DPA | FCPA Compliance and Ethics Blog

May 9, 2013

DPAs and NPAs – Useful Tools to Achieve Compliance

Filed under: Deferred Prosecution Agreement,Department of Justice,FCPA,FCPA Professor,Michael Volkov,Non-Prosecution Agreements,SEC,Uncategorized — tfoxlaw @ 1:01 am
Tags: compliance, compliance programs, Department of Justice, DOJ, DPA, FCPA, FCPA Professor, Foreign Corrupt Practices Act, Michael Volkov, NPA, SEC

The debate on whether the use of Deferred Prosecution Agreements (DPAs) and Non-Prosecution Agreements (NPAs) has become lively again over the past couple of weeks. Last week, there was a panel hosted by the Corporate Crime Reporter conference at the National Press Club. The panel was moderated by Steven Fagell, a partner at Covington & Burling LLP, and the panelists included Denis McInerney, the Criminal Division’s Deputy Assistant Attorney General, David Uhlmann, the former chief of the Environmental Crimes Section at the Department of Justice (DOJ), and currently a Professor of Law at the University of Michigan, the FCPA Professor, Michael Koehler, Kathleen Harris, a partner at Arnold & Porter LLP in London, and Anthony Barkow, a partner at Jenner & Block in New York.

The FCPA Professor wrote about the conference in two posts this week. The second post, entitled “Seeing the Light from the ‘Dark Ages’”, reported on the panel discussion. In this post, the Professor flatly says that DPAs and NPAs should be abolished in the context of Foreign Corrupt Practices Act (FCPA) enforcement and that a compliance defense should be added to the FCPA. In the other corner stands Mike Volkov, who said in a recent post, entitled “The Continuing Controversy Over DPAs and NPAs”, that DPAs and NPAs are part of the growing arsenal of prosecutorial tools that can be brought to bear by the DOJ and now the Securities and Exchange Commission (SEC).

The Professor previously articulated his views against DPAs and NPAs last fall in a post entitled “Assistant Attorney General Breuer’s Unconvincing Defense Of DPAs / NPAs”. In that post he said that the “use of NPAs or DPAs allow “under-prosecution” of egregious instance of corporate conduct while at the same time facilitate the “over-prosecution” of business conduct.” The ‘under-prosecution’ comes “because they [DPAs and NPAs] do not result in any actual charges filed against a company, and thus do not require the company to plead to any charges, allow egregious instances of corporate conduct to be resolved too lightly without adequate sanctions and without achieving maximum deterrence.” The ‘over-prosecution’ comes “because of the “carrots” and “sticks’ relevant to resolving a DOJ enforcement action often nudge companies to agree to these vehicles for reasons of risk-aversion and efficiency and not necessarily because the conduct at issue actually violates the law.” Volkov, being a former prosecutor, says that “Prosecutors like to have a variety of tools. An up or down decision system – indict or decline to indict – does not give prosecutors any ability to address the hard cases, where they are more inclined to decline prosecution rather than indict.”

However, I am neither a former prosecutor, like Volkov, nor a former white collar defense lawyer, like the Professor. I am a recovering trial lawyer who then went in-house. From this background I think that there is another line of reasoning as to why DPAs and NPAs are useful FCPA compliance enforcement tools and that line of reasoning is certainty. The primary reason for the prosecution and a company entering into a DPA/NPA is certainty. The one thing I learned in almost 20 years of trying cases is that nothing is certain when you leave the final decision to an ultimate trier of fact who is not yourself, whether that trier of fact be a jury, judge or arbitrator. The most important thing for a company is certainty and that is even more paramount when a potential criminal conviction looms over its corporate head. Certainty is equally critical for the prosecution. No matter how ‘slam dunk’ the facts are, or appear to be, once a prosecutor turns over the final decision in a case to another trier of fact; the prosecution has lost certainty in the final decision. Every corporate defendant who goes to trial can and should raise all procedural and factual defenses available to it. No prosecutor can ever be 100% certain that it will win every court ruling or that a guilty conviction will be upheld on appeal. However, a DPA/NPA can bring certainty. For a company, certainty in its rights and obligations, for the prosecution the same is true.

There was another article which considered the panel discussion held at the Corporate Crime Reporter conference entitled “McInerney Defends Deferred and Non Prosecution Agreements”. This article included quotes from David Uhlmann, who said that he believes, “This is about a profound ambivalence in parts of the Department about the very notion of corporate criminality.” Uhlmann believes that it this ambivalence which has driven the use of DPAs. He believes that the DOJ should make an “up or down” decision on whether a corporation should be prosecuted or not. He was quoted as saying “There is no more important role that the Justice Department plays than its role investigating and prosecuting crime. And if the Justice Department believes that a particular case warrants criminal prosecution, it should bring criminal charges. It should not sacrifice criminal prosecution to a private agreement never entered in court, never overseen by a judge in any meaningful way that doesn’t involve any public hearing, that doesn’t involve any corporate officials coming into the courtroom admitting guilt. On the other hand, if the Justice Department doesn’t believe that a criminal prosecution is necessary or warranted, then they should decline. They should decline prosecution in favor of — in most cases they have the option of civil or administrative enforcement.”

The Professor had a slightly different take on the use of DPAs in the context of criminal prosecutions of corporations. He was quoted as saying, “The Department has become so uncomfortable with the traditional notions of corporate criminal liability that they have constructed and indeed championed this alternative reality that is equally problematic.” Further, “These resolutions have had a troubling, distortive and toxic effect on this one area of law,” Koehler concluded. “There is no judicial scrutiny of most fcpa enforcement theories.” And, lastly, “Of course, the Justice Department is in favor of these because it makes their job easier. Of course, the FCPA bar and FCPA Inc. is in favor of these it expands the market for legal services.”

Criminal Division Deputy Assistant Attorney General McInerney made clear that he is not ambivalent at all about corporate criminal liability and specifically stated this. So let me speak from the perspective of a lawyer from Houston, who has represented companies in the energy space for quite some time. The frustration that boiled over from the lack of prosecutions regarding the financial troubles of the recent years should not obscure the fact that the DOJ has and will continue to pursue criminal cases against corporations.

But to paraphrase Joe Jackson, something else is going on ‘round here with prosecutions of corporate criminal conduct and the use of DPAs/NPAs. While one role of the DOJ is to prosecute law breakers; I believe that another role of the DOJ is to increase and encourage compliance with laws. The DPA/NPA debate does not stand in a vacuum. I believe that by offering incentives for companies to self-disclose and cooperate, the DOJ is increasing compliance with the FCPA. If there is no incentive to cooperate, there will be none. Period. If a company will face a criminal indictment or charge if it investigates a matter and self-discloses to the DOJ, how many companies will do so? McInerney was quoted as saying, “You are disincentivizing companies in terms of doing the right thing. You are not crediting companies for doing the right thing.”

Now let me take the flip side; Arthur Anderson. For all the howls that there is no empirical evidence that indicting and convicting companies puts them out of business; I am certainly not persuaded. I saw it happen, here in Houston. Was it in the interest of the US government to put Arthur Anderson out of business? Did it further the policies of this country to go from the Big Four to the Big Three? What about all the Arthur Anderson employees who did not work on the Enron account, what policy did it further to have them lose everything they invested in their professional life? If DPAs/NPAs are less draconian in their effect than destruction of a corporation’s existence, does that make them somehow less useful? If the DOJ wants to put such a factor into their decision making, I find that to be an appropriate calculus.

As to the charge that the FCPA Bar/FCPA Inc. used DPAs/NPAs to expand their market for work? [Full disclosure - I am a member of the FCPA Bar and ergo, FCPA Inc.] I think that it is the job of a lawyer to advise his or her clients on their legal obligations and to assist in fulfilling those obligations. Is it in my own myopic self-interest to advocate compliance with the FCPA? Or am I a part of the FCPA Bar and Inc. which assists companies to comply with a now 35 year old law? Whichever answer you prefer, I believe that there is more compliance now and that the use of DPAs/NPAs is a contributing factor to this increased compliance.

