FCPA Compliance and Ethics Blog

August 21, 2014

What Can You Do When Risk Changes in a Third Party Relationship?

RiskThe GlaxoSmithKline PLC (GSK) corruption matter in China continues to reverberate throughout the international business community, inside and outside China. The more I think about the related trial of Peter Humphrey and his wife, Yu Yingzeng for violating China’s privacy laws regarding their investigation of who filmed the head of GSK’s China unit head in flagrante delicto with his Chinese girlfriend, the more I ponder the issue of risk in the management of third parties under the Foreign Corrupt Practices Act (FCPA). In an article in the Wall Street Journal (WSJ), entitled “Chinese Case Lays Business Tripwires”, reporters James T. Areddy and Laurie Burkitt explored some of the problems brought about by the investigators convictions.

They quoted Manuel Maisog, chief China representative for the law firm Hunton & Williams LLP, who summed up the problem regarding background due diligence investigations as “How can I do that in China?” Maisog went on to say, “The verdict created new uncertainties for doing business in China since the case hinged on the couple’s admissions that they purchased personal information about Chinese citizens on behalf of clients. Companies in China may need to adjust how they assess future merger partners, supplier proposals or whether employees are involved in bribery.”

I had pondered what that meant for a company that wanted to do business in China, through some type of third party relationship, from a sales representative to distributor to a joint venture (JV). What if you cannot get such information? How can you still have a best practices compliance program around third parties representatives if you cannot get information such as ultimate beneficial ownership? At a recent SCCE event, I put that question to a Department of Justice (DOJ) representative. Paraphrasing his response, he said that companies still need to ask the question in a due diligence questionnaire or other format. What if a third party refuses to answer, citing some national law against disclosure? His response was that a company needs to very closely weigh the risk of doing business with a party that refuses to identify its ownership.

The more that I thought about that answer the more I became convinced that it was not only the right answer under any type of FCPA compliance program but also the right response from a business perspective. A company must know who it is doing business with, for a wide variety of reasons. The current situation in China and even the convictions of Humphrey and Yu do not change this basic premise. You can ask the question. If a party does not want to disclose its ownership, you should consider this in any business relationship going forward.

The Humphrey and Yu conviction do not prevent you from asking the question about ownership. Their convictions mean that you may not be able to verify that information through what many people thought was publicly available information, at least publicly available in the west. I was struck by one line in the Areddy and Burkitt article, “It’s not just that the tactical business practices need to change; it’s the mind set” quoting again from Maisog.

I breakdown the management of third parties under the FCPA into five steps, which are:

  1. Business Justification and Business Sponsor;
  2. Questionnaire to Third Party;
  3. Due Diligence on Third Party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

The due diligence step is but one of these five. Further due diligence is performed in large part to verify the information that you receive back from a proposed third party. So what if you can longer use avenues previously open to you in markets such as China? Perhaps there are other ways to manage this issue. Areddy and Burkitt also interviewed Jerry Ling, a partner at Jones Day, for the following “companies will need to analyze Chinese accounting documents themselves and conduct more in-person interviews with anyone they want to know more about in China.”

Ling’s point dovetails directly into what I heard from the DOJ representative. There is nothing about the Chinese law, or any other country’s law, which prevents you from asking some basic questions that are found in the Step 2 Questionnaire cited above. You can always ask who the owners of a company are, whether they are direct or beneficial. You can always ask if a company, its owners or its senior management have been involved in any incidents involving bribery and corruption and you can always ask if the company has a Code of Conduct and/or compliance program and whether its owners or senior management are aware of the FCPA and have had training on it.

Assuming the company will answer your questionnaire, the difficulty you may find yourself in now is verifying the information that you receive. In Ronald Reagan parlance, you may trust but you may not be able to verify it. Ling said in the WSJ article that “The challenge now for clients is that it’s hard to get good information.”

However, due diligence is but one step in the management of any third party in a FCPA compliance program. Just as when risk goes up and you increase your management around that risk, the situation is similar in here. Putting it another way, if you cannot obtain private information such as personal identification numbers during the due diligence process, you can put greater management around the other steps that you can take. Further, there has been nothing reported which would suggest that publicly filed corporate licenses or other information that might show ownership can no longer be accessed. Court records and public media searches also seem to still be available.

But what if you simply cannot determine if the information you are provided regarding ownership is accurate or even truthful? You can still work to manage the relationship through your commercial terms by setting your commission or other pay rates at a reasonable amount of scale. If you are dealing with a commissioned sales representative, you can probably manage this area of the relationship by setting the commission in the range of 5%. You can also manage the relationship by reviewing invoices to make sure there is an adequate description of the services provided so that they justify whatever compensation the third party is entitled to receive under the contract. You may also want to schedule such a third party for an audit ahead of other parties to help ensure adherence to your compliance terms and conditions.

There may be times when you cannot verify the true or ultimate beneficial owner of a third party. That does not have to be the end of the analysis. If that situation arises, you may want to see if there are other risk mitigation tools at your disposal. Put another way, if such a red flag arises, can it be cleared? Can it be managed? If your company is looking a major deal for multi-millions and your agent will receive a six or seven figure commission, the risk of not knowing with certainty may be too great because in such a case, an unknown owner could be a government official who has awarded the contract. But if your agent receives a considerably smaller commission and hence there is a considerably small amount of money to constitute a bribe, you may be able to manage that risk through a close and effective relationship management process.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 20, 2014

Voyager II Launches and The FCPA Professor’s New Book

The Foreign Corrupt Practices Act In A New EraMany readers of this blog will recall that the Foreign Corrupt Practices Act (FCPA) is 37 years old this year. Perhaps less might remember that also 37 years ago, NASA launched Voyager II, which was an unmanned spacecraft. It was the first of two such crafts to be launched that year on a “Grand Tour” of the outer planets, organized to coincide with a rare alignment of Jupiter, Saturn, Uranus and Neptune. Aboard Voyager II was a 12-inch copper phonograph record called “Sounds of Earth.” Intended as a kind of introductory time capsule, the record included greetings in 60 languages and scientific information about Earth and the human race, along with classical, jazz and rock ‘n’ roll music, nature sounds like thunder and surf, and recorded messages from then President Jimmy Carter and other world leaders. Being good engineers, NASA conveniently included instructions on how to play the record, with a cartridge and needle provided.

In light of the age of the FCPA and our celebration of reaching for the stars, today I wanted to celebrate a volume from one of the FCPA’s most prolific commentators, Mike Koehler, the FCPA Professor. The author of numerous legal and scholarly articles and his eponymous daily blog, The FCPA Professor, he joined the thin ranks of those authors with hard bound volumes concerning the FCPA with his edition, The Foreign Corrupt Practices Act In A New Era.

As you would expect from the FCPA Professor he has lengthy sections on the genesis of the FCPA and its legislative history; general legal principals as they relate to FCPA enforcement and interpretation as well as the specifics of the text of the FCPA itself; and a review of enforcement actions. He also gives his insights as to why there was such an explosion of FCPA enforcements, beginning in 2004 and continuing right up until the present. He provides some pointers on FCPA compliance programs and ends the book with a discussion of FCPA reform. Of course, as you would expect from the FCPA Professor, the entire work is chocked full of quotations, citations and endnotes.

