowed to remain in the country after her sentence is completed.

In a New York Times (NYT) article, entitled “In China, British Investigator Hired by Glaxo, and Wife, Sentenced to Prison”, David Barboza reported that the couple “acknowledged that from 2009 to 2013, they obtained about 250 pieces of private information about individuals, including government-issued identity documents, entry and exit travel records and mobile phone records, all apparently in violation of China’s privacy laws.” According to the NYT article, wife Yu claimed that she did not know her actions where illegal and was quoted as saying, “We did not know obtaining these pieces of information was illegal in China. If I had known I would have destroyed the evidence.” According to the WSJ, the privacy law which was the basis of the conviction, was enacted in 2009 “to make it illegal to handle certain personal medical records and telephone records” but that the law itself “remains vague” on what precisely might constitute violation.

From the court statements, however, it did appear that the couple had trafficked in personal information. As reported by the WSJ, “In separate responses over more than 10 hours, My Humphreys and Ms. Yu denied that their firm trafficked in personal information, saying they had hired others to obtain personal data when clients requested it.” From the documents presented by the prosecution, it would seem clear that the couple had obtained my items which were more personal in nature. They were alleged by prosecutors to have “used hidden cameras to gather information as well as government records on identification numbers, family members, real-estate holdings, vehicle owner, telephone logs and travel records.”

Recognizing the verdicts under Chinese laws are usually predetermined and the entire trials are scripted affairs, there is, nonetheless, important information communicated to the outside world by this trial. First and foremost is, as reported in the NYT article is a “chilling effect on companies that engage in due diligence work for global companies, many of whom believe the couple may have been unfairly targeted.” The WSJ article went further quoting Geoffrey Sant for the following, “It impacts all attempts to do business between the U.S. and China because it will be very challenging to verify the accuracy of company or personal financial information.” In other words, things just got a lot tougher to perform, what most companies would expect to be a minimum level of due diligence.

Second is the time frame noted in the court statements as to the time of the violations, from 2009 to 2013. Many had assumed that Humphreys and Yingzeng’s arrests related to their investigation work on behalf of the British pharmaceutical giant GlaxoSmithKline PLC (GSK) which was trying to determine who had filmed a sex tape of the company’s head of Chinese operations, which was then provided to the company via an anonymous whistleblower. This would seem to beg the question of whether the couple would have been prosecuted if they not engaged in or accepted the GSK assignment.

But as Elton John asked, “Where to now St. Peter?” You should always remember that performing due diligence is but one of five steps in the management of the third party life cycle. If you cannot perform due diligence at a level that you do in other countries or that you could even have done in China before the Humphreys and Yu trial, you can beef up the other steps to help proactively manage your third parties. I often say that your real work with third parties begins when the contract is executed because then you have to manage the relationship going forward. So, if you cannot perform the level of due diligence you might like, you can put more resources into monitoring the relationship, particularly in the area of invoice review and payments going forward.

In a timely article found in this month’s issue of the SCCE magazine, Compliance and Ethics Professional, Dennis Haist and Caroline Lee published an article, entitled “China clamps down on bribery and corruption: Why third-party due diligence is a necessity” where they discussed a more robust response to the issue as well. They note that the retention of third party’s to do business in China is an established mechanism through which to conduct business. They advise “For multinationals with a Chinese presence, or plans to enter the market in the near future, now is the time to pay close attention to the changing nature of the business landscape as it relates to bribery and corruption.” Further, they suggest that “In order to ensure compliance with ABAC [anti-bribery/anti-corruption] regulatory scrutiny, multinationals must demonstrate a consistent, intentional and systematic approach to third-party compliance.” But in addition to the traditional background due diligence, they believe that companies should consider an approach that moves to proactively managing and monitoring third parties for compliance. Lastly, at the end of the day if a regulator comes knocking from the Department of Justice (DOJ) or Serious Fraud Office (SFO), you will need to demonstrate the steps you have put in place and your active management of the process.

In the FT, WSJ and NYT articles it was clearly pointed out that the invisible elephant in the room was GSK. Also it is not clear what the personal tragedy that Humphreys and Yu have endured will mean for GSK or the individuals caught up in that bribery scandal going forward. Humphreys had previously said that he would not have taken on the GSK sex tape assignment if it had been disclosed to him that the company had sustained allegations of corruption by an internal whistleblower. Perhaps one lesson may be that in the future companies will have to disclosure more to those they approach to perform such investigative services.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 7, 2014

Continuous Improvement Of Your Compliance Program, Part II

7K0A0246Yesterday, I began a two-part series on continuous monitoring of your anti-corruption compliance program. In Monday’s post, I looked at the regulatory framework for such a requirement. In today’s conclude with some thoughts on how to continually improve and update your Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance regime and take a look again at how the regulators might view your program, in some quick, easy and pithy ways.

Anti-corruption, anti-bribery, anti-money laundering (AML) programs policies and procedures and even export control systems are seemingly in a constant state of evolution. Many companies are struggling with the challenge of implementing effective controls and monitoring risks across a spectrum that could include the three above listed compliance areas as well as others. One area that has evolved into a minimum best practices requirement for compliance is that of continuous monitoring.

While many companies will look at continuous monitoring as a software solution that can assist in managing risk, provide reporting metrics and, thereby, insights across an organization, it should be viewed more holistically. You will need to take many disparate systems, usually across a wide international geographic area, which may seem like an overwhelming process. Justin Offen, explained this in his article, entitled “Mission Impossible? Six steps to continuous monitoring”, where he detailed a six-point program to ensure that your “CM solution doesn’t become part of the problem” rather than a solution.