Another panelist, Anthony Barkow posited yet another angle. He said “one the primary policy justifications — or certainly a significant policy justification — is — getting DPAs and NPAs is easy. “It’s a lot easier than charging a company,”” Barkow said. “And it’s a lot easier than charging it and to try to get a plea.” While I do not pretend to know the intricacies of obtaining an indictment or going before a grand jury, it is always easier to settle something rather than try a case. But that does not mean any less work goes on, either from the corporate side or especially from the government side. FCPA enforcement actions are huge, document intensive cases and from what little I know of the process, the DOJ works quite hard to craft an appropriate resolution for each case. Further, there are multiple levels of review in the DOJ so many sets of eyes look at these matters. So while it may be easier to reach a resolution rather than charging and criminally trying a corporation, that does not mean in any way, shape or form that this work is easy. The work is hard, time intensive and takes literally thousands of man-hours by all parties involved to reach any resolution. Simply because a new enforcement tool is available, which is short of a criminal indictment and trial, does not mean that it is not a useful tool and should not be used.

Mike Volkov ended his post with the following, “The debate will continue – I have no doubt of that.” I would certainly second that notion. But from where I sit the use of DPAs/NPAs has improved compliance with the FCPA because their use has given corporations a real incentive to thoroughly investigate allegations of bribery and corruption and then work with the government to appropriately remediate the situation.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Leave a Comment

April 9, 2013

Why Eat Your Words When You Can Eat a Peach?

Filed under: Deferred Prosecution Agreement,Department of Justice,FCPA,FCPA Professor,Financial Times — tfoxlaw @ 1:01 am
Tags: Department of Justice, DPA, FCPA Professor, Standard Chartered

Taken to the woodshed or when should a company have to eat its own words? Remember when President Reagan’s Director of the Office of Management and Budget, David Stockman, was ‘taken to the woodshed’ by White House Chief of Staff James Baker after public comments that Stockman made for an Atlantic Monthly article that questioned the monetary policy which underpinned the entire Reagan Revolution? Stockman was most contrite thereafter.

We had a recent example of this in the context of US federal enforcement actions in the Standard Chartered (StanChart) matter. For those who might not remember, our friends at StanChart agreed to pay approximately $667MM in fines to several US regulators for the bank’s conduct around its breach of US sanctions on Iran. The bank agreed to voluntarily enter into a Deferred Prosecution Agreement (DPA) and as part of that DPA it agreed not to publicly contest the agreement or generally make any public statements contradicting the acceptance of responsibility. There are usually similar clauses in Foreign Corrupt Practices Act (FCPA) DPAs as well.

In an article in the Financial Times (FT), entitled “StanChart trio are called before US regulators”, by Kara Scannell, Patrick Jenkins and Lina Saigol, they reported that Sir John Peace, StanChart chairman said at a March 5 Press Conference that the Bank had engaged in “no wilful act to avoid sanctions; you know, mistakes are made – clerical errors” related to its myriad of conduct in doing business with Iran, in violation of US trade sanctions. This language directly contradicted the terms of the StanChart’s various settlement agreements with US regulators. On March 21, he was required to eat those words when he “said those comments were “both legally and factually incorrect”” and retracted them. “Standard Chartered Bank unequivocally acknowledges and accepts responsibility . . . for past knowing and wilful criminal conduct in violating US economic sanctions laws and regulations”.

According to the article this retraction was the result of a meeting he, Chief Executive Peter Sands and Finance Director Richard Meddings were called to with the Department of Justice (DOJ) and New York district attorney Cy Vance, “Standard Chartered was required to retract the statement or be subject to prosecution,” the DOJ said. The article also reported that “US officials at the meeting emphasised the importance of the terms of a settlement over sanction violations, including the bank’s ongoing co-operation. DoJ officials were concerned because the comments came from the top of the bank and had pushed for a public retraction and email to the entire staff. Sir John told them it was a humiliating day for him personally and for the bank, the person said.” This is the ‘going to the woodshed part’.

But what about these clauses prohibiting such contradictions? The FCPA Professor lets you know where he stands on the issue with his post on StanChart, entitled “The “Muzzle” Clause”, where he poses the question, “Is this an effective system of justice?” when the following exists:

First, the DOJ can use its leverage and its ability to bring criminal charges against a company. Second, the DOJ will can then use an NPA or DPA to insulate its version of the facts and enforcement theories from judicial scrutiny which the risk averse company will more often that not accept. Third, in the resolution agreement, the DOJ can include a “muzzle” clause prohibiting anyone associated with the company from making any statement inconsistent with the DOJ’s version of the facts or its enforcement theories. Fourth, if the DOJ believes, in its sole discretion, that a public statement has been made contradicting its version of the facts or its enforcement theories, the DOJ can “pounce” and threaten to bring criminal charges.

As to the first point, I think that the DOJ would respond that it brings enforcement actions that are appropriate under the facts and circumstances of the case. But as to the second point, I believe that DPAs and Non-Prosecution Agreements (NPAs) are equally preferred, if not more so by companies. The reason is that they bring closure with certainty, which is what company’s desire in any legal proceeding. If there are company’s which want to go to trial and test the Arthur Anderson result, they should go ahead and do so but I certainly do not want to be the first General Counsel (GC) or Chief Compliance Officer (CCO) who makes the wrong call and have my company go poof because I turned down an offer to settle.

As to point three, I am somewhat more concerned with this issue in the context of the First Amendment. Here the Professor cites to Professor Ellen Podgor who asked “whether the government can include such clauses in resolution agreements without infringing on First Amendment rights.” Clearly if a person or company is convicted of a crime they have the right to contest that finding, vocally or otherwise. However, in the DPA context, a company has admitted to conduct and findings so perhaps there is a difference than a person convicted at trial who wants to scream from the highest mountaintop “I didn’t do it”.

On point four, I have to disagree with the Professor. In another FT article, entitled “StanChart chairman forced to eat his words over Iran”, the reports quoted Simon Maughan, an analyst at Olivetree Securities, who with perhaps less delicacy and also with greater English irony, said “StanChart had tried to play hardball with the US regulators and lost.”

I have worked in a company under a DPA for its FCPA violations. I did not find it hard to not contradict the facts and findings in the DPA. In fact, the company used those facts and findings to make itself into a stronger and more financially viable entity. It seems to me, if one cannot even accept the fact that it was your company which engaged in legal violations and not simply some ‘clerical errors’ which caused your company to pay $667MM in fines, you really have not learned very much. Perhaps that is what the DOJ really wants companies to understand.

Eat A Peach is the final studio Allman Brothers album on which both Duane and Greg Allman played before the untimely death of Duane.

© Thomas R. Fox, 2013

Comments (2)

February 13, 2013

Distributors under the FCPA

Filed under: Best Practices,Books and Records,compliance programs,Department of Justice,Distributors,Eli Lilly and Company,FCPA — tfoxlaw @ 1:01 am
Tags: Department of Justice, DOJ, DPA, FCPA, Foreign Corrupt Practices Act, Lilly, Oracle, Smith & Nephew

If there was ever a question that distributors were covered under the Foreign Corrupt Practices Act (FCPA), in 2012, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) made it emphatically clear that this class of entities in a company’s sales chain would be treated that same as any other sales agent, reseller or any other entity which sells a US company’s products outside the United States. While the terms agent, reseller and distributor have distinct definitions in the legal world, they no longer do for FCPA purposes.

The three enforcement actions which made clear that there were no distinctions between agents and distributors in 2012 were the Smith & Nephew, Inc., (S&N) Deferred Prosecution Agreement (DPA) for criminal FCPA violations, the Oracle SEC Complaint for books and records violations and the Eli Lilly and Company (Lilly) SEC Compliant for books and records violations. Each of these enforcement actions had different FCPA violations and they each revealed separate steps which a company should take to both prevent and detect FCPA violations in their company.

Smith & Nephew

On February 1, 2012, the DOJ announced that it entered into a DPA with Smith & Nephew, Inc., a medical equipment manufacturer, for violations of the FCPA. The violations revolved around Greek distributors of S&N who paid bribes to Greek doctors so that they would purchase and use S&N products. According to the Criminal Information, “S&N, certain of its executives, employees, and affiliates agreed to sell to [the] Greek Distributor at full list price, then pay the amount of the distributor discount – between 25 and 40 percent of the sales made by [the] Greek Distributor – to an off-shore shell company controlled by [the] Greek Distributor, in order to provide off-the-books funds for [the] Greek Distributor to pay cash incentives and other things of value to publicly-employed Greek HCPs to induce the purchase of S&N products, while concealing the payments.” Additionally, S&N “falsely recorded or otherwise accounted for the payments to the shell companies on its books and records as ‘marketing services’ in order to conceal the true nature of the payments in the consolidated books and records of S&N and GmbH.”