I would like to highlight some of my favorite discussions in the book. In Chapter 5 entitled FCPA Enforcement, he identifies “Three Buckets” of FCPA financial exposure. They are “(i) pre-enforcement actions professional fees and expenses; (ii) fine, penalty and disgorgement amounts in an actual FCPA enforcement action; and (iii) post-enforcement action professional fees and expenses.” With this tripartite description he lays out what a company might reasonably expect if it finds itself embroiled in an FCPA investigation and enforcement action. The message I got from this Chapter was that you had better have a strong compliance program in place because it is going to be a long hard and costly slog going forward if you don’t.

In Chapter 6, entitled Reasons for the increase in FCPA enforcement, The Professor sets out his thoughts on why there has been such an explosion of growth in FCPA enforcement. While both the use of Non-Prosecution Agreements (NPAs) and Deferred Prosecution Agreements (DPAs) are noted along with the passage and implementation of Sarbanes-Oxley (SOX); there are other reasons cited in the section entitled (appropriately enough) ‘Provocative Reasons’. These include that FCPA enforcement is “lucrative for the US government”; “the emergence and rapid rise of a lucrative industry called FCPA Inc.” (full disclosure – I am a card carrying member of FCPA Inc.); and the revolving door of lawyers who go into government service, enforce the FCPA and then leave government service to defend clients under government scrutiny for FCPA issue.

As the ‘Nuts and Bolts’ guy, I was very interested in Chapter 8, entitled FCPA Compliance and best practice. Fortunately he left some room for folks like me to go into the weeds of a compliance program but he did state, “While FCPA risk cannot be eliminated, it can be effectively managed and minimized when doing business in the global marketplace, and one positive result of the increase in FCPA enforcement in this new era has been the related increase in ‘soft’ enforcement of the FCPA through compliance policies and procedures.” He went on to define ‘soft enforcement’ as “a law’s ability to facilitate self-policing and compliance to a greater degree than can be accomplished through ‘hard’ enforcement alone. This was music to my ears. He also gave some practical approaches to implementing or enhancing your compliance program that I found to be quite useful for the compliance practitioner.

The Professor ends his book with a renewed call for FCPA reform. While he recognizes that, post Walmart, the impetus in Washington for amending the FCPA has all but died out; he does lay out all his reasons for the creation of a compliance defense amendment to the FCPA. Another cornerstone of his call for reform is to abolish NPAs and DPAs from the Department of Justice’s (DOJs) prosecutorial arsenal. Both of these issues bear serious weight and scrutiny and the FCPA Professor lays out his thoughts on each. Whatever your position on these issues is, you need to read up on what the Professor has to say to fully form your own internal debate.

As I have often remarked about the FCPA Professor, you may disagree with him but your FCPA knowledge and experience will be enriched by reading anything he puts out there for the rest of us to consume. However, after the publication of this book, I will have to add that it should become one of the standard texts for any FCPA compliance practitioner, law student studying the FCPA or anyone else interested in anti-bribery and anti-corruption. It should be on your FCPA library bookshelf. It certainly now sits proudly on mine.

You can purchase a copy of The Foreign Corrupt Practices Act In A New Era by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 19, 2014

A Surprise in Progressive Rock – FCPA Internal Investigations

Prog RockThis past weekend I saw some great bands and heard some great music. On Friday night I finally got to see Yes perform two fabulous albums, Close to the Edge and Fragile complete uncut and straight through. To say I was blown away would be putting it mildly. But there was one great revelation that I received from the show and that was the opening band, Syd Arthur. They are an English band, from Canterbury, and very much the inheritors of the prog rock mantle from bands such as Yes. Their sound was simply amazing and if you are into progressive rock at all, I would suggest you check them out.

I thought about my surprise on finding a more current and certainly younger band so proudly carrying the prog rock mantle when I returned back to Houston and was contacted by a reporter asking for my comments about the appeal of Shell v. Writt to the Texas Supreme Court. For those compliance practitioners amongst you who may have placed this state court libel action to the recesses of your mind or never even heard about it; it is something you should pay attention to as the case has some clear implications about the manner in which companies conduct and use internal investigations.

The case has a long involved Foreign Corrupt Practices Act (FCPA) history. It involves Panalpina and its customer Shell. David Smyth, in his great blog Cady Bar the Door, reported, in a post entitled “Texas Court of Appeals Has Put Some FCPA Internal Investigations in an Awkward Spot”, the Department of Justice (DOJ) contacted Shell about its dealings with Panalpina. Sometime later, “Shell agreed to conduct an internal investigation into its dealings with Panalpina. As Shell’s “managing counsel” later testified, “Shell agreed to conduct the internal investigation with the understanding that it would ultimately report its finding to the DOJ . . . .” A DOJ Fraud Section attorney wrote a follow-up letter noting, “[I]t is our understanding that Shell intends to voluntarily investigate its business dealings with Panalpina Inc. and all other Panalpina subsidiaries and affiliates.”” Unfortunately for all involved, “Shell submitted an investigative report that pointed the finger at Writt.  Specifically, Shell said Writt had been involved in illegal conduct in a Shell Nigerian project by recommending that Shell reimburse contractor payments he knew to be bribes and failing to report illegal contractor conduct he was aware of.”

Writt sued Shell for libel and Shell defeated Writt at the trial court on the basis that it had an “absolute privilege to say what it did in its investigative report to the DOJ.” In Texas absolute privilege applies because the unfettered flow of information to the judicial system and administrative proceedings is favored over the worry that someone might be wrongly named in such information.

However, a Texas Court of Appeals reversed the trial court ruling holding that absolute privilege does not apply where a party voluntarily turns over information to a prosecutor before a judicial proceeding is initiated or contemplated.

As Smyth explained, “In the court’s view, DOJ was acting purely in a prosecutorial and non-judicial capacity.  Shell submitted its investigative report on February 5, 2009, and DOJ did not file a criminal complaint against the company until November 2010, 20 months later.  As the court said, “Just because the DOJ ultimately filed a judicial proceeding against Shell does not establish that it was proposing that one be filed when it contacted Shell on July 3, 2007 or received Shell’s report on February 5, 2009.””

Shell has appealed this matter to the Texas Supreme Court. Under Texas law, an appeal to the Texas Supreme Court is discretionary and at this point, the Texas Supreme Court has not indicated whether it will accept the case. Interestingly the US Chamber of Commerce submitted a letter brief, on behalf of its members, urging the Texas Supreme Court to accept the case for review. In its penultimate paragraph it states, “At the end of the day, it is an unavoidable truth that any business that wishes to be a good corporate citizen by reporting its FCPA violations to regulators will necessarily implicate its own employees of wrongdoing. Thus, any rule that imposes costs on a company implicating its employees in wrongdoing will necessarily chill voluntary reporting of FCPA violations and impose unfair burdens on those companies who nonetheless choose to self-report.”

One of the more interesting arguments made by the Chamber was that there is currently enough incentive for companies to get investigations right. While noting that the Court of Appeals had worried about the “concern that absolute immunity from suit might motivate parties to “deflect blame” for FCPA violations onto its employees “without fear of consequence””; the Chamber said, “But there are more effective ways to prevent false reports. For example, false statements to government officials are already a crime punishable under 18 U.S.C. § 1001. Moreover, a false report against an employee would also implicate the business itself. After all, corporations act through their employees. Far from deflecting blame, then, a false accusation of an FCPA violation against an employee would incriminate the company as well.”

