Do As I Say, Not as I Do: IMF and Ethics at the Top

In an article in Monday’s New York Times (NYT) entitled “At I.M.F, a Strict Ethics Code Doesn’t Apply to Top Officials”, Graham Bowley reported that there are two separate sets of ethics guidelines; one for the 2400 “rank-and-file staff and another for the 24 elite executive directors who oversee the powerful organization.” The article sets forth this dichotomy and is a very useful review for any company subject to the US Foreign Corrupt Practices Act (FCPA) or UK Bribery Act on what NOT to do regarding their anti-bribery and anti-corruption program.

I.                Tone at the Top

What precisely is the Tone at the Top of the IMF? From the article it is hard to determine. The article does note that there is a detailed staff code of conduct and a “plethora of policies and procedures” apparently related to anti-bribery and anti-corruption. It was reported that the staff code of conduct specifically states that a close personal relationship with a subordinate is a potential conflict of interest and must be reported. This requirement is not found in the Executive Board code of conduct. So while the Tone at the Middle and below may be strong and robust, it is not clear if such tone exists at the Top of the IMF.

II.             Who Does the Code of Conduct Apply to?

The article reported that the IMF’s Independent Evaluation Office carried out a study of the IMF’s ethics policies in 2007. The author of this study, Katrina Campbell, is quoted in the Times as saying “There are a lot of controls in place when it comes to staff, but not for the leadership.” Her study criticized the Board’s conduct as vague, noting that it “reads, for the most part, as a set of recommendations, rather than rules.” Further, the Board lacked effective enforcement procedures. So what are its rules and regulations for the staff and aspirations for the Board? Indeed it may be that the Managing Director of the IMF is even “ambiguous” in terms of this standard.

III.            Investigation of Board Members

The IMF code of conduct for the staff allows an ethics advisor to fully investigate any complaints of violations of the code of conduct, at least as it relates to the 2400 member staff. This is not true for the executive board. Any investigation of the board must be handled by an outside consultant who reports only to the Ethics Committee of the Board. While it may not be unusual for a Board to have an Ethics Subcommittee to direct such investigations or receive the reports from outside lawyers or other consultants, a 2007 internal IMF report said that the Ethics Committee had “never met to consider any issues other than its own procedures” and there is no record that it has met since that time. Bowley notes that such lack of meetings to consider any issues flies in the face of at least one complaint made to the IMF internal ethics hotline involving the conduct of a Board member, where it is not clear that this hotline report was even investigated.

If there is one thing that the Times article makes clear, it is that there must be one ethics and compliance standard for everyone in the company. There must be consistent treatment of all employees, whether in an investigation or in any discipline thereafter. If a complaint is made through a hotline report, whether anonymous or not, it must be thoroughly and fairly investigated. If your company is a UK or US company, anything less will put your company in very hot water with the US Department of Justice or UK Serious Fraud Office.

Of course you could just implement the adage, “always practice what you preach.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Observations on the FCPA Gun Sting Trial

Last week I was in Washington DC and had the opportunity to visit the Federal District Courthouse, where the first of the Gun Sting defendants currently in trial. Chris Matthews is reporting daily for MainJustice and although I think Chris is a great reporter, unfortunately I do not have a subscription to MainJustice so I cannot read what he has been writing about this trial. So the following are my observations are from sitting in the trial for a short time.

I am not going to reveal the name of the defendant which they were discussing at the time I sat in court but one of the federal Prosecutor’s was direct examining an FBI agent, who was an undercover operative in the sting operation, on some recorded conversation where he was present. The Prosecutor was proving up the transcripts of wiretaps and video recordings of the defendant in question. The direct examination was straight forward with the Prosecutor reading the transcript, then asking the FBI agent if he was present and if the FBI agent heard the defendant state the lines of transcript submitted and, if so, then requesting admission and publication to the jury. Riveting stuff or perhaps not.

My first observation is really that from my wife, who sat in with me. She is English and had never seen a US criminal trial live and in person. So her first reaction was something along the lines of “Is this it?” followed by “How does the jury stay awake?” It was immediately before lunch so that may have been one reason the jury was awake.

Needless to say I found it riveting. But I found it riveting for the same reason that my wife found it somewhat tedious. My explanation to her was that it was a slow, methodical presentation of the evidence. The Prosecution puts building block up after building block, in an inexorable march towards an impenetrable case based upon the admitted evidence. The simple act of reading line after line of conversations where the defendant either heard about requests to pay a bribe or actually agreed (or seemed to agree – not to supplant my opinion for the jury’s role as the trier of fact) to pay monies for a bribe. This seemed to me to be one of the trial tactics of the Federal Prosecutors Galleon insider trading case; that is, to build such a powerful case based upon the defendant’s own words, gesture or agreements that it simply cannot be explained away.

