Ryan Braun and Building Employee Trust in Your Compliance Program

Most people who have a modicum of interest in baseball now know that Ryan Braun was successful in the appeal of his 50 game suspension by Major League Baseball (MLB) for testing positive for performance enhancing drugs; i.e.: elevated levels of testosterone. The suspension had been levied based upon tests taken late last season, at the conclusion of which Braun was awarded the National League’s Most Valuable Player (MVP) award for the most sterling season, with a Batting Average of .332 with 33 home runs and 111 RBIs while leading the Brewers to the National League (NL) Central title. Although the entire process is required to be confidential under the MLB collective bargaining agreement with the players’ union, both the test results and notice of Braun’s appeal were leaked to the press by person or persons unknown.

Braun won his award because the sample of his urine that was tested was not handled in compliance with the MLB/Players’ Union agreed upon testing protocol. The worker who took the sample did not deliver it to FedEx on the same day the sample was taken from Braun because he said it was Friday night, after 8 PM and all the FedEx offices were closed. (A quick note here that anyone who has ever been an associate at a law firm knows just how bogus that excuse is as there is ALWAYS a FedEx office open. My suggestion is next time to try the airport.) Instead the employee of the drug testing company took the sample home and kept it in his refrigerator over the weekend. This failure to deliver the sample, as required by the agreed upon testing protocol, was enough to allow a tripartite panel of arbitrators to overturn the suspension by a 2-1 vote.

As equally important as it is to have a written process in place, it is as important to follow this process. In the realm of individual rights this is called procedural fairness and it is one of the things that will bring credibility to your Compliance Program. Following an agreed upon process is called the Fair Process Doctrine and this Doctrine generally recognizes that there are fair procedures, not arbitrary ones, in a process involving rights. Considerable research has shown that people are more willing to accept negative, unfavorable, and non-preferred outcomes when they are arrived at by processes and procedures that are perceived as fair. Adhering to the Fair Process Doctrine in two areas of your Compliance Program is critical for you, as a compliance specialist, or for your Compliance Department to have credibility with the rest of the workforce.

This is particularly true in the realm of discipline in your compliance program. If you define a process that is to be followed by all employees when an event occurs, then the company must also follow its procedures in the investigation and administration of discipline. Discipline must not only be administered fairly but it must be administered uniformly across the company for the violation of any compliance policy. Simply put if you are going to fire employees in South America for lying on their expense reports, you have to fire them in North America for the same offense. It cannot matter that the North American employee is a friend of yours or worse yet a ‘high producer’. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed.

In addition to the area of discipline, which may be administered after the completion of any compliance investigation, you must also place compliance firmly as a part of ongoing employee evaluations and promotions. If your company is seen to advance and only reward employees who achieve their numbers by whatever means necessary, other employees will certainly take note and it will be understood what management evaluates, and rewards, employees upon this. I have often heard the (anecdotal) tale about some Far East Region Manager which goes along the following lines “If I violate the Code of Conduct I may or may not get caught. If I get caught I may or may not be disciplined. If I miss my numbers for two quarters, I will be fired”. If this is what other employees believe about how they are evaluated and the basis for promotion, you have lost the compliance battle.

So, just as Lin-sanity can inform your compliance program, the Ryan Braun suspension and reversal can also inform your compliance program. To build a solid compliance program, trust by your employees that they will be treated fairly is required. Companies can build trust by living their stated values as set out in their company Code of Conduct and compliance program. As reported in the New York Times (NYT), MLB has come “out firing against Braun, with Rob Manfred, the executive vice president for labor relations, saying in a statement that the league “vehemently disagrees” with” the arbitration ruling. If MLB wants to have any credibility it must follow its own agreed upon testing procedures. So quit whining, if you set up a procedure, you had best follow it. The Procedural Fairness Doctrine requires nothing less.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

Risk Assessments under the UK Bribery Act

In the February 10, 2012 edition of the Houston Business Journal, in an article entitled “In order to solve a problem, it must first be identified”, author Harvey Mackay wrote “People don’t usually buy products and services. They buy solutions to problems.” He notes that successful sales people “tailor their products and services to meet a demand”. However, in compliance the ‘demand’ that often needs to be satisfied is risk. In your role as a compliance professional, you need to be able to identify risk and then design a system to manage it. If you review a proposed transaction and concluded it would violate the Foreign Corrupt Practices Act (FCA) and then reported that to senior management, you may well be told that it is the job of compliance to manage compliance risks, now go back and figure out a way to manage that risk so that the transaction can be done within the law. The question is how to determine the compliance risk so that it can be managed. The answer is by performing a risk assessment.