The real problem with this argument is that it leaves no remedy for any employee who is wrongly accused (libeled in legal parlance) in an internal FCPA investigation report. It has always been against the law to give false reports to government officials so nothing is new in that argument. One might argue that the civil justice system is better to evaluate such wrongful claims. But Smyth points to another reality when he ended his piece with the following, “FCPA investigations these days are a different animal, and probably deserving of different treatment by the courts.  As of now, a company conducting an internal FCPA investigation in Texas has to ask, what do we do if one of an investigation reveals one of our employees as a bad actor?  Do we say as much in the report we turn over to the government, as the government surely expects? If we do, are we signing on for libel litigation by the employee?”

Whatever the Texas Supreme Court decides, this case points to the need to do your best to get it right. That means having an investigation protocol that you can follow. It may mean having outside counsel handle an investigation when it is appropriate. If you conclude that one or more of your employees has violated the FCPA, you need to be able to back up that assertion with facts, evidence and reasonable inferences therefrom.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 18, 2014

How Can Global Corporations Afford (or Afford Not) To Employ Professional Language Solution Providers

Jay RosenEd Note-I recently asked Jay Rosen, Vice President, Language Solutions at Merrill Brink International, if he could help me understand how to think through the the hiring of a language service provider. He graciously wrote the following post.

It seems like a daily occurrence that news organizations and blogs (this one included) report that global corporation XYZ, Inc. has run afoul of FCPA statutes somewhere in the world. The next few paragraphs will recount the jurisdiction where the alleged infraction has occurred and if known at this juncture, the details of the bribery scheme. At this point, if you are well read on this subject, the rest of the article plays out by rote.

Let’s hit the pause button and rewind this story to the beginning. How did XYZ, Inc. get into this position and what steps could have been taken to better communicate the Company’s ethics and compliance policies and procedures to its global employee base? While this would certainly not prevent a rogue employee(s) from committing these alleged infractions, professionally translated and localized ethics and compliance communications provide a proactive solution to insulate global companies from similar situations.

The question of whether or not to engage a professional Language Solutions Provider (LSP), read translation company, usually is driven by the following factors:

  • Cost/Quality
  • Confidentially
  • Change
  1. If I can afford an LSP, how do I choose among the ones out there for quality?

The first thing to cover here is how are translations priced?

Translations are completed on an outsourced basis by professionally educated, qualified, and selected linguistic resources. It is important to note that the industry standard is to bill on a per word basis (e.g. X number of words at Y cents per word). This pricing model will become glaringly apparent when Corporations look at alternative methods to translate documents in-house with an eye to saving money.

Proposed Internal Translation Solutions

Here are several ideas that are usually considered in lieu of engaging professional translation resources:

  • Becky down the hall speaks French
  • We can use someone in our Paris Office
  • The Forensic accountant working with us in Beijing

On first blush the three suggestions above all seem like good ideas that will potentially save money and lead to quality results. Unfortunately these three courses of action fall short by:

  • Not providing the necessary quality ensured by professional translation resources
  • End up costing the client both opportunity costs and greater total translation costs and
  • Do nothing to mitigate the risk of not having an independent outsourced LSP translating (and certifying) your documents (if necessary).

Becky down the hall speaks French

Although Becky does speak French, she has other duties in the organization that must be put aside for her to work on translating documents. Should this project take 3 – 4 hours and if Becky has a bill rate of $400/hour, this solution ends up wasting precious time and costing the end client ~ $1,600 instead of the a few hundred dollars to professionally produce an accurate translation.

We can use someone in our Paris office

As in the example above, this option also creates lost opportunity cost and further taxes billable resources in another time zone. This would require the company to utilize internal resources and having to deal with colleagues not under their direct local control and working in various global markets.

The forensic accountant working with us in Beijing

In this case, we have someone working far out of their core expertise and comfort zone – forensics – and having to wear the hat of a professional translator. Price also comes into play as these forensic resources start billing around $250/hour and could be higher.

Bottom line, what initially appears to be a viable and cost effective solution, ends up sacrificing quality, escalating costs and potentially increasing risk by internally generating substandard translations.

  1. If I use an LSP, how do I ensure confidentiality of the information contained in my documents? 

Confidentiality, especially in the FCPA arena, is a valid concern and must be considered when engaging a qualified LSP. Professional LSPs will require their linguists to sign a Confidentiality or Non-Disclosure Agreement. This agreement will be on file with the LSP and a copy of the agreement can easily be shared.

In terms of global data privacy restrictions, it is good to discuss this in advance with the LSP and depending on what jurisdiction your matter is based in, evaluate the LSP’s experience and comfort level in handling data privacy concerns.

In terms of looking at the individual linguists, a professional LSP will hire translators with the following credentials:

  • Minimum 4 year college degree
  • Subject Matter Expertise (SME)
  • Additional testing by the LSP

These three areas serve to validate the choice of an independent LSP as the translators employed will meet the minimum of a 4 year degree and quite often will have post-graduate or professional degrees such as JD’s or PhD’s. Furthermore, LSPs can provide Subject Matter Experts (SMEs) with specific sector knowledge such as IP/patents, cross-border litigation or FCPA, ethics and compliance experience. Finally the additional testing required by LSPs ensures that clients are receiving top-notch and best of breed translation solutions.

  1. How do I risk disrupting the status quo to change my current translation/localization workflow?

So far we have covered two out of three issues to consider in the choice of whether or not to engage an outsourced LSP.

  • Cost/Quality
  • Confidentiality

And finally we will look at another “C” – Change. While this may not initially be perceived as an important factor, this often affects whether an organization decides to employ an outsourced LSP. From a global perspective it is imperative that a Code of Business Conduct and a Company’s policies and procedures are accurately translated from the English source document to the multiple localized versions for global employees.

If in the past this decision has been left to local in-country resources, it may have unintentionally altered or subverted the meaning of the source English language policies and could have potentially created confusion as to the meaning and global reach of a Company’s business policies.

Additional pushback may emanate from current in-country LSPs who have provided these services in the past.   While it makes sense to encourage local buy-in to your Company’s policies and procedures, this can be ensured by asking local ethics and compliance leaders to participate in the translation review process.

By carefully considering cost/quality, confidentiality and change, a global organization can properly assess the impact that hiring a qualified LSP will have on their risk exposure and better position such organizations to quickly react to a changing global investigative and regulatory environment.

Jay Rosen (jay.rosen@merrillcorp.com) is a Vice President, Language Solutions at Merrill Brink International, based in Los Angeles. For further information, please see his article on Translation considerations for global internal investigations, ethics and compliance matters.

August 15, 2014

Lauren Bacall Whistling or How to Structure Customer Due Diligence

BacallYesterday we honored Robin Williams whom we lost earlier this week. Today we honor Lauren Bacall. She will always be a part of that great team of Bogey and Bacall. Most of us were introduced to her in the movie To Have and Have Not. I thought she was one of the most sultry and sexy icons of the 40s screen sirens. As Manohla Dargis wrote in her article for the New York Times (NYT) entitled, “That Voice and the Woman Attached,” that “When she opened her mouth in “To Have and Have Not” — taking a long drag on a cigarette while locking Humphrey Bogart in her gaze — she staked a claim on the screen and made an immortal Hollywood debut. But in 1944 at the exquisitely tender age of 19, she was also projecting an indelible screen persona: that of the tough, quick-witted American woman who could fight the good fight alongside her man.” She later married Bogart and together they were certainly Hollywood, if not American royalty, going forward. And she probably did more for the art of whistling than any person on Earth.

