FCPA Compliance and Ethics Blog

May 19, 2013

The Drugstore Cowboy and Compliance

One does not have to look very far in the business world to come across the phrase “Know Your Customer.” A company certainly needs to know if an entity that it may sell products or provide services to will pay for those items. Running a Dun & Bradstreet credit check is routinely performed to ascertain if a counter-party is a good credit risk. But how much more should a company do in regards to its customers? Clearly banks, other financial institutions and even casinos need to assess a customer from the perspective of anti-money laundering (AML). Is there a reason grounded in the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act that would suggest that customers should go through background scrutiny from the anti-bribery/anti-corruption compliance perspective?

I thought about internal controls regarding due diligence requirements on customers, effective compliance programs and third party validation of credentials when reading an article in the June issue of Wired Magazine, entitled “Drugstore Cowboy”, by Jake Pearson. I found this article to be a very cautionary tale for those companies which need to consider just whom they are doing business with or for. The story involved an undercover sting operation by the US government against Google. The operation involved a convicted felon, one David Whitaker, who convinced law enforcement authorities that Google had assisted him, in violation of its own internal protocols and US laws, to sell illegal “black market steroids and human growth hormones” online. Whitaker told federal officials that “Google employees had actively helped him advertise his business, even though he made no attempt to hide its illegal nature.” Based upon his experience, Whitaker believed that Google must be “helping other rogue Internet pharmacies too.”

On paper, it appeared from the article that Google had a system designed to ferret out sites which used words or had other indicia that they were selling illegal drugs. There was an initial screening by a Google sales representative. There was an automated program which searched for key words that might indicate illegal drugs were being sold. There was a review of the website itself to see if other factors were present which might show that illegal products were being sold. Finally, Google used a third party verification service to attest that any site selling pharmaceutical products was properly licensed.

Based upon his experiences, the government set Whitaker up with an alias, fake company, bank account and phone lines and then monitored and watched him to see if his claims were true. He was told to see if Google would actively assist him to sell advertising for a non-existent company called “SportsDrugs.net, a website that sold HGH and steroids from Mexico, with no doctor’s prescription.” The plan that Whitaker used was straightforward.

  1. Establish a fake identity. Whitaker made cold calls to representatives of Google to get set up as an account in the company’s system.
  2. Submit the site. The feds designed the sting operation so that it would be obvious the false company was selling illegal drugs. So it offered HGH and steroids, had pictures of the drugs and even had a ‘Buy Now’ button to make clear that no doctor’s prescription was required. The Google sales representative passed the fake sales site along for “policy review, an automated process that Google uses to vet all advertisers.”
  3. Scrub the site. After the fake sales company was initially rejected by the policy review process, a Google representative agreed to help “tweak it” so that it would pass through the Google approval process. The Google sales representative advised Whitaker to rename the site, remove the pictures of the illegal drugs and delete the ‘Buy Now’ button from the site.
  4. Rework the site. After the suggested changes were made by Whitaker, his fake site was approved by Google. Thereafter the items which had been removed from the website, including both the photos of illegal drugs and the ‘Buy Now’ button, were added back into the site, all with the assistance of the Google sales representative.
  5. Raise the stakes. In this phase, the undercover sting operation widened. After their initial success with SportsDrugs.net, the feds created other fake websites for Whitaker, all of which purported to sell illegal drugs. The other sites included one selling “RU-486, better known as the abortion pill, which is normally taken under close supervision of a doctor.” Another site sold the psychotropic drugs Xanax and Valium, both without any need of a doctor’s prescription. In a final example the feds created a ‘Trojan Horse’ site, in which a pharmacy site that held a valid license also had sales for “three clearly disreputable online pharmacies.”

The chilling thing I found in this article was it reported that in each one of the false scenarios, Whitaker was reported to have explained to the Google representative the true nature and purpose of the site. All of the information that Whitaker conveyed made clear that these sites were designed to sell drugs which are illegal in the US, without a doctor’s prescription. In just over the span of three months, the undercover operation spent over $200,000 with Google.

Google ended up settling with the US government for a fine of $500 million. Although Pearson did not quote him, Peter Neronha, the US Assistant District Attorney who headed the investigation and enforcement action, was quoted as telling the Wall Street Journal (WSJ) that the “culpability went far higher than the sales reps that Whitaker worked with. Indeed, he said, some of the company’s most powerful executives were aware that illegal pharmacies were advertising on the site.” Google itself would not comment for the Pearson article.

From the account in the Pearson piece it would appear that Google had a system in place to check and make sure that it was not advertising sites which sold illegal drugs but that system, both human and automated, was worked around. For the anti-corruption compliance practitioner, I think that there are several key lessons which can be learned from this tale.

Train, Train, Train. If you sell services, which can be used to facilitate illegal conduct, you need to train your sales force to watch out for signs of that illegal activity. The initial Google sales representative who was contacted by Whitaker should have been the first line of prevention to stop the issue before it came up for the company.

