FCPA Compliance and Ethics Blog

August 8, 2014

Nixon Announces Resignation; GSK Just Resigns

Nixon Resignation SpeechOn this day, 40 years ago, President Richard Nixon announced that he would resign the Office of the President, effective the next day on August 9 at noon. I can still remember my father instructing us to watch the resignation speech on television because, as he put it, it was history in the making. Before a nationally televised address to the country, Nixon said, “By taking this action,” he said in a solemn address from the Oval Office, “I hope that I will have hastened the start of the process of healing which is so desperately needed in America.” His action was hastened along by the Articles of Impeachment voted by the House of Representatives relating to his involvement with the Watergate Affair. With his resignation, Nixon was finally bowing to pressure from the public and Congress to leave the White House.

Yet, even before this truly historic speech and spectacle the next day of Nixon helicoptering off the South Lawn of the White House, Nixon had transformed the America we all lived in. One area that resonates up to this day is his opening with China. If it had not been for Nixon and his Secretary of State Henry Kissinger’s efforts, we might have waited a long time for an opening with China. But Nixon went there and opened China up to do business with the US and indeed the rest of the western world.

Unfortunately one of the much later fallouts from this visit and opening of China has been the corruption investigation by Chinese authorizes against western companies but most publicly the British pharmaceutical giant, GlaxoSmithKline PLC (GSK). And, more unfortunately, the bad news for GSK continues to trickle out into the press.

Next week, Shanghai’s No. 1 Intermediate People’s Court is scheduled to open a trial against Peter William Humphrey, a 58-year-old British national, and his wife, Yu Yingzeng, a 61-year-old American, on charges of illegally purchasing personal information about Chinese nationals. While the trial had originally been planned to be closed to the public, last month Chinese officials announced that the trial would be ‘open’ although the degree of openness is not completely clear.

Not only will the trial be open but the couple’s son, Harvey Humphrey, was allowed visited his parents in their detention center in Pudong, Shanghai, for the first time since their arrest. The visit came after some fierce lobbying by the US and UK consulates. As reported in the online publication FiercePharma, in an article entitled “GSK private eyes’ son allowed first visit to parents in China jail as trial nears”, their son said, “They didn’t quite believe I was coming. They were quite overwhelmed. My mum was shocked. My dad held himself together,” the younger Humphrey told the paper. “It’s a bit unusual for the Chinese to do this. I feel something has changed in the Chinese approach to my parents.” Son Harvey had written to the GSK’s Chief Executive Officer (CEO) Sir Andrew Witte last December to “take a few minutes to raise my father’s case” during a visit to the country, he told the Financial Times (FT), “I understand everything is complicated in China but it seems my parents are paying a big price”. But at this point there is no word on what if any involvement GSK might have in his parent’s defense.

It may be that GSK is way too busy right now worrying about all the other issues surrounding bribery and corruption. In an article in the Wall Street Journal (WSJ), entitled “FBI, SEC Start Glaxo Inquiries Over China”, Christopher M. Matthews and Hester Plumridge reported that in late July “Glaxo received an anonymous email claiming its employees in Syria bribed doctors and pharmacists over the past five years to promote products including painkiller Panadol and toothpaste Sensodyne. The bribes took the form of cash payments, speaking fees, trips, free dinners and free samples, said the email, which was reviewed by The Wall Street Journal. The email cited names and dates. Syrian health officials allegedly received bribes from Glaxo employees to fast-track registration of its Sensodyne dental products, including cash payments and a trip to a 2011 conference in Rome, the email maintains. Glaxo employees also were involved in smuggling a narcotic product from Syria into Iran, the email alleges. The product in question, pseudoephedrine, is a raw ingredient of Glaxo’s congestion medicine Actifed.”

GSK once again reiterated its previously announced position that it was firmly against the payments of bribes by its employees. In response to the allegations of bribes paid in Syria the WSJ article said, “Glaxo said it would thoroughly investigate all claims made in the Syria email, and said it has asked the sender for more information. The company said it has zero tolerance for unethical behavior, adding, “We welcome people speaking up if they have concerns about alleged misconduct.”” Too bad GSK didn’t seek more information about its Chinese operations when the company’s internal investigation came up with no evidence of bribery and corruption.

Much more problematic for GSK is the fact that both the SEC and DOJ have opened formal investigations into allegations of bribery and corruption by the company. The WSJ piece notes, “Federal Bureau of Investigation agents have been interviewing current and former GlaxoSmithKline employees in connection with bribery allegations in China, according to a person familiar with the matter, as fresh claims of corruption surfaced against Glaxo’s operations in Syria. The interviews have taken place in Washington, D.C., in the past few months and are part of a Justice Department investigation into Glaxo’s activities in China, the person added. The U.S. Securities and Exchange Commission also is investigating the company’s business in China, according to people familiar with the matter.”

As readers of this blog will recall from previous posts, in 2012 GSK pled guilty and paid $3 billion to resolve fraud allegations and failure to report safety. The press release noted that the resolution was the largest health care fraud settlement in US history and the largest payment ever by a drug company for legal violations. The criminal plea agreement also included certain non-monetary compliance commitments and certifications by GSK’s US president and Board of Directors, which specifically included an executed five-year Corporate Integrity Agreement (CIA) with the Department of Health and Human Services, Office of Inspector General. The plea agreement and CIA included provisions which required that GSK implement and/or maintain major changes to the way it does business, including changing the way its sales force is compensated to remove compensation based on sales goals for territories, one of the driving forces behind much of the conduct at issue in the prior enforcement action. Under the CIA, GSK is required to change its executive compensation program to permit the company to recoup annual bonuses and long-term incentives from covered executives if they or their subordinates, engaged in significant misconduct. GSK may recoup monies from executives who are current employees and those who have left the company. Additionally, the CIA also required GSK to implement and maintain transparency in its research practices and publication policies and to follow specified policies in its contracts with various health care payors.

The importance of the CIA for this anti-corruption investigation is that it not only applied to the specific pharmaceutical regulations that GSK violated but all of the GSK compliance obligations, including the Foreign Corrupt Practices Act (FCPA). In addition to requiring a full and complete compliance program, the CIA specified that the company would have a Compliance Committee, to include the Compliance Officer and other members of senior management necessary to meet the requirements of the CIA; the Compliance Committee’s job was to oversee full implementation of the CIA and all compliance functions at the company. These additional functions required a Deputy Compliance Officer for each commercial business unit, Integrity Champions within each business unit and management accountability and certifications from each business unit. Training of GSK employees was specified as a key component. Further, the CIA specifically state that all compliance obligations applied to “contractors, subcontractors, agents and other persons (including, but not limited to, third party vendors)”.

GSK is now under investigation, either internally or by anti-corruption regulators across the globe in at least four countries. Unlike other companies that have found systemic issues of bribery and corruption or systemic failures in internal controls, the allegations of bribery and corruption are not 10-15 years old. So today we commemorate Nixon’s resignation; and for GSK it may simply mean just resignation.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 9, 2014

Mid-Year FCPA Report, Part I

Mid Year ReportAs we are now past the halfway mark of 2014, I thought it might be a good time to look at the year in review, so over the next couple of days, I will be reviewing what I believe to be some issues and developments to the Foreign Corrupt Practices (FCPA) world. In this Part I, I will look at an enforcement action which brought a company to No. 5 on the list of highest FCPA settlements, to a company which seemingly came back from the edge of very bad FCPA conduct and finally some individual prosecutions and one interesting settlement in a SEC action against individuals. 