  1. Know your global IT footprint. It is important to understand how continuous monitoring will be incorporated into your company’s overall IT strategy as well as your compliance strategy. This advocates that this inquiry begins with understanding what your current IT structure is and what it is anticipated to be in 3 and 5 years. Once you identify your global IT footprint you can determine which system will be the best fit.
  2. Define scope and necessary resources. You should determine what your goal is, begin by identifying your needs and then prioritize them. You should perform a risk analysis and then rank the risks. Next, you need to understand the amount of talent you have in your organization, identify who can implement and work with the system and determine your budget, which may need to be increased based upon your need for outside experts and unknown contingencies.
  3. Conduct a pilot or proof of concept. A phased rollout can be used as a proof of concept, which can yield greater functioning efficiency throughout your entire program implementation. It should also allow you to chalk up an early success to present to the inevitable nay-sayers in your organization.
  4. Decrease false positives. This is important because improper or incomplete testing may well lead to a larger amount of false positives which you are required to evaluate and clear. From each test, you can further refine your continuous monitoring solution to the specific needs of your organization and increase time and efficiency in your overall continuous monitoring program.
  5. Establish your escalation protocol. You should establish a response protocol when an exception or Red Flag arises. This protocol should include an escalation protocol if the Red Flag suggests that it is warranted or additional investigation determines a wider problem exists. This protocol should include specific individuals and departments that need to be notified, the makeup of your initial and secondary triage team and the accountability for each person in the process, all the way up to the Board.
  6. Demonstrate control through case management. This demonstrates once again the maxim of Document, Document and Document. You need to be ready to “respond with appropriate documentation of any transaction that’s been reviewed, showing the level of review and any additional steps taken.”

The benefits of such a continuous monitoring program are significant; the creation of documentation that can lead to a ‘ready response’ by a company to an issue before it becomes a larger problem, coupled with the ability to recall all steps and information when a regulator comes knocking. Internally, using the pilots or proofs of concepts, the compliance department can bring in other stakeholders to see the value of continuous monitoring within the organization.

You Have a Strategic Plan – Now What Do You Do?

Have you thought about your anti-corruption through the lens of a strategic plan? If not, you might want to use the formulation proffered by Bruce Rector, in an article entitled “Strategic planning needs constant follow-up to be successful”. Recognizing that a strategic plan can serve as guide for your company going forward, it must actually be utilized to garner any use out of it. I believe that the steps he lays out translate, without difficulty, into steps a compliance officer can take to meet the suggestion laid out by Offen above.

  • Review the Goals of the Strategic Plan. This requires that you arrange a time for the Chief Compliance Officer (CCO) and team to review the goals of the Strategic Plan. To the extent possible this should be done in person. The CCO should lead a discussion of the Strategic Plan and determine how this goal in the Plan measures up to its implementation in your company.
  • Design an Execution Plan. The “Keep it Simple Sir” or KISS method is the best to move forward. This would suggest that for each compliance goal, there should be a simple and straightforward plan to ensure that the goal in question is being addressed. Any such plan must be specific with clear goals for all involved, with tasks handed out, deliverables defined and a definite timeline for delivery.
  • Put Accountabilities in Place. In any plan of execution, there must be accountabilities attached to them. Simply having a time line is not enough. This means that the persons tasked with the responsibility of performing the tasks be clearly identified, by both the individual so tasked and the actual task they are assigned to complete. Accountability requires that there be follow-up to confirm that these targets are met. This requires the CCO or other senior compliance department representative to put these in place and then mandate a report requirement on how the task assigned is being achieved.
  • Schedule the Next Review of the Plan. There should be a regular review of the process. While noting that this may seem time consuming, this means the group responsibility gets into a regularity, which will assist the process moving forward more smoothly. It also allows any problems which may arise to be detected and corrected more quickly than if meetings are held at a less frequent basis.

It is a function of the CCO to reinforce the vision and goals of the compliance function, where assessment and updating are critical to an ongoing best practices compliance program. If you follow this protocol, you will put a mechanism in place to demonstrate your company’s commitment to compliance by following through on intentions as set forth in your strategic plan.

The Regulators Perspective

What does an effective compliance program look like? Over the years, we have heard various formulations of inquiries that regulators might use when reviewing a compliance program. While not exactly a review of a compliance protocol, one of my favorites is what I call McNulty’s Maxims or the three questions that former United States Deputy Attorney General, and Baker & McKenzie LLP partner, Paul McNulty said were three general areas of inquiry the he would assess regarding an enforcement action when he was at the DOJ. They are: first: “What did you do to stay out of trouble?” second: “What did you do when you found out?” and third: “What remedial action did you take?”

Stephen Martin said that an inquiry he might make was along the lines of the following. First he would ask someone who came in before the DOJ what the company’s annual compliance budget was for the past year. If the answer started with something like, “We did all we could with what we had ($100K, $200K, name the figure), he would then ask, “How much was the corporate budget for Post-It Notes last year?” The answer was always in the 7-figure range. His next question would then be, “Which is more business critical for your company; complying with the FCPA or Post-It Notes?” Unfortunately, it has been Martin’s experience that most companies spent far more on the Post-It Notes than they were willing to invest in compliance.

Andrew Ceresney, Director of the Division of Enforcement of the SEC, speaking at Compliance Week 2014, said that he has “found that you can predict a lot about the likelihood of an enforcement action by asking a few simple questions about the role of the company’s legal and compliance departments in the firm.” He then went on to detail some rather straightforward questions that he believes could show just how much a company is committed to having a robust compliance regime.

  • Are legal and compliance personnel included in critical meetings?
  • Are their views typically sought and followed?
  • Do legal and compliance officers report to the Chief Executive Officer (CEO) and have significant visibility with the board?
  • Are the legal and compliance departments viewed as an important partner in the business and not simply as support functions or a cost center?

Near the end of his presentation, Cerensey said that “Far too often, the answer to these questions is no, and the absence of real legal and compliance involvement in company deliberations can lead to compliance lapses, which, in turn, result in enforcement issues. When I was in private practice, I always could detect a significant difference between companies that prioritized legal and compliance and those that did not. When legal and compliance were not equal partners in the business, and were not consulted as a matter of course, problems were inevitable.”

McNulty’s Maxims, Martin’s question on budget and now Cerensey’s questions all provide significant guideposts to how regulators think about FCPA compliance programs. For me, I think the point is that companies which actually Do Compliance are easy to spot. For all the gnashing of teeth about how hard it is to comply with what the DOJ and SEC want to see in FCPA compliance, when the true focus can be distilled into whether a company actually does compliance as opposed to saying how ethical they are, I think it simplifies the inquiry and the issues senior management and a Board of Directors really needs to pay attention to.

