The Royal Wedding and the End of the ‘Halliburton’ Opinion Release

Today is a Royal wedding in England and in honor of the happy couple and the English House of Windsor we will take a look at the Foreign Corrupt Practices Act (FCPA) in the context of a merger and acquisition (M&A) of a British company.

Until recently, many FCPA practitioners had based decisions in the M&A context on Department of Justice’s (DOJ) Opinion Release, 08-02 (08-02), which related to Halliburton’s proposed acquisition of the UK entity, Expro. However, the recently released Deferred Prosecution Agreement (DPA) of Johnson & Johnson (J&J) may have changed the perception of practitioners regarding what is required of a company in the M&A arena related to FCPA due diligence, both pre and post-acquisition. In this post we will review the genesis of 08-02, the risk based approach that it advocated and the vigorous time frames, which it set forth, to accomplish the agreed to compliance investigations and opine on how these may have changed.

08-02 began as a request from Halliburton to the DOJ from issues that arose in the pre-acquisition due diligence of the target company Expro. Halliburton had submitted the following request to the DOJ specifically posing these three questions: (1) whether the proposed acquisition transaction itself would violate the FCPA; (2) whether through the proposed acquisition of Target, Halliburton would “inherit” any FCPA liabilities of Target for pre-acquisition unlawful conduct; and (3) whether Halliburton would be held criminally liable for any post-acquisition unlawful conduct by Target prior to Halliburton’s completion of its FCPA and anti-corruption due diligence, where such conduct is identified and disclosed to the Department within 180 days of closing.

I.                08-02 Conditions

 Halliburton committed to the following conditions, if it was the successful bidder in the acquisition:

1. Within ten business days of the closing. Halliburton would present to the DOJ a

comprehensive, risk-based FCPA and anti-corruption due diligence work plan which would address, among other things, the use of agents and other third parties; commercial dealings with state-owned customers; any joint venture, teaming or consortium arrangements; customs and immigration matters; tax matters; and any government licenses and permits. The Halliburton work plan committed to organizing the due diligence effort into high risk, medium risk, and lowest risk elements.

a. Within 90 days of Closing. Halliburton would report to the DOJ the results of its high risk due diligence.

b. Within 120 days of Closing. Halliburton would report to the DOJ the results to date of its medium risk due diligence.

c. Within 180 days of Closing. Halliburton would report to the DOJ the results to date of its lowest risk due diligence.

d.  Within One Year of Closing. Halliburton committed full remediation of any issues which it discovered within one year of the closing of the transaction.

Many lawyers were heard to exclaim, “What an order, we cannot go through with it.” However,  we advised our clients not to be discouraged because 08-02 laid out a clear road map for dealing with some of the difficulties inherent in conducting sufficient pre-acquisition due diligence in the FCPA context. Indeed the DOJ concluded 08-02 by noting, “Assuming that Halliburton, in the judgment of the Department, satisfactorily implements the post-closing plan and remediation detailed above… the Department does not presently intend to take any enforcement action against Halliburton.”

II.             Johnson & Johnson “Enhanced Compliance Obligations”

In the recently released J&J DPA, there is an Attachment D, which is entitled, “Enhanced Compliance Obligations.” This is a list of compliance obligations in which J&J agreed to undertake certain enhanced compliance obligations for at least the duration of its DPA. With regard to the acquisition context, Johnson and Johnson agreed to:

7. J&J will ensure that new business entities are only acquired after thorough FCPA and anticorruption due diligence by legal, accounting, and compliance personnel. Where such anticorruption due diligence is not practicable prior to acquisition of a new business for reasons beyond J&J’s control, or due to any applicable law, rule, or regulation, J&J will conduct FCPA and anticorruption due diligence subsequent to the acquisition and report to the Department any corrupt payments, falsified books and records, or inadequate internal controls as required by … the Deferred Prosecution Agreement.

 8. J&J will ensure that J&J’s policies and procedures regarding the anticorruption laws and regulations apply as quickly as is practicable, but in any event no less than one year post-closing, to newly-acquired businesses, and will promptly: For those operating companies that are determined not to pose corruption risk, J&J will conduct periodic FCPA Audits, or will incorporate FCPA components into financial audits.

a. Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to J&J, on the anticorruption laws and regulations and J&J’s related policies and procedures; and

b. Conduct an FCPA-specific audit of all newly-acquired businesses within 18 months of acquisition.

These enhanced obligations agreed to by J&J in the M&A context would seem to be less time sensitive than those agreed to by Halliburton in 08-02. In the J&J DPA, the company agreed to following time frames:

a.    18 Month-conduct a full FCPA audit of the acquired company.

b.    12 Month-introduce full anti-corruption compliance policies and procedures into the acquired company and train those persons and business representatives which “present corruption risk to J&J.”