Alcoa

In one of the more long-running international bribery and corruption sagas, Alcoa Inc. settled a FCPA action by having one of its subsidiary’s plead guilty to bribing officials in Bahrain to win contracts to supply the raw materials for aluminum to Aluminum Bahrain BCS or Alba. As reported by the FCPA Professor, “Alcoa entities agreed to pay approximately $384 million to resolve alleged FCPA scrutiny (a criminal fine of $209 million and an administrative forfeiture of $14 million to resolve the DOJ enforcement action and $175 million in disgorgement to resolve the SEC enforcement action – of which $14 million will be satisfied by the payment of the forfeiture in the criminal action).” Alcoa now sits as No 5 on the list of all-time FCPA settlements and has the distinction of paying the largest disgorgement.

Payments were made through shell corporations, agents and distributors. As reported in the Wall Street Journal (WSJ), in an article entitled “Alcoa Snared in Bahrain Bribery Case”, although one of its subsidiaries, Alcoa World Aluminum, pled guilty to violating the FCPA, its parent Alcoa issues a statement that “neither the Department of Justice nor the SEC alleged or found that anyone at Alcoa “knowingly engaged in the conduct at issue.”” According to the WSJ article, the bribery scheme had been in place since at least 1989. Further, at least one in-house counsel had raised concerns in 1997 that the contracts around the bribery scheme when she wrote in an email to Alcoa’s corporate headquarters stating “The contract looks odd. Are these factors OK from an anti-trust and FCPA perspective?” I guess sometimes actual knowledge is really not actual knowledge.

Hewlett-Packard (HP)

In what can only be described as one of the most stunning failures of internal controls to be seen in the annuls of FCPA enforcement actions, HP resolved a matter through a guilty plea, a Deferred Prosecution Agreement (DPA) and a Non-Prosecution Agreement (NPA), for three separate bribery schemes in three countries. For a deal in Russia, HP paid a one-man agent approximately $10MM, which was simply a conduit to pay bribes. In Poland, HP’s Country Manager literally carried bags of cash in the amount of $600K to a Polish government representative for contracts. Finally, in HP’s Mexico subsidiary, according the to the Securities and Exchange Commission (SEC) Press Release, HP “paid a consultant to help the company win a public IT contract worth approximately $6 million. At least $125,000 was funneled to a government official at the state-owned petroleum company with whom the consultant had connections. Although the consultant was not an approved deal partner and had not been subjected to the due diligence required under company policy, HP Mexico sales managers used a pass-through entity to pay inflated commissions to the consultant.”

As noted by Mike Volkov, “In total the three HP entities paid $76 million in criminal penalties and forfeitures. In a related filing, the SEC and HP entered into a civil settlement under which HP agreed to pay $31 million in disgorgement, prejudgment interest, and civil penalties.”

The enforcement action is also notable for two other factors. The first is that HP did not self-disclose the conduct even after German authorities raided the company’s Germany subsidiary’s offices in connection with the Russia transaction. HP seemingly made a dramatic comeback in the eyes of the Department of Justice (DOJ), which leads to the second point of note. That involved the overall penalty assessed against HP. What are we to make of the criminal fines levied against the Russian and Polish subsidiaries of HP? The US Sentencing Guidelines for the Polish subsidiary suggested a fine range of $19MM to $38MM, yet the final fine was $15MM. The US Sentencing Guidelines for HP’s Russian subsidiary suggested a fine range of $87MM to $174MM, yet the final fine was $58MM.

What does it all mean? It would seem that a company could come back from the brink of very bad facts and no self-disclosure. How did HP do it? The resolution documents only reference HP’s ‘extraordinary cooperation’ and installation of a best practices compliance program. My hope is that HP will publicize the steps it took so that the rest of us might learn how they accomplished the results they received.

Individual Indictments, Arrests and Settlements

As reported in the FCPA Blog, there were a number of individuals who fell under FCPA criminal scrutiny in the first half of 2014.

PetroTiger

Joseph Sigelman, the former co-CEO of PetroTiger Ltd., was charged with conspiracy to violate the FCPA and to commit wire fraud, conspiracy to launder money, and substantive FCPA and money laundering offenses. He is accused of bribing an official at Ecopetrol SA, Colombia’s state-controlled oil company, and defrauding PetroTiger by taking kickbacks. As reported by Joel Schectman in the WSJ, two other PetroTiger executives, Sigelman’s co-CEO, Knut Hammarskjold and the company’s former General Counsel (GC), Gregory Weisman, have already pled guilty to the charges.

It is alleged that Sigelman bribed an official in Colombia to help win an oil contract worth $39 million and of seeking kickback payments during the acquisition of another company, in exchange for a better price. Most interestingly, even after the company conducted an internal investigation, which uncovered the conduct and self-disclosed its findings to the DOJ, Sigelman has said he will go to trial and contest the charges.

Firtash and His Associates

In what may be an early preview of the corrupt doings of the old guard in Ukraine, there were a number of individuals arrested or indicted in connection with an alleged scheme to pay $18.5 million in bribes to officials in India to gain titanium mining rights. They include team leader, Dmitry Firtash, a Ukrainian national, who was arrested in Vienna, Austria, March 12, 2014, and the following were indicated with Firtash and charged with conspiracy to violate the FCPA, and who are still at large: Andras Knopp, a Hungarian businessman,; Suren Gevorgyan a Ukrainian national,; Gajendra Lal, an Indian national and permanent resident of the US; Periyasamy Sunderalingam, a Sri Lankan. K.V.P. Ramachandra Rao, a member of parliament in India and former official of the state of Andhra Pradesh, has been charged along with the other five defendants with one count each of a racketeering conspiracy and a money laundering conspiracy, and two counts of interstate travel in aid of racketeering. Although he was not charged under the FCPA, the DOJ has asked India to arrest him.

Direct Access Partners

Continuing the investigation into the first investment bank, Direct Access Partners LLC (DAP), to be charged with FCPA violations, there were two more individuals charged, in addition to the four from 2013 who all pled guilty. Benito Chinea, former CEO of DAP, was charged in federal court in New York for bribery involving Venezuela’s state bank and Joseph Demeneses, a former managing director, was also charged in the 15-count indictment of paying kickbacks to a vice President of the Venezuelan Nation Bank BANDES, in exchange for the bank’s bond-trading business.

Noble Energy Executives

While it is not entirely clear if these cases belong in the first half or second half of the their, the Securities and Exchange Commission (SEC) rather unceremoniously dropped its enforcement action against one former and one current Noble Energy executives. The SEC had claimed that former Noble Corporation CEO Mark A. Jackson along with James J. Ruehlen, had bribed customs officials to process false paperwork purporting to show the export and re-import of oil rigs, when in fact the rigs never moved. These actions led to allegations that Jackson and Ruehlen directly violated the anti-bribery provisions, internal controls and false records provisions relating to the FCPA. For all of these claims the SEC sought injunctive relief and monetary damages.

But as reported in the FCPA Blog, “A docket entry from July 1 for the U.S. federal district court in Houston said all deadlines in the SEC’s civil FCPA enforcement action against two former Noble executives have been vacated “pending final settlement documents.”” Both defendants agreed not to violate or aid and abet any violation of the FCPA going forward. Pretty stout stuff when you consider that all US citizens have that obligation going forward, whether they agree to it in a court filed documents or not.

Tomorrow we continue with Part II.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

 

 

June 18, 2014

SEC Sanctions Company for Whistleblower Retaliation

WhistleI drove my daughter to the airport today for her summer exchange program in Spain. On the way she asked me what I was going to blog about tomorrow and I told her whistleblowers. She was not familiar with that term so I explained it to her and her response was ‘Oh you mean a snitch’ which she then followed up with ‘Dad, nobody likes a tattletale.’ I digested these cheery thoughts for a few moments and I realized if that is what a 17 year old thinks about a person who tries to inform the appropriate parties of concerns, we still have quite a ways to go in this area.

In Compliance Week, Joe Mont reported that the Securities and Exchange Commission (SEC) brought its first enforcement action for a company’s retaliation against a whistleblower. On Monday of this week, the SEC “charged an Albany, N.Y.-based hedge fund advisory firm with engaging in prohibited transactions and then seeking retribution against the employee who reported the illicit trading activity.”

