FCPA Compliance and Ethics Blog

June 19, 2013

What is Board Responsibility For Compliance?

Ed. Note: This article was originally posted on the FCPA Professor.

The nightmare of every corporate director is to wake up and find that the company on whose Board he or she sits is on the front page of the New York Times (NYT) for alleged illegal conduct. This nightmare came true for the Directors of Wal-Mart when the New York Times, in an article entitled “Vast Mexico Bribery Case Hushed Up by Wal-Mart After Top-Level Struggle”, alleged that Wal-Mart’s Mexican subsidiary had engaged in bribery of Mexican governmental officials and that the corporate headquarters in Bentonville, Arkansas, had covered up any investigations into these allegations.

Recently the NYT reported that shareholders were asking questions of the Wal-Mart Board regarding its response to these allegations. In a story entitled “More Dissent in a Store Over Wal-Mart Bribery Scandal”, Stephanie Clifford reported that Wal-Mart shareholders are still asking questions of the Board regarding its role in the ongoing scandal. Some of these questions include “whether the company is holding current and former executives financially responsible for breaching company policies” and concerns about the company’s supply chain vendors. This shareholder dissatisfaction led several groups of large shareholders to indicate that they would vote against the company’s current Board of Directors at its annual shareholder meeting.

Clifford quoted from a report by Institutional Shareholder Services (ISS), a proxy advising firm, which said that investors have also complained about “being in the dark about the nature and extent of the alleged violations (and knowledge of them within the company)” and the company’s “timetable for completion of its investigation and disclosure of its results”. There were also questions raised about the remediation efforts of Wal-Mart. The ISS report went on to add that “Shareholders should vote against these directors to send a clear message to the board that such poor oversight does not come without repercussions.”

The publicity and costs to Wal-Mart have been well documented. The FCPA Professor has consistently stated that he views this scandal as largely a failure of corporate governance. In a post entitled, “Wal-Mart One Year Later” he said, “Corporate governance, or lack thereof, is what made the NY Times April 2012 remarkable.  This is the reason why Wal-Mart generated all the buzz it did a year ago this week and I’ve consistently held the view that the Wal-Mart story is a corporate governance sandwich with the FCPA as a mere condiment.” I thought about the Professor’s observations on this failure in light of Clifford’s article and wondered what the Board’s legal obligations might be.

I. Some Case Law

As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, one can look to Delaware corporate law for guidance. The case of In Re Caremark International Inc. Derivative Litigation 698 A.2d 959 (Del.1996) was the first case to hold that a Board’s obligation “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.” The Corporate Compliance Blog, in a post entitled “Caremark 101”, said that the Caremark case “addressed the board’s duty to oversee a corporation’s legal compliance efforts. As part of its duty to monitor, the Board must make good faith efforts to ensure that a corporation has adequate reporting and information systems. The opinion described this claim as “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment,” with liability attaching only for “a sustained or systematic failure to exercise oversight” or “[a]n utter failure to attempt to ensure a reporting and information system.”

In the case of Stone v. Ritter 911 A.2d 362, 370 (Del. 2006), the Supreme Court of Delaware expanded on the Caremark decision by establishing two important principles. First, the Court held that the Caremark standard is the appropriate standard for director duties with respect to corporate compliance issues. Second, the Court found that there is no duty of good faith that forms a basis, independent of the duties of care and loyalty, for director liability. Rather, Stone v. Ritter holds that the question of director liability turns on whether there is a “sustained or systematic failure of the board to exercise oversight – such as an utter failure to attempt to assure a reasonable information and reporting system exists.”

Andrew J. Demetriou and Jessica T. Olmon, writing in the ABA Health Esource blog, said that “This standard aims to protect shareholders by ensuring that corporations will adopt reasonable programs to deter, detect and address violations of law and corporate policy, while absolving the Board from liability for corporate conduct so long as it has exercised reasonable responsibility with respect to the adoption and maintenance of a compliance and reporting system. Although the standard protects the Board, consistent with most jurisprudence under the business judgment rule, it also requires that the Board follow through to address problems of which it has notice and this may include adopting modifications to its compliance program to address emerging risks.”

Lastly, I recently heard Jeff Kaplan discuss the oversight obligations of the Board regarding the compliance function. In addition to the above cases, he discussed the case of Louisiana Municipal Police Employees’ Retirement System et al. v. David Pyott, et al., 2012 WL 2087205 (Del. Ch. June 11, 2012) (rev’d on other grounds, No. 380, 2012, 2013 WL 1364695 (Del. Apr. 4, 2013)), which was a shareholder action that went forward against a Board based upon a claim that the Board knew of compliance risk based on the company’s business plan. The Delaware Court pointed out the possibility that “The appearance of formal compliance cloaked the reality of noncompliance, and directors who understood the difference between legal off-label sales and illegal off-label marketing continued to approve and oversee business plans that depended on illegal activity.” Kaplan believes that this case, more generally, supports the need for risk-based oversight by the board.

II. FCPA Guidance and US Sentencing Guidelines

A Board’s duty under the Foreign Corrupt Practices Act (FCPA) is well known. In the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) FCPA Guidance, under the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first in Hallmark No. 1, entitled “Commitment from Senior Management and a Clearly Articulated Policy Against Corruption”, states “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3 entitled “Oversight, Autonomy and Resources”, where it discusses that the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The DOJ’s Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment?

Board failure to heed this warning can lead to serious consequences. David Stuart, a senior attorney with Cravath, Swaine & Moore LLP, noted that FCPA compliance issues can lead to personal liability for directors, as both the SEC and DOJ have been “very vocal about their interest in identifying the highest-level individuals within the organization who are responsible for the tone, culture, or weak internal controls that may contribute to, or at least fail to prevent, bribery and corruption”. He added that based upon the SEC’s enforcement action against two senior executives at Nature’s Sunshine Products, “Under certain circumstances, I could see the SEC invoking the same provisions against audit committee members—for instance, for failing to oversee implementation of a compliance program to mitigate risk of bribery”. It would not be a far next step for the SEC to invoke the same provisions against audit committee members who do not actively exercise oversight of an ongoing compliance program.

There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. It appears that the SEC desires Boards to take a more active role in overseeing the management of risk within a company. The SEC has promulgated Regulation SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company, which fails to make it, to fines, penalties or profit disgorgement.

From the Delaware cases, I believe that a Board must not only have a corporate compliance program in place but actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. The specific obligations set out regarding the FCPA drive home these general legal obligations down to the specific level of the statute.

The Wal-Mart case has driven home the need for focused Board of Directors oversight of a company’s compliance program.  But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward. If the Wal-Mart Board had fulfilled its legal obligations regarding compliance, the company might not have found itself on the front page of the New York Times.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

June 14, 2013

Lunch with the FCPA Compliance & Ethics Blog – Phil Wedemeyer and the Audit Perspective in Compliance

One of my weekend reading pleasures is the Saturday section in the Financial Times (FT) entitled “Lunch with the FT”. Each week, this column features an interview with a leading cultural or business figure. In addition to an excellent interview with fascinating people, the column discusses the food served and lists the prices of all items purchased. The column is so smartly done that even the Men In Blazers talk about it in their weekly podcasts on all things soccer.

Since imitation is the most sincere form of flattery, today I will inaugurate a “Lunch with FCPA Compliance and Ethics Blog” series of posts. While it will not be a weekly feature, nor will I detail the costs for lunch, I will commit to you that the cost will be in line with that of a Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance program business entertainment lunch. My inaugural guest is Phil Wedemeyer, who is a retired former partner of a Big Five accounting firm (when there was a Big 5) and the former Director of the Office of Research and Analysis at the Public Company Oversight Accounting Board, and who currently sits on the Board of Directors of two corporations: one public, where Phil is the Chairman of the Audit Committee, and one private. As you might guess from someone with such a professional background, Phil tends to view things through the prism of an audit perspective.