Oracle

Oracle got into FCPA hot water because its Indian subsidiary directed its distributor to set up a separate slush fund of monies which could be, and were, used to pay monies to persons unknown. As specified in the SEC Compliant, “certain Oracle India employees created extra margins between the end user and distributor price and directed the distributors to hold the extra margin in side funds. Oracle India’s employees made these margins large enough to ensure a side fund existed to pay third parties. “At the direction of the Oracle India employees, the distributor then made payments out of the side funds to third parties, purportedly for marketing and development expenses.” The SEC Compliant noted that “about $2.2 million in funds were improperly “parked” with the Company’s distributors.” To compound this problem, employees of Oracle India concealed the existence of this side fund from Oracle in the US and hence there was an incorrect accounting in Oracle’s books and records.

Lilly

In Brazil, Lilly used the distributor model to market its drugs through third-party distributors who then resold these products to public and private entities. As noted by Matt Ellis, in his post entitled “Eli Lilly’s Distributor in Brazil: The Non-Obvious FCPA Risk”, the discounts that distributors typically receive from manufacturers such as Lilly can be problematic under the FCPA because “enforcement officials can see these discounts as potential “loose money” that can be used for bribe payments. This is especially the case when the distributor is engaging in other activities on behalf of the producer, like marketing, licensing, and customs clearance.”

This was the situation that Lilly found itself in in Brazil, where Lilly sold drugs to distributors who then resold the products to both public and private entities. It was the classic distributor model where Lilly sold the drugs to the distributors at a discount and then the distributors would resell the products “at a higher price and then took their discount as compensation.” There was a fairly standard discount given to the distributors which generally ranged “between 6.5% and 15%, with the majority of distributors in Brazil receiving a 10% discount.”

However, in early 2007, at the request of a Lilly sales manager, the company awarded an unusually high discount of between 17% and 19% to a distributor for the sale of a Lilly drug to the government of one of the states of Brazil. The distributor used approximately 6% of this additional discount to create a fund to pay Brazilian government representatives to purchase the Lilly drugs from him. Further, the Lilly sales manager who requested this unusual discount was aware of the bribery scheme. Moreover, this increase in the discount was approved by the company with no further inquiry as to the reason for the request or to substantiate the basis for such an unusually high discount. If there were any internal controls they were not followed.

Prevention and Detection

These three separate bribery schemes call for three different but overlapping responses. In the case with Lilly, the SEC Complaint noted the following “Lilly-Brazil’s pricing committee approved the discounts without further inquiry. The policies and procedures in place to flag unusual distributor discounts were deficient.” Lastly, as stated by Ellis, “It noted that the company relied on representations of the sales and marketing manager without adequate verification and analysis of the surrounding circumstances of the transactions.”

The Lilly enforcement action also makes clear the need for internal audit to follow up with ongoing monitoring and auditing. Internal audit can be used to help determine the reasonableness of a commission rate outside the accepted corporate norm. As noted by Jon Rydberg, of Orchid Advisors, in an article entitled “Eli Lilly’s Remedial Efforts for FCPA Compliance – After the Fact”, the company should be “implementing compliance monitoring and corporate auditing specifically tailored to anti-corruption” for the distributor sales model.

The Oracle enforcement action demonstrates that Oracle needed to institute the proper controls to prevent its employees at Oracle India from creating and misusing the parked funds in the distributor’s account. The Company needed to audit and compare the distributor’s margin against the end user price to ensure excess margins were not being built into the pricing structure. Oracle should have sought to either (1) seek transparency in its dealing with the distributor or (2) audit third party payments made by the distributors on Oracle’s behalf, both of which would have enabled the Company to check that payments were made to appropriate recipients.

What are some of the factors that demonstrate the distributors used by S&N were fraudulent and did not have a legitimate business purpose? It was clear that S&N did not perform sufficient due diligence on these distributors nor did they document any. I would note that the distributor was domiciled in a location separate and apart, the UK, from the sole location it was designed to deliver products or services into, Greece. This clearly demonstrated that the entities were used for a purpose that the company wished to hide from Greek authorities. While it is true that a distributor might sell products into a country different than its domicile, if the products are going into a single country, this should have raised several Red Flags.

However, the biggest indicium of corruption was the amount of the commission paid. The traditional sales model for a distributor has been to purchase a product, take the title, and therefore the risk, and then sell it to an end user. Based upon this sales model, there has been a commission structure more generous than those usually accorded a reseller or sales agent, who is usually only a negotiator between the Original Equipment Manufacturer (OEM) and the end user. This difference in taking title, and risk of loss, have led to a cost structure which has provided a deeper discount of pricing for distributors than commission rates paid to resellers or sales agents. The sales structure used by S&N had pricing discounts of between 26-40% off the list price. Further, this money was used precisely to pay bribes to Greek Doctors to use S&N products.

These three enforcement actions make clear that distributors will be treated like any other representative in the sales chain. This means that distributors need to go through the same rigorous due diligence and review, contracts and management going forward as agents or resellers.

© Thomas R. Fox, 2013

Leave a Comment

December 20, 2012

The CCO: Co-Equal to the General Counsel in the Eyes of the DOJ

Filed under: Best Practices,Chief Compliance Officer,compliance programs,Department of Justice,FCPA,FCPA Guidance,SEC — tfoxlaw @ 1:04 am
Tags: best practices, compliance programs, Department of Justice, DOJ, DPA, ethical leadership, FCPA, NPA, SEC

One of the items that the Department of Justice (DOJ) has increasingly focused on in its enforcement actions is the role of the Chief Compliance Officer (CCO) and whether this position has adequate staffing and resources to accomplish its mandated tasks in a minimum best practices compliance program under the Foreign Corrupt Practices Act (FCPA). In the recent Pfizer Deferred Prosecution Agreement (DPA), it stated regarding the CCO position (called Chief Compliance and Risk Officer) that:

Pfizer will:

a. Maintain the appointment of a senior corporate executive with significant experience with compliance with the FCPA, including its anti-bribery, books and records, and internal controls provisions, as well as other applicable anticorruption laws and regulations (hereinafter “anti-corruption laws and regulations”) to serve as Chief Compliance and Risk Officer. The Chief Compliance and Risk Officer will have reporting obligations directly to the Chief Executive Officer and periodic reporting obligations to the Audit Committee of the Board of Directors.

Regarding the resources which should be dedicated to the compliance function, the Pfizer DPA stated:

Pfizer has committed and will continue the commitment of significantly enhanced resources for the international functions of the Compliance Division that have reporting obligations through the Chief Compliance…

The Pfizer DPA is one in a line of DPAs and Non-Prosecution Agreements (NPAs) where the DOJ and the Securities and Exchange Commission (SEC) have made clear that the CCO must be a senior level employee within the company. I think that this requirement is absolutely mandatory to not only set the proper tone within a company but also to give the CCO and the compliance function the clout needed to implement, enhance and run a minimum best practices FCPA compliance program.

Indeed, in the recently released FCPA Guidance, the DOJ and SEC made clear that in appraising a compliance program; [we] “consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively. Adequate autonomy generally includes direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee). Depending on the size and structure of an organization, it may be appropriate for day-to-day operational responsibility to be delegated to other specific individuals within a company. The DOJ and SEC recognize that the reporting structure will depend on the size and complexity of an organization. Moreover, the amount of resources devoted to compliance will depend on the company’s size, complexity, industry, geographical reach, and risks associated with the business. In assessing whether a company has reasonable internal controls, the DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.” [Emphasis supplied]

I think that the DOJ and SEC are moving companies to not only have more robust compliance programs but the CCOs and their programs must be adequately situated within the organization and adequately funded. For CCOs I think that this means they should be at a level in the organization equal to the General Counsel (GC) and compensated at an amount equal to the GC. The reason is clear, the DOJ and SEC expect the compliance function to be a leadership function within the company’s structure and given all the respect due such a position. The days where the compliance function is viewed as something other than legal work are long gone and companies need to have their CCOs at least equivalent to their GCs. I also think that this always means the CCO must sit on a company’s Executive Leadership Team (ELT). Once again the reason is clear, Compliance must not only be shown to be Mission 1A (Safety being Mission 1) but the CCO can only manage the compliance risk if it has a seat at the executive leadership table.