Continuous improvement through continuous monitoring or other techniques will help key your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. You need to build in a way to keep pace with both market and regulatory changes to have a truly effective anti-corruption compliance program. The Guidance makes clear that the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improve­ment and sustainability.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 6, 2014

Theme from Shaft and Continuous Improvement of Your Compliance Program, Part I

Isaac HayesThe composer of what I believe to be the absolute coolest movie theme ever was born on this date in 1942, Isaac Hayes. Hayes continually succeeded in many areas. In the 1960s it was with soul music on the great label Stax. In the 90s it was as the voice of Chef on the animated TV series South Park. But for my generation it was for the theme song, and indeed entire soundtrack, to the movie Shaft that I will always remember Hayes for. The success of that soundtrack led not only to nearly four more decades in the public eye, but as I will never forget sight of Isaac Hayes, playing shirtless in heavy chains and sunglasses as he performed the #1 pop single “Theme from ‘Shaft'” on national television the night he was awarded the Academy Award for Best Score.

How Hayes continued to reinvent of himself as a performer informs my blog posts over the next two days as I look at continuous improvement in your Foreign Corrupt Practices Act (FCPA) compliance program. Today, I will review the regulators view on continuous improvement and tomorrow I will provide some specific techniques that you can engage in to help satisfy this prong of the Ten Hallmarks of an Effective Compliance Program.

You should keep track of external and internal events that may cause change to business process, policies and procedures. Some examples are new laws applicable to your business organization and internal events driving changes within a company. Such internal changes could be a company reorganization or major acquisition. This type of review appears to be similar to the Department of Justice (DOJ) advocacy of ongoing risk assessments. The FCPA Guidance (Guidance) specifies, “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”

Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the Federal Sentencing Guidelines (FSG) call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

A review plan is an excellent tool for the compliance practitioner because it provides a method for the ongoing evaluation of policies and sets forth a manner to communicate and train on any changes that are implemented. More than simply staying current, this approach will help provide the dynamics that the DOJ continually talks about in keeping your program fresh. Lastly, such a review plan can also guide the compliance practitioner in creating an ongoing game plan for compliance program upgrades and updates that Stephen Martin advocates.

The Guidance makes clear that each company should assess and manage its risks and specifically notes that small and medium-size enterprises likely will have different risk profiles and therefore different attendant compliance programs than large multi-national corporations. Moreover, this is something that the DOJ and Securities and Exchange Commission (SEC) take into account when evaluating a company’s compliance program in any FCPA investigation. This is why a “Check-the-Box” approach is not only disfavored by the DOJ, but, at the end of the day, it is also ineffectual. It is because each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges.

One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information.

Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from AsiaPac, it may be time to conduct an audit of those operations to further investigate the issue.

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local Finance departments in your foreign offices to ask if they’ve noticed any accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries in which they manage. These ongoing efforts demonstrate that your company is serious about compliance.

The DOJ emphasized again with the 2011 Pfizer Deferred Prosecution Agreement (DPA), the need for a company to establish protocols for auditing. It included the following detail on auditing protocols:

  • On-site visits by an FCPA review team comprised of qualified personnel from the Compliance, Audit and Legal functions who have received FCPA and anti-corruption training.
  • Review of a representative sample (appropriately adjusted for the risks of the market) of contracts with and payments to individual foreign government officials as well as other high-risk transactions in the market.
  • Creation of action plans resulting from issues identified during the proactive reviews; these action plans will be shared with appropriate senior management and should contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations.
  • A review of the books and records of a sample of third party representatives that, in the view of the FCPA proactive review team, may present corruption risk. Prior to such an investigation, however, the company should have procedures in place to make sure every investigation is thorough and authentic, including document preservation protocols, data privacy policies, and communication systems designed to manage and deliver information efficiently.

Tomorrow, I will review some specific steps you can take to meet these goals.

For your listening pleasure, close your eyes and listen to the Theme From Shaft, by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 22, 2014

Code of Conduct, Compliance Policies and Procedures-Part I

Policies and ProceduresFor the remainder of this week, I will have a four-part episode on your Code of Conduct and anti-corruption compliance policies and procedures. In today’s post I will review the underlying legal and statutory basis for the documents as a foundation of your overall anti-corruption regime. In subsequent posts, I will review how to go about drafting your Code of Conduct and anti-corruption compliance policies and procedures and how to assess, review and revise them on a timely basis.

The cornerstone of a US Foreign Corrupt Practice Act (FCPA) compliance program is its written protocols. This includes a Code of Conduct, policies and procedures. These requirements have long been memorialized in the US Federal Sentencing Guidelines (FSG), which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements the Department of Justice (DOJ) has crafted its minimum best practices compliance program, which is now attached to every Deferred Prosecution Agreement (DPA) and Non-Prosecution Agreement (NPA). These requirements were incorporated into the 2012 FCPA Guidance. The FSG assumes that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct? The starting point, as per the FSG, reads as follows:

Element 1

Standards of Conduct, Policies and Procedures (a Code of Conduct)An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages “ethical conduct” and a commitment to compliance with applicable regulations and laws. 

In the FCPA Guidance, the DOJ and Securities and Exchange Commission (SEC) state, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company chapter has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.”

In each DPA and NPA over the past 36 months the DOJ has said the following as item No. 1 for a minimum best practices compliance program.

  1. Code of Conduct. A Company should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy shall be memorialized in a written compliance code. 

Stephen Martin and Paul McNulty, partners in the law firm of Baker and McKenzie, developed one of the best formulations that I have seen of these requirements in their Five Elements of an Effective Compliance Program. In this formulation, they posit that your Code of Conduct, policies and procedures should be grouped under the general classification of ‘Standards and Procedure’. They articulate that every company has three levels of standards and controls. First, every company should have a Code of Conduct, which should, most generally express its ethical principles. But simply having a Code of Conduct is not enough. So a second step mandates that very company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. From the base of a Code of Conduct and standards and policies, every company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.

FCPA compliance best practices now require companies to have additional standards and controls, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on a piece of paper.

In an article in the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual, 2nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”

There are several purposes identified by the authors which should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your FCPA compliance program are ‘Document, Document and Document’. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands the Code. For employees, it is important that a representative of the Compliance Department, or other qualified trainer, explains the standards set forth in your Code of Conduct and answers any questions that an employee may have. Your company’s employees need to attest in writing that they have received, read, and understood the Code of Conduct and this attestation must be retained and updated as appropriate.

The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed your Code of Conduct for five years, I would suggest that you do in short order as much has changed in the compliance world.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 16, 2014

Mergers and Acquisitions Under the FCPA, Part III

M&AToday I conclude my three-part series on mergers and acquisitions under the Foreign Corrupt Practices Act (FCPA) with a review of the post-acquisition phase.

