FCPA Compliance and Ethics Blog

October 29, 2014

Doing Compliance-The Book

Doing ComplianceI have consistently tried to bring a ‘Nuts and Bolts’ approach to my writing about compliance. Last year when describing some of my writing on the building blocks of a Foreign Corrupt Practices Act (FCPA) compliance program to my friend Mary Flood, she said “That’s great but what about actually doing compliance?” Fortunately for me, she did not ask how as there is no telling just how much hot water answering that question would have gotten me into! Her idea about writing a book which a compliance practitioner could use as a one-volume reference for the everyday work of anti-corruption compliance was the genesis of my most recent hardbound book, Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program. I am pleased to announce that the book is hot off the presses and now available for purchase through Compliance Week in the US and Ark Publishing in the UK.

Just as the world becomes more flat for business and commercial operations, it is also becoming so for anti-corruption and anti-bribery enforcement. Any company that does business internationally must be ready to deal with a business environment with these new realities. My book is designed to be a one-volume work which will give to you some of the basics of creating and maintaining an anti-corruption and anti-bribery compliance program which will meet any business climate you face across the globe. I have based my discussion of a best practices compliance program on what the Criminal Division of the US Department of Justice (DOJ) and Enforcement Division of the Securities and Exchange Commission (SEC) set out in their jointly produced “FCPA - A Resource Guide to the U.S. Foreign Corrupt Practices Act”, the FCPA Guidance, the ‘Ten Hallmarks of an Effective Compliance Program.” The FCPA Guidance wisely made clear that there is no ‘one-size-fits-all’ approach when it stated, “Individual companies may have different compliance needs depending on their size and the particular risks associated with their businesses, among other factors.” Thus, the book is written to provide insight into the aspects of compliance programs that DOJ and SEC assesses, recognizing that companies may consider a variety of factors when making their own determination of what is appropriate for their specific business needs.

This book does not discuss the underlying basis of the FCPA, the UK Bribery Act or any other anti-corruption or anti-bribery legislation. I have assumed the reader will have a modicum of knowledge of these laws. If not, there are several excellent works, which can provide that framework. The book is about doing business in compliance with these laws. As with all Americans, I appreciate any list that is deca-based, so the format of 10 hallmarks resonates with me. I have used this basic ten-part organization in laying out what I think you should consider in your anti-corruption and anti-bribery compliance program. In addition to presenting my own views in these areas, I also set out the views of both FCPA practitioners and commentators from other areas of business study and review. The book includes the following:

Chapter 1 - Where It All Begins: Commitment from Senior Management and a Clearly Articulated Policy against Corruption  It all begins at the Top, what should management say and do? ‘Tone at the Top’ is a great buzz word but how does a company truly get the message of compliance down through the ranks? This chapter discusses the techniques management can use to move the message of compliance down through middle management and into the lower ranks of the company.

Chapter 2 - Some Written Controls: Code of Conduct and Compliance Policies and Procedures  The Cornerstone of your anti-bribery/anti-corruption compliance program is set out in your written standards and internal controls which consist of a Code of Conduct, Compliance Policy and implementing Procedures. This chapter discusses what should be in the written basics of your compliance program and how best to implement these controls.

Chapter 3 - For the CCO: Oversight, Autonomy, and Resources The role and function of a Chief Compliance Officer (CCO) in any compliant organization cannot be overstated. Simply naming a CCO is no longer enough to meet even the minimum requirements of best practices. One of the key areas that the DOJ will review is how is a CCO allowed to fulfill his role. Does the position have adequate resources? Does it have autonomy and support in the corporate environment? Does the Board of Directors exercise appropriate oversight? This chapter reviews the Compliance Function, Oversight, Autonomy and Resources and relates structuring the compliance function in an organization.

Chapter 4 - The Cornerstone of Your Compliance Program: Risk Assessment It all begins here, as a risk assessment is the road map to managing your compliance risk. The implementation of an effective compliance program is more than simply following a set of accounting rules or providing effective training. Compliance issues can touch many areas of your business and you need to know not only what your highest risks are, but where to marshal your efforts in moving forward. A risk assessment is designed to provide a big picture of your overall compliance obligations and then identify areas of high risk so that you can prioritize your resources to tackle these high-risk areas first. This chapter discusses what risks you should assess, the process for doing so and using that information going forward.

Chapter 5 - Getting Out on the Road: Training and Continuing Advice Once you have designed and implemented your compliance program, the real work begins and you must provide training on the compliance program and continuing advice to your company thereafter. This means that another pillar of a strong compliance program is properly training company officers, employees, and third parties on relevant laws, regulations, corporate policies, and prohibited conduct. However merely conducting training usually is not enough. Enforcement officials want to be certain the messages in the training actually get through to employees. The expectations for effectiveness are measured by who a company trains, how the training is conducted, and how often training occurs. This chapter discusses getting the message of compliance out to your employees.

Chapter 6 - Do As I Do & As I Say: Incentives and Disciplinary Measures Any effective compliance program will use a variety of tools to help ensure that it is followed. This means that you must employ both the carrot of incentives and the stick of disciplinary measures to further compliance. How can you burn compliance into the DNA of your company? Discipline has long been recognized as an important aspect of a compliance regime but more is now required. This chapter relates structuring compliance into the fabric of your company through hiring, promotion of personnel committed to compliance and how to reward them for doing business ethically and in compliance with the FCPA.

Chapter 7 – Your Greatest Source of FCPA Exposure: Third Parties and How to Manage the Risk Third Parties are universally recognized as the highest risk in any compliance program. Indeed it is estimated that well over 90% of all FCPA enforcement actions involve third parties. Therefore it is important how to manage this highest risk for an anti-corruption program. This chapter provides a five-step process for the investigation and management of any third party relationship; from agents in the sales chain to vendors in the supply chain.

Chapter 8 – How Do I Love Thee: Confidential Reporting and Internal Investigations In any company, your best source about not only the effectiveness of your compliance program but any violations are your own employees. This means that you must design and implement a system of confidential reporting to get your employees to identify issues and then have an effective internal investigation of any issues brought to your attention. Your own employees can be your best source of information to prevent a compliance issue from becoming a FCPA violation. This chapter provides the best practices for setting up internal reporting and investigating claims of compliance violations.

Chapter 9 - How to Get Better: Improvement: Periodic Testing and Review Once you have everything up and running you still need to not only periodically oil but also update the machinery of compliance. You do this through the step of continuous improvement, which is the use of monitoring and auditing to review and enhance your compliance regime going forward. A company should focus on whether employees are staying with the compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are adhering to the compliance program.

Chapter 10 - Should I or Shouldn’t I? Mergers and Acquisitions The last thing you want to bring in through an acquisition is another company’s FCPA violation for which your company must pay the piper; also known as buying a FCPA violation. Effectively managing your mergers and acquisitions (M&A) process can help you to identify risk areas in a potential acquisition and then remediate any issues in the post-acquisition integration phase. This chapter gives you the most recent pronouncements on how to avoid FCPA exposure in this key area of corporate growth and to use the M&A function to proactively manage compliance.

Chapter 11 – A Few Words about Facilitation Payments One of the key differences between the US FCPA and UK Bribery Act is that the US law allows facilitation payments. However, in today’s interconnected world, to allow one part of your company to make facilitation payments while UK subsidiaries or others covered by the UK Bribery Act are exempted out from your standard on facilitation payments has become an administrative nightmare. This chapter explores what is a facilitation payment, how the policing of your internal policy has become more difficult and some companies which have been investigated regarding their facilitation payments. It also provides guidelines for you to follow should your company decide to allow them going forward.

So with thanks to Mary Flood for the idea, Matt Kelly, the Editor of Compliance Week for the publishing platform and Helen Roche & Laura Slater and the rest of the team at Ark Publishing for getting me through the publishing process in a professional manner, I am published to announce that Doing Compliance: How to Design, Create, and Implement an Effective Anti-Corruption Compliance Program is now available for purchase.

