FCPA Compliance and Ethics Blog

December 30, 2011

Top Ten 2011 Enforcement Actions-Corporate Division

As December is a time for reflection on the past twelve months, I have been considering the FCPA Enforcement Action year. I submit for your consideration my Top 10 FCPA Enforcement Actions for 2011 in the Corporate Division. Happy and Safe New Year to all and we will see you next week in 2012 with our list of Top FCPA issues from 2011.

1. Alcatel-Lucent ($137MM) or non-cooperation will cost you: the company lost between $10MM and $20MM in penalty reduction because its initial investigative counsel did not fully cooperate with the DOJ after self-disclosure.

2. AON ($16.2MM) (NPA) or it’s still not a good thing to send that foreign official to Disneyland: the worldwide insurer Aon was issued an NPA for setting up an “educational fund” which paid for travel and entertainment of Nicaraguan insurance officials and then not recording it properly.


3. Armor Holdings ($10.29MM) (NPA) or you can step back from the abyss: the company had 92 separate instances of disguising bribes yet was able to obtain an NPA through self-disclosure, cleaning house, remediation and implementing a best practices compliance program.

4. Bridgestone ($28MM) - don’t double down on an FCPA violation by adding Anti-Trust violations: the company was found to have engaged in both bribery of foreign officials and bid-rigging, using such corrupt acts in furtherance of the bid-rigging.

5. JGC ($218.8MM) - and then there were none: the final corporate conclusion of the infamous Bonny Island, Nigeria Bribery Scandal. JGC joins previously settled defendants Halliburton, Technip and Snamprogetti/ENI, bringing the total settlement amount to over $1.5 billion. Four of the top 6 FCPA settlements of all time came out of this enforcement action, and that does not even count the $147MM in disgorgement agreed to by Jeffrey Tesler.

6. Johnson and Johnson ($77MM) - enhanced compliance obligations, the new normal? Not only did J&J agree to implement a minimum best practices compliance program, it also agreed to “enhanced compliance obligations”.

7. Maxwell Technologies ($14.3MM) - start your day with a risk assessment: one of several cases where the DOJ specified some of the parameters of the risks you should assess to inform your compliance program. Further, the implementation or enhancement of any anti-corruption compliance program should occur after and not before you complete your risk assessment. (The same holds true for the UK Bribery Act.)

8. SciClone ($2.5MM to date) or the plaintiff’s bar finds compliance: not an enforcement action but the settlement of a shareholder derivative action during the pendency of an FCPA investigation, where the company agreed to implement a best practices compliance program. Settlement of the enforcement action is yet to come.

9. Tenaris ($8.9MM) or the SEC joins the DPA party: the first instance of the SEC entering into a Deferred Prosecution Agreement for the settlement of civil FCPA violations.

10. Watts Water ($3.7MM) or it is a good thing to keep up with the news: the company’s General Counsel read about an enforcement action involving a non-related company in a different industry but with the same sales model as his company and wondered if the same sales model might be an FCPA problem for his company. It was.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

December 29, 2011

Fruit, Teddy Bears, Checking Accounts and Compliance

Filed under: Anti-Money Laundering,compliance programs,Due Diligence,FCPA — tfoxlaw @ 1:48 am

I recently opened a new business checking account at my local bank. To open the account, I visited with the bank officer I have done business with over the past couple of years. She asked how my law practice was doing and then inquired into why I wanted to open up another checking account. After reviewing the corporate documentation and EIN that I brought along with me, she approved the new account. As we discussed my compliance practice she related that her bank has new procedures to screen for money laundering issues and one of the preliminary assessments is an interview with the bank officer who opens up each bank account. In other words, the process I had just gone through to open up my new checking account.

I was pondering the level of inquiry that my bank now uses in its Anti-Money Laundering (AML) program when I came across an article in the December 19, 2011 edition of the Los Angeles Times (LAT)  entitled “Cartels use legitimate trade to launder money, US and Mexico say” by Tracy Wilkinson and Ken Ellingwood. They described a process whereby teams of money launderers working for cartels use dollars to purchase a commodity from the US and then export the commodity to Mexico or Colombia. A key is that “Paperwork is generated that gives a patina of propriety” which means that drug money is given the appearance of legitimate proceeds from a legitimate commercial transaction. One Immigration and Customs official interviewed said, “It’s such a great scheme. You could hide dirty money in so much legitimate business, and they do. You can audit their books all day long and all you see is goods being imported and exported.”

The key is that the commodities being purchased are so innocuous that large bulk purchases will rarely, if ever, draw any official scrutiny. The goods purchased can be red tomatoes or bolts of cotton fabric. In either case, the commodity itself does not matter, as the simple fact of purchasing in the US, shipping into, and reselling in Mexico allows the drug cartels to “transfer earnings back home to pay bills and buy new drug supplies while converting dollars to pesos in a transaction relatively easy to explain to authorities.”

There have been some interdictions in this system, however. In 2010, US authorities arrested several executives of Angel Toy company, who the government alleged were conspiring with Mexican drug cartels to launder drug money through a scheme to purchase Teddy Bears (of all things), for shipment back to and for resale in Mexico. The plan was straightforward, just under $10K of cash for each shipment of Teddy Bears, which were then resold in Mexico.