The hedge fund in question, “Paradigm Capital Management and owner Candace King Weir agreed to pay $2.2 million to settle the charges. According to the SEC’s order instituting a settled administrative proceeding, Weir conducted transactions between Paradigm and a broker-dealer that she also owns while trading on behalf of a hedge fund client. Advisers are required to disclose that they are participating on both sides of the trade and must obtain the client’s consent. Paradigm also failed to provide effective written disclosure to the hedge fund and did not obtain its consent as required prior to the completion of each principal transaction. The SEC’s order adds that Paradigm’s Form ADV was materially misleading because it failed to disclose the CFO’s conflict as a member of the conflicts committee.”

Regarding the whistleblower, the SEC order reflected, “after Paradigm learned that the firm’s head trader had reported potential misconduct to the SEC, it engaged in a series of retaliatory actions that ultimately resulted in his resignation. Paradigm removed him from his head trader position, tasked him with investigating the very conduct he reported to the SEC, changed his job function from head trader to a full-time compliance assistant, stripped him of his supervisory responsibilities, and “otherwise marginalized him,” the order says.”

The Dodd-Frank Whistleblower provisions not only allowed payment of a bounty for information, which leads to a SEC enforcement action, but also protects employees from retaliation. Sean McKessy, chief of the SEC’s Office of the Whistleblower, said in a statement “For whistleblowers to come forward, they must feel assured that they’re protected from retaliation and the law is on their side should it occur. We will continue to exercise our anti-retaliation authority in these and other types of situations where a whistleblower is wrongfully targeted for doing the right thing and reporting a possible securities law violation.”

The difficulties faced by whistleblowers on Wall Street have been well documented. In an article in the Financial Times (FT), entitled “Wall Street Whistleblowers”, William D. Cohen wrote about three such persons. Oliver Budde, a former legal advisor for Lehman Brothers, who was quoted as saying “When the tone at the top is ‘anything goes’ anything will go.” Eric Ben-Artzi, a former analyst at Deutsche Bank, who was quoted as saying “They accused me of trying to bring down the bank.” Peter Sivere, a former compliance officer at JP Morgan Chase, who was quoted as saying “I wish I had known that the house always wins.” All three men had tried to blow the whistle internally but were not only rebuffed but suffered retaliation.

For his article, Cohen interviewed the three men. He found that all of them had “made allegations of wrongdoing at their banks, made strenuous efforts to report what they had discovered through internal and external channels and all three were either fired from their jobs after trying to share the information they had stumbled upon or quit in frustration.” But, equally importantly, Cohen believes that their stories, “and the details of what happened to them are important. Not only do they illustrate the existential risks that whistleblowers take when they attempt to point out wrongdoing that they uncover at powerful institutions. They also matter because their stories show just how uninterested these institutions genuinely remain – despite the lip service of internal hotlines and support groups – in actually ferreting out bad behaviour.”

The article also quoted Jordan Thomas, a former SEC enforcement official now in private practice at the firm of Labaton Sucharow, where he heads the firm’s whistleblower practice. Thomas thinks that the anonymous reporting provisions of the Dodd-Frank Whistleblower provisions will help protect whistleblowers. He said, “Essentially most whistleblower horror stories start with retaliation and to be retaliated against, you have to be known. The genius of Dodd-Frank was it created a way for people with knowledge to report without disclosing their identity to their employers or the general public. That has been a game changer because now people with knowledge are coming forward with a lot to lose, but they have a mechanism where they can report this misconduct without fear of retaliation or blacklisting.” Thomas also said “the fact that the SEC could award $14m to a single whistleblower whose identity has remained unknown, despite efforts by the media to uncover it, sends a powerful message that whistleblower identities will be protected.”

One person who is uncomfortable with this anonymous reporting is Beatrice Edwards, director of the Government Accountability Project. She pointed to a recent SEC payout to an anonymous whistleblower, where “The SEC didn’t even reveal the nature of the wrongdoing the whistleblower uncovered, so both the company’s shareholders and the public remain in the dark about what was specifically uncovered and where. All that is known is that the SEC did bring a major enforcement action against a financial institution that resulted in a large penalty and the corresponding $14m award to the whistleblower.” Edwards argued that “the SEC is a disclosure agency, so they should have to establish that [not revealing the information] is really required in order to protect the whistleblower, if they’re going to in a sense subvert their mission . . . They really are not able to justify why they are silent about the name of the company or the nature of the fraud.”

Perhaps the SEC bounty program and the Paradigm Capital Management enforcement action will change the way that company’s view and treat whistleblowers. I certainly hope so because a company’s own employees are its best source of information about what is going on inside the company. As to my daughter’s perception about whistleblowers, I asked her if her school had any type of reporting system if a student saw or was subject to inappropriate behavior. She said that you are supposed to report it to a school counselor. When I explained that was a whistleblower system she relented somewhat. But then she added, No one should rat out their friends. Just like the SEC, I guess we have a ways to go.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

May 29, 2014

May Flowers for GSK? The Corruption Investigation Deepens

Chelsea Flower ShowApril showers bring May flowers, at least that is the old truism. One place it is decidedly correct is at the RHS Chelsea Flower Show, which began its run as one of the, if not the greatest, annual flower shows in the world in May 1862. The event draws some 157,000 people during its five-day run each May. The event has royal patronage and there is always a large contingent of royalty who visit the show.

Unfortunately one group of Englishmen and women who will not be stopping by to ‘smell the roses’ this year are those from the increasingly embattled UK company GlaxoSmithKline PLC (GSK). Yesterday the UK Serious Fraud Office (SFO) announced that it had “opened a criminal investigation into the commercial practices of GlaxoSmithKline plc and its subsidiaries.” To top off this bouquet of May flowers from the SFO, in the same Press Release the SFO said, “Whistleblowers are valuable sources of information to the SFO in its cases. We welcome approaches from anyone with inside information on all our cases including this one – we can be contacted through our secure and confidential reporting channel, which can be accessed via the SFO website.” It then proceeded to provide the SFO’s secure reporting website.

In an article in the New York Times (NYT), entitled “GlaxoSmithKline Under Investigation by Serious Fraud Office”, Chad Bray reported that the SFO “is investigating Glaxo’s business activities in “multiple jurisdictions,” according to a person familiar with the investigation who was not authorized to speak publicly.” As most readers will recall, “Chinese authorities have been investigating the drugmaker’s business practices related to payments to doctors and other health care professionals since last year and questions have been raised in recent months about the company’s practices in Iraq and Poland.”

James Titcomb, reporting in The Telegraph, in an article entitled “SFO opens criminal investigation into GlaxoSmithKline”, went further when he noted that GSK has been in contact with the SFO “in recent months in the wake of claims that it funnelled hundreds of millions of pounds to doctors and officials in countries around the globe to boost sales of its drugs.” Moreover, “Chinese police have accused the company of dispensing 3bn yuan (£285m) in bribes under the leadership Mark Reilly, the former head of its Chinese business. Authorities in the country say the bribes resulted in billions of pounds in “illegal revenue” for the company.”

On the Chinese side of the investigation, the NYT article reported that during the month of May, “Chinese authorities accused Mark Reilly, the former head of Glaxo’s operations in China, of ordering employees to bribe doctors and other hospital staff to use the drug maker’s products, resulting in more than $150 million in illegal revenue. Two other Chinese-born Glaxo executives were also charged in the matter.”

When news of the Chinese investigation broke last summer, GSK claimed that “Certain senior executives of GSK China who know our systems well, appear to have acted outside of our processes and controls which breaches Chinese law,” Glaxo said in July, after meeting with the Chinese authorities. “We have zero tolerance for any behavior of this nature.” [Read: Rogue Employees] However it appears the Chinese authorities have not fallen for this age-old attempt at corporate misdirection. But Andrew Ward, reporting in a Financial Times (FT) article entitled “SFO opens criminal inquiry into GSK, said that the Chinese authorities had engaged in a “ten-month investigation” which had identified 46 current or former GSK employees as “suspects”. Rogue indeed.