This week Phil and I sat down for a couple of Houston’s finest cheeseburgers to catch up. Phil asked me what might be happening on the FCPA front and I told him that I thought the news about the National Security Agency (NSA) information collection programs was going to make the job of the compliance practitioner more difficult. Many of America’s allies are up in arms over not only the collection of information but the revelation that such collection of information can be used in monitoring FCPA compliance across the globe. I think this will mean that companies will face greater data privacy laws and have more difficulty not only getting information out of foreign countries and into the US for evaluation but even in collecting types of data and information.

Great Board Oversight Required?

Phil had another take on it, which I found equally interesting. He questioned whether this information about the US government could put an additional burden not only on the compliance practitioner but also on a board of directors. When I asked him what he meant by this, he asked: if a company had reliable information that the US government was employing oversight techniques to search for evidence of bribery and corruption (or non-compliance with other laws or regulations) beyond more traditional law enforcement techniques (e.g., whistleblowers, self-disclosure and competitor reporting), should this cause that company to increase its oversight of compliance with the FCPA? In particular, more comprehensive government monitoring activity could increase the chances of discovery of the types of illegal activities at lower levels of the company whose detection is one of the primary objectives of whistleblower procedures and that may not always be known to upper level management. Further, if so, would this change in risk put a director on notice that they need to perform additional oversight of the compliance function?

Transaction Analysis

Phil also inquired about any trends that I might have seen over the past six to 12 months on FCPA enforcement. I told him that one of the things I have seen is the introduction of transaction monitoring, beginning with the Morgan Stanley declination. I then discussed the Eli Lilly enforcement action and particularly the bribery scheme used in Poland where charitable contributions were made to a charity run by the head of a provincial health service. This led to sales spiking in that province rather dramatically. These cases, and some others, have led me to advocate that companies engage in transaction monitoring from the compliance perspective to identify any anomalies.

Phil’s observation here was once again based on his auditing background. He said that, in considering variations in operating results as a director, he asks two questions of management: What happened and how do you know? In answering these questions, it is clearly important that management understands the business cause of significant sales increases and that there could be other issues involved in the situation that may require consideration by the compliance practitioner. Phil thought analysis of variations needs to occur at the level at which the sales increase was material. As an example, he conjectured that, in the Lilly scenario, such a sales spike would likely not be material to the company’s consolidated financial statements or, for that matter, to the European business unit. However, such a sales increase would most probably be material for the country of Poland and certainly for the province in which the sales increase occurred.

Once the material level is determined, direct questions should be asked and answered at that level. Explanations of a sales increase as being the result of the appointment of a new head of business development or a more aggressive sales manager should not simply be taken at face value. Questions such as what techniques were used, what the marketing spend was, how much was spent on business entertainment or other specific categories, and whether charitable donations were made to any non-core business charities might help to get at the true underlying reason for a sales spike. Further, a company should review its findings in subsequent periods for confirmation. So, for example, if a sales increase legitimately appears to be due to the efforts of a new person in the territory or region, is that same increase sustained in later periods? The answer to such a question might identify red flags indicating the need for further review.

One of the key things that I learned from my lunch is the need for the compliance practitioner to talk to other non-compliance professionals to get their perspectives on how they view issues. So, just as I had lunch with Phil Wedemeyer, you could take out the head of your internal audit group for a lunch and chat; or HR; or IT. The list of possibilities is lengthy. I hope that you have enjoyed my inaugural Lunch with the FCPA Compliance and Ethics Blog as much as I have enjoyed bringing it to you.


June 13, 2013

Why Can’t We Be Friends? Compliance and HR

I have long been an advocate of the compliance function working with the Human Resources (HR) function in any company to help achieve greater compliance under anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act. I think that HR is uniquely situated to ‘connect the dots’ in many areas of compliance. My thoughts on this subject were echoed in the June issue of Compliance Week Magazine, in an article by Jaclyn Jaeger entitled “How Compliance and HR Can Get It Together”. Jaeger quoted Alex Weisgerber for the following, “Boards are increasingly asking their executive teams to identify and address major people risks.” He further stated that “The HR-compliance partnership can help anticipate this request and set the organization’s human capital risk management agenda proactively.”

However, Jaeger wrote that in some companies this cooperation towards the goal of greater compliance has been found to be lacking. There may be several factors which lead to a more asymmetrical approach by these functions, particularly due to “gaps in communication and collaboration between compliance and HR.” She quoted Weisberger that “The two groups simply haven’t found many opportunities to collaborate in supporting organizational performance.” While I disagree with this statement, Jaeger’s article does detail some of the steps the compliance practitioner can take to bring these two corporate functions into alignment.

Jaeger quotes Shanti Atkins, for the following, “The first challenge to overcome is the “deeply held stereotypes that legal, compliance, and HR typically have of each other.” It’s important to talk about those if we are to get past them.” But perhaps more important is the notion held in many legal departments and compliance functions that “the HR function is not a strategic player in the company—that its central function is to manage paperwork, schedule training sessions, and mediate mundane spats such as who hogs the best space in the parking lot.”

As mentioned above, I have long advocated that HR is uniquely situated to connect the dots and, along this line of thought, Jaeger wrote that “Getting employees to function as a coherent, engaged unit has to do with people, not policies—and people issues are exactly where HR excels, of course. HR has its finger on the pulse of employee culture, Atkins says because it is the primary channel employees use to complain when there is a problem—and those problems are usually a warning sign of wider compliance-related issues.” What are some of the areas that HR can assist the compliance function with? I believe that there are five key areas. They include the following.

Training

A key role for HR in any company is training. This has traditionally been in areas such as discrimination, harassment and safety, to name just a few, and based on this traditional role of HR in training this commentator would submit that it is a natural extension of HR’s function to expand to the area of FCPA compliance and ethics. There is a training requirement set forth in the US Sentencing Guidelines. Companies are mandated to “take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.”

Employee Evaluation and Succession Planning

What policy does a company take to punish those employees who may engage in unethical and non-compliant behavior in order to meet company revenue targets? Conversely, what rewards are handed out to those employees who integrate such ethical and compliant behavior into their individual work practices going forward? One of the very important functions of HR is assisting management in setting the criteria for employee bonuses and in the evaluation of employees for those bonuses. This is an equally important role in conveying the company message of adherence to a FCPA compliance and ethics policy. In addition to employee evaluation, HR can play a key role in assisting a company to identify early on in an employee’s career the propensity for compliance and ethics by focusing on leadership behaviors in addition to simply business excellence. If a company has an employee who meets, or exceeds, all his sales targets, but does so in a manner which is opposite to the company’s stated FCPA compliance and ethics values, other employees will watch and see how that employee is treated. Is that employee rewarded with a large bonus? This requirement is codified in the Sentencing Guidelines with the following language, “The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.”

Hotlines and Investigations

One of the requirements for a company under the Sentencing Guidelines is that they “… have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.” This requirement is met by having a hotline. One of the traditional roles of HR in the US is to maintain a hotline for reporting of harassment claims, whether based on EEOC violations or other types of harassment. It is a natural extension of HR’s traditional function to handle this role.

Regarding investigations, HR can bring broad benefits to any FCPA compliance and ethics program through an efficient investigation process. It is recognized that a Legal or Compliance Department may wish to take over and complete an investigation process. However, HR can bring a consistency in both the process and any discipline which is imposed. Such consistency reinforces the senior management’s message of commitment by the company to FCPA compliance and ethics. Such a function by HR can lead to an understanding of emerging risks. Lastly, it may be that employees are more willing to speak up to HR and the building of trust can be utilized to assist in overall risk mitigation.

Background Screening

A key role for HR in any company is the background screening of not only employees at the time of hire, but also of employees who may be promoted to senior leadership positions. HR is usually on the front lines of such activities, although it may be in conjunction with the Legal Department or Compliance Department. This requirement is discussed in the Federal Sentencing Guidelines for Organizations (FSGO) as follows “The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.”

