FCPA Compliance and Ethics Blog

July 28, 2014

Bringing It All Home, the Two Tough Cookies Wrap It Up For You, Part I

Tales from the CryptNote-I asked the Two Tough Cookies if they could put together a series of blog posts wrapping up the lessons they have seen and learned and written about in their series of Tales from the Crypt. They graciously put together a series of posts on the seven elements of an effective compliance program from their 10 tales of Business Conduct. Today, Part I of a Three Part Series…

We’ve talked a lot in our Tales from the Crypt about the signs to watch for that indicate something’s gone wrong, from minor cultural twists to lapses of integrity that are tantamount to criminal activity. We all wish we had a crystal ball we could peer into to predict how various maneuvers will translate into the larger universe of corporate culture. One of the best tools to use to gauge the cultural baseline is an organizational ethics audit, reminding yourself that “what gets reported gets measured.”

Your first hurdle, of course, is getting executive leadership to support the initiative. If they don’t support it, then you have your first cultural indicator. After all, if you have nothing to hide, you have nothing to lose by peering under the covers, now do you? So let’s assume your leadership is supportive of developing, and/or sustaining, a “high integrity” organization. So what do you want to measure? The ‘seven elements of an effective compliance program’ is a good start, but by no means exhaustive. After all, many organizations fulfill “ethics oversight” by having a CCO in title (usually, the GC or CFO), but the day-to-day oversight and management of the program is led by staff members who are not empowered to work towards positive change. You know who you are, you know the daily frustration of knowing what should be done, and what leadership will allow. So while “oversight” is met, is it really “effective?”

So let’s remind ourselves of the seven elements once again:

1. Establish Policies, Procedures and Controls

2. Exercise Effective Compliance and Ethics Oversight

3. Exercise Due Diligence to Avoid Delegation of Authority to Unethical Individuals

4. Communicate and Educate Employees on Compliance and Ethics Programs

5. Monitor and Audit Compliance and Ethics Programs for Effectiveness

6. Ensure Consistent Enforcement and Discipline of Violations

7. Respond Appropriately to Incidents and Take Steps to Prevent Future Incidents

How do these elements translate into an organizational ethics audit? And how do our 10 rules of business conduct in the workplace (from our “Tales from the Crypt” series) fit in? Let’s break it down into manageable chunks.

1. Establish Policies, Procedures and Controls

Under this “bucket” include your Code of Conduct, your Vision and Values statements for your organization, and the various policies and procedures you rely upon to get business done. What you want to know, when conducting your audit, is not just do you have these, but

  • Does your Vision statement create an actionable description of the future? If so, what is it, and more importantly, do your people know it, and understand what role they play in achieving that future?
  • Is “Integrity” one of your Values?
  • What’s the purpose and Focus of your Code of Conduct? What kind of tone does it set, is it widely distributed, prominently displayed, easy to read? Does it have learning aids, and examples of not only wrong doing, but “right” doing behaviors? What expectation does it set? Is it universal or have you caved to various constituencies and created multiple versions (not translations, but actual versions) to “meet the needs” of various cultures. If you have, then you are net setting a single standard that all can live by, and you will have people applying their own standard to their behaviors, not yours. Ethics should not be subject to interpretation, nor external pressures such as Worker’s Councils, unions, or special interest groups.
  • Are your policies relevant to your business, or did someone just borrow something from an HR toolkit to get you started? Do you have a formal non-retaliation policy (and not just a nod towards the concept in your Code of Conduct), and formal procedures to deter retaliation. The rules in this area need to be cut and dry to make people know you “have their back” when the you know what hits the fan. You want to encourage people to step up, and the only way you can do that is a rock solid approach to non-retaliation.
  • Last, but not least, are your policies “uniformly enforced?” Much like the sentencing guidelines, organizations, large and small alike, should be dealing with transgressions with an even hand to truly have an ethical culture. People like boundaries, like to know where the line in the sand is drawn. Trust me on this. So do you know exactly where your organization’s boundaries are? Or does the line move from incident to incident?

2. Exercise Effective Compliance and Ethics Oversight

As I mentioned before, many organizations have day-to-day oversight managed by staff, with a titular CECO residing with one of the executive leaders, like the GC or the CFO. Larger organizations have dedicated compliance officers who aren’t forced to wear multiple hats, who truly have teams of dedicated compliance officials reporting up to their organization. This is particularly true in highly regulated industries, such as finance, insurance, healthcare, food and drug manufacturing, where government oversight plays a large role in day to day business.   It is fair to say that smaller organizations don’t need to have a dedicated compliance officer per se, but when you have a staff attorney, for instance, managing the day to day operations of your ethics and compliance program, you have put that person in a Catch 22. Period. You may want an attorney in that spot for attorney client privilege, but if you do that recognize that you’ve also handcuffed the person from being able to independently report wrong doing if something goes drastically wrong, as they are duty bound to keep matters confidential, even within the business.

So you want to measure whether or not the person with day-to-day oversight has the freedom (or mechanisms) to raise concerns.

  • If it’s a staff attorney, is the job description written so that when wearing the compliance hat, the attorney hat comes off? Tough to do, but possible.
  • Are there layers of management between the day-to-day person who is managing the ethics and compliance program, and the person with the “title” CECO?
  • Are there many people with “compliance” in their title, and do they work together, or independently? I have worked in organizations where “compliance” was part of several functions, but the right hand, and the left hand, weren’t speaking to each other. Trade Compliance reported to one division, Environmental Compliance reported to another division, product compliance reported to yet a third division, HIPAA compliance to yet a fourth, and so on. None of these units worked together, some were staffed heavily, some staffed thinly, and the actual “head” of Integrity & Compliance was ineffective at convincing senior leadership that all compliance functions should be at least working towards the same goals in the organization. It all depended on the business leader at the top of the silo and whether or not they were effective in getting the support they needed to run their business. It also depended on whether or not the business unit was a profit center or a cost center, and if a cost center, where it reported up into the business – as a G&A expense, or an administrative cost aligned with operations. Those that were part of operations were well-funded, those reporting in on the administrative side as a pure cost center (including the “head”) were poorly resourced.
  • Do you have an ethics steering committee or working group that represents all functions and business units, and is staffed by executive or senior leaders who are in a position to make decisions for the larger organization? This serves as a checks and balance that is critical if the day-to-day oversight is led by a staffer. The staffer can build consensus with a larger group that has a vested interest in the outcome by holding those critical meetings before the meeting to test run proposals, and receive important feedback on how to effectively present a proposal to the team to ensure acceptance and success. The staffer can also go to a trusted member of the committee if he or she feels that the CECO is not receptive to hearing concerns and serve as a sounding board. Hopefully, that is.

Tomorrow, elements 3-7.

Who are the Two Tough Cookies?

Tough Cookie 1 has spent the more than half of her 20+ legal career working in the Integrity and Compliance field, and has been the architect of award-winning and effective ethics and compliance programs at both publicly traded and privately held companies.  Tough Cookie 2 is a Certified Internal Auditor and CPA who has faced ethical and compliance challenges in a variety of industries and geographies and recently led a global internal audit team. Their series “Tales from the Crypt: Tough Choices for Tough Cookies” are drawn largely from real life experiences on the front line of working in Integrity & Compliance, and personal details have been scrubbed to protect, well, you know, just about everyone…

This publication contains general information only and is based on the experiences and research of the authors. The authors are not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The authors, their affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Authors give their permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the authors.

July 25, 2014

Code of Conduct, Compliance Policies and Procedures-Part IV

Policies and ProceduresThis is the fourth and final installment of my series on the the importance of a Code of Conduct and anti-corruption compliance policies and procedures in your compliance program and how you should go about drafting or updating Code of Conduct and anti-corruption compliance policies and procedures. On Tuesday, I reviewed the underlying legal and statutory basis for the documents as a foundation of your overall anti-corruption regime. In subsequent posts, I looked at how to go about drafting your Code of Conduct and anti-corruption compliance policies and procedures. Today, I will end the series on how to keep all of the above vibrant and dynamic through a discussion of how to assess, review and revise them and your Code of Conduct on a timely basis.