Yesterday I wrote about the Foreign Corrupt Practices Act (FCPA) investigation into certain transactions in Venezuela by Derwick Associates (Derwick) and a US company ProEnergy Services (ProEnergy). ProEnergy supplied turbines that Derwick resold to the Venezuelan government and then installed in that country. I wondered if US companies now need to become more concerned with not only who they do business with but how their customers might be doing business. In the parlance, you may now need to ramp up your ‘Know Your Customer’ information to continue throughout a seller-purchaser relationship.

Doug Cornelius, in a post on his Compliance Building blog, entitled “Proposed Regulations on Customer Due Diligence”, discussed “The U.S. Treasury Department’s Financial Crimes Enforcement Network has proposed revisions to its customer due diligence rules. Of course, the proposed rule would affect financial institutions that are currently subject to FinCEN’s customer identification program requirement: banks, brokers-dealers, and mutual funds.” While, investment advisers and private fund managers are not specifically mentioned in the proposed new regulation, Cornelius noted, “FinCEN suggested that it may be considering expanding these customer due diligence requirements to other types of financial institutions.” In other words, this new proposed regulation would not be directly applicable to a large number of US commercial enterprises doing business outside the United States.

However, the proposed regulation did provide some insight into how US companies, not otherwise subject to it, might think about ways to approach such an inquiry. Referencing an inquiry into anti-money laundering issues (AML) Cornelius wrote that AML programs should have four elements:

  1. Identify and verify the identity of customers;
  2. Identify and verify the identity of beneficial owners of legal entity customers;
  3. Understand the nature and purpose of customer relationships; and
  4. Conduct ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions.

Clearly any FCPA based due diligence would focus on point 2. Cornelius zeroed in on it when he wrote “The definition of “beneficial owner” is proposed as have two prongs”:

  • Ownership Prong: each individual who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25% or more of the equity interests of a legal entity customer, and
  • Control Prong: An individual with significant responsibility to control, manage, or direct a legal entity customer, including an executive officer or senior manager (g., a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, or Treasurer); or (ii) any other individual who regularly performs similar functions.

He also noted, “For identifying ownership of an entity, FinCEN has proposed a form of certification.” But he found such a “certification to be overly simplistic. It only asks for individuals with ownership in the entity. This would clearly miss ownership of the account holder by other entities who could be “bad guys.” The certification also only requires one senior officer.  That makes it too easy to appoint a straw man as executive officer to hide the underlying control by a “bad guy.”” But the FinCen proposed notice itself states “these existing core requirements are already laid out in the BSA [Bank Secrecy Act] as minimum requirements”.

I was equally interested in points 3 and 4. Under point 3, an entity subject to the regulation needs to “Understand the nature and purpose of customer relationships”. The proposed regulation further explained “to gain an understanding of a customer in order to assess the risk associated with that customer to help inform when the customer’s activity might be considered “suspicious.”” Such an inquiry could help a business to “understand the relationship for purposes of identifying transactions in which the customer would not normally be expected to engage. Identifying such transactions is a critical and necessary aspect of complying with the existing requirement to report suspicious activity and maintain an effective AML (or anti-corruption compliance) program.”

The final point 4 relates to ongoing monitoring. Once again consider the position of the US Company, ProEnergy, in the referenced FCPA investigation. What can or should it have done in the way of ongoing monitoring of its customer. The proposed regulation states “industry practice generally involves using activity data to inform what types of transactions might be considered “normal” or “suspicious.”

Furthermore, FinCEN understands that information that might result from monitoring could be relevant to the assessment of risk posed by a particular customer. The proposed requirement to update a customer’s profile as a result of ongoing monitoring (including obtaining beneficial ownership information for existing customers on a risk basis), is different and distinct from a categorical requirement to update or refresh the information received from the customer at the outset of the account relationship at prescribed periods”. Lastly the proposed regulation states, “Finally, as noted above with respect to the obligation to understand the nature and purpose of customer relationships, monitoring is also a necessary element of detecting and reporting suspicious activities”.

There does not have to be a direct bribe or other corrupt payment made by a US company to have liability under the FCPA. FCPA enforcement is littered with companies that have paid bribes through third parties. However, as the Fifth Circuit said in Kay v. US, “[W]e hold that Congress intended for the FCPA to apply broadly to payments intended to assist the payor, either directly or indirectly,” [emphasis mine]. ProEnergy would seem to be at the far edge of potential FCPA liability but if it knew, had reason to know, or even perhaps should have known about some nefarious conduct by its customer, it does not take too many steps to get to some FCPA exposure. The proposed FinCEN rules on customer due diligence for financial institutions might be a good starting point for other commercial entities to consider.

If all of the above is a bit too heavy for a Friday, well view this clip on how to whistle by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 10, 2014

Where to Now St. Peter? – Due Diligence Going Forward in China

Tumbleweed ConnectionWhatever you might think of where his career went, Elton John had some great early stuff. I still rank Tumbleweed Connection right up there as one of my favorite albums of all-time. And while it was packed with some great tracks, one of my most favorite was Where to Now St. Peter? It was the opening track on Side 2 and dealt with whether a dying soldier would end up in heaven or hell. While perhaps having quite the spiritual overtones, I did think about this song when I read about the convictions on Saturday of Peter William Humphrey, a 58-year-old British national, and his wife, Yu Yingzeng, a 61-year-old naturalized American, on charges of illegally purchasing personal information about Chinese nationals.

In a one day trial the couple was convicted of illegally purchasing information on Chinese citizens. In an article in the Financial Times (FT), entitled “China court hands GSK investigator jail term and orders deportation”, Gabriel Wildau and Andrew Ward reported that husband Humphreys received a two and a half year jail term which was “just short of the three-year maximum”. In an article in the Wall Street Journal (WSJ), entitled “China Convicts Two Corporate Investigators”, James T. Areddy and Laurie Burkitt reported that he was also ordered to pay a fine of approximately $32,500 and will be deported from the country when his jail term is completed. Wife Yingzeng received a two year jail term and was ordered to pay a fine of approximately $23,000 but will be allowed to remain in the country after her sentence is completed.

In a New York Times (NYT) article, entitled “In China, British Investigator Hired by Glaxo, and Wife, Sentenced to Prison”, David Barboza reported that the couple “acknowledged that from 2009 to 2013, they obtained about 250 pieces of private information about individuals, including government-issued identity documents, entry and exit travel records and mobile phone records, all apparently in violation of China’s privacy laws.” According to the NYT article, wife Yu claimed that she did not know her actions where illegal and was quoted as saying, “We did not know obtaining these pieces of information was illegal in China. If I had known I would have destroyed the evidence.” According to the WSJ, the privacy law which was the basis of the conviction, was enacted in 2009 “to make it illegal to handle certain personal medical records and telephone records” but that the law itself “remains vague” on what precisely might constitute violation.