You can purchase a copy of Doing Compliance: How to Design, Create, and Implement an Effective Anti-Corruption Compliance Program in the US by clicking here. You can purchase a copy of Doing Compliance: How to Design, Create, and Implement an Effective Anti-Corruption Compliance Program in the UK by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com. © Thomas R. Fox, 2014

October 27, 2014

Critiquing FCPA Enforcement and the GSK Domestic Corruption Conviction

Lady Scales of JusticeRecently the FCPA Professor posted a blog, entitled “Look in the Mirror Moments, in which he used written commentary by the US Secretary of the Treasury to the Chinese government about the Chinese governments anti-trust investigations as a mechanism to explore critiques of Foreign Corrupt Practices Act (FCPA) enforcement. In this post, he compared certain aspects of FCPA enforcement to the Chinese corruption enforcement action against GlaxoSmithKline PLC (GSK). Leaving aside the differences in anti-trust enforcement (price-fixing, monopolistic behavior and illegal collusion) and anti-corruption enforcement (bribery), I wanted to review his critiques through the prism of the known facts of the GSK enforcement action.

The FCPA Professor had the following comments about FCPA enforcement, in comparison with the Chinese corruption enforcement action against GSK. He said,

Without in any way trying to comprehensively compare the overall U.S. legal system to the overall Chinese legal system, the following attributes of FCPA enforcement must at least be acknowledged. 

The vast majority of corporate FCPA enforcement actions lack transparency and the resolution documents (whether a non-prosecution agreement, deferred prosecution agreement or civil administrative order) are the result of an opaque process ultimately controlled by the same office prosecuting or bringing the action. 

As to the swiftness of FCPA enforcement actions, one can only assume that the majority of general counsels and board of directors of companies under FCPA scrutiny would be jumping for joy if the scrutiny – from start to finish – would resolve itself in 15 months rather than the typical 3-5 years (and in some instances more) of FCPA scrutiny lingering.”

The difficulty I have with both of these points is that one cannot separate the Chinese enforcement action against GSK from the Chinese legal system that produced it. Let’s start with the ‘jumping for joy’ prong. The initial difference to note is that the Chinese enforcement action was a domestic prosecution based upon Chinese domestic law for bribery and corruption of Chinese. It was not a US (or UK) company violating US (or UK) laws. This means that the relevant documents and witness were in the locality where the investigation was performed. Even when a key witness, GSK China Country Manager Mark Reilly was in the UK, he voluntarily returned to China to give evidence but was prevented from leaving the country without being charged with a crime. So as far as is known, there were no government-to-government requests for information, no Letters Rogatory or use of any other international discovery mechanism to obtain evidence.

Moreover, the procedural protections in place under US (and UK) criminal procedure simply do not exist in China. There is no right to counsel, no right against self-incrimination, no right to confront witness and not even a right to know what the charges against you might be. These lack of rights were certainly borne out in the speed in which the Chinese investigative authorities were able to obtain evidence and public confessions from GSK principals involved in the bribery and corruption. The first 30-day timeline of the GSK investigation went as follows:

  • June 28, 2013 – Local Police announced they have place GSK officials under investigation for economic crimes.
  • July 11, 2013 – Public Security Ministry issued statement accusing GSK of bribery.
  • July 15 , 2013 – Four senior company execs ‘detained’. Finance chief barred from leaving country.
  • July 16, 2013 – GSK General Counsel (GC) placed under ‘house arrest’ along with 30 other employees. One of the four GSK China executives who were detained, admited to bribery allegations on Chinese state television.
  • July 22, 2013 – GSK formally apologized for breaking Chinese law regarding domestic bribery and corruption.
  • July 26, 2013 – Peter Humphrey, a UK citizen and his wife, a naturalized US citizen, both hired by GSK in an ancillary matter related to the GSK corruption scandal were arrested but not told of the charges against them.

A little over one year later, in July, 2014 the trial of Humphrey and his wife was announced. Orignially it was to be held in secret with both Humphrey and his wife still not told of the formal charges against them. However after diplomatic protests by both the US and UK governments, Humphrey and his wife were both convicted and sentenced in an open trial, albeit lasting only one day, on August 8, 2014. The charges against them were announced at trial. Thereafter, GSK pled guilty in a secret one-day trial GSK was fined approximately $491MM and China Country Manager Mark Reilly and four other GSK China business unit executives were found gulity. They were all sentenced to jail but given suspended sentences.

How did the Chinese government develop its evidence so quickly? One of the defendant’s, admitted, on state run televison, his involvement in the bribery scheme only 18 days after the investigation was announced by Chinese authorities. Indeed, GSK itself made a public apology only 24 days after the announcement by the Chinese authorities it was under investigation. We now know that GSK was informed by a whistleblower of allegations of bribery and corruption as early as January 2013 yet in June GSK announced it had not found anything to substantiate these allegations.

I believe the answer is found in the differences in the Chinese and US legal systems. It all starts with the following: in China you are presumed guilty while in the US (and the UK), you are presumed innocent until proven guilty. In an article in the New York Times (NYT), entitled “Presumed Guilty in China’s War on Corruption”, Andrew Jacobs and Chris Buckley wrote that the “war on corruption often operates beyond the law in a secret realm of party-run agencies”. The process “Known as Shuanggui, it is a secretive, extralegal process that leaves detainees cutoff from lawyers, associates and relatives.” Moreover, even as a case moves through the Chinese criminal justice system, defendants’ counsel “have limited access to evidence, witnesses, and their clients.” It does not get any better when a defendant actually goes to court because “Lawyers say Chinese courts rarely allow them to call defense witnesses, while prosecutors frequently withhold cruical evidence.” Finally, of the 8,110 officials charged with corruption “in the first half of this year, 99.8 percent were convicted”. To this rather amazing trial court conviction rate, I would add the the prosecution does even better on appeal, never losing to a convicted defendant.

Does that sound like a system in which you would jump for joy if you were caught up in, even knowing that the time from announcment of investigation until 99.8% chance of conviction awaited you? Even if the government investigation only took 14 months? In the US, corporations have the same rights as individuals at trial; to cross-examine witness, to be made aware of the charges against it, those charges must be brought with specficity, right to counsel, right to an open trial and right to appeal. These rights are all enshrined in the US Constitution. Those rights are not present for individuals or corporations under Chinese law or jurisprudence.

But the FCPA Professor also critiqued the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) in FCPA enforcements with the following observation: The vast majority of corporate FCPA enforcement actions lack transparency and the resolution documents (whether a non-prosecution agreement, deferred prosecution agreement or civil administrative order) are the result of an opaque process ultimately controlled by the same office prosecuting or bringing the action.When a company enters into negotiation with the DOJ and SEC it is with legal counsel in tow. Even if we in the general public are not privy to these negotiations over the terms and conditions of enforcement actions I am confident that there is some give and take. Further, while I only have personal knowledge of one negotiation for the specific terms of a Deferred Prosecution Agreement (DPA), the lawyer representing the company made clear it was a negotiation. It was not a Diktat with sentencing simply pronounced by the DOJ. Does the office which handles the investigation also handle the settlement negotiation? Yes but that is what prosecutors do each and every day in every city, county, town, hamlet, state and federal jurisdiction in this country.

Just as it takes two to tango, it takes two to negotiate. The DOJ does not negotiate with itself. Another party is sitting across the table and that other party is the company involved in the FCPA investigation. Why is that company there in the room negotiating? Because the company has assessed its interest and determined that it would be better off settling than going to trial. This is in the face of DOJ failures in the trial court in the Gun Sting cases, the O’Shea trial and the trial court overturning the verdict in the Lindsey Manufacturing conviction. Simply because there is a negotiation between the DOJ and a private party does not make it some nefarious process, even if the prosecutors hold the upper hand.

As far as the fines and penalites, there has been nothing to suggest the basis of the $491MM fine assessed against GSK. That amount is a bit less than the amounts initially reported that GSK China paid out as bribes, somewhere over $500MM. At least in the US, there are the Sentence Guidelines which form some basis of the calculation. Of course there is always some prosecutorial discretion to lessen a fine or penalty below the suggested amount. We have seen that occur this year with the HP enforcement action and recently Asst. Attorney General Leslie Caldwell suggested that Alcoa could have been fined over $1bn for its conduct, while the actual fine was $384MM. It is appropriate for prosecutors to have such discretion.