Previously many compliance practitioners had based decisions in the M&A context on DOJ Opinion Release 08-02 (08-02), which related to Halliburton’s proposed acquisition of the UK entity, Expro. In the spring of 2011, the Johnson & Johnson (J&J) DPA changed the perception of compliance practitioners regarding what is required of a company in the M&A setting related to FCPA due diligence, both pre and post-acquisition. On June 18 2012, the DOJ released the Data Systems & Solutions LLC (DS&S) DPA which brought additional information to the compliance practitioner on what a company can do to protect itself in the context of M&A activity.

08-02 began as a request from Halliburton to the DOJ from issues that arose in the pre-acquisition due diligence of the target company Expro. Halliburton had submitted a request to the DOJ specifically posing these three questions: (1) whether the proposed acquisition transaction itself would violate the FCPA; (2) whether, through the proposed acquisition of Target, Halliburton would “inherit” any FCPA liabilities of Target for pre-acquisition unlawful conduct; and (3) whether Halliburton would be held criminally liable for any post-acquisition unlawful conduct by Target prior to Halliburton’s completion of its FCPA and anti-corruption due diligence, where such conduct is identified and disclosed to the Department within 180 days of closing.

I. Halliburton 

Halliburton committed to the following conditions in 08-02, if it was the successful bidder in the acquisition:

  1. Within ten business days of the closing. Halliburton would present to the DOJ a comprehensive, risk-based FCPA and anti-corruption due diligence work plan which would address, among other things, the use of agents and other third parties; commercial dealings with state-owned customers; any joint venture, teaming or consortium arrangements; customs and immigration matters; tax matters; and any government licenses and permits. The Halliburton work plan committed to organizing the due diligence effort into high risk, medium risk, and lowest risk elements.

a)     Within 90 days of Closing. Halliburton would report to the DOJ the results of its high risk due diligence.

b)    Within 120 days of Closing. Halliburton would report to the DOJ the results to date of its medium risk due diligence.

c)     Within 180 days of Closing. Halliburton would report to the DOJ the results to date of its lowest risk due diligence.

d)    Within One Year of Closing. Halliburton committed full remediation of any issues which it discovered within one year of the closing of the transaction.

Many lawyers were heard to exclaim, “What an order, we cannot go through with it.” However, we advised our clients not to be discouraged because 08-02 laid out a clear road map for dealing with some of the difficulties inherent in conducting sufficient pre-acquisition due diligence in the FCPA context. Indeed the DOJ concluded 08-02 by noting, “Assuming that Halliburton, in the judgment of the Department, satisfactorily implements the post-closing plan and remediation detailed above… the Department does not presently intend to take any enforcement action against Halliburton.”

II.Johnson & Johnson (J&J)

In Attachment D of the J&J DPA, entitled “Enhanced Compliance Obligations”, there is a list of compliance obligations in which J&J agreed to undertake certain enhanced compliance obligations for at least the duration of its DPA beyond the minimum best practices also set out in the J&J DPA. With regard to the M&A context, J&J agreed to the following:

  1. J&J will ensure that new business entities are only acquired after thorough FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. Where such anti-corruption due diligence is not practicable prior to acquisition of a new business for reasons beyond J&J’s control, or due to any applicable law, rule, or regulation, J&J will conduct FCPA and anti-corruption due diligence subsequent to the acquisition and report to the Department any corrupt payments, falsified books and records, or inadequate internal controls as required by … the Deferred Prosecution Agreement.
  2. J&J will ensure that J&J’s policies and procedures regarding the anti-corruption laws and regulations apply as quickly as is practicable, but in any event no less than one year post-closing, to newly-acquired businesses, and will promptly, for those operating companies that are determined not to pose corruption risk, J&J will conduct periodic FCPA Audits, or will incorporate FCPA components into financial audits.
  3. Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to J&J, on the anticorruption laws and regulations and J&J’s related policies and procedures; and
  4. Conduct an FCPA-specific audit of all newly acquired businesses within 18 months of acquisition.

These enhanced obligations agreed to by J&J in the M&A context were less time sensitive than those agreed to by Halliburton in 08-02. In the J&J DPA, the company agreed to the following time frames:

  1. 18 Month - conduct a full FCPA audit of the acquired company.
  1. 12 Month - introduce full anti-corruption compliance policies and procedures into the acquired company and train those persons and business representatives which “present corruption risk to J&J.”

III. Data Systems & Solutions LLC (DS&S)

In the DS&S DPA there were two new items listed in the Corporate Compliance Program, attached as Schedule C to the DPA, rather than the standard 13 items we have seen in every DPA since at least November 2010. The new additions are found on items 13 & 14 on page C-6 of Schedule C and deal with mergers and acquisitions. They read in full:

  1. DS&S will develop and implement policies and procedures for mergers and acquisitions requiring that DS&S conduct appropriate risk-based due diligence on potential new business entities, including appropriate FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. If DS&S discovers any corrupt payments or inadequate internal controls as part of its due diligence of newly acquired entities or entities merged with DS&S, it shall report such conduct to the Department as required in Appendix B of this Agreement.
  2. DS&S will ensure that DS&S’s policies and procedures regarding the anticorruption laws apply as quickly as is practicable to newly acquired businesses or entities merged with DS&S and will promptly:
  3. Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to DS&S, on the anti-corruption laws and DS&S’s policies and procedures regarding anticorruption laws.
  4. Conduct an FCPA-specific audit of all newly acquired or merged businesses as quickly as practicable.

This language draws from and builds upon the prior Opinion Release 08-02 regarding Halliburton’s request for guidance and the J&J “Enhanced Compliance Obligations” incorporated into its DPA. While the DS&S DPA does note that it is specifically tailored as a solution to DS&S’s FCPA compliance issues, I believe that this is the type of guidance that a compliance practitioner can rely upon when advising his or her clients on what the DOJ expects during M&A activities.

 

FCPA M&A Box Score Summary

Time Frames Halliburton 08-02 J&J DS&S
FCPA Audit
  1. High Risk Agents - 90 days
  2. Medium Risk Agents - 120 Days
  3. Low Risk Agents - 180 days
18 months to conduct full FCPA audit As soon “as practicable
Implement FCPA Compliance Program Immediately upon closing 12 months As soon “as practicable
Training on FCPA Compliance Program 60 days to complete training for high risk employees, 90 days for all others 12 months to complete training As soon “as practicable

 

The Guidance, coupled with the 08-02 and the two enforcement actions, speak to the importance that the DOJ puts on M&A in the FCPA context. The time frames for post-acquisition integration are quite tight. This means that you should do as much work as you can in the pre-acquisition stage. The DOJ makes clear that rigor is needed throughout your entire compliance program, including M&A. This rigor should be viewed as something more than just complying with the FCPA; it should be viewed as just making good business sense.