When the Government Comes Calling

While it is true that a company’s Legal and/or Compliance Department will lead the response to a government investigation, HR can fulfill an important support role due to the fact that HR should maintain, as part of its routine function, a hard copy of many of the records which may need to be produced in such an investigation. This would include all pre-employment screening documents, including background investigations, all post-employment documents, including any additional screening documents, compliance training and testing thereon and annual compliance certifications. HR can be critical in identifying and tracking down former employees. HR will work with Legal and/or Compliance to establish protocols for the conduct of investigations and who should be involved.

Lastly, another role for HR can be in the establishment and management of (1) an Amnesty Program or (2) a Leniency Program for both current and former employees. Such programs were implemented by Siemens during its internal bribery and corruption investigation. The Amnesty Program allowed appropriate current or former employees, who fully cooperated and provided truthful information, to be relieved from the prospect of civil damage claims or termination. The Leniency Program allowed Siemens employees who had provided untrue information in the investigation to correct this information for certain specific discipline. Whichever of these programs, or any variations, are implemented, HR can perform a valuable support role to Legal and/or Compliance.

Doing More with Less

While many practitioners do not immediately consider HR as a key component of a FCPA compliance solution, it can be one of the linchpins in spreading a company’s commitment to compliance throughout the employee base. HR can also be used to ‘connect the dots’ in many divergent elements in a company’s FCPA compliance and ethics program. The roles listed for HR in this series are functions that HR currently performs for almost any company with international operations. By asking HR to expand their traditional function to include the FCPA compliance and ethics function, a US company can move towards a goal of a more complete compliance program, while not significantly increasing costs. Additionally, by asking HR to include these roles, it will drive home the message of compliance to all levels and functions within a company; from senior to middle management and to those on the shop floor. Just as safety is usually message Number 1, compliance can be message Number 1A. HR focuses on behaviors, and by asking this department to include a compliance and ethics message, such behavior will become a part of a company’s DNA.

If your company does not integrate HR into several ongoing roles for FCPA compliance, I believe that it is high time you did so. Jaeger’s article points out several steps you can take to bring these two functions into greater collaboration. From my perspective, HR can be a valuable partner for compliance and one that you should begin to take advantage of now.


June 11, 2013

FCPA Enforcement as a Security Issue and Implications for the Compliance Practitioner

One of the things that has long puzzled me is what led to the significant rise in the enforcement of the Foreign Corrupt Practices Act (FCPA) beginning in the 2003-2004 time frame. One of the more consistent theories that I have heard proffered, by Dan Chapman, Dick Cassin, Alexandra Wrage and others, is that after 9/11, the Bush administration viewed corruption as a security issue. I admit that I was not totally sold on this theory until last week, when the FCPA Blog, in an article entitled “NSA spying also linked to FCPA enforcement”, reported that the National Security Agency (NSA) has engaged in economic espionage for the benefit of the United States and perhaps others. The FCPA Blog quoted a story from the American Spectator, entitled “Rise of the Surveillance State”, by James Bovard. One of the items which Bovard discussed is the program monikered ‘Echelon’, which he described as “a spy satellite system run by the National Security Agency along with the United Kingdom, Australia, New Zealand, and Canada. Echelon reportedly scans millions of phone calls, e-mail messages, and faxes each hour, searching for key words.”

Apparently this program is also used for FCPA enforcement. Bovard wrote that “A February report by the European Union alleged that Echelon has been used for economic espionage. Former CIA Director James Woolsey told a German newspaper in early March that Echelon collects “economic intelligence.” One example Woolsey gave was espionage aimed at discovering when foreign companies are paying bribes to obtain contracts that might otherwise go to American companies. Woolsey elaborated on his views in a condescending March 17 Wall Street Journal oped, justifying Echelon spying on foreign companies because some foreigners do not obey the U.S. Foreign Corrupt Practices Act. To add insult to injury, Woolsey noted there’s no reason for U.S. companies to steal backward Europe’s secrets.” Isn’t that a comforting thought when the US claims the Chinese are stealing secrets through computer hacking?

But what are the implications for the compliance professional? For a more Orwellian prediction, John Batchelor, in an article entitled “NSA Scandals: FCPA Compliance Game Changer?”, has this chilling prediction, “Currently it takes months or years to develop a solid FCPA case and most of those end up with fines and some type of penalty. Could that change to a new way of enforcement where the government targets a company, identifies corruption, gathers evidence, and instead of going through the motions, simply calls them to schedule a meeting, slapping a fine and a series of actionable tasks for the company in question? It’s not happening now, but that is a question.” It would seem to do away completely with the concept of due process, so I would discount this scenario as unlikely.

However, Batchelor does point out that such government oversight might well occur in countries which are known or perceived to be high risk for corruption. He says, “Under the FCPA we focus on anti-bribery, however, with our current emphasis on national security, I think there is a serious question to ask for any company that operates in high CPI areas where terrorist cells or money laundering outfits to terrorist cells operate.” From this premise, Batchelor poses several topical inquiries which you should consider now. They include: “How well do you know your agents? How well do you know their relationships? How well do you know the companies they are affiliated with? Are there red-flags that low-level DPL type screenings might not uncover?”

I believe that the revelations which came out last week will make the compliance professional’s job more difficult, but that difficulty may well be due to the backlash against not only the massive collections of data that the US government is obtaining through its surveillance programs but also the arrogance shown in statements like that of former CIA Director Woolsey quoted in the American Spectator article. I believe that there are three general areas which will negatively affect US compliance professionals.

First is the area of data access. Edward Luce, in a Financial Times (FT) article entitled “Obama has hurt himself and business over privacy”, said that the “US is losing credibility in its goal of trying to stop the internet from balkanizing into separate national frameworks.” While Luce discussed this in terms of the US criticism of “the great firewall of China”, a US investor might think about the Securities and Exchange Commission’s (SEC’s) struggle to get China to agree to allow auditors to provide data to the US consistent with US securities laws, or laws which the SEC enforces, such as the books and records component of the FCPA.

Second, what about data privacy? I think that the acknowledgement of the US surveillance programs will lead other countries to toughen up their data privacy requirements. This means that the compliance professional will be faced with an even more bewildering set of data privacy requirements to deal with to accurately assess a company’s compliance program. For the intelligence angle, Luce quoted Ira Hunt, the CIA’s chief technology officer, for the following, “Since you can’t connect the dots you don’t have…we fundamentally try and collect everything and hang on to it forever.” However, we now know that this surveillance also was used for other law enforcement issues such as enforcement of the FCPA. While foreign governments cannot legislate privacy as to the data collected by the US government, they certainly can do so vis-à-vis US companies doing business in their jurisdictions or home-domiciled foreign companies which are subject to the FCPA through a US subsidiary.

Indeed, this very issue is now in the forefront of EU-US trade negotiations. In another article in the FT, entitled “Data scandal clouds trade talks”, Hannes Swoboda, leader of the socialist members of the European Parliament, was quoted as saying, “With all the information that we’ve found out in the recent days about how easily the US spies on people’s private data I think it will be difficult for the Americans to oppose a strong data protection agreement.” The article notes that many of the rules proposed for EU data protection are opposed by US companies because “their business models would be damaged.”

Lastly, what about jurisdiction and the FCPA? Currently, if a banking transfer goes through the US banking system, FCPA jurisdiction attaches. While it has not yet been tested, several commentators have spoken about information which might be saved on servers based in the US. So what if information appears on Google or through a Google-search or on Facebook? Now take the next step and ask, if there is data mining, which strikes pay dirt, could that create or even portend jurisdiction?

As an American, I understand the need for enhancing security protocols after 9/11. It is an irritation, but only that, similar to taking off my shoes to go through security, all courtesy of Richard Reid, ‘the Shoe Bomber’. Further, these US government surveillance programs, which have been ongoing through both a GOP and Democratic administration, were authorized by an overwhelming majority of both houses of the US Congress and have judicial oversight. But many outside the US may not see the same needs and protections that I see in place. Luce said in his article, “Washington’s reassurances are irrelevant to the 3.4bn non-Americans who are online…But foreigners might not be comforted to learn that their privacy is protected by a secret US court, which is overseen by a select group of US lawmakers who are themselves sworn to secrecy.”