While the DOJ is also critiqued that DPAs (and Non-Prosecution Agreement [NPAs]) are essentially the same as going to trial with a near 100% success rate, I think this belies the number of declinations that the DOJs gives out. Unfortunately (and here the FCPA Professor and I do agree); there is not enough information given out about declinations; either regarding the raw numbers or the specific reasons for a declination. Only if a company agrees or is required to make such information public does it become known. Nevertheless, there is the recent example of Layne Christensen, which received a declination. In an article in Compliance Week, entitled “How Two Companies Got Regulators to Drop FCPA Charges”, Jaclyn Jaeger reported on the reasons the company sustained this result of receiving a declination through interviews with Christensen GC, Steve Crooke, its Chief Compliance Officer (CCO), Jennafer Watson and its outside counsel Russ Berland. Jaeger detailed the specific steps the company took and we can all see the effect it had upon the DOJ, through the declination to prosecute the company.

The debate about the costs of FCPA enforcement actions, the proper role of DPAs/NPAs and length of time of investigations is a healthy one and living in the open society that we have in the US, one that we will continue to have. Since I am not a prosecutor (or ex-prosecutor), I cannot look in the mirror at FCPA enforcement but I can review the facts of the DOJ and SEC’s FCPA enforcement, contrasted with the Chinese domestic bribery and corruption proseuction of GSK and believe that there is no basis for comparing the two systems, as they are so different in too many fundamental aspects.

I can however say one thing with absolute certainly; wherever you do want to be, a Chinese jail is not high on the list.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 22, 2014

Right to Retire Or Termination: Remediation of Leadership To Foster Compliance

Fall of RomeMany historians have long given 476 AD as the date of the fall of the Roman Empire. Further, it was from this date forward that Europe began its long slide into the abyss, which came to be known as the Dark Age. However, this view was challenged in 1971 by Peter Brown, with the publication of his seminal work “The World of Late Antiquity”. One of the precepts of Brown’s work was to reinterpret the 3rd to 8th centuries not as simply a decline of the greatness that had been achieved in the heydays of the Roman Empire, but more on their own terms. It was in the year of 476 AD that the last Roman Emperor, Romulus Augustulus, left the capital of Rome in disgrace. However as Brown noted, he was not murdered or even thrown out but allowed to retire to his country estates, sent there by the conquers of the western half of the Roman Empire, the Goths. Not much conquering going on if a ruler is allowed to ‘retire’, it was certainly a replacement but not quite the picture of marauding barbarians at the gate.

I thought about this anomaly of retirement by a leader in the context where a company or other entity might be going through investigations for corruption and non-compliance with such laws as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. Yesterday I wrote about three recent articles and what they showed about a company’s oversight of its foreign subsidiaries. Today I want to use these same articles to explore what a company’s response and even responsibility should be to remediate leadership under which the corruption occurs. The first was an article in the New York Times (NYT), entitled, “Another Scandal Hits Citigroup’s Moneymaking Mexican Division” by Michael Corkery and Jessica Silver-Greenberg. Their article spoke about the continuing travails of Citigroup’s Mexican subsidiary Banamex. Back in February, the company reported “a $400 million fraud involving the politically connected, but financially troubled, oil services firm Oceanografía.”

This has led Citigroup to ever so delicately try to oust the leader of its Mexico operations, Mr. Medina-Mora, by encouraging him to retire. While Citigroup did terminate 12 individuals around the Oceanografía scandal earlier in the year, it has not changed the employment status of the head of the Mexico business unit. This may be changing as the article said, “In a delicate dance, Citigroup is encouraging its Mexico chairman, Manuel Medina-Mora, 64, to retire, according to four people briefed on the matter. The bank has been quietly laying the groundwork for his departure, which could come by early next year, the people said. Still, Mr. Medina-Mora’s business acumen and connections to the country’s ruling elite have made him critical to the bank’s success in Mexico. Citigroup and its chairman, Michael E. O’Neill, cannot afford to alienate Mr. Medina-Mora and risk jeopardizing those relationships, these people said.”

Should Mr. Medina-Mora be allowed to retire? Should he even be required to retire? What about the ‘mints money’ aspect of the Mexican operations for Citigroup? Was any of that money minted through violations of the FCPA or other laws? What will the Department of Justice (DOJ) think of Citigroup’s response or perhaps even its attitude towards this very profitable business unit and Citigroup’s oversight, lax or other?

Does a company have to terminate employees who engage in corruption? Or can it allow senior executives to gracefully retire into the night with full pension and other golden parachute benefits intact? What if a company official “purposely manipulated appointment data, covered up problems, retaliated against whistle-blowers or who was involved in malfeasance that harmed veterans must be fired, rather than allowed to slip out the back door with a pension.” Or engaged in the following conduct, “had steered business toward her lover and to a favored contractor, then tried to “assassinate” the character of a colleague who attempted to stop the practice.” Finally, what if yet another company official directed company employees to “delete hundreds of appointments from records” during the pendency of an investigation?

All of the above quotes came from a second NYT article about a very different subject. In the piece, entitled “After Hospital Scandal, V.A. Official Jump Ship”, Dave Phillips reported that two of the four VA Administration executives who engaged in the above conduct and were selected for termination, had resigned before they could be formally terminated. The article reported that the VA “had no legal authority to stop” the employees from resigning. Current VA Secretary Robert McDonald was quoted in the article as saying, “It’s also very common in the private sector. When I was head of Procter & Gamble, it happened all the time, and it’s not a bad thing — it saves us time and rules out the possibility that these people could win an appeal and stick around.” Plus, he said, their records reflect that they were targeted for termination. “They can’t just go get a job at another agency,” Mr. McDonald said. “There will be nowhere to hide.”

The third article was in the Wall Street Journal (WSJ) and entitled, “GM Says Top Lawyer to Step Down”. In this piece, reporters John D. Stroll and Joseph B. White, with contributions from Chris Matthews and Joann Lublin, reported that General Motors (GM) General Counsel (GC) Michael Millikin will retire early next year. Milliken is famously the GC who claimed not to know what was going on in his own legal department around the group’s settlements of product liability claims of faulty ignition switches. Milliken claimed he was kept “in the dark” by his own lieutenants about the safety issues involved with this group of litigation. Does Milliken have any responsibility for the failures of GM around this safety issue? What does his apparent graceful retirement say about the corporate culture of GM and its desire to actually change anything in the light of its ongoing travails? Of course one might cynically point to GM’s failure to even have a Chief Ethics and Compliance Officer as evidence of the company’s attitude towards compliance and ethics. (I wonder how that might look to the DOJ/Securities and Exchange Commission (SEC) if GM goes under any FCPA scrutiny?)

With Citigroup, the Department of Veterans Affairs and GM, we have three separate excuses for companies (and a Cabinet level department) not disciplining top employees for ethical and/or compliance failures. At Citigroup, the excuse is apparently that it does not want to rock the boat from a top producing foreign subsidiary by terminating the head of the subsidiary under investigation. At the Department of Veterans Affairs, the excuse seems to be they can go ahead and resign because we prefer to get rid of them that way. At GM, it is not clear why the GC who claimed not to know what was going on in even his own law department can ride off into the sunset with nary a contrary word in sight. Millikin’s conduct would seem to be the product of a larger cultural issue at GM.

I thought about how the DOJ might look at these situations for companies if a FCPA claim were involved. Even with McDonald’s observations about what happened when he was with Procter & Gamble; does a company show something less than commitment to having a culture of compliance if it allows an employee to retire? What does it say about Citigroup and its culture given the current dance it is having with its head of the Mexico unit? What about GM and its Sgt. Schultz of a GC and his ‘I was in the dark posture’? As stated by Mike Volkov, in his post entitled “Goodbye Mr. Millikin: GM’s Continuing Culture Challenges”, GM does under appear to understand the situation it finds itself in currently over its failures. He wrote, “GM still does not understand the significance of its governance failure…GM should have taken dramatic and affirmative steps to create a new culture – resources and new initiatives should be launched to rid GM of its current culture and replace it with a new speak up culture. It is a daunting task in such a large company but it has to be done. Until GM wakes up, missteps and failures will continue.” One might say the same for Citigroup and the Department of Veterans Affairs as well.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 21, 2014

Carlton Fisk, The Homer and Oversight of a Profitable Subsidiary

Fisk HomerToday we celebrate one of the great moments in World Series history. At approximately at 12:34 AM on this date in 1975, Carlton Fisk came to bat at the bottom of the 12th, in Game 6 of the World Series between the Boston Red Sox and Cincinnati Reds. He hit a pitch down the left field line. He stood at the plate, bouncing up and down and flailing at the ball as though he was helping an airplane land on a dark runway. “I was just wishing and hoping,” he said at a ceremony some years later. “Maybe, by doing it, you know, you ask something of somebody with a higher power. I like to think that if I didn’t wave, it would have gone foul.” Whether or not the waving was responsible, the ball bounced off of the bright-yellow foul pole above the Green Monster for a home run. Fenway’s organist played the Hallelujah Chorus from Handel’s Messiah while Fisk rounded the bases. One for the ages indeed as it appeared the Baseball Gods might finally be smiling on the Red Sox nation. Alas, they lost the next game and it was not to be for another 30 years.