Nat Edmonds, in an interview in the Wall Street Journal (WSJ) entitled, “Former Justice Official: How to Buy Corrupt Companies”, emphasized that if a company does not have the opportunity to make these types of inquiries in the pre-acquisition stage the “DOJ and SEC generally recognize that sometimes it’s not possible to do complete due diligence beforehand. However, if there are good faith efforts to conduct due diligence, integrate compliance programs and take remedial actions by removing those wrongdoers — if all of that is done on a quick basis [authorities] give very strong credit. The best example of this is the 2009 purchase by Pfizer of Wyeth. I was prosecutor on the Pfizer Wyeth [bribery] case. Pfizer was able to do some due diligence before the acquisition but because both are massive organizations it was not possible to do complete due diligence prior to acquisition. But after the acquisition within 180 days they had identified much of the wrongdoing at Wyeth and ensured it was halted. As a result of that we gave them credit. On the criminal side Pfizer was not held criminally liable for any of the conduct at Wyeth. Most of what Pfizer was held responsible for was as a result of a previous acquisition of Pharmacia, which they acquired in 2002 and 2003. At the time of the Pharmacia acquisition, acquirers did not typically conduct anti-corruption due diligence on targets. And during the investigation most of the violations of FCPA [Pfizer] was held criminally liable for began prior to the acquisition of Pharmacia –some was afterwards. Pfizer was held responsible for the misconduct at Pharmacia both before and afterwards. The Pfizer case is interesting because it shows both the good and bad.”

I believe that he information is out there for the steps to take in a merger or acquisition to avoid FCPA liability. You should place emphasis on both the pre and post acquisition phases; equally because as with most FCPA compliance program components, they just make good business sense.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 15, 2014

Mergers and Acquisitions Under the FCPA, Part II

M&AYesterday I began a three part series on mergers and acquisitions under the Foreign Corrupt Practices Act (FCPA). In Part I, I reviewed what you should accomplish in the pre-acquisition stage. Today I want to look at what you should do with the information that you obtain in your pre-acquisition compliance due diligence.

Jay Martin, Chief Compliance Officer (CCO) at BakerHughes Inc. suggests an approach that reviews key risk factors to move forward. Martin has laid out 15 key risk factors of targets under a FCPA analysis, which he believes should prompt a purchaser to conduct extra careful, heightened due diligence or even reconsider moving forward with an acquisition under extreme circumstances.

  1. A presence in a BRIC (Brazil, Russia, India and China) country and other countries whose corruption risk is high, for example, a country with a Transparency International CPI rating of 5 or less;
  2. Participation in an industry that has been the subject of recent anti-bribery or FCPA investigations, for example, in the oil and energy, telecommunications, or pharmaceuticals sectors;
  3. Significant use of third-party agents, for example, sales representatives, consultants, distributors, subcontractors, or logistics personnel (customs, visas, freight forwarders, etc.)
  4. Significant contracts with a foreign government or instrumentality, including state-owned or state-controlled entities;
  5. Substantial revenue from a foreign government or instrumentality, including a state-owned or state-controlled entity;
  6. Substantial projected revenue growth in the foreign country;
  7. High amount or frequency of claimed discounts, rebates, or refunds in the foreign country;
  8. A substantial system of regulatory approval, for example, for licenses and permits, in the country;
  9. A history of prior government anti-bribery or FCPA investigations or prosecutions;
  10. Poor or no anti-bribery or FCPA training;
  11. A weak corporate compliance program and culture, in particular from legal, sales and finance perspectives at the parent level or in foreign country operations;
  12. Significant issues in past FCPA audits, for example, excessive undocumented entertainment of government officials;
  13. The degree of competition in the foreign country;
  14. Weak internal controls at the parent or in foreign country operations; and
  15. In-country managers who appear indifferent or uncommitted to U.S. laws, the FCPA, and/or anti-bribery laws.

In evaluating answers to the above inquiries or those you might develop on your own, you may also wish to consider some type of risk rating for the responses, to better determine is the amount of risk that your company is willing to accept to do so you will need to both assess risk and subsequently evaluate that risk. Borrowing from a matrix developed by Michele Abraham from Timken Co., I have found Timken’s matrix for risk rating and assessment useful. Risks should initially be identified and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the your post-acquisition remediation plan going forward. A risk-rating guide similar to the following can be used.

LIKELIHOOD

Likelihood Rating Assessment Evaluation Criteria
1 Almost Certain High likely, this event is expected to occur
2 Likely Strong possibility that an event will occur and there is sufficient historical incidence to support it
3 Possible Event may occur at some point, typically there is a history to support it
4 Unlikely Not expected but there’s a slight possibility that it may occur
5 Rare Highly unlikely, but may occur in unique circumstances

 

‘Likelihood’ factors to consider: The existence of controls, written policies and procedures designed to mitigate risk capable of leadership to recognize and prevent a compliance breakdown; Compliance failures or near misses; Training and awareness programs. Product of ‘likelihood’ and significance ratings reflects the significance of particular risk universe. It is not a measure of compliance effectiveness or to compare efforts, controls or programs against peer groups.

The key to such an approach is the action steps prescribed by their analysis. This is another way of saying that the pre-acquisition risk assessment informs the post-acquisition remedial actions to the target’s compliance program. This is the method set forth in the FCPA Guidance. I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the mergers and acquisitions arena. The model set forth by Michele Abraham of Timken certainly is a reasoned approach and can provide the articulation needed to explain which steps were taken.

It is also important that after the due diligence is completed, and if the transaction moves forward, the acquiring company should attempt to protect itself through the most robust contract provisions that it can obtain, these would include indemnification against possible FCPA violations, including both payment of all investigative costs and any assessed penalties. An acquiring company should also include reps and warranties in the final sales agreement that the entire target company uses for participation in transactions as permitted under local law; that there is an absence of government owners in company; and that the target company has made no corrupt payments to foreign officials. Lastly, there must be a rep that all the books and records presented to the acquiring company for review were complete and accurate.