However, now money launderers use even more sophisticated tactics such as “overvaluing and undervaluing invoices and customs declarations.” There is even a new term “trade-based money-laundering” used to denominate the schemes. It was reported that in another recent operation, which was estimated to launder over $1MM every three weeks, money launderers were exporting from the US to Mexico polypropylene pellets that are used to make plastic. However, the money-launderers inflated the value declared on the high-volume shipments and this eventually attracted suspicion of US bank investigators, “who shut down the export operation by discontinuing letters of credit that the suspected launderers were using.”  One official noted, “You generate all this paperwork on both sides of the border showing that the product you’re importing has this much value on it, when in reality you paid less for it. Now you’ve got paper earnings of a million dollar and the million dollars in my bank account — it’s legitimate. It came from this here, see?”

Transaction-based due diligence and internal controls are mandatory components of a Foreign Corrupt Practices Act (FCPA) minimum best practices compliance program. In addition to due diligence on agents, distributors or others in the sales distribution chain, companies need to perform due diligence on those to whom they sell. If someone from Mexico suddenly comes to your business and wants to buy widgets with cash, this needs to send up a huge Red Flag.

And what about my little new business checking account? The transaction and process drove home to me that there are many ways to perform the various levels of due diligence required. In my case, it was a bank officer questioning me on why I needed a new checking account. In other words, why did I need to transact the business of her company, namely a checking account at a financial institution? It was not an intrusive interview asking impertinent or difficult enquiries; they were basic questions performing a basic level of due diligence. If you inculcate compliance in your organization, everyone works towards the same goal: doing business in a compliant manner. The bottom line is that there are many tools and many ways to protect your business, follow the law and do business in an ethical manner.


© Thomas R. Fox, 2011

December 28, 2011

Facebook’s Settlement With The FTC Is A Wake Up Call For Businesses To Review And Update Their Website Privacy Policy And Agreements

Ed. Note-there are many forms of compliance convergence. Today we have a guest post from Michelle Sherman, a frequent contributor on compliance and  social media issues. 

The Federal Trade Commission (“FTC”) is working hard to make sure consumers are not being misled about how websites and social networking sites are using their personal information.  Companies that do not follow their own privacy policies are finding themselves the subject of FTC complaints.  It is therefore even more important for businesses to review and update their “privacy policy,” “terms of use,” and other legal agreements on their websites.  This review should also include any company apps.

1.         When Businesses Do Not Comply With The Terms Of Their Website Privacy Policy, Then They May Be In Violation Of Section 5(a) Of The FTC Act

The recent consent decrees that the FTC entered into with Facebook, Google and online advertiser ScanScout highlight the need for businesses to make sure they are acting in accordance with their privacy policies.  Businesses are well advised to take the following actions:

(1) Ensure that the published policies on their websites for terms of use and privacy reflect what information the businesses are collecting from consumers, and that the disclosures are clearly stated without unnecessary and lengthy legalese;

(2) Examine how the businesses are using personal information or anticipate using it, and that these uses are being fully disclosed to consumers; and

(3) Take reasonable measures to safeguard consumer information.  Because of the risks of cyberhacking, it is also worthwhile to conduct an audit on how consumer information is being safeguarded, and what information is being stored and for how long a period.  The FTC settled a complaint against Twitter for its alleged failure to take reasonable safeguards to protect users’ accounts against hackers.

In all of these complaints, the FTC alleged that the respondents made false or misleading representations about their privacy policies in violation of Section 5(a) of the FTC Act.  The FTC Act prohibits unfair or deceptive acts or practices.  15 U.S.C. § 45(a).

The consent decrees entered into by Facebook, Google and ScanScout in order to avoid more costly litigation and possibly stiffer penalties are similar in some key respects, and include some terms that will increase their costs of doing business.  As is sometimes the case with the FTC, the FTC conditioned the settlements on these businesses agreeing to change their business practices in ways that may place them at a competitive disadvantage to their competitors because some of the additional privacy measures they must now take are not required under current law.

2.         Lessons To Be Learned From The FTC Settlements With Facebook And Others

It is instructive to know how these businesses allegedly violated the terms of their privacy policies with users because the same may be true for many companies.

(a)  Facebook Complaint

In its complaint against Facebook, the FTC alleged:

(1) Facebook told its users that third-party apps that users installed – such as Farmville by Zynga– would have access only to user information that they needed to operate.  In fact, the apps could access nearly all of the users’ personal data.

(2) Facebook told users that they could restrict sharing of data to limited audiences – for example, with “Friends Only.”  In fact, selecting “Friends Only” did not prevent their information from being shared with the third-party applications their friends used.

(3) Facebook promised users it would not share their personal information with advertisers.  Facebook did, according to the FTC.

(4) Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible, when in fact Facebook allowed access to the content according to the FTC.

(5) Facebook also claimed that it complied with the U.S. – EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union, but it did not.