These comments are consistent with the US Sentencing Guidelines which were revised in November 2010. In these revisions, there was a change in the reporting structure in corporations where the CCO reported to the GC rather than a committee on the Board of Directors. The change read “the individual…with operational responsibility for the compliance and ethics program…have direct reporting obligations to the governing authority or any appropriate subgroup… (e.g. an audit committee or the board of directors)”. If a company has the CCO reporting to the GC, who then reports to the Board, such structure most probably no longer qualifies as an effective compliance and ethics program under the amended Sentencing Guidelines. The better practice would now appear to be that the CCO should be a direct report to the Board or appropriate subcommittee of the Board such as compliance or audit.

Equally important are the resources dedicated to the compliance function. My colleague Stephen Martin, a former state and US prosecutor, gives this rather straight-forward example of a question that a prosecutor would ask when confronted by a company that provides limited internal funding to the compliance function. He would ask how much does your company spend on yellow post-it notes (or paper clips or pens)? If the answer is significantly more funding than is afforded to the compliance function, his response would be “Which area is more mission-critical to complying with the FCPA; your compliance function or yellow post-it notes?”

The DOJ is clearly signally the increased importance of the CCO. The position should be viewed as co-equal to the GC. Just as clearly, the DOJ has signaled that an appropriate level of resources should be devoted to the compliance function. By following these evolving best practices you can add to the credibility of your defenses if your company becomes involved in a FCPA investigation or enforcement action.

© Thomas R. Fox, 2012

Leave a Comment

September 26, 2012

Tyco International – The Importance of the Books and Records under the FCPA

Filed under: Books and Records,compliance programs,Deferred Prosecution Agreement,Department of Justice,FCPA,SEC — tfoxlaw @ 1:48 am
Tags: Department of Justice, DOJ, DPA, FCPA, NPA, SEC, Tyco

On Monday, the Securities and Exchange Commission (SEC) and Department of Justice (DOJ) announced settlement with Tyco International (Tyco) for books and records violation of the Foreign Corrupt Practices Act (FCPA). Tyco agreed to a fine of $26MM for “at least twelve different, post-injunction illicit payment schemes occurring at Tyco subsidiaries across the globe. The schemes frequently entailed illicit payments to foreign officials that were inaccurately recorded so as to conceal the nature of the payments” and failure “to devise and maintain internal controls sufficient to provide reasonable assurances that all transactions were properly recorded in the company’s books, records, and accounts”. $10,564,992 of the fine was paid in disgorgement and an additional $2,566,517 in prejudgment interest was paid to the SEC and the remainder of $13.68MM was paid as fine to the DOJ. All of this was discovered because Tyco was already a FCPA violator, having admitted to violations back in 2006 and these additional violations were discovered as a part of a companywide review required under its 2006 Deferred Prosecution Agreement (DPA). Tyco received a Non-Prosecution Agreement (NPA) from the DOJ for this post-DPA conduct and I will discuss the NPA in a subsequent post.

While a large portion of the FCPA commentaratti focused on the damning email which read “”Hell, everyone knows you have to bribe somebody to do business in Turkey. Nevertheless, I’ll play it dumb”; another portion of the commentaratti seemed somewhat amazed that hiding bribery and corruption in a company’s books and records is a stand-alone violation of the FCPA. As part of the 2006 settlement Tyco agreed to engage in a companywide review of its operations to determine if there was “anything else”. Not only did it turn out there was something else “rotten in Denmark” but this bribery and corruption continued after the first enforcement action. This companywide review determined that Tyco had engaged in “illicit payment schemes”; that these bribery schemes “were inaccurately recorded so as to conceal the nature of the payments” and Tyco “failed to devise and maintain internal controls sufficient to provide reasonable assurances that all transactions were properly recorded in the company’s books, records, and accounts.”

So with a nod to the final week of the baseball season we present the Tyco Bribery Box Score

Subsidiary Location	Bribe Amount Paid	Inaccurate Books and Records Description
Turkey	Not reported	Equipment sold at a mark-up over invoice price
China	$3700	Commission to sales team
Germany	Not reported	Commission to sales team
France	Not reported	Commissions to agents for ‘business introductions’
China-different sub	$483K	Commissions to agent
Thailand	$50K	Renovation work
Malaysia	Not reported	Commissions to agents
Egypt	$282K	Disguised as inflated invoices from agent
Saudi Arabia	Not reported	Promotional expenses and sales development
Poland	Not reported	Bogus service contracts

What I find so interesting about all of this is that it occurred, in large part, after the 2006 DPA. As Bill Clinton might say, “It takes some brass” to initiate or continue a bribery scheme while you are under a DPA for FCPA violations. With the above in mind I was intrigued by an article in the Navigant Quarterly, 2012 Volume 1, Issue 13, entitled “If You Think You Are Done Looking…Keep Looking”, by Eileen Felson and Nicole Wrigley. In their article, the authors note that “every fraud has to be hidden somewhere on a company’s books. Most financial statement frauds grow in size, scope and duration.” The authors also talk about “collusive fraud” which is the situation where “fraudsters work together to manipulate the balance sheet and actually launder the fraud through various accounts.” It sounds like a description of the machinations folks must go through to hide corrupt payments while under a FCPA DPA. Although the authors specifically address frauds, their concepts are certainly broad enough to include bribery and corruption.

The authors detail several types of corrupt practices and end their article with some tips on investigation. They note that the “logical start-off point in conducting a forensic investigation of how a fraud was committed includes a detailed review of revenue and expense account activity.” But more importantly, a forensic examiner must keep looking. The reason for this is simply because if evidence of bribery or corruption is found in one area the entire scheme is revealed. Therefore a forensic examiner needs to review unrelated accounts to see if there are other indicia of corruption.

What does all of this mean for a compliance program? There is some very clear guidance for the role of Internal Audit in detecting bribery and corruption in a best practices FCPA compliance program. First and foremost, if there are any types of commission payments being made, Internal Audit needs to review the documentation supporting why such payments are being made. A review of contracts or other legal requirements which may obligate a company to make such payments should be a basic undertaking in any internal audit. After an internal auditor has determined if commission payments are legally authorized, the internal auditor should review evidence that such commission payments have been earned. In other words, is there any evidence in the company’s books and records that the person or entity performed the services which might have entitled them to such commission payments? And do not forget that another role for Internal Audit is to correctly classify payments so that the books and records of the company accurately reflect them as expenses.

The Tyco SEC Compliant is chocked full of information regarding what an internal auditor needs to look for in reviewing expenses charged by employees; commissions paid to employees; invoices by agents and other third party representatives and over-inflated sales contracts; all used to disguise corrupt payments. The sad fact, as noted by authors Felson and Wrigley, is that many corruption schemes are not “committed for personal gain (such as stealing cash) but for other incentives, such as continued employment/advancement, fear of delivering bad news to investors or an intimidating supervisor, or a desire to increase the value of performance-based bonuses.” While it is not clear why it took Tyco so long to uncover these ongoing acts of bribery and corruption or why Tyco employees continued to engage in conduct violative of the FCPA while under a DPA; I think that the Tyco example speaks to the need for an overall, comprehensive robust compliance program that focuses on all factors which led to the continued bribery and corruption in the company which was reported in the SEC Complaint.

© Thomas R. Fox, 2012

Leave a Comment

September 13, 2012

Sometimes No Evidence is Meaningless: Voluntary Disclosure under the FCPA

Filed under: Deferred Prosecution Agreement,Department of Justice,Enforcement Actions,FCPA,SEC,Self-Disclosure — tfoxlaw @ 1:02 am
Tags: Department of Justice, DOJ, DPA, FCPA, SEC

The Foreign Corrupt Practices Act (FCPA) world went crazy last week with headlines along the lines of “No credit for self-reporting”; “No credit for cooperation”; and “Voluntary disclosure doesn’t change penalties”. All of these pronouncements were based upon a draft study done by Professors from the New York University School of Law (NYU School of Law) in an attempt to provide an answer. As reported by Sam Rubenfeld in Corruption Currents, in an article entitled “Study Says Voluntary Disclosure Doesn’t Change FCPA Penalties”, the study, which examines US anti-bribery enforcement actions from 2004 through 2011, found no evidence that voluntary disclosure of wrongdoing results in lesser penalties. He also quoted one of the study’s co-authors Kevin E. Davis, a Vice Dean at NYU School of Law, who said in an email, “We cannot rule out the possibility that voluntary disclosure does result in some form of leniency”.