To emphasize all of the above, the DOJ stated in the Pfizer Deferred Prosecution Agreement (DPA), in the mergers and acquisition context, that a company is to ensure that, when practicable and appropriate on the basis of a FCPA risk assessment, new business entities are only acquired after thorough risk-based FCPA and anti-corruption due diligence is conducted by a suitable combination of legal, accounting, and compliance personnel. When such anti-corruption due diligence is appropriate but not practicable prior to acquisition of a new business for reasons beyond a company’s control, or due to any applicable law, rule, or regulation, an acquiring company should continue to conduct anti-corruption due diligence subsequent to the acquisition and report to the DOJ any corrupt payments or falsified books and records.

Tomorrow in Part III, I will take a look at your post-acquisition actions in the mergers and acquisition context.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 14, 2014

Mergers and Acquisitions Under the FCPA, Part I

M&AToday, I begin a three-part series on mergers and acquisitions under the Foreign Corrupt Practices Act. Today I will review the pre-acquisition phase, focusing the information and issues you should review, tomorrow in Part II, I will look at how you should use that information in the evaluation process and in Part III, I will consider steps you should take in the post-acquisition phase.

The Foreign Corrupt Practices Act (FCPA) Guidance, issued in 2012, makes clear that one of the ten hallmarks of an effective compliance program is around mergers and acquisitions (M&A), in both the pre and post-acquisition context. A company that does not perform adequate FCPA due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps, most commonly, inadequate due diligence can allow a course of bribery to continue – with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability. In contrast, companies that conduct effective FCPA due diligence on their acquisition targets are able to evaluate more accurately each target’s value and negotiate for the costs of the bribery to be borne by the target. But, equally important is that if a company engages in the suggested actions, they will go a long way towards insulating, or at least lessening, the risk of FCPA liability going forward.

Nat Edmonds, in an interview in the Wall Street Journal (WSJ) entitled, “Former Justice Official: How to Buy Corrupt Companies” said “I think most companies and their outside counsel believe any potential corruption problem should stop a deal from occurring. Companies would be surprised to learn that neither the Securities and Exchanges Commission nor the DOJ takes that position. In many ways the SEC and DOJ encourage good companies with strong compliance programs to buy the companies engaged in improper conduct in order to help implement strong compliance in companies that have engaged in wrongful conduct. What companies must do and what outside counsel should advise them to do is to have a realistic perspective of what effect that corruption or potential improper payment has on the value of the deal itself. Because of the concern that any corruption would stop the deal or implicate the buyers, many times companies don’t look as thoroughly as they should at potential corruption. There is often concern that if you start to look for something you may find a problem and it could slow down or stop the whole deal.”

The FCPA Guidance was the first time that many compliance practitioners focused on the pre-acquisition phase of a transaction as part of a compliance regime. However, the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) made clear the importance of this step. In addition to the above language, they cited to another example in the section on Declinations where the “DOJ and SEC declined to take enforcement action against a U.S. publicly held consumer products company in connection with its acquisition of a foreign company.” The steps taken by the company led the Guidance to state the following, “The company identified the potential improper payments to local government officials as part of its pre-acquisition due diligence and the company promptly developed a comprehensive plan to investigate, correct, and remediate any FCPA issues after acquisition.”

In a hypothetical, the FCPA Guidance provided some specific steps a company had taken in the pre-acquisition phase. These steps included, “(1) having its legal, accounting, and compliance departments review Foreign Company’s sales and financial data, its customer contracts, and its third-party and distributor agreements; (2) performing a risk-based analysis of Foreign Company’s customer base; (3) performing an audit of selected transactions engaged in by Foreign Company; and (4) engaging in discussions with Foreign Company’s general counsel, vice president of sales, and head of internal audit regarding all corruption risks, compliance efforts, and any other corruption-related issues that have surfaced at Foreign Company over the past ten years.”

Pre-Acquisition Risk Assessment

It should all begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a “lens through which to view the feasibility of the business strategy” and help to value the potential target.

The next step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, company management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.

Next is a five step process on how to plan and execute a strategy to perform pre-acquisition due diligence in the M&A context.

  1. Establish a point of contact. Here you need to determine one point of contact that you can liaise with throughout the process. Typically this would be the target’s Chief Compliance Officer (CCO) if the company is large enough to have full time position.
  2. Collect relevant documents. Obtain a detailed list of sales going back 3-5 years, broken out by country and, if possible, obtain a further breakdown by product and/or services; all Joint Venture (JV) contracts, due diligence on JVs and other third party business partners; the travel and entertainment records of the acquisition target company’s top sales personnel in high risk countries; internal audit reports and other relevant documents. You do not need to investigate de minimis sales amounts but focus your compliance due diligence inquiry on high sales volumes in high-risk countries. If the acquisition target company uses a sales model of third parties, obtain a complete list, including JVs. It should be broken out by country and amount of commission paid. Review all underlying due diligence on these foreign business representatives, their contracts and how they were managed after the contract was executed; your focus should be on large commissions in high risk countries.
  3. Review the compliance and ethics mission and goals. Here you need to review the Code of Conduct or other foundational documents that a company might have to gain some insight into what they publicly espouse.
  4. Review the seven elements of an effective compliance program as listed below:

a. Oversight and operational structure of the compliance program. Here you should assess the role of board, CCO and if there is one, the compliance committee. Regarding the CCO, you need to look at their reporting and access – is it independent within the overall structure of the company? Also, what are the resources dedicated to the compliance program including a review of personnel, the budget and overall resources? Review high-risk geographic areas where your company and the acquisition target company do business. If there is overlap, seek out your own sales and operational people and ask them what compliance issues are prevalent in those geographic areas. If there are compliance issues that your company faces, then the target probably faces them as well.

b. Policies/Procedures, Code of Conduct. In this analysis you should identify industry practices and legal standards that may exist for the target company. You need to review how the compliance policies and procedures were developed and determine the review cycles, if any. Lastly, you need to know how everything is distributed and what the enforcement mechanisms for compliance policies are. Additionally you need to validate, with Human Resources (HR), if there have been terminations or disciplines relating to compliance.cEducation, training and communication. Here you need to review the compliance training process, as it exists in the company, both the formal and the informal. You should ask questions, such as “What are the plans and schedules for compliance training?” Next determine if the training material itself is fit for its intended purpose, including both internal and external training for third parties. You should also evaluate the training delivery channels, for example is the compliance training delivered live, online, or through video? Finally, assess whether the company has updated their training based on changing of laws. You will need to interview the acquisition target company personnel responsible for its compliance program to garner a full understanding of how they view their program. Some of the discussions that you may wish to engage in include visiting with the target company’s General Counsel (GC), its Vice President (VP) of sales and head of internal audit regarding all corruption risks. You should also delve into the target’s compliance efforts, and any other corruption-related issues that may have surfaced.