(b)  Google Complaint

Google is also faulted for making use of its users’ data in ways that were contrary to what Google was telling users about the launching of Google’s Buzz social network through its Gmail web-based email product.  The FTC alleged that “Google led Gmail users to believe that they could choose whether or not they wanted to join the [Buzz] network, [but] the options for declining or leaving the social network were ineffective.”  Google was apparently trying to immediately ramp up its social network in order to compete with Facebook.  The Buzz launch ended up being a public relations nightmare for Google with thousands of consumers reportedly complaining that they were concerned about public disclosures of their email contacts from which Google tried to create immediate Buzz connections for users.  In some cases, use of the emails disclosed ex-spouses, therapists, employers or competitors.

According to the FTC, Google breached its privacy policy when it launched Buzz, its social networking site, because Google’s policy told Gmail users that “[w]hen you sign up for a particular service that requires registration, we ask you to provide personal information.  If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use.”  According to the FTC, Google used Gmail users’ information for a different purpose without telling them by starting a social networking site with the information.

(c)  Online Advertiser ScanScout Complaint

The FTC is not just pursuing these actions against social media behemoths such as Facebook and Google.  In November 2011, the FTC reached a settlement with an online advertiser ScanScout.  ScanScout is an advertising network that places video ads on websites for advertisers.  ScanScout collects information about consumers’ online activities (aka behavioral advertising) in order to post video ads targeted to the people visiting the website.  In ScanScout, the FTC alleged that there was a discrepancy between the online service and their website privacy policy:

“[F]rom at least April 2007 to September 2009, ScanScout’s website privacy policy discussed how it used cookies to track users’ behavior.  The privacy policy stated, ‘You can opt out of receiving a cookie by changing your browser settings to prevent the receipt of cookies.’  However, changing browser settings did not remove or block the Flash cookies used by ScanScout….  The claims by ScanScout were deceptive and violated Section 5(a) of the FTC Act.”

In the ScanScout action, the company Tremor Video, Inc. is also subject to the settlement order because ScanScout merged with Tremor Video.  This settlement also highlights the importance of doing an audit of a target company’s social media activity before acquiring or merging with it so your company will have more information concerning the legal risks of the deal.

3.         Business Costs Of Not Updating Your Privacy Policy And Following It

In each of these cases, the FTC is making the settling party do some things that are more than they would have been required to do in the normal course of business, thereby, making it more challenging and expensive for them to do business.

These consent decrees require the settling party to do the following:

(1) Tell users what information is being collected and for what purpose, with the right to “opt out” of the targeted advertising (ScanScout);

(2) Obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences (Facebook; Google);

(3) Establish and maintain a comprehensive privacy program to address privacy risks associated with new and existing products and services, and protect the privacy and confidentiality of consumers’ information (Facebook; Google); and

(4) Every two years, for the next 20 years, obtain independent, third party audits certifying that the privacy program meets or exceeds the requirements of the FTC order (Facebook; Google).

4.         Conclusion

Considering that the vast majority of consumers simply click through the legal agreements to get to the applications on a website, there is no real downside to companies spending a little time and money to ensure that their privacy policy, terms of use and other legal agreements reflect their current practices.  Similarly, updating these agreements should be a routine part of changing how the company is collecting and using information from its users.  It should be coordinated between marketing, IT and legal with each checking off on the updates being accurate.  And, finally, the website should clearly indicate that the privacy policy and/or agreements have been updated so users have the option to review any changes.  If experience is any indicator, virtually all users will continue to visit the website notwithstanding the updated policy or agreements.

 Michelle Sherman is special counsel at Sheppard Mullin Richter & Hampton where she practices business litigation and consults with businesses on legal and regulatory compliance issues relating to social media and the Internet.  Michelle is the editor and contributing author to the law firm’s Social Media Law Update blog.

December 23, 2011

Coalition for Excellence in Compliance Releases Restricted Party Screening and Other Export Compliance Best Practices

Ed. Note-I often talk about compliance convergence. Today we host a guest post from our colleague and fellow UT Longhorn, Doug Jacobson. This article originally appeared in Doug’s blog, International Trade Law News. In his blog Doug discusses news, analysis and information on export control, sanctions, customs law, FCPA, anti-dumping and other international trade issues. We reprint his article, with his permission, in its entirety.
The Coalition for Excellence in Export Compliance (CEEC) (pronounced “seek”), a voluntary group of experienced export compliance professionals from leading companies, law firms, research organizations and consulting firms, recently released a series of detailed and practical standards containing best practices on a wide range of important topics for export and sanctions compliance programs.