I thought about Fisk’s homer and the ultimate heartbreak of Red Sox nation once again in 1975 when I read about several recent issues involving corruption and corporate responsibility for oversight, or perhaps more appropriately, the lack thereof. The first was an article in the New York Times (NYT), entitled “Another Scandal Hits Citigroup’s Moneymaking Mexican Division”, by Michael Corkery and Jessica Silver-Greenberg. Their article spoke about the continuing travails of Citigroup’s Mexican subsidiary Banamex. Back in February, the company revealed “a $400 million fraud involving the politically connected, but financially troubled, oil services firm Oceanografía.”

However, company investigators have unearthed another problem at the Mexico unit. The article reported “An internal investigation, begun by Citigroup in July, found evidence that the security unit was overcharging vendors and may have been taking kickbacks, a person briefed on the investigation said. The internal inquiry also found shell companies that had been set up to look like vendors and receive payments from the Banamex unit.” In a statement reported in the piece, Citigroup’s Chief Executive Officer (CEO) Michael L. Corbat “called the conduct of the individuals in the security unit ‘appalling’”.

What I found most interesting in the article was the response of Citigroup and what its implications might mean for the compliance practitioner, particularly one whose company is under scrutiny for a Foreign Corrupt Practices Act (FCPA) violation by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC). The NYT piece made clear that the Mexico unit is so profitable that it figuratively “mints money” for the company. Moreover, “despite the latest headline-grabbing turmoil at Banamex, Citigroup does not want to cede any ground in Mexico where it dominates a large portion of the retail market.”

What is the responsibility for a US corporate parent when a foreign subsidiary ‘mints money’ for the company? Should the corporate parent pay closer attention to make sure the subsidiary is doing business in compliance with the FCPA and other relevant laws? In the past few posts, I have discussed some of the specific internal controls a compliance practitioner might consider for a company’s international operations. One of the problems Citigroup is facing with the conduct of its Mexico subsidiary is the company’s concern of “lax controls and oversight”. Moreover, there is concern that some part of the ongoing troubles in the Mexico unit relates to its head, Manuel Medina-Mora. Citigroup Chairman Michael O’Neill, was said to have “privately expressed concerns to board members that Mr. Medina-Mora, who is also co-president of the parent company, has not always relayed problems in the region to executives at the bank’s headquarters on Park Avenue, according to the people briefed on the matter. Instead of looping in executives in New York, Mr. Medina-Mora has at times chosen to handle the issues himself.”

How much oversight should a parent corporation have over a subsidiary? At a basic level it would seem that oversight should be enough to prevent and detect illegal conduct. Clearly, a Chief Compliance Officer (CCO) should be considering the entity-wide internal controls for a company. Under the FCPA accounting provisions, issuers can be held liable for the conduct of their foreign subsidiaries, even though the improper conduct occurred outside of the US. The scope of liability is based on the issuer’s incorporation of the subsidiary’s financial statements in its own records and SEC filings.

While a CCO should expect (and the DOJ & SEC for that matter) that internal controls at locations outside the US are of the same effectiveness as internal controls in US business units and at the US corporate office; unfortunately, that might not always be the case. It is often the case that corporate level internal controls are stronger than those in foreign business units. The Citigroup situation with its Mexican subsidiary would seem to be a clear example of the oft-cited reason that many companies were built through acquisitions, resulting in many business units (both in and outside the US) having completely different accounting and internal control systems than US corporate office. There is often a tendency to leave acquired companies in the state in which they were acquired, rather than trying to integrate their controls and conform them to those of current business units. After all, the reason for the acquisition was the profitability of the acquired company and nobody wants to be accused of negatively impacting profitability, especially one that ‘mints money’.

The second example is one a bit closer to home and it is that of the General Motors (GM) legal department. In an article in the Wall Street Journal (WSJ) entitled “GM Says Top Lawyer to Step Down”, John D. Stroll and Joseph B. White, with contributions from Christopher Matthews and Joann S. Lublin, reported that GM General Counsel (GC) Michael Millikin will retire early next year. Millikin was criticized after the GM internal investigation found that he ran the GM legal department in such a hands off manner that he did not know about his legal department’s own settlements for product liability claims involving faulty ignition switches until February of this year. His defense was that his own lawyers “left him in the dark” even though there was evidence that he had been repeatedly warned, “GM could face punitive damage awards related to its failure to address the safety defect.” Missouri Senator Claire McCaskill summed up sentiment about Milliken with her statement “This is either gross negligence or gross incompetence.” In other words if you are a GC or CCO you had better know what is going on in your own department. What would it say about a CCO who did not know that compliance department members were dealing with violations of the FCPA without informing him or her? It would say that the CCO failed to exercise leadership and oversight.

And while you are watching things closely, you may want to check out a clip of Carlton Fisk’s famous homer by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 15, 2014

Tommy Lewis, Dicky Maegle and the DOJ Call for Individual Prosecutions

Lewis and off the bench tackleTommy Lewis died this week. For those of you uninitiated in college football, Lewis was an Alabama football player who jumped up off the Alabama bench to tackle Rice University halfback Dicky Maegle, who was scampering untouched down the sideline for a touchdown in the 1954 Cotton Bowl. Lewis’ off the bench tackle led to a flag and the referees’ awarding Maegle a 95-yard touchdown on the play. Why did Lewis do it? As reported in his obituary in the Houston Chronicle, Lewis always maintained he was “too full of Alabama”. Maegle, perhaps more charitably, said, “He was a good guy who got caught up in the moment and the excitement.”

I thought about Maegle and Lewis when I was re-reading and considering the recent remarks of Assistant Attorney General for the Criminal Division Leslie R. Caldwell at the recent Ethics and Compliance Officers Association (ECOA) Conference. As Mike Volkov said in his post on Tuesday, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) communicate quite clearly what their enforcement priorities are; one does not have to read tea leaves, it is out there in black and white for all to see and hear. Caldwell’s remarks would seem to follow this observation of Volkov.

Caldwell made clear that the DOJ will prosecute individuals for violations of the Foreign Corrupt Practices Act (FCPA). In her remarks she said, “When criminal misconduct is discovered, a critical factor in the department’s prosecutorial decision making is the extent and nature of the company’s cooperation. The department’s Principles of Federal Prosecution of Business Organizations provides that prosecutors should consider “the corporation’s timely and voluntary disclosure of wrongdoing and its willingness to cooperate in the investigation of its agents.””

Recognizing that “Corporations do not act, but for the actions of individuals” Caldwell then laid down some quite strong prescriptions which compliance practitioners need to be cognizant about. Caldwell stated, “Now let me flesh out the often discussed, but sometimes poorly understood, concept of cooperation. Most companies now understand the benefits of voluntarily disclosing the misconduct before we come asking, and the benefits of conducting an internal investigation and providing facts about the misconduct to the government. But companies all too often tout what they view as strong cooperation, while ignoring that prosecutors specifically consider “the company’s willingness to cooperate in the investigation of its agents.””

She went on to add, “In all but a few cases, an individual or group of individuals is responsible for the corporation’s criminal conduct. The prosecution of culpable individuals – including corporate executives – for their criminal wrongdoing continues to be a high priority for the department. For a company to receive full cooperation credit following a self-report, it must root out the misconduct and identify the individuals responsible, even if they are senior executives.”

Fortunately the DOJ is not asking for undercover corporate sting operations because, as Caldwell explained, “We are not asking that you become surrogate FBI agents or prosecutors, or that you use law enforcement tactics like body wires.  And we do not need to hear you say that executive A violated a particular criminal law. All we are saying is that we expect you to provide us with facts. We will take it from there. But a company that interviews its employees in an effort to whitewash the facts or spread the company’s narrative spin risks receiving any cooperation credit.”