I understand that this was the prosecution’s case and it was direct testimony. The defense counsel is already going after the undercover FBI agent on cross-examination this week. Additionally the defendant has raised the defense of entrapment and other substantive and jurisdictional defenses. But the slow plodding forward by the prosecution of the defendant’s own words and actions may well have a powerful effect on the jury. My colleague Howard Sklar often says that if you have to raise jurisdictional defenses or claim that you were entrapped, you are already in a place you do not want to be in. He may well be right in this assertion.

Another strong impression that I had while watching this slow, steady march of evidence was how much of a game changer the Gun Sting case is for the Foreign Corrupt Practices Act (FCPA) world. Watching this direct examination was the direct result of using organized crime fighting techniques in a very mundane white collar case. My civil side clients need to be very aware of what is happening around them, both from any solicitations for bribes by any customers and any comments by competitors regarding such actions. While in the past such comments may have been laughed off, any competitor which makes any such comments must be taken very seriously and immediately denied and refuted by your sales team. Your company can simply not afford, literally or figuratively, to be caught up in any similar circumstances.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Engage and Education: A Different Model for a Compliance Risk Assessment

One of the panels I attended this week at Compliance Week 2011 was co-chaired by Andy Hinton, Chief Compliance Office (CCO) of Google, and Leonard Shen, CCO of PayPal. In this presentation Shen discussed an interesting manner in which to structure the risk assessment to encompass several different compliance tasks. This approach is not the right approach for every company but for those initiating their compliance journey, or a company considering a significant upgrade due to some systemic issue; this approach may be a more effective approach than the traditional risk assessment where a team of lawyers, CPAs and internal auditors assess a company’s compliance environment.

In a company which is initiating its compliance program, it can be perceived as a sea change of culture. However, Shen indicated that he had used an approached which worked to alleviate those types of concerns which also provided enough information to perform a robust assessment which could be used to form the basis of an effective compliance program. He termed this type of approach as one to “engage and educate.” While the approach had a two word name, it actually had three purposes; (1) to engage the employees in what would form the basis for an enhanced compliance program; (2) to educate the employees generally in compliance and ethical behavior; and (3) through the engagement of employees, to gather information which could be used to form the basis of a risk assessment.

A.    Engagement

Shen and his compliance team traveled to multiple company locations, across the globe, to meet with as many employees as possible. A large number these meetings were town hall settings, and key employee leaders, key stakeholders and employees identified as high risk, due to interaction with foreign governmental official touch-points, were met with individually or in smaller groups. Shen and his team listened to their compliance concerns and more importantly took their compliance ideas back to the home office.

From this engagement, the team received several thousand employee suggestions regarding enhancements to the company’s compliance program. After returning to the US, Shen and his team winnowed down this large number to a more manageable number, somewhere in the range of a couple of hundred. These formed the basis of a large core of the enhancements to the existing company compliance program.

After the enhanced compliance program was rolled out formal training began. During the training, the team was able to give specific examples of how employee input led to the changes in the enhanced program. This engaged the employees and made them feel like they were a part of, and had a vested interest in, the company’s compliance program. This employee engagement led to employee buy-in.

B.    Education

During the town hall meetings, and the smaller more informal group meetings, Shen and his team were doing more than simply listening, they were also training. However, the training was not on specific compliance provisions; it was more generally on overall ethics and how the employees could use compliance as a business tool. As pointed out by another speaker at Compliance Week 2011, most ethical standards of a company are not found in an existing compliance program, they are found in the general anti-discrimination guidelines and ethical business practices such anti-competitiveness and use of customer confidential information prohibitions. Often these general concepts can be found in a company’s overall Code of Conduct or similar statement of business ethics; workplace anti-discrimination and anti-harassment guidelines can be found in Human Resource policies and procedures. Concepts such as anti-competitiveness and use of customer and competitor’s illegally obtained confidential information may be found in anti-trust or other business practice focused guidelines.

Shen and his team’s aim on the education component of “Engage and Education” was to have the company employee’s start thinking about doing business the ethical way. It was ethical concept based training designed to be in contrast to a rules based approach, where employees believe they are taught the rules, and then try to see how close they can get to the line of violating the compliance rule without actually stepping over the line. Moreover, by having this general ethical business training, it laid the groundwork for the enhancement of the company’s compliance program and the training that would occur when the enhancement was rolled out.

C.    Risk Assessment

A third key component of the “Engage and Educate” program is the risk assessment component. Shen’s approach here was not the traditional control testing model, where documents are pulled and tested against a standard. Shen and his team listened, listened and listened. They listened to their employees concerns and they listened to the compliance issues they raised. As they were listening they began to ask questions about what was done and why. The questioning was not in an adversarial, interrogation mode but ferreting out the employees concerns while having the employees educate the team on the actual procedures that were used in several areas identified as key high risk areas.

Shen emphasized that this was an assessment and not an audit so no detailed forensic work was needed or used. However, by listening, and gently questioning, Shen and his team were able to garner enough information to create a risk assessment profile which informed and became the basis of their compliance program enhancement. Shen and his team did not identify to the company employees that they were engaged in a formal risk assessment. He believed that in many ways, he and his team were able to garner more useful information with which to inform their compliance program enhancement.