CEEC’s mission is to provide a uniform set of best practices that companies and trade compliance professionals could use to provide clarity over the existing patchwork of official and unofficial guidance regarding export and sanctions compliance requirements and programs. The best practices are not tied to any particular country’s laws or requirements and are intended to be applicable worldwide.
To date, CEEC has issued best practices covering a wide range of topics, including: screening, training, classification, personnel, management commitment, license determinations and use, and intangible exports. Additional compliance-related best practices topics will be issued by CEEC in the near future.
CEEC’s best practices on Restricted Party Screening contain valuable guidance on restricted party screening programs and ways to implement screening programs. For example, CEEC’s restricted party screening best practices provide recommendations on the types of parties to be screened, how and when screening should be conducted, the structure of restricted party screening programs, the lists to check and how matches and potential matches to restricted party lists should be handled.
With respect to the types of parties to be screened, CEEC’s screening best practices note that both domestic and international transactions should be screened, since certain restrictions may apply to domestic transactions, domestic transactions may be part of an international transaction, and reputational concerns may exist. The screening best practices provide a detailed list of the types of parties that should be screened (to the extent applicable), including customers, suppliers, freight forwarders, banks, agents, ship to parties, etc.
CEEC’s screening best practices indicate that a “software tool should be used for screening” and that it should “employ a ‘fuzzy logic’ algorithm to identify close as well as identical matches.” Of course, because restricted party list changes are often effective immediately, “the automated screening tool must promptly update all applicable watch lists as these lists are changed and updated by issuing authorities.”
As for the structure of a restricted party screening program, CEEC’s screening best practices recommend that the screening process should be documented, and it could be “advantageous to centralize the screening program” in order to “minimize duplicative work and promote uniformity.”
Regarding the lists to check, CEEC advises that a “risk analysis should be done to determine which lists (by country, type, etc.) are needed for the organization to use for screening.” For example, it “may be appropriate to use different lists for different businesses, different categories of transactions, or different geographic locations.”
CEEC’s screening best practices provide specific information and guidance on the frequency of screening and at what point in the screening process screening should be done. For example, the best practices recommend that new business partners should be screened prior to the first transaction or other business dealing and that organizations “should consider implementing procedures to screen at the time the business partner is entered into the organization’s database, when background or credit checks are run, when quotes or proposals are requested, or at some other time, as appropriate.” The best practices indicate that “the intervals in between database screenings should be measured and limited in order to mitigate the risk of doing business with a restricted/prohibited/denied party.”
Finally, with respect to screening matches and potential matches, CEEC’s best practices state that an organization’s restricted party screening process “must allow for a transaction to be halted unless and until any screening matches are cleared.” To minimize business disruption, potential matches should be cleared as promptly as possible and the determination “should be documented.” When an actual match to a restricted party list occurs, the CEEC best practices advise that “depending upon the nature of the list, the legal applicability in the jurisdiction, and an evaluation of reputational concerns, the process must allow for determination by an authorized person whether the transaction may proceed . . . and this decision should be documented.”
CEEC members encourage comments and suggestions for improving the best practices and CEEC’s website contains a contact page for the submission of comments on their efforts to date.
We wish a Happy Holidays to all and in spite of what Rick Perry may say, you can say Merry Christmas out loud.

December 22, 2011

Boards of Directors and Compliance: Four Areas of Inquiry

In an article in the December 2011 issue of Compliance Week Magazine, entitled “Board Checklist: What Every Director Should Know”, author Jaclyn Jaeger reported on a panel discussion at the Association of Corporate Counsel’s 2011 Annual Meeting, held in October. The discussion was centered on four core areas upon which Directors should focus their attention: (1) structure, (2) culture, (3) areas of risk and (4) forecasts. The article focuses on each of these areas together with some questions proposed by panel participant Amy Hutchens, General Counsel and Vice President of Compliance and Ethics at Watermark Risk Management International, which she suggested a Board should ask of the company’s Chief Compliance Officer (CCO) or General Counsel.

Structure Questions

This area consists of questions which will aid in determining the fundamental sense of a company’s overall compliance program. The questions should begin with the basics of the program through to how the program operates in action. Hutchens believes that such inquiries should allow each Board member to communicate the main elements of a compliance program. With those concepts in mind, Hutchens suggests that Board members ask some of the following structure questions.

  • Who oversees the operation of the program?
  • What is in the Code of Conduct? Is each Board member aware of corporate standards and procedures?
  • How are complaints being received?
  • Who conducts investigations and acts on the results?
  • What corporate resources are being devoted to the compliance and ethics program?
  • How much money is allocated to the program?
  • What types of training are required? How effective is it?
  • Have any compliance failures been detected? If so, how was such detection made?
  • If a company’s compliance program is less mature, what are the charter compliance documents?
  • If a company’s compliance program is more mature, there should be queries regarding the roles of the General Counsel vs. a Chief Compliance Officer. If a CCO is required, where would such person sit in the organization and what is the CCO reporting structure?

Culture Questions

This area of inquiry should focus on the culture of the organization regarding compliance. Board members should have an understanding of what message is being communicated not only from senior management but also middle management. Equally important, the Board needs to understand what message is being heard at the lowest levels within the company. Hutchens suggests that Board members ask some of the following culture questions.

  • When did the company last conduct a survey to measure the corporate culture of compliance?
  • Is it time for the company to resurvey to measure the corporate culture of compliance?
  • If a survey is performed, what are the results? Have any deficiencies been demonstrated? If so, what is the action plan going forward to remedy such deficiencies?
  • Did any compliance investigations arise from a cultural problem?
  • Regardless of any survey results, what can be done to improve the culture of compliance within the company?
  • If there were any acquisitions, were they analyzed from a compliance culture perspective?
  • If there are any M&A deals on the horizon, have they been reviewed from the compliance perspective?