However, if one reads the study by Davis and Stephen Choi, entitled “Foreign Affairs and Enforcement of the Foreign Corrupt Practices Act”, it becomes clear that the purpose of the study was to test “the extent to which four broad theories explain the recent pattern of enforcement of the FCPA.” Using a dataset of FCPA cases resolved from 2004 to 2011, the inquiry revolved around the extent to which these four theories explain variations in the treatment of actors who violate the FCPA.

I. Proportionality Theory

The first theory is described by the authors as the “most consistent with the text of the relevant legislation, guidelines and international conventions.” Not surprising given its names, this theory “suggests that differences in treatment of defendants will depend entirely on differences in their moral culpability. This may reflect the idea that the purpose of the FCPA is to make a statement that bribery is equally immoral regardless of where it takes place. Alternatively, proportionality may reflect an attempt to apply deterrence optimally (at least in a rough sense), imposing greater sanctions on more egregious and extensive harms all other things being equal (such as detection probability).” Interestingly, and I find somewhat unpersuasively, the authors believe that the Proportionality Theory contrasts with the three other theories because the Proportionality Theory “is inherently parochial because it suggests that patterns of enforcement will not be affected by foreign policy considerations or the presence (or absence) of foreign regulators.”

II. Altruism Theory

The second theory suggests that FCPA enforcement is influenced by foreign policy considerations. The authors believe that the Altruism Theory “suggests that the FCPA will be enforced with a view to the interests of foreign actors, with U.S. enforcement making up for the shortcomings of foreign states that are not capable of regulating transnational activity on their own. On this account, differences in treatment of defendants might be explained by the needs or institutional capacity of the country whose official has been bribed.”

III. Self-Interest Theory

This third theory suggests that US enforcement will tend to promote the interests of the US. This implies that factors such as the nationality of the defendant and the extent to which the misconduct prejudiced US firms ought to be taken into account.

IV. Coordination Theory

The fourth theory suggests that US officials’ enforcement decisions will be influenced by the actions of foreign regulators, such as those at the UK Serious Fraud Office (SFO) or the German prosecutors in the Siemens case. The authors posit that these overseas regulators might “complement U.S. enforcement actions by helping to gather evidence. Alternatively, foreign regulators might impose sanctions that serve as substitutes for U.S. enforcement.”

So what did the authors conclude? First, they found “support for the hypothesis that Proportionality drives the SEC [Securities and Exchange Commission] and DOJ [Department of Justice] in specific cases. Once a case is filed, the sanction imposed in a FCPA action increases with the size of the bribe, the profit related to the bribe, and the amount of business affected by the bribe. The sanction also increases with measures of the extensiveness of the FCPA violation, including, in particular, whether a subsidiary is sufficiently involved to face separate FCPA charges.” Second, the authors found “mixed support for our Altruism theory. Sanctions in individual FCPA actions do not vary with the underlying economic development, as measured by GNI [Gross National Income] per capita, or strength of legal institutions, as measured by World Bank rule of law scores. In contrast, Altruism does appear important in how the DOJ and SEC distribute sanctions among violation countries.” Third, the authors found “mixed evidence that Self-Interest motivates the SEC and DOJ. The SEC and DOJ impose greater sanctions, all other things being equal, on foreign companies.” Finally, for the fourth theory the authors found there is “mixed evidence on the Coordination theory. At the level of individual FCPA actions, we find that the activity of a foreign regulator (both an investigation as well as a sanction) correlates with significantly higher and not lower sanctions.”

The authors ultimately found “evidence that the magnitude of sanctions imposed on defendant companies in FCPA actions depends not only on what they did but where they are from and where they committed their violations.” Personally I do not see such a finding as unreasonable, unwarranted or even surprising. FCPA prosecutions are based upon the US Sentencing Guidelines and the DOJ has, for some time, set out the formulas under which it determines a range of proposed fines and penalties. This range is certainly influenced by self-disclosure as it is one of the listed factors for determining the range. However, it is only one of many factors and it is possible to see the reduction in any number of recent Deferred Prosecution Agreements (DPAs). So quoting from the BizJet DPA is the following:

(g)(1) The organization, prior to imminent threat of disclosure or government investigation and within a reasonably prompt time after becoming aware of the offense, reported the offense to appropriate governmental authorities, fully cooperated in the investigation, and clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct

This is not a DOJ guideline but was derived by the US Sentencing Guidelines, which are promulgated by the US Sentencing Commission and passed upon by Congress. Do I wish there was a specific line item for early, self-disclosure; you bet I do but there is not. Self-disclosure is lumped in with cooperation, recognition of responsibility for criminal conduct. How much is self-disclosure worth? It could be 25% or not, there is simply no way to know with the current system, under which the DOJ is mandated to operate. Conversely, will your company be penalized if they do not self-disclosure? Once again there is no way to know. So sometimes no evidence has meaning and sometimes it does not.

© Thomas R. Fox, 2012

Leave a Comment

August 14, 2012

Pfizer DPA Part III – What Does It All Mean?

Filed under: Agents,Best Practices,Board of Directors,Code of Conduct,compliance programs,Deferred Prosecution Agreement,Department of Justice,Discipline,Enforcement Actions,FCPA,Mergers and Acquisition — tfoxlaw @ 6:06 am
Tags: compliance programs, Department of Justice, DOJ, DPA, Due Diligence, ethical leadership, FCPA, Pfizer

Last week I began an exploration of the Pfizer Deferred Prosecution Agreement (DPA) which was announced last week by the Department of Justice (DOJ) in connection with its settlement of Foreign Corrupt Practices Act (FCPA) violations. In Part I, I reviewed the Corporate Compliance Obligations, Attachment C.1. In Part II, I reviewed the Enhanced Compliance Obligations, Attachment C.2 and Corporate Reporting Obligation, Attachment C.3, which Pfizer agreed to implement and operate under. In Part III, I will discuss some of the implications raised by the Pfizer DPA for the compliance practitioner.

Below is a comparison chart of the minimum best practices compliance program as set out in the Panalpina DPA and all DPAs coming forward with the minimum best practices compliance program as set out in the Pfizer DPA. While the number of compliance obligations is somewhat different, when read in conjunction with the Enhanced Compliance Obligations of Attachment C.2, there is not significant difference. Therefore, and initially, the compliance practitioner must read both the Corporate Compliance Obligations and Enhanced Compliance Obligations in conjunction with each other.

CORPORATE COMPLIANCE COMPARISON CHART

Panalpina Minimum Best Practices	Pfizer 9 Point Corporate Compliance Program
1. Code of Conduct. To ensure against FCPA violations.	1. Clearly articulated corporate policy against FCPA violations.
2. Tone at the Top. A company will ensure that its senior management provides visible support and commitment to its corporate anti-corruption policy.	2. Promulgation of compliance standards and procedures designed to reduce the prospect of violations of the anti-corruption laws and Pfizer’s compliance code.
3. Written policies and procedures. Should be created in the following areas (a) gifts; (b) hospitality, entertainment, and expenses; (c) customer travel; (d) political contributions; (e) charitable donations and sponsorships; (f) facilitation payments; and (g) solicitation and extortion.	3. Assignment of one or more senior corporate execs for implementation and oversight of compliance program. They shall report to the Board.
4. Risk Assessment. Perform risk assessment and use it to inform your compliance program. 9(b)-internal and confidential reporting system.	4. Effective communication of the compliance policies including training and certification of training.
5. Annual Reviews. No less than annually, a company should review and update as appropriate to ensure continued compliance program effectiveness.	5. An effective system for reporting illegal conduct or violations of the company anti-corruption program.
6. Senior Management Oversight and Reporting. Assignment of one or more senior corporate executives for implementation & oversight of compliance program and they shall report to Board of Directors	6. Appropriate disciplinary procedures.
7. Internal controls. These should include financial and accounting procedures which should ensure that the company has accurate and fair books and records, which cannot be used for or conceal bribery.	7. Appropriate due diligence for retention and oversight of agents and business partners.
8. Training. A company shall effectively communicate compliance program through training and annual certifications	8. Standard compliance terms and conditions in contracts including (1) reps and undertakings re: anti-corruption compliance; (2) right to audit; and (3) right to terminate for breach thereof.
9. Advice and Guidance. The Company should establish or maintain an effective system for: (a) Providing guidance; (b) Internal and confidential reporting; and (c) Responding to such requests and undertaking appropriate action in response to such reports.	9. Periodic testing of Pfizer compliance code and anti-corruption procedures.
10. Discipline. A company shall institute appropriate disciplinary procedures to address violations compliance policy or ant-corruption laws.
11. Third Party Reps. (a) Properly documented risk-based due diligence and regular oversight of agents and business partners; (b) Informing agents and business partners of the compliance standards; and (c) Seeking a reciprocal commitment from agents and business partners.
12. Compliance terms and conditions. Should be included in every agent agreement.
13. Ongoing Assessment. Period review and testing of compliance program to evaluate it and improve the program’s effectiveness.

