Proactive Use of Systemic Compliance Successes in an FCPA Enforcement Action

We recently looked at an article which reviewed the Department of Justice’s (DOJ) Foreign Corruption Practices Act (FCPA) enforcements with an eye towards the failures of internal controls. This analysis provided a valuable summary of several “lessons learned” regarding the compliance failures of those companies caught up in FCPA enforcement actions. One of the frustrations I hear from compliance professions is that they have a good idea of what not to do but are less sure of more proactive steps which their company’s might glean from published enforcement actions.

Fortunately this void has been filled by our colleague William Athanas with his article, “Demonstrating “Systemic Success” in FCPA Compliance: Identifying and Maintaining Evidence to Respond to Government Investigations . . . Before They Begin” recently published in the ABA Global Anti-Corruption Task Form site. He believes that by analyzing what went right, that companies can equip themselves with powerful evidence to respond to government inquiries and create readily identifiable benchmarks to measure the ongoing effectiveness of their FCPA compliance programs.

Athanas believes that underlying DOJ FCPA enforcement is based one of two bedrocks. Either (1) the company under investigation “has made a conscious choice to elevate profitability over compliance, essentially making foreign bribery an unwritten part of its strategic plan;” or (2) the company in question “has effectively disregarded any obligation to ensure that it conducts its activities within the boundaries of the law, opting instead to avoid putting any safeguards in place to prevent FCPA violations.” Even if these underlying assumptions are not correct, a company must do more than show it did not have a culture built on bribe payments. It must offer tangible proof that it acted “with genuine commitment to conducting themselves within the parameters of the law, even when doing so resulted in significant financial harm or verifiable lost opportunities.”

So how does a company provide such information to the DOJ? First the company must have documented, documented and then documented its compliance process and procedures. This documentation must show that the company’s compliance program had real “teeth” and lend credence to a company’s assertion that its compliance measures are robust and real – not just paper tigers. Athanas makes several specific suggestions of documentable events of compliance which a company can use. He suggests:
• Detection of potential FCPA violations before they occurred and remedial measures taken.
• Obtain periodic certifications of FCPA compliance from foreign business partners and termination of those when certifications were refused or revealed violations.
• Exercise of audit rights.
• Regular assessment and enhancement of a company’s compliance program.
• Books and Records audits and appropriate action taken based on such compliance audits.
• Recognition of red flags in the due diligence process and either clearing of the Red Flag or termination based upon further investigation.
• Follow up on hotline reports.

The author suggests, depending on the severity of the FCPA violations, that a company may consider disclosing “external” unlawful conduct to investigators. This could demonstrate that a compliance program has robust in both theory and practice and may support the notion that FCPA violations represent isolated, unsanctioned actions of rogue employees, rather than the manifestation of an unwritten company policy or the existence of a culture of corruption. Such a position could, in turn, allow the corporation to make a far more forceful argument that the sanctions exacted should be at the lower end of the spectrum.

Lastly Athanas emphasizes a cornerstone of any compliance program, three cornerstones actually. They are document, document and then document. If you compliance program does not document its successes there is simply no evidence to present that it has succeeded. In addition to providing to your company support to put forward to the DOJ, it is the only manner in which to gage the overall effectiveness of your compliance program. Put another way, if you do not document it, you cannot measure it and if you cannot measure it, you cannot refine it. Athanas ends by noting that compliance should be treated as a journey and not a destination.

This paper provides helpful information for the FCPA compliance practitioner which can be used when things may appear at their bleakest, during a FCPA investigation. Because your company should be documenting its compliance program, the information the author suggests should be collected on an ongoing basis so the incremental cost of “putting more arrows on your quiver” should not be something to dissuade your company from engaging in this exercise.

You will find this article on a new website, the ABA Global Anti-Corruption Task Force Website. As noted by the FCPA Professor,

The ABA’s Global Anti-Corruption Task Force, co-chaired by Andrew Boutros (Department of Justice) and Markus Funk (Perkins Coie), has launched a new website. The website “provides up-to-date, practitioner-oriented information and analysis on global anti-corruption matters” and the opportunity to publish peer-reviewed articles.

We commend this site to you.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.
© Thomas R. Fox, 2011

UK Bribery Guidance Released: An Initial Look at the Quick Start Guide

The long awaited final Guidance on the UK Bribery Act was released today. It provides a wealth of guidance for the compliance professional whether a company is located in the UK, US or anywhere else in the world. This will be the first of several articles we will present on the Guidance. We will begin with the Quick Start Guide. Other releases today were the Guidance and Joint Prosecution Guidance.