So there is no longer a risk based approach as set out in 08-02 and the tight time frames are also relaxed. Once again we applaud the DOJ for setting out specific information for the compliance practitioner through the release of the J&J DPA. As many have decried 08-02 is a standard too difficult to satisfy in the real world of time constraints and budget cuts, the “Acquisition” component of the J&J DPA should provide those who have made this claim with some relief.

For a copy of Opinion Release 08-02, click here.

For a copy of the Johnson & Johnson Deferred Prosecution Agreement, click here.

We would be remiss if we did not wish Prince William and his bride, Kate, best wishes in their new journey together. No one puts on pomp and circumstance like the Brits so sit back, relax and enjoy the nuptials with a nice cup of tea.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

How to Use Your FCPA Audit

As we have noted, the key to any testing, whether in the form of an audit or assessment, of your Foreign Corrupt Practices Act (FCPA) compliance program is not to be afraid of the results. If there are components which need to be enhanced, you will have the opportunity to do so. If additional or supplemental training is called for take the opportunity to provide it. In short, do not be afraid of the results and use Paul McNulty’s maxims of “what did you find” and “what did you do about it”. After you have completed the FCPA audit, what steps should you take? This post will explore some of the issues related the evaluation and response.

Evaluate – The Triage Committee

Initially you must evaluate the results of your testing. If a significant issue has arisen, such as a possible violation of the FCPA or other serious infraction of your compliance program, you should carve this issue out and refer it to the appropriate group within the company. In the Johnson & Johnson Deferred Prosecution Agreement (DPA) Attachment D – Enhanced Compliance Obligations is the concept of a compliance oversight committee, which is termed as the “Sensitive Issue Triage Committee” whose responsibility is to review and respond to any FCPA issues that may arise. This Triage Committee can be a valuable resource to refer such matters for further investigation. If your company does not yet have such a committee, this referral can be made to the Legal or Compliance department, who can initiate a more formal or detailed investigation. You may also wish to bring in specialized outside investigation counsel, early on, to assist with the evaluation and investigation of any such significant issues.

After carving out the significant issues that require immediate and/or further investigation, you should review the overall results. You will need to bring together the relevant audit team members you have used. This should have included the compliance, legal and internal audit or other financial controls team members to review the overall effectiveness of your internal controls, including the books and records review. All interviews should be summarized and analyzed. If deficiencies were found, you should determine if additional or more focused training is warranted.

Response Plan

After your evaluation is complete, you need to prepare a detailed Response Plan, including the detail of how you intend to implement the proposed responses. Here we would suggest that all corrective and preventive action plans be closed within 90 days of completion of the audit. The goal is to drive each region or business unit audited to adhere with your company’s compliance program, as we believe that this provides the best path to positive change over the long term.

You should set out the time frame to accomplish the tasks which may need remediation. There should be specific assignments of responsibility made to handle the designated tasks. If required or called for you should have interim progress made on the tasks assigned. Finally, there should be a final report on the results of your implementation plan.

Discipline

An ongoing question in this phase is whether or not to administer discipline. Some feel that if discipline is administered as a result of audit findings, the result will be less than forthcoming cooperation in the next round of audits and assessments. However, I am a firm believer that if disciplinary action is warranted it needs to be applied consistently. This means that if information was received in any manner other than under an amnesty program and discipline is warranted, you should discipline employees for compliance violations just as you would if the information came in through a mechanism other than an audit. As with any corporate discipline, it should be administered fairly, in accordance with company policy. One thing to keep in mind is that discipline must be meted out consistently, across the company on a world- wide basis, for example if you terminate employees in South America for intentional misrepresentations on travel and entertainment accounts, you must do the same for US employees.

Disclosure

The final question we will explore is who should get the report? There is usually dynamic tension between the Legal Department, which desires to restrict access, and the Compliance group, which believes it can be used as a teaching tool from which to learn valuable lessons. Initially, the Final Report should be reviewed and approved by all Triage or compliance oversight committee members as it should be sent to the Company’s Board of Directors or Audit Committee. You will also need to share the full report with the local management of the region or business unit which was audited. Any individuals who receive discipline, sanctions, or any type of counseling for issues that were uncovered by the audit should also receive the report portions which relate to them.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Conducting Pre-Acquisition FCPA Due Diligence