Shen’s “Engage and Educate” approach worked for his company at that point in time. It may not work for other companies as a traditional risk assessment but it does provide a different model if your company is beginning to create their compliance program, or is looking into a major enhancement. I recommend that you consider it.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Three Lines of Defense for FCPA Compliance: Lessons from a Holistic GRC Model

In a session at Compliance Week 2011 entitled, “Implementing a Compliance Program in a Global Business Using a Holistic GRC Model”, the speakers, John Farrell and James Littley, both of KPMG and Robert Brewer, Chief Compliance Officer of Office Depot presented a model to consider for a Foreign Corrupt Practices Act (FCPA) compliance system. Overall it was an excellent session and they presented an interesting concept for the FCPA compliance practitioner under the general rubric of “A Holistic GRC (GoveranceRiskCompliance) Model to Drive Compliance Programs Effectiveness –Three Lines of Defense.”

Their thesis was that a properly constructed compliance program, in any area, such as the FCPA, Export or Customs Control, Immigration Control or any similarly regulated area has three lines of defense to prevent a compliance incident. They identified the three lines of defense as (1) the Risk Content Owners line of defense; (2) the Risk Process Owners line of defense; and (3) the Risk Content and Content Monitoring Owners line of defense.

I.                Risk Content Owners

This first line of defense is the business owners who are on the front lines for any company. Their roles include management of day-to-day business risks and to recommend actions to manage and treat that risk. This group also is tasked with complying with the company’s risk management process. Where appropriate, this group will implement risk management processes where applicable and this group will execute risk assessments and identify emerging risk.

The key roles/responsibilities for this first line of defense are:

• The company’s Enterprise Risk Management (ERM) Steering Committee should be made up of Vice Presidents who manage risks daily in their individual departments and Business Units.

• Each ERM Heat Map risk is assigned to the Executive Committee members who are either most impacted by the risk or who have the most opportunity to influence the risk.

• The ERM Steering Committee and Executive Committee are responsible for prioritizing risks and identifying emerging risks.

• The Board of Directors is responsible for oversight of how well management is managing the risks of the company.

II.             Risk Process Owners

This second line of defense is typically the company legal department and compliance department. Not only are these the standard setters in an organization but they may also be charged with certain monitoring tasks. This group should establish policy and process for risk management. This group is the strategic link for a company in terms of risk. It should provide guidance and coordination among constituencies. It should identify enterprise trends, synergies, and opportunities for change. This group should also initiate change, integration, operationalization of new compliance best practices. Typically this group is the liaison between third line of defense and first line of defense. Lastly this group will oversee certain risk areas and in terms of certain enterprise objectives such as compliance with regulations such as FCPA, Export Control, etc.

The key roles/responsibilities for this second line of defense are:

•The ERM Manager should establish quarterly cross-functional meetings and reporting processes to drive regular discussion of risks at the Vice President and Executive levels.

•There should be a linkage of ERM to the Company’s Strategic Plan.

•There should be a linkage of ERM to Annual Audit Risk Assessment, development of the Audit Plan and resource to audit teams as they perform audits.

•The ERM Manager must keep abreast of current events, audit issues, SOX compliance, legal issues, loss prevention and data security issues and upcoming legislation in order to facilitate dialog on important topics at the ERM Steering Committee and Executive Committee.

III.           Risk Content and Monitoring Owners

This third and final line of defense is generally thought of as the Assurance Providers and consists of senior management, Internal Audit and up to the Board of Directors. Its roles include either working with or through senior management and/ or the company’s Board of Directors. This line of defense will is tasked to rationalize and systematize risk assessment and governance reporting so that it is not only transparent but useful and stored in a manner that can be retrieved if a regulator comes calling. It will provide oversight on risk management content/ processes, followed by second line of defense. Finally it will provide assurance that risk management processes are adequate and appropriate.

The key roles/responsibilities for this third line of defense are:

•All risk focused functions report up through the Chief Compliance Officer, therefore cooperation and leveraging of information between these groups must be robust. These functions include: Internal Audit, Loss Prevention, Enterprise Risk Management and Insurable Risk Management.

•The ERM Manager should aggregate & synthesize information gathered from across the organization and reports it up to the Executive Committee and the Audit Committee or Compliance Committee of the Board of Directors quarterly.

•Internal Audit should consider ERM risks related to each area under audit and tests mitigating controls when appropriate.