Simply having a Code of Conduct, together with policies and procedures is not enough. As articulated by former Assistant Attorney General, for the Criminal Division of the US Department of Justice, Lanny Breuer, “Your compliance program is a living entity; it should be constantly evolving.” In an article in the SCCE Magazine, entitled “Six steps for revising your company’s Code of Conduct”, authors Anne Marie Logarta and Ruth Ward suggest considering the following issues before you take on an update of your Code of Conduct.

  • When was the last time your Code of Conduct was released or revised?
  • Have there been changes to your company’s internal policies since the last revision?
  • Have there been changes to relevant laws relating to a topic covered in your company’s Code of Conduct?
  • Are any of the guidelines outdated?
  • Is there a budget to create/revise a Code?

After considering these issues, the authors suggest that you should benchmark your current Code of Conduct against others companies in your industry. I would also add that your standards, policies and procedures should be reviewed and updated in the same manner. If you decide to move forward the authors have a six-point guide which they believe will assist you in making your revision process successful, which I have used as a basis to include revisions to your compliance policies and procedures.

  1. Get buy-in from decision makers at the highest level of the company 

The authors believe that your company’s highest level must give the mandate for a revision to a Code of Conduct and compliance polices and procedures. It should be the Chief Executive Officer (CEO), General Counsel (GC) or Chief Compliance Officer (CCO), or better yet all three to mandate this effort. Whoever gives the mandate, this person should be “consulted at every major step of the Code review process if it involves a change in the direction of key policies.”

  1. Establish a core revision committee 

You should have a cross-functional working group would be ideal to head up your effort to revise your Code of Conduct and compliance polices and procedures. This group should include representatives from the following departments: legal, compliance, communications, HR; there should also be other functions which represent the company’s domestic and international business units; finally there should be functions within the company represented such as finance and accounting, IT, marketing and sales.

From this large group, the topics can be assigned for initial drafting to functions based on “relevancy or necessity”. These different functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. The authors emphasize that creation of a “timeline at the outset of the revision is critical and hold the function representatives accountable for meeting their deliverables.”

  1. Conduct a thorough technology assessment 

The cornerstone of the revision process is how your company captures, collaborates and preserves “all of the comments, notes, edits and decisions during the entire project.” They believe that technology such as SharePoint or Google Cloud can be of great assistance to accomplish this process even if you are required to train team members on their use.

In addition to this use of technology in drafting your Code of Conduct and compliance polices and procedures revisions, you should determine if they will be available in hard copy, online or both. If it will be available online, you should assess “the best application to launch your Code and whether it includes a certification process”. Lastly, there must be a distribution plan, particularly if the Code and compliance polices and procedures will only be available in hard copy.

  1. Determine translations and localizations 

The authors emphasize, “If your company does business internationally, then this step is vital to ensure you have one Code, no matter the language.” They do note that if you decide to translate your Code of Conduct be sure and hire someone who is an “approved company translation subject matter expert.” Here I would simply say to contact Jay Rosen at Merrill Brink, as those guys are the one of the top Language Service Providers and know what they are doing when it comes to translations. The key is that “your employees have the same understanding of the company’s Code-no matter the language.” 

  1. Develop a plan to communicate the Code of Conduct 

A rollout is always critical because it “is important that the new or revised Code is communicated in a manner that encourages employees to review and use the Code on an ongoing basis.” Your company should use the full panoply of tools available to it to publicize your new or revised Code of Conduct and compliance polices and procedures. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide Code of Conduct and compliance polices and procedures meeting where the new or revised documents are rolled out across the company all in one day. But remember, with all thing compliance; the three most important aspects are ‘Document, Document and Document’. However you deliver the new or revised Code of Conduct, you must document that each employee receives it.

6.   Stay on Target 

The authors end by noting that if you set realistic expectations you should be able to stay on deadline and stay within your budget. They state that “You want to set aside enough time so that you won’t feel rushed or in a hurry to get it done.” They also reiterate that to keep a close watch on your budget so that you do not exceed it.

These points are a useful guide to not only thinking through how to determine if your Code of Conduct, and compliance policies and procedure needs updating, but also practical steps on how to tackle the problem. If it has been more than five years since it was last updated, you should begin the process that the authors have laid out. It is far better to review and update if appropriate than wait for a massive FCPA investigation to go through the process.

There are numerous reasons to put some serious work into your Code of Conduct, policies and procedure. They are certainly a first line of defense when the government comes knocking. The FCPA Guidance makes clear that “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” And by considered, I think it is clear that this means the regulators will take a strong view against a company that does not have well thought out and articulated policies, procedures or Code of Conduct; all of which are systematically reviewed and updated. Moreover, as Allen emphasized, “having policies written out and signed by employees provides what some consider the most vital layer of communication.” Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the ‘Document, Document and Document’ mantra applies just as strongly to this area of anti-corruption compliance.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 24, 2014

Code of Conduct, Compliance Policies and Procedures-Part III

Policies and ProceduresToday, I continue with Part III of my four-part series on the best practices surrounding your Code of Conduct and anti-corruption policies and procedures. In this post, I take a look at drafting policies and procedures. I conclude with some thoughts by well-known policy pundit Michael Rasmussen on management of policies going forward.

One of the key components of any best practices compliance regime under any anti-bribery and anti-corruption program is policies and procedures. Policies and procedures tie together a company, its business environment, the risks it faces and the compliance requirements. Policies procedures are a specific requirement for any anti-corruption/anti-bribery compliance regime. In the FCPA Guidance it stated, “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” Under the UK Bribery Act, policies are discussed in the Six Principles of an Adequate Procedures compliance program under Principle V – Communication, where it states “The business seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the company through internal and external communication, including training, that is proportionate to the risks it faces.”

As further stated in the FCPA Guidance, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company and Procedures are the documents that implement these standards of conduct.

Borrowing from an article in the Houston Business Journal (HBJ) by John Allen, entitled “Company policies are source and structure of stability”, I found some interesting and important insights into the role of policies in any anti-corruption compliance program. Allen says that the role of policies is “to protect companies, their employees and consumers, and despite an occasional opposite outcome, that is typically what they do. A company’s policies provide a basic set of guidelines for their employees to follow. They can include general dos and don’ts or more specific safety procedures, work process flows, communication guidelines or dress codes. By establishing what is and isn’t acceptable workplace behavior, a company helps mitigate the risks posed by employees who, if left unchecked, might behave badly or make foolhardy decisions.”

Allen notes that policies “are not a surefire guarantee that things won’t go wrong, they are the first line of defense if things do.” The effective implementation and enforcement of policies demonstrate to regulators and the government that a “company is operating professionally and proactively for the benefit of its stakeholders, its employees and the community it serves.” If it is a company subject to the FCPA, by definition it is an international company so that can be quite a wide community.

Allen believes that there are five key elements to any “well-constructed policy”. They are:

  • identify to whom the policy applies;
  • establish the objective of the policy;
  • explain why the policy is necessary;
  • outline examples of acceptable and unacceptable behavior under the policy; and
  • warn of the consequences if an employee fails to comply with the policy.

Allen notes that for polices to be effective there must be communication. He believes that training is only one type of communication. I think that this is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, simply the logistics of training can appear daunting. Small groups, where detailed questions about policies can be raised and discussed, can be a powerful teaching tool. Allen even suggests posting FAQ’s in common areas as another technique. And please do not forget that one of the reasons Morgan Stanley received a declination to prosecute by the DOJ was that it sent out bi-monthly compliance reminder emails to its employee Garth Peterson for the seven years he was employed by the company.