The Quick Start Guide notes that they key points of the Bribery Act are:
• The Bribery Act only deals with bribery and not other forms of white collar crime.
• A company will only be vicariously liable for the acts of third parties if such illegal conduct was performed on behalf of a company.
• A company does not need to put anti-bribery procedures in place if it has no risk of bribery.
• Corporate hospitality is not prevented by the Bribery Act.
• Facilitation payments are still illegal Bribery Act, just as they were under prior UK law.

The Quick start notes that a company does not commit the offence of failing to prevent bribery if it can show that it had ‘adequate procedures’ in place to prevent bribery. The scope and parameters of adequate procedures will depend on the bribery risks a company face and the nature, size and complexity of a business. So, a small or medium sized business which faces minimal bribery risks will require relatively minimal procedures to mitigate those risks.
The Quick Start lists six general guidelines designed to assist a company to determine what steps it will need to take to determine the scope of its adequate procedures decide what, if anything, a company need to do differently:
1. Proportionality. The action a company should take should be proportionate to the risks a company face and to the size of a the business. So a company might need to do more to prevent bribery if it is a large organization, or if a company is operating in an overseas market where bribery is known to be commonplace, compared to what a company might do if it is a small organization, or is operating in markets where bribery is not prevalent.
2. Top Level Commitment. Those at the top of an organization are in the best position to ensure their organization conducts business without bribery. A company will want to show that it has been active in making sure that all employees (including any middle management) and the key people who do business with a company understand that it does not tolerate bribery.
3. Risk Assessment. Think about the bribery risks a company might face. For example, a company might want to do some research into the markets which it operates and the third parties it deals deal with, especially if a company are entering into new business arrangements and new markets overseas.
4. Due Diligence. Knowing exactly who a company is dealing with can help to protect a business from taking on people who might be less than trustworthy. A company may therefore want to ask a few questions and do a few checks before engaging others to represent a company in business dealings.
5. Communication. Communicating anti-bribery policies and procedures to staff and to others who will perform services for a company enhances awareness and helps to deter bribery by making clear the basis on which an organization does business. A company may, therefore, want to think about whether additional training or awareness appropriate or proportionate to the size and type of its business.
6. Monitoring and Review. The risks a company faces and the effectiveness of procedures may change over time. A company may want, therefore, to keep an eye on the anti-bribery procedures so that they keep pace with any changes in the bribery risks a company may face when, for example, a company enters new markets.
The Quick Start goes on to provide guidance on risk assessment, due diligence and the use of third party consultants in the creation of anti-bribery policies and procedures. Every practitioner needs to be aware of these releases and should review them to determine their impact your company.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.
© Thomas R. Fox, 2011

SEC Sweeps Sovereign Wealth?

Ed. Note-today we host a Guest Blog from our Colleague Mary Shaddock Jones, Assistant General Counsel and Director Of Compliance at Global Industries, Ltd.

I recently read an article by Cadwalader, Wickersham & Taft, LLP regarding the Security and Exchange Commission’s (“SEC”) delivery of letters of inquiry to at least 10 hedge funds, banks and private equity funds requesting information about the firms’ interactions with sovereign wealth funds.  From all accounts, the SEC may be looking into whether or not the financial institutions interaction with the sovereign wealth funds was conducted in accordance with the Foreign Corrupt Practices Act (“FCPA”).

By now, no one paying attention to the FCPA should be surprised by yet another industry wide investigation.  Beginning in 2007 we saw industry wide investigations in the oil and gas industry with both the U.N. Oil for Food Program in Iraq and the use of an international freight forwarding company in West Africa.  In addition, the Medical Device and Pharmaceutical industries have both been part of an industry wide sweep.  Every industry, every company, every individual and every board member that operates internationally must WAKE UP!

Since the Sarbanes-Oxley (“SOX”) Act became law on July 30, 2002, U.S. reporting companies have to investigate and self report any potential violations of U.S. law, including the FCPA.  On top of all of this the Dodd-Frank legislation has broad application across industries based on the authority granted to the Securities and Exchange Commission (SEC) and applies to all SEC registrants as well as entities regulated by the Commodities Futures Trading Commission (CFTC). The Dodd-Frank Act permits whistleblower awards of 10-30 percent of the amount of monetary sanctions in cases where they exceed $1 million. To receive the monetary award, the information provided must be “original,” essentially meaning that it must be obtained from the whistleblower’s independent knowledge or analysis only and not known to the Commission from any other source.  The information can apply to any type of securities law violation including insider trading, fraudulent financial reporting, and Foreign Corrupt Practices Act (FCPA) violations. It is well published that in the last several years FCPA fines and penalties have as large as hundreds of millions of dollars for an individual case.  10-30 percent of hundreds of millions is a lot of money!