I think that the job of the compliance practitioner just got a lot tougher.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

June 6, 2013

We Say Good-Bye to the Secretary of Defense and Total Says Hello to Two Monitorships – Total Part III

Today I finalize my review of the Total SA (Total) Foreign Corrupt Practices Act (FCPA) enforcement action. However, before I do so, I would like to commemorate this date and one person who left us this week. The date is, of course, D-Day, June 6, 1944, which signaled the end of Nazi Germany, at least on the Western Front. There are fewer and fewer veterans of that invasion alive, so I ask that you honor them in your own way today. The person who left us this week was Deacon Jones, nicknamed the ‘Secretary of Defense’ and left end of the Los Angeles Rams’ vaunted ‘Fearsome Foursome’. For my money he was the greatest defensive end of all time and his unit’s name was also the greatest moniker given to any defense in the long history of pro football.

In addition to the minimum best practices compliance regime which Total agreed to institute, it agreed to two separate ongoing oversight programs. The first is under the Cease and Desist Order (the Order) entered into with the Securities and Exchange Commission (SEC) which mandates a Compliance Consultant. The second is an Independent Compliance Monitor, whose role is described in Attachment D of the Deferred Prosecution Agreement (DPA) with the Department of Justice (DOJ). What makes this arrangement unusual is that there are two oversight persons (or entities), with different focuses reporting to two separate agencies.

Compliance Consultant

The Compliance Consultant could be either (a) a French national; (b) a French law firm; or (c) a French accounting firm, and the term of the Compliance Consultant will be three years. The Compliance Consultant is mandated (the “Mandate”) to evaluate “the effectiveness of Total’s internal controls, record-keeping, and financial reporting policies and procedures as they relate to Total’s current and ongoing compliance with the books and records, internal accounting controls and antibribery provisions of the FCPA.”

The Compliance Consultant is required to prepare an initial report which is to be delivered to the Total Board and the relevant French Authority. This French Authority will transmit these annual reports to the SEC, consistent with French law. Total is required to accept and adopt all recommendations in the annual report within 120 days after receiving the report or object in writing to “any recommendations Total considers unduly burdensome, inconsistent with local or other applicable law or regulation, impractical, unduly expensive, or otherwise inadvisable.” The Compliance Consultant’s annual reviews for years 2 and 3 are designed to “(a) complete the review; (b) certify whether the compliance program of Total, including its policies and procedures, is reasonably designed and implemented to detect and prevent violations within Total of the anti-corruption laws; and (c) report on the Compliance Consultant’s findings…”

If the Compliance Consultant discovers “questionable or corrupt payments or corrupt transfers of property or interests may have been offered, promised, paid, or authorized by any entity or person within Total, or any entity or person working directly or indirectly for Total, or that related false books and records may have been maintained”, such conduct is to be reported to Total’s General Counsel (GC) or Audit Committee for further action. If such conduct is a significant violation of law, the Compliance Consultant is required to report it to the French Authority.

Independent Corporate Monitor

The Independent Corporate Monitor’s (Monitor) term is also for three years but the only requirement listed for the Monitor is that he or she has “demonstrated expertise in helping companies comply with the Foreign Corrupt Practices Act”. In addition to monitoring Total’s compliance with both US and French anti-corruption laws, the Monitor is to assess the effectiveness of the company’s internal controls, record keeping and financial reporting policies and procedures as they relate to the FCPA. Most interestingly, the Monitor is to make an assessment of the Total Board of Directors and the senior management’s commitment to and the effective implementation of the best practices compliance program as described in the DPA’s Attachment C (discussed in yesterday’s blog post).

Similar to the Compliance Consultant, the Monitor is required to prepare an initial report, “setting forth the Monitor’s assessment and recommendations reasonably designed to improve the effectiveness of Total’s program, policies and procedures for ensuring compliance with anti-corruption laws”. This report is also to be delivered to the Total Board and the relevant French Authority. This French Authority will transmit these annual reports to the DOJ, consistent with French law. Total is required to accept and adopt all recommendations in the annual report within 120 days after receiving the report or object in writing to “any recommendations Total considers unduly burdensome, inconsistent with local or other applicable law or regulation, impractical, unduly expensive, or otherwise inadvisable” and has the obligation to “propose in writing to the Monitor an alternative policy, procedure, or system designed to achieve the same objective or purpose.” The Monitor’s annual reviews for years 2 and 3 are designed to “(a) complete the review; (b) certify whether the compliance program of Total, including its policies and procedures, is reasonably designed and implemented to detect and prevent violations within Total of the anti-corruption laws; and (c) report on the Monitor’s findings…”

If the Monitor discovers “questionable or corrupt payments or corrupt transfers of property or interests may have been offered, promised, paid, or authorized by any entity or person within Total, or any entity or person working directly or indirectly for Total, or that related false books and records may have been maintained” such conduct is to be reported to Total’s General Counsel (GC) or Audit Committee for further action. If such conduct is a significant violation of law, the Monitor is required to report it to the DOJ or if such report is prevented under French law, then to the relevant French Authority, which can transmit the matter to the DOJ.

Discussion

At Compliance Week 2013, there were several panels which dealt with corporate monitorships. All of the panelists at the sessions made clear that it is quite a bit of work for a company to get through an external monitorship and something to be avoided if at all possible. While it may be difficult to know precisely why Total received not one but two monitors, it would appear that the company did not engage in the robust remediation efforts that several large US entities did while they were under investigation and before their FCPA matters were resolved. Eli Lilly, Parker Drilling and Pfizer all come to mind as companies which worked very hard during the pendency of their FCPA investigations to institute a best practices compliance program.

This would also seem to be a clear example of Paul McNulty’s Maxim No. 3 of “What did you do when you found out about it?” McNulty said this was the third question that he would pose to a company when he was at the DOJ. Once again, this thinking was echoed in the FCPA Guidance released last November, which said that three keys were to “prevent, detect and remediate” any FCPA violation.

On one final note, Bloomberg reported that the indicted Chief Executive Officer (CEO) of Total, whom the Paris Prosecutor has recommended, together with the company itself, face trial on corruption charges, denied that Total paid bribes for contracts. Christophe de Margerie was quoted as saying, “What we did wasn’t illegal according to French law,” on LCI television yesterday, “We didn’t pay bribes, we didn’t pay Iranian authorities. Our contracts weren’t illegal.” Total had no comment.


June 5, 2013

Return to the Baker’s Dozen in a Best Practices Compliance Program – Total Part II

Yesterday I reviewed the facts surrounding Total SA’s (Total) lengthy bribery scheme to win contracts in Iran. At this point, the settlement documents consist of the Deferred Prosecution Agreement (DPA), which was filed by the US Department of Justice (DOJ), and the Securities and Exchange Commission’s (SEC) Cease and Desist Order (the Order). Today begins a two-part discussion of Total’s obligations going forward under the settlement documents. In the DPA, there are two Attachments which speak to its ongoing obligations under its settlement with the DOJ. Attachment C is entitled “Corporate Compliance Obligations” and Attachment D is entitled, “Independent Corporate Monitor”. Today I will review the 13-point best practices compliance program in the context of lessons learned for the compliance practitioner going forward and tomorrow I will discuss the Monitor as required under the DPA and the Compliance Consultant as required under the Order.

The DPA and Total’s Corporate Compliance Obligations

The information included in Total’s Corporate Compliance Program provides the Foreign Corrupt Practices Act (FCPA) compliance practitioner with the most current components that the DOJ believes should be included in a FCPA compliance program. Hence, this information is a valuable tool by which companies can assess if they need to adopt new or modify their existing internal controls, policies, and procedures in order to ensure that their FCPA compliance program maintains: (a) a system of internal accounting controls designed to ensure that Total makes and keeps fair and accurate books, records, and accounts; and (b) a rigorous anti-corruption compliance code, standards, and procedures designed to detect and deter violations of the FCPA and other applicable anti-corruption laws. Total’s obligations are:

1.      Written Compliance Code. Total should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy should be memorialized in a written compliance code.