Interesting, Allen emphasizes, “having policies written out and signed by employees provides what some consider the most vital layer of communication. A signed acknowledgement can serve as evidentiary support if a future issue arises.” I also like it when others recognize my ‘Document, Document and Document’ mantra for FCPA compliance.

While I think that most compliance practitioners understand this need for policies and procedures, one of the things that is not usually emphasized at a company is effective policy management. Michael Rasmussen writing in Compliance Week in an article entitled “Improving Policies Through Metrics” discussed the need for effective policy management. He believes that it requires that a company must periodically review their policies to ensure that they are relevant and aligned with both current laws and corporate objectives. This is because today’s business environment is dynamic and involves both internal and external factors, so, consequently, as a company evolves and changes its policies need to be updated to reflect these changes.

Rasmussen believes that at a minimum, policies must be reviewed annually. He recommends that each policy should go through a yearly review process to determine if it is still appropriate. There should be a “system of accountability and workflow that facilitates” any policy review process. The end product should be a decision to “retire the process, keep the policy as it is, or revise the policy.” Rasmussen lists five items that a policy owner should evaluate as a part of the policy review process.

  • Violations. Here Rasmussen believes that information from reporting systems such as hotlines or other anonymous lines as well as internal or external investigations must be reviewed. Not only would such information indicate if a company policy was violated but the follow-up investigation would help to determine how the policy might have failed, whether it was through “lack of awareness, unauthorized exceptions [or] outright violations.”
  • Understanding. Here Rasmussen writes that there should be an analysis of “training and awareness programs, policy attestations” and attendant metrics to determine an appropriate level of policy understanding. He believes that questions to a helpdesk or compliance department could help to discover any ambiguities in a policy that might need to be corrected.
  • Exceptions. If you have a policy it should be followed. If an exception to a policy was granted the reason for the exception should have been documented. If there are too many exceptions granted for a policy, it might indicate that “the policy is inappropriate and unenforceable” and therefore should be revised.
  • Compliance. A policy should govern and authorize internal controls. These internal controls should be reviewed in conjunction with the policy review to determine overall policy effectiveness. This is because “At the end of the day the policy needs to be complied with.”
  • Environment. All the factors around a policy are in flux. This includes a company’s risk profile, its business strategy, laws and regulations. Since a business’ climate is dynamic, a policy should be reviewed in the context of a company’s overall situation and revised accordingly.

If there is a change in a policy it is important that not only the correct change be made but that any change is documented. An audit trail is a key component for a company to internally understand when a change is made and the reason for that change but also to demonstrate to a regulator effective policy management and to present “a defensible history of policy interactions on communications, training, acknowledgements, assessments and related details needed to show the was enforced and operational.” This audit trail should include “key data points such as the owner, who read it, who was trained, acceptance acknowledgements and dates for specific policy versions”. In addition to an audit trail, policy revisions should be archived for referral back at a later time. So, once again, the key message is document, document and document.

Just as best practices in the FCPA compliance arena evolve, so do business practices, markets and risks. If you throw in the complexities from an inter-connected global business milieu, the task becomes even tougher. Business policies are one of the keystones of a company’s communications to its employees on what it expects and what is required of its employees. To keep policies up-to-date and properly take advantage of this valuable tool, policies need to be evaluated and updated as appropriate. If your company fails to do so this takes away from the value of having policies in the first place. I hope that you will use the techniques which Rasmussen has described to help you effectively manage your policies going forward.

The FCPA Guidance ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” Allen puts a bit differently in that “it is important that policies are applied fairly and consistently across the organization.” He notes that the issue can be that “If policies are applied inconsistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated.” This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 23, 2014

Code of Conduct, Compliance Policies and Procedures-Part II

Policies and ProceduresThis week, I am reviewing the importance of a Code of Conduct and anti-corruption compliance policies and procedures in your compliance program and how you should go about drafting or updating Code of Conduct and anti-corruption compliance policies and procedures. Yesterday, I reviewed the underlying legal and statutory basis for the documents as a foundation of your overall anti-corruption regime. Today, I want to look at how to go about drafting your Code of Conduct. In subsequent posts, I will consider both anti-corruption compliance policies and procedures and how to assess, review and revise them and your Code of Conduct on a timely basis.

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to “wave in a defense situation” by claiming that “see we have one”. But is such a legalistic code effective? Is a Code of Conduct more than simply, your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?

Carol Switzer, President of the Open Compliance and Ethics Group (OCEG), explored some of these questions in an article in Compliance Week, entitled “The Code of Conduct Conundrum”. As a part of her article, Switzer interviewed Jimmy Lin, Vice President (VP) of Product Management and Corporate Development at The Network, and Kendall Tieck, VP of Internal Audit at Workday, for their thoughts on what makes an effective Code of Conduct.

Tieck views a Code of Conduct as not simply a static piece of paper or document “but as a set of expected behaviors that are integral to the fabric of the business and an organization’s value system. A Code of Conduct is not a compliance activity, but how an entity demonstrates integrity and acquires trust from markets, shareholders, customers, partners, and governments. To achieve these outcomes, a careful plan, aligned with a policy lifecycle management framework, should articulate how the Code is integrated in the core of the company’s activities and culture.”

Switzer believes that one of the key components of a best practices Code of Conduct is to integrate the connection between a business’ objectives, its risk and compliance management. There are numerous factors, which can move a company towards having such an effective integration. Switzer wrote that some of these include, “external stakeholder expectations and pressures, internal culture and context, objectives for the code, process of development and implementation, content of the code, consequences for non-conforming conduct, strength of sub-codes (e.g. policies), and employee character.”

Switzer ends her piece by relating that there is a huge benefit to a company for a well thought out Code of Conduct, as a tool to drive both corporate values and sinew the expectations of conduct into the fabric of the company. By designing a Code of Conduct, which can be measured for effectiveness, you can continuously keep the goals moving.

A GRC Illustrated series, provided with Switzer’s article, entitled “The Next Generation Code of Conduct”, lays out six steps for the compliance practitioner to think through and implement during a Code of Conduct upgrade or rewrite. These six steps are (1) design; (2) deliver; (3) interact; (4) measure; (5) maintain; and (6) improve.

Design

Under this step, a company needs to define the behavior that it desires to inspire and allow employees to collaborate at all levels. Lin, said that a key aspect was relevancy, “But times change—business environments change, cultures change, risk appetites change. We all need to keep in mind that the Code, the ultimate policy, should not be a stale document on the shelf. It needs to inspire, engage, and change with the organization.” Tieck said that your Code of Conduct should be “considered a part of the entity’s overall policy landscape. Leveraging an effective policy lifecycle management framework will promote integration and alignment across the policy governance landscape.”

Deliver

Switzer also identified the delivery of a Code of Conduct as a key element of its effectiveness. She said, “modern communication methods that allow the user to engage, interact, and research further behind the Code into related policies, procedures, and helplines for additional guidance can be better monitored and measured. Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.” This should also include relevant third parties such as suppliers and sales agents. “And failure to comply with the Code can be better identified and tracked, indicating possible need for clarification, additional training, or better screening of employees.”

Interact

Lin pointed out that a Code of Conduct is both a corporate governance document and a marketing document. As such you will need to create a marketing campaign to get the message of your Code of Conduct out to not only your employee base but also relevant third parties. If you have a large number of non-English speaking personnel or employees without access to online training, these factors need to be considered when determining the delivery method.

Measure

Initially, you should prioritize both qualitative results with positive feedback by including such metrics as speed of completion, reminders, which must be sent to facilitate completion of Code of Conduct training, and the percent of employees and third parties who attest to the review of your Code of Conduct. You should also measure the effectiveness of your communication campaign. Tieck suggests drilling down further because each component of your Code of Conduct sets “an expected behavior. Selecting a few critical behaviors to measure and monitor may be adequate for most organizations. These selected measures might represent an aggregate measure of the overall conformance to the code. Large organizations may be able to mine HR data to capture statistics associated with the identified behaviors. For instance, termination reason codes may be one source.”