What does all of this mean to every industry, every company and every individual and every board member of a public company that operates internationally?  Don’t wait for the SEC and/or DOJ to come knocking at your door with their broom.  Start at the top: review your risks, review your compliance program, and review your internal controls.  Do you have a clean house?   If not, spring cleaning should be on the top of your to-do list!

There was an excellent article written on February 8, 2011 by Elizabeth Ising and Amy Goodman from the law firm of Gibson Dunn & Crutcher, LLP in Boardmember.com reflecting the top 11 Legal and Regulatory Tips for Board of Directors in 2011.  Not surprising, the top three tips were: (1) Understand the company’s business and industry and be active in strategic planning; (2) Engage in regular risk oversight; and (3) Encourage robust compliance programs that have adequate resources.

During hard economic times, companies are looking to be as efficient in their operations as possible.  There is nothing wrong with this strategy- in fact it is admirable.  However, don’t lose sight of the fact that an FCPA investigation, much less any fine or penalty, will cost your company millions of dollars. I work in the energy industry and I have experienced what happens to companies during these sweeps. If you do not have a robust compliance policy and procedure in place and/or can not document it, you may be in for a long and costly ride. So put your money to good use and invest upfront in a solid compliance program before the dust storm enters your house.

Mary Shaddock Jones is Assistant General Counsel and Dir. Of Compliance at Global Industries, Ltd. Mary can be reached at maryj@globalind.com. The views and opinions expressed here are her own and not necessarily those of her employer.

 

The Use of Audit Analytics in a Best Practices FCPA Compliance Program

We recently wrote, and provided a list of examples, Red Flags in the anti-corruption, anti-bribery, anti-money laundering context and in the area of international economic sanctions.  As we indicated, we do not believe that the mere presence of a Red Flag means that a transaction is violative of the Foreign Corrupt Practices Act (FCPA) or even that the transaction must not go through. The presence of a Red Flag does mean that there should be additional follow up, due diligence and investigation to ensure that any party or transaction which raises a Red Flag is valid. This investigation must be thoroughly documented and in a form which readily creates an audit trail should your company need to provide such data to the Department of Justice (DOJ) or other investigatory body.

We recently read an article by ACL Services entitled “Don’t Get Bitten by the FCPA”, which advocated the use of audit analytics to assist in the creation of an effective compliance program. They promote audit analytics as a core component as it demonstrates a consistent process and follow up for any issues which are identified as Red Flags. It also provides the necessary documentation to enable your company to continue to compare and update its  compliance program and provides a readily assessable written record to present to any DOJ official.

The authors also noted several issues which make implementation of such a system challenging. Your compliance program must understand business culture and local language. The system you utilize should support language characters from writing systems outside the United States (think Chinese here). Your audit team should also have access to local resources on business operations, language and culture. The culture of gift giving is wider in some Asian countries than in the US, so special care must be taken to identify and understand such issues.

The centralization of data is critical. Many companies may have different Enterprise Resource Planning (ERP) systems across the world. The laws of many countries vary in terms of the capture and correlation of data and if such information can be transmitted outside a country’s borders. While such issues can be overcome with multiple servers or other hosting solutions, it may increase the difficulty of capturing such data.

The authors provide a framework for the deployment of analytics. They begin with suggesting the prioritization of risk. Recognizing that a risk assessment is now viewed a mandatory first step in any effective FCPA or Bribery Act compliance program; you must prioritize your risks with regards to any issues raised as Red Flags. The authors list a four step approach, which includes:

1. Define the Red Flags and compliance questions which are the most important to your overall anti-corruption and anti-bribery program.
2. Obtain the data which you need to answer the issue(s) raised by the Red Flag.
3. Run analyses, push results out to the right people and automate the process.
4. Build from these steps to evolve your system.

The authors end the paper with some questions which we believe every organization should ask itself on an ongoing basis to help keep a compliance program dynamic and not static. These questions include:

• Does your company perform any type of data analysis to address audit or compliance objectives?
• Has your company reviewed how audit analytics could be applied to help with an overall FCPA control assessment strategy?
• Has your company investigated how (or even if) your foreign business partner data is captured?
• How decentralized is your employee expense and payment system?
• How often does your company validate its FCPA controls?

This white paper provides an excellent overview of using the tool of audit analysis analytics in your FCPA or Bribery Act compliance program. We recommend it to you as method to analyze your company’s program and to assist in documenting your compliance procedures.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

FCPA Lessons Learned-Failures in Internal Controls

We often write and speak on some of the lesson learned from enforcement actions brought by the Department of Justice (DOJ) under the Foreign Corrupt Practices Act (FCPA). We believe that companies can not only learn from the mistakes of others in implementing or enhancing their compliance program but can glean information on the DOJ’s current thinking on the best practices for a compliance program.