There are several recent examples where companies, bought both businesses and there pre-existing violations of the Foreign Corrupt Practices Act (FCPA), in large part because the acquiring companies failed to perform sufficient FCPA due diligence it the overall pre-acquisition due diligence. These examples include the Alliance One matter resolved this past summer with a $4.2 million fine for pre-acquisition conduct and $10 million in profit disgorgement. There was also the $240 million fine levied against Saipem for conduct of an acquired subsidiary of ENI, Snamprogetti, where the conduct at issue occurred over 2 years prior to the acquisition. One of the strongest examples is that of eLandia International Inc., which acquired Latin Node Inc., in 2007. Thereafter, it discovered potential FCPA violations, which it self-reported to the DOJ. As reported in the FCPA Blog, in addition to a $2 million fine, eLandia also disclosed that its purchase price for Latin Node “was approximately $20.6 million in excess of the fair value of the net assets” mostly due to the cost of the FCPA investigation, the resulting fines and penalties to which it may be subject, the termination of Latin Node’s senior management and the resultant loss of business. eLandia eventually wrote off the entire investment by placing Latin Node into bankruptcy and shuttering the acquisition.

There are several steps that a company should take when performing pre-acquisition FCPA due diligence. Yesterday at the Hanson Wade FCPA conference in Houston, some of these steps were discussed. While these steps are not an exhaustive list, they do provide a company with some guidance on specific issues to investigate to protect themselves from buying not only a new company but a FCPA enforcement action. These steps include:

1. Charity Begins at Home. Review high risk geographic areas where your company and the target do business. If there is overlap, seek out your own sales and operational people and ask them what compliance issues are prevalent in those geographic areas. If there are compliance issues that your company faces, then the target probably faces them as well.
2. Get Sales Lists. Obtain from the target a detailed list of sales going back 3-5 years, broken out by country. If you can obtain a further breakdown by product or services get that as well. You do not need to investigate de minimis sales amounts but focus your FCPA due diligence inquiry on high sales volumes in high risk countries.
3. Get List of Foreign Business Representatives. If the target uses a sales model of third parties, obtain a complete list, including JVs. It should be broken out by country and amount of commission paid. Review all underlying due diligence on these foreign business representatives, their contracts and how they were managed after the contract was executed. But your focus should be on large commissions in high risk countries.
4. Talk. You will need to speak to the target company personnel who are responsible for its compliance program to garner a full understanding of how they view their compliance program.
5. T&E Records. You will to review the travel and entertainment records of the target’s top sales personnel in high risk countries. You should retain a forensic auditing firm to assist you with this effort. Use the resources of your own company personnel to find out what is reasonable for travel and entertainment in the same high risk countries which your company does business.
6. Disclosure. While always an issue fraught with numerous considerations, there may be others in the M&A context such as any statutory obligations to disclose violations of  any anti-bribery or anti-corruption laws in the jurisdiction(s) in question; what effect will disclosure have on the target’s value or the purchase price that your company is willing to offer.
7. Compliance Convergence. While you are performing the FCPA due diligence, you should also review issues for anti-money laundering and export control issues.

While not discussed in the presentation, we also believe that after the due diligence is completed, and if the transaction moves forward, the acquiring company should attempt to protect itself through the most robust contract provisions that it can obtain, these would include indemnification against possible FCPA violations, including both payment of all investigative costs and any assessed penalties. An acquiring company should also include reps and warranties that the entire target company uses for participation in transactions as permitted under local law; there is an absence of government owners in company; and that the target company has made no corrupt payments to foreign officials. Lastly, there must be a rep that all the books and records presented to the acquiring company for review were complete and accurate.

The clear trend in FCPA enforcement is an increased and aggressive level of enforcement activity under the both the DOJ and Securities and Exchange Commission. Businesses must be particularly heedful in the engaging in the mergers and acquisitions process, whether acquiring other companies or being acquired. Due diligence in these situations is critical and must encompass the full range of FCPA compliance issues.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

 

© Thomas R. Fox, 2011

Documentation Can Provide Credibility in a FCPA Investigation

I am privileged to speak across the country on current Foreign Corrupt Practices Act (FCPA) best practices with Stephen Martin, General Counsel of Corpedia. The FCPA Tour is sponsored by World-Check. For those of you who do not know Stephen Martin, he is a former prosecutor in the Department of Justice (DOJ) and has worked at some of America’s largest corporations while handling significant compliance matters. This background allows him to bring a substantial white collar prosecution and defense perspective to our presentations as I have only practiced on the civil side.

All companies which come before the DOJ when an incident or investigation arises claim that they have the best compliance program that they can afford in place. However, if a company cannot demonstrate the ‘robustness’ of its program it might as well be for naught. I have written several posts on three of the most important components of a FCPA best practices compliance program; which are: documentation, documentation and documentation. I believe that it is true that the only manner in which to gage the overall effectiveness of your compliance program is through documentation. Put another way, if you don’t document it, you cannot measure it and if you cannot measure it, you cannot refine it. Nevertheless, there is one more important aspect to documentation. It is through the access of this documentation that a company put forward support that its compliance program is robust.