2.      Tone at the Top. The Company will ensure that its Board of Directors and senior management provides strong, explicit, and visible support and commitment to its corporate policy against violations of the anti-corruption laws and its compliance code.

3.      Anti-Corruption Policies and Procedures. Total should develop and promulgate compliance standards and procedures designed to reduce the prospect of violations of the anti-corruption laws and the Company’s compliance code, and the Company should take appropriate measures to encourage and support the observance of ethics and compliance standards and procedures against foreign bribery by personnel at all levels of the company. These anti-corruption standards and procedures shall apply to all directors, officers, and employees and, where necessary and appropriate, outside parties acting on behalf of the Company in a foreign jurisdiction, including but not limited to, agents and intermediaries, consultants, representatives, distributors, teaming partners, contractors and suppliers, consortia, and joint venture partners (collectively, “agents and business partners”), to the extent that agents and business partners may be employed under the Company’s corporate policy. The Company shall notify all employees that compliance with the standards and procedures is the duty of individuals at all levels of the company. Such standards and procedures shall include policies governing:

  1. gifts;
  2. hospitality, entertainment, and expenses;
  3. customer travel;
  4. political contributions;
  5. charitable donations and sponsorships;
  6. facilitation payments; and
  7. solicitation and extortion

4.      Use of Risk Assessment. Total should develop these compliance standards and procedures, including internal controls, ethics, and compliance programs on the basis of a risk assessment addressing the individual circumstances of the Company, in particular the foreign bribery risks facing the Company, including, but not limited to, its geographical organization, interactions with various types and levels of government officials, industrial sectors of operation, involvement in joint venture arrangements, importance of licenses and permits in the company’s operations, degree of governmental oversight and inspection, and volume and importance of goods and personnel clearing through customs and immigration.

5.      Annual Review. Total should review its anti-corruption compliance standards and procedures, including internal controls, ethics, and compliance programs, no less than annually, and update them as appropriate, taking into account relevant developments in the field and evolving international and industry standards, and update and adapt them as necessary to ensure their continued effectiveness.

6.      Sr. Management Oversight and Reporting. Total should assign responsibility to one or more senior corporate executives of the Company for the implementation and oversight of the Company’s anti-corruption policies, standards, and procedures. Such corporate official(s) shall have direct reporting obligations to the Company’s Legal Counsel or Legal Director as well as the Company’s independent monitoring bodies, including internal audit, the Board of Directors, or any appropriate committee of the Board of Directors, and shall have an adequate level of autonomy from management as well as sufficient resources and authority to maintain such autonomy.

7.      Internal Controls. Total should ensure that it has a system of financial and accounting procedures, including a system of internal controls, reasonably designed to ensure the maintenance of fair and accurate books, records, and accounts to ensure that they cannot be used for the purpose of foreign bribery or concealing such bribery.

8.      Training. Total should implement mechanisms designed to ensure that its anti-corruption policies, standards, and procedures are communicated effectively to all directors, officers, employees, and, where necessary and appropriate, agents and business partners. These mechanisms shall include: (a) periodic training for all directors and officers, and, where necessary and appropriate, employees, agents, and business partners; and (b) annual certifications by all such directors and officers, and, where necessary and appropriate, employees, agents, and business partners, certifying compliance with the training requirements.

9.      Ongoing Advice and Guidance. The Company should establish or maintain an effective system for:

  1. Providing guidance and advice to directors, officers, employees, and, where necessary and appropriate, agents and business partners, on complying with the Company’s anti-corruption compliance policies, standards, and procedures, including when they need advice on an urgent basis or in any foreign jurisdiction in which the Company operates;
  2. Internal and, where possible, confidential reporting by, and protection of, directors, officers, employees, and, where necessary and appropriate, agents and business partners, not willing to violate professional standards or ethics under instructions or pressure from hierarchical superiors, as well as for directors, officers, employees, and, where appropriate, agents and business partners, willing to report breaches of the law or professional standards or ethics concerning anticorruption occurring within the company, suspected criminal conduct, and/or violations of the compliance policies, standards, and procedures regarding the anticorruption laws for directors, officers, employees, and, where necessary and appropriate, agents and business partners; and
  3. Responding to such requests and undertaking necessary and appropriate action in response to such reports.

10.  Discipline. Total should have appropriate disciplinary procedures to address, among other things, violations of the anti-corruption laws and the Company’s anti-corruption compliance code, policies, and procedures by the Company’s directors, officers, and employees. Total should implement procedures to ensure that where misconduct is discovered, reasonable steps are taken to remedy the harm resulting from such misconduct, and to ensure that appropriate steps are taken to prevent further similar misconduct, including assessing the internal controls, ethics, and compliance program and making modifications necessary to ensure the program is effective.

11.  Use of Agents and Other Business Partners. To the extent that the use of agents and business partners is permitted at all by the Company, it should institute appropriate due diligence and compliance requirements pertaining to the retention and oversight of all agents and business partners, including:

  1. Properly documented risk-based due diligence pertaining to the hiring and appropriate and regular oversight of agents and business partners;
  2. Informing agents and business partners of the Company’s commitment to abiding by laws on the prohibitions against foreign bribery, and of the Company’s ethics and compliance standards and procedures and other measures for preventing and detecting such bribery; and
  3. Seeking a reciprocal commitment from agents and business partners.

12.  Contractual Compliance Terms and Conditions. Total should include standard provisions in agreements, contracts, and renewals thereof with all agents and business partners that are reasonably calculated to prevent violations of the anticorruption laws, which may, depending upon the circumstances, include: (a) anticorruption representations and undertakings relating to compliance with the anticorruption laws; (b) rights to conduct audits of the books and records of the agent or business partner to ensure compliance with the foregoing; and (c) rights to terminate an agent or business partner as a result of any breach of anti-corruption laws, and regulations or representations and undertakings related to such matters.

13.  Ongoing Assessment. Total should conduct periodic review and testing of its anticorruption compliance code, standards, and procedures designed to evaluate and improve their effectiveness in preventing and detecting violations of anticorruption laws and the Company’s anti-corruption code, standards and procedures, taking into account relevant developments in the field and evolving international and industry standards.

Discussion

Interestingly, the Total DPA returns to the 13 point minimum best practices compliance regime that had been articulated by the DOJ prior to the FCPA Guidance. In the Non-Prosecution Agreement (NPA) sustained by Ralph Lauren in April, there was an 18 point compliance program set forth, which had all of the elements present in the Total compliance program plus one additional one which was a section relating to Ralph Lauren’s compliance obligations during mergers and acquisitions. However, I think that the gist is that Total’s compliance obligations supplement the Ten Hallmarks of an Effective Compliance Program set out in the FCPA Guidance.

For the compliance practitioner, the opportunity is to use either the Total DPA (or Ralph Lauren NPA) in conjunction with the Ten Hallmarks to evaluate your own compliance program. Both the Ten Hallmarks and the Total DPA/Ralph Lauren NPA discuss the need for annual evaluations of a compliance program. You need to assess where your program is in light of legal developments, compliance developments, new product or services offerings your company may have developed and any new geographic territories that present updated compliance risks for your company.


June 4, 2013

Total Switches to Settle Rather Than Fight

For anyone who grew up in the 1960s, I am sure that you remember the touchstone slogan for Tareyton cigarettes, “I’d rather fight than switch”. The television ad always showed someone with a black eye and a Tareyton cigarette in his or her fingers. I was reminded of that old advertising slogan last week when the US Department of Justice (DOJ) and Securities and Exchange Commission (SEC) both announced their settlement with the French energy giant TOTAL SA (Total), over its violation of the Foreign Corrupt Practices Act (FCPA).