This is about as clear a warning as you can expect to receive. But the difficulty it puts company’s in is in regard to their internal investigations. Last week Joel Schectman, writing in the Wall Street Journal (WSJ) article entitled, “Are Internal Bribery Probes Private?”, explored the issue of whether such investigations are privileged, in the context of a current individual FCPA prosecution. In the matter of Joseph Sigelman, the former Chief Executive Officer (CEO) PetroTiger Ltd. Co., Schectman reported that “Prosecutors say the payments of approximately $333,500 to the wife for “consulting services” was actually a bribe to her husband to win a contract for PetroTiger worth around $39.6 million.”

Some or all of the underlying facts were turned over to the DOJ by PetroTiger’s internal investigation. The Defendant Sigelman wants to obtain copies of whatever PetroTiger turned over to the DOJ, arguing that the company waived any claim of attorney/client privilege “when it divulged the investigation’s findings to third parties, including officials of the United States.” The company has refused to hand over its internal investigation to the defendant based on this claim of attorney/client privilege.

What happens if a company, or its law firm gets the investigation wrong and falsely accuses an individual? Should the company be protected? That is the issue currently before the Texas Supreme Court in a libel case styled, Shell v. Writt. It involves our old friend Panalpina Inc. and its customer Royal Dutch Shell. David Smyth, in a post entitled Texas Court of Appeals Has Put Some FCPA Internal Investigations in an Awkward Spot”, said the DOJ contacted Shell about its dealings with Panalpina. Sometime later, “Shell agreed to conduct an internal investigation into its dealings with Panalpina.” Smyth noted that, “Shell submitted an investigative report that pointed the finger at Writt.  Specifically, Shell said Writt had been involved in illegal conduct in a Shell Nigerian project by recommending that Shell reimburse contractor payments he knew to be bribes and failing to report illegal contractor conduct he was aware of.”

Writt sued Shell for libel and Shell defeated Writt at the trial court on the basis that it had an “absolute privilege to say what it did in its investigative report to the DOJ.”

However, a Texas Court of Appeals reversed the trial court ruling holding that absolute privilege does not apply where a party voluntarily turns over information to a prosecutor before a judicial proceeding is initiated or contemplated. As Smyth explained, “In the court’s view, DOJ was acting purely in a prosecutorial and non-judicial capacity.” Shell has appealed this matter to the Texas Supreme Court, which has accepted the case for review.

There are several difficult issues from the facts of this case. Smyth points to one when he ended his piece, “FCPA investigations these days are a different animal, and probably deserving of different treatment by the courts. As of now, a company conducting an internal FCPA investigation in Texas has to ask, what do we do if one of an investigation reveals one of our employees as a bad actor? Do we say as much in the report we turn over to the government, as the government surely expects? If we do, are we signing on for libel litigation by the employee?” But now Caldwell has made clear that the DOJ expects companies to “identify the individuals responsible, even if they are senior executives”. If you are one of the individuals so identified, are you entitled to know what the accusations against you might be? What if the company’s lawyers got it wrong? Should they have a duty?

Moreover, there are a plethora of procedural protections available to criminal defendants not available to civil defendants or even those who are the subject of internal corporate investigations. Should a Miranda warning now be given during internal corporate investigations? Is the right to remain silent and not self-incriminate oneself available in such an investigation? In paper entitled “Navigating Potential Pitfalls in Conducting Internal Investigations: Upjohn Warnings, “Corporate Miranda,” and Beyond” Craig Margolis and Lindsey Vaala, of the law firm Vinson & Elkins LLP, explored the pitfalls faced by counsel, both in-house and outside investigative, and corporations when an employee admits to wrong doing during an internal investigation, where such conduct is reported to the US Government and the employee is thereafter prosecuted criminally under a law such as the FCPA.

Employees who are subject to being interviewed or otherwise required to cooperate in an internal investigation may find themselves on the sharp horns of a dilemma requiring either (1) cooperating with the internal investigation or (2) losing their jobs for failure to cooperate by providing documents, testimony or other evidence. Many US businesses mandate full employee cooperation with internal investigations or those handled by outside counsel on behalf of a corporation. These requirements can exert a coercive force, “often inducing employees to act contrary to their personal legal interests in favor of candidly disclosing wrongdoing to corporate counsel.”  Moreover, such a corporate policy may permit a company to claim to the US government a spirit of cooperation in the hopes of avoiding prosecution in “addition to increasing the chances of learning meaningful information.”

Where the US Government compels such testimony, through the mechanism of inducing a corporation to coerce its employees into cooperating with an internal investigation, by threatening job loss or other economic penalty, the in-house counsel’s actions may raise Fifth Amendment due process and voluntariness concerns because the underlying compulsion was brought on by a state actor, namely the US Government. Margolis and Vaala note that by utilizing corporate counsel and pressuring corporations to cooperate, the US Government is sometimes able to achieve indirectly what it would not be able to achieve on its own – inducing employees to waive their Fifth Amendment right against self-incrimination and minimizing the effectiveness of defense counsel’s assistance.

All of the above would seem to make clear the need for company’s to get their internal investigations done right. If you are going to receive credit from the DOJ going forward, your investigations must be done thoroughly, in a timely manner and provide to the DOJ the information that Caldwell has laid out that they want. At least currently in Texas, a company has to get it right or risk being sued if they mis-identify a potential criminal actor.

Tommy Lewis and Dicky Maegle? Lewis made a mistake, probably carried away in the heat of the moment. What did Maegle have to say about him on the occasion of his death? “He was very remorseful, and I thought he was sincere. I liked him. We became friends.” Let’s hope your employees still like your company at the end of an internal investigation.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

 

 

October 13, 2014

Ringo, Sir Paul and an Effective Compliance Program

Paul McCartneySometimes the universe converges in ways that are beyond my simple comprehension. This past weekend was one of them. It began a few months ago when I saw an advertisement from StubHub that showed Ringo Starr playing in Houston on October 10 and Sir Paul McCartney playing in New Orleans on October 11. I figured if the two surviving members of the greatest rock and roll band in the history of the world were going to play on two consecutive nights it was a sure sign from the Oracle of Rock ‘N Roll that I was intended to attend both, lest I tempt a fate worse than going against an entity nearly as powerful as the Oracle of Delphi. Moreover, the Friday concert coincided with the birthday of my little sister who happened to be in town and one of the planets biggest Beatles fans, it made the convergence complete. Ringo Starr

I also learned two completely new and unrelated facts this weekend. The first is that a native of Liverpool, England, is called a ‘Scouser’. That comes from my Liverpudlian friend Pam, who also introduced me to the Liverpool Football Club. The second is that my wife is a closet Mr. Mister uber fan, who rocked out as a teenager to this group in the early days of MTV. On reflection that is perhaps the more odder convergence.

While there is clearly a reason Ringo Starr tours with true musical all-stars and Sir Paul McCartney has been raised to the peerage for his musical prowess, in many ways the Ringo Starr concert was the bigger revelation. I had wondered how Ringo would fill out an entire concert. He did it by surrounding himself with musicians fabulous in their own right. They included: Steve Lukather, former lead singer from Toto on vocals, lead and rhythm guitar; Gregg Rolie, former keyboardist from Santana and Journey on vocals, organ, keyboards; Richard Page, former lead singer from Mr. Mister, on vocals and bass guitar; and finally, best and certainly not least, Todd Rundgren on vocals, lead and rhythm guitar, bass guitar, percussion, harmonica and, occasionally, even keyboards.

So in addition to Ringo singing his standards of Photograph, It Don’t Come Easy, Yellow Submarine and (of course) With a Little Help From My Friends. We also got to hear songs first released by Santana, Toto, Mr. Mister and some great Todd Rundgren hits. The group clearly loved playing and jamming with each other. Further, these other groups’ songs were great fun to hear and as they may never reform, I would not otherwise have the chance to hear them performed lived.

Sir Paul McCartney. You really do not have to say much more. His concert did not exceed my expectations because they were about as high as expectations could have been. He seriously rocked out for over three hours, playing everything from the earliest Beatles songs up to a ballad for his latest wife. I cannot remember ever attending a concert where everyone one in attendance knew the words to every song but we all did and we all sung them all the way through the entire show.