In three enforcement actions in early 2011, the Department of Justice (FOJ) indicated FCPA compliance risk areas which should be evaluated for a minimum best practices FCPA compliance program. In both Alcatel-Lucent and Maxwell Technologies, the Deferred Prosecution Agreements (DPAs) listed the following seven areas of risk to be assessed.

1.         Geography – Where does your Company do business.

2.         Interaction with types and levels of Governments.

3.         Industrial Sector of Operations.

4.         Involvement with Joint Ventures.

5.         Licenses and Permits in Operations.

6.         Degree of Government Oversight.

7.         Volume and Importance of Goods and Personnel Going Through Customs and Immigration.

However, the British government has gone further in providing guidance around the parameters of a risk assessment. The UK Ministry of Justice (MOJ), in Principle III of the Six Principles of an Adequate Procedures compliance program, discusses risk assessment. It mandates that a company should assess “the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it.” Further a risk assessment should be performed on a periodic basis, it should be reasoned and it should be documented. From this risk assessment, a company should then be able to “promote the adoption of risk assessment procedures that are proportionate to the organisation’s size and structure and to the nature, scale and location of its activities.”

The MOJ has collected the risks which should be assessed into five broad groups and they are country, business sector, transaction, business opportunity and business partnership:

1. Country risk. This is evidenced by perceived high levels of corruption, an absence of effectively implemented anti-bribery legislation and a failure of the foreign government, media, local business community and civil society effectively to promote transparent procurement and investment policies.
2. Sector risk. Some sectors are higher risk than others. Higher risk sectors include the extractive industries and the large scale infrastructure sector.
3. Transaction risk. Certain types of transaction give rise to higher risks, for example, charitable or political contributions, licenses and permits, and transactions relating to public procurement.
4. Business opportunity risk. These risks might arise in high value projects or with projects involving many contractors or intermediaries; or with projects which are not apparently undertaken at market prices, or which do not have a clear legitimate objective.
5. Business partnership risk. There are some relationships which involve higher risk, for example, the use of intermediaries in transactions with foreign public officials; consortia or joint venture partners; and relationships with politically exposed persons where the proposed business relationship involves, or is linked to, a prominent public official.

Additionally, the MOJ believes that the areas of risk that are assessed should enable a company to accurately identify and prioritize the risks it faces, whatever its size, activities, customers or markets, as these usually reflect a few basic characteristics. They listed these as:

• Oversight of the risk assessment by top level management. More than simply tone at the top but is management truly committed to installing and maintaining a culture of compliance.
• Appropriate resourcing – this should reflect the scale of the organization’s business and the need to identify and prioritize all relevant risks. Have your designated persons with authority to make compliance decisions and back that up with the budget required to do so.
• Identification of the internal and external information sources that will enable risk to be assessed and reviewed. Who are you are going to use for the risk assessment?
• Due diligence enquiries. Is your due diligence sufficient, if not, what are you going to do to resolve this issue?
• Accurate and appropriate documentation of the risk assessment and its conclusions. Document, Document, Document.

So the key is to assess the risk. From both the DOJ and MOJ, there is specific guidance of the quality of risks that should be assessed. A risk assessment is a key tool to use to identify the types of problems that the compliance group needs to solve, or at least manage. A risk assessment should not be an annual exercise that your company goes through. You can use the guidance from the DOJ or MOJ in a wide variety of circumstances, down to the granular transactional level. Or as Harvey Mackay might say, to solve a problem, you first need to identify that problem.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

How Lin-sanity Informs Your Compliance Program: Lesson II

Lin-sanity still reigns. How can you make this determination? I will give you two signs to consider. First Spring Training is in full force and here I am not only thinking about the NBA but also writing about the NBA. Second, I ordered the NBA League Pass package so that I can watch Jeremy Lin play each night the Knicks are on television. (Sam Rubenfeld is smiling somewhere.) But Lin-sanity still continues to inform the compliance practitioner and compliance programs.