From the court statements, however, it did appear that the couple had trafficked in personal information. As reported by the WSJ, “In separate responses over more than 10 hours, My Humphreys and Ms. Yu denied that their firm trafficked in personal information, saying they had hired others to obtain personal data when clients requested it.” From the documents presented by the prosecution, it would seem clear that the couple had obtained my items which were more personal in nature. They were alleged by prosecutors to have “used hidden cameras to gather information as well as government records on identification numbers, family members, real-estate holdings, vehicle owner, telephone logs and travel records.”

Recognizing the verdicts under Chinese laws are usually predetermined and the entire trials are scripted affairs, there is, nonetheless, important information communicated to the outside world by this trial. First and foremost is, as reported in the NYT article is a “chilling effect on companies that engage in due diligence work for global companies, many of whom believe the couple may have been unfairly targeted.” The WSJ article went further quoting Geoffrey Sant for the following, “It impacts all attempts to do business between the U.S. and China because it will be very challenging to verify the accuracy of company or personal financial information.” In other words, things just got a lot tougher to perform, what most companies would expect to be a minimum level of due diligence.

Second is the time frame noted in the court statements as to the time of the violations, from 2009 to 2013. Many had assumed that Humphreys and Yingzeng’s arrests related to their investigation work on behalf of the British pharmaceutical giant GlaxoSmithKline PLC (GSK) which was trying to determine who had filmed a sex tape of the company’s head of Chinese operations, which was then provided to the company via an anonymous whistleblower. This would seem to beg the question of whether the couple would have been prosecuted if they not engaged in or accepted the GSK assignment.

But as Elton John asked, “Where to now St. Peter?” You should always remember that performing due diligence is but one of five steps in the management of the third party life cycle. If you cannot perform due diligence at a level that you do in other countries or that you could even have done in China before the Humphreys and Yu trial, you can beef up the other steps to help proactively manage your third parties. I often say that your real work with third parties begins when the contract is executed because then you have to manage the relationship going forward. So, if you cannot perform the level of due diligence you might like, you can put more resources into monitoring the relationship, particularly in the area of invoice review and payments going forward.

In a timely article found in this month’s issue of the SCCE magazine, Compliance and Ethics Professional, Dennis Haist and Caroline Lee published an article, entitled “China clamps down on bribery and corruption: Why third-party due diligence is a necessity” where they discussed a more robust response to the issue as well. They note that the retention of third party’s to do business in China is an established mechanism through which to conduct business. They advise “For multinationals with a Chinese presence, or plans to enter the market in the near future, now is the time to pay close attention to the changing nature of the business landscape as it relates to bribery and corruption.” Further, they suggest that “In order to ensure compliance with ABAC [anti-bribery/anti-corruption] regulatory scrutiny, multinationals must demonstrate a consistent, intentional and systematic approach to third-party compliance.” But in addition to the traditional background due diligence, they believe that companies should consider an approach that moves to proactively managing and monitoring third parties for compliance. Lastly, at the end of the day if a regulator comes knocking from the Department of Justice (DOJ) or Serious Fraud Office (SFO), you will need to demonstrate the steps you have put in place and your active management of the process.

In the FT, WSJ and NYT articles it was clearly pointed out that the invisible elephant in the room was GSK. Also it is not clear what the personal tragedy that Humphreys and Yu have endured will mean for GSK or the individuals caught up in that bribery scandal going forward. Humphreys had previously said that he would not have taken on the GSK sex tape assignment if it had been disclosed to him that the company had sustained allegations of corruption by an internal whistleblower. Perhaps one lesson may be that in the future companies will have to disclosure more to those they approach to perform such investigative services.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 8, 2014

Nixon Announces Resignation; GSK Just Resigns

Nixon Resignation SpeechOn this day, 40 years ago, President Richard Nixon announced that he would resign the Office of the President, effective the next day on August 9 at noon. I can still remember my father instructing us to watch the resignation speech on television because, as he put it, it was history in the making. Before a nationally televised address to the country, Nixon said, “By taking this action,” he said in a solemn address from the Oval Office, “I hope that I will have hastened the start of the process of healing which is so desperately needed in America.” His action was hastened along by the Articles of Impeachment voted by the House of Representatives relating to his involvement with the Watergate Affair. With his resignation, Nixon was finally bowing to pressure from the public and Congress to leave the White House.

Yet, even before this truly historic speech and spectacle the next day of Nixon helicoptering off the South Lawn of the White House, Nixon had transformed the America we all lived in. One area that resonates up to this day is his opening with China. If it had not been for Nixon and his Secretary of State Henry Kissinger’s efforts, we might have waited a long time for an opening with China. But Nixon went there and opened China up to do business with the US and indeed the rest of the western world.

Unfortunately one of the much later fallouts from this visit and opening of China has been the corruption investigation by Chinese authorizes against western companies but most publicly the British pharmaceutical giant, GlaxoSmithKline PLC (GSK). And, more unfortunately, the bad news for GSK continues to trickle out into the press.

Next week, Shanghai’s No. 1 Intermediate People’s Court is scheduled to open a trial against Peter William Humphrey, a 58-year-old British national, and his wife, Yu Yingzeng, a 61-year-old American, on charges of illegally purchasing personal information about Chinese nationals. While the trial had originally been planned to be closed to the public, last month Chinese officials announced that the trial would be ‘open’ although the degree of openness is not completely clear.

Not only will the trial be open but the couple’s son, Harvey Humphrey, was allowed visited his parents in their detention center in Pudong, Shanghai, for the first time since their arrest. The visit came after some fierce lobbying by the US and UK consulates. As reported in the online publication FiercePharma, in an article entitled “GSK private eyes’ son allowed first visit to parents in China jail as trial nears”, their son said, “They didn’t quite believe I was coming. They were quite overwhelmed. My mum was shocked. My dad held himself together,” the younger Humphrey told the paper. “It’s a bit unusual for the Chinese to do this. I feel something has changed in the Chinese approach to my parents.” Son Harvey had written to the GSK’s Chief Executive Officer (CEO) Sir Andrew Witte last December to “take a few minutes to raise my father’s case” during a visit to the country, he told the Financial Times (FT), “I understand everything is complicated in China but it seems my parents are paying a big price”. But at this point there is no word on what if any involvement GSK might have in his parent’s defense.

It may be that GSK is way too busy right now worrying about all the other issues surrounding bribery and corruption. In an article in the Wall Street Journal (WSJ), entitled “FBI, SEC Start Glaxo Inquiries Over China”, Christopher M. Matthews and Hester Plumridge reported that in late July “Glaxo received an anonymous email claiming its employees in Syria bribed doctors and pharmacists over the past five years to promote products including painkiller Panadol and toothpaste Sensodyne. The bribes took the form of cash payments, speaking fees, trips, free dinners and free samples, said the email, which was reviewed by The Wall Street Journal. The email cited names and dates. Syrian health officials allegedly received bribes from Glaxo employees to fast-track registration of its Sensodyne dental products, including cash payments and a trip to a 2011 conference in Rome, the email maintains. Glaxo employees also were involved in smuggling a narcotic product from Syria into Iran, the email alleges. The product in question, pseudoephedrine, is a raw ingredient of Glaxo’s congestion medicine Actifed.”