One of the points which Stephen emphasizes is that when dealing with prosecutors, whether from the DOJ; Securities and Exchange Commission (SEC) or state prosecutors, you and your company’s credibility are paramount. This means more than simply self-disclosure and cooperation. Stephen drives home this point when discussing your company’s documentation of its compliance program. In addition to your documentation, documentation, documentation; your company must be able to access your documentation and then be able to produce it in a reasonable time upon request. This means that if it takes your company four weeks to produce a list of agents, distributors and other sales representatives; you will lose credibility with a DOJ prosecutor because the lengthy time it takes to round up such information is a clear sign that a company does not have robust books and records.

Whether your company is a multi-billion dollar entity or one with $250 million annual sales, you must be able to access the documentation of your FCPA compliance system. It certainly helps if your database is computerized and you can access it via several different search parameters. However, if your company keeps all its agents, distributors and sales agent due diligence in a binder, tabbed and indexed on a shelf of the office of the General Counsel or Chief Compliance Officer, that should enable you to quickly and efficiently produce the information. As I have heard Mike Volkov say, “companies are usually not penalized under the FCPA for the quality of their due diligence but for the lack of doing any due diligence.” So if you can produce your results you will go quite a long way towards establishing credibility with a DOJ prosecutor.

============================================================================================

I am speaking at the upcoming webinars and World-Check FCPA Road Show events:

I. Webinars
Thursday, April 28 at 12 EDT, I am co-hosting a webinar with Mary Shaddock Jones, Assistant General Counsel and Director of Compliance at Global Industries, Ltd., on “Current FCPA Compliance Program Best Practices: Lessons Learned from Recent DPAs”. For information and registration details click here.
Thursday May 12 at 11 AM EDT, I am a co-panelist with Scott Moritz, Managing Director of Navigant, on a webinar hosted by Dow Jones, entitled, “Risk Assessment: The First Step in Any Compliance Program”. For information and registration details click here.

II. World-Check FCPA Road Shows
Co-presenting with Stephen Martin, General Counsel of Corpedia, on “Anti-Corruption/FCPA Developments & Best Practices”
Tuesday, May 3 from 8-10 AM PDT at McCormick & Schmick’s Seafood Restaurant, in Phoenix, AZ. For information and registration details click here.
Wednesday, May 4 from 8-10 AM PDT at San Diego Marriott Del Mar: Santa Fe Ballroom, in San Diego, CA. For information and registration details click here.

I hope you can attend the webinars, and if you are in Phoenix or San Diego, come out to hear and meet to myself and Stephen Martin.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.
© Thomas R. Fox, 2011

National Electric Company Covered by the FCPA

On April 20, 2011 the District Court released its written decision on the defendant’s Motion to Dismiss in the Lindsey Manufacturing case. The FCPA Professor reported on the decision last week and discussed the seemingly unusual request made by the Department of Justice. This request was that the DOJ asked the Court to take judicial notice that the Mexican entity “CFE is a decentralized public entity, not a corporation.” The trial court termed this request “astounding” and declined this request.

Our focus will be on the trial court’s finding that the Mexican entity CFE was an “instrumentality” as defined under the Foreign Corrupt Practices Act (FCPA). The trial court rejected the defendants’ contention that an “instrumentality” under the FCPA must share all the characteristics of a foreign government department or agency. The trial court further rejected the defendants’ contention that “instrumentality” must be defined as to what consistent with department and agency. The trial court held that since “instrumentality” is a different word; it is logical to assume that it means something other than department or agency.

The trial court did provide a non-exclusive list of factors which could determine if an entity is an “instrumentality” under the FCPA. They are:

• The entity provides a service to the citizens – indeed, in many cases to all the inhabitants – of the jurisdiction.
• The key officers and directors of the entity are, or are appointed by, government officials.
• The entity is financed, at least in large measure, through governmental appropriations or through revenues obtained as a result of government-mandated taxes, licenses, fees or royalties, such as entrance fees to a national park.
• The entity is vested with and exercises exclusive or controlling power to administer its designated functions.
• The entity is widely perceived and understood to be performing official (i.e., governmental) functions.

After listing out these factors the trial court found that CFE had all of these characteristics. CFE was created by Mexican statute as a “decentralized public entity”. The governing Board is comprised of high level Mexican government officials. CFE describes itself as a governmental agency. CFE performs a function, the supply of electricity, which is enshrined in the Mexican Constitution as “exclusively a function of the general nation”.

The trial court’s ruling does seem logical. Although the District Court in the Lindsey Manufacturing case is the first to rule on this issue, the CCI case was the first case where a similar Motion to Dismiss was filed. As the state owned entities in the CCI case are not the CFE there may be a different District Court ruling. We eagerly await the outcome of that Motion to Dismiss.