What is the compliance angle to all of this? Just as there is more than one way to put on a great concert, there is more than one way to have an effective compliance program. This continual message from the Department of Justice (DOJ) came again earlier this month through remarks by Assistant Attorney General for the Criminal Division, Leslie R. Caldwell, at the 22nd Annual Ethics and Compliance Conference, where she made clear that while the FCPA Ten Hallmarks of an Effective Compliance Program is one set of guidelines for an effective compliance program, there is no “one-size fits all” compliance program. She laid out another way to think through, review and analyze your compliance program. 

  1. High-level commitment. A company must ensure that its directors and senior management provide strong, explicit, and visible commitment to its corporate compliance policy. Stated differently, and again, “tone from the top.”
  1. Written Policies. A company should have a clearly articulated and visible corporate compliance policy memorialized in a written compliance code. Again, employees need to know what to do–or not do–when faced with a tough judgment call involving business ethics. Companies need to make that as easy as possible for their employees.
  1. Periodic Risk-Based Review. A company should periodically evaluate these compliance codes on the basis of a risk assessment addressing the individual circumstances of the company. Companies change over time through natural growth, mergers, and acquisitions.
  1. Proper Oversight and Independence. A company should assign responsibility to senior executives for the implementation and oversight of the compliance program. Those executives should have the authority to report directly to independent monitoring bodies, including internal audit and the Board of Directors, and should have autonomy from management. Compliance programs needed to be funded; they need to have resources. And they need to have teeth and respect within the company.
  1. Training and Guidance. A company should implement mechanisms designed to ensure that its compliance code is effectively communicated to all directors, officers, employees. This means repeated communication, frequent and effective training, and an ability to provide guidance when issues arise.
  1. Internal Reporting. A company should have an effective system for confidential, internal reporting of compliance violations. I know that many companies have multiple mechanisms, which is good.
  1. Investigation. A company should establish an effective process with sufficient resources for responding to, investigating, and documenting allegations of violations. What this means on the ground will depend on the company. A sophisticated multi-national corporation obviously will be expected to have more resources devoted to compliance than a small regional company.
  1. Enforcement and Discipline. A company should implement mechanisms designed to enforce its compliance code, including appropriately incentivizing compliance and disciplining violations. Further, the response to a violation must be even-handed. People watch what people do much more carefully than what they say. When it comes to compliance, you must both say and do.
  1. Third-Party Relationships. A company should institute compliance requirements pertaining to the oversight of all agents and business partners. This cannot be emphasized strongly enough.
  2. Monitoring and Testing. A company should conduct periodic reviews and testing of its compliance code to improve its effectiveness in preventing and detecting violations. Kick the tires regularly. As I said, compliance programs must evolve with changes in the law, business practices, technology and culture.

Caldwell also emphasized that as important as the compliance program itself; the implementation is also reviewed and evaluated by the DOJ. When the DOJ investigates a case, they look at the messages about compliance that are given to employees; they look at what employees are told in their day-to-day work. This means the DOJ will look at emails, chats, and recorded phone calls. They will interview witnesses about the messages they received from their supervisors and management to determine if they received messages about compliance, or about making money at all costs.

Another consideration for the DOJ is incentives. The DOJ will examine the incentives that a company provides to encourage compliant behavior – or not. This means that if a company is actually encouraging compliance, if its values are to be ethical and within the law, this message must be conveyed to employees in a meaningful way. If not, it is likely that the DOJ will not view the compliance program as credible. Interestingly, Caldwell said that sometimes the effective implementation of a compliance program means standing apart from the other companies in your industry.

Just as Ringo and Sir Paul ably demonstrated, there is more than one way to put on a great concert. They both assessed their strengths and weaknesses and used that information to put great bands around them illustrated their strengths. The same is true in the world of Foreign Corrupt Practices Act (FCPA) compliance. The key is to review and assess your compliance risks and then manage them. And, as always, Document, Document, and Document whatever you do so that if a regulator comes knocking, you can demonstrate evidence of the above.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

 

 

 

October 10, 2014

The Horror of Dracula and Internal Controls in International Locations, Part I

Christopher Lee as DraculaThis Friday we celebrate the second in the Hammer Films horror series, which was actually its first offering, based on Count Dracula, entitled “Horror of Dracula”. It starred the famous Hammer Films horror movie two-some of Peter Cushing as Professor Van Helsing and Christopher Lee as Count Dracula. If you have grown up on the classic Universal monster films, the first thing that strikes you about the Hammer Films is the glorious technical color production. The second thing is the focus on gore. Horror of Dracula, with its emphasis on blood is particularly focused. Nevertheless, the productions are first rate and with Cushing and Lee bringing some gravitas to the cast, the movie certainly holds up. One of the biggest changes from Bram Stoker’s novel and the Universal movie version starring Bela Lugosi, is the location change from England to Transylvania for the confrontation between Professor Van Helsing and Dracula. In other words, they were on Dracula’s home turf; not in England on Professor Van Helsing’s home ground.

As the Foreign Corrupt Practices Act (FCPA) deals largely with conduct outside the US, today, I will begin a multi-part series on internal controls at locations outside the US. Part I will focus on how to think through the issues of internal controls outside the US and why your company’s internal controls might require changes for different countries across the globe. In Part II, I will review how to determine the risk in a geographic region outside the US, through a Location Risk Assessment and for Part III, I will close with how a compliance practitioner should use a Location Risk Assessment.

Clearly, a Chief Compliance Officer (CCO) should be considering the entity-wide internal controls for a company. Under the FCPA accounting provisions, issuers can be held liable for the conduct of their foreign subsidiaries, even though the improper conduct occurred outside of the US. The scope of liability is based on the issuer’s incorporation of the subsidiary’s financial statements in its own records and Securities and Exchange Commission (SEC) filings. So, as with the use of third party distributors to sell product, FCPA enforcement looks past the structure of the transaction and makes enforcement decisions based upon the substance. Once again I visited with internal controls expert Henry Mixon to discuss these issues.

While a CCO should expect (or at least hope) that internal controls at locations outside the US are of the same effectiveness as internal controls within US business units and at the US corporate office; unfortunately, that might not always be the case. It is often the case that corporate level internal controls are stronger than those in foreign business units. Mixon indicated that there may well be several reasons for this. First, the company’s Chief Financial Officer (CFO) may be paying closer attention to the corporate level internal controls, with the idea that the corporate level internal controls are the final “filter” to detect issues. This follows partly from the focus in most companies on the controls over financial reporting, which does not include all controls needed for FCPA compliance. A second reason is that many companies were built through acquisitions, resulting in many business units (both in and outside the US) having completely different accounting and internal control systems than the corporate office. There is often a tendency to leave acquired companies in the state in which they were acquired, rather than trying to integrate their controls and conform them to those of current business units. After all, the reason for the acquisition was the profitability of the acquired company and nobody wants to be accused of negatively impacting profitability.

A third situation may exist at locations outside the US that began simply as a sales office. Then the location gradually expanded its scope of operations to become a full scope business unit with its own accounting and data processing functions. Unfortunately, it is not often the situation in which there was a master plan for internal controls as the location’s scope grew. Often processes were added internally and were usually designed by the local personnel that in practice meant the Country Manager had total control over financial affairs and was not really accountable to the Corporate Office. This can be particularly true as long as a country business unit’s profits continue. In such situations, there will rarely be any focus on effective preventive internal controls for FCPA risk.

The next area for inquiry is where should a CCO begin in any of the above scenarios? Mixon believes that the initial first step is to determine the extent of centralization or decentralization of relevant processes or put another way, to what extent are relevant processes performed at the corporate offices? In some companies it is common, for example, to have all vendor invoices paid from the corporate office. In other companies, the corporate accounting function only aggregates information received from business unit accounting departments. This translates into a varying analysis of risk regarding locations outside the US, depending on the degree of accounting decentralization. A good starting point is to determine the extent to which the financial statements of business units outside the US are reviewed and analyzed by the corporate accounting function. This will give good insight into whether the corporate accounting function provides an element of internal control or merely serves as a data aggregator.

The first step for the CCO is to determine the possible universe of risks and to assess the risks to result in a priority of how attention will be focused. One useful approach advocated by Mixon is the Location Risk Assessment (LRA), whose purpose is to capture in one place each location outside the US where your company conducts business and to assess the compliance risks posed by the nature of operations at each location. Once the risks at each location have been properly categorized, you can then prioritize your approach to dealing with the risks.