Maintain

All commentators note that it is important to keep your Code of Conduct design and content fresh. One of the ways to do so is by employee feedback, which can assist you in identifying if your Code of Conduct is not only effective, but also truly reflective of your company’s culture. Lin points out that to gain these insights you need to incorporate both formal and informal techniques for gauging the relevant employee and third party populations. He states, “Questionnaires, surveys, forms and hotlines can be good anonymous sources, but engaging employees in conversation is just as, if not more, important. Make sure executives and managers alike spend time in small-group and one-on-one conversations. Have these conversations throughout the year and across your employee base to get the “real” story. This helps engage the employees and ensure they know you value their input.”

Improve

OCEG advocates that your Code of Conduct should be evaluated for revision at least every two years. This should be done to keep abreast of the changes in laws and regulations and your own business operations and risk tolerances. Switzer said, “Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.”

Switzer ends her piece by relating that there is a huge benefit to a company for a well thought out Code of Conduct, as a tool to drive both corporate values and sinew the expectations of conduct into the fabric of the company. By designing a Code of Conduct, which can be measured for effectiveness, you can continuously keep the goals moving.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 22, 2014

Code of Conduct, Compliance Policies and Procedures-Part I

Policies and ProceduresFor the remainder of this week, I will have a four-part episode on your Code of Conduct and anti-corruption compliance policies and procedures. In today’s post I will review the underlying legal and statutory basis for the documents as a foundation of your overall anti-corruption regime. In subsequent posts, I will review how to go about drafting your Code of Conduct and anti-corruption compliance policies and procedures and how to assess, review and revise them on a timely basis.

The cornerstone of a US Foreign Corrupt Practice Act (FCPA) compliance program is its written protocols. This includes a Code of Conduct, policies and procedures. These requirements have long been memorialized in the US Federal Sentencing Guidelines (FSG), which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements the Department of Justice (DOJ) has crafted its minimum best practices compliance program, which is now attached to every Deferred Prosecution Agreement (DPA) and Non-Prosecution Agreement (NPA). These requirements were incorporated into the 2012 FCPA Guidance. The FSG assumes that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct? The starting point, as per the FSG, reads as follows:

Element 1

Standards of Conduct, Policies and Procedures (a Code of Conduct)An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages “ethical conduct” and a commitment to compliance with applicable regulations and laws. 

In the FCPA Guidance, the DOJ and Securities and Exchange Commission (SEC) state, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company chapter has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.”

In each DPA and NPA over the past 36 months the DOJ has said the following as item No. 1 for a minimum best practices compliance program.

  1. Code of Conduct. A Company should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy shall be memorialized in a written compliance code. 

Stephen Martin and Paul McNulty, partners in the law firm of Baker and McKenzie, developed one of the best formulations that I have seen of these requirements in their Five Elements of an Effective Compliance Program. In this formulation, they posit that your Code of Conduct, policies and procedures should be grouped under the general classification of ‘Standards and Procedure’. They articulate that every company has three levels of standards and controls. First, every company should have a Code of Conduct, which should, most generally express its ethical principles. But simply having a Code of Conduct is not enough. So a second step mandates that very company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. From the base of a Code of Conduct and standards and policies, every company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.

FCPA compliance best practices now require companies to have additional standards and controls, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on a piece of paper.

In an article in the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual, 2nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”

There are several purposes identified by the authors which should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your FCPA compliance program are ‘Document, Document and Document’. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands the Code. For employees, it is important that a representative of the Compliance Department, or other qualified trainer, explains the standards set forth in your Code of Conduct and answers any questions that an employee may have. Your company’s employees need to attest in writing that they have received, read, and understood the Code of Conduct and this attestation must be retained and updated as appropriate.

The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed your Code of Conduct for five years, I would suggest that you do in short order as much has changed in the compliance world.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 16, 2014

Mergers and Acquisitions Under the FCPA, Part III

M&AToday I conclude my three-part series on mergers and acquisitions under the Foreign Corrupt Practices Act (FCPA) with a review of the post-acquisition phase.

Previously many compliance practitioners had based decisions in the M&A context on DOJ Opinion Release 08-02 (08-02), which related to Halliburton’s proposed acquisition of the UK entity, Expro. In the spring of 2011, the Johnson & Johnson (J&J) DPA changed the perception of compliance practitioners regarding what is required of a company in the M&A setting related to FCPA due diligence, both pre and post-acquisition. On June 18 2012, the DOJ released the Data Systems & Solutions LLC (DS&S) DPA which brought additional information to the compliance practitioner on what a company can do to protect itself in the context of M&A activity.

08-02 began as a request from Halliburton to the DOJ from issues that arose in the pre-acquisition due diligence of the target company Expro. Halliburton had submitted a request to the DOJ specifically posing these three questions: (1) whether the proposed acquisition transaction itself would violate the FCPA; (2) whether, through the proposed acquisition of Target, Halliburton would “inherit” any FCPA liabilities of Target for pre-acquisition unlawful conduct; and (3) whether Halliburton would be held criminally liable for any post-acquisition unlawful conduct by Target prior to Halliburton’s completion of its FCPA and anti-corruption due diligence, where such conduct is identified and disclosed to the Department within 180 days of closing.

I. Halliburton 

Halliburton committed to the following conditions in 08-02, if it was the successful bidder in the acquisition:

  1. Within ten business days of the closing. Halliburton would present to the DOJ a comprehensive, risk-based FCPA and anti-corruption due diligence work plan which would address, among other things, the use of agents and other third parties; commercial dealings with state-owned customers; any joint venture, teaming or consortium arrangements; customs and immigration matters; tax matters; and any government licenses and permits. The Halliburton work plan committed to organizing the due diligence effort into high risk, medium risk, and lowest risk elements.

a)     Within 90 days of Closing. Halliburton would report to the DOJ the results of its high risk due diligence.

b)    Within 120 days of Closing. Halliburton would report to the DOJ the results to date of its medium risk due diligence.

c)     Within 180 days of Closing. Halliburton would report to the DOJ the results to date of its lowest risk due diligence.

d)    Within One Year of Closing. Halliburton committed full remediation of any issues which it discovered within one year of the closing of the transaction.

Many lawyers were heard to exclaim, “What an order, we cannot go through with it.” However, we advised our clients not to be discouraged because 08-02 laid out a clear road map for dealing with some of the difficulties inherent in conducting sufficient pre-acquisition due diligence in the FCPA context. Indeed the DOJ concluded 08-02 by noting, “Assuming that Halliburton, in the judgment of the Department, satisfactorily implements the post-closing plan and remediation detailed above… the Department does not presently intend to take any enforcement action against Halliburton.”

II.Johnson & Johnson (J&J)

In Attachment D of the J&J DPA, entitled “Enhanced Compliance Obligations”, there is a list of compliance obligations in which J&J agreed to undertake certain enhanced compliance obligations for at least the duration of its DPA beyond the minimum best practices also set out in the J&J DPA. With regard to the M&A context, J&J agreed to the following:

  1. J&J will ensure that new business entities are only acquired after thorough FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. Where such anti-corruption due diligence is not practicable prior to acquisition of a new business for reasons beyond J&J’s control, or due to any applicable law, rule, or regulation, J&J will conduct FCPA and anti-corruption due diligence subsequent to the acquisition and report to the Department any corrupt payments, falsified books and records, or inadequate internal controls as required by … the Deferred Prosecution Agreement.
  2. J&J will ensure that J&J’s policies and procedures regarding the anti-corruption laws and regulations apply as quickly as is practicable, but in any event no less than one year post-closing, to newly-acquired businesses, and will promptly, for those operating companies that are determined not to pose corruption risk, J&J will conduct periodic FCPA Audits, or will incorporate FCPA components into financial audits.
  3. Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to J&J, on the anticorruption laws and regulations and J&J’s related policies and procedures; and
  4. Conduct an FCPA-specific audit of all newly acquired businesses within 18 months of acquisition.