Areas of Risk

Here Hutchens recommends that Board members “need to know what process is being used to identify emerging risks.” Such risk analysis would be broader than simply a legal/compliance risk assessment and should be tied to other matters, such as “business continuity planning and crisis response plans”.

Another panel participant, Jennifer MacDougal, Senior Counsel and Assistant Secretary of Jack-in-the-Box, noted that “the board of directors need to use their expertise and ask the right questions”. Hutchens suggested that in the areas of risk, questions which a Board should ask are some of the following.

  • What is the risk assessment process?
  • How effective is this risk assessment process? Is it stale?
  • Who is involved in the risk assessment process?
  • Does the risk assessment process take into account any new legal or compliance best practices developments?
  • Are there any new operations that pose substantial compliance risks for the company?
  • Is the company tracking enforcement trends? Are any competitors facing enforcement actions?
  • Has the company moved into any new markets which impose new or additional compliance risks?
  • Has the company developed any new product or service lines which change the company’s risk profile?


Forecasts

Hutchens believes that “a truly effective and informed board knows where the company stands not only at the present moment, but also has the strategic plan for how the compliance and ethics program can continue to grow.” My colleague Stephen Martin suggests that such knowledge is encapsulated in a 1-3-5 year compliance game plan. However, a compliance program should be nimble enough to respond to new information or actions, such as mergers or acquisitions, divestitures or other external events. If a dynamic changes, “you want to get your board’s attention on the changes which may need to happen with the [compliance] program.”  Hutchens believes that such agility is best accomplished by obtaining buy-in from the Board through its understanding of the role of forecasting in the compliance program going forward.

The four-part approach suggested by Hutchens lays out a clear and logical program for a Board of Directors not only to understand its role in the compliance function but to play an active role. Any best practices compliance program has several moving parts: a CCO to lead the compliance program, a Compliance Department to execute the strategy and an engaged Board of Directors who oversee and participate. We applaud Hutchens’ approach and commend it for use by a company’s Board of Directors.


© Thomas R. Fox, 2011

December 21, 2011

Marc Anthony Redux-We Come Not to Praise Daimler, But to Acknowledge It

Yesterday I discussed the apparent inaction of MF Global’s Board of Directors, when the former Chief Risk Officer left the company after “repeated clashes” with company CEO Jon Corzine, over Corzine’s risk strategy. Today we take a look at a Board of Directors which performed its duty in acting to stave off a potential compliance issue. In the December 2011 issue of Compliance Week Magazine, in an article entitled “Daimler Gets This One Right”, author Richard Steinberg reviewed the actions of the Daimler Board of Directors regarding its recent termination of the head of Mercedes-Benz United States operations.

First a bit of history on Daimler. For those of you who do not keep score on such matters, Daimler comes in at Number 7 on the all-time Top 10 FCPA enforcement actions, with a settlement amount of $185 million. This settlement was based upon actions which Steinberg termed “a massive and pervasive bribery scheme”. He described the scheme as “hundreds of bribes totaling tens of millions of dollars were paid to officials in no less than 22 countries over a 10-year period.” This scheme involved high level executives and was not simply some rogue employees or even a middle management group engaging in such actions. Perhaps the most troubling component of the Daimler bribery scheme for the author was that it also “involved the company’s internal audit office.” As with Siemens, it certainly appears that, if the company had an anti-corruption compliance program, it also employed a German-engineered corruption work-around.

In addition to its Top 10 of all-time award, Daimler agreed to a Deferred Prosecution Agreement (DPA) and oversight by an independent monitor, former FBI Director Louis Freeh. Freeh’s role as monitor continues under the terms of the DPA and he is also charged with evaluation of Daimler’s anti-corruption program going forward. Daimler also appointed a German judicial representative to a “new management board position for integrity and legal affairs…” Steinberg concludes by noting that Daimler is “shoring up compliance and control procedures with significantly higher levels of scrutiny.”

All of which brings us to the (now former) head of US operations, Ernst Leib. In October, Daimler announced that he was “no longer with the company.” Why did he leave? Steinberg reports that Leib had engaged in some “serious lapses of integrity” which included having work done on his private residence, with the work being paid for by Daimler funds and taking personal travel using Daimler funds. After these irregularities came to light, Leib was confronted, apparently responding with unsatisfactory answers. Indeed Steinberg obliquely reported that the company also “found out about other issues” and then Leib was gone.

Steinberg believes that the Daimler Board got this one right. This is because character does matter. As Howard Sklar would say, “water is wet”, but it is worth repeating: a CEO “sets the tone and shapes a company’s [compliance] culture-not only with words, but largely by his or her actions.” Steinberg believes that the new emphasis on compliance at Daimler led to the employment separation of Leib from the company and that the action by the Board “drives home the point more effectively than perhaps anything else that has been done” regarding compliance.