How does Lin-sanity continue to inform your compliance program? That question came to mind as I was reading the Saturday edition of the New York Times (NYT) in an article, entitled “The Evolution of a Point Guard”, by reporter Howard Beck. In his article Beck destroyed the myth that Jeremy Lin emerged literally “overnight” as a star in the NBA. Beck wrote that this part of the Lin Legend is “altogether flawed, or at least woefully incomplete.” In my last piece on Lin-sanity and compliance I wrote about the analyst who saw the seeds of Lin’s play in his years at Harvard. Beck goes further to point out that the Lin who graduated from Harvard, got cut from both the Warriors and the Rockets is very different from the Lin who is now starting for the Knicks. How is Jeremy Lin different? Through hard work in his profession, the craft of basketball.

What work did Lin do that led to Lin-sanity? Beck went into extensive detail to report on the shooting drills he put in with an old coach to improve his jump shot; the personal fitness coach he worked out with to increase muscle size and speed; the tape of elite NBA guards he studied to learn how to set up and execute a pick and roll; the Developmental League time he put in to learn how to better read defensive double teams; and finally the lonely gym work to develop a 3-point shot. All of this hard work led to, as Beck quoted, a former coach of Lin’s saying that “He’s in a miracle moment, where everything has come together.”

Our last lesson learned from Lin-sanity was to look and think outside the box for compliance resources within your company. Lin-sanity Lesson Learned II is that the initial implementation or enhancement of a compliance program is only the beginning. It is after that time, the hard work really begins. So Jeremy Lin obviously, at least to one analyst, had some amount of talent coming out of college, but Lin-sanity did not begin until he put in all the hard work that Beck detailed in his article, you as a Chief Compliance Officer (CCO) or other person tasked within your company to implement or enhance a compliance program, must work equally hard to make the program truly best practices.

What are some of the things that you should do after implementation or enhancement? You should begin by reviewing your risk assessment to determine the nature and quality of the compliance risks that were defined. Use that list as a starting point to put in the hard work of remedying or better yet managing those risks. Some of the areas that you may need to remediate, while you are going through the initial implementation or enhancement phase of the compliance program, may be one or more of the following.

Foreign Business Representatives

A usual high risk is found by the use of agents, resellers, or other non-employee sales representatives in your company’s sales chain. You need to design a database where you collect information on all such foreign business representatives, such as contract term, underlying due diligence performed, commissions or other payments made to them over the past five years, nature of product sold or service provided and geographic territory. From this database you should risk rank these foreign business representatives and begin the process of remedial due diligence. If your sales model is distributors, you may need to review and assess your contractual rights and requirements for sales to certain end users for your products.

Supply Chain

There may be many persons or entities that represent your company that are located in the Supply Chain, rather than the sales chain. This could include freight forwarders, visa processors, customs clearance companies, law firms, licensing representatives or any other service provider who might interact with a foreign governmental official on behalf of your company. In addition to the information that you should collect in a database, similar to the one described for Foreign Business Representatives above, you should also go back and audit invoices from such government service providers, to determine if there are any issues existing from before the go-live date of your compliance implementation or enhancement.

Internal Controls

Your compliance program should consist of policies and procedures. However, it should also have the appropriate internal controls in place to effectively implement these policies and procedures across the organization. This means that policies from every department of the company may be impacted. Groups disparate as Human Resources, Finance, Accounting, IT, Treasury and others, will all have corporate policies that need to be reviewed and assessed through a Gap Analysis of your internal controls. Any discovered deficiencies will need to be remedied so that writing policies may well be a large part of your compliance effort going forward.

Human Resources

HR is key in any compliance program implementation, enhancement or ongoing evolution. One of the reasons that HR is so critical is that it is the group within your company which will be charged with identifying, evaluating and developing persons with strong ethical values who could become the leaders of your company tomorrow. As a compliance officer you will need to spend significant time with HR representatives to detect, train and promote such persons within your company to leadership and senior management positions in the years ahead.