In a recent white paper, entitled, “Staying out of the Headlines: Strategies to Combat Corruption Risk” jointly produced by the consulting firm of Protiviti and the law firm of Covington and Burling, the authors reviewed 286 FCPA cases and analyzed the internal control weaknesses which led to FCPA enforcement actions. From this review, the authors derived a Top Five of Control Weaknesses. This article will review these findings and the authors’ guidance on how a company might use this information to assist it to enhance its FCPA compliance program.

1. Inadequate Contract Pricing Review

The authors found that in 110 cases they reviewed, the internal controls were insufficient to confirm whether contract pricing was artificially inflated or otherwise altered. This enhanced the risk that a foreign business representative could inflate the price of goods and either keep the spread or use it to bribe a foreign governmental official. The types of internal controls weaknesses noted by the authors included:

• Inflated contract prices were used to generate and conceal kickbacks.
• Commissions were disguised as legitimate business expenses.
• Unwarranted additional fees were added to contract prices.

To remedy this contract pricing issue, the authors recommended that companies review their procurement policies from a FCPA compliance perspective. Companies should also engage in a competitive bidding process for purchases from third parties. Lastly invoices from third parties should provide sufficient detail to support the goods or services provided and back up for all expenses.

2. Inadequate Due Diligence and Verification of Foreign Business Representative

It is well known that companies are responsible for the actions of their business representatives and that this is a large source of FCPA exposure. Based upon their review, the authors found several examples of weaknesses in internal controls which led to FCPA enforcement actions. These weaknesses included:

• Monthly payments made to foreign business representatives where no written contract was in place.
• Contracts with foreign business representatives with prior histories of improper payments.
• Lack of vigorous due diligence based upon a valid risk analysis.

While noting the difficulties in the area of foreign business relationships, the authors proffer several steps to help ameliorate the risk. These steps include (1) a risk assessment and ranking of requisite due diligence based on this assessment; (2) collection, processing and analysis of information in a concise and effective manner; (3) confirm the business purpose, and indeed business need, for the third parties; (4) have a high level management review of all high risk foreign business partners; (5) include in your written contract, FCPA terms and conditions, including an affirmation of FCPA compliance; and (6) manage the foreign business partner relationship with an internal management sponsor.

3. Ineffective Accounts Payable Payment and Review

This area involves the review and appropriate authorization of funds prior to disbursement. The authors noted that vendor set up and management procedures were not well documented in the cases they reviewed and that company processes across wide geographic areas may not have the appropriate “checks and balances.”  The authors found the following internal control weaknesses in this area:

• Inappropriate payments made to agents under the guise of commissions, fees or legal services.
• Payments for professional services where no back up was provided by the vendor.
• Services were paid under contracts where such services were not addressed.

As remedies for these issues, the authors suggested that the classification of payments is critical. Additionally supporting documentation must be a part of any request for payment but there must be an appropriate review and approval process followed for any disbursements. Finally purchase orders must be matched with contracts for validation prior to payment.

4. Ineffective Financial Account Reconciliation and Review

The books and records component of the FCPA, together with the accounting control provisions mandate that documentation on transactions must not only record the transaction but also adequately describe it to alert the reviewer to possible violations. In their white analysis, the authors found several examples of ineffectual financial account reconciliation and review, which included:

• Inflated revenues through improper schemes.
• Recording of false entries by a subsidiary that was rolled up to a parent.
• False invoices were paid.
• Improper recordation of payments in various ledger accounts.
• Lack of appropriate documentation for disbursements.

The authors advised that companies should enhance financial reconciliation and review for FCPA compliance. Policies and procedures must be established and followed to help ensure accurate bookkeeping and accounting. Lastly, all transactions must have and be supported by appropriate documentation.

5. Ineffective Commission Payment Review and Authority

The authors noted instances of the lack of procedures to verify the payments of commissions to foreign business partners. These failures led to instances of bribery of a foreign governmental official by the foreign business partner. From their review the authors noted some of the following internal control weaknesses which led to a high number of enforcement cases in this area:

• Mission creep by foreign business partners in that the duties they carried out were not assigned within or by the contract.
• Misleading information was presented to company internal auditors regarding the amount of commissions paid by foreign business partners.
• Commission payments were inflated so that foreign business partners could provide kickbacks to foreign government officials.

To assist in this area the authors stressed the need for a review of all relevant information prior to making a commission payment. This would start with a review of the contract to ascertain if the agent was entitled to a commission, the amount of the commission and whether the work described met the contractual strictures. Care should be taken that all payments are made to the named contract counter-party and not an unnamed third party. The payment location should be verified to make certain no offshore payments are made. Lastly the authors suggest training for any third party representatives to ensure their understanding of the requirements of the FCPA and any other relevant anti-bribery and anti-corruption laws applicable.