Steinberg believes that one of a Board’s most important functions is finding the right person to run a company. However, the Board’s responsibility does not end at that point. If there are signs that a CEO’s behavior is outside the norm of acceptable behavior, the Board must ask tough questions and take strong actions. Imagine if the MF Global Board had asked both Jon Corzine and the Chief Risk Officer, Mark Roseman, separately, why Roseman was leaving the company and why Corzine downgraded the authority of Roseman’s successor. Would any answers have raised questions about behavior “outside the norm of acceptable behavior?” Alas, we will never know the answer to those questions. But we do know what transpired at Daimler regarding its employment of Ernst Leib: he is no longer with the company. We should acknowledge Daimler for that action and the message it sends to its workforce regarding compliance.


December 20, 2011

The Saga of MF Global – Don’t Shoot the Messenger, Fire the Chief Compliance Officer

In a post last week on his site, Corruption, Crime and Compliance, Mike Volkov named the Chief Compliance Officer (CCO) his “Person of the Year”. He did so because “There is no other position in a company which has taken on more significance.” This significance was foretold, in part, by the Department of Justice’s (DOJ) minimum best practices compliance program, which it has listed in each Deferred Prosecution Agreement (DPA) and Non-Prosecution Agreement (NPA) released beginning in 2010 and continuing into 2011, and which includes the following:

“Senior Management Oversight and Reporting. A Company should assign responsibility to one or more senior corporate executives of the Company for the implementation and oversight of the Company’s anti-corruption policies, standards, and procedures. Such corporate official(s) shall have direct reporting obligations to the Company’s Legal Counsel or Legal Director as well as the Company’s independent monitoring bodies, including internal audit, the Board of Directors, or any appropriate committee of the Board of Directors, and shall have an adequate level of autonomy from management as well as sufficient resources and authority to maintain such autonomy.”

In November 2010, the US Sentencing Guidelines were also amended to make the role of the CCO more robust and allow direct reporting to a Board of Directors or subcommittee of the Board. The amendment read “the individual…with operational responsibility for the compliance and ethics program…have direct reporting obligations to the governing authority or any appropriate subgroup… (e.g. an audit committee or the board of directors)”. If a company has the CCO reporting to the General Counsel (GC), who then reports to the Board, such a structure may not qualify as an effective compliance and ethics program under the amended Sentencing Guidelines.

These two bits of guidance came to mind when reading about MF Global over the past few weeks, regarding its Chief Risk Officer, the financial services equivalent of a CCO. As reported on December 15, in a New York Times (NYT) article entitled “MF Global’s Risk Officer Said to Lack Authority” Ben Protess and Azam Ahmed reported that the company replaced its Chief Risk Officer, Michael Roseman, earlier in 2011, after he “repeatedly clashed with Mr. Corzine [the CEO] over the firm’s purchase of European sovereign debt.” He was given a large severance package and left the company. When he left, there was no public reason given. His replacement was brought into the position with reduced authority.

Writing in the December 16 edition of the NYT’s DealB%K, in an article entitled “Another View: MF Global’s Corporate Governance Lesson”, Michael Peregrine stated that “compliance officer is the equivalent of a “protected class” for governance purposes, and the sooner leadership gets that, the better.” Particularly in the post Sarbanes-Oxley world, a company’s CCO is a “linchpin in organizational efforts to comply with applicable law.” When a company fires its CCO (or asks him to resign), it is a significant decision for all involved in corporate governance and should not be made solely at the discretion of the Chief Executive Officer (CEO).

Both the DOJ minimum best practices and the amendment to the US Sentencing Guidelines, giving the CCO direct access to a company’s Board of Directors, would seem to provide the profile that would mandate that a Board wants to know the reason why a CCO (or Chief Risk Officer) would suddenly resign, particularly after he “repeatedly clashed” with a CEO over compliance issues. The universal corporate blanket “resigned to pursue other opportunities” is a white-wash that a Board should look beyond, if indeed that reason was given to the MF Board. The bottom line is that when a CCO leaves, particularly if it was due to a clash with the CEO, the Board had better take a close look into the reasons as it may be that the CEO wants to take risks which could put the company at grave risk.


December 19, 2011

McNulty’s Maxims, the Deepwater Horizon and FCPA Internal Controls

I often write about what I call Paul McNulty’s three maxims of a Foreign Corrupt Practices Act (FCPA) compliance program: 1) What did you do to prevent it?; 2) What did you do to detect it?; and 3) What did you do to remedy it? I had generally thought that the internal controls component of a minimum best practices FCPA compliance program applied to maxim number 2, detection. However, in a recent guest post regarding internal controls entitled “Controls to Prevent Violations of Anti-Bribery Laws”, my colleague Henry Mixon explained that “A specific focus is needed to ensure there are control procedures in place to ensure compliance with” maxim number 1, prevention.

This concept was driven home in a December 15, 2011 article in the Houston Chronicle by reporter Jennifer Dlouhy, entitled “Blowout preventers fall short, report says”. This article discusses a 136-page report by the National Academy of Engineering and National Research Council (“the Report”) on the Deepwater Horizon disaster. One of the findings of the Report was that the industry’s trust in blowout preventers, as they are currently designed and utilized, is misplaced. The Report noted that there were several studies which had questioned the reliability of blowout preventers to do what they were designed to do and provided several technical reasons for this finding.