These enhanced obligations agreed to by J&J in the M&A context were less time sensitive than those agreed to by Halliburton in 08-02. In the J&J DPA, the company agreed to the following time frames:

  1. 18 Month - conduct a full FCPA audit of the acquired company.
  1. 12 Month - introduce full anti-corruption compliance policies and procedures into the acquired company and train those persons and business representatives which “present corruption risk to J&J.”

III. Data Systems & Solutions LLC (DS&S)

In the DS&S DPA there were two new items listed in the Corporate Compliance Program, attached as Schedule C to the DPA, rather than the standard 13 items we have seen in every DPA since at least November 2010. The new additions are found on items 13 & 14 on page C-6 of Schedule C and deal with mergers and acquisitions. They read in full:

  1. DS&S will develop and implement policies and procedures for mergers and acquisitions requiring that DS&S conduct appropriate risk-based due diligence on potential new business entities, including appropriate FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. If DS&S discovers any corrupt payments or inadequate internal controls as part of its due diligence of newly acquired entities or entities merged with DS&S, it shall report such conduct to the Department as required in Appendix B of this Agreement.
  2. DS&S will ensure that DS&S’s policies and procedures regarding the anticorruption laws apply as quickly as is practicable to newly acquired businesses or entities merged with DS&S and will promptly:
  3. Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to DS&S, on the anti-corruption laws and DS&S’s policies and procedures regarding anticorruption laws.
  4. Conduct an FCPA-specific audit of all newly acquired or merged businesses as quickly as practicable.

This language draws from and builds upon the prior Opinion Release 08-02 regarding Halliburton’s request for guidance and the J&J “Enhanced Compliance Obligations” incorporated into its DPA. While the DS&S DPA does note that it is specifically tailored as a solution to DS&S’s FCPA compliance issues, I believe that this is the type of guidance that a compliance practitioner can rely upon when advising his or her clients on what the DOJ expects during M&A activities.

 

FCPA M&A Box Score Summary

Time Frames Halliburton 08-02 J&J DS&S
FCPA Audit
  1. High Risk Agents - 90 days
  2. Medium Risk Agents - 120 Days
  3. Low Risk Agents - 180 days
18 months to conduct full FCPA audit As soon “as practicable
Implement FCPA Compliance Program Immediately upon closing 12 months As soon “as practicable
Training on FCPA Compliance Program 60 days to complete training for high risk employees, 90 days for all others 12 months to complete training As soon “as practicable

 

The Guidance, coupled with the 08-02 and the two enforcement actions, speak to the importance that the DOJ puts on M&A in the FCPA context. The time frames for post-acquisition integration are quite tight. This means that you should do as much work as you can in the pre-acquisition stage. The DOJ makes clear that rigor is needed throughout your entire compliance program, including M&A. This rigor should be viewed as something more than just complying with the FCPA; it should be viewed as just making good business sense.

Nat Edmonds, in an interview in the Wall Street Journal (WSJ) entitled, “Former Justice Official: How to Buy Corrupt Companies”, emphasized that if a company does not have the opportunity to make these types of inquiries in the pre-acquisition stage the “DOJ and SEC generally recognize that sometimes it’s not possible to do complete due diligence beforehand. However, if there are good faith efforts to conduct due diligence, integrate compliance programs and take remedial actions by removing those wrongdoers — if all of that is done on a quick basis [authorities] give very strong credit. The best example of this is the 2009 purchase by Pfizer of Wyeth. I was prosecutor on the Pfizer Wyeth [bribery] case. Pfizer was able to do some due diligence before the acquisition but because both are massive organizations it was not possible to do complete due diligence prior to acquisition. But after the acquisition within 180 days they had identified much of the wrongdoing at Wyeth and ensured it was halted. As a result of that we gave them credit. On the criminal side Pfizer was not held criminally liable for any of the conduct at Wyeth. Most of what Pfizer was held responsible for was as a result of a previous acquisition of Pharmacia, which they acquired in 2002 and 2003. At the time of the Pharmacia acquisition, acquirers did not typically conduct anti-corruption due diligence on targets. And during the investigation most of the violations of FCPA [Pfizer] was held criminally liable for began prior to the acquisition of Pharmacia –some was afterwards. Pfizer was held responsible for the misconduct at Pharmacia both before and afterwards. The Pfizer case is interesting because it shows both the good and bad.”

I believe that he information is out there for the steps to take in a merger or acquisition to avoid FCPA liability. You should place emphasis on both the pre and post acquisition phases; equally because as with most FCPA compliance program components, they just make good business sense.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 14, 2014

Mergers and Acquisitions Under the FCPA, Part I

M&AToday, I begin a three-part series on mergers and acquisitions under the Foreign Corrupt Practices Act. Today I will review the pre-acquisition phase, focusing the information and issues you should review, tomorrow in Part II, I will look at how you should use that information in the evaluation process and in Part III, I will consider steps you should take in the post-acquisition phase.

The Foreign Corrupt Practices Act (FCPA) Guidance, issued in 2012, makes clear that one of the ten hallmarks of an effective compliance program is around mergers and acquisitions (M&A), in both the pre and post-acquisition context. A company that does not perform adequate FCPA due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps, most commonly, inadequate due diligence can allow a course of bribery to continue – with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability. In contrast, companies that conduct effective FCPA due diligence on their acquisition targets are able to evaluate more accurately each target’s value and negotiate for the costs of the bribery to be borne by the target. But, equally important is that if a company engages in the suggested actions, they will go a long way towards insulating, or at least lessening, the risk of FCPA liability going forward.

Nat Edmonds, in an interview in the Wall Street Journal (WSJ) entitled, “Former Justice Official: How to Buy Corrupt Companies” said “I think most companies and their outside counsel believe any potential corruption problem should stop a deal from occurring. Companies would be surprised to learn that neither the Securities and Exchanges Commission nor the DOJ takes that position. In many ways the SEC and DOJ encourage good companies with strong compliance programs to buy the companies engaged in improper conduct in order to help implement strong compliance in companies that have engaged in wrongful conduct. What companies must do and what outside counsel should advise them to do is to have a realistic perspective of what effect that corruption or potential improper payment has on the value of the deal itself. Because of the concern that any corruption would stop the deal or implicate the buyers, many times companies don’t look as thoroughly as they should at potential corruption. There is often concern that if you start to look for something you may find a problem and it could slow down or stop the whole deal.”

The FCPA Guidance was the first time that many compliance practitioners focused on the pre-acquisition phase of a transaction as part of a compliance regime. However, the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) made clear the importance of this step. In addition to the above language, they cited to another example in the section on Declinations where the “DOJ and SEC declined to take enforcement action against a U.S. publicly held consumer products company in connection with its acquisition of a foreign company.” The steps taken by the company led the Guidance to state the following, “The company identified the potential improper payments to local government officials as part of its pre-acquisition due diligence and the company promptly developed a comprehensive plan to investigate, correct, and remediate any FCPA issues after acquisition.”

In a hypothetical, the FCPA Guidance provided some specific steps a company had taken in the pre-acquisition phase. These steps included, “(1) having its legal, accounting, and compliance departments review Foreign Company’s sales and financial data, its customer contracts, and its third-party and distributor agreements; (2) performing a risk-based analysis of Foreign Company’s customer base; (3) performing an audit of selected transactions engaged in by Foreign Company; and (4) engaging in discussions with Foreign Company’s general counsel, vice president of sales, and head of internal audit regarding all corruption risks, compliance efforts, and any other corruption-related issues that have surfaced at Foreign Company over the past ten years.”