GSK once again reiterated its previously announced position that it was firmly against the payments of bribes by its employees. In response to the allegations of bribes paid in Syria the WSJ article said, “Glaxo said it would thoroughly investigate all claims made in the Syria email, and said it has asked the sender for more information. The company said it has zero tolerance for unethical behavior, adding, “We welcome people speaking up if they have concerns about alleged misconduct.”” Too bad GSK didn’t seek more information about its Chinese operations when the company’s internal investigation came up with no evidence of bribery and corruption.

Much more problematic for GSK is the fact that both the SEC and DOJ have opened formal investigations into allegations of bribery and corruption by the company. The WSJ piece notes, “Federal Bureau of Investigation agents have been interviewing current and former GlaxoSmithKline employees in connection with bribery allegations in China, according to a person familiar with the matter, as fresh claims of corruption surfaced against Glaxo’s operations in Syria. The interviews have taken place in Washington, D.C., in the past few months and are part of a Justice Department investigation into Glaxo’s activities in China, the person added. The U.S. Securities and Exchange Commission also is investigating the company’s business in China, according to people familiar with the matter.”

As readers of this blog will recall from previous posts, in 2012 GSK pled guilty and paid $3 billion to resolve fraud allegations and failure to report safety. The press release noted that the resolution was the largest health care fraud settlement in US history and the largest payment ever by a drug company for legal violations. The criminal plea agreement also included certain non-monetary compliance commitments and certifications by GSK’s US president and Board of Directors, which specifically included an executed five-year Corporate Integrity Agreement (CIA) with the Department of Health and Human Services, Office of Inspector General. The plea agreement and CIA included provisions which required that GSK implement and/or maintain major changes to the way it does business, including changing the way its sales force is compensated to remove compensation based on sales goals for territories, one of the driving forces behind much of the conduct at issue in the prior enforcement action. Under the CIA, GSK is required to change its executive compensation program to permit the company to recoup annual bonuses and long-term incentives from covered executives if they or their subordinates, engaged in significant misconduct. GSK may recoup monies from executives who are current employees and those who have left the company. Additionally, the CIA also required GSK to implement and maintain transparency in its research practices and publication policies and to follow specified policies in its contracts with various health care payors.

The importance of the CIA for this anti-corruption investigation is that it not only applied to the specific pharmaceutical regulations that GSK violated but all of the GSK compliance obligations, including the Foreign Corrupt Practices Act (FCPA). In addition to requiring a full and complete compliance program, the CIA specified that the company would have a Compliance Committee, to include the Compliance Officer and other members of senior management necessary to meet the requirements of the CIA; the Compliance Committee’s job was to oversee full implementation of the CIA and all compliance functions at the company. These additional functions required a Deputy Compliance Officer for each commercial business unit, Integrity Champions within each business unit and management accountability and certifications from each business unit. Training of GSK employees was specified as a key component. Further, the CIA specifically state that all compliance obligations applied to “contractors, subcontractors, agents and other persons (including, but not limited to, third party vendors)”.

GSK is now under investigation, either internally or by anti-corruption regulators across the globe in at least four countries. Unlike other companies that have found systemic issues of bribery and corruption or systemic failures in internal controls, the allegations of bribery and corruption are not 10-15 years old. So today we commemorate Nixon’s resignation; and for GSK it may simply mean just resignation.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 7, 2014

Continuous Improvement Of Your Compliance Program, Part II

7K0A0246Yesterday, I began a two-part series on continuous monitoring of your anti-corruption compliance program. In Monday’s post, I looked at the regulatory framework for such a requirement. In today’s conclude with some thoughts on how to continually improve and update your Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance regime and take a look again at how the regulators might view your program, in some quick, easy and pithy ways.

Anti-corruption, anti-bribery, anti-money laundering (AML) programs policies and procedures and even export control systems are seemingly in a constant state of evolution. Many companies are struggling with the challenge of implementing effective controls and monitoring risks across a spectrum that could include the three above listed compliance areas as well as others. One area that has evolved into a minimum best practices requirement for compliance is that of continuous monitoring.

While many companies will look at continuous monitoring as a software solution that can assist in managing risk, provide reporting metrics and, thereby, insights across an organization, it should be viewed more holistically. You will need to take many disparate systems, usually across a wide international geographic area, which may seem like an overwhelming process. Justin Offen, explained this in his article, entitled “Mission Impossible? Six steps to continuous monitoring”, where he detailed a six-point program to ensure that your “CM solution doesn’t become part of the problem” rather than a solution.

  1. Know your global IT footprint. It is important to understand how continuous monitoring will be incorporated into your company’s overall IT strategy as well as your compliance strategy. This advocates that this inquiry begins with understanding what your current IT structure is and what it is anticipated to be in 3 and 5 years. Once you identify your global IT footprint you can determine which system will be the best fit.
  2. Define scope and necessary resources. You should determine what your goal is, begin by identifying your needs and then prioritize them. You should perform a risk analysis and then rank the risks. Next, you need to understand the amount of talent you have in your organization, identify who can implement and work with the system and determine your budget, which may need to be increased based upon your need for outside experts and unknown contingencies.
  3. Conduct a pilot or proof of concept. A phased rollout can be used as a proof of concept, which can yield greater functioning efficiency throughout your entire program implementation. It should also allow you to chalk up an early success to present to the inevitable nay-sayers in your organization.
  4. Decrease false positives. This is important because improper or incomplete testing may well lead to a larger amount of false positives which you are required to evaluate and clear. From each test, you can further refine your continuous monitoring solution to the specific needs of your organization and increase time and efficiency in your overall continuous monitoring program.
  5. Establish your escalation protocol. You should establish a response protocol when an exception or Red Flag arises. This protocol should include an escalation protocol if the Red Flag suggests that it is warranted or additional investigation determines a wider problem exists. This protocol should include specific individuals and departments that need to be notified, the makeup of your initial and secondary triage team and the accountability for each person in the process, all the way up to the Board.
  6. Demonstrate control through case management. This demonstrates once again the maxim of Document, Document and Document. You need to be ready to “respond with appropriate documentation of any transaction that’s been reviewed, showing the level of review and any additional steps taken.”

The benefits of such a continuous monitoring program are significant; the creation of documentation that can lead to a ‘ready response’ by a company to an issue before it becomes a larger problem, coupled with the ability to recall all steps and information when a regulator comes knocking. Internally, using the pilots or proofs of concepts, the compliance department can bring in other stakeholders to see the value of continuous monitoring within the organization.

You Have a Strategic Plan – Now What Do You Do?

Have you thought about your anti-corruption through the lens of a strategic plan? If not, you might want to use the formulation proffered by Bruce Rector, in an article entitled “Strategic planning needs constant follow-up to be successful”. Recognizing that a strategic plan can serve as guide for your company going forward, it must actually be utilized to garner any use out of it. I believe that the steps he lays out translate, without difficulty, into steps a compliance officer can take to meet the suggestion laid out by Offen above.