Where might the US Department of Justice (DOJ) or Securities and Exchange Commission (SEC) be on these issues? Clearly, these would seem to be areas of at least inquiry under the US Foreign Corrupt Practices Act (FCPA), but consider the following about GSK, in July of 2012 GSK pled guilty and paid $3 billion to resolve fraud allegations and failure to report safety data in what the DOJ called the “largest health care fraud settlement in U.S. history” according to its press release. The DOJ press release went on to state “GSK agreed to plead guilty and to pay $3 billion to resolve its criminal and civil liability arising from the company’s unlawful promotion of certain prescription drugs, its failure to report certain safety data, and its civil liability for alleged false price reporting practices.” The press release noted that the resolution was the largest health care fraud settlement in US history and the largest payment ever by a drug company for legal violations.

You would think that any company that has paid $3 billion in fines and penalties for fraudulent actions would take all steps possible not to engage in bribery and corruption. Indeed as part of the settlement GSK agreed to a Corporate Integrity Agreement (CIA). This CIA not only applied to the specific pharmaceutical regulations that GSK violated but all of the GSK compliance obligations, including the FCPA.

In addition to requiring a full and complete compliance program, the CIA specified that the company would have a Compliance Committee, inclusive of the Compliance Officer and other members of senior management necessary to meet the requirements of this CIA, whose job was to oversee full implementation of the CIA and all compliance functions at the company. These additional functions required Deputy Compliance Officers for each commercial business unit, Integrity Champions within each business unit and management accountability and certifications from each business unit. Training of GSK employees was specified. Further, there was detail down to specifically state that all compliance obligations applied to “contractors, subcontractors, agents and other persons (including, but not limited to, third party vendors)”. So while GSK may have separate FCPA liability to be investigated by the DOJ; it may be more of an issue that the company could be in violation of its CIA.

GSK has of course averred that it is fully cooperating with all of the various investigations into its alleged bribery and corruption. Further, as reported in Ward’s FT article, “GSK said it was “committed to operating its business to the highest ethical standards”. The company had “previously denied any systemic problem with corruption and said the latest Chinese allegations were “deeply concerning to us and contrary to the values of GSK”.”

So I guess the GSK team probably missed the Chelsea Flower Show this year. ON the other hand, maybe they might be like former BP President Tony Hayward, who during the first few of weeks of the worst oil spill in the history of the world ever, went yachting…

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

May 28, 2014

What Does an Effective Compliance Program Look Like? – The Regulators Perspective

Compliance ProgramWhat does an effective compliance program look like? Is it one that follows the Ten Hallmarks of an Effective Compliance Program as set out in the 2012 FCPA Guidance? How about one that uses the Six Principals of Adequate Procedures relating to the UK Bribery Act as its guideposts? Or should a company follow the OECD Good Practice Guidance on Internal Controls, Ethics, and Compliance? More importantly, for anti-corruption enforcement under the Foreign Corrupt Practices Act (FCPA), what does the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) look for when assessing a compliance program?

Over the years, we have heard various formulations of inquiries that regulators might use when reviewing a compliance program. While not exactly a review of a compliance protocol, one of my favorites is what I call McNulty’s Maxims or the three questions that former United States Deputy Attorney General, and  Baker & McKenzie LLP partner, Paul McNulty said were three general areas of inquiry the he would assess regarding an enforcement action when he was at the DOJ. They are: first: “What did you do to stay out of trouble?” second: “What did you do when you found out?” and third: “What remedial action did you take?”

Paul’s former partner at Baker & McKenzie, Stephen Martin, who still runs Baker & McKenzie Compliance Consulting LLC, said that an inquiry he might make was along the lines of the following. First he would ask someone who came in before the DOJ what the company’s annual compliance budget was for the past year. If the answer started with something like, “We did all we could with what we had ($100K, $200K, name the figure), he would then ask, “How much was the corporate budget for Post-It Notes last year?” The answer was always in the 7-figure range. His next question would then be, “Which is more business critical for your company; complying with the FCPA or Post-It Notes?” Unfortunately, it has been Martin’s experience that most companies spent far more on the Post-It Notes than they were willing to invest into their compliance program.

Last week at Compliance Week 2014, Andrew Ceresney, Director of the Division of Enforcement of the SEC, gave one of the Keynote Addresses. In his remarks he talked about the importance that the SEC is putting into compliance. He said “I start from the premise that the companies that have done well in avoiding significant regulatory issues typically have prioritized legal and compliance issues, and developed a strong culture of compliance across their business lines and throughout the management chain. This is something I observed firsthand while in private practice and have come to fully appreciate from my perch at the SEC.”

But, more importantly, he said that he has “found that you can predict a lot about the likelihood of an enforcement action by asking a few simple questions about the role of the company’s legal and compliance departments in the firm.” He then went on to detail some rather straightforward questions that he believes can show just how much a company is committed to having a robust compliance regime.

  • Are legal and compliance personnel included in critical meetings?
  • Are their views typically sought and followed?
  • Do legal and compliance officers report to the CEO and have significant visibility with the board?
  • Are the legal and compliance departments viewed as an important partner in the business and not simply as support functions or a cost center?

Beyond simply going into the DOJ or SEC and claiming that your company is very ethical and does business in compliance with the FCPA, how can a company demonstrate the above? This is where the Tom Fox Mantra of Document, Document and Document comes into play. No matter how much input the compliance function has into the above suggested inquiries if the inputs are not documented, it is if they did not exist. So for meetings, you should keep attendance sheets or notations. A compliance representative can put a short, three to four sentence memo into the file about the recommendations and the response thereto. If the compliance department advise was not followed, there should be a business reason documented for the decision. Moreover, if there is a rejection of the compliance function advise and the course of action leads to some type of FCPA issue, it may well be assumed the company knew or should have known that the course of action taken could reasonably lead to a FCPA issue if not full blown violation. As to the issues of compliance visibility at the Board level, once again the documentation of any presentation and their substance can provide evidence to answer the query in the affirmative. But the key to all of these questions is if there is documentation to prove the assertions that they actually occurred.

Near the end of his presentation, Cerensey said that “Far too often, the answer to these questions is no, and the absence of real legal and compliance involvement in company deliberations can lead to compliance lapses, which, in turn, result in enforcement issues. When I was in private practice, I always could detect a significant difference between companies that prioritized legal and compliance and those that did not. When legal and compliance were not equal partners in the business, and were not consulted as a matter of course, problems were inevitable.”

McNulty’s Maxims, Martin’s question on budget and now Cerensey’s questions all provide significant guideposts to how regulators think about FCPA compliance programs. For me, I think the point is that companies which actually Do Compliance are easy to spot. For all the gnashing of teeth about how hard it is to comply with what the DOJ and SEC want to see in FCPA compliance, when the true focus can be distilled into whether a company actually does compliance as opposed to saying how ethical they are, I think it simplifies the inquiry and the issues senior management and a Board of Directors really needs to pay attention to.

For a copy of the full text of Director Cerensey’s remarks, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

May 15, 2014

Nolan Ryan’s First No-Hitter and Checking In On the FCPA Professor

LearnAs the Houston Astros continue their journey into complete non-relevance, both to myself and the greater southeast Texas TV watching audience, today we celebrate one of the Astros greatest players, Nolan Ryan. On this day, 41 years ago, Ryan pitched the first of his seven No-Hitters. Ryan played with the Astros from 1980-1988. Of course the idiocy of current Astros management did not begin with the current owner, as the team basically cut Ryan in 1988, saying that he was “washed up” at the tender age of 41. He simply went on to play for the Texas Rangers for another six years, where he only went on to pitch No-Hitters six and seven and record another 1000 strikeouts.