Monitor, Monitor, Monitor. There should be several types of monitoring. If a business name comes through your system and it is rejected, there should be a monitoring mechanism in place to note if it reappears later or is approved through some other means, as was done in this situation. Similarly, if the name of a business owner comes up in connection with another company, there needs to be a mechanism in place to perform a cross check. The sales representatives should also be monitored to determine if they are manipulating the system.

Incentives, Incentives, Incentives. While not discussed in the Pearson article, what do you want to bet that the Google sales representatives were compensated, at least in part, with a commission based upon the number of GoogleAds that they sold? If your compensation structure or other incentive structure rewards people who use shortcuts, then there will always be employees who take them.

Audit, Audit, Audit. Remember the part of the story about how the Google sales representative would advise Whitaker how to scrub his website of key words, search terms and other information which would indicate that it was selling illegal pharmaceuticals only to reinsert those on the site after the scrubbed site had been approved? You need to audit to determine if any illegal conduct has begun after the contract is signed. And if you do not have audit rights, you have a very slim chance of actually performing an audit.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

March 28, 2013

Use of Forensic Accounting to Avoid a Compliance Meltdown

On this date in 1979, the worst accident in the history of the US nuclear power industry began when a pressure valve in the Unit-2 reactor at Three Mile Island failed to close. Cooling water, contaminated with radiation, drained from the open valve into adjoining buildings, and the core began to dangerously overheat. While plant workers were exposed to unhealthy levels of radiation, no one outside Three Mile Island had their health adversely affected by the accident. Nonetheless, the incident greatly eroded the public’s faith in nuclear power. In the more than two decades since the accident at Three Mile Island, not a single new nuclear power plant has been ordered in the United States.

One of the recognized aspects of a best practices compliance program is auditing. In many ways, auditing is thought of as one of the ways to avoid a compliance meltdown. However, in a recent article in the Texas Lawyer, entitled “How Forensic Accountants Differ from Auditors”, author Elizabeth M. Junell discussed how a forensic accountant can assist an in-house lawyer in a number of ways that differ from those of auditors from a company’s internal audit function. I found that her article had some interesting points for the compliance practitioner.

Junell says that forensic accountants collect and analyze accounting and internal-controls evidence. They use this information to produce a fact-based report that can inform the decision-making process in inquiries, investigations and dispute resolution. The by-products of a forensic accountant’s work can include remediation strategies to help a company mitigate and remedy procedural or internal-controls gaps that allowed the underlying issue to occur. Inquiries into accounting and internal controls raise a host of technical issues requiring specialized knowledge that forensic accountants are uniquely positioned to provide. Junell contrasts these areas with that of internal audit, which she believes more often looks at process to determine if it has been adhered to in a procedure. This leads to internal auditors examining evidence to determine whether people followed prescribed processes or internal controls; this occurs, for example, in an operational Sarbanes-Oxley (SOX) or Foreign Corrupt Practices Act (FCPA) compliance audit.

Junell writes that forensic accounting differs from auditing in both its objective and skill sets. The objective of a forensic accounting assignment is to collect, analyze and report on the evidence or facts surrounding a particular act that often has litigious, fraudulent or criminal implications. Auditors also collect and analyze evidence, but an independent auditor’s objective is to attest to the credibility of assertions that are under examination, such as the material accuracy of financial statements for which the audited company’s management is responsible. However, she argues that a key role of the forensic accountant is to identify a concern and to notify company management about the issue or issues discovered.

From there Junell believes that management should determine if further investigation is warranted. If further investigation is decided upon by management, then Junell considers that “this is where objective shifts and one of the forensic accountant’s strongest skills comes in: an investigative mind that drives him or her to answer questions about what occurred, when and how it happened, and who was involved.” She expects that, at times, a forensic accountant will be required to gather facts about why an event may have occurred so that they look for answers to such questions or for other red flags in the evidence.

One of the discussions that I found interesting in her article was how a compliance practitioner might use a forensic accountant. On the initial level, a decision should be made about whether a forensic accountant should be retained as an outside consultant or hired as an employee. Junell articulates that if such a professional is brought in as an employee, the position should sit in the legal department rather than the company’s internal audit department. She recognizes that in the past, many companies have used existing internal auditors to do forensic accounting work as a way to reduce costs and because of the perceived similarities in the skill set and work product. She believes that this view is becoming outdated and that more companies are placing the forensic accountant position into the legal and compliance department because of the legal implications surrounding the work. Further, by placing the forensic accountant in the compliance department, it allows the maintenance of an objective approach to any assignment, since, as Junell believes, “he or she will not be governed by management or influenced by potential biases within” a company.

Lastly is the issue of privilege. If a forensic accountant is assigned to the internal audit group, you can kiss away even the chance of claiming privilege. Junell argues that by assigning the forensic accountant to the legal and compliance department one might have “more privilege protection than assigning him or her to internal audit or another department.”