This tri-parte model is an excellent way for a company to not only think through how to design an overall GRC structure but an outline to assess how well it may be doing in any one specific compliance area such as the FCPA. The first line of defense should be driven down to the Business Unit level. This will allow, indeed require, the Business Unit to buy into the overall compliance program. The legal/compliance department is the key bridge that writes and leads implementation of the overall compliance training through training but also assesses whether the compliance program is effective and remains robust. The role of senior management is to provide overall leadership and deployment of resources throughout this entire process. We recommend that you consider integrating this type of analysis into your company or using it as an assessment tool.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Factors to Use in a Foreign Government Instrumentality Analysis under the FCPA

In a guest post on this Blogsite yesterday, my colleague Michael Volkov, criticized the two district courts which have passed on the question of whether a state owned enterprise (SOE) can be an “instrumentality thereof” under the Foreign Corrupt Practices Act (FCPA). The two cases were the Lindsey Manufacturing case and the Carson case. Volkov stated, “By deciding these cases using fact specific standards, the courts have failed to clarify this issue by adopting a more focused and simple inquiry.  Unfortunately, the courts have now obscured even more the application of the FCPA.” No doubt inspired by my “This Week in the FCPA” partner, Howard Sklar, I will take a contrarian view from Mike.

I.                The Defendants’ Claims

The issue was presented as starkly as possible to both courts. The defendants in both cases argued that employees of state-owned enterprises could never be ‘foreign officials’ under the FCPA. The defendants made five general arguments, which were

First, in the absence of an express definition, the Court must give the term its ordinary meaning as used in the statute. As used in the FCPA, the term “instrumentality” refers to a governmental unit or subdivision that is akin to a “department” or an “agency,” the two terms that precede it in the statute.

Second, the Government’s proposed interpretation would lead to absurd results. Among other things, if it were adopted, the Government’s definition would transform persons no one would consider to be foreign government employees – specifically citing the example of employees of the US company CITGO, because it is owned by the Venezuelan national oil company PDVSA.

Third, the extensive legislative history of the FCPA makes clear that Congress did not intend the statute to cover payments made to employees of state-owned business enterprises. Rather, the FCPA was aimed at preventing the special harm posed by the bribery of foreign government officials.

Fourth, as other statutes and proposed legislation make clear, Congress knows how to define the term “instrumentality” in terms of government ownership of a commercial enterprise where it desires to do so. But it did not do so in the FCPA.

Fifth, in construing statutes, courts should avoid interpretations resulting in unconstitutional vagueness. Adopting the Government’s amorphous and expansive interpretation of “instrumentality” here would result in exactly the type of unconstitutional vagueness that must be avoided.

But courts made quick and direct refutations of the defendants’ points 2-5. The major guidance provided by courts was in creating an inquiry to define the term instrumentality in response to defendants’ Point 1. We therefore turn to the respective courts holdings on what factors should go into an analysis to determine if a state-owned enterprise is a foreign government instrumentality under the FCPA.

II.             Court Ruling in Lindsey Manufacturing

The court in Lindsey Manufacturing responded to the defendants’ claims by pointing to various characteristics of foreign government ‘instrumentalities’ that would provide coverage under the FCPA. The court listed five non-exclusive factors:

• The entity provides a service to its citizens, in many cases to all the inhabitants of the country.
• The key officers and directors of the entity are government officials or are appointed by government officials.
• The entity is financed, at least in large measure, through governmental appropriations or through revenues obtained as a result of government-mandated taxes, licenses, fees or royalties, such as entrance fees to a national park.
• The entity is vested with and exercises exclusive or controlling power to administer its designated functions.
• The entity is widely perceived and understood to be performing official functions.

In Lindsey Manufacturing the foreign governmental entity at issue was the Mexican national electric company CFE. The trial court found that the entity had all of the characteristics listed in the five non-exclusive factors. It was created as a public entity; its governing Board consisted of high ranking government officials; CFE described itself as a government agency and it performed a function that the Mexican government itself said was a government function, the delivery of electricity. (I would also note that the US entity CITGO does not meet this test, so much for the absurd result prong.)

III.           The Carson Case

In the Carson case, the court denied the “foreign official” challenge ruling that “the question of whether state-owned companies qualify as instrumentalities under the FCPA is a question of fact.”  The court cited the following factual inquiries to determine whether a business entity constitutes a government instrumentality” including (1) The foreign state’s characterization of the entity and its employees; (2) The foreign state’s degree of control over the entity; (3) The purpose of the entity’s activities; (4) The entity’s obligations and privileges under the foreign state’s law, including whether the entity exercises exclusive or controlling power to administer its designated functions; (5) The circumstances surrounding the entity’s creation; and (6) The foreign state’s extent of ownership of the entity, including the level of financial support by the state (e.g., subsidies, special tax treatment, and loans). The Court specifically noted that the factors were non-exclusive and no single factor is dispositive. Later in its opinion the court added additional guidance with the following, “Admittedly, a mere monetary investment in a business by the government may not be sufficient to transform the entity into a government instrumentality. But when a monetary investment is combined with additional factors that objectively indicate that the entity is being used as an instrumentality to carry out governmental objectives, that business entity would qualify as a governmental instrumentality.” Lastly, as it is a factual inquiry, the question will go to the jury.