While I cannot determine at this point if the FCPA Professor will have a similarly sterling 26 year career that Ryan accomplished, he recently has done a couple of things that I certainly believe continue to demonstrate his All-Star work in the fields of law and compliance. As clearly denominated by his moniker, the FCPA Professor, he teaches law with a specialization in the arena of the Foreign Corrupt Practices Act (FCPA). While myself and others bemoan to him that he needs to get out on the speaking circuit so that we can hear more of this critique and analysis of FCPA enforcement and to learn from him, I was interested to see he is correcting this by leading his first FCPA Institute this summer over two days, July 16 and 17. The event will be held in Milwaukee and hosted by the law firm of Foley and Lardner.

The Professor’s stated goal in leading this first Institute is “to develop and enhance fundamental skills relevant to the FCPA and FCPA compliance in a stimulating and professional environment with a focus on learning. Information at the FCPA Institute is presented in an integrated and cohesive way by an expert instructor with FCPA practice and teaching experience.” Some of the topics, which will be covered, include the following:

  • An informed understanding of why the FCPA became a law and what it seeks to accomplish;
  • A comprehensive understanding of the FCPA’s anti-bribery and books and records and internal controls provisions and related enforcement theories;
  • Various realties of the global marketplace which often give rise to FCPA scrutiny;
  • The typical origins of FCPA enforcement actions including the prominence of corporate voluntary disclosures;
  • The “three buckets” of FCPA financial exposure and how settlement amounts in an actual FCPA enforcement action are typically not the most expensive aspect of FCPA scrutiny and enforcement;
  • Facts and figures relevant to corporate and individual FCPA enforcement actions including how corporate settlement amounts are calculated;
  • How FCPA scrutiny and enforcement can result in related foreign law enforcement investigations as well as other negative business effects from market capitalization issues, to merger and acquisition activity, to FCPA related civil suits; and
  • Practical and provocative reasons for the general increase in FCPA enforcement.

In other words, it is what you have come to expect from the FCPA Professor; well-thought out reasoned analysis, practical knowledge and learning, and provocative thinking and assessment. For more information on the FCPA Institute, click here.

However, as I will not be able to attend the Professor’s FCPA Institute since I will be hosting my daughter’s annual summer trek to the heat and humidity of Houston, I was equally pleased to see another offering by the FCPA Professor which comes out this summer and indeed it appears in book stores next month. It is his long awaited volume, entitled The Foreign Corrupt Practices Act in a New Era, where the Professor takes a look at the FCPA’s new era of enforcement and confronts the FCPA statutory text, legislative history, judicial decisions, enforcement agency guidance, and resolved FCPA enforcement actions. The contents include the following: Prologue Introduction and Overview; Chapter 1. Before the New Era: The Story of the FCPA and Its Early Enforcement; Chapter 2. FCPA Foundational Knowledge; Chapter 3. The FCPA’s Anti-Bribery Provisions; Chapter 4. The FCPA’s Books and Records and Internal Controls Provisions; Chapter 5. FCPA Enforcement; Chapter 6. Reasons for the Increase in FCPA Enforcement; Chapter 7. The FCPA’s Long Tentacles; Chapter 8. FCPA Compliance and Best Practices; Chapter 9. FCPA Reform; and Conclusion. Of course there is a handy Index as well.

The Professor has some early high praise for his work including the following kudos:

From Michael Mukasey, Former U.S. Attorney General, says “Professor Mike Koehler has brought to this volume the clear-eyed perspective that has made his FCPA Professor website the most authoritative source for those seeking to understand and apply the FCPA. This is a uniquely useful book, laying out systematically the history and rationale of the FCPA, as well as its evolution into a structure governed as much by lore as by law. It will be valuable both to those who counsel international corporations, whether in connection with immediate crises or long-term strategies; and to those who contemplate what the FCPA has become, and how it can be improved.”

From Daniel Chow, Associate Dean for International and Graduate Programs, The Ohio State University Michael E. Moritz College of Law, USA, says of the book “This is the single most comprehensive academic treatment of the Foreign Corrupt Practices available. Professor Koehler’s book will become the authoritative standard for the field. The book not only treats the history of the FCPA, but analyzes the statute’s elements in detail, discusses current cases, and makes proposals for reforms where the current law is deficient. The book is written in a clear, accessible style and I will use it often as a resource for my own scholarly work.”

From Richard Alderman, Former Director of the UK Serious Fraud Office, states “An excellent and thought-provoking book by a great expert. Backed up by rigorous analysis of cases, Professor Koehler constantly challenges those involved in anti-corruption work by asking the question “why?” He puts forward many constructive and well-argued suggestions for improvements that need to be considered. I have learned a lot from Professor Koehler over the years and I can thoroughly recommend this book.”

And from Tom Fox – “if the FCPA Professor writes about it you need to read it. While you may disagree with him, your FCPA perspective and experience will be enriched by the exercise.”

So if you are like me and cannot make it up to Milwaukee in July, go to Amazon.com and pre-order a copy of the FCPA Professor’s book, which is scheduled to ship next month. To order click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

May 2, 2014

Gehrig’s Streak Ends and Compliance Week 2014 Is Near

lou GehrigToday we celebrate greatness in two areas. The first is in baseball as on this day in 1939, “New York Yankees first baseman Lou Gehrig benches himself for poor play ending his streak of consecutive games played at 2,130. “The Iron Horse” was suffering at the time from amyotrophic lateral sclerosis (ALS), now known as “Lou Gehrig’s Disease.” Gehrig joined the Yankees in 1923, but he didn’t see any action until 1925, when he backed up star first baseman Wally Pipp. According to legend, Gehrig stepped in at first base when Pipp benched himself with a headache, and Pipp never made it back on to the field. Gehrig didn’t miss a game for the next 13 years.” Gehrig’s record of playing in 2,130 straight games was intact until broken by Cal Ripken, Jr.

In the area of conference excellence around all things compliance, there is the upcoming Compliance Week 2014. While the conference has not had as many appearances as Gehrig’s long streak, this is the 9th annual event. As usual, Matt Kelly and his team over at Compliance Week have put together a star-studded and first-rate program for a wide variety of compliance practitioners. From the US government there is Kara M. Stein, Commissioner of the Securities and Exchange Commission (SEC). Interested in the future of the audit committee, there will be Jay Hanson, Board member from the Public Company Accounting Oversight Board (PCAOB), together with others to talk on that subject. For export control there will be representatives from the Department of Commerce and Department of Justice (DOJ) to bring you the latest on export control enforcement issues. Finally, both Patrick Stokes from the DOJ and Kara Brockmeyer from the SEC will be there to discuss Foreign Corrupt Practices Act (FCPA) enforcement from the perspectives of their agencies.

As usual there will be many sessions aimed at the compliance practitioner. Are you interested in developing a strong corporate culture? If so there will be a panel to discuss how to do so from working with your board to determine what your culture should be to building ethics and compliance programs (and control systems) that amplify those values rather than undermine them. An often-discussed topic is the management of compliance in joint ventures (JVs) and in a panel you will hear from three compliance officers telling their approaches to JVs: from risk assessments before the deal to monitoring and cooperation during the partnership to practical tips on investigations should misconduct in a JV partner come to light.

If there are specific geographic areas that you are concerned about there will be conversations about India, the Middle East, Africa, China and Latin America. In these sessions, held in smaller groups to facilitate conversations and questions, there will be discussions that focus on ethics and compliance risks in geographic hotspots around the world. Wondering which regulators matter most in a specific area? What training tactics work best for local workforces? Which cultural differences can cause the biggest risks or mis-steps? All those questions and more are prime fodder for these sessions.