c. Monitoring and auditing. Under this section you need to review both the internal audit plan and methodology used regarding any compliance audits. A couple of key points are (1) is it consistent over a period of time and (2) what is the audit frequency? You should also try and judge whether the audit is truly independent or if there was manipulation by the business unit(s). You will need to review the travel and entertainment records of the acquisition target company’s top sales personnel in high-risk countries. You should retain a forensic auditing firm to assist you with this effort. Use the resources of your own company personnel to find out what is reasonable for travel and entertainment in the same high-risk countries which your company does business.

d. Reporting. What is the company’s system for reporting violations or allegations of violations? Is the reporting system anonymous? From there you need to turn to who does the investigations to determine how are they conducted? A key here, as well as something to keep in mind throughout the process, is the adequacy of record keeping by the target.

e. Response to detected violations. This review is to determine management’s response to detected violations. What is the remediation that has occurred and what corrective action has been taken to prevent future, similar violations? Has there been any internal enforcement and discipline of compliance policies if there were violations? Lastly, what are the disclosure procedures to let the relevant regulatory or other authorities know about any violations and the responses thereto? Further, you may be required to self-disclose any FCPA violations that you discover. There may be other reporting issues in the M&A context such as any statutory obligations to disclose violations of any anti-bribery or anti-corruption laws in the jurisdiction(s) in question; what effect will disclosure have on the target’s value or the purchase price that your company is willing to offer?

f. Enforcement Practices/Disciplinary Actions. Under this analysis, you need to see if there was any discipline delivered up to and including termination. If remedial measures were put in place, how were they distributed throughout the company and were they understood by employees?

  1. Periodically evaluate the M&A review procedures’ effectiveness benchmarked against any legal proceedings, FCPA enforcement actions, Opinion Releases or other relevant information.

Tomorrow, I will review how you use the information that you are able to obtain in the pre-acquisition process.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 11, 2014

Friday Comings and Goings

7K0A0032I wish I could be there.

Next week, the FCPA Professor is leading his first FCPA Institute this summer over two days, July 16 and 17. The event will be held in Milwaukee and hosted by the law firm of Foley and Lardner.

The Professor’s stated goal in leading this first Institute is “to develop and enhance fundamental skills relevant to the FCPA and FCPA compliance in a stimulating and professional environment with a focus on learning. Information at the FCPA Institute is presented in an integrated and cohesive way by an expert instructor with FCPA practice and teaching experience.” Some of the topics, which will be covered, include the following:

  • An informed understanding of why the FCPA became a law and what it seeks to accomplish;
  • A comprehensive understanding of the FCPA’s anti-bribery and books and records and internal controls provisions and related enforcement theories;
  • Various realties of the global marketplace which often give rise to FCPA scrutiny;
  • The typical origins of FCPA enforcement actions including the prominence of corporate voluntary disclosures;
  • The “three buckets” of FCPA financial exposure and how settlement amounts in an actual FCPA enforcement action are typically not the most expensive aspect of FCPA scrutiny and enforcement;
  • Facts and figures relevant to corporate and individual FCPA enforcement actions including how corporate settlement amounts are calculated;
  • How FCPA scrutiny and enforcement can result in related foreign law enforcement investigations as well as other negative business effects from market capitalization issues, to merger and acquisition activity, to FCPA related civil suits; and
  • Practical and provocative reasons for the general increase in FCPA enforcement.

In other words, it is what you have come to expect from the FCPA Professor; well-thought out reasoned analysis, practical knowledge and learning, and provocative thinking and assessment. But more than all of the above I believe you will receive some great insight into and why the FCPA Professor continually challenges the status quo in many areas about the FCPA. He and I often look at the same thing and see different views but by seeing more than one view, I believe you will come away with a deeper overall understanding of the entire FCPA picture.

For complete information on the FCPA Institute, click here.

As Monty Python might say And Now For Something Completely Different. If you would like a much shorter view of some FCPA and anti-corruption related topics, check out some of my most recent podcasts, the FCPA Compliance and Ethics Report. 

In Episode 74, I visit with Paul McNulty about his upcoming move to become the President of his alma mater, Grove City College.

In Episode 72, I visit with the GRC Pundit, Michael Rasmussen about why companies have such a disconnect when it comes to the theory and practice of their GRC practices.

In Episode 69, I visit with Joe Oringel about his company’s exciting new approach to transaction monitoring in the anti-corruption space.

In Episode 68, I interview Neil Swidey, author of Trapped Under the Sea about his experiences in researching and writing his book.

In Episode 66, the FCPA Professor shares his thoughts on the Esquenazi decision.

In Episode 63 and 64, I have a two-part discussion of the management of third parties under the FCPA.

For those few of you on the planet not aware of it, the World Cup final will be held this coming Sunday. Mike Brown and I have been discussing the World Cup, FIFA and anti-corruption in our World Cup Report series. You can check out Part I, Part II, Part III, Part IV, or Part V.

All of the episodes of the FCPA Compliance and Ethics Report are available for download on iTunes at no cost so if you want to catch up on all things FCPA and compliance related on the drive to work, you can do so. A happy Friday and enjoyable weekend to all.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 10, 2014

Mid-Year FCPA Report, Part II

Mid Year ReportToday, I continue my look at what I think were some of the most significant highlights from the first half of 2014 relating to the Foreign Corrupt Practices Act (FCPA). Yesterday, the focus was on corporate and individual enforcement. Today we review a very rare court of appeals decision on whether a state-owned enterprise is covered by the FCPA; yet another surprising result in an opinion release and finally take a look at some real world examples of why the FCPA is such a powerful and positive law for US companies doing business overseas.