In addition to a Chief Compliance Officer (CCO) and Risk Officer (RO) who will have report directly to the Chief Executive Officer (CEO), there was further specified requirements for compliance leads to be appointed with responsibility for each of its business units who would in turn report to the CCO and RO or General Counsel (GC). Finally, similar to the situation we observed in the Halliburton settlement of its shareholder derivative action, Pfizer will have an Executive Compliance Committee, which will sit below the Board of Directors to oversee Pfizer’s compliance program.

The Enhanced Compliance Obligations require that Pfizer maintain policies and procedures regarding gifts, hospitality, and travel in each jurisdiction that are appropriately designed to prevent violations of the anti-corruption laws and regulations, presumably tailored to each jurisdiction. This statement would seem to focus on reasonableness not only in terms of monetary value but also in factoring in the jurisdiction where the gift or hospitality is to be provided. Finally, and as always, travel and training must have a business purpose.

There was a very detailed plan laid out for a risk-based program of annual proactive anti-corruption reviews of high-risk markets. It consists of five markets which are at high risk for corruption because of the business and location. The specifics for each visit will be a useful guide for the compliance practitioner to compare with similar work done by his compliance group. It includes (a) On-site visits by an FCPA review team comprised of qualified personnel from the Compliance, Audit and Legal functions who have received FCPA and anti-corruption training; (b) Review of a representative sample, appropriately adjusted for the risks of the market, of contracts with, and payments, to individual foreign government officials or health care providers, as well as other high-risk transactions in the market; (c) Creation of action plans resulting from issues identified during the proactive reviews; these action plans will be shared with appropriate senior management and should contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations; and (d) a review of the books and records of a sample of distributors which, in the view of the FCPA proactive review team, may present corruption risk.

Interesting, the DPA specifies that Pfizer will maintain “significant” resources for the compliance function. These significant resources will be dedicated to several different types of compliance tools, including (a) an international investigations group charged with responding to and investigating anti-corruption compliance issues and ensuring that appropriate remedial measures are undertaken after the completion of an investigation; (b) an anti-corruption program office providing centralized assistance and guidance regarding the implementation, updating and revising of the FCPA Procedure, the establishment of systems to enhance compliance with the FCPA Procedure, and the administration of corporate-level training and annual anti-corruption certifications; and (c) a mergers and acquisitions (M&A) compliance team designed to support early identification of compliance risks associated with complex business transactions and to ensure the integration of Pfizer’s compliance procedures into newly acquired entities. There was a slightly different time schedule listed for Pfizer to complete post-acquisition auditing, training and implementation of the Pfizer compliance program into the acquired company. I have added to my recent FCPA M&A Box Score Summary.

Time Frames	Halliburton 08-02	J&J	DS&S	Pfizer
FCPA Audit	High Risk Agents - 90 days Medium Risk Agents - 120 Days Low Risk Agents - 180 days	18 months to conduct full FCPA audit	As soon “as practicable”	One year
Implement FCPA Compliance Program	Immediately upon closing	12 months	As soon “as practicable”	One year
Training on FCPA Compliance Program	60 days to complete training for high risk employees, 90 days for all others	12 months to complete training	As soon “as practicable”	One Year

While there was no new language regarding risk evaluation, due diligence on, or other management of third party business parties, the DPA did specify that when it is appropriate on the basis of a FCPA risk assessment, the company will provide FCPA and anti-corruption training to relevant agents and business partners, at least once every three years.

The company is also to use annual certifications from senior managers in each of Pfizer’s Business Units, Divisions, and operational functions confirming that their standard operating procedures adequately implement Pfizer’s anti-corruption policies, procedures and controls, including training requirements; that they have reviewed and followed up on any issues identified in FCPA trend analyses; and that they are not aware of any FCFA or other corruption issues that have not already been reported to the Compliance Division or the Legal Division.

There is a wealth of information in the Pfizer DPA and other documents relating to its resolution of these FCPA issues. I would commend all the documents to you to read and see what areas your company may need to look at more closely and how these Compliance and Enhanced Compliance Obligation Attachments may provide insight into areas where you might be lacking or need to enhance your compliance program and coverage. These enhanced obligations could well become the new minimum best practices in the FCPA compliance arena.

Leave a Comment

June 22, 2012

Take the A Train to Find Your Compliance Team

Filed under: Chief Compliance Officer,compliance programs,Corporate Monitors — tfoxlaw @ 6:14 am
Tags: Department of Justice, DOJ, DPA, FCPA

Some organizations, such as the SCCE provide specialized training for compliance professionals. Others, such as Trace International, are beginning to offer such specialization and certification. My This Week in FCPA Colleague Howard Sklar wrote a great piece last year on who to call when you need some serious help for a Foreign Corrupt Practices Act (FCPA) issue, entitled “Getting Advice”, other than calling Ghostbusters it is the best single source for who you should call when the FCPA going gets tough.

However, as the compliance field evolves and matures, the need for more experienced compliance professionals continues to grow, there is the need to hire top notch compliance talent to do the day-to-day work of implementing, enhancing or running a compliance program. Where can you go if you want to hire some experienced compliance professionals to insert in your organization who can hit the ground running? I thought about that question when reading a book review of David Schiff’s “The Ellington Century” in a recent issue of the Times Literary Supplement. In this review, entitled “Sentimentals”, Stephen Brown noted that Ellington’s instrument was his band. While the Duke was very good at spotting talent, he was willing “to let it have its own voice, and more, to highlight and showcase it, and most importantly to involve it in the creative process.” When a musician came out of the Ellington Band, they had worked steadily with other great musicians and had learned from one of the greatest composers and arrangers of the past century.

How does that relate to finding some top notch compliance talent? It means there is no better place to look than people who have worked where compliance is under the microscope, usually because of a Department of Justice (DOJ) investigation or company which is under a Deferred Prosecution Agreement (DPA). In Houston one company that went through that process was BakerHughes. It’s Chief Compliance Officer (CCO), Jay Martin, is recognized as one of the leaders in our field not only here in Houston but across the country. The team Jay put together has now fanned out to become CCO’s at several other major companies here in Houston. Dan Chapman is the CCO at Parker Drilling, Brian Moffatt is the CCO at ENSCO, Rod Hardie is the CCO at Exterran and most recently Doug Walter was named as CCO at the newly formed company (albeit with a long and storied name) Phillips 66. There are probably others as well but I have worked or been on panels with each of the above folks and I can attest, they have all learned their compliance stuff and understand how to practice compliance.

Another place you can look is to law firms which have performed monitoring services. But here I would suggest that you look to the associate ranks for the lawyer who generally did the day-to-day spade work for the lead lawyer who had been appointed monitor. In my last corporate position, my company was under a Monitorship and we worked closely with the full team of lawyers in the law firm to implement, train and operate the company’s compliance program. Several of the former associates from the firm now hold prominent in-house positions and the experience they gained in their oversight roles was no doubt very instrumental in their current level of (compliance) experience.

The talent is out there. If you wanted a very good musician for a project, last century you could turn to an alumna of Ellington’s band. In the compliance arena, you can do no better than hiring someone who has been under the gun, so to speak, and worked for or with a company under significant DOJ scrutiny. So, sit back, listen to some great music by the Duke and ask around about who has gone through such an experience. If you want to populate your compliance team, it is a great way to do so.