There are a couple of very interesting sessions aimed at providing data on compliance trends. In one, there will be a joint Deloitte and Compliance Week review of their findings of this year’s Compliance Trends report – a survey conducted this spring to benchmark compliance operations at the modern enterprise. Hear about current budget and staffing levels, as well as emerging trends in reporting structures, use of GRC (Governance, Risk management and Compliance) technology, risks confronting the enterprise, and strategies to address them. In a second, there will be a review of the joint Kroll and Compliance Week 2014 Anti-Bribery and Corruption Report – one of the most comprehensive reviews of corporate anti-corruption practices you’re ever likely to find. In this session Kroll executives present the findings and lead a discussion on what those findings say about current (and not necessarily best) practice in FCPA compliance.

There will be several sessions, which deal with training. An interesting one is entitled, “Employee Training – Four Statistics That Will Surprise You” and will provide you with information on best practices on how to align roles, risks, and priorities strategically, to make the most efficient use of limited training time while protecting the organization. The discussion will be framed around four key statistics that you can use to drive training decisions and true program effectiveness. Another interesting angle will be through the prism of social media in a session which will consider the new risks social media brings, and the best ways to square its advances in communications and IT with your existing compliance program, whether that’s through new policies, new technology, or a mix of both.

There will be a couple of sessions dealing with investigations. In one, I will lead a panel, entitled “Investigations Gone Global, Not Haywire”, where we will focus on how can you run an effective investigation in some of the most difficult spots in the world, where local law may conflict with what you need to do. We will explore local stumbling blocks to your investigation, and offer ideas on how to complete the job nonetheless. Another session will help you scope out your internal investigation by considering some of the most difficult parts of scoping (parameters for e-Discovery, for example), and techniques to help determine scope more effectively (say, using the audit team to help map out the issue).

Finally, one session looks timely and intriguing. It will focus on supply chain compliance issues and will look at misconduct in the supply chain – conflict minerals, human trafficking, bribery, and more – is one of the most dangerous risks a company faces: It can erupt anywhere, cause enormous reputational harm, and leave boards scrambling for answers. You will hear about the clues you have, in the vast databases of modern businesses, and how to draw out the answers you need – about which risks are looming, which require policy response, and which require the board’s attention. Lastly, I will be leading a conversation on the FCPA enforcement trends we have seen in 2014.

I have been authorized to offer readers of this blog, who register for Compliance Week, a discount off of the standard rate..  To register, please use this link and discount code CW14FOX (case sensitive) to receive the special pricing of $1,495 (rate applies to new registrations only; please read Compliance Week Terms of Sale about refunds or substitutions). Event website: http://conference.complianceweek.com.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 15, 2014

Implementing Compliance Incentives In Your Company

IncentiveSeveral readers have asked why I have not written anything about the Houston Astros this year. The answer is two-fold. The first is that I really do not care. However, the more I thought about it, the real reason is that they are not relevant. Just how not relevant are the bumbling hometown (former) loveables? Last week they achieved the noteworthy accomplishment of obtaining a Nielson rating of 0.00 for a second consecutive season. I am not aware of any other major league team, which has been on television for a game where no one was recorded as watching for the entire game, for two straight seasons. Pretty amazing when you think about it.

However, one thing that is relevant in the context of any best practices anti-bribery compliance program is incentives. The Department Of Justice (DOJ) and Securities Exchange Commission (SEC) could not have been clearer in the FCPA Guidance about their views on the need for incentives to help drive behavior that is ethical and in compliance with the Foreign Corrupt Practices Act (FCPA) when they stated “DOJ and SEC recognize that positive incentives can also drive compliant behavior.” In the Guidance, the SEC cited to the following:

[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that “doing the right thing” is a priority, is to reward it. Conversely, if employees are led to believe that, when it comes to compensation and career advancement, all that counts is short-term profitability, and that cutting ethical corners is an acceptable way of getting there, they’ll perform to that measure. To cite an example from a different walk of life: a college football coach can be told that the graduation rates of his players are what matters, but he’ll know differently if the sole focus of his contract extension talks or the decision to fire him is his winloss record.

A recent article in the Spring 2014 issue of the MIT Sloan Management Review, entitled “Combing Purpose with Profits”, by authors Julian Birkinshaw, Nicolai J. Foss and Siegwart Lindenberg, presents some interesting steps on how a company might work towards achieving the goals articulated by the DOJ and SEC. The key thesis of the authors is if you want to motivate employees you have to have purpose. In their article they presented case studies from three entities: the Tata Group, Handelsbanken and HCL Technologies. From these three cases studies they came up with six core principles, which I will adapt for the compliance function in an anti-corruption compliance program.

  1. Compliance incentives don’t have to be elaborate or novel. The first point is that there are only a limited number of compliance incentives that a company can meaningfully target. Evidence suggests the successful companies are the ones that were able to translate pedestrian-sounding compliance incentive goals into consistent and committed action.
  2. Compliance incentives need supporting systems if they are to stick. People take cues from those around them, but people are fickle and easily confused, and gain and hedonic goals can quickly drive out compliance incentives. This means that you will need to construct a compliance function that provides a support system to help them operationalize their pro-incentives at different levels, and thereby make them stick. The specific systems which support incentives can be created specifically to your company but the key point is that they are delivered consistently because it signals that management is sincere.
  3. Support systems are needed to reinforce compliance incentives. One important form of a supporting system for compliance incentives “Is to incorporate tangible manifestations of the company’s pro-social goals into the day-to-day work of employees.” Make the rewards visible. As stated in the FCPA Guidance, “Beyond financial incentives, some companies have highlighted compliance within their organizations by recognizing compliance professionals and internal audit staff. Others have made working in the company’s compliance organization a way to advance an employee’s career.”
  4. Compliance incentives need a “counterweight” to endure. Goal-framing theory shows how easy it is for compliance incentives to be driven out by gain or hedonic goals, so even with the types of supporting systems it is quite common to see executives bowing to short-term financial pressures. Thus, a key factor in creating enduring compliance incentives is a “counterweight,” by which we mean any institutional mechanism that exists to enforce a continued focus on a nonfinancial goal. This means that in any financial downturn compliance incentives are not the first thing that gets thrown out the window and if my oft-cited hypothetical foreign Regional Manager misses his number for two quarters, he does not get fired. So the key is that the counterweight has real influence; it must hold the leader to account.
  5. Compliance incentive alignment works in an oblique, not linear, way. The authors believe that “In most companies, there is an implicit belief that all activities should be aligned in a linear and logical way, from a clear end point back to the starting point. The language used — from cascading goals to key performance indicators — is designed to reinforce this notion of alignment. But goal-framing theory suggests that the most successful companies are balancing multiple objectives (pro-social goals, gain goals, hedonic goals) that are not entirely compatible with one another, which makes a simple linear approach very hard to sustain.” What does this mean in practical terms for your compliance program? If you want your employees to align around compliance incentives, your company will have to “eschew narrow, linear thinking, and instead provide more scope for them to choose their own oblique pathway.” This means emphasizing compliance as part of your company’s DNA on a consistent basis — “the intention being that by encouraging individuals to do “good,” their collective effort leads, seemingly as a side-effect, to better financial results. The logic of “[compliance first], profitability second” needs to find its way deeply into the collective psyche of the company.”
  1. Compliance incentive initiatives can be implemented at all levels. Who at your company is responsible for pursuing compliance incentives? If you head up a division or business unit, it is clearly your job to define what your pro-social goals are and to put in place the supporting structures and systems described here. But what if you are lower in the corporate hierarchy? It is tempting to think this is “someone else’s problem,” but actually there is no reason why you cannot follow your own version of the same process. We have seen quite a few mid-level managers make a real difference, and often quite quickly, using the principles outlined here.