It was the slogan’s inverse which gave me pause in reading about Total, for as recently as June 2012, the FCPA Blog asked, as the title of a blog post, “Will Total S.A. Fight Back?” In this post Dick Cassin, who reported that Total had been in discussion with the DOJ and SEC since 2010, said that the “French oil giant Total said it rejected ‘out-of-court settlement solutions’ with the DOJ and SEC that would end their longstanding FCPA investigations. And while Total said it is still talking with the agencies, it also said it’s free not to settle, ‘in which case it would be exposed to the risk of prosecution in the United States.’” Cassin explored some of the reasons that Total might rather fight than settle but at the end he noted, “What will happen now? A court battle would bring a deluge of scrutiny from the press and regulators around the world. At a minimum, that would imperil Total’s stock price and lead to years of litigation by aggrieved shareholders, customers, lenders, and other stakeholders. So settlement seems likely.”

So I guess Total decided that its interests mandated that it switch and settle rather than fight. What could have been the reasons for doing so? In this post, I will review some of the facts which may have led Total to settle, as set forth in the Criminal Information (Information) and the Deferred Prosecution Agreement (DPA), both of which were filed by the DOJ, and the SEC’s Cease and Desist Order (the Order). In tomorrow’s posting, I will discuss the lessons learned for the compliance practitioner.

Who Was Involved

As reported by both the FCPA Blog and the FCPA Professor, Total engaged in a nearly decade-long, breathtaking bribery scheme. In this scheme, Total paid approximately $60MM to an un-named Iranian Official of the National Iranian Oil Company (NIOC), who steered two major projects Total’s way. According to the FCPA Professor, in a post entitled “Total Agrees To Pay $398 Million To Resolve Its FCPA Scrutiny”, the Iranian Official in question was described in the Information as “the Chairman of an Iranian engineering company that was more than 90% owned by the Government of Iran and substantially controlled by the Government of Iran.” The Information further states that “from at least early 2001, the Iranian Official was the head of an Iranian organization concerned with fuel consumption, which was a wholly owned subsidiary of NIOC, and was a government advisor to a high-ranking Iranian official.”

The Projects

The projects were the Sirri A and E oil and gas fields and South Pars gas field. Total was granted concessions to these fields within days or weeks of inking contracts with the Iranian Official’s sham entity for receipt of the bribes. The original contract was between Total and “Intermediary 1” and was entitled “Umbrella Agreement.” The specific terms for payment were set out in a document which hung off this Umbrella Agreement, which was entitled, “Consulting Services Request”. Under this Consulting Services Request, Intermediary 1 was paid approximately $26MM over 2 years. Thereafter, another sham entity, “Intermediary 2” was set up and assigned the Umbrella Agreement by the parties. Intermediary 2 received its own “Consulting Services Request”, under which it received approximately $44MM in payments.

The Bribes

As I said, the bribe amounts were simply breathtaking. Below is the Bribery Box Score:

| Bribes Paid To | Contract(s) Under Which Bribes Were Paid | Date Bribe Paid | Bribe Amounts Paid (figures approx. based upon currency conversions) | Projects Awarded to Total Based Upon Bribes Paid |
|---|---|---|---|---|
| Intermediary 1 | Umbrella Agreement. Consulting Services Request 1: (a) $6MM; (b) $500K for expenses; (c) $25MM as capital X reached specified levels; (d) Amount = to 5% above cap X, if exceeded; and (e) % of revenue from sale of O&G developed from site. | 7-10-95 | $500K | July 13, 1997, Total awarded Sirri Fields A&E |
| | | 10-03-95 | $6.07MM | |
| | | 6-12-97 | $10MM | |
| | | 7-11-97 | $4.64MM | |
| Intermediary 2 | Umbrella Agreement transferred to Intermediary 2. Second Consulting Services Request 2: (a) $10MM; (b) $30MM as capital X reached specified levels; (c) payment of either (i) Amount = to 4% above cap X, if exceeded or (ii) $60MM; and (d) an additional $10MM. | 12-12-97 | $6.15MM | On Sept. 28, 1997 Total awarded Phases 2 & 3 of South Pars project |
| | | 8-28-98 | $4.18MM | |
| | | 9-1-98 | $4.18MM | |
| | | 6-9-99 | $1.89MM | |
| | | 3-17-03 | $9.3MM | |
| | | 11-29-04 | $7MM | |
| | | Additional Payments with no specified date | $7MM | |
| TOTAL AMOUNT OF BRIBES PAID | | | Approximately $60MM | |

The Charges

According to the FCPA Professor, the Information has the following about violations of the FCPA books and records provisions, “… Total knowingly falsified and caused to be falsified books, records, and accounts, required to, in reasonable detail, accurately and fairly reflect the transactions and dispositions of Total, to wit: Total (a) mischaracterized the unlawful payments under the various consulting agreements as ‘business development expenses’ and (b) improperly characterized the unlawful consulting agreements as legitimate consulting agreements.”

The Information also specifies the FCPA internal controls charges. They included:

“(a) failed to implement adequate anti-bribery compliance policies and procedures; (b) failed to maintain an adequate system for the selection and approval of consultants; (c) failed to conduct adequate audits of payments to purported consultants; (d) failed to establish a sufficiently empowered and competent corporate compliance office; (e) failed to take reasonable steps to ensure the company’s compliance and ethics program was followed; (f) failed to evaluate regularly the effectiveness of the company’s compliance and ethics program; (g) failed to provide appropriate incentives to perform in accordance with the compliance and ethics program; (h) concealed the consulting agreements’ true nature and true participants; (i) performed no due diligence concerning the named or unnamed parties to these agreements; and (j) lacked controls sufficient to provide reasonable assurances that the consulting agreements complied with applicable laws.”

The Penalties

In a blog post entitled “Total SA pays $398 million to settle U.S. bribe charges” the FCPA Blog reported that “In the fourth biggest FCPA case ever, French oil giant Total S.A. agreed Wednesday to pay $398 million in penalties and disgorgement for bribing an Iran official to gain access to oil and gas fields. Total will pay a criminal penalty to the DOJ of $245.2 million. It received a three-year deferred prosecution agreement that requires appointment of an independent compliance monitor. In its settlement with the SEC, Total will disgorge profits of $153 million.” For those of you keeping score at home that is Number 4 on the list of greatest FCPA fines in the history of the world AND Number 2 on the list of the biggest profit disgorgements in FCPA history. Something to be proud of, or perhaps not.

While the raw number of nearly $400MM does seem eye-catching, perhaps even more interesting is that the DOJ assessed a fine nearly at the bottom of the fine range. After the calculations were made under the US Sentencing Guidelines (USSG), there was a fine range of between a low end of $235.2MM up to $470.4MM. My curiosity here is based upon something NOT in the DPA, where the DOJ assessed Total’s conduct under the USSG ‘culpability score’. Under USSG §8C2.5 an organization can receive a reduction in its culpability score in three ways. First, the USSG provides for subtracting “three points from the organization’s culpability score if the organization had an effective compliance and ethics program as defined in §8B2.1 in place at the time of the offense.” Second, the culpability score can be reduced “by five points if the organization self-reported the offense to the appropriate governmental authorities, fully cooperated in the investigation, and clearly demonstrated recognition and affirmative acceptance of responsibility for its conduct.” If the organization did not self-report, but fully cooperated in the investigation, and accepted responsibility for its conduct, the culpability score is reduced by two points. Third, and finally, “if the organization did not self-report or cooperate, but clearly demonstrated recognition and affirmative acceptance of responsibility for its conduct, the culpability score is reduced by one point.” [citations omitted]

It would appear that while Total fully cooperated and recognized the error of its ways, it did not have nor put in place an effective compliance program. Also it would appear that Total did not self-report its FCPA violations. So I guess the question is: what did Total do to warrant receiving a fine near the bottom end of the possible range?