I found Junell’s article to have some interesting points about how a compliance practitioner and compliance department can use a forensic accountant to help create a best practices program. It might be something that you would like to consider for your compliance regime. The lesson from Three Mile Island is not that it just might keep you from having a compliance meltdown but that since that time, think about the number of nuclear plants which have been built.


May 1, 2012

Welcome to Howard’s Nightmare and How to Deal with It-(spoiler alert-Internal Controls)

Ed. Note-as most of you will recognize, Henry Mixon is a frequent guest commentator, focusing on internal controls as a part of a best practices compliance program. He recently called me and said that he thought he could provide some information which might help my This Week in FCPA co-host Howard Sklar get some sleep by suggesting a way to deal with his “Nightmare Scenario”. I asked Henry to write up a blog post and this is what he delivered.

In his Nightmare Scenario posted on his OpenAir Blog, Howard Sklar wrote about a very bad dream in which a $5 payment to a customs official in a foreign country by a business development employee might result in the employer filing an 8-K to report a violation of the FCPA.  The employee who paid the USD 5 to the customs agent included the payment in his expense report as “tips.”

Howard references the examples in SEC Staff Accounting Bulletin 99 in which a transaction can become material for SEC reporting purposes, even though it falls well below the typically-used percentage thresholds used by auditors and preparers of financial statements. Two of the considerations from the Staff Accounting Bulletin which can transform a small misstatement into a material one are:

  • whether the misstatement affects the registrant’s compliance with regulatory requirements, and
  • whether the misstatement involves concealment of an unlawful transaction.

I agree with Howard’s concerns about the potential impact of transactions typically considered immaterial. The risk of the 8-K being required may not result from a single USD 5 payment, but can certainly result from a pattern of individually immaterial illegal payments made over time.

When processing reimbursement for transactions occurring outside the US, I believe a different mindset for internal controls is needed. First, the amount of a transaction is not as important as its nature and whether the transaction has a proper business purpose. Many approvers in US companies do not focus on that important difference.

Second, internal controls in many US companies do not focus on the prevention of illegal payments, but instead focus on detection.

Expense report reviewers should be trained to look for Red Flags and to question suspicious items, or items for which proper business purpose is not clearly documented, regardless of perceived materiality.  For example, standard procedure for expense reports is to describe who, what, where, when, and why.  Failure to provide such transparent description should be a Red Flag, whether the requested reimbursement is for meals, hotel, taxi, car rental or any other “common” expense report items.

I would certainly never advise a client to develop internal controls specifically designed to deal with very small dollar items.  However, in the FCPA world, controls should be designed on the basis of the risk profile of the transaction, not the dollar amount. Expense reports of employees traveling to high corruption risk locations outside the US should be high on any risk profile.

Relatively small amounts paid frequently can result in violations of meaningful proportions, especially if all adopt the belief that small illegal payments are permitted and concealment can be rationalized.

In particular, creating the wrong mindset in the business development function can lead to Nightmare Scenario II:  illegal payments made when they result directly in obtaining or retaining business, rather than a payment made to a customs official to be allowed to cross a border.

If nobody questions the concealed illegal payment to a customs official, might an employee see opportunity, and rationalize misbehavior, when a potential customer asks for a bribe in exchange for business advantage?

So, while Nightmare Scenario might not occur for one payment made to be allowed to cross a border, how many payments to government officials concealed in expense reports are required before Nightmare Scenario II becomes reality?


April 16, 2012

The Biomet SEC Complaint: Lessons for Management on the Prevention of Corruption

I am in the UK this week. Today I have a presentation with thebriberyact.com guys, Barry Vitou and Richard Kovalevsky, QC. So this week, my blog posts will have an English theme.

Today, we begin with a melancholy tribute to the Liverpool Football Club, which advanced into the FA Cup final by beating Everton on Saturday. The tribute is melancholy as Sunday, April 15 was the 23rd anniversary of the worst sporting disaster in UK history, the Hillsborough disaster which occurred during the semi-final FA Cup tie between Liverpool and Nottingham Forest football clubs on April 15, 1989 at the Hillsborough Stadium in Sheffield, England. The crush resulted in the deaths of 96 people, with a total of 766 other persons being injured. All of them were fans of Liverpool Football Club. The official inquiry into the disaster, the Taylor Report, concluded that “the main reason for the disaster was the failure of police control.” May you never walk alone.

In today’s post we revisit the Biomet Deferred Prosecution Agreement. As you may recall, one of the major failings of the company which led to the violations of the Foreign Corrupt Practices Act was that of the company’s Internal Audit Department. I asked my colleague Henry Mixon, CPA and FCPA internal controls specialist, for his reaction to the recent posting regarding lessons for Internal Audit in the recent Biomet matter. The following is his response.

While I agree there is a lesson for Internal Audit in the SEC Complaint in the Biomet matter, I also believe there is an even more important lesson for management.