For your weekend viewing, I would suggest you kick your feet up and look forward to some good, old-fashioned 1950s flavored gore found in the Horror of Dracula. If your temporal compliance matters need your attention, you can look forward to Part II next week, in which I will discuss how a compliance practitioner should perform a Local Risk Assessment.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

September 25, 2014

Come On Get Happy – The Partridge Family and GSK’s Internal Investigation

Partridge Family BusToday we celebrate an anniversary of one of the all-time lows in the American cultural milieu; for on this date in 1970, the television show The Partridge Family appeared on the ABC Television network. Symbiotically created from the ashes of the television show The Monkees and the real-life family pop group The Cowsills; The Partridge Family starred, as its TV-mom, Oscar winning actress Shirley Jones and as her eldest TV son, and teenaged girl heartthrob, her real-life stepson David Cassidy. Proving once again that 1960s and 1970s television really was largely a cultural wasteland, the family romped and sang their way across a never-ending sunny southern California in multi-colored converted school bus. While the episodes themselves were as close to putrid as one can get, they did have better success with their lip-synced music from each episode. One song, I Think I Love You, reached No. 1 on the Billboard Pop Charts that year.

I thought about this strange convergence of history and culture (or perhaps the lack of culture) when considering more lessons learned from the GlaxoSmithKline PLC (GSK) corruption scandal. I was particularly focused on GSK’s response to at least two separate reports from an anonymous whistleblower (brilliantly self-monikered as GSK Whistleblower) of allegations of bribery and corruption going on in the company’s China business unit. One of the clear lessons from the GSK matter is that serious allegations of bribery and corruption require a serious corporate response. Not, as GSK appears to have done, in their best Inspector Clouseau imitation, not being able to find the nose on their face.

Further, and more nefariously, was GSK’s documented treatment of and history with internal whistleblowers. One can certainly remember GSK whistleblower Cheryl Eckard. A 2010 article in The Guardian by Graeme Wearden, entitled “GlaxoSmithKline whistleblower awarded $96m payout”, where he reported that Eckard was fired by the company “after repeatedly complaining to GSK’s management that some drugs made at Cidra were being produced in a non-sterile environment, that the factory’s water system was contaminated with micro-organisms, and that other medicines were being made in the wrong doses.” She later was awarded $96MM as her share of the settlement of a Federal Claims Act whistleblower lawsuit. Eckard was quoted as saying, “It’s difficult to survive this financially, emotionally, you lose all your friends, because all your friends are people you have at work. You really do have to understand that it’s a very difficult process but very well worth it.” So to think that GSK may simply have been SHOCKED, SHOCKED, that allegations of corruption were brought by an internal whistleblower may well be within the realm of accurate.

There would have seemed to have been plenty of evidence to let the company know that something askance was going on in its Chinese operations. The international press was certainly able to make that connection early on in the scandal. An article in the Financial Times (FT), entitled “China accuses GSK of bribery” by Kathrin Hille and John Aglionby, reported “GSK said it had conducted an internal four-month investigation after a tip-off that staff had bribed doctors to issue prescriptions for its drugs. The internal inquiry found no evidence of wrongdoing, it said.” Indeed after the release of information from the Chinese government, GSK said it was the first it had heard of the investigation. In a prepared statement, quoted in the FT, GSK said ““We continuously monitor our businesses to ensure they meet our strict compliance procedures – we have done this in China and found no evidence of bribery or corruption of doctors or government officials.” However, if evidence of such activity is provided we will act swiftly on it.”

Laurie Burkitt, reporting in the Wall Street Journal (WSJ) in an article entitled “China Accuses Glaxo of Bribes”, wrote that “Emails and documents reviewed by the Journal discuss a marketing strategy for Botox that targeted 48 doctors and planned to reward them with either a percentage of the cash value of the prescription or educational credits, based on the number of prescriptions the doctors made. The strategy was called “Vasily,” borrowing its name from Vasily Zaytsev, a noted Russian sniper during World War II, according to a 2013 PowerPoint presentation reviewed by the Journal.” Burkitt reported in her article that “A Glaxo spokesman has said the company probed the Vasily program and “[the] investigation has found that while the proposal didn’t contain anything untoward, the program was never implemented.”” From my experience, if you have a bribery scheme that has its own code name, even if you never implemented that scheme, it probably means that the propensity for such is pervasive throughout the system.

I have often written about the need for a company to have an investigative protocol in place so that it is not making up its process in the face of a crisis. However the GSK matter does not appear to be that situation. It would not have mattered what investigation protocol that GSK followed, it would seem they were determined not to find any evidence of bribery and corruption in their China business unit. So the situation is more likely that GSK should have brought in a competent investigation expert law firm to head up their investigation in the face of this anonymous whistleblower’s allegations.

In an ACC Docket article, entitled “Risks and Rewards of an Independent Investigation”, authors James McGrath and David Hildebrandt discuss the use of specialized outside counsel to lead an independent internal investigation as compliance and ethics best practices. This is based upon the US Sentencing Guidelines, under which a scoring system is utilized to determine what a final sentence should be for a criminal act. Factors taken into account include the type of offense involved and the severity of the said offense, as well as the harm produced. Additional points are either added or subtracted for mitigating factors. One of the mitigating factors can be whether an organization had an effective compliance and ethics program. McGrath and Hildebrandt argue that a company must have a robust internal investigation.

McGrath and Hildebrandt take this analysis a step further in urging that a company, when faced with an issue such as an alleged Foreign Corrupt Practices Act (FCPA) violation, should engage specialized counsel to perform the investigation. There were three reasons for this suggestion. The first is that the Department of Justice (DOJ) would look towards the independence and impartiality of such investigations as one of its factors in favor of declining or deferring enforcement. If in-house counsel were heading up the investigation, the DOJ might well deem the investigative results “less than trustworthy”.

Matthew Goldstein and Barry Meier discussed the need for independence from the company being investigated in an article the New York Times (NYT) about the General Motors (GM) internal investigation entitled “G.M Calls the Lawyers”. They quoted William McLucas, a partner at WilmerHale, who said, “If you are a firm that is generating substantial fees from a prospective corporate client, you may be able to come in and do a bang-up inquiry. But the perception is always going to be there; maybe you pulled your punches because there is a business relationship.” This is because if “companies want credibility with prosecutors and investors, it is generally not wise to use their regular law firms for internal inquiries.” Another expert, Charles Elson, a professor of finance at the University of Delaware who specializes in corporate governance, agreed adding, “I would not have done it because of the optics. Public perception can be affected by using regular outside counsel.””

Adam G. Safwat, a former deputy chief of the fraud section in the Justice Department, said that the key is “Prosecutors expect an internal investigation to be an honest assessment of a company’s misdeeds or faults, “What you want to avoid is doing something that will make the prosecutor question the quality of integrity of the internal investigation.”” Also quoted was Internal Investigations Blog editor, Jim McGrath who said, “A shrewd law firm that gets out in front of scandal can use that to its advantage in negotiating with authorities to lower penalties and sanctions. There is a great incentive to ferret out information so they can spin it.”

The GSK experience in China will inform compliance practitioners for years to come with the company’s plethora of miss-steps. Perhaps one day the company will become as successful as The Partridge Family and they can open their annual meeting with The Partridge Family Theme - Come On Get Happy!

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

September 24, 2014

Lessons from GSK in China – Internal Controls, Auditing and Monitoring

InvestigationsOne of the great things about writing your own blog is that sometimes you can get going on a subject and just explore it. While I think I might sometimes get carried away when I delve into a topic, I certainly learn much while doing so. This week appears to be such a situation where in studying and researching the GlaxoSmithKline PLC (GSK); I find that the case has much more to inform the compliance practitioner. So I am going to try and tie together some of the major lessons learned from the GSK Chinese enforcement action for the remainder of the week and present to you how such lessons might assist you in designing, implementing or upgrading a best practices compliance program. Today I want to look at internal controls, auditing and monitoring.