For those of you not in the oil and gas industry, a blowout preventer is a piece of equipment which is designed to be the last line of defense if the well blows, by cutting through the pipe and blocking the oil or gas from escaping upwards and being ignited by the drilling rig. Generally, it has to be activated by someone or some automatic control system to take its preventative action. In other words, it is not viewed as a detection device but as a prevention device.

This article specifies that the design of blowout preventers is, as the name implies, to prevent an accident. I was reminded that the FCPA and UK Bribery Act require a specific focus on preventive controls. While there should be detect controls as well, if your company only has detect controls, your compliance program does not meet the minimum best practices. In his recent post Henry Mixon focused on the use of internal controls to prevent bribery and corruption.

Some examples of this use of internal controls which can be preventative controls are the following:

  1. Petty Cash disbursements should be reviewed by more senior management before disbursement rather than reconciled after the fact.
  2. Controls are needed over
    1. movement of inventory because bribes can be made through mechanisms other than cash.
    2. gifts, entertainment, hospitality, political contributions, and charitable contributions.
  3. An effective Delegation of Authority such as the requirement of dual signatures for hand-written checks.
  4. Offline processing and maintenance of key information related to vendors and disbursements.
  5. Employees, both contract and permanent, require controls in payroll processing to ensure that an employee’s status as a current or former Government Official, or a relative of one, is identified in pre-hire diligence and that effective oversight is established regarding the hours actually worked, the type of work performed, and the compensation paid.
  6. Vendor master file controls to ensure no vendors are paid unless there has been appropriate due diligence performed.

The Report on the Deepwater Horizon disaster makes clear that the energy industry must find a way to prevent a similar event in the future. The lessons from McNulty’s maxims also make it clear that for a best practices compliance program, you must have sufficient preventative controls in place to prevent bribery and corruption. Henry Mixon details some of the specific reasons that internal controls can be used as prevention controls and the specifics on how to do it.

If your compliance program only uses internal controls to detect after-the-fact violations, you may need to call Paul McNulty and have him represent you. Then you may well be in the position of having McNulty call the Department of Justice and self-report a FCPA violation. I am relatively sure that such a call is not one that you would like to make, or have counsel make on your behalf.


December 16, 2011

More Wisdom from the Bribery Act Guys

Ed. Note-today we host our colleague Matt Ellis who reports on the recent World Compliance event where the Bribery Act guys spoke. This article originally appeared in Matt’s blog, FCPAméricas Blog, and we reprint it in its entirety with his permission.

In FCPAméricas’s last post, it gave highlights from Tom Fox at the World Compliance FCPA Summit 2011 in Houston, TX. At the same seminar, the Bribery Act Guys (UK attorneys Barry Vitou and Richard Kovalevsky QC) offered their own wisdom.

Transitioning Away from Facilitating Payments

While it is commonly known that, unlike the FCPA, the UK Bribery Act prohibits facilitating payments, the Bribery Act Guys offered insight into how the Serious Fraud Office (SFO) will give companies time to bring their practices into compliance. The SFO has offered a 6-step guidance. The Bribery Act Guys explain that, “If the answers to these questions are satisfactory then the corporate should be shielded from prosecution”:

  1. Whether the company has a clear issued policy regarding such payments;
  2. Whether written guidance is available to relevant employees as to the procedure they should follow when asked to make such payments;
  3. Whether such procedures are being followed by employees;
  4. If there is evidence that all such payments are being recorded by the company;
  5. If there is evidence that proper action (collective or otherwise) is being taken to inform the appropriate authorities in the countries concerned that such payments are being demanded;
  6. Whether the company is taking what practical steps it can to curtail the making of such payments.

Corporate Hospitality under the UK Bribery Act

The Bribery Act Guys report that, when deciding whether a specific corporate expenditure falls outside of the bounds of reasonable and proportionate hospitality, the SFO will look to see whether:

  1. the company has a clear issued policy regarding gifts and hospitality;
  2. the scale of the expenditure in question fell within the confines of such policy and if not, whether special permission for it had been sought at a high level within the organization;
  3. the expenditure was proportionate with regard to the recipient;
  4. there is evidence that such expenditure had been recorded by the company; and,
  5. the recipient was entitled to receive the hospitality under the law of the recipient’s country.

Predictions on UK Bribery Act Enforcement in Coming Months

The Bribery Act Guys have built a good track record with their predictions. They correctly predicted the delay on UK Bribery Act guidance, dismissed suggestions that the Bribery Act would be canned and said that the SFO would survive when others thought it would not.

They have now offered their predictions on enforcement activity. These predictions are timely since the UK Bribery Act just went into force on July 1, 2011 and applies only to conduct occurring after that date (although enforcement may incorporate prior activity if it is part of an ongoing “system” of wrongdoing). Will they get these ones right too?