Pre-Acquisition Risk Assessment

It should all begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a “lens through which to view the feasibility of the business strategy” and help to value the potential target.

The next step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, company management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.

Next is a five step process on how to plan and execute a strategy to perform pre-acquisition due diligence in the M&A context.

  1. Establish a point of contact. Here you need to determine one point of contact that you can liaise with throughout the process. Typically this would be the target’s Chief Compliance Officer (CCO) if the company is large enough to have full time position.
  2. Collect relevant documents. Obtain a detailed list of sales going back 3-5 years, broken out by country and, if possible, obtain a further breakdown by product and/or services; all Joint Venture (JV) contracts, due diligence on JVs and other third party business partners; the travel and entertainment records of the acquisition target company’s top sales personnel in high risk countries; internal audit reports and other relevant documents. You do not need to investigate de minimis sales amounts but focus your compliance due diligence inquiry on high sales volumes in high-risk countries. If the acquisition target company uses a sales model of third parties, obtain a complete list, including JVs. It should be broken out by country and amount of commission paid. Review all underlying due diligence on these foreign business representatives, their contracts and how they were managed after the contract was executed; your focus should be on large commissions in high risk countries.
  3. Review the compliance and ethics mission and goals. Here you need to review the Code of Conduct or other foundational documents that a company might have to gain some insight into what they publicly espouse.
  4. Review the seven elements of an effective compliance program as listed below:

a. Oversight and operational structure of the compliance program. Here you should assess the role of board, CCO and if there is one, the compliance committee. Regarding the CCO, you need to look at their reporting and access – is it independent within the overall structure of the company? Also, what are the resources dedicated to the compliance program including a review of personnel, the budget and overall resources? Review high-risk geographic areas where your company and the acquisition target company do business. If there is overlap, seek out your own sales and operational people and ask them what compliance issues are prevalent in those geographic areas. If there are compliance issues that your company faces, then the target probably faces them as well.

b. Policies/Procedures, Code of Conduct. In this analysis you should identify industry practices and legal standards that may exist for the target company. You need to review how the compliance policies and procedures were developed and determine the review cycles, if any. Lastly, you need to know how everything is distributed and what the enforcement mechanisms for compliance policies are. Additionally you need to validate, with Human Resources (HR), if there have been terminations or disciplines relating to compliance.cEducation, training and communication. Here you need to review the compliance training process, as it exists in the company, both the formal and the informal. You should ask questions, such as “What are the plans and schedules for compliance training?” Next determine if the training material itself is fit for its intended purpose, including both internal and external training for third parties. You should also evaluate the training delivery channels, for example is the compliance training delivered live, online, or through video? Finally, assess whether the company has updated their training based on changing of laws. You will need to interview the acquisition target company personnel responsible for its compliance program to garner a full understanding of how they view their program. Some of the discussions that you may wish to engage in include visiting with the target company’s General Counsel (GC), its Vice President (VP) of sales and head of internal audit regarding all corruption risks. You should also delve into the target’s compliance efforts, and any other corruption-related issues that may have surfaced.

c. Monitoring and auditing. Under this section you need to review both the internal audit plan and methodology used regarding any compliance audits. A couple of key points are (1) is it consistent over a period of time and (2) what is the audit frequency? You should also try and judge whether the audit is truly independent or if there was manipulation by the business unit(s). You will need to review the travel and entertainment records of the acquisition target company’s top sales personnel in high-risk countries. You should retain a forensic auditing firm to assist you with this effort. Use the resources of your own company personnel to find out what is reasonable for travel and entertainment in the same high-risk countries which your company does business.

d. Reporting. What is the company’s system for reporting violations or allegations of violations? Is the reporting system anonymous? From there you need to turn to who does the investigations to determine how are they conducted? A key here, as well as something to keep in mind throughout the process, is the adequacy of record keeping by the target.

e. Response to detected violations. This review is to determine management’s response to detected violations. What is the remediation that has occurred and what corrective action has been taken to prevent future, similar violations? Has there been any internal enforcement and discipline of compliance policies if there were violations? Lastly, what are the disclosure procedures to let the relevant regulatory or other authorities know about any violations and the responses thereto? Further, you may be required to self-disclose any FCPA violations that you discover. There may be other reporting issues in the M&A context such as any statutory obligations to disclose violations of any anti-bribery or anti-corruption laws in the jurisdiction(s) in question; what effect will disclosure have on the target’s value or the purchase price that your company is willing to offer?

f. Enforcement Practices/Disciplinary Actions. Under this analysis, you need to see if there was any discipline delivered up to and including termination. If remedial measures were put in place, how were they distributed throughout the company and were they understood by employees?

  1. Periodically evaluate the M&A review procedures’ effectiveness benchmarked against any legal proceedings, FCPA enforcement actions, Opinion Releases or other relevant information.

Tomorrow, I will review how you use the information that you are able to obtain in the pre-acquisition process.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 11, 2014

Friday Comings and Goings

7K0A0032I wish I could be there.

Next week, the FCPA Professor is leading his first FCPA Institute this summer over two days, July 16 and 17. The event will be held in Milwaukee and hosted by the law firm of Foley and Lardner.

The Professor’s stated goal in leading this first Institute is “to develop and enhance fundamental skills relevant to the FCPA and FCPA compliance in a stimulating and professional environment with a focus on learning. Information at the FCPA Institute is presented in an integrated and cohesive way by an expert instructor with FCPA practice and teaching experience.” Some of the topics, which will be covered, include the following:

  • An informed understanding of why the FCPA became a law and what it seeks to accomplish;
  • A comprehensive understanding of the FCPA’s anti-bribery and books and records and internal controls provisions and related enforcement theories;
  • Various realties of the global marketplace which often give rise to FCPA scrutiny;
  • The typical origins of FCPA enforcement actions including the prominence of corporate voluntary disclosures;
  • The “three buckets” of FCPA financial exposure and how settlement amounts in an actual FCPA enforcement action are typically not the most expensive aspect of FCPA scrutiny and enforcement;
  • Facts and figures relevant to corporate and individual FCPA enforcement actions including how corporate settlement amounts are calculated;
  • How FCPA scrutiny and enforcement can result in related foreign law enforcement investigations as well as other negative business effects from market capitalization issues, to merger and acquisition activity, to FCPA related civil suits; and
  • Practical and provocative reasons for the general increase in FCPA enforcement.

In other words, it is what you have come to expect from the FCPA Professor; well-thought out reasoned analysis, practical knowledge and learning, and provocative thinking and assessment. But more than all of the above I believe you will receive some great insight into and why the FCPA Professor continually challenges the status quo in many areas about the FCPA. He and I often look at the same thing and see different views but by seeing more than one view, I believe you will come away with a deeper overall understanding of the entire FCPA picture.

For complete information on the FCPA Institute, click here.

As Monty Python might say And Now For Something Completely Different. If you would like a much shorter view of some FCPA and anti-corruption related topics, check out some of my most recent podcasts, the FCPA Compliance and Ethics Report. 

In Episode 74, I visit with Paul McNulty about his upcoming move to become the President of his alma mater, Grove City College.

In Episode 72, I visit with the GRC Pundit, Michael Rasmussen about why companies have such a disconnect when it comes to the theory and practice of their GRC practices.

In Episode 69, I visit with Joe Oringel about his company’s exciting new approach to transaction monitoring in the anti-corruption space.

In Episode 68, I interview Neil Swidey, author of Trapped Under the Sea about his experiences in researching and writing his book.

In Episode 66, the FCPA Professor shares his thoughts on the Esquenazi decision.