One of the questions that GSK will have to face during the next few years of bribery and corruption investigations is how an allegedly massive bribery and corruption scheme occurred in its Chinese operations? The numbers went upwards of $500MM, which coincidentally was the amount of the fine levied by the Chinese court on GSK. It is not as if the Chinese medical market is not well known for its propensity towards corruption, as prosecutions of the Foreign Corrupt Practices Act (FCPA) are littered with the names of US companies which came to corruption grief in China. GSK itself seemed to be aware of the corruption risks in China. In a Reuters article, entitled “How GlaxoSmithKline missed red flags in China”, Ben Hirschler reported that the company had “more compliance officers in China than in any country bar the United States”. Further, the company conducted “up to 20 internal audits in China a year, including an extensive 4-month probe earlier in 2013.” GSK even had PricewaterhouseCoopers (PwC) as its outside auditor in China. Nevertheless, he noted, “GSK bosses were blindsided by police allegations of massive corruption involving travel agencies used to funnel bribes to doctors and officials.”

Internal Controls

Where were the appropriate internal controls? You might think that a company as large as GSK and one that had gone through the ringer of a prior Department of Justice (DOJ) investigation resulting in charges for off-label marketing and an attendant Corporate Integrity Agreement (CIA) might have such controls in place. It was not as if the types of bribery schemes in China were not well known. In an article in the Financial Times (FT), entitled “Bribery built into the fabric of Chinese healthcare system”, reporters Jamil Anderlini and Tom Mitchell wrote about the ‘nuts and bolts’ of how bribery occurs in the health care industry in China. The authors quoted Shaun Rein, a Shanghai-based consultant and author of “The End of Cheap China”, for the following “This is a systemic problem and foreign pharmaceutical companies are in a conundrum. If they want to grow in China they have to give bribes. It’s not a choice because officials in health ministry, hospital administrators and doctors demand it.”

Their article discussed the two primary methods of paying bribes in China: the direct incentives and indirect incentives method. Anderlini and Mitchell reported, “The 2012 annual reports of half a dozen listed Chinese pharmaceutical companies reveal the companies paid out enormous sums in “sales expenses”, including travel costs and fees for sales meetings, marketing “business development” and “other expenses”. Most of the largest expenses were “travel costs or meeting fees and the expenses of the companies’ sales teams were, in every case, several multiples of the net profits each company earned last year.””

It would be reasonable to expect that internal controls over gifts would be designed to ensure that all gifts satisfy the required criteria, as defined and interpreted in Company policies. It should fall to a Compliance Officer to finalize and approve a definition of permissible and non-permissible gifts, travel and entertainment and internal controls will follow from such definition or criteria set by the company. These criteria would include the amount of the spend, localized down into increased risk such the higher risk recognized in China. Within this context, noted internal controls expert Henry Mixon has suggested the following specific controls. (1) Is the correct level of person approving the payment / reimbursement? (2) Are there specific controls (and signoffs) that the gift had proper business purpose? (3) Are the controls regarding gifts sufficiently preventative, rather than relying on detect controls? (4) If controls are not followed, is that failure detected?

Auditing Lessons Learned

Following Mixon’s point 4 above, what can or should be a company’s response if one country’s gifts, travel and entertainment expenses were kept ‘off the books’? This is where internal audit or outside auditors are critical. Hirschler quoted an un-named source for the following, ““You’d look at invoices and expenses, and it would all look legitimate,” said a senior executive at one top accountancy firm. The problem with fraud – if it is good fraud – is it is well hidden, and when there is collusion high up then it is very difficult to detect.”” Jeremy Gordon, director of China Business Services was quoted as saying “There is a disconnect between the global decision makers and the guys running things on the ground. It’s about initially identifying red flags and then searching for specifics.”

There are legitimate reasons to hold medical conferences, such as to make physicians aware of products and the latest advances in medicine, however, this legitimate purpose can easily be corrupted. Hirschler quoted Paul Gillis, author of the China Accounting Blog, for the following “Travel agencies are used like ATMs in China to distribute out illegal payments. Any company that does not have their internal audit department all over travel agency spending is negligent.” Based on this, GSK’s auditors should have looked more closely on marketing expenses and more particularly, the monies spent on travel agencies. Hirschler wrote, “They [un-named auditing experts] say that one red flag was the number of checks being written to travel agencies for sending doctors to medical conferences, although this may have been blurred by the fact that CME accounts for a huge part of drug industry marketing.”

Another issue for auditing is materiality. If GSK’s internal auditors had not been trained that there is no materiality standard under the FCPA, they may have simply skipped past a large number of payments made that were under a company’s governance procedure for elevated review of expenses. Further, if more than one auditor was involved with more than one travel agency, they may not have been able to connect the dots regarding the totality of payments made to one travel agency.

Ongoing Monitoring

A final lesson learned for today is monitoring. As Stephen Martin often says, many compliance practitioners confuse auditing with monitoring. Monitoring is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks.

Here I want to focus on two types of ongoing monitoring. The first is relationship monitoring, performed by companies such Boston-based Catelas, through software products. It was reported in a Wall Street Journal (WSJ) article, entitled “Glaxo Probes Tactics Used to Market Botox in China”, that internal GSK emails showed the company’s China sales staff were instructed by local managers to use their personal email addresses to discuss marketing strategies related to Botox. The Catelas software imports and analyzes communications data, like email, IM, telephony and SMTP log files from systems such as Microsoft Exchange Servers and Lotus Notes. The software then leverages social network analysis and behavioral science algorithms to analyze this communications data. These interactions are used to uncover and display the networks that exist within companies and between the employees of companies. Additionally, relationships between employees and external parties such as private webmail users, competitors and other parties can be uncovered.

The second type of monitoring is transaction monitoring. Generally speaking, transaction monitoring involves review of large amounts of data. The analysis can be compared against an established norm which is derived either against a businesses’ own standard or an accepted industry standard. If a payment, distribution or other financial payment made is outside an established norm, thus creating a red flag that can be tagged for further investigation.

GSK’s failure in these three areas now seems self-evident. However, the company’s foibles can be useful for the compliance practitioner in assessing where their company might be in these same areas. Moreover, as within any anti-corruption enforcement action, you can bet your bottom dollar that the regulators will be assessing best practices going forward based upon some or all of GSK’s miss-steps going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

September 12, 2014

The FCPA Compliance and Ethics Report

If you have not done so, I hope that you might go over to my podcast site, the FCPA Compliance and Ethics Report,  to check out some of my recent podcasts. The episodes are between 20-30 minutes long and they are available for download on iTunes so you can listen to them on your commute to work or when working out at the gym.

Internal Controls

I have begun a series on internal controls in a best practices FCPA compliance program with noted internal controls expert Henry Mixon. In Parts I & II, Mixon and I discuss the basics of what are internal controls. These podcasts supplement some of my recent blogs on internal controls.

Episode 85-What Are Internal Controls, Part I

Episode 87-What Are Internal Controls, Part II

HR and Compliance

One of the best allies for the compliance function in any company is the Human Resources department. I explore how HR can assist compliance in a myriad of components of any best practices compliance program.

Episode 86-Use of HR in a Compliance Program

Continuous Improvement of a Compliance Program

In the FCPA Guidance and in almost every speech I have heard by a Department of Justice official, they talk about how your compliance program should evolve to meet new compliance risks, changes in best practices, geographic markets where your company does business and new product/service offerings. You can do this by continuous improvement of your compliance program.

Episode 84-Continuous Improvement of Your Compliance Program

The Compliance EcoSystem

Jon Rydberg is the Founder and CEO of Orchid Advisors. He is also the former CCO of Smith & Wesson and was at the company when it navigated it way through a FCPA investigation and enforcement proceeding. From these experiences, Rydberg has developed a holistic approach to compliance which he has trademarked as the “Compliance EcoSystem”. I explore his ideas on an fully integrated approach to compliance

Episode 83-Interview with Jon Rydberg

Use of Interviews in Your Compliance Program

Brian Ching is the most famous player in the history of the Houston Dynamos soccer club. Ching recently retired and moved into the front office as the General Manager of the Houston Dash, the Houston professional women’s soccer club. I interviewed Ching on his transition to management and how the Dash use the face-to-face interview process to not only assess the non-soccer skills that the team requires of its players but also to communicate the team’s expectations. There are some very significant insights about how a company can communicate its expectations regarding ethical business practices.

Episode 79-Interview with Brian Ching

The FCPA Professor

Finally and last but certainly not least, I bring back the FCPA Professor for a two-part podcast on his new book The Foreign Corrupt Practices Act In a New Era.

Episode 80, Interview with the FCPA Professor, Part I

Episode 81-Interview with the FCPA Professor, Part II

A good weekend to all.

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 4,760 other followers