Jurisdiction

I find jurisdictional arguments to be similar to arguments about pregnancy. Just as one is not ‘a little bit pregnant’, there is not just ‘a smidgen of jurisdiction’. It either exists or it does not. The Information states that “Total owned a number of subsidiaries that conducted business in the United States. Total’s American Depository Shares were registered with SEC and traded on the New York Stock Exchange as American Depository Receipts (“ADRs”). Accordingly at all relevant times, Total was an “issuer” within the meaning of the FCPA.” Total also funded one of the bribe payments from an “account at Banker’s Trust in New York, New York.” Maybe Total was more than just ‘a little pregnant’.

So what could have led Total to switch to settling rather than fighting? Perhaps it finally understood that if you list your shares in the US, your company will be subject to US laws. And of course, do not bribe foreign governmental officials using money wired from US banks.

Or maybe, just maybe, Total decided it was in their corporate interests to settle rather than go to trial.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

June 3, 2013

Meet The Author – Best Practices Under the FCPA and Bribery Act Book Signing

As readers of this blog know, I recently published my second book, “Best Practices Under the FCPA and Bribery Act”. This book is designed to provide the compliance practitioner with solid information that can be used to implement, review and enhance a US Foreign Corrupt Practices Act (FCPA) or UK Bribery Act based compliance program. This volume is an attempt to provide the compliance practitioner with information that can be used for the ‘nuts and bolts’ of compliance. Using a format similar to the recent US Department of Justice (DOJ) and Securities and Exchange Commission (SEC) guide, “A Resource Guide to the U.S. Foreign Corrupt Practices Act. The Foreign Corrupt Practices Act (FCPA)” [the “Guidance”], I have included some of my thoughts on what you can do to create and maintain a best practices compliance program. I have also included some of my prior articles on how to create and maintain such a compliance program using the Six Principles of Adequate Procedures compliance regime under the UK Bribery Act.

This coming Thursday, June 6, from 5-7 PM, I will be signing copies of my book at the River Oaks Bookstore, 3270 Westheimer Rd, Houston, TX 77098. The phone number is (713) 520-0061. It is located directly across from Lamar High School on Westheimer. If you are in town, I hope that you can drop by, pick up a copy and allow me to sign it. If you cannot make it by, you can always order a copy on amazon.com. For information on the book and to order copies, click here.

May 27, 2013

Board Responsibility under the FCPA – A Herculean Task?

The nightmare of every corporate director is to wake up to find out that the company of the Board he or she sits on is on the front page of a national newspaper for alleged illegal conduct. This nightmare came true for the Directors of Wal-Mart when the New York Times (NYT), in an article entitled “Vast Mexico Bribery Case Hushed Up by Wal-Mart After Top-Level Struggle”, alleged that Wal-Mart’s Mexican subsidiary had engaged in bribery of Mexican governmental officials and that the corporate headquarters in Bentonville, Arkansas, had covered up any investigations into these allegations.

I. Legal Standard

What are the obligations of a Board member regarding the US Foreign Corrupt Practices Act (FCPA)? Are the obligations of the Audit Committee under the FCPA at odds with a director’s “prudent discharge of duties to shareholders”? Do the words prudent discharge even appear anywhere in the FCPA? Under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The US Department of Justice (DOJ) Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program?; and (2) Are Directors provided information sufficient to enable the exercise of independent judgment?

As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, one can look to Delaware corporate law for guidance. The case of Stone v. Ritter stands for the proposition that “a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate exists.” From the case of In re Walt Disney Company Derivative Litigation, there is the principle that directors should follow the best practices in the area of ethics and compliance.

Board failure to heed this warning can lead to serious consequences. David Stuart, a senior attorney with Cravath, Swaine & Moore LLP, noted that FCPA compliance issues can lead to personal liability for directors, as both the Securities and Exchange Commission (SEC) and DOJ have been “very vocal about their interest in identifying the highest-level individuals within the organization who are responsible for the tone, culture, or weak internal controls that may contribute to, or at least fail to prevent, bribery and corruption”. He added that based upon the SEC’s enforcement action against two senior executives at Nature’s Sunshine, “Under certain circumstances, I could see the SEC invoking the same provisions against audit committee members—for instance, for failing to oversee implementation of a compliance program to mitigate risk of bribery”.

II. When Things Get Bad

While generally the role of a Board should be to keep really bad things from happening to a Company, once really bad things have occurred the Board needs to take charge and lead the effort to rectify the situation or perhaps even save the company. While giving oversight to risk management through an Audit Committee or a Compliance Committee is a good first step, such a committee needs to have sufficient independence from the management which got the company into such hot water.

In a recent White Paper entitled “Risk Intelligence Governance – A Practical Guide for Boards”, the firm of Deloitte & Touche laid out six general principles to help guide Boards in the area of risk governance. These six areas can be summarized as follows:

  • Define the Board’s Role – There must be a mutual understanding between the Board, Chief Executive Officer (CEO) and senior management of the Board’s responsibilities.
  • Foster a culture of risk management – All stakeholders should understand the risks involved and manage such risks accordingly.
  • Incorporate risk management directly into a strategy – Oversee the design and implementation of risk evaluation and analysis.
  • Help define the company’s appetite for risk – All stakeholders need to understand the company’s appetite, or lack thereof, for risk.
  • How to execute the risk management process – The risk management process must maintain an approach that is continually monitored and has continuing accountability.
  • How to benchmark and evaluate the process – Systems need to be installed which allow for evaluation and modifying the risk management process as more information becomes available or facts or assumptions change.

All of these factors can be easily adapted to FCPA compliance and ethics risk management oversight. Initially, it is important that the Board receive direct access to information on a company’s policies on this issue. The Board must have quarterly or semi-annual reports from a company’s Chief Compliance Officer (CCO) to either the Audit Committee or the Compliance Committee. This commentator recommends that a Board create a Compliance Committee as an Audit Committee may be more appropriate to deal with financial audit issues. A Compliance Committee can devote itself exclusively to non-financial compliance, such as FCPA compliance. The Board’s oversight role should be to receive such regular reports on the structure of the company’s compliance program, its actions and self-evaluations. From this information the Board can give oversight to any modifications to managing FCPA risk that should be implemented.

There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. It appears that the SEC desires Boards to take a more active role in overseeing the management of risk within a company. The SEC has promulgated Regulation SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company, which fails to make it, to fines, penalties or profit disgorgement.

III. What the Board Wants to Know from Compliance

In an article in the May issue of Compliance Week Magazine, entitled “What the Board Wants to Know from Compliance”, author Joe Mont explored some of the issues he believes that a Board will want to know about their company’s compliance program. Mont quoted Michael Bramnick, senior knowledge leader for LRN, who said, “Boards really only want an answer to the question: ‘How do we know it is working?’” In other words, is a company’s compliance program living “up to the hallmarks of an effective compliance program in the eyes of the government.”

A. Questions About Process

Mont believes that Boards should “want more information on the processes to carry out the compliance function, rather than details on specific compliance issues”. He quotes Dennis Beresford, professor of accounting at the University of Georgia’s Terry College of Business, for the following: “Boards want to know that there is a single individual or project management office keeping track of all this stuff and making sure that it is being handled properly. They want the comfort of knowing that there is a system in place that keeps track of compliance requirements.”

B. Questions About Internal Reporting

Another area of Board interest is compliance hotlines. In this area, Mont believes that Boards desire “to know details about who answers the calls or e-mails that come in, how they are trained, if the process is outsourced, and assurances that the hotline is truly anonymous, with no use of caller-ID or GPS tracking. Other common questions from the board include: How are calls classified and routed? Who gets notified for what types of calls? How is the investigative process divided among various functions?” If the company hotline is used, this may show that “employees are comfortable enough to speak up and that, when they do, about good things or bad, they are listened to, there is follow-up, and trends are evaluated and reported back to them.”

C. Questions About Accountability

Responsibility is yet another topic that Mont believes Boards need to stay abreast on as “directors want more details on who’s responsible for what. Boards want assurance that the compliance function has developed a charter that makes it clear to them where obligations fall across management so it can assess accountability.” He quotes Bramnick who stated that “Effective boards let management do their job running the business on a day-to-day basis, and they understand that their job is to set long-term strategy,” he says. “It is not for them to be looking at every contract.”