In the Biomet matter, the SEC was critical of the manner in which Internal Audit dealt with certain transactions which involved payments to customers and potential customers of Biomet.

For sure, Internal Audit should have investigated the payments further.  Without more facts, what Internal Audit did, and the possible alternative scenarios, is speculative.

However, the problem I see is this.  Even if Internal Audit had pursued the Red Flags to a different resolution, their findings would not have had the desired result of an effective Compliance Program — the prevention of bribes, not the detection of bribes.

The SEC focuses on correct accounting and disclosure.  Controls to detect and correct errors and irregularities before they impact published financial statements have been the mainstay of controls over financial reporting for many years. Had Internal Audit thoroughly pursued the transactions at issue, the correct accounting would likely have been determined and the impropriety of the true nature of the payments would have been confirmed and possibly corrected before the financial statements were published.

What would have remained was the need for an expensive independent investigation to quantify the magnitude of the issue and a management decision on what to do after the magnitude has been determined, i.e., whether to self report to the DOJ.

However, no amount of investigation and documentation by Internal Audit would have changed the primary issue – the bribes had not been prevented.

In the author’s opinion, management of all companies should be more proactive in developing measures to prevent bribes, rather than relying on measures to detect them.

Well-designed prevention controls do not need to be more expensive or time consuming than detective controls. In any event, the cost of such prevention will most surely be less than the total cost of failure to prevent bribes.

In the author’s opinion, when it comes to compliance with anti-bribery laws, the conventional model of detection and correction will not get the job done.

Henry Mixon can be contacted at hmixon@mixon-consulting.com  


December 19, 2011

McNulty’s Maxims, the Deepwater Horizon and FCPA Internal Controls

I often write about what I call Paul McNulty’s three maxims of a Foreign Corrupt Practices Act (FCPA) compliance program: 1) What did you do to prevent it?; 2) What did you do to detect it?; and 3) What did you do to remedy it? I had generally thought that the internal controls component of a minimum best practices FCPA compliance program applied to maxim number 2, detection. However, in a recent guest post regarding internal controls entitled “Controls to Prevent Violations of Anti-Bribery Laws”, my colleague Henry Mixon explained that “A specific focus is needed to ensure there are control procedures in place to ensure compliance with” maxim number 1, prevention.

This concept was driven home in a December 15, 2011 article in the Houston Chronicle by reporter Jennifer Dlouhy, entitled “Blowout preventers fall short, report says”. This article discusses a 136 page report by the National Academy of Engineering and National Research Council (“the Report”) on the Deepwater Horizon disaster. One of the findings of the Report was that the industry’s trust in blowout preventers, as they are currently designed and utilized, is misplaced. The Report noted that there were several studies which had questioned the reliability of blowout preventers to do what they were designed to do and provided several technical reasons for this finding.

For those of you not in the oil and gas industry a blowout preventer is a piece of equipment which is designed to be the last line of defense if the well blows by cutting through the pipe and blocking the oil or gas from escaping upwards and being ignited by the drilling rig. Generally, it has to be activated by someone or some automatic control system to take its preventative action. In other words, it is not viewed as a detection device but as a prevention device.

This article specifies that the design of blowout preventers is, as the name implies, to prevent an accident. I was reminded that the FCPA and UK Bribery Act require a specific focus on preventive controls. While there should be detect controls as well, if your company only has detect controls, your compliance program does not meet the minimum best practices. In his recent post, Henry Mixon focused on the use of internal controls to prevent bribery and corruption.

Some examples of this use of internal controls which can be preventative controls are the following:

  1. Petty Cash disbursements should be reviewed by more senior management before rather than reconciled after the fact of disbursement.
  2. Controls are needed over
    1. movement of inventory because bribes can be made through mechanisms other than cash.
    2. gifts, entertainment, hospitality, political contributions, and charitable contributions.
  3. An effective Delegation of Authority such as the requirement of dual signatures for hand-written checks.
  4. Offline processing and maintenance of key information related to vendors and disbursements.
  5. Employees, both contract and permanent, require controls in payroll processing to ensure employees’ statuses as current/former, or a relative of a, Government Official, is identified in pre-hire diligence and that effective oversight is established regarding the hours actually worked, the type of work performed, and the compensation paid.
  6. Vendor master file controls to ensure no vendors are paid unless there has been appropriate due diligence performed.

The Report on the Deepwater Horizon disaster makes clear that the energy industry must find a way to prevent a similar event in the future. The lessons from McNulty’s maxims also make it clear that for a best practices compliance program, you must have sufficient preventative controls in place to prevent bribery and corruption. Henry Mixon details some of the specific reasons that internal controls can be used as prevention control and the specifics on how to do it.

If your compliance program only uses internal controls to detect after-the-fact violations, you may need to call Paul McNulty and have him represent you. Then you may well be in the position of having McNulty call the Department of Justice and self-report an FCPA violation. I am relatively sure that such a call is not one that you would like to make, or have counsel make on your behalf.