The author’s have set out several steps that you can implement into your compliance program to enhance incentives to facilitate anti-corruption. There have been many who have criticized the FCPA Guidance. While I am certainly not one of them, I do not think there can be any argument that it does not present the DOJ and SEC views on a minimum best practices compliance program. So if the DOJ and SEC think incentives in your compliance program are important, I suggest to you, they are important. The article, which is the basis of this blog post, provides an excellent start for the exploration of some ways to inculcate anti-bribery and anti-corruption incentives into not only your compliance regime but also, more importantly, the DNA of your company.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 14, 2014

The HP FCPA Settlement

FCPA SettlementLast week the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) jointly announced the conclusion of a Foreign Corrupt Practices Act (FCPA) enforcement action against Hewlett-Packard Company (HP). In the settlement, HP agreed to pay $108MM in fines, penalties and disgorgements for criminal and civil acts. To say that it was one of the more perplexing FCPA settlements would seem to be an understatement. While some will read the settlement documents and see conduct which did not merit such a high total amount of fines and penalties, I am not from that camp.

The tale of this sordid affair of bribery and corruption occurred over 3 continents with multiple countries involved, evidencing an entire breakdown in company internal controls and a complete lack of a culture of compliance. Yet the settlement documents make great pains to emphasize that few employees were actually involved in the nefarious conduct. How bad was the conduct? Think right up there with BizJet because we had bags of cash delivered to a Polish government official. (But unlike BizJet, the Board of Directors did not approve the bribery scheme and it was not taken across the border.) For the Russian deal, it was shopped through several countries with multiple levels of company review, which did not seem to work or care much about anything except getting the deal done. For Mexico, they just seemed to get a free pass where the contract description for the agent who paid the bribe was “influencer fee”.

Finally, as most readers might remember, HP did not self-report this misconduct to the DOJ or SEC. Apparently, the story of HP’s bribery by its German subsidiary to gain a contract in Russia was broken by the Wall Street Journal (WSJ) article in April 15, 2010. The next day, the DOJ and SEC announced they were investigating the allegations of bribery. However, HP was made aware of the allegations by its German subsidiary in December 2009, when German authorities raided HP’s offices in Munich and arrested one HP Germany executive and two former employees. Yet HP never self-reported. Not exactly the poster child for self-disclosure for any company going forward.

Of course HP’s public response at the time indicated its attitude, when a HP spokesperson was quoted in the WSJ article as saying “This is an investigation of alleged conduct that occurred almost seven years ago, largely by employees no longer with HP. We are cooperating fully with the German and Russian authorities and will continue to conduct our own internal investigation.”

More befuddlement comes from the reported facts around HP Germany. As noted by the WSJ report, one, then current, HP executive was arrested and two former employees were arrested in connection with the investigation by German authorities. There is no mention of them in any of the settlement documents. The WSJ article also reported that investigation-related documents submitted to a German court showed that German prosecutors were “looking into whether H-P executives funneled the suspected bribes through a network of shell companies and accounts in places including Britain, Austria, Switzerland, the British Virgin Islands, Belize, New Zealand, the Baltic nations of Latvia and Lithuania, and the states of Delaware and Wyoming”. While some of these countries were mentioned in the settlement documents there was no mentions of DOJ or SEC investigations into Wyoming, Belize, the British Virgin Islands or New Zealand.

What are we to make of the criminal fines levied against the Russian and Polish subsidiaries of HP? The Polish subsidiary pled guilty to a two count Criminal Information consisting of (1) violating the FCPA’s internal control provisions; (2) violating the FCPA’s books and records provisions. The US Sentencing Guidelines suggested a fine range of $19MM to $38MM, the final fine was $15,450,244.

For the Russia deal, the Russian subsidiary pled guilty to a four count Criminal Information consisting of (1) conspiracy to violate the books and records provisions of the FCPA; (2) violating the FCPA’s anti-bribery provisions; (3) violating the FCPA’s internal control provisions; (4) violating the FCPA’s books and records provisions. The US Sentencing Guidelines suggested a fine range of $87MM to $174MM, yet the final fine was $58,772,250.

Finally, in Mexico HP’s subsidiary, according the to the SEC Press Release, “paid a consultant to help the company win a public IT contract worth approximately $6 million. At least $125,000 was funneled to a government official at the state-owned petroleum company with whom the consultant had connections. Although the consultant was not an approved deal partner and had not been subjected to the due diligence required under company policy, HP Mexico sales managers used a pass-through entity to pay inflated commissions to the consultant.” This was internally referred to by HP as an “influencer fee.” Pretty clear evidence of what it was to be used for, wouldn’t you say? Yet the DOJ did not to criminally prosecute the company’s Mexican subsidiary and entered into a Non-Prosecution Agreement (NPA), HP agreed to pay forfeiture in the amount of $2,527,750.

How did HP accomplish all of this? In a Press Release HP Executive Vice President and General Counsel John Schultz said, “The misconduct described in the settlement was limited to a small number of people who are no longer employed by the company. HP fully cooperated with both the Department of Justice and the Securities and Exchange Commission in the investigation of these matters and will continue to provide customers around the world with top quality products and services without interruption.”

As reported by the FCPA Professor, in his blog post entitled “HP And Related Entities Resolve $108 Million FCPA Enforcement Action”, the HP Russian subsidiary Plea Agreement gave the following factors for the reduction in the fine from the Sentencing Guideline range:

“(a) monetary assessments that HP has agreed to pay to the SEC and is expected to pay to law enforcement authorities in Germany relating to the same conduct at issue …; (b) HP Russia’s and HP’s cooperation has been, on the whole, extraordinary, including conducting an extensive internal investigation, voluntarily making U.S. and foreign employees available for interviews, and collecting, analyzing, and organizing voluminous evidence and information for the Department; (c) HP Russia and HP have engaged in extensive remediation, including by taking appropriate disciplinary action against culpable employees of HP and enhancing their internal accounting, reporting, and compliance functions; (d) HP has committed to continue enhancing its compliance program and internal accounting controls … (e) the misconduct identified … was largely undertaken by employees associated with HP Russia, which employed a small fraction of HP global workforce during the relevant period; (f) neither HP nor HP Russia has previously been subject of any criminal enforcement action by the Department or law enforcement authority in Russia or elsewhere; (g) HP Russia and HP have agreed to continue to cooperate with the Department and other U.S. and foreign law enforcement authorities, if requested by the Department …”

In the same blog post, the Professor reported the following reasons were stated for reduction in the final fine by HP’s Polish subsidiary’s:

“(a) HP Poland’s cooperation with the Department’s investigation; (b) HP Poland’s ultimate parent corporation, HP, has committed to maintain and continue enhancing its compliance program and internal accounting controls …; and (c) HP Poland and HP have agreed to continue with the Department and other U.S. and foreign law enforcement authorities in any ongoing investigation …”

We have witnessed companies, which have engaged in ‘extraordinary cooperation’ with the DOJ during the pendency of their FCPA investigations. BizJet is certainly one that comes to mind. Further, there are clear examples of companies, which extensively remediated during the pendancies of their FCPA investigations, from which they clearly benefited. Two prime examples are Parker Drilling, which not only received a financial penalty below the suggested range but also was not required to have a corporate monitor, while they had C-Suite involvement in its bribery scheme. Weatherford seeming came back from the brink during mid-investigation when they hired Billy Jacobson and turned around not only their attitude towards cooperation with the DOJ but also their efforts toward remediation.

Both of these companies are headquartered in Houston and both have been quite active on the conference circuit talking about their compliance programs so most compliance practitioners are aware that these companies are on the forefront of best practices. Perhaps HP is on some circuit doing that, somewhere. If so, kudos to them. If their remediation work led to a best practices compliance program for the company and their extraordinary cooperation led to the astonishing reduction in penalties to their entities, I certainly tip my cap to them. If their lawyers were great negotiators and made great presentations to the DOJ and SEC, all of which led to or contributed to the final results, a tip of the cap to them as well.