There will certainly be other areas of your company which will need attention during your initial compliance program implementation or enhancement. It most certainly will seem like an overwhelming task. But here is where the Jeremy Lin example really kicks in. You do not have to create and perfect everything at once. Each step in the compliance journey builds on the prior step. The point is to keep moving. Your best practices compliance program will not emerge overnight, but as with Jeremy Lin, if you keep doing the things you need to do to make your compliance program more robust, you may well bring everything together to create a world class compliance program for your organization.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

Innovation and Compliance

Can compliance be innovative? Or can innovation inform your compliance program? Can some of the techniques and strategies of the world’s most innovative companies be brought to bear in the field of anti-corruption and anti-bribery?

I thought about those questions, and perhaps some others, while reading the March issue of Fast Company, with a cover title of “The World’s 50 Most Innovative Companies”. In his column, “From the Editor”, Robert Safian wrote about the “The Lessons of Innovation.” He said in reviewing the Top 50 most innovative company, he drew eight key themes. As I read these I thought about them and their relationship to compliance. So with a tip of the hat to Mr. Safian, here is my compliance spin on his eight key themes of corporate innovation.

1.      Compliance should be a strategy, not a tactic. Starbucks recognized that profit alone is a “fairly shallow aspiration, and it’s not enduring.” Most people want to do business with companies which do not engage in bribery and corruption. Indeed the UK Bribery Act enshrines this in its Six Principles of an Adequate Procedures by stating that a company should only conduct business with other ethical companies.

2.      Big companies need to be as nimble as small companies. Safian notes that the top four companies: Apple, Google, Facebook and Amazon.com all continue to “drive the agenda across the global economy.” This should also be true of your compliance program. You need to use the tools available to you to update your risk assessment if you move into new business lines, products or geographical areas. Similarly if one of your competitors comes under anti-corruption scrutiny, you should review any similar practices that your company might have, such as its sales model or vendors in the Supply Chain.

3.      Technology is disruptive in unexpected places. Here Safian gives the example of LegalZoom, which is “challenging the definition of a law practice” by providing useful legal forms and documents to consumers. In the compliance arena, the number of technological innovations is as broad as it is deep. Companies like Catelas and VisualRisk IQ have developed software products which can allow review and assessment of a large number of data points or other quantitative data. You can even get apps for smartphones which allow submission of expense requests directly to your compliance department.

4.      Compliance is a competitive advantage. Apple has never been publicly reported as going through a Foreign Corrupt Practices Act (FCPA) investigation. What is their stock price today and is it still undervalued? Even when it recently received negative publicity regarding its manufacturing facilities in China, it responded quickly and brought in an outside monitor to assess and report. Apple also annually assesses its third party vendors and makes that report public. Do you think that keeps vendors on their collective toes? You bet it does.

5.      Use of social media makes compliance better. My former speaking cohort, Stephen Martin, then General Counsel for Corpedia, often spoke about Code of Conduct 3.0, which is a web-based interactive tool which helps guide employees through a Code in an interesting and stimulating manner. The same is true of training. You no longer need to simply have a video conference to deliver compliance training around the world. Companies like Click4Compliance have interactive, web-based solutions that you can utilize. I noted above about the smartphone app which allows employees from around the world to submit expense requests to the compliance department and receive an instant response back from an assigned compliance team member.

6. Data is power. If you don’t document it, you can’t measure it. If you don’t measure it, you can’t assess it. If you don’t assess it, you can’t improve it. That is how an engineer tends to look at things. In the compliance world, if you don’t document it, it never existed (Cue drum roll for: document, document and document). Both are true. You have to document things to prove that you actually did them. But if you do not have data, you cannot determine if your compliance program is successful or improve it.

7.      Money is flowing. Here, Safian does not mean necessarily that more funding is available. However, in the compliance world what I believe that this means is forces, other than legal compliance, for example: the US Department of Justice (DOJ) or the UK Serious Fraud Office (SFO) enforcements are beginning to drive compliance. Insurance companies have developed insurance coverage for FCPA investigations; D&O insurers are requiring companies to have a compliance program to cover directors and officers sued in shareholder derivative actions based upon admitted FCPA violations; and perhaps most interestingly, banks and other financial institutions are reviewing anti-corruption compliance programs to determine if they meet minimum best practices and then writing maintenance of these programs into their loan covenants.