© Thomas R. Fox, 2011

August 15, 2011

Henry II Revisited: The Fair Process Doctrine as a Key Component of a Compliance Program

In a recent post entitled “Will No One Rid Me of this Meddlesome Priest?” I highlighted ‘Tone at the Top’ by discussing the words of Henry II leading to the subsequent murder of Thomas Becket. One of the things I learned on my recent vacation to England was that Henry II developed many of the procedural safeguards which became the basis of Anglo-American jurisprudence. While English Kings, at least after William the Conqueror, had always been able to issue Writs to direct the King’s subjects to perform tasks, Henry II developed certain standardized Writs which could be utilized to determine disputes between the King’s subjects, in a more fair and judicial manner. So today we will honor Henry II by discussing how he helped to bring procedural fairness to English law and how that relates to a modern-day compliance program.

Two of these Writs are the most famous. The first was the Writ of Novel Disseisin, which would allow a person to contest property ownership through a trial on the merits, decided by a jury. The second was a Writ of Mort D’Ancestor, which allowed heirs to contest property distribution after a person’s death. As with the Writ of Novel Disseisin, it would be issued in the King’s name to the County Sheriff, who would seize the property in question. The matter would then go through a legal process culminating in a trial by jury to determine rightful ownership. Both of these Writs allowed a manner of procedural fairness to come into disputes which heretofore had not been present in English law.

Procedural fairness is one of the things that will bring credibility to your Compliance Program. Today it is called the Fair Process Doctrine and this Doctrine generally recognizes that there are fair procedures, not arbitrary ones, in a process involving rights. Considerable research has shown that people are more willing to accept negative, unfavorable, and non-preferred outcomes when they are arrived at by processes and procedures that are perceived as fair. Adhering to the Fair Process Doctrine in two areas of your Compliance Program is critical for you, as a compliance specialist or for your Compliance Department, to have credibility with the rest of the workforce.

A. Internal Investigations

The first area is that of internal company investigations. If your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Further, those involved must have confidence that any internal investigation is treated seriously and objectively. I have recently written about several aspects of internal investigations, in order to emphasize how to handle internal whistleblower complaints in light of the Dodd-Frank implications. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the process will be fair.

This fairness has several components. One would be the use of outside counsel, rather than in-house counsel, to handle the investigation. Moreover, if the company uses a regular firm, it may be that other outside counsel should be brought in, particularly if regular outside counsel has created or implemented key components which are being investigated. Further, if the company’s regular outside counsel has a large amount of business with the company, then that law firm may have a very vested interest in maintaining the status quo. Lastly, the investigation may require a level of specialization which in-house or regular outside counsel does not possess.

B. Administration of Discipline and Employee Promotions

However, as important as the Fair Process Doctrine is with internal investigations, I have come to believe it is more important in another area. That area is in the administration of discipline after any compliance related incident. Discipline must not only be administered fairly but it must be administered uniformly across the company for the violation of any compliance policy. Simply put, if you are going to fire employees in South America for lying on their expense reports, you have to fire them in North America for the same offense. It cannot matter that the North American employee is a friend of yours or, worse yet, a ‘high producer’. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed.

In addition to the area of discipline which may be administered after the completion of any compliance investigation, you must also place compliance firmly as a part of ongoing employee evaluations and promotions. If your company is seen to advance and only reward employees who achieve their numbers by whatever means necessary, other employees will certainly take note and it will be understood what management evaluates, and rewards, employees upon. I have often heard the (anecdotal) tale about some Far East Region Manager which goes along the following lines: “If I violate the Code of Conduct I may or may not get caught. If I get caught I may or may not be disciplined. If I miss my numbers for two quarters, I will be fired”. If this is what other employees believe about how they are evaluated and the basis for promotion, you have lost the compliance battle.

So we should thank Henry II for showing us that he was more than simply about ‘Tone at the Top’. His changes in English jurisprudence helped lead us down the road to procedural fairness in the law and today in the workplace. You should thank him and remember that people will be more loyal if they think they have been treated fairly, even if the results are not exactly what they wanted.


June 17, 2011

Setting the “Tone at the Top” for FCPA and UK Bribery Act Compliance

Filed under: Bribery Act,FCPA — tfoxlaw @ 1:40 am

Ed. Note-today we share the third in a series of Guest Posts by Michael Potorti, CPA on the role of an auditor in FCPA/UK Bribery Act Compliance.

In any organization, employees look to Management to set the example for them to follow. Almost all employees want to believe in a company and maximize their efforts to drive the Company forward to be the best it can be in a particular industry. They look to their leaders for guidance and advice and pay particularly close attention when Town Halls are held and Company-wide communications are released. I have consulted for many companies and I have witnessed this first hand – a common thread, if you will.