© Thomas R. Fox, 2012

Comments (1)

June 20, 2012

The DOJ Listens: the Evolution of FCPA Compliance in M&A

Filed under: Best Practices,Department of Justice,FCPA,Johnson & Johnson,Mergers and Acquisition,Opinion Releases — tfoxlaw @ 5:59 pm
Tags: DPA, DS&S, FCPA, M&A

Earlier this week the US Department of Justice (DOJ) released a Deferred Prosecution Agreement (DPA) with the company Data Systems & Solutions (DS&S). I explored the factual allegations against DS&S and the highlights of the DPA in yesterday’s post. Today I want to discuss the DS&S DPA in the context of the DOJ’s evolution in thinking regarding what a company can do to protect itself under the Foreign Corrupt Practices Act (FCPA) when it purchases another entity or otherwise engages in mergers and acquisitions (M&A) work. In other words, forces the evolution of best practices.

Previously many compliance practitioners had based decisions in the M&A context on DOJ Opinion Release 08-02 (08-02), which related to Halliburton’s proposed acquisition of the UK entity, Expro. In the spring of 2011, the Johnson & Johnson (J&J) DPA changed the perception of compliance practitioners regarding what is required of a company in the M&A setting related to FCPA due diligence, both pre and post-acquisition. On June 18, the DOJ released the DS&S DPA which brought additional information to the compliance practitioner on what a company can do to protect itself in the context of M&A activity.

Opinion Release 08-02 began as a request from Halliburton to the DOJ from issues that arose in the pre-acquisition due diligence of the target company Expro. Halliburton had submitted a request to the DOJ specifically posing these three questions: (1) whether the proposed acquisition transaction itself would violate the FCPA; (2) whether, through the proposed acquisition of Target, Halliburton would “inherit” any FCPA liabilities of Target for pre-acquisition unlawful conduct; and (3) whether Halliburton would be held criminally liable for any post-acquisition unlawful conduct by Target prior to Halliburton’s completion of its FCPA and anti-corruption due diligence, where such conduct is identified and disclosed to the Department within 180 days of closing.

I. 08-02 Conditions

Halliburton committed to the following conditions, if it was the successful bidder in the acquisition:

Within ten business days of the closing, Halliburton would present to the DOJ a comprehensive, risk-based FCPA and anti-corruption due diligence work plan which would address, among other things, the use of agents and other third parties; commercial dealings with state-owned customers; any joint venture, teaming or consortium arrangements; customs and immigration matters; tax matters; and any government licenses and permits. The Halliburton work plan committed to organizing the due diligence effort into high risk, medium risk, and lowest risk elements.

a) Within 90 days of Closing. Halliburton would report to the DOJ the results of its high risk due diligence.

b) Within 120 days of Closing. Halliburton would report to the DOJ the results to date of its medium risk due diligence.

c) Within 180 days of Closing. Halliburton would report to the DOJ the results to date of its lowest risk due diligence.

d) Within One Year of Closing. Halliburton committed full remediation of any issues which it discovered within one year of the closing of the transaction.

Many lawyers were heard to exclaim, “What an order, we cannot go through with it.” However, we advised our clients not to be discouraged because 08-02 laid out a clear road map for dealing with some of the difficulties inherent in conducting sufficient pre-acquisition due diligence in the FCPA context. Indeed the DOJ concluded 08-02 by noting, “Assuming that Halliburton, in the judgment of the Department, satisfactorily implements the post-closing plan and remediation detailed above… the Department does not presently intend to take any enforcement action against Halliburton.”

II. Johnson & Johnson “Enhanced Compliance Obligations”

Attachment D of the J&J DPA, entitled “Enhanced Compliance Obligations”, is a list of compliance obligations in which J&J agreed to undertake certain enhanced compliance obligations for at least the duration of its DPA beyond the minimum best practices also set out in the J&J DPA. With regard to the M&A context, J&J agreed to the following:

7. J&J will ensure that new business entities are only acquired after thorough FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. Where such anti-corruption due diligence is not practicable prior to acquisition of a new business for reasons beyond J&J’s control, or due to any applicable law, rule, or regulation, J&J will conduct FCPA and anti-corruption due diligence subsequent to the acquisition and report to the Department any corrupt payments, falsified books and records, or inadequate internal controls as required by … the Deferred Prosecution Agreement.

8. J&J will ensure that J&J’s policies and procedures regarding the anti-corruption laws and regulations apply as quickly as is practicable, but in any event no less than one year post-closing, to newly-acquired businesses, and will promptly, for those operating companies that are determined not to pose corruption risk, J&J will conduct periodic FCPA Audits, or will incorporate FCPA components into financial audits.

a. Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to J&J, on the anticorruption laws and regulations and J&J’s related policies and procedures; and

b. Conduct an FCPA-specific audit of all newly-acquired businesses within 18 months of acquisition.

These enhanced obligations agreed to by J&J in the M&A context were less time sensitive than those agreed to by Halliburton in 08-02. In the J&J DPA, the company agreed to following time frames:

A. 18 Month - conduct a full FCPA audit of the acquired company.

B. 12 Month - introduce full anti-corruption compliance policies and procedures into the acquired company and train those persons and business representatives which “present corruption risk to J&J.”

So there is no longer a risk based approach as set out in 08-02 and the tight time frames are also relaxed. Once again we applaud the DOJ for setting out specific information for the compliance practitioner through the release of the J&J DPA. As many have decried 08-02 is a standard too difficult to satisfy in the real world of time constraints and budget cuts, the “Acquisition” component of the J&J DPA should provide those who have made this claim with some relief.

III. DS&S

In the DS&S DPA there are two new items listed in the Corporate Compliance Program, attached as Schedule C to the DPA, rather than the standard 13 items we have seen in every DPA since at least November 2010. The new additions are found on items 13 & 14 on page C-6 of Schedule C and deal with mergers and acquisitions. They read in full:

13. DS&S will develop and implement policies and procedures for mergers and acquisitions requiring that DS&S conduct appropriate risk-based due diligence on potential new business entities, including appropriate FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. If DS&S discovers any corrupt payments or inadequate internal controls as part of its due diligence of newly acquired entities or entities merged with DS&S, it shall report such conduct to the Department as required in Appendix B of this Agreement.

14. DS&S will ensure that DS&S’s policies and procedures regarding the anticorruption laws apply as quickly as is practicable to newly acquired businesses or entities merged with DS&S and will promptly:

a. Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to DS&S, on the anti-corruption laws and DS&S’s policies and procedures regarding anticorruption laws.

b. Conduct an FCPA-specific audit of all newly acquired or merged businesses as quickly as practicable.

This language draws from and builds upon the prior Opinion Release 08-02 regarding Halliburton’s request for guidance and the J&J Enhanced Compliance Obligations incorporated into its DPA. While the DS&S DPA does note that it is specifically tailored as a solution to DS&S’s FCPA compliance issues, I believe that this is the type of guidance that a compliance practitioner can rely upon when advising his or her clients on what the DOJ expects during M&A activities.

FCPA M&A Box Score Summary

Time Frames	Halliburton 08-02	J&J	DS&S
FCPA Audit	High Risk Agents - 90 days Medium Risk Agents - 120 Days Low Risk Agents - 180 days	18 months to conduct full FCPA audit	As soon “as practicable”
Implement FCPA Compliance Program	Immediately upon closing	12 months	As soon “as practicable”
Training on FCPA Compliance Program	60 days to complete training for high risk employees, 90 days for all others	12 months to complete training	As soon “as practicable”

I believe that the DOJ does listen to the concerns of US companies about issues relating to FCPA enforcement, which is consistent with its duty to uphold that law. Last month we saw the issue of the Morgan Stanley declination in the context of the Garth Peterson FCPA prosecution. With the DS&S DPA, there is clearly more flexible language presented in the context of M&A work and potential liability for ‘buying a FCPA claim.’