  1. Proceedings against Foreign Companies. The Director of the SFO, Richard Alderman, has a personal commitment to enforcement similar to that of U.S. Department of Justice Assistant Attorney General Lanny Breuer. Both regulators see their jobs as crusades. As such, Alderman is concerned less with proceeding against “low hanging fruit” and more with pursuing the harder cases that test the limits of the UK Bribery Act, especially with respect to extraterritorial jurisdiction. As a result, the Bribery Act Guys predict several proceedings against foreign companies so that the SFO can “level the playing field,” similar to the approach taken by U.S. enforcement.
  2. Alderman’s Successor Might Seek to Bring in Money. After Alderman departs in Spring 2011, his successor might look to bring easier, lucrative cases. The SFO is highly underfunded, a fact that has impeded its ability to fully flex its muscles. Revenue from cases can change that.
  3. Focus on Individuals. Like U.S. authorities, the SFO will focus on prosecuting individuals. For example, if a company discloses prior bribery of an acquiree discovered in acquisition due diligence, it can obtain a clean bill of health going forward. The individuals authorizing the scheme for the seller, on the other hand, will likely be prosecuted. Likewise, the target may also be subject to enforcement proceedings to recover the benefits of the proceeds of crime.
  4. The Announcement of First Major Cases Will Take Time. It will likely take at least a year for major SFO prosecutions to be announced. This is because, broadly speaking, the SFO only announces actions at a very advanced stage or after it has concluded the investigation.

When the SFO Can Use UK Subsidiaries to Assert Jurisdiction over U.S. Parents

For the UK Bribery Act offenses of bribing, receiving a bribe, and bribing a foreign public official, it is, generally speaking, harder to assert jurisdiction over an overseas parent (unless the activity takes place in the jurisdiction). But for the offense of failing to prevent bribery, the SFO has more leeway in asserting jurisdiction over the parent through its UK subsidiary, even if the subsidiary is not directly involved in the scheme.

The SFO takes the view that, the less autonomous the UK subsidiary’s operations are from those of the U.S. parent, the more authority the SFO has to bring a case, even if the bribe was committed in a third country by an entirely different subsidiary. In other words, the more common the management and services functions between the UK subsidiary and the U.S. parent, the stronger the jurisdictional basis for proceeding against the parent. The extent of the connection will likely be tested in the courts.


Matt Ellis, Principal and Founder of the law firm of Matteson Ellis Law, PLLC. He blogs at the FCPAméricas Blog, a blog that explores corruption issues throughout Latin America and speaks to the companies and business-people in the region seeking to comply with international anti-corruption norms. He can be reached via phone at 1.855.FCPA.LAW.

December 15, 2011

Is There Room for Law Enforcement in a Workplace Investigation?

Ed. Note-today we are pleased to host an article by our colleague from north of the Border, Lindsey Walker of i-sight.com.

When you want a workplace investigation done right, you choose an investigator that has the knowledge and experience to deal with the specific type of case under investigation. This could be someone within your organization, an external investigator, or in some cases, law enforcement. However, when an incident occurs in the workplace, many companies jump the gun and involve law enforcement right away, without considering their options. Failure to select an appropriate investigator could put your company on the line.

Advantages and Disadvantages of Involving Law Enforcement

At the ASIS International 2011 Seminar and Exhibits, James Whitaker, President, The Whitaker Group, LLC and Ed Casey, CPP, Senior Director – Protective Services, Cincinnati Children’s Hospital led a session called “Private Sector Investigations: When (and if) to Involve Law Enforcement”.  Whitaker and Casey outlined some of the advantages and disadvantages of getting law enforcement involved in workplace investigations.

Advantages include:

  • The decision complies with company policy or law
  • Law enforcement can provide additional resources
  • Broader jurisdiction
  • No additional cost
  • Experience (this can be both an advantage and a disadvantage)

Disadvantages include:

  • Loss of control over the investigation
  • Possible unwanted publicity
  • Timing
  • Business disruption
  • Experience

It’s important to remember that once you get law enforcement involved in an investigation, you can’t go back. In some cases, you can use the fact that you aren’t getting law enforcement involved as a source of leverage in an investigation – employee admits to wrongdoing, you part ways, end of issue.

Experience Matters

During the presentation, Whitaker and Casey discussed the importance of experience and the fact that the law enforcement agent assigned to your case may or may not have experience dealing with the type of incident under investigation. Involving law enforcement in an investigation is like Forrest Gump’s box of chocolates: “You never know what you’re gonna get.”

Companies are liable for ensuring that investigations are conducted properly, which makes the investigator selection process very important. When selecting the best investigator for the case, whether it’s an internal or external source, you need to take their level of knowledge and experience into consideration. It’s also important to remember that the same person or group may not be the best investigator for every case. Each case varies in complexity, so you need to make sure that the investigator has the skills to get the job done.

When to Get Law Enforcement Involved

Whitaker and Casey suggest involving law enforcement if company policy or the law says so, or if a serious criminal act has occurred. If the investigation involves armed robbery, assault, arson, significant theft or any other type of serious crime, notify law enforcement. In some organizations, it’s company policy to notify law enforcement when an incident is under investigation. Whitaker and Casey recommend familiarizing yourself with local and state requirements and contacting your legal department to find out what steps you should take before getting law enforcement involved.

Lindsey Walker can be reached at LWalker@customerexpressions.com.