When it comes to FCPA and UK Bribery Act compliance, what better way to kick off your efforts than by having Executive Management use these forums and communications to drive the point home that ALL employees must comply? It sets the “Tone” that the Company takes pride in doing business ethically and will not tolerate offenses.

Here are some suggestions for setting the “Tone at the Top”:

1) Get Executive Management’s Buy In – to clarify that this is not “just another thing the Company needs to comply with”, meet with Management to educate them on the FCPA/UKBA. Give examples of recent judgments against companies that include hefty fines and jail time for some Executives. Ensure that the audience includes the Board of Directors and Executive Management.

2) Work with the Legal and Compliance Departments to include FCPA/UKBA compliance in the Company’s General Ethics Policy – these departments will be involved in the process to imbed FCPA/UKBA compliance within the organization so it is key to get their views on where the major risks are and what employees are expected to do going forward. Specific language should be inserted into the Ethics Policy and Standard Operating Procedures should be developed/amended to provide guidance on how to comply with the FCPA/UKBA.

3) Communication from CEO – a Company-wide communication should be issued by the CEO that points to Company guidance and encourages Mid-Management and all employees to cooperate with the imbedding of related internal controls and training efforts. The communication should specifically state that the Company expects that all employees will comply with the FCPA/UKBA and that Executive Management will have zero tolerance for offenders. A separate communication should be developed and distributed publicly to all 3rd Party Agents, vendors, etc. stating the Company’s commitment to compliance.

4) Set up a Steering Committee – the committee should include Board Members and Executive Management and exist to monitor Project efforts to imbed internal controls and provide targeted training within the organization. Project status should be provided on a regular basis so that the Committee can help with any “roadblocks” or bottlenecks that develop. The Committee can also provide any new information to the Project team (i.e. newly uncovered instance of fraud) so efforts can be amended as necessary.

Executive Management must be on-board with the effort to make employees aware of the FCPA/UKBA and their impact on the Company for instances of non-compliance. Proactive efforts could save the Company huge cost and negative publicity in the long run.

Michael Potorti can be reached at mpotorti@mp-audit.com.

June 2, 2011

The Auditor’s Role in FCPA and UK Bribery Act Compliance

Ed. Note-today we have a guest post from Michael Potorti, CPA of MP Audit

Executive Management is increasingly turning to their Internal Audit Department to assess the risk of FCPA and UK Bribery Act non-compliance on their business and develop ways to mitigate those risks. In the absence of an Internal Audit function, companies are turning to outside counsel and CPAs to provide a roadmap to compliance. 

Counsel can interpret the law, update Management on Government cases/trends and identify high areas of risk within an organization. In addition to the legal advice, companies need experienced auditors to design the controls necessary to target these risk areas. Auditors are also needed to test the design and effectiveness of controls implemented as well as periodically monitor these controls to determine the sustainability of an effective internal control environment.

OK, we now know what we have to accomplish but how do we get there? Here are a couple of recommended steps:

1. Perform a Risk Assessment – look at the company as a whole using a Risk Based Approach – interview Executive Management, local management, etc. to get their views on where the risks lie – we don’t want to flood the organization with controls that have little value

2. Setting the “Tone at the Top” – Executive Management must be on-board with the effort and issue a company-wide communication stressing the importance of compliance and full cooperation with counsel/auditors

3. Create a “Gap” Analysis – target the risk areas identified and interview related employees to determine current control procedures (if any) – detail deficiencies so we can create specific controls to mitigate risk

4. Share Deficiencies with Management- it is important to establish and confirm existence of these deficiencies and develop Action Plans to remediate – management should stress importance of remediation with employees

5. Assign Ownership for Deficiency Remediation – local management and employees close to the deficiency should be responsible for developing controls (with auditor assistance) and implementing them within a certain pre-determined timeframe

6. Test Newly Created Controls for Effectiveness – auditors should perform a walkthrough of activity to ensure the control is designed and operating properly – adjustments should be made if necessary

7. Develop Standard Operating Procedures (SOPs) – controls should be aggregated and documented in SOPs which must be reviewed/signed off on by management and should be mandatory reading for related employees and new hires

8.  Monitor – perform periodic testing on the related controls to determine if they are still operating effectively – adjustments should be made if necessary to conform to any changes to the business environment (i.e. job descriptions and/or structure of company changes).

This preventive effort and the related controls implemented could save the organization from millions in fines, shareholder lawsuits and damage of reputation.

Michael Potorti can be reached at mpotorti@mp-audit.com.


May 11, 2011

What are the Essentials for a FCPA/Bribery Act/OECD Compliance Program?