  • Review the Goals of the Strategic Plan. This requires that you arrange a time for the Chief Compliance Officer (CCO) and team to review the goals of the Strategic Plan. To the extent possible this should be done in person. The CCO should lead a discussion of the Strategic Plan and determine how this goal in the Plan measures up to its implementation in your company.
  • Design an Execution Plan. The “Keep it Simple Sir” or KISS method is the best to move forward. This would suggest that for each compliance goal, there should be a simple and straightforward plan to ensure that the goal in question is being addressed. Any such plan must be specific with clear goals for all involved, with tasks handed out, deliverables defined and a definite timeline for delivery.
  • Put Accountabilities in Place. In any plan of execution, there must be accountabilities attached to them. Simply having a time line is not enough. This means that the persons tasked with the responsibility of performing the tasks be clearly identified, by both the individual so tasked and the actual task they are assigned to complete. Accountability requires that there be follow-up to confirm that these targets are met. This requires the CCO or other senior compliance department representative to put these in place and then mandate a report requirement on how the task assigned is being achieved.
  • Schedule the Next Review of the Plan. There should be a regular review of the process. While noting that this may seem time consuming, this means the group responsibility gets into a regularity, which will assist the process moving forward more smoothly. It also allows any problems which may arise to be detected and corrected more quickly than if meetings are held at a less frequent basis.

It is a function of the CCO to reinforce the vision and goals of the compliance function, where assessment and updating are critical to an ongoing best practices compliance program. If you follow this protocol, you will put a mechanism in place to demonstrate your company’s commitment to compliance by following through on intentions as set forth in your strategic plan.

The Regulators Perspective

What does an effective compliance program look like? Over the years, we have heard various formulations of inquiries that regulators might use when reviewing a compliance program. While not exactly a review of a compliance protocol, one of my favorites is what I call McNulty’s Maxims or the three questions that former United States Deputy Attorney General, and Baker & McKenzie LLP partner, Paul McNulty said were three general areas of inquiry the he would assess regarding an enforcement action when he was at the DOJ. They are: first: “What did you do to stay out of trouble?” second: “What did you do when you found out?” and third: “What remedial action did you take?”

Stephen Martin said that an inquiry he might make was along the lines of the following. First he would ask someone who came in before the DOJ what the company’s annual compliance budget was for the past year. If the answer started with something like, “We did all we could with what we had ($100K, $200K, name the figure), he would then ask, “How much was the corporate budget for Post-It Notes last year?” The answer was always in the 7-figure range. His next question would then be, “Which is more business critical for your company; complying with the FCPA or Post-It Notes?” Unfortunately, it has been Martin’s experience that most companies spent far more on the Post-It Notes than they were willing to invest in compliance.

Andrew Ceresney, Director of the Division of Enforcement of the SEC, speaking at Compliance Week 2014, said that he has “found that you can predict a lot about the likelihood of an enforcement action by asking a few simple questions about the role of the company’s legal and compliance departments in the firm.” He then went on to detail some rather straightforward questions that he believes could show just how much a company is committed to having a robust compliance regime.

  • Are legal and compliance personnel included in critical meetings?
  • Are their views typically sought and followed?
  • Do legal and compliance officers report to the Chief Executive Officer (CEO) and have significant visibility with the board?
  • Are the legal and compliance departments viewed as an important partner in the business and not simply as support functions or a cost center?

Near the end of his presentation, Cerensey said that “Far too often, the answer to these questions is no, and the absence of real legal and compliance involvement in company deliberations can lead to compliance lapses, which, in turn, result in enforcement issues. When I was in private practice, I always could detect a significant difference between companies that prioritized legal and compliance and those that did not. When legal and compliance were not equal partners in the business, and were not consulted as a matter of course, problems were inevitable.”

McNulty’s Maxims, Martin’s question on budget and now Cerensey’s questions all provide significant guideposts to how regulators think about FCPA compliance programs. For me, I think the point is that companies which actually Do Compliance are easy to spot. For all the gnashing of teeth about how hard it is to comply with what the DOJ and SEC want to see in FCPA compliance, when the true focus can be distilled into whether a company actually does compliance as opposed to saying how ethical they are, I think it simplifies the inquiry and the issues senior management and a Board of Directors really needs to pay attention to.

Continuous improvement through continuous monitoring or other techniques will help key your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. You need to build in a way to keep pace with both market and regulatory changes to have a truly effective anti-corruption compliance program. The Guidance makes clear that the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improve­ment and sustainability.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 6, 2014

Theme from Shaft and Continuous Improvement of Your Compliance Program, Part I

Isaac HayesThe composer of what I believe to be the absolute coolest movie theme ever was born on this date in 1942, Isaac Hayes. Hayes continually succeeded in many areas. In the 1960s it was with soul music on the great label Stax. In the 90s it was as the voice of Chef on the animated TV series South Park. But for my generation it was for the theme song, and indeed entire soundtrack, to the movie Shaft that I will always remember Hayes for. The success of that soundtrack led not only to nearly four more decades in the public eye, but as I will never forget sight of Isaac Hayes, playing shirtless in heavy chains and sunglasses as he performed the #1 pop single “Theme from ‘Shaft'” on national television the night he was awarded the Academy Award for Best Score.

How Hayes continued to reinvent of himself as a performer informs my blog posts over the next two days as I look at continuous improvement in your Foreign Corrupt Practices Act (FCPA) compliance program. Today, I will review the regulators view on continuous improvement and tomorrow I will provide some specific techniques that you can engage in to help satisfy this prong of the Ten Hallmarks of an Effective Compliance Program.

You should keep track of external and internal events that may cause change to business process, policies and procedures. Some examples are new laws applicable to your business organization and internal events driving changes within a company. Such internal changes could be a company reorganization or major acquisition. This type of review appears to be similar to the Department of Justice (DOJ) advocacy of ongoing risk assessments. The FCPA Guidance (Guidance) specifies, “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”

Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the Federal Sentencing Guidelines (FSG) call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

A review plan is an excellent tool for the compliance practitioner because it provides a method for the ongoing evaluation of policies and sets forth a manner to communicate and train on any changes that are implemented. More than simply staying current, this approach will help provide the dynamics that the DOJ continually talks about in keeping your program fresh. Lastly, such a review plan can also guide the compliance practitioner in creating an ongoing game plan for compliance program upgrades and updates that Stephen Martin advocates.

The Guidance makes clear that each company should assess and manage its risks and specifically notes that small and medium-size enterprises likely will have different risk profiles and therefore different attendant compliance programs than large multi-national corporations. Moreover, this is something that the DOJ and Securities and Exchange Commission (SEC) take into account when evaluating a company’s compliance program in any FCPA investigation. This is why a “Check-the-Box” approach is not only disfavored by the DOJ, but, at the end of the day, it is also ineffectual. It is because each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges.

One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information.

Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from AsiaPac, it may be time to conduct an audit of those operations to further investigate the issue.

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local Finance departments in your foreign offices to ask if they’ve noticed any accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries in which they manage. These ongoing efforts demonstrate that your company is serious about compliance.

The DOJ emphasized again with the 2011 Pfizer Deferred Prosecution Agreement (DPA), the need for a company to establish protocols for auditing. It included the following detail on auditing protocols:

  • On-site visits by an FCPA review team comprised of qualified personnel from the Compliance, Audit and Legal functions who have received FCPA and anti-corruption training.
  • Review of a representative sample (appropriately adjusted for the risks of the market) of contracts with and payments to individual foreign government officials as well as other high-risk transactions in the market.
  • Creation of action plans resulting from issues identified during the proactive reviews; these action plans will be shared with appropriate senior management and should contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations.
  • A review of the books and records of a sample of third party representatives that, in the view of the FCPA proactive review team, may present corruption risk. Prior to such an investigation, however, the company should have procedures in place to make sure every investigation is thorough and authentic, including document preservation protocols, data privacy policies, and communication systems designed to manage and deliver information efficiently.