8.      Copycats are history. Saflan notes that emerging market entrepreneurs aren’t just following the successes of others, they are creating new, distinct models”. In the compliance arena I believe that ‘out-of-the-box’ solutions are no longer best practices. Companies need to assess their specific compliance risks and then design programs to specifically manage those compliance risks. If your company uses a sales model of agents, one type of compliance management strategy may need to be employed. However, if your company is a manufacturing company, which sells through distributors, another compliance management strategy may be required. Do not simply purchase a compliance program off the shelf. Either design it to fit the needs (and realities) of your business model or work with an expert who can do so.

The innovation angle is not one that is usually in the front of the line at compliance conferences or in thinking through compliance programs. But if you listen to Lanny Breuer, Chuck DuRoss or any other DOJ speaker, they continually talk about evolving best practices in anti-corruption compliance. Any reader of Deferred Prosecution Agreements (DPAs) over the past 18 months is well aware of the changes in focus that the DOJ has in these documents. Certainly, many of the compliance techniques are driven by the compliance challenges in the individual companies. But if your company has engaged in mergers and acquisitions, why would it not follow the ‘enhanced’ compliance guidance found in the Johnson & Johnson DPA and train all high risk employees within 12 months of acquisition and perform a full compliance audit, within 18 months of acquisition? So my conclusion is that innovation in the compliance arena is key. As compliance programs mature and as companies mature in their approach to compliance, innovation will continue to lead best practices.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

Code of Conduct – The Cornerstone of Your FCPA Compliance Program

The cornerstone of a Foreign Corrupt Practices Act (FCPA) compliance program is the US Federal Sentencing Guidelines (FSG). They contain seven (7) basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements the Department of Justice (DOJ) has crafted its minimum best practices compliance program which is now attached to every Deferred Prosecution Agreement (DPA) and Non-Prosecution Agreement (NPA). The FSG assumes that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct? The starting point, as per the FSG, reads as follows:

Element 1

Standards of Conduct, Policies and Procedures (a Code of Conduct)

An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages “ethical conduct” and a commitment to compliance with applicable regulations and laws.

 In each DPA and NPA over the past 18 months the DOJ has said the following as item No. 1 for a minimum best practices compliance program.

1. Code of Conduct. A Company should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy shall be memorialized in a written compliance code.

In an article in the SCCE Complete Compliance and Ethics Manual, 2^nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”

There are several purposes identified by the authors which should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this in a Code by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena to do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasis it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your FCPA compliance program are document, document and then document. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands the Code. For employees, it is important that a representative of the Compliance Department, or other qualified trainer, explains the standards set forth in your Code of Conduct and answers any questions that an employee may have. Your company’s employees need to attest in writing that they have received, read, and understood the Code of Conduct and this attestation must be retained and updated as appropriate.

The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed your Code of Conduct for five years, I would suggest that you do in short order as much has changed in the compliance world.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

Compliance Convergence: ICE Enforcement

Compliance convergence can take many forms. In an article entitled “Pass the ICE Test: Nine I-9 Record Keeping Tips” published in the February 6, 2012 edition of the Texas Lawyer, author Karen-Lee Pollak explores one of these important areas of compliance; that being immigration and employment. Federal law requires that all employers must verify new employee’s employment eligibility within three business days of hire. US employers are generally aware of the enforcement actions by US Immigration and Customs Enforcement (ICE) which has shifted its focus to employers, through increased worksite investigations, fines and penalties. Pollak provides nine points of guidance on what lessons employers “can learn to help their companies avoid punitive fines for faulty record keeping.

Lesson No. 1: Make people responsible. Pollak believes that the “key to maintaining an effective I-9 program” is to designate specific supervisors, managers and employees to be responsible” and then provide them with continued training.

Lesson No. 2: Pick sides. There needs to be a clear document retention policy; whatever method is implemented the key is that if the company keeps some documents for some employees, “it must do so for all employees.”