In a recent article entitled, “Bribery and Corruption Compliance: the Playing Field Levels”, Timothy Coleman and Paul Lomas, attorneys from the law firm of Freshfields Bruckhaus Deringer discuss what they term the “tectonic shift” in anti-bribery and anti-corruption compliance internationally. The authors posit that increased enforcement of the US Foreign Corrupt Practices Act (FCPA); the release of the Organization of Economic Cooperation and Development (OECD) Good Practice Guidance on Internal Controls, Ethics and Compliance (OECD Good Practices); and the impending July 1 implementation date of the UK Bribery Act, have all acted to place “new burdens” on companies to have the highest standard of anti-bribery corruption programs in place.

The requirements of the FCPA are interpreted through the US Sentencing Guidelines, various Deferred Prosecution Agreements and Department of Justice Opinion Releases. The Bribery Act is interpreted through Guidance released by the UK Ministry of Justice. The OECD Good Practices contain its own commentary on interpretation. Using these documents, collectively called “the Sources”, we will discuss the authors’ ten essential elements of an anti-bribery and anti-corruption compliance program. The ten elements formulation is as follows:

  1. Risk Assessment-as all three of the Sources speak to the need for risk assessments, the authors recommend that a company annually assess its risk for bribery and corruption and use this assessment as a guideline to take steps to reduce the overall risk of such conduct.
  2. Implementation Generally-while the OECD Good Practices does not specifically address this element, it is contained within the FCPA and Bribery Act. The FCPA most generally says that an anti-corruption policy should be implemented while the Bribery Act more specifically recommends the embedding of “reasonable policies and procedures throughout the organization with an eye towards practical business issues.”
  3. Participation-this means involvement by all levels of an organization; including (a) appropriate ‘tone at the top’; (b) senior level involvement; (c) individual responsibility and (d) company-wide culture.
  4. Policies and Procedures-all three Sources require that written policies and procedures form the cornerstone for any anti-corruption and anti-bribery program. Care should be taken that it be written in plain English and not “by lawyers-for lawyers.”
  5. Enforcement-this is defined as internal company enforcement and here the authors point to not only ongoing monitoring, auditing and assessment but also granularity down to the individual employee level. There should be both a ‘carrot and stick’ approach so that employees are disciplined for compliance failures but also rewarded (and seen to be rewarded) for doing business through appropriate compliance avenues.
  6. Reporting and Response-under the FCPA, an anonymous reporting Hotline should be a component of a company’s overall compliance program. The Bribery Act calls it a ‘speak up’ line but whatever it is called, there should be recognized reporting mechanisms in place that allow an employee to report allegations of bribery and corruption and protections in place to guard against retaliation for such reporting.
  7. Third Party Compliance-all robust anti-bribery and anti-corruption programs discuss the risk of third parties. They all agree that this risk must be properly evaluated, investigated and managed going forward. Appropriate due diligence must be performed and compliance terms and conditions are important with all third parties. General oversight after the contract is signed is also a key element.
  8. Training-all the Sources of guidance state that training of a company’s employees, with an annual certification, is an important part of an effective anti-bribery and anti-corruption program. The Bribery Act extends this training to third parties.
  9. Periodic Review-it is important for a company to engage in a review on no less than an annual basis. The Sources list several areas that should be assessed. A company should determine if its overall program is effective both internally and externally. Additionally, if there are new best practices, a company should assess whether those concepts should be brought into its anti-bribery and anti-corruption program. If a company moves into a new business area or a new geographic area, these new risks should be assessed, evaluated and managed as well.
  10. Record Keeping and Internal Controls-both the FCPA and Bribery Act have language that makes clear that not only must books and records adequately reflect a company’s expenses but that internal controls are a key defense and preventative measure against bribery and corruption.

The authors then advocate a three step implementation plan for an anti-bribery and anti-corruption program. This three step approach begins with (1) Strategic Planning-where risks are assessed and then resources are dedicated to ameliorating or managing the risks; (2) Written Compliance Policy-every company should commit its entire anti-bribery and anti-corruption program to writing and distribute it company-wide and to appropriate third parties; and (3) Implementation Plan-after risks are assessed, a company-wide implementation plan should be created to begin to implement the policy, beginning with the highest risks first and moving step-by-step throughout the company.

We congratulate the authors for a thoughtful paper which is of great use to the compliance practitioner. If your company is implementing a compliance program, this article lays out a clear road map that you can follow. However, the paper is equally of value to the company which needs to assess or review its overall anti-bribery and anti-corruption program. The authors’ use of the FCPA interpretations, the Bribery Act Guidance and OECD Good Practices as reference points throughout the piece provides an excellent resource for the compliance practitioner to gauge an ongoing compliance program. We welcome the authors’ contribution.


May 3, 2011

Warren Buffett, Berkshire Hathaway and the End of Armageddon-Some Lessons Learned

We have previously written about the importance of getting your investigation right before publicly announcing the results. In other words, do not allow your CEO, as Renault did, to go on national television and decree that three (former) executives had foreign bank accounts filled with money from the sale of company trade secrets, unless you have such facts in your possession. This lesson has been recently driven home here in the US by the Oracle of Omaha, Warren Buffett, with his remarks at the time of the resignation of company executive David Sokol.