This white paper is an excellent source of information the lack of internal controls which have led other companies into FCPA troubles. It provides some solid recommendations for the specific controls that a company should put into place. We commend the authors for their research and suggestions for best practices moving forward.

——————————————————————————————————————————————————————

Stephen Martin and I will be continuing our FCPA presentations, hosted by World Check next week. All of the events are free and CLE is provided. If you are in one of these areas I hope you can join us.

Tuesday, April 5-Portland. For details, click here.

Wednesday, April 6, Seattle. For details, click here.

Thursday, April 7, Denver. For details, click here.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

ANTI-CORRUPTION COMPLIANCE: A BUSINESS APPROACH

Ed. Note-today we present a guest post from our colleague, Michael Volkov, Partner, Mayer Brown LLP

With Department of Justice officials ginning up DOJ’s aggressive enforcement of the Foreign Corrupt Practices Act, and the impending effective date of the UK Bribery Act, companies are scrambling to revise their compliance programs to address anti-corruption risks. DOJ’s message has been heard loud and clear: companies know they have to review their compliance programs and make sure they are effective.

For those companies wondering how to design and implement an anti-corruption compliance program, DOJ has provided a basic outline of the basic elements of a program. DOJ’s guidance adds to the principles outlined in the US Sentencing Guidelines. The legal and consulting community have welcomed DOJ’s guidance.

Companies can start with DOJ’s basic checklist. Of course, the specific design of the program will depend on numerous factors such as the company’s risk profile, the countries in which the company operates, and the nature and extent of interactions with foreign government officials. The programs should differ based on the company culture and the specific circumstances in which they operate. Cookie-cutter compliance programs should be avoided and are a recipe for disaster. DOJ attorneys see through them in a nanosecond as empty promises.

Companies should take their time in designing and implementing a compliance program. The entire program can take a year or even more to implement completely, depending on the size of the company. There is no need to rush and implement a program without carefully considering each element. It is okay to roll out elements in stages. Also, there is no need for companies to compete amongst themselves as to which company has the “best” compliance program. All too often, I hear from one company asking if they should change their policy because they “heard” that another company is applying a more stringent rule, particularly in the area of gifts, hospitality, or entertainment.

Compliance programs should not be designed in a vacuum or follow some rote formula. Of course, lawyers tend to seek and recommend “safe harbors.” Lawyers and other compliance professionals need to take a business practical approach. What does that mean? It means learning the company’s business operations, the needs of the sales and accounting staff, and the overall management structure, so that compliance can occur at the same time that business expands.

The key to an effective program is not just “a tone from the top” but extends to “buy-in” from the company. Compliance officials need to develop a working relationship with employees, and not an adversarial one. If lawyers and compliance staff are seen as problem solvers, figuring out a way to fix a deal or make it work, while flexibly meeting legal requirements, sales personnel will be more inclined to come back and seek help again.

Systematic breakdowns in compliance programs resulting in the mega enforcement cases against companies reflect a complete failure of compliance – one element of which is the absence of any “buy-in” or consistent communications between lawyers and compliance officers and business people in the company. With a new business practical approach, such results can be avoided.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The editor of this blog can be reached at tfox@tfoxlaw.com.

Is a Commercial Enterprise Owned by Foreign Government by Covered by the FCPA?

One of the factors to determine just who is a foreign governmental official under the Foreign Corrupt Practices Act (FCPA), is whether a foreign government is involved. There are currently a triumvirate of pending cases where the defendants have challenged a basic Department of Justice tenet that businesses owned by foreign governments are “instrumentalities thereof” foreign governments and thereby covered under the FCPA. The three cases are the CCI case in Central District of California, the Lindsey Manufacturing case, also in the Central District in California and the John O’Shea case, currently in the Southern District of Texas.

As reported by the FCPA Professor and the FCPA Blog on Wednesday, the Department of Justice was denied the right to file a Declaration from the US State Department in the Lindsey Manufacturing case. As reported by the FCPA Blog the Declaration of Clifton M. Johnson, Assistant Legal Adviser for Law Enforcement and Intelligence in the Legal Adviser’s Office said that “the judge should not grant the defendants’ motion to dismiss because it would adversely impact U.S. foreign policy. [Johnson] asserted that the FCPA was consistent with the OECD anti-bribery convention and that the “foreign official” and state-owned entity coverage of the FCPA must be maintained.” The FCPA Blog opined that this ruling could be a “key defeat in the battle over who’s a “foreign official” under the FCPA”.