IV.            Conclusion

I do not find these factors set out by either court obscure or vague. I believe that both courts provided guidance to the compliance practitioner in the form of a guideline or checklist that can be used to determine if a counter-party has these characteristics of a foreign government instrumentality. In fact, these are factors (or ones similar as they are non-exclusive) that a compliance officer should have been using to make a determination of a counter-party’s status even before these cases came down the pike. With CFE, the decision seems very straight forward. In the Carson case, there were several entities which had employees to which bribes were paid. These entities included CNOOC, PetroChina, China Petroleum Material and Equipment Corp., National Petroleum Construction Corp., Dongfang Electric Corp., Gouohua Electric Power and Petronas. Some of these companies clearly meet the Carson test, some may take additional research. The moniker “Know Your Customer (KYC)” is one that is well known in marketing circles and should becoming equally as well known in the compliance arena.

Mike and I hope to post several point-counter-point blogs over the next couple of weeks setting out our respective positions on other issues. I hope that you will find them both enjoyable and informative.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Failing to Clarify: The Courts Try to Define “Foreign Official” in FCPA Cases

Ed. Note-today we have a guest post by our colleague Michael Volkov, noted FCPA specialist and partner in the firm of Mayer Brown LLP

The role of our courts is to define and uphold our laws.  Our Nation’s history is filled with important court decisions which have demonstrated the critical role that our Judicial Branch can play in American history – whether it was Marbury v. Madison, or Brown v. Board of Education, the courts are well equipped to be the “final arbiter of the law.”

Unfortunately, this summer we are watching as our courts are failing to step up and resolve an important controversy surrounding the scope of the FCPA.  At the heart of this controversy is the scope of the FCPA and how it applies, if at all, to state-owned or state-controlled private enterprises.

The FCPA defines the term as “any officer or employee of a foreign government or any department, agency or instrumentality thereof . . . or any person acting in an official capacity for or on behalf of any such government or department, agency or instrumentality.  Relying on this definition, the Justice Department  treats employees of state-owned or state-controlled entities as “foreign officials,” focusing on whether the entity is controlled by a foreign government.

In three separate cases, Lindsey Manufacturing, O’Shea and Carson, defendants filed motions to dismiss challenging the DOJ’s interpretation of “foreign official” under the FCPA.  Two of these cases have now been resolved and the Justice Department’s position has been upheld.  While doing so, the courts have launched separate fact-specific tests to “guide” actors in resolving how the law applies to state-owned enterprises.

In rejecting the defendant’s motion to dismiss in Lindsey Manufacturing, the court  found that CFE (the Mexican electric company) had “various characteristics of government agencies and departments,” such as: (1) it exclusively provides a service, the supply of energy, which the Mexican government recognized as an exclusive government function; (2) the key officers and directors are or are appointed by government officials; (3) it is financed largely through governmental appropriations; and (4) it was created by statute as a “decentralized public entity.”

In Carson, the court denied the “foreign official” challenge ruling that “the question of whether state-owned companies qualify as instrumentalities under the FCPA is a question of fact.”  The court cited the following factual inquiries to determine whether a business entity constitutes a government instrumentality” including (1) The foreign state’s characterization of the entity and its employees; (2) The foreign state’s degree of control over the entity; (3) The purpose of the entity’s activities; (4) The entity’s obligations and privileges under the foreign state’s law, including whether the entity exercises exclusive or controlling power to administer its designated functions; (5) The circumstances surrounding the entity’s creation; and (6) The foreign state’s extent of ownership of the entity, including the level of financial support by the state (e.g., subsidies, special tax treatment, and loans).

By deciding these cases using fact specific standards, the courts have failed to clarify this issue by adopting a more focused and simple inquiry.  Unfortunately, the courts have now obscured even more the application of the FCPA.

Aside from the defendants who lost their motions, the big losers are now compliance professionals who have to interpret and apply the law to their companies.  Out of an abundance of caution, companies will be forced to treat more and more entities as state-owned enterprises and their employees as “foreign officials” for purposes of the FCPA.  The result – higher compliance costs.

The courts have now given businesses even more ammunition to support lobbying efforts to amend the law and clarify the definition of “foreign official.”   Congress will listen; whether it will act remains to be seen.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The editor can be reached at tfox@tfoxlaw.com.

Jonathan Marks Tweets and Why You Should Be On Twitter

Yesterday my Fraud Examiner colleague Tracy Coenen posted a blog entitled, “Why I’m quitting Twitter (and you should too)”. My blog today will set forth the reasons why the compliance practitioner should refrain from quitting Twitter, actively participate and why the greater compliance world benefits from participation from experts like Tracy Coenen. So Tracy, do not quit!

Twitter is an excellent resource for anyone in the compliance community. It provides real time reporting and more importantly excellent resources for the compliance practitioner. AND BEST OF ALL IT IS FREE!

Why should you participate on Twitter? My experience is that it is one of the most efficient ways to get your name out in the field you practice. Whether it is law, forensic accounting, finance or selling flowers, it does not matter. The key is to stay focused on your area of specialty. If you tweet about where you are or that you are the Mayor of some such place it will not assist you professionally.