For a copy of the District Court’s ruling, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Listen to Create a Compliance Charter

In an article entitled “Learning to Work with Green Activists” published in this month’s Harvard Business Review, Chairman, President and Chief Executive Officer (CEO) of Duke Energy, James E. Rogers, writes about his experiences early in his tenure where he embarked on “100 Days of Listening” during the first few months on the job. His initial idea was to meet with as many company stakeholders as he could before taking substantive action in his new position as CEO to Public Service Indiana (PSI), the predecessor of Duke Energy. After some consideration and (apparent) gnashing of corporate teeth, he decided to add a group to this list which was not traditionally viewed as a group of PSI stakeholders – environmental activists. The results from this last decision have an interesting application to the maintenance of a corporate compliance program.

From listening to these various environmental groups, Rogers decided that PSI needed to integrate environmental risks into the company’s decision making calculus. To facilitate that effort Rogers decided to create an environmental charter. This ten-point charter has been used as a guidepost when PSI, and now Duke Energy, approaches environmental issues. We reviewed this environmental charter and believe that it is a very useful approach for a company to take in the area of compliance, so with a tip of the hat towards Rogers’ work at PSI and Duke Energy, we use it as the basis of a Compliance Charter for today’s post.

1. Incorporate compliance risk and assessment into your company’s overall planning process.
2. Compare and consider the compliance consequences of choosing certain suppliers and contractors when purchasing supplies or services.
3. Maintain and enhance internal procedures for both routine and emergency compliance issues which may arise; periodically conduct formal reviews and report the results to the Board of Directors.
4. Educate all company employees on the importance of not only their own personal compliance conduct, but that of the overall company as well.
5. Make compliance responsibility and innovation a guideline for measuring employee performance.
6. Make available to employees, suppliers and customers the company’s compliance program and its lessons learned.
7. Use technology to leverage individual behavior in the area of compliance.
8. Pursue methods to prevent, detect and deter violations of your company’s compliance program.
9. Promote sound compliance practices within your industry.
10. Maintain open and constructive relationships with others in the compliance field and business regulators in countries where you do business.

We hope that this list will provide you with some ideas that you can incorporate into your compliance program. But more importantly we hope that Rogers’ experiences will remind you that a key part of any successful corporate program is listening.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Want to hear more from Thomas Fox, add these webinars and World-Check FCPA Road Show events to your calendar:

I. Webinars

1. Thursday, April 28 at 12 EDT, I am co-hosting a webinar with Mary Shaddock Jones, Assistant General Counsel and Director of Compliance at Global Industries, Ltd., on “Current FCPA Compliance Program Best Practices: Lessons Learned from Recent DPAs”.  For information and registration details click here.
2. Thursday May 12 at 11 AM EDT, I am a co-panelist with Scott Moritz, Managing Director of Navigant, on a webinar hosted by Dow Jones, entitled, “Risk Assessment: The First Step in Any Compliance Program”.  For information and registration details click here.

II. World-Check FCPA Road Shows.

Co-presenting with Stephen Martin, General Counsel of Corpedia, on “Anti-Corruption/FCPA Developments & Best Practices”

1. Tuesday, May 3 from 8-10 AM PDT at McCormick & Schmick’s Seafood Restaurant, in Phoenix, AZ. For information and registration details click here.
2. Wednesday, May 4 from 8-10 AM PDT at San Diego Marriott Del Mar: Santa Fe Ballroom, in San Diego, CA.  For information and registration details click here.

I hope you can attend the webinars, and if you are in Phoenix or San Diego, come out to ‘listen’ to myself and Stephen Martin.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Fancy a Brew? Internal Controls under the UK Bribery Act

My colleague Henry Mixon of Mixon Consulting has an interesting observation regarding internal controls under the UK Bribery Act. Unlike the Foreign Corrupt Practices Act (FCPA), the Bribery Act does not have a books and records component written into the law. However, even without this books and records component, robust internal controls may be more important under for the reason that they must be present and functioning if a company is to assert an “Adequate Procedures” defense available under the Act.

Buried within “Principle Five of the Guidance” is the requirement that (a) a company has appropriate financial controls to prevent and detect violation of anti-bribery policies; and (b) that these financial controls be communicated to both employees and relevant third parties. With this total lack of ‘guidance’ for companies subject to the Bribery Act to fall back upon, we believe companies can look to internal controls developed for the FCPA for some guidance. However, the internal controls put in place for the Bribery Act will need to address the specifics of that the Bribery Act. Clearly the two major differences will be lack of distinction between public officials and the jurisdictional nature of the Bribery Act will require a company’s internal controls to be global in scope.