Lesson No. 3: Mark the calendar. There should be a calendaring or tickler system which notifies the relevant personnel when employment verification documentation will be expiring. Ideally, Pollak believes a four month notice should be provided before such documents expire.

Lesson No. 4: Protect the paperwork. Care should be taken in your company’s filing system to keep current employee documentation separate from terminated employees. Further counsel should ensure that the company keeps all I-9 documents “in document retention schedules.”

Lesson No. 5: Schedule an audit. Pollak believes that your system should be independently tested via an audit by an “external auditor or trained employee who is not involved in the day-to-day I-9 process.” This has two benefits; first it should turn up any deficiencies in your program and allow you to correct them. Second, it demonstrates your company’s commitment to a robust compliance regime.

Lesson No. 6: Get ready. Typically there is little or no notice of an ICE audit, subsequently your company needs to be ready for any such eventuality. Pollak advises a company to draft a policy which sets out how your company will respond if the ICE auditors arrive. Other keys are to have your company’s documentation readily accessible and to have employee’s prepared for a surprise audit through training.

Lesson No. 7: Be serious. Pollak believes that a common mistake made by companies when they receive advance notice of an ICE audit is to fail to take the audit seriously. She reiterates that such an audit is very serious business and that no matter how friendly the auditors might seem they are not friends of the company.

Lesson No. 8: Take action. Pollak advises companies to put a process in place to handle a “no match” letter from the Social Security Administration. These letters can be useful tools to put an employer on notice that there is a problem with an employee’s social security number and this is an important step not to be missed.

Lesson No. 9: Take action (II). Pollak advocates that a company should “establish self-reporting procedures for the company to report to ICE any violations or discovered deficiencies.” This will help in any enforcement action going forward.

Many in-house counsel have a wide variety of roles in their employment. For counsel in a smaller company, it may include ICE enforcement issues, as well as anti-corruption compliance and export control enforcement. Pollak has provided some solid, concrete tips for ICE compliance in her article. Many of the points she raised can be used in the broader compliance convergence context as well.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

A Seat at the Table – Compliance in the Contract Tender Process

After all the due diligence on the sales agents and representatives has been completed and they are ready to help you land that large international contract, what is the role of compliance? I would argue that compliance has as central a role to play in any international contract tender process as any other support group in your company; be they legal, tax, HR or another department. If you put compliance at the mix when preparing your response to RFP your company will be much better served than calling them after an issue arises during the contract execution. What are some of the areas that compliance can be of use during contract negotiations?

Subcontractors

It certainly should not surprise anyone to be made aware that your company is legally responsible for its subcontractors in the execution of a contract. This is also true in the anti-corruption context, whether under the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. This means that any direct tier subcontractor, which your company might use to complete an international contract, needs to be thoroughly vetted under your compliance regime as a foreign business partner. The reason for this is the same as an agent, subcontractors are acting on your company’s behalf, and hence your company is responsible for them. If you can perform due diligence on all parties which your company will need to execute the contract in the pre-contract phase, it will make things run more smoothly and efficiently after your company is awarded the contract and moves into the execution phase.

Travel to Company Facilities

As a part of the tender process, your company may be required to bring a foreign governmental official or group of officials to view your US operations. This can occur for a number of legitimate reasons, yet care must be followed under both the FCPA and Bribery Act. Your company can pay bona fide and reasonable expenses that are directly related to either (1) the promotion, demonstration or explanation of products or services; or (2) the execution or performance of a contract. Bona fide promotional expenses may also include trips to manufacturing facilities to observe your company’s production and quality control processes or to conduct inspection and testing called for in a contract of sale.  There can also be to facilities where the training offers a legitimate opportunity to demonstrate products and services. There are some guidelines that need to be followed and they are as follows:

• Any reimbursement for air fare will be for economy class.

• Do not select the particular officials who will travel. That decision will be made solely by the foreign government.

• Only host the designated officials and not their spouses or family members.

• Pay all costs directly to the service providers; in the event that an expense requires reimbursement, you may do so, up to a modest daily minimum (e.g., $35), upon presentation of a written receipt.

• Any souvenirs you provide the visiting officials should reflect the business and/or logo and would be of nominal value, e.g., shirts or tote bags.