What did I do? I began my social media journey focusing on Twitter. Beginning in January, 2010, I reposted every tweet I could find on the Foreign Corrupt Practices Act (FCPA). I did not post original content because I was learning the Twitter ropes and was not sure what to do. I stayed focused on the area of the FCPA which led to me being named in February as one of the Top 15 “Must Follows” in the area of Securities Law (FCPA) by Bruce Carton, author of the Securities Docket Blog and his list was posted in Compliance Week.

I then decided to see if I could begin to send articles to different blogs and websites for posting. I always send an email introducing myself and they all come back with something along the lines of the following, “We know who are and thanks for re-tweeting our tweets.” To date they have all said yes to me sending in a contribution for consideration. So I was able to make a name for myself through Twitter. Of course I had to follow up with substantive content and perhaps I could have sent blind submissions but Twitter was the tool which introduced me to the wider compliance world.

How else can one use Twitter to meet and develop substantive business? In December 2010, I noticed a tweet by Jonathan Marks where he mentioned that he had developed a 13-step action plan for FCPA compliance programs. I thought that this was an interesting item but there was no link to the document or information, so I took the direct approach and Direct Messaged Jonathan, on Twitter, to ask if he would be willing to share with us the 13-step action plan, which he was willing to do.

I met Jonathan (virtually) through LinkedIn and his hosting of the LinkedIn group ‘Fraud Pentagon.’ Through his profile I was able to discover Jonathan’s interesting professional journey, he is the Partner In-Charge of the Fraud, Ethics and Anti-Corruption practice at Crowe Horwath and has worked with the US Attorney’s office, the FBI, the IRS Criminal Investigation Division and US Customs officials during his career. Jonathan has also served as the Chief Audit Executive at several public companies and is a Certified Public Accountant, Certified Fraud Examiner and is certified in financial forensics.

I spoke to Jonathan to find out how he developed this plan and he told me that from his meetings with clients, on the issue of compliance over the years, he wanted to develop a non-legalistic approach that he could easily convey to clients. After the interview and his sharing of his 13-step program I wrote a blog about the program by which a company could review its FCPA compliance program, assess where the program is in terms of best practices, and then use the same action plan as a guide for implementing some or all of the best practices.

The response to the blog posting was so great that Jonathan wrote a White Paper on his 13-step program which I assisted him with some of the drafting. All of this happened because he tweeted about his 13-step program. In other words, one little tweet led to all of the above.

How does all of this relate to Ms. Coenen and her pronouncement? I say to Tracy, do not stop tweeting – WE NEED YOU. One other reason to continue to participate in Twitter is the absolute wealth of information that is available to any chosen profession. However, I can speak only to the compliance world and in that world there is significant information available to all AT NO COST. If you are in a company on a budget, and who is not, you can obtain the best practices of FCPA compliance, Bribery Act compliance, fraud and forensic accounting compliance by participating on Twitter. Tracy’s tweets are substantive and if she retweets someone else’s tweets, I am confident that it is substantive as well.

Twitter is but one tool and to any professionals a quiver of tools it is a significant and useful tool (did I mention that it is FREE?) for both marketing and research. I do agree with Tracy that I cannot point to one client I have obtained exclusively from Twitter. It is always some combination of Twitter/LinkedIn/Blogging/Speaking/White Papers and word of mouth. But it is a significant tool and, in my opinion, a tool that you should not forsake.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Compliance Convergence: Export Control

Previously we have written about Compliance Convergence, which noted Compliance Expert Howard Sklar, the author of Open Air Blog, has termed as “the merging of control programs such as anti-bribery and anti-corruption, with anti-money laundering, and export control.”, in regard  to the Foreign Corrupt Practices Act (FCPA) and touched on briefly with regards to anti-money laundering laws and regulations. Today we will turn our attention to Howard’s third prong in Compliance Convergence, that of Export Control.

Generally speaking, a Company must comply with all applicable export control laws in the country of origin of the products including, in some instances, the components contained within the products and technologies they are exporting; and all applicable international sanctions that may not be directly addressed in national law (e.g., United Nations sanctions programs). Witness the recent sanctions entered into by the US, UN and EU regarding trade with Libya.

What are some of the lists that a company must check for each overseas transaction? They include the US Department of State’s International Traffic in Arms Regulations (ITAR), which control the export and re-export of military products and technologies. The ITAR site contains a list compiled by the State Department of parties who are barred by §127.7 of ITAR (22 CFR §127.7) from participating directly or indirectly in the export of defense articles, including technical data or in the furnishing of defense services for which a license or approval is required by ITAR.

The Bureau of Industry and Security (BIS) has two lists which a Company must review. These include 1) the Denied Persons List, which provides a list of individuals and entities that have been denied export privileges. Any dealings with a party on this list that would violate the terms of its denial order are prohibited; and 2) the Unverified List which provides a list of parties where BIS has been unable to verify the end use in prior transactions. The presence of a party on this list in a transaction is a “red flag” that should be resolved before proceeding.