Tomorrow, I will review some specific steps you can take to meet these goals.

For your listening pleasure, close your eyes and listen to the Theme From Shaft, by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 5, 2014

Termination of a Third Party or Breaking Up Should Not Be Hard To Do

7K0A0223One of treats each month for the compliance professional is reading the GRC Illustrated column by Carole Switzer, President of the Open Compliance and Ethics Group (OCEG), in the Compliance Week magazine. Not only does Switzer write a highly informative and useful column but she also includes two standard features. The first is an illustrated guide that lays out visually her counsel and the second is that she also includes interviews from a Roundtable of compliance industry participants. In the July edition Switzer discussed an issue that brings much gnashing of teeth to both compliance practitioners, lawyers from the legal department and business folks alike; the situation where you must terminate a third party relationship.

In the article, entitled “Breaking Up Is Hard To Do”, Switzer relates how ‘to avoid pain by planning for the end of a third party relationship’, together with an illustrated diagram of “Third Party Risk Management in Financial Service”; she couples these with a Roundtable on “Financial Sector Third Party Risk” with participants Walter Hoogmoed, Jr., a Principal at Deloitte, Marie Patterson, VP-Marketing at Hiperos, and Billy Spears, Chief Ethics, Privacy and Compliance Officer at Hyundai Capital America.

Switzer begins by noting that it all should begin with “an exit strategy, a transition plan or a pre-nup—whatever the title, it’s best to begin by planning for the end which, in the case of business at least, will always eventually come. Whether due to contract completion or material breach, turning over responsibility to another party, or abandonment of the contracted activity altogether, contract termination is an inevitable phase in the third-party relationship lifecycle.” Planning for the end is important because,  “The more long term and layered the relationship, the more difficult it will be to disentangle. The deeper the third party is embedded in and uses the confidential information of the company and its customers, the greater the risks presented by failing to design a smooth transition process.”

It should originate with clearly specified contract termination rights but that is only the starting point, “ To work out a smooth transition, the plan must also include internal change management processes and policies, designated transition team members, contingencies, and adequate resources and time allowances.” While speaking to risk from cyber-security, Switzer details some of the points for consideration. You should have clear procedures for “data retention or destruction, termination of access control for shared technology, and removal of system connectedness, including consideration of what fourth parties (your third party’s third parties) may have.” Your corporate values must be protected by “clearly designating the disposition of shared intellectual property and infrastructure assets.” Next you need to think through your transition plan by “ensuring rights to hire or continue use of key contractor employees who have been servicing your account, arranging to bringing new contractors or internal managers up to speed, and filing any regulatory or other required notifications.” Finally, bear in mind that your reputation must be protected during this transition process “by controlling and planning for issuance of public statements and social media postings by terminated contractors or their employees, or the best laid transition plans may be for naught.”

In the Illustrated component to her article, Switzer lays out a five-step integrated risk management process, which is a useful view of the entire cycle:

  1. Plan and Organize. Under this step you should develop a plan to evaluate the level and complexity of risk. Switzer suggests some of the things you should consider are the volume of business engaged in by the third party representative, the nature of the risks involved, the extent to which the third party representative will use sub-contractors and any required legal or regulatory approvals required for the geographic areas which the third party representative will conduct business with or for you.
  2. Perform Due Diligence. Here you should assess each third party’s compliance controls relative to the level of risk you have determined is present. Here the standard inquiries are such items as ultimate beneficial owners, anti-corruption compliance and risk management controls currently in place, incident management and reporting and conflicts of interest.
  3. Manage Contracts. This step involves the ongoing review and assessment of the contractual relationship. If new or greater risks arise and they have not been previously addressed, you may need to add new contract terms to address them going forward. In addition to your standard anti-corruption compliance terms and conditions, you should have key performance indicators (KPIs), confidentiality terms and conditions and sub-contractor requirements.
  4. Conduct Ongoing Monitoring. Under this step, you need to “oversee and pro-actively monitor and review each third party relationship at a level commensurate with risk” and “ensure that issues are identified and appropriately escalated for remediation.”
  5. Manage Terminations. If required, you should follow your established plan for transition to ending the relationship and transitioning to another third party representative. You should also consider the need to “protect information, maintain smooth operations and protect reputation during the transition.”

In her Roundtable, Switzer received some very useful information from the participants in a couple of broad areas. The first was the use of sub-contractors by a company’s third party representatives, which Switzer articulated as ‘fourth parties’. Patterson commented that “If the third party is going to sub-contract work, the bank needs to ensure that the third party has adequate controls in place to assess and manage their sub-contractor risk and that the bank has the ability to terminate their relationship with the third party in the event there is an issue with the fourth party.” Hoogmoed emphasized the ‘interdependences’ of the relationships. He said that “contract provisions should be enhanced for clarity of controls and liability, approvals for serial outsourcing should be implemented, and selective testing for fourth/fifth parties should be considered.” Spears pointed not only to due diligence but also strong contract terms as a key to the management of this issue, “Due diligence coupled with a strong legal contract team are crucial. It is very important to develop a minimum standard, in the contract with the third party, to ensure that the third party only does business with fourth parties that meet the first-party requirements… The provisions should include that no sharing beyond a fourth party is allowable. The last critical point of this is to ensure that the first party adds a mechanism for accountability. This mechanism is what prevents this from becoming a rabbit hole.”

Switzer ended the Roundtable by asking what was the most important part about third party risk management? Spears pointed that “having a solid plan for setting the tone with third parties is the key.” From Hoogmoed’s perspective, it all begins with understanding on risk, or as the FCPA Guidance intones, it all begins with a risk assessment. He said, “Developing some advanced risk tiering and assessment methods will help organizations focus their limited resources on managing the risk, compliance, and controls on the most critical/highest risk relationships. Engaging senior management in the risk analysis and reporting is also very important to balance the appropriate level of risk taking with the costs and investments necessary for the business.” Patterson took a different approach focusing on the feedback that Hiperos has received from their customers, and said, “the most important aspects of the recent guidance all deal with impact. The scope of the guidance has been broadened, both in terms of the expansion of what a “critical” activity is and the redefinition from vendor to third party. The importance of these obligations has been elevated with the explicit inclusion of the board at a much deeper level than previously, and the requirement for independent audit to be involved. And finally, the effort has been expanded significantly to include the entire lifecycle of third party management from planning through termination and every step in between.”

As usual, Switzer’s monthly column provides solid information to the compliance practitioner about what you need to know to inform your compliance regime. This month is no different. Although rarely written about, the termination of a third party relationship can be as important a step as any other in the management of the third party lifecycle. While having the contractual right to terminate is a good starting point, it is only the starting point. You not only need to have a compliance and legal plan in place but a business plan in place as well. For if you do not, you may well find yourself in the same place that Switzer started her article, quoting Neil Sedaka that “Breaking Up Is Hard To Do.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 4,591 other followers