I.                The Four Cornerstones

We have previously set out the four cornerstones of any internal controls regime, and just to refresh they are as follows:

• Transactions are properly authorized;
• Transactions are accurately recorded;
• Accountability for assets is maintained; and
• Unauthorized access to assets is prevented.

As we have also made clear, in prior posts, three key components are: Documentation, Documentation and Documentation. There must be written policies and procedures which are clear, assessable and enforced, however policies alone are not sufficient. There must be evidence of standards for the performance of internal controls; there should also be ongoing monitoring and auditing to ensure that they continue to function effectively.

II.             Infrastructure

Internal control infrastructure should be evaluated and enhanced if needed. This would include the tracking of gifts, entertainment, hospitality and promotional considerations. A similar requirement is found for travel. Any payments to high risk parties or in high risk countries should not only be evaluated with internal controls but elevated for approval to an appropriate level of management for visibility, a delegation of authority issue. All of these considerations need to include an expanded emphasis under the Bribery Act, due to the  lack of distinction of public officials and private actors, so all transactions need to have this level of review.

III.           Beyond the FCPA

Other additional considerations or expanded considerations which a FCPA only based internal controls system may need under the Bribery Act are a mechanism to deal with a company’s interaction with a US governmental official. As the Bribery Act makes illegal the acceptance of a bribe, controls will be needed to cover and document this aspect. Lastly, there should be overall documentation of the company’s compliance program to provide proof of ‘Adequate Procedures’ so that a defense is available under the Bribery Act.

IV.            Some Suggestions

A suggested approach to evaluate your company’s internal controls under the Bribery Act would include an initial bribery-related risk assessment to include:

• Location-specific risks;
• Transaction-specific risks;
• Process-specific risks;
• Inherent risks of your industry; and
• Inherent risks due to the way your company does business.

Thereafter, the following should be considered:

• Gap analysis, including deficiencies in documentation of the performance of controls;
• A controls remediation plan, proportionate to identified risks, gap analysis, and the nature of your business operations;
• An internal controls training plan, including training for Delegation of Authority approvers, persons involved in business development, accounts payable clerks, and others;
• An internal controls monitoring plan;
• Address proof of “adequate procedures”;
• Expand the scope of third party risk assessment (not just foreign public officials and those who interact with them);
• Address risk of requesting/receiving a bribe; and
• Consider anti-bribery controls in the US.

As recently reported in the Wall Street Journal, an astonishing 73% of more than 1,000 business professionals polled by Deloitte Financial Advisory Services LLP said they were not familiar with the provisions of the Bribery Act. With an upcoming implementation date of July 1, 2011, we can only hope that these companies will wake up and smell the [Bribery Act] coffee, or tea, for our English followers.

Henry Mixon is the Principle of Mixon Consulting and can be reached via email at hmixon@mixon-consulting.com. 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Testing your FCPA Compliance Program

One of the areas which has received considerable attention in the compliance world over the past six months is that of assessment. Today, we would like to focus on a smaller facet of assessment which we considered when reading a recent article in the Harvard Business Review, entitled  “Failing By Design” by Columbia Business School Professor Rita Gunther McGrath. Professor McGrath’s article focuses on trials in the business world to experiment on  how companies can learn from errors. She advocates that with a properly managed system, companies can learn through failure. She cites to the term of “intelligent failure” which she believes can help companies evolve.

This idea of learning from failure struck me as a useful lesson in how a company might test  the effectiveness of the components of its compliance system. One area that would seem to be ripe for testing is to set up a test for reporting a compliance violation or incident, either through a company’s hotline or other reporting mechanism. McGrath advocates four principles of intelligent failure.

• Decide what you are trying to do and be specific.
• Be explicit about the assumptions you’re making and have a plan for testing them.
• Design the initiative in small chunks so that your team can learn quickly.
• Create a culture that share, forgives and uses failure as positive learning tool.

Based upon these four principles McGrath then lays out seven tenets which she believes “can help your organization leverage from failure.” We adapt them here for the testing of your compliance program.

1. Decide what success and failure would look like prior to launch. Define what will constitute success, or failure from your test.
2. Convert assumptions into knowledge. Record your assumptions before you begin the testing so that everyone assessing the overall effectiveness will understand the basis of the actions and steps taken throughout the process.
3. Be quick about it, act fast. Here a company needs to understand that if a problem arises, it should be dealt with sooner, rather than later.
4. Contain the downside risk-fail cheaply. This is a direct benefit of testing your compliance program. If you determine that there is a flaw, it can be resolved much more inexpensively if it is discovered early.
5. Limit the uncertainty in your testing. A company needs to sufficiently define the testing so that it can understand, digest and then remedy, if necessary, the results.
6. Build a culture that celebrates intelligent failure. A company has to create a culture which allows the lessons of testing to be learned in a positive manner. If there is a failure discovered through testing, learn from it, do not punish based upon it.
7. Document and share what you learn from the testing. A company needs to share the results of the testing with the appropriate group involved.