In Episode 63 and 64, I have a two-part discussion of the management of third parties under the FCPA.

For those few of you on the planet not aware of it, the World Cup final will be held this coming Sunday. Mike Brown and I have been discussing the World Cup, FIFA and anti-corruption in our World Cup Report series. You can check out Part I, Part II, Part III, Part IV, or Part V.

All of the episodes of the FCPA Compliance and Ethics Report are available for download on iTunes at no cost so if you want to catch up on all things FCPA and compliance related on the drive to work, you can do so. A happy Friday and enjoyable weekend to all.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 10, 2014

Mid-Year FCPA Report, Part II

Mid Year ReportToday, I continue my look at what I think were some of the most significant highlights from the first half of 2014 relating to the Foreign Corrupt Practices Act (FCPA). Yesterday, the focus was on corporate and individual enforcement. Today we review a very rare court of appeals decision on whether a state-owned enterprise is covered by the FCPA; yet another surprising result in an opinion release and finally take a look at some real world examples of why the FCPA is such a powerful and positive law for US companies doing business overseas.

Esquenazi Decision on State Owned Enterprises Covered by the FCPA

In what can only be called a judicial decision based on common sense the 11th Circuit Court of Appeals, in an opinion released on May 16, upheld the convictions of Joel Esquenazi and Carlos Rodriguez for violations of the FCPA and certain US anti-money laundering (AML) laws. The two had engaged in a long running bribery scheme with the Haitian telephone company, Telecommunications d’Haiti, S.A.M (Teleco). The pair were convicted and sentenced to lengthy jail terms, Esquenazi receiving 15 years and Rodriguez receiving 7 years. One of their myriad defenses was that a state owned enterprise, such as Telco, was not an instrumentality and thereby not covered under the FCPA.

This opinion was the first time that a Court of Appeals had reviewed the FCPA question of what is an ‘instrumentality’ under the Act. Both defendants had argued that instrumentality could only mean (1) “that only an actual part of the government would qualify as an instrumentality” or (2) the FCPA should be construed to encompass only foreign entities performing ‘core’ governmental functions similar to departments or agencies. The Court rejected both arguments.

The Court constructed a two-prong test to determine if a state owned enterprise is an instrumentality under the FCPA. The first prong is the ‘Control Test’ and the second prong is the ‘Function Test’. Under the Control Test, a compliance practitioner should analyze how much control a foreign government has over a state owned enterprise. The Court suggested questions like: (1) The foreign government’s formal designation of the entity; (2) Whether the government has an interest in the entity; (3) The government’s ability to hire and fire the entity’s principals; (4) The extent to which the entity’s profits, if any, go directly into the governmental fisc; (5) The extent to which the government funds the entity if it fails to break even; and (6) The length of time these indicia have existed. The Court suggested the following for the Function Test: (1) Does the entity have a monopoly over the function it exists to carry out; (2) Does the foreign government subsidize the costs associated with the entity providing the services; (3) Does the entity provide services to the public at large in the foreign Country; and (4) Does the foreign government generally perceive the entity to be performing a governmental function?

I can only say that common sense won out in this decision. The word ‘instrumentality’ must mean something under the FCPA and I believe the Court correctly found that state owned enterprises falls under the rubric of instrumentality under the FCPA.

Opinion Release 14-01

Continuing its run of publishing Opinion Releases where it comes down on the side I had not expected, the DOJ released Opinion Release 14-01. In 14-01, a company wanted to buy-out a now government official from a company he had been a part of before he went into government service. The problem was that his buy-out provision was entered into during the past economic downturn and the value of his buy-out was under water. He wanted to get something for his prior investment. The Relator proposed another formula for his exit compensation and the DOJ agreed it would not be a FCPA violation to do so.

For the compliance practitioner, there are several key points to consider. The first point is found in a footnote detailing the length of time it took to secure the DOJ opinion. This is the first time that I recall seeing a time line laid out in an Opinion Release. This gives a compliance practitioner some idea of the time frames involved in the process. The second is the use of representations and warranties by the parties. In 14-01, the DOJ accepted representations that the foreign official in question would not pass on business in which he either had an interest or help the Relator to ‘obtain or retain’ business with the agency at which the foreign official now worked. This type of evidence is something that a company should now consider when designing protocols to satisfy issues similar to those presented in 14-01. Finally was the quality and quantity of payment(s) to be made to the now foreign official to cash him out and purchase his interest. Here the parties agreed to an independent valuation by an internationally recognized accounting firm. This provides some type of arms-length analysis. It also provides a market based approach to the payment issue so that there is evidence of true (or perhaps truer) market value, not some arbitrary number agreed to by the parties.

The message from 14-01 and last year’s Opinion Release, seems to me, that the DOJ is open to creative arguments about ways to comply with the FCPA. 14-01 also shows that the process can move quickly when the situation warrants it.

The International Effect of the FCPA

In certainly one of the most interesting revelations of the first half of 2014, former US Secretary of Defense, Robert Gates wrote the following in his recently released memoirs, entitled “Duty: A Memoir of a Secretary at War”, in which he said the following, ““In a private meeting, the king [King Abdullah of Saudi Arabia] committed to a $60 billion weapons deal including the purchase of eighty-four F-15’s, the upgrade of seventy-15s already in the Saudi air force, twenty-four Apache helicopters, and seventy-two Blackhawk helicopters. His ministers and generals had pressed him hard to buy either Russian or French fighters, but I think he suspected that was because some of the money would end up in their pockets. He wanted all the Saudi money to go toward military equipment, not into Swiss bank accounts, and thus he wanted to buy from us. The king explicitly told me saw the huge purchase as an investment in a long-term strategic relationship with the United States, linking our militaries for decades to come.”

I would ask you to consider, just how many US interests can be identified in the above quote. I can identify at least five: (1) US security interests; (2) US foreign policy interests; (3) US military interests; (4) US economic interests; and (5) US legal interests as reflected in compliance with the FCPA. For any person or business interest that does not think that the FCPA has a positive aspect, I would commend you to the above Gates quote. His quote, buried at page 395 of a 618-page book, did not even merit an entry in the Index. Yet, I find it to one of the finest, clearest and most concise affirmations of the positive power of the FCPA. Anytime you face criticism of your FCPA compliance program, a senior executive wants to know why you need resources to comply with the FCPA or you hear a business colleague whining about how ‘those people’ do business corruptly, I would suggest that you read to them this quote to show the power of the FCPA in international business.

Tangentially related to this revelation was the work by Scott Killingsworth to lay the legal and theoretical foundations for my real world observation about a business solution to FCPA compliance in his latest article entitled “The Privatization of Compliance”, which he calls this “private-to-private or P2P compliance.” In his introduction he stated, “Embodied in contract clauses and codes of conduct for business partners, these obligations often go beyond mere compliance with law and address the methods by which compliance is assured. They create new compliance obligations and enforcement mechanisms and touch upon the structure, design, priorities, functions and administration of corporate ethics and compliance programs. And these obligations are contagious: increasingly accountable not only for their own compliance but also that of their supply chains, companies must seek corresponding contractual assurances upstream. Compliance is becoming privatized, and privatization is going viral.”

With the long-expected Avon settlement on the horizon and the collapse of the SEC case against the Noble executives, it will be most interesting to see what the second half of the year will bring.

=================================================================================================================================================================================================================================================

On another note, I saw Queen play last night and while I will write about them and their show next week, I can only say that if they are coming to a town near you, run don’t walk to see them. The show was fabulous.