We believe however that the point may be much simpler in the Lindsey Manufacturing case. Unlike the CCI case, this case deals with alleged bribery and corruption regarding the Mexican electric utility company, Comisión Federal de Electricidad (CFE). In the CCI case, the defendants are have alleged to violated the FCPA in regards to bribery and corruption of various telecom companies, most generally in Asia. (The O’Shea case also involves allegations of bribery involving CFE.)

The Lindsey case is the first case in which the DOJ has filed any briefing on the issue of who is a foreign governmental official. In its Opposition to the Defendants’ Motion to Dismiss, the DOJ notes that under the Mexican Constitution,

the supply of electricity is solely a government function. Specifically, Article 27 provides: It is exclusively a function of the general Nation to conduct, transform, distribute, and supply electric power which is to be used for public service. No concessions for this purpose will be granted to private persons and the Nation will make use of the property and natural resources which are required for these ends.

The DOJ goes on to point out that the CFE is effectively controlled by the government of Mexico by the appointment of CFE’s Governing Board, as well as the Director General. The DOJ concludes that the “CFE is part of the Mexican government, mandated by its constitution, formed by its laws, owned in its entirety by the people of Mexico” and is constituted to serve the people of Mexico. It would not seem that you can have a much more clear cut case that whatever legal form the CFE might take, it is a part of the government of Mexico.

The defendants accept the argument that the CFE is a government owned enterprise but claim that this disqualifies the CFE “as an entity properly addressed by [the FCPA].” The defendants response seems to boil down to the following, “commercial operations of a foreign government that provide power supply are not instrumentalities” within the meaning of the FCPA. Therefore their employees cannot be foreign officials.

The correct question appears to be precisely before the trial court. A hearing on the defendants’ Motion to Dismiss is currently scheduled for today, at 9:30 AM PDT. If you are attending please tweet away your observations!

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.
© Thomas R. Fox, 2011

Some Red Flags

Most compliance practitioners have heard the term “Red Flags.”  Red Flags are generally defined as circumstances which could place a reasonable person on notice that illegal or improper conduct has or may occur. A Red Flags does not mean that an action or transaction should immediately be terminated. It does mean that you should engage in an appropriate level of additional due diligence and investigation before moving forward.

In his blog posting yesterday entitled “On Anti-Money Laundering“, our colleague Howard Sklar, discussed a new anti-money laundering initiative from the Asset Forfeiture and Money Laundering Section of the Department of Justice. Howard has previously spoken of “compliance convergence” or the merging of control programs such as anti-bribery and anti-corruption with anti-money laundering. Inspired by Howard’s post and his use of “compliance convergence” this post will list some possible Red Flags that you should consider in three control areas: anti-bribery and and anti-corruption; anti-money laundering and with a nod towards the ever changing economic sanctions being levied against Libya, Red Flags regarding international economic sanctions.

I. Anti-Bribery and Anti-Money Laundering

• Doing business in a high risk county
• Allegations that the party has made facilitation payments to government officials.
• Refusal to warrant compliance with the FCPA or other recognized anti-bribery or anti-corruption law.
• Reluctance to participate in due diligence.
• Allegations of illegal or unethical conduct.
• Convictions for illegal conduct.
• Any suggestion that laws or regulations or company compliance policies need not be followed.
• Any suggestion that unethical conduct is custom or the norm in  country.
• Refusal to follow your code of conduct.
• Use of shell companies.
• Ownership by or close relationship to a governmental official
• Refusal to identify a principal of beneficial owner.
• Recommendation of use by a governmental official
• Refusal to sign a contract.
• Lack of experience in the field.
• Requirement of an usually high commission.
• Insistence on payment in cash.
• Insistence on payment in third party country or to an unrelated third party.
• Request for advances.
• Sharing of compensation with undisclosed parties.
• Refusal to provide adequate invoices.
• Offering to provide false invoices.

II.       Anti-Money Laundering

• Named as a Designated Party, SDN or on any similar list.
• Connections to countries identified as non-cooperative with international efforts against money laundering.
• Providing false or misleading information.
• Refusal to disclose the nature and source of assets.
• Refusal to identify a beneficial owner.
• Acting as the agent for an undisclosed principal.
• Company address is not a physical site but a PO box.
• Use of a shell company.
• Lack of concern regarding risks or transaction costs.
• Structuring transactions to avoid reporting requirements.
• Offering to engage in transaction with no or little business justification.
• A request that funds be transferred to an undisclosed third party or in another jurisdiction.
• Any transaction designed to evade taxes.