All of this would come into play in the testing of the reporting component of a compliance program. You can provide an anonymous tip to your company hotline and determine what the response is at every level, both from the compliance department and other relevant groups, in the organization. From such a start, you can have the relevant players develop an investigation protocol which they would follow. To whom and what notifications should you make and at what point in the testing? All of these questions can be evaluated if you not only perform such a test but learn from it, without pointing fingers of blame. Here it is important to remember that one should “report facts, not assess blame” if company is to learn from any failure or testing.

A few years ago I heard Paul McNutly speak to a group of General Counsel after he had left the position as former United States Deputy Attorney General and was beginning his life in private practice. He gave his perspective on the three general areas of inquiry the Department of Justice (DOJ) would assess regarding an enforcement action. First: “What did you do to stay out of trouble? Second: “What did you do when you found out?” and Third: “What remedial action did you take?” By testing your compliance program and learning from any failures your company can go a long way towards satisfying points two and three.

The key to this testing is not to be afraid of the results. If there are components which need to be enhanced, you will have the opportunity to do so. If additional or supplemental training is called for; then take the opportunity to provide. In short, do not be a afraid of the results and use Paul McNulty’s maxims of “what did you find” and “what did you do about it”.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Is Debarment a Viable FCPA Enforcement Option?

In a provocative law review article entitled “FCPA Sanctions: Too Big to Debar?” South Texas College of Law student Nicholas Wagoner and Professor Drury Stevenson, posit the question: “Are certain private contractors too big to debar?” Their conclusion is “It appears so.” In the article’s abstract it goes on to state:

The federal government is too dependent on a particular set of large, private-sector corporations for equipment and services. In addition to the virtual immunity from debarment enjoyed by these firms when they violate the FCPA, the fines imposed for engaging in foreign corrupt practices comprise a tiny fraction of the potential revenue generated by lucrative contracts with the U.S. and foreign states. When discounted by the low probability of detection, these sanctions are far too low to deter unlawful activity.

Pretty strong stuff.

The article goes on to further  opine that under the current Department of Justice (DOJ) and Securities and Exchange Commission (SEC) policy of corporate sanctions via fines and penalties it actually offers “little deterrence value in the corporate setting” because corporation’s are legal fictions with “no soul to damn and no body to kick.”  The authors argue that corporations view fines and penalties as simply “a cost of doing business” because the risk of losing profitable business outweighs “the cost of getting caught.” Even if a corporation pays a large fine and penalty for a Foreign Corrupt Practices Act (FCPA) violation the fact that the US government would continue to do business with it sends a message that such conduct is “excusable” as long as the company that is caught “can buy its way out of the criminal liability.” The authors’ end this section by noting that they believe the prosecutorial levying of fines and penalties is an invitation for “prosecutorial abuse” due to the large amounts of money involved.

One solution raised by the authors for the issues regarding fines and penalties for companies which violate the FCPA, is debarment and suspension. They urge that debarment would be a significant deterrent for US government contractors and would “increase compliance with the FCPA.”  The authors also suggest that the threat of debarment as a penalty would increase self-disclosure without any increased enforcement efforts if company’s received the “meaningful reward” of a lesser penalty through self-disclosure.

However, just as quickly as the authors suggest the solution, they list several reasons that debarment has not worked in the past. These include issues raised in the abstract cited above, that certain contractors have simply too large a business relationship with the US government to be debarred and that due to the loss of governmental revenues debarment would be “a virtual death knell for the contractor-company.” (Cue the Arthur Andersen theme here.) They also raise other issues including something they entitle “Prosecutorial Finger Pointing” which they seem to define as the DOJ having some reluctance to debar companies and that the DOJ’s testimony at last fall’s Senate hearing that debarments would have low deterrent effect but it might well decrease voluntary disclosures.

The authors also list what they call “Collateral Consequences” of debarment. These include the aforementioned Arthur Andersen, loss of US government flexibility in its contracting process by the removal of contractors through debarment, injured diplomatic relations with foreign allies, threats to national security from the removal of key contractors, risks that debarred companies would miss out on economic opportunities, disproportionate harm to shareholders and other political risks.

The authors conclude by noting that fines and penalties are but one method of FCPA enforcement. They argue that debarment can be a “potent deterrence” and end their article by proposing that a two year debarment for firms caught bribing foreign governmental official in violation of the FCPA would present “remarkable opportunity costs” and would help to foster overall FCPA compliance.