As quoted in the Wall Street Journal, when company executive David Sokol resigned back on March 30, Buffett said that he thought Sokol’s actions were not “in any way unlawful” when Sokol purchased stock in a company, Lubrizol, that he later recommended that his employer, Berkshire-Hathaway, purchase. However, the WSJ reported that this past Saturday, Buffett said that Sokol’s purchases violated the company’s insider trading rules and its own Code of Conduct. Further, Buffett was quoted as saying the company had found some “very damning evidence, in my view” about the trades and had turned this over to the Securities and Exchange Commission (SEC). According to today’s New York Times, Sokol’s lawyer denied this claim and was quoted as saying, “At no time did Mr. Sokol violate any law or any Berkshire policy.”

What caused Buffett to change his view on this matter? As reported in the New York Times, on April 27 the Board of Directors “released a scathing report accusing Mr. Sokol of misleading Berkshire about his Lubrizol trades and violating the company’s ethics and insider trading policies.” In other words, it appears that Buffett’s initial statement back in March was made before the facts had been fully investigated. Sound familiar?

So how does all of this relate to the compliance world? We believe that there are at least three lessons to be learned from this matter.

1.     Aim Before You Fire Off

As with L’Affaire Renault, we believe that a company needs to get the best handle on the facts that it can before going public or disclosing to the SEC any allegation of violations of US Securities Laws. Any allegation of conduct by any senior management official which violates US laws must be taken seriously, but a thorough investigation must occur. Just as Renault fired off too early by proclaiming facts that have never been found to exist, here Buffett claimed there was nothing to be concerned about less than one month before his own company’s Board came to the opposite conclusion after an investigation.

2.     Process and Procedure Apply to Everyone

As also noted in today’s New York Times, this matter “reveals a lack of appropriate corporate governance and controls nonetheless.” My friend Francine McKenna has written an excellent piece on this matter which is entitled, “Slippery People: Corporate Governance at Berkshire Hathaway.” One of her points is that with the decentralized governance and control structure present at Berkshire Hathaway, the company operates “at low levels of internal controls.” In any best practices compliance program, internal controls are a key mechanism to detect violations. Even if a company’s business model is successful due to lack of internal controls, it may fail a compliance examination if there is no oversight of senior executives.

3.     What Did You Do When You Found Out?

Fairly early on in my compliance career I heard Paul McNulty speak and provide his thoughts on how the Department of Justice (DOJ) looks at Foreign Corrupt Practices Act (FCPA) issues. His remarks have stuck with me. He gave his perspective on the three general areas of inquiry the DOJ would assess regarding an enforcement action. First: “What did you do to stay out of trouble?” Second: “What did you do when you found out?” and Third: “What remedial action did you take?”

So what did Buffett and, by extension, his company Berkshire Hathaway do when they found out? Initially, they announced Sokol was resigning and Buffett made the statements of support. This is certainly not what the DOJ or SEC expect. If there is evidence of misconduct which could violate Securities Law, they expect that the company would self-report the incident and there would be company sanctions against the employee.

This second point is also critical in setting the “Tone at the Top”. Buffett is viewed by many literally as the “Oracle of Omaha” but the message he sent in his supportive statements in March may well have sent the wrong message to company employees. This message may have been corrected by the release of the Board report last week and by the actions of the company going forward. However, the damage may have been done. Berkshire Hathaway may have to work very hard to remedy the company’s own internal perception now.

We can only hope that all of this will drive home to all companies the need for rigorous enforcement of their own Codes of Conduct as a first line defense against FCPA violations. However, this episode shows the vital role that internal controls play in an overall compliance program. I am always reminded of then President Reagan’s words to General Secretary Gorbachev regarding the agreement to reduce and dismantle each country’s nuclear arsenal, “Trust – but verify.”

===========================================================================================

If you are in Phoenix or San Diego, the World Check FCPA Tour will be in your city this week. Please come out and hear about the most current FCPA best practices.

Tuesday, May 3 from 8-10 AM PDT at McCormick & Schmick’s Seafood Restaurant, in Phoenix, AZ. For information and registration details click here.

Wednesday, May 4 from 8-10 AM PDT at San Diego Marriott Del Mar: Santa Fe Ballroom, in San Diego, CA. For information and registration details click here.

——————————————————————————————————————————————————————

My colleague Howard Sklar had an interesting idea. It was that he and I do a video chat each week on the past week’s stories from the world of compliance. We have begun this journey and the results are “This Week in FCPA“; which can be found here.

Every week, Howard and I will get together and talk about the week’s events in FCPA. This week, we talk about the UK Bribery Act, and how companies should react; we discuss the Johnson & Johnson deferred prosecution agreement and J&J’s added undertakings; and we discuss the recent challenges to the idea that state-owned entities can be foreign officials. We also talk about what contract provisions should be in every contract, and whether audit rights are a good thing or not.