III.    International Economic Sanction

• Connections to US or UN sanctions or embargoes, including SDN, Denied Persons, Entity and Debarred Lists.
• Requests that goods be exported to countries on an international boycott list.
• Inaccuracies in any shipping documentation and invoicing.
• Abnormal packing, marking or routing of goods.
• Inconsistencies between goods and services of that usually offered by the company.
• Declination of routine installation or training services.
• Promised delivery dates and locations are vague or out of the way location.
• A freight forwarding firm is listed as the final destination.
• Shipping route is out of the ordinary.

As no one list of Red Flags can be exhaustive or final, you may wish to add Red Flags more specific to the risks appropriate to your company, such as those based upon the industry in which you conduct business, the locations where your company does business or other risk factor. If there are any additional ones you feel our readers should be aware of please list them in the Comments Section.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Internal Controls under the UK Bribery Act and FCPA

Although much is still unclear about the implementation date, or the manner in which the UK Bribery Act will be enforced, it is clear that one of the important compliance functions which a company should implement is appropriate internal controls. The previously released Consultative Guidance had the following language regarding internal controls, “Businesses should also consider how their existing internal company procedures can be used for bribery and corruption prevention. For example, financial and auditing controls, disciplinary procedures, performance appraisals, and selection criteria can act as an effective bribery deterrent.”

Internal controls are a key component of any best practices compliance program, whether based upon the Foreign Corrupt Practices Act (FCPA); OECD Good Practices or another local law. Appropriate controls are always needed for the reason that if a compliance program relies simply on the issuance of compliance policies, and on the honesty of a company’s employees, a company may get lucky and avoid a violation but a it will not have an effective compliance program.

Internal controls means more than simply financial and auditing controls. As noted by the UK Bribery Act Consultative Guidance, internal controls should also be applied to other areas of a company’s overall program. Internal controls can provide a check on employee training, certification and testing; issues related to employee performance, such as performance appraisals and disciplinary procedures; and third party due diligence and administrative procedures.

As recently as last week, yet another enforcement action was announced by the Securities and Exchange Commission (SEC) for violation of the books and records component of the FCPA. The SEC agreed to a settlement related to a finding that IBM’s internal controls were inadequate. Improper payments were made to South Korean officials and improper travel and entertainment was paid for Chinese officials. All the payments were by subsidiaries for which IBM was held responsible.

Within the FCPA, the requirements of the books and records provision requires that a company keep detailed books and records which fairly reflect the company’s transactions and disposition of assets. While many companies are familiar with external auditors, who consider materiality to financial statements when determining an audit scope and where the audit focus is the fairness of the presentation of financial statements in all material aspects. They are also experienced with audits for Sarbanes-Oxley (SOX) purposes, which allow exclusion of coverage for immaterial processes and locations and the focus is more directed to the avoidance of material misstatements in the financial statements. However, this materiality issue does not arise under the books and records provisions of the FCPA. Put another way – there is NO materiality consideration – either in the transaction amount or the size of the operations.

Effective controls generally mean that a company’s controls are designed to meet specific objectives. A company’s internal control system should include measures to ensure that controls are consistently and accurately performed. A company should maintain internal accounting controls which provide reasonable assurance that:

• Transactions are properly authorized;
• Transactions are accurately recorded;
• Accountability for assets is maintained; and
• Unauthorized access to assets is prevented.

It is important that a company assesses its internal accounting controls at regular intervals. This means that a company should compare the recordkeeping for assets to an inventory of the actual physical assets. If there are discrepancies, remedial action should be taken. Some examples of this can be physical inventory counts, fixed asset counts and cash reconciliation.

Last week’s SEC enforcement action against IBM drove home yet again the importance of adequate books and records in any FCPA compliance program. Internal controls are a key element in providing sufficient records. An overlooked part of the UK Bribery Act is that all companies subject to its rules and regulations must have an adequate internal controls program, encompassing areas much broader than adequate books and records. These areas should be assessed and remedial action taken to correct any deficiencies as  part of a company’s ongoing assessment and compliance program update.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Barriers to Ethical Behavior: Problems and Remedies

I recently attended the Ethisphere 2011 Global Ethics Summit. At this event, the host Ethisphere announced its annual ranking of this country’s most ethical corporations. Interestingly in an effort to correlate ethical behavior and good business news, Ethisphere reported that these companies averaged earnings which exceeded the S&P average over the past three years. From this position, Ethisphere urged that good ethics is good business because companies which engage in good ethical practices have better earnings than those which do not operate in such an ethical manner.

However, just as Ethisphere and other organizations strive to have companies understand that good ethical practices are in actuality good business practices, other people and organizations are studying how ethical lapses can occur. In an article in the April edition of the Harvard Business Review, entitled, “Ethical Breakdowns” authors Max Bazerman and Ann Tenbrunsel explored the question of why good people allow bad things to happen is the business setting. They begin their article by noting that they believe “the vast majority of managers mean to run ethical organizations”  and while there are some “out and out crooks,” the majority of ethical lapses in companies occur because of either the blinders of leadership or that business leadership may “unknowingly encourage” unethical behavior in their companies.