We began this posting by stating this article is “provocative” and we hope that you gleaned some flavor of it. We urge you to read the entire article to fully explore the author’s views. Certainly the article is useful in continuing the FCPA debate on both the appropriate incentives for enforcement, coupled with the appropriate fines and penalties for those companies which violate the Act. We believe the increase in enforcement over the past five years, for both companies and individuals, provides proper incentive for US companies to comply with US law. While we disagree with some of the points set out by the authors in their article, we do believe that debarment as a possible remedy or sanction is one which should be considered as a tool which the DOJ can use in its overall FCPA enforcement efforts. We applaud the authors for their valuable contribution.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

The Role of FCPA Compliance in Contractual Responsibilities

We often discuss the impact of the Foreign Corrupt Practices Act (FCPA) on companies in relation to their third parties. Topics can include due diligence of third parties, contracting terms and conditions, and management of these relationships. However, just as all US companies are subject to the FCPA and therefore are required to implement compliance programs which meet the strictures of the FCPA, many non-US companies are required to have compliance programs in place to meet contractual requirements.

We considered the relationship of these non-US companies when we recently read the article “Compliance Programs Redefined: Elevating Contractual Responsibilities to Their Proper Place” by Steven Lauer, published in CCH, Corporate Governance Guide, Issue 551, March 21, 2011. Indeed when reviewing or discussing FCPA compliance programs, one part of the discussion which is often overlooking by US companies is their own contractual obligations to have such a program in place. Lauer posits that a “compliance program offers a company…a truly positive benefit” in relation to its counter-parties. While his article is not specifically FCPA focused, we found it to be an excellent perspective for companies to consider their overall compliance program.

Lauer believes that there are two general forms of contracting compliance. The first is process and the second is substantive. Process compliance encompasses all events leading up to contract execution. Substantive compliance comes into play after execution when parties are obligated to honor their respective contractual commitments.

An example of process compliance is where one contract may require a company to violate the terms and conditions of a previously executed agreement. Lauer gives the example of a company which enters into a foreign joint venture and pledges certain physical assets but the same company has previously agreed with a lender not to limit the lender’s right to encumber any company assets. A more recent example has been with BP and its attempts to enter into a business relationship with Rosneft. BP’s joint venture partners from TNK-BP, claimed that such agreement violated the terms of their joint venture agreement and successfully sued to enjoin the action in the British courts.

Under the compliance terms and conditions of a Master Service Agreement or Master Construction Agreement, it is not usual for a Company to require a Contractor to make the same FCPA terms and conditions to all of the Contractor’s subcontractors who may perform work under the Master Agreement for the Company. Failure to do so by the Contractor would violate the FCPA compliance terms and conditions of the Master Agreement. This can be problematic for a contractor initially entering the international arena and may not have FCPA compliance program in place.

Lauer acknowledges that compliance with compliance terms and conditions in an agreement are a subset of obligations which a company has to outsiders. Such outsiders can include governmental authorities and lenders. However, contract requirements “may be the most specific and relevant on a day-to-day basis.” Therefore, from the substantive contract compliance prong, a company must ensure proper performance of its agreements and that individuals administering the agreement understand its obligations. Once again in the context of FCPA compliance, it may require a Contractor to require its subcontractors to have compliance program in place; require a Contractor to train its subcontractors employee’s on basic FCPA compliance; and to audit a subcontractor’s FCPA compliance component.

William Athanas has recently written an article advocating the proactive use of the results of a company’s FCPA compliance program, in his article “Demonstrating “Systemic Success” in FCPA Compliance: Identifying and Maintaining Evidence to Respond to Government Investigations . . . Before They Begin.” He makes clear that if your compliance program does not document its successes there is simply no evidence that it has succeeded. Just as this would be true in any Department of Justice investigation, it would be equally true if a Contractor is audited by its contracting counter-parties. So as always, the key is to document, document and document.

Lauer notes that an effective compliance department should not replicate other corporate functions; rather, it creates mechanisms that implement and then track the performance of those other units in respect of those activities regarding a company’s compliance with the various behavioral expectations that apply to its operations. Some of those expectations arise externally and others are created internally. FCPA compliance terms and conditions can arise from these external expectations.

Lauer ends by stating his belief that by creating an ongoing FCPA compliance-assurance mechanism a company can, among other things, strengthen its competitive posture and improve the overall ethical culture of an organization. Further these benefits will serve as more than simply a preventative; it will allow a compliance department to better realize its company’s business objective and continue the company’s revenue stream.

We believe that Lauer’s article points out some issues which are not often considered in regard to FCPA compliance. We hope his article will give you pause for thought on yet another role for your compliance department.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011