Esquenazi Decision on State Owned Enterprises Covered by the FCPA

In what can only be called a judicial decision based on common sense the 11th Circuit Court of Appeals, in an opinion released on May 16, upheld the convictions of Joel Esquenazi and Carlos Rodriguez for violations of the FCPA and certain US anti-money laundering (AML) laws. The two had engaged in a long running bribery scheme with the Haitian telephone company, Telecommunications d’Haiti, S.A.M (Teleco). The pair were convicted and sentenced to lengthy jail terms, Esquenazi receiving 15 years and Rodriguez receiving 7 years. One of their myriad defenses was that a state owned enterprise, such as Telco, was not an instrumentality and thereby not covered under the FCPA.

This opinion was the first time that a Court of Appeals had reviewed the FCPA question of what is an ‘instrumentality’ under the Act. Both defendants had argued that instrumentality could only mean (1) “that only an actual part of the government would qualify as an instrumentality” or (2) the FCPA should be construed to encompass only foreign entities performing ‘core’ governmental functions similar to departments or agencies. The Court rejected both arguments.

The Court constructed a two-prong test to determine if a state owned enterprise is an instrumentality under the FCPA. The first prong is the ‘Control Test’ and the second prong is the ‘Function Test’. Under the Control Test, a compliance practitioner should analyze how much control a foreign government has over a state owned enterprise. The Court suggested questions like: (1) The foreign government’s formal designation of the entity; (2) Whether the government has an interest in the entity; (3) The government’s ability to hire and fire the entity’s principals; (4) The extent to which the entity’s profits, if any, go directly into the governmental fisc; (5) The extent to which the government funds the entity if it fails to break even; and (6) The length of time these indicia have existed. The Court suggested the following for the Function Test: (1) Does the entity have a monopoly over the function it exists to carry out; (2) Does the foreign government subsidize the costs associated with the entity providing the services; (3) Does the entity provide services to the public at large in the foreign Country; and (4) Does the foreign government generally perceive the entity to be performing a governmental function?

I can only say that common sense won out in this decision. The word ‘instrumentality’ must mean something under the FCPA and I believe the Court correctly found that state owned enterprises falls under the rubric of instrumentality under the FCPA.

Opinion Release 14-01

Continuing its run of publishing Opinion Releases where it comes down on the side I had not expected, the DOJ released Opinion Release 14-01. In 14-01, a company wanted to buy-out a now government official from a company he had been a part of before he went into government service. The problem was that his buy-out provision was entered into during the past economic downturn and the value of his buy-out was under water. He wanted to get something for his prior investment. The Relator proposed another formula for his exit compensation and the DOJ agreed it would not be a FCPA violation to do so.

For the compliance practitioner, there are several key points to consider. The first point is found in a footnote detailing the length of time it took to secure the DOJ opinion. This is the first time that I recall seeing a time line laid out in an Opinion Release. This gives a compliance practitioner some idea of the time frames involved in the process. The second is the use of representations and warranties by the parties. In 14-01, the DOJ accepted representations that the foreign official in question would not pass on business in which he either had an interest or help the Relator to ‘obtain or retain’ business with the agency at which the foreign official now worked. This type of evidence is something that a company should now consider when designing protocols to satisfy issues similar to those presented in 14-01. Finally was the quality and quantity of payment(s) to be made to the now foreign official to cash him out and purchase his interest. Here the parties agreed to an independent valuation by an internationally recognized accounting firm. This provides some type of arms-length analysis. It also provides a market based approach to the payment issue so that there is evidence of true (or perhaps truer) market value, not some arbitrary number agreed to by the parties.

The message from 14-01 and last year’s Opinion Release, seems to me, that the DOJ is open to creative arguments about ways to comply with the FCPA. 14-01 also shows that the process can move quickly when the situation warrants it.

The International Effect of the FCPA

In certainly one of the most interesting revelations of the first half of 2014, former US Secretary of Defense, Robert Gates wrote the following in his recently released memoirs, entitled “Duty: A Memoir of a Secretary at War”, in which he said the following, ““In a private meeting, the king [King Abdullah of Saudi Arabia] committed to a $60 billion weapons deal including the purchase of eighty-four F-15’s, the upgrade of seventy-15s already in the Saudi air force, twenty-four Apache helicopters, and seventy-two Blackhawk helicopters. His ministers and generals had pressed him hard to buy either Russian or French fighters, but I think he suspected that was because some of the money would end up in their pockets. He wanted all the Saudi money to go toward military equipment, not into Swiss bank accounts, and thus he wanted to buy from us. The king explicitly told me saw the huge purchase as an investment in a long-term strategic relationship with the United States, linking our militaries for decades to come.”

I would ask you to consider, just how many US interests can be identified in the above quote. I can identify at least five: (1) US security interests; (2) US foreign policy interests; (3) US military interests; (4) US economic interests; and (5) US legal interests as reflected in compliance with the FCPA. For any person or business interest that does not think that the FCPA has a positive aspect, I would commend you to the above Gates quote. His quote, buried at page 395 of a 618-page book, did not even merit an entry in the Index. Yet, I find it to one of the finest, clearest and most concise affirmations of the positive power of the FCPA. Anytime you face criticism of your FCPA compliance program, a senior executive wants to know why you need resources to comply with the FCPA or you hear a business colleague whining about how ‘those people’ do business corruptly, I would suggest that you read to them this quote to show the power of the FCPA in international business.

Tangentially related to this revelation was the work by Scott Killingsworth to lay the legal and theoretical foundations for my real world observation about a business solution to FCPA compliance in his latest article entitled “The Privatization of Compliance”, which he calls this “private-to-private or P2P compliance.” In his introduction he stated, “Embodied in contract clauses and codes of conduct for business partners, these obligations often go beyond mere compliance with law and address the methods by which compliance is assured. They create new compliance obligations and enforcement mechanisms and touch upon the structure, design, priorities, functions and administration of corporate ethics and compliance programs. And these obligations are contagious: increasingly accountable not only for their own compliance but also that of their supply chains, companies must seek corresponding contractual assurances upstream. Compliance is becoming privatized, and privatization is going viral.”

With the long-expected Avon settlement on the horizon and the collapse of the SEC case against the Noble executives, it will be most interesting to see what the second half of the year will bring.

=================================================================================================================================================================================================================================================

On another note, I saw Queen play last night and while I will write about them and their show next week, I can only say that if they are coming to a town near you, run don’t walk to see them. The show was fabulous.

And on a final note, if you are in the mid-west or so inclined to travel their and are interested in the FCPA, I urge you to attend the FCPA Professor‘s initial FCPA Institute, which he is holding in Milwaukee next week. For more information, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 4,591 other followers