D. Questions About Strategic Planning

Jaclyn Jaeger, writing in the December 2011 issue of Compliance Week Magazine, in an article entitled “Board Checklist: What Every Director Should Know”, wrote about a panel discussion at the Association of Corporate Counsel’s 2011 Annual Meeting. In the article she quoted panel participant Amy Hutchens, General Counsel and Vice President of Compliance and Ethics at Watermark Risk Management International, on the need for strategic planning by the Board. Hutchens believes that “a truly effective and informed board knows where the company stands not only at the present moment, but also has the strategic plan for how the compliance and ethics program can continue to grow.” Similarly, Stephen Martin, a partner at Baker and McKenzie, suggests that such knowledge is encapsulated in a 1-3-5 year compliance game plan. However, a compliance program should be nimble enough to respond to new information or actions, such as mergers or acquisitions, divestitures or other external events. If a dynamic changes, “you want to get your board’s attention on the changes which may need to happen with the [compliance] program.” Hutchens believes that such agility is best accomplished by obtaining buy-in from the Board through its understanding of the role of forecasting the compliance program going forward.

Mont quoted Bramnick that “Boards have really a Herculean task in today’s regulatory climate.” But more than simply the regulatory climate, shareholders are taking a much more active role in asserting their rights against Board members. It is incumbent that Boards seek out and obtain sufficient information to fulfill their legal obligations and keep their company off the front page of the New York Times, Wall Street Journal or Financial Times, just to name a few, to prevent serious reputational damage.


May 22, 2013

What Are The Essential Elements of a Corporate Compliance Program?

Can you synthesize and reconcile the world’s leading laws, regulations and commentaries on the best practices for an anti-bribery and anti-corruption compliance program? I recently saw one such approach by Paul McNulty and Stephen Martin of the law firm, Baker and McKenzie. They have developed what they term the five essential elements of a corporate compliance program. These five elements are based upon the best practices as set out in the seven elements of a corporate compliance program under the US Sentencing Guidelines; the 13 Good Practices by the OECD on Internal Controls, Ethics, and Compliance; the FCPA Guidance’s Ten Hallmarks of Effective Compliance Program and the UK Bribery Act’s Six Principles of an Adequate Procedures compliance program. The five elements are:

  • Leadership
  • Risk Assessment
  • Standards and Controls
  • Training and Communication
  • Oversight

I. Leadership

The point means more than simply “Tone-at-the-top”; a successful compliance program must be built on a solid foundation of ethics that are fully and openly endorsed by senior management. There should be an unambiguous, visible and active commitment to compliance. But even more than support or the right tone, compliance standards require that companies must have high-ranking compliance officers with the authority and resources to manage the program on a day-to-day basis. And compliance officers must have the ear of those ultimately responsible for corporate conduct, including the board of directors.

Some of the questions you might think about in connection with the leadership of your compliance program are the following: How is board oversight implemented? Is there an ethics or audit committee reporting to the full board? What is the role of the Chief Compliance Officer? What is the role of the General Counsel? How do the legal and compliance departments interact? Does the CCO have “real power”? Is she or he treated as a second-class citizen?

Equally the Board of Directors has a key role to fulfill. The Board must ensure compliance policies, systems and procedures are in place and it should monitor implementation and effectiveness of the compliance program:

  • Be actively involved
  • Attend Board meetings
  • Review, consider and evaluate information provided
  • Inquire further when presented with questionable circumstances or potential issues
  • Once the Board knows of a potential compliance issue it must act
  • Regularly receive compliance briefings and training

II. Risk Assessment

The implementation of an effective compliance program is more than simply following a set of accounting rules or providing effective training. Compliance issues can touch many areas of your business and you need to know not only what your highest risks are but where to marshal your efforts in moving forward. A risk assessment is designed to provide a big picture of your overall compliance obligations and then identify areas of high risk so that you can prioritize your resources to tackle these high risk areas first.

What are some of the areas where you need to assess your risks?

  1. Country Risk - What is the correlation between growth markets and corruption risk and what is the perceived level of corruption? In other words, the Transparency International Corruption Perceptions Index or similar list.
  2. Sector Risk - Has the government publicly stated that the industry is under scrutiny, or already conducted investigations in the sector? Are there corruption risks particular to the industry?
  3. Business Opportunity Risk - Is the business opportunity a high value project for your company? Are there multiple contractors or intermediaries involved in the bidding or contract execution phase?
  4. Business Partnership Risk - Does this business opportunity require a foreign government relationship? Does a foreign government require you to rely upon any third parties?
  5. Transaction Risk - Will your company be required to make any “compelled giving” through any requirements for political or charitable contributions? Are you required to use any intermediaries to obtain licenses and permits?

In addition to an initial risk assessment to either (1) inform your compliance program or (2) help you to identify high risks and prioritize their remediation, risk assessments should be a regular, systemic part of compliance efforts rather than an occasional, ad hoc exercise cobbled together when convenient or after a crisis. They should be conducted at the same time every year and performed by a consistent group, such as your internal audit department or enterprise risk management team. Such annual risk assessments act as a strong preventive measure if they are performed before something goes wrong as it avoids a “wait and see” approach.

III. Standards and Controls

Generally, every company has three levels of standards and controls. (1) Code of Conduct. Every company should have a Code of Conduct which should express its ethical principles. However, a Code of Conduct is not enough. (2) Standards and Policies. Every company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. (3) Procedures. Every Company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.

FCPA compliance best practices now require companies to have additional standards and controls, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on a piece of paper.

IV. Training

Another pillar of a strong compliance program is properly training company officers, employees and third parties on relevant laws, regulations, corporate policies and prohibited conduct. Simply conducting training usually is not enough. Enforcement officials want to be certain the messages in the training actually get through to employees. The Department of Justice’s (DOJ) expectations of effectiveness are measured by who a company trains, how the training is conducted and how often training occurs.

There are several key elements to training. First is that you need to train the right people. You must prioritize which audience to educate by starting your training program in higher risk markets and focus on directors, officers and sales employees who may have direct contact with government officials or deal with state-owned entities. Again, focus initially on training country managers in your company’s high-risk markets, then expand geographically and through the ranks of employees.

Second, in high risk markets and for high risk employees or third parties you should conduct live, annual training. Enforcement officials have made it clear that live, in-person training is the preferred method in high-risk markets and also that it should be regular and frequent. Another benefit of live training is the immediate feedback from employees that would be much less likely to occur during a webinar or other remote training. Lastly, during live training, employees are more likely to make casual mention of a potentially risky practice, giving you the opportunity to address it before it becomes a larger problem.

It is important that you pay attention to what employees say during training. This is because training can alert you to potential problems based on the type of questions employees ask and their level of receptiveness to certain concepts. For example, during training employees might ask specific questions about important compliance considerations such as their interactions with government officials or gift-giving practices. Such questions can raise red flags and uncover issues that should be reviewed and addressed quickly.

V. Oversight – including monitoring, auditing and responses

The issue your company should focus on here is whether employees are staying with the compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are adhering to the compliance program. These ongoing efforts demonstrate your company is serious about compliance.

Monitoring is a commitment to reviewing and detecting compliance problems in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. While unique in protocol, the two functions are related and can operate in tandem.

Finally, what are your remediation efforts? Your company should remediate problems quickly. A key concept behind the oversight element of compliance is that if a company is policing itself on compliance-related issues, the government will not have to do it for them. Remediation, then, is an important component of oversight. It is not enough to just gather information and identify compliance problems through monitoring and auditing. To fulfill this essential element of compliance, you also have to respond and fix the problems.

I have found that the Baker ‘Five Essentials’ approach is an excellent way to think through your obligations under a wide variety of anti-corruption and anti-bribery requirements. It allows you to put in place a program which should meet virtually any legal requirements you may come up against by doing business anywhere in the world. Lastly, the five-step approach is an excellent way for you to benchmark your current compliance program.