And on a final note, if you are in the mid-west or so inclined to travel their and are interested in the FCPA, I urge you to attend the FCPA Professor‘s initial FCPA Institute, which he is holding in Milwaukee next week. For more information, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 9, 2014

Mid-Year FCPA Report, Part I

Mid Year ReportAs we are now past the halfway mark of 2014, I thought it might be a good time to look at the year in review, so over the next couple of days, I will be reviewing what I believe to be some issues and developments to the Foreign Corrupt Practices (FCPA) world. In this Part I, I will look at an enforcement action which brought a company to No. 5 on the list of highest FCPA settlements, to a company which seemingly came back from the edge of very bad FCPA conduct and finally some individual prosecutions and one interesting settlement in a SEC action against individuals. 

Alcoa

In one of the more long-running international bribery and corruption sagas, Alcoa Inc. settled a FCPA action by having one of its subsidiary’s plead guilty to bribing officials in Bahrain to win contracts to supply the raw materials for aluminum to Aluminum Bahrain BCS or Alba. As reported by the FCPA Professor, “Alcoa entities agreed to pay approximately $384 million to resolve alleged FCPA scrutiny (a criminal fine of $209 million and an administrative forfeiture of $14 million to resolve the DOJ enforcement action and $175 million in disgorgement to resolve the SEC enforcement action – of which $14 million will be satisfied by the payment of the forfeiture in the criminal action).” Alcoa now sits as No 5 on the list of all-time FCPA settlements and has the distinction of paying the largest disgorgement.

Payments were made through shell corporations, agents and distributors. As reported in the Wall Street Journal (WSJ), in an article entitled “Alcoa Snared in Bahrain Bribery Case”, although one of its subsidiaries, Alcoa World Aluminum, pled guilty to violating the FCPA, its parent Alcoa issues a statement that “neither the Department of Justice nor the SEC alleged or found that anyone at Alcoa “knowingly engaged in the conduct at issue.”” According to the WSJ article, the bribery scheme had been in place since at least 1989. Further, at least one in-house counsel had raised concerns in 1997 that the contracts around the bribery scheme when she wrote in an email to Alcoa’s corporate headquarters stating “The contract looks odd. Are these factors OK from an anti-trust and FCPA perspective?” I guess sometimes actual knowledge is really not actual knowledge.

Hewlett-Packard (HP)

In what can only be described as one of the most stunning failures of internal controls to be seen in the annuls of FCPA enforcement actions, HP resolved a matter through a guilty plea, a Deferred Prosecution Agreement (DPA) and a Non-Prosecution Agreement (NPA), for three separate bribery schemes in three countries. For a deal in Russia, HP paid a one-man agent approximately $10MM, which was simply a conduit to pay bribes. In Poland, HP’s Country Manager literally carried bags of cash in the amount of $600K to a Polish government representative for contracts. Finally, in HP’s Mexico subsidiary, according the to the Securities and Exchange Commission (SEC) Press Release, HP “paid a consultant to help the company win a public IT contract worth approximately $6 million. At least $125,000 was funneled to a government official at the state-owned petroleum company with whom the consultant had connections. Although the consultant was not an approved deal partner and had not been subjected to the due diligence required under company policy, HP Mexico sales managers used a pass-through entity to pay inflated commissions to the consultant.”

As noted by Mike Volkov, “In total the three HP entities paid $76 million in criminal penalties and forfeitures. In a related filing, the SEC and HP entered into a civil settlement under which HP agreed to pay $31 million in disgorgement, prejudgment interest, and civil penalties.”

The enforcement action is also notable for two other factors. The first is that HP did not self-disclose the conduct even after German authorities raided the company’s Germany subsidiary’s offices in connection with the Russia transaction. HP seemingly made a dramatic comeback in the eyes of the Department of Justice (DOJ), which leads to the second point of note. That involved the overall penalty assessed against HP. What are we to make of the criminal fines levied against the Russian and Polish subsidiaries of HP? The US Sentencing Guidelines for the Polish subsidiary suggested a fine range of $19MM to $38MM, yet the final fine was $15MM. The US Sentencing Guidelines for HP’s Russian subsidiary suggested a fine range of $87MM to $174MM, yet the final fine was $58MM.

What does it all mean? It would seem that a company could come back from the brink of very bad facts and no self-disclosure. How did HP do it? The resolution documents only reference HP’s ‘extraordinary cooperation’ and installation of a best practices compliance program. My hope is that HP will publicize the steps it took so that the rest of us might learn how they accomplished the results they received.

Individual Indictments, Arrests and Settlements

As reported in the FCPA Blog, there were a number of individuals who fell under FCPA criminal scrutiny in the first half of 2014.

PetroTiger

Joseph Sigelman, the former co-CEO of PetroTiger Ltd., was charged with conspiracy to violate the FCPA and to commit wire fraud, conspiracy to launder money, and substantive FCPA and money laundering offenses. He is accused of bribing an official at Ecopetrol SA, Colombia’s state-controlled oil company, and defrauding PetroTiger by taking kickbacks. As reported by Joel Schectman in the WSJ, two other PetroTiger executives, Sigelman’s co-CEO, Knut Hammarskjold and the company’s former General Counsel (GC), Gregory Weisman, have already pled guilty to the charges.

It is alleged that Sigelman bribed an official in Colombia to help win an oil contract worth $39 million and of seeking kickback payments during the acquisition of another company, in exchange for a better price. Most interestingly, even after the company conducted an internal investigation, which uncovered the conduct and self-disclosed its findings to the DOJ, Sigelman has said he will go to trial and contest the charges.

Firtash and His Associates

In what may be an early preview of the corrupt doings of the old guard in Ukraine, there were a number of individuals arrested or indicted in connection with an alleged scheme to pay $18.5 million in bribes to officials in India to gain titanium mining rights. They include team leader, Dmitry Firtash, a Ukrainian national, who was arrested in Vienna, Austria, March 12, 2014, and the following were indicated with Firtash and charged with conspiracy to violate the FCPA, and who are still at large: Andras Knopp, a Hungarian businessman,; Suren Gevorgyan a Ukrainian national,; Gajendra Lal, an Indian national and permanent resident of the US; Periyasamy Sunderalingam, a Sri Lankan. K.V.P. Ramachandra Rao, a member of parliament in India and former official of the state of Andhra Pradesh, has been charged along with the other five defendants with one count each of a racketeering conspiracy and a money laundering conspiracy, and two counts of interstate travel in aid of racketeering. Although he was not charged under the FCPA, the DOJ has asked India to arrest him.

Direct Access Partners

Continuing the investigation into the first investment bank, Direct Access Partners LLC (DAP), to be charged with FCPA violations, there were two more individuals charged, in addition to the four from 2013 who all pled guilty. Benito Chinea, former CEO of DAP, was charged in federal court in New York for bribery involving Venezuela’s state bank and Joseph Demeneses, a former managing director, was also charged in the 15-count indictment of paying kickbacks to a vice President of the Venezuelan Nation Bank BANDES, in exchange for the bank’s bond-trading business.

Noble Energy Executives

While it is not entirely clear if these cases belong in the first half or second half of the their, the Securities and Exchange Commission (SEC) rather unceremoniously dropped its enforcement action against one former and one current Noble Energy executives. The SEC had claimed that former Noble Corporation CEO Mark A. Jackson along with James J. Ruehlen, had bribed customs officials to process false paperwork purporting to show the export and re-import of oil rigs, when in fact the rigs never moved. These actions led to allegations that Jackson and Ruehlen directly violated the anti-bribery provisions, internal controls and false records provisions relating to the FCPA. For all of these claims the SEC sought injunctive relief and monetary damages.

But as reported in the FCPA Blog, “A docket entry from July 1 for the U.S. federal district court in Houston said all deadlines in the SEC’s civil FCPA enforcement action against two former Noble executives have been vacated “pending final settlement documents.”” Both defendants agreed not to violate or aid and abet any violation of the FCPA going forward. Pretty stout stuff when you consider that all US citizens have that obligation going forward, whether they agree to it in a court filed documents or not.

Tomorrow we continue with Part II.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

 

 

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 4,530 other followers