So what is the lesson to be learned for the compliance practitioner? Other than befuddlement, I am not sure. Congratulating HP and its counsel is not a lesson it is an action. If HP now has a best practices compliance program, I hope they will provide the compliance community with the lessons that they learned and incorporated into their compliance program, which allowed them to obtain the fines below the minimum suggested range. If they have incorporated some enhanced compliance components into their program I hope they will share those enhancements too.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 4, 2014

Life Cycle Management of Third Parties – Step 5 – Management of the Relationship

Five stepsToday ends my review of what I believe to be the five steps in the management of a third party under an anti-bribery regime such as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. On Monday, I reviewed Step 1 – the Business Justification, which should kick off your process with any third party relationship. On Tuesday, I looked at Step 2 – the questionnaire that you should send and third party and what information you should elicit. On Wednesday, I discussed Step 3 – the due diligence that you should perform based upon the information that you have received from and ascertained on the third party. On Thursday, I examined Step 4 – how you should use the information you obtain in the due diligence process and the compliance terms and conditions which you should place in any commercial agreement with a third party. Today, I will conclude this series by reviewing how you should manage the relationship after the contract is signed.

I often say that after you complete Steps 1-4 in the life cycle management of a third party, the real work begins and that work is found in Step 5– the Management of the Relationship. While the work done in Steps 1-4 are absolutely critical, if you do not manage the relationship it can all go down hill very quickly and you might find yourself with a potential FCPA or UK Bribery Act violation. There are several different ways that you should manage your post-contract relationship. This post will explore some of the tools which you can use to help make sure that all the work you have done in Steps 1-4 will not be for naught and that you will have a compliant anti-corruption relationship with your third party going forward.

Managing third party relationships is an area that continues to give companies trouble and heartburn. The “2013 Anti-Bribery and Corruption Benchmarking Report – A joint effort between Kroll and Compliance Week” found that many companies are still struggling with ongoing anti-corruption monitoring and training for their third parties. Regarding training, 47% of the respondents said that they conduct no anti-corruption training with their third parties at all. The efforts companies do take to educate and monitor third parties are somewhat pro forma. More than 70% require certification from their third parties that they have completed anti-corruption training; 43% require in-person training and another 40% require online training. Large companies require training considerably more often than smaller ones, although when looking at all the common training methods, 100% of respondents say their company uses at least one method, if not more.

While the FCPA Guidance itself only provides that “companies should undertake some form of ongoing monitoring of third-party relationships”. Diana Lutz, writing in the White Paper by The Steele Foundation entitled “Global anti-corruption and anti-bribery program best practices”, said, “As an additional means of prevention and detection of wrongdoing, an experienced compliance and audit team must be actively engaged in home office and field activities to ensure that financial controls and policy provisions are routinely complied with and that remedial measures for violations or gaps are tracked, implemented and rechecked.”

One noted commentator has discussed techniques to provide this management and oversight any third party relationship. Carol Switzer, President of the Open Compliance and Ethics Group (OCEG), writing in the Compliance Week magazine set out a five-step process for managing corruption risks, which I have adapted for third parties.

  1. Screen - Monitor third party records against trusted data sources for red flags.
  2. Identify – Establish helplines and other open channels for reporting of issues and asking compliance related questions by third parties.
  3. Investigate - Use appropriately qualified investigative teams to obtain and assess information about suspected violations.
  4. Analyze - Evaluate data to determine “concerns and potential problems” by using data analytics, tools and reporting.
  5. Audit - Finally, your company should have regular internal audit reviews and inspections of the third party’s anti-corruption program; including testing and assessment of internal controls to determine if enhancement or modification is necessary.

Based upon the foregoing and other commentators, I believe there are several different roles in a company that play a function in the ongoing monitoring of the third party. While there is overlap, I believe that each role fulfills a critical function in any best practices compliance program.

Relationship Manager

There should be a Relationship Manager for every third party which the company does business with through the sales chain. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party. Some of the duties of the Relationship Manager may include:

  • Point of contact with the Third Party for all compliance issues;
  • Maintaining periodic contact with the Third Party;
  • Meeting annually with the Third Party to review its satisfaction of all company compliance obligations;
  • Submitting annual reports to the company’s Oversight Committee summarizing services provided by the Third Party;
  • Assisting the company’s Oversight Committee with any issues with respect to the Third Party.

Compliance Professional

Just as a company needs a subject matter expert (SME) in anti-bribery compliance to be able to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third parties also need such access. A third party may not be large enough to have its own compliance staff so I advocate a company providing such a dedicated resource to third parties. I do not believe that this will create a conflict of interest or that there are other legal impediments to providing such services. They can also include anti-corruption training for the third party, either through onsite or remote mechanisms. The compliance practitioner should work closely with the relationship manager to provide advice, training and communications to the third party.

Oversight Committee

I advocate that a company should have an Oversight Committee review all documents relating the full panoply of a third party’s relationship with the company. It can be a formal structure or some other type of group but the key is to have the senior management put a ‘second set of eyes’ on any third parties who might represent a company in the sales side. In addition to the basic concept of process validation of your management of third parties, as third parties are recognized as the highest risk in FCPA or Bribery Act compliance, this is a manner to deliver additional management of that risk.

After the commercial relationship has begun the Oversight Committee should monitor the third party relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations and evaluation of any new or supplement risk associated with any negative information discovered from a review of financial audit reports on the third party. The Oversight Committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance. In addition to the above remedial review, the Oversight Committee should review all payments requested by the third party to assure such payment is within the company guidelines and is warranted by the contractual relationship with the third party. Lastly, the Oversight Committee should review any request to provide the third party any type of non-monetary compensation and, as appropriate, approve such requests.

Audit

A key tool in managing the relationship with a third party post-contract is auditing the relationship. I hope that you will have secured audit rights, as that is an important clause in any compliance terms and conditions. Your audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. Noted fraud examiner expert Tracy Coenen described the process as one to (1) capture the data; (2) analyze the data; and (3) report on the data, which is also appropriate for a compliance audit. As a base line I would suggest that any audit of a third party include, at a minimum, a review of the following:

  1. the effectiveness of existing compliance programs and codes of conduct;
  2. the origin and legitimacy of any funds paid to Company;
  3. books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
  4. all disbursements made for or on behalf of Company; and
  5. all funds received from Company in connection with work performed for, or services or equipment provided to, Company.

If you want to engage in a deeper dive you might consider evaluation of some of the following areas:

  • Review of contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party.
  • Review FCPA compliance training program; both the substance of the program and attendance records.
  • Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous reporting, hotline or any other reporting mechanism.
  • Does the third party have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review employee expense reports for employees in high-risk positions or high-risk countries.
  • Testing for gifts, travel and entertainment that were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report? How is the third party’s compliance program designed to identify risks and what has been the result of any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

In addition to monitoring and oversight of your third parties, you should periodically review the health of your third party management program. Once again I turn to Diana Lutz and her colleague Marjorie Doyle, and their White Paper entitled “Third Party Essentials: A Reputation/Liability Checkup When Using Third Parties Globally”, where they gave a checklist to test companies on their relationships with their third parties.

  1. Do you have a list or database of all your third parties and their information?
  2. Have you done a risk assessment of your third parties and prioritized them by level of risk?
  3. Do you have a due diligence process for the selection of third parties, based on the risk assessment?
  4. Once the risk categories have been determined, create a written due diligence process.
  5. Once the third party has been selected based on the due diligence process, do you have a contract with the third party stating all the expectations?
  6. Is there someone in your organization who is responsible for the management of each of your third parties?
  7. What are “red flags” regarding a third party?

Perhaps now you will understand why I say that after you prepare the Business Justification; send out, receive back and evaluate the Questionnaire; set the appropriate level of Due Diligence; evaluate the due diligence and execute a contract with appropriate Compliance Terms and Conditions; now the real work begins, as you have to manage the third party relationship.

I hope that you have found this review of the life cycle management of third parties helpful for your compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 4,591 other followers