The US Treasury Department, Office of Foreign Assets Control (OFAC) has regulations which may prohibit a transaction if a party one of these lists. These lists can include both the Specially Designated Nationals (SDN) list and the General Order 3 to Part 736 (page 9) which sets out the general order which imposes a license requirement for exports and re-exports of all items subject to the Export Administration Regulations (EAR) where the transaction involves a party named in the order.

Therefore, a company must ensure that the US government permits it to export (1) its goods; (2) to the buyer; (3) in a particular company. But more is required that simply checking the status of to whom a company might be selling directly to, even if such buyer is located in the US. Writing in the In-House Texas supplement to the March 7, 2011 edition of the Texas Laywer, Jackson Walker attorney Robert Soza, Jr. in an article entitled, “Establish an Effective Export-Compliance Program’ noted that “multiple US export-control requirements come into play if a company’s actions indicate that it knows that its goods will be exported abroad such as delivering a product to a US port.”

Soza goes on to write that the creation and implementation of an export control policy and program “minimizes the risk of non-compliance and may reduce penalties in the result of a violation.” He sets forth his guidelines of what an effective export control compliance program should include.

1.     Top and Middle Management Committee. The tone from management must support the company’s overall export control efforts.

2.     Continuous Risk Assessment. If a company does not currently have a compliance program, it should initiate an evaluation to determine if it has violated any US export controls laws or regulations in prior transactions.

3.     A written policy back up by a procedures manual. The policy should be spelled out in writing with the detailed procedures filled in on how to conduct an effective export control system.

4.     Ongoing training of employees. Training should be provided for all employees with international sales responsibilities, marketing, export and those involved with the hiring of foreign nationals. The training can be live or web-based. The training should be designed to provide employees with the keys which trigger day-to-day regulatory implications.

5.     Ongoing screening of employees, contractors, customers, products and transactions. There must mechanism through software or other methods for the continuous monitoring of these items and individuals. Simply checking any of the above once only provides a snapshot at the time the review was made. In this current compliance and enforcement environment such checks must be made on each transaction and more continually for employees, contractors, customers and products.

6.     Record Keeping (Document, Document, Document). If you do not keep records and document something you cannot measure it and if you cannot measure it you cannot improve. However, when dealing with the government, if you do not document it, you cannot prove it.

7.     Period Audits. After you have put your export control policy in place, your company should engage in an effective continuous export controls assessment and regular spot audits will help to ensure compliance.

8.     An internal program for the reporting of violations and appropriate mechanism for escalation of any export violations. In addition to some type of hotline for the reporting of any export control violations, your company should have a dedicated export control resource expert who can be available to answer question and generally provide assistance to those employees charged internally with export control.

9.     Appropriate corrective actions to hold employees accountable under a progressive disciplinary program and voluntary self-disclosure. A policy has no teeth if there are no repercussions to employees who violate the export control program. If there are violations, the government will expect to see discipline and training based on event.

(Any of this sounding familiar?)

Soza concluded his article by stating:
While it is often difficult to obtain senior management commitment to an export-compliance program [a company] simply cannot afford to sell their products and services internationally without such a program in place. Penalties for failure to comply with these requirements may result in the loss of export privileges, fines and imprisonment, not to mention damaging publicity.

We do not believe that we could have articulated it better. Compliance Convergence in these areas demonstrates that the ostrich days of a sticking your head in the sand regarding export controls are long gone. But just as convergence demonstrates the widening scope of compliance, we believe that it provides opportunities for cross-discipline compliance. Export control needs to talk to the FCPA compliance attorney and let them know the screening they perform on a regular basis. A company’s treasury or finance department needs to communicate its offshore payment policy regarding its prohibition of payment of any invoices in countries other than the home country of the payee or where the work was perform. There is an opportunity to learn from each of these disciplines so take advantage of the Compliance Convergence in your company.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

20 Questions Directors Should Ask about Compliance Committees

What are some of the questions that the Board of Directors should be asking? We posit that a large public company should have Compliance Sub-Committee of Board members. We list 20 questions below which reflect the oversight role of directors which includes asking senior management and themselves. The questions are not intended to be an exact checklist, but rather a way to provide insight and stimulate discussion on the topic of compliance. The questions provide directors with a basis for critically assessing the answers they get and digging deeper as necessary.

The comments summarize current thinking on the issues and the practices of leading organizations. Although the questions apply to most medium to large organizations, the answers will vary according to the size, complexity and sophistication of each individual organization.

Part I: Understanding the Role and Value of the Compliance Committee

1. What are the Compliance Committee’s responsibilities and what value does it bring to the board?

2. How can the Compliance Committee help the board enhance its relationship with management?

3. What is the role of the Compliance Committee?

Part II: Building an Effective Compliance Committee

4. What skill sets does the Compliance Committee require?

5. Who should sit on the Compliance Committee?

6. Who should chair the Compliance Committee?

Part III: Directed to the Board

7. What is the Compliance Committee’s role in building an effective compliance program within the company?

8. How can the Compliance Committee assess potential members and senior leaders of the company’s compliance program?

9. How long should directors serve on the Compliance Committee?

10. How can the Compliance Committee assist directors in retiring from the board?

Part IV: Enhancing the Board’s Performance Effectiveness

11. How can the Compliance Committee assist in director development?

12. How can the Compliance Committee help the board chair sharpen the board’s overll performance focus?

13. What is the Compliance Committee’s role in board evaluation and feedback?

14. What should the Compliance Committee do if a director is not performing or not interacting effectively with other directors?