The authors focus on five barriers to conducting in business in an ethical manner. They provide an analysis of each barrier and suggest possible remedy each of the barriers. While the authors note that compliance policies and procedures to implement business ethics are important, they feel that even the best intentioned [compliance] program will fail if it does not take into account biases which can blind management and employees to unethical behavior.

1. Ill Conceived Goals.

The authors define this barrier as a goal or incentive to promote change or a behavior that encourages a negative one. They cite to the example of the Ford Pinto where the Ford Motor Company discovered in pre-production crash tests the “potential danger of ruptured fuel tanks.” Ford then engaged in a thorough and exhaustive cost-benefit analysis on the costs of lawsuits from a defective product and “determined that it would be cheaper to pay off lawsuits than to make repairs.” The authors end by noting that “a host of psychological and organizational factors diverted the Ford executives attention from the ethical dimensions of the problem…”

As a remedy the authors suggest that business leaders must understand the incentive systems which their company has in place and the effect that it has on the workforce. They suggest “brainstorming unintended consequences when devising goals and incentives.” Management should also consider alternative goals may be important to the reward.

2. Motivated Blindness

The authors understand that people most often see what they want to see. But they suggest that this is something further, the companies will overlook unethical behavior when it is their interest to do so. They cite to the example of the failures of the credit rating agencies which contributed to the economic downturn. These credit rating agencies provided AAA credit ratings to “collateralized mortgage securities of demonstrably low quality” and the authors believe this helped drive the crisis in the housing market. The motivated blindness came from the fact that the credit rating agencies were paid by the same companies that they rated so that they “made their profits by staying in the good graces of the companies that they rate.”

These conflicts of interest can be quite powerful, even if a company or an individual employee is aware of them. The authors suggest that a company “root out conflicts of interest” because awareness of them may not be enough to protest a company from such ethical lapses. Executives should look to “remove them from an organization entirely, looking particularly at the existing incentive systems.”

3. Indirect Blindness

Unfortunately a company will often overlook unethical behavior in other companies. This is the classic situation where a company with strong ethical values employees an agent or other third party representatives whose conduct may not meet a company’s ethical standard. In this barrier the authors cite to the example of the drug company Merck which sold two cancer drugs to the company Ovation. Soon after the sale, Ovation raised the prices on the two cancer drugs by “about 1000%” while Merck actually kept producing the two drugs. The authors assume that Merck sold the two drugs to Ovation so that Ovation could raise the price and not Merck.

The authors decry this outsourcing of unethical “dirty work”. Even if Merck did not know that Ovation would increase the price so dramatically the authors believe that any amount of due diligence on Ovation would have revealed that “it had a history or buying and raising the prices on small-market drugs…” Any company which has such a business representative should understand whom it is doing business with and that it cannot outsource unethical behavior or assign a task which might invite unethical behavior.

4. The Slippery Slope

Every law student is taught how to argue down the slippery slope. You start at Point A and pretty soon you have come to the end of western civilization as we know it. However the authors turn this phrase, so that they define it that companies often fail to “notice the gradual erosion” of ethical standards. Under this barrier the authors cite to the example of company auditors who find minor violations by their client company over several years and which by the final year the has become a large violation or error. As the outside auditors overlooked it all along, they might well overlook it when it becomes a violation.

As a remedy for this barrier, the authors maintain that vigilance is necessary. Managers should be on the look-out for even trivial-seeming infractions but the real key is to address them immediately and not let them drag out. Additionally, there should be some type of inquiry to determine if a change in behavior has occurred.

5. Overvaluing Outcomes

The authors’ final barrier is that they believe that many companies will “reward results rather than high-quality decisions.” This can lead to companies rewarding unethical decisions because such decisions have a good outcome. But, as the authors note, this can be “a recipe for disaster over the long term.” The authors believe that companies will judge their employees actions on whether any harm may follow from an action, rather than focus on the ethicality of the decision or action.

The authors believe this final barrier can be overcome by having the possible outcomes of any decision or action analyzed for both good and bad ethical implications. Focusing on the process of decision making is much more important than simply accepting the outcome. Companies should examine behaviors which “drive good outcomes, and reward quality decisions, not just the results.”

The authors conclude by noting that companies should not simply employ “surveillance and sanctioning systems” but train leaders to avoid the types of biases which can lead to the barriers listed in this article. The end by noting that each employee should be trained to ask the following question, “What ethical implications might arise from this decision?” And this advice may be the most important take-away from the article.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011