Leave a Comment

DS&S DPA: Lessons Learned for the Compliance Practitioner

On Monday, June 18, the Department of Justice (DOJ) announced the resolution of a matter involving violations of the Foreign Corrupt Practices Act (FCPA) by Data Systems & Solutions LLC (DS&S), a US entity based in Virginia. The settlement resulted in the company agreeing to a two year and 7 day Deferred Prosecution Agreement (DPA). The case was interesting for a number of reasons and it has some significant lessons which the compliance practitioner can put into place in a corporate compliance program. The charges related to DS&S’s business included the design, installation and maintenance of instrumentation and controls systems at nuclear power plants, fossil fuel power plants and other critical infrastructure facilities. In reading the Criminal Information, I can only say that this was no one-off or rogue employee situation but this was a clear, sustained and well known bribery scheme that went on within the company.

I. The Criminal Information

The bribery scheme involved payments made to officials at a state-owned nuclear power facility in Lithuania, named Ignalina Nuclear Power Plant (INPP). The payments were made to allow DS&S to obtain and retain business with INPP. The Information listed contracts awarded to DS&S in the amount of over $30MM from 1999 to 2004. Significantly, DS&S did not self-disclose this matter to the DOJ but only began an investigation after receiving a DOJ Subpoena for records.

The Players Box Score

DS&S Officials	INPP Officials	Subcontractors
Exec A – VP of Marketing and Business Development (BD)	Official 1 – Deputy Head of Instrumentation and Controls Department	Subcontractor A – Simulation Technology Products and Services
	Official 2 – Head of Instrumentation and Controls Department	Subcontractor B – Beneficially owned by Official 1 and which employed INPP Officials
	Official 3 – Director General at INPP	Subcontractor C – Shell company used a funneling entity to pay bribes
	Official 4 – Head of International Projects at INPP
	Official 5 – Lead SW Engineer at INPP

The bribery scheme used by DS&S recycled about every known technique there is to pay bribes. The Information listed 51 instances of bribes paid or communications via email about the need to continue to pay bribes. The bribery scheme laid in the Information reflected the following techniques used by:

Payment of bribes by Subcontractors to Officials on behalf of DS&S;
Direct payment of bribes by DS&S into US bank accounts controlled by INPP Officials;
Creation of fictional invoices from the Subcontractors to fund the bribes;
Payment of above-market rates for services allegedly delivered by the Subcontractors so the excess monies could be used to fund bribes;
Payment of salaries to INPP Officials while they were ‘employed’ by Subcontractor B;
Providing travel and entertainment to Officials to Florida, where DS&S has no facilities and which travel and entertainment had no reasonable business purpose; and last but not least…
Purchase of a Cartier watch as a gift.

II. The Deferred Prosecution Agreement

I set out these details with some specificity for two reasons. The first is that the Information is a must read for anyone in Internal Audit who reviews books and records. It gives you the precise types of Red Flags to look for. But secondly is the fact that DS&S received a discount of 30% off the low end of the penalty range as calculated under the US Sentencing Guidelines. The calculation as listed in the DPA is as follows:

Calculation of Fine Range:

Base Fine $10,500,000

Multipliers 1.20(min)/2.40(max)

Fine Range $12,600,000/$25,200,000

The ultimate fine paid by DS&S was only $8.82MM, which the DPA states is “an approximately thirty-percent reduction off the bottom of the fine range…” So for the compliance practitioner the question is what did DS&S do to get such a dramatic reduction? We know that one thing they did NOT do was self-report as the DPA notes that this case began as a DOJ investigation and DS&S received Subpoenas “in connection with the government’s investigation.” However, after this initial delivery of Subpoenas DS&S engaged a clear pattern of conduct which led directly to this 30% discount of the low end of the fine range. The DPA reports that DS&S took the following steps:

Internal Investigation. DS&S initiated an internal investigation and provided real-time reports and updates of its investigation into the conduct described in the Information and Statement of Facts.
Extraordinary Cooperation. DS&S’s cooperation has been extraordinary, including conducting an extensive, thorough, and swift internal investigation; providing to the Department searchable databases of documents downloaded from servers, computers, laptops, and other electronic devices; collecting, analyzing, and organizing voluminous evidence and information to provide to the DOJ in a comprehensive report; and responding promptly and fully to the DOJ’s requests.
Extensive Remediation. The number of steps DS&S took in regard to remediation included the following:
- Termination of company officials and employees who were engaged in the bribery scheme;
- Dissolving the joint venture and then reorganizing and integrating the dissolved entity as a subsidiary of DS&S;
- Instituting a rigorous compliance program in this newly constituted subsidiary;
- Enhancing the company’s due diligence protocols for third-party agents and subcontractors;
- Chief Executive Officer (CEO) review and approval of the selection and retention of any third-party agent or subcontractor;
- Strengthening of company ethics and compliance policies;
- Appointment of a company Ethics Representative who reports directly to the CEO;
- The Ethics Representative provides regular reports to the Members Committee (the equivalent of a Board of Directors in a LLC); and
- A heightened review of most foreign transactions.
- Enhanced Compliance Program. More on this in the next section.
- Continued Cooperation with DOJ. The company agreed to continue to cooperate with the Department in any ongoing investigation of the conduct of DS&S and its officers, directors, employees, agents, and subcontractors relating to violations of the FCPA and to fully cooperate with any other domestic or foreign law enforcement authority and investigations by Multilateral Development Banks.

III. Enhanced Compliance Obligations

One of the interesting aspects of the DS&S DPA is that there are 15 points listed in the Corporate Compliance Program, attached as Schedule C to the DPA, rather than the standard 13 items we have seen in every DPA since at least November 2010. The new additions are found on items 13 & 14 on page C-6 of Schedule C and deal with mergers and acquisitions. They read in full:

a. Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to DS&S, on the anti-corruption laws and DS&S’s policies and procedures regarding anticorruption laws.

b. Conduct an FCPA-specific audit of all newly acquired or merged businesses as quickly as practicable.

This language draws from and builds upon the prior Opinion Release 08-02 regarding Halliburton’s request for guidance during an attempted acquisition and the Johnson and Johnson (J&J) Enhanced Compliance Obligations which were incorporated into its DPA. While the DS&S DPA does note that it is specifically tailored as a solution to DS&S’s FCPA compliance issues, I believe that this is the type of guidance that a compliance practitioner can rely upon when advising his or her clients on what the DOJ expects during Mergers and Acquisitions (M&A). The five keys under these new items, 13 & 14 highlighted above, are: (1) develop policies and procedures for M&A work prior to engaging in such transactions; (2) full FCPA audit of any acquired entities “as quickly as practicable”; (3) report any corrupt payments or inadequate internal controls it discovers in this process to the DOJ; (4) apply DS&S anti-corruption policies and procedures to the newly acquired entities; and (5) train any persons who might “present a corruption risk to DS&S” on the company’s policies and procedures and the law.

IV. Summary

The DS&S DPA provides some key points for the compliance practitioner. First and foremost, I believe that it demonstrates the reasonableness of the DOJ. The bribery scheme here was about as bad as it can get, short of suitcases of money carried by the CEO to pay bribes. The company did not self-report, yet received a significant reduction on the minimum level of fine. The specificity in the DPA allows a compliance practitioner to understand what type of conduct is required to not only avoid a much more significant monetary penalty but also a corporate monitor. Lastly, is the specific guidance on FCPA compliance in relation to M&A activities, to the extent that if anyone in the compliance arena did not understand what was required in the M&A context; this question would seem to be answered in the DS&S DPA.

Leave a Comment

FCPA Compliance and Ethics Blog

May 9, 2013

DPAs and NPAs – Useful Tools to Achieve Compliance

April 9, 2013

Why Eat Your Words When You Can Eat a Peach?

February 13, 2013

Distributors under the FCPA

December 20, 2012

The CCO: Co-Equal to the General Counsel in the Eyes of the DOJ

September 26, 2012

Tyco International – The Importance of the Books and Records under the FCPA

September 13, 2012

Sometimes No Evidence is Meaningless: Voluntary Disclosure under the FCPA

August 14, 2012

Pfizer DPA Part III – What Does It All Mean?

June 22, 2012

Take the A Train to Find Your Compliance Team

June 20, 2012

The DOJ Listens: the Evolution of FCPA Compliance in M&A

DS&S DPA: Lessons Learned for the Compliance Practitioner

January

Blogroll

Pages

Admin

Read by Email

Follow “FCPA Compliance and Ethics Blog”

May 2013
M	T	W	T	F	S	S
« Apr
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31