15. Should the Compliance Committee have a role in chair succession?

16. How can the Compliance Committee help the board keep its mandates, policies and practices up-to-date?

Part V: Merging Roles of the Compliance Committees

17. How can the Compliance Committee enhance the board’s relationship with institutional shareholders and other stakeholders?

18. What is the Compliance Committee’s role in CCO succession?

19. What role can the Compliance Committee play in preparing for a crisis, such as the discovery of a sign of a significant compliance violation?

20. How can the Compliance Committee help the board in deciding CCO pay and bonus?

We hope these questions may lead to further discussions and debate on the role of the Board in a company’s overall compliance program. We invite any reader to comment on these and add their own questions which may lead to further dialogue and inquiry for a Board or Compliance Committee.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

The SAR Activity Review Report: Lessons for the FCPA Compliance Practitioner

Yesterday my colleague Howard Sklar and I recorded Episode 3 in our  This Week in the FCPA series, check out our video podcast. One of the items we discussed was the release of BSA Advisory Group’s recent publication “The SAR Activity Review, Trends Tips & Issues” Issue 19, In focus: Foreign Corruption. The publication is part of the continuing dialogue among financial institutions, law enforcement officials and regulatory agencies regarding Suspicious Activity Reports (SARs) and other BSA reporting requirements and, as indicated by the title, this issue focuses on foreign corruption. It is an excellent resource for the Foreign Corrupt Practices Act (FCPA) compliance practitioner to use regarding best practice tools for due diligence.

After a lengthy statistical review of the use of SARs and other tools the publication lists some of the specific steps a financial institution should use to combat foreign corruption. Broadly speaking, they are:

• Requiring banks to apply enhanced due diligence to bank accounts and transactions by Politically Exposed Persons (PEPs);
• Attuning financial institutions to assess and evaluate risk so that it can be more carefully managed; and
• Promoting transparency in all transactions.

Any of this sounding familiar?

The need for enhanced due diligence is so banks know when they are dealing with a foreign governmental official. This due diligence must include procedures “reasonably designed to detect and report transactions that may involve the proceeds of foreign corruption.” The publication provides the following list of inquiries which should be made.

• Identify the stakeholder and any beneficial owners;
• From this identification, determine the PEP status;
• Obtain employment information and evaluate for industry and sector risk of corruption;
• Review the stakeholder’s country of residence and evaluate for level of corruption;
• Check references;
• Obtain information on immediate family members to determine PEP status; and
• Make reasonable efforts to review public sources of information.

Although not couched in terms of the compliance lingo “Red Flag”, the report makes it clear that simply identifying a stakeholder as a PEP does not disqualify the candidate. It means that additional investigation must be performed. Therefore, if a PEP comes up in your FCPA compliance program due diligence investigation, as an owner of a Foreign Business Partner, additional investigation must be performed to determine the relationship of this governmental official, the transaction at issue, and any potentials for conflicts-of-interest or self-dealing.

The promotion of transparency requires actual knowledge of the parties who are involved in all transactions. In addition to identifying those owners and any beneficial parties as indicated above, care should be taken to identify any shell companies which a PEP might have ownership or interest in. The report terms this as “Corporate Transparency.” This is a critical analysis which companies should take as part of their overall due diligence effort.

The publication is a very useful tool and provides several case studies of how the SAR and related information are used. These case studies are written by financial institution representatives and law enforcement officials. They all provide very useful information for the FCPA compliance practitioner on how the financial industry is combating foreign government corruption and the application of those tools to a FCPA compliance program.

This publication also brings up the idea of “compliance convergence.” Howard Sklar has discussed this term in a wide range of issues but I define it as merging of control programs, such as anti-bribery and anti-corruption, with anti-money laundering and export control. If a Company does not know with whom it is doing business, any of these three areas can put a company at risk for various forms of illegal conduct. US financial institutions are required to have very robust anti-money laundering compliance programs in place. From the publication discussed herein, it appears many industries and industrial sectors could learn many lessons from their compliance practices.

——————————————————————————————————————————————————————

Interested in hearing more great insight on the current FCPA compliance program best practices. Join us at the following stops this week on the World Check FCPA Tour. (Days of events corrected from yesterday, dates remain correct.)

Thursday, May 19 from 8-10 AM PDT at the Renaissance Meadowlands Hotel, in Rutherford, NJ. For information and registration details click here.

Friday, May 20 from 8-10 AM PDT at Mayflower Renaissance Washington, DC, in Washington, DC. For information and registration details click here.

==========================================================================================

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011