• Apart from the expenses identified above, do not compensate the foreign government or the officials for their visit, do not fund, organize, or host any other entertainment, side trips, or leisure activities for the officials, or provide the officials with any stipend or spending money.

• The training costs and expenses will be only those necessary and reasonable to educate the visiting officials about the operation of your company.

One of the keys is having any such travel approved by your Compliance Department prior to the travel actually occurring. In addition to the above guidelines there should be a written agenda, reviewed and approved by the compliance representative before the travel occurs. Lastly, all costs associated with the travel and entertainment must be recorded in the Company’s books and records as cost of sales and not an operating expense. The written agenda approved by the compliance representative needs to be maintained and verified by after-action reports so that the entire process is documented.

Testing and Evaluation

If your company manufactures a product, your international customer may well ask to test and evaluate products as a part of the contract tender process. These products may only be provided to support such opportunities. The testing and evaluation of samples should only occur if required by a public tender. Exceptions may be made if the samples are formally requested in writing by the potential government customer in connection with a legitimate contract opportunity. Care should be made so that any product samples are delivered to the foreign governmental agency issuing the tender, not to an individual employee or official, or to a third party. There should be a formal written request identifying the specific number of samples to be tested and evaluated from the potential government customer. The number of samples requested should be reasonable in light of the overall potential contract. All costs associated with the provisioning of sample products for testing and evaluation must be recorded in the Company’s books and records as cost of sales and not an operating expense.

Evaluation of Compliance Risk

Just as other types of risk should be evaluated in any internal contract review process, the compliance risks should also be evaluated. What is the Transparency International – Corruption Perceptions Index ranking of the country or government where the contract will be executed? Are there other sources which can be accessed, such as World Check’s Country Check rating, the Mintz Group’s heat map “Where the Bribes Are”, or the FCPA Database, which aggregates several different types of information but specifically the national anti-corruption and anti-bribery laws applicable to local jurisdictions across the globe. Using these sources and perhaps others, you can put together not only a risk evaluation plan but also a risk mitigation plan for management which they can take into account when the decision of Bid/No Bid or pricing is finalized.

The Compliance Department is more than simply the group which performs the due diligence, trains on compliance and responds to inquiries. It can, and should, play an active role in landing contracts. A mature compliance program can be a great benefit for a company, not only in evaluating risk from the compliance perspective but also preparing the necessary steps so that if a contact is awarded, it can be executed in a time efficient manner. But it must have a seat at the table.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

Lin-sanity, the Mintz Group “Where the Bribes Are” Map and Compliance Programs

Lin-sanity has reached near epic proportions, even down here in Texas. Who can resist the underdog story of a twice cut Asian-American, Harvard educated, point guard making it on one of the biggest basketball stages in the world, Madison Square Garden. (Yes one of those brilliant teams that cut Lin was the Houston Rockets, thanks again David Stern for nixing the 3-way Lakers/Hornets/Rockets trade that probably would have kept Lin in Houston.) Although the Knicks finally lost a game after Lin became the starter, or as @srubenfeld tweeted “Well. It had to end, but against the Hornets?”; Lin-sanity still rages. There are many angles to Lin-sanity that we could explore that would apply as lessons in the compliance world; cultural sensitivity and cultural stereotypes being two that spring to mind.

However, today I would like to focus on issues raised in an article from the Friday, February 17, 2012 edition of the New York Times (NYT), entitled “Truck Driver’s Analysis Predicted Lin’s Professional Potential”, by Benjamin Hoffman. In the article Hoffman profiled a FedEx truck driver, Ed Weiland, who moonlights as a contributor to HoopsAnalyst.com. Prior to the NBA draft, Weiland wrote a report for HoopsAnalyst.com, in which he analyzed Lin’s stats from Harvard and concluded that Lin “might be among the best point guards available” in the 2010 draft. How is that for ‘spot-on’?

One of the key points in the NYT article is the increasing number of “seemingly ordinary citizens outdoing the work of people who are paid to analyze players.” I would note that he lives in Bend, Oregon, which, based upon my personal knowledge, I can assure you, is not on the “Top Hoops City in America Map.” Weiland believes that one of the reasons for such success is the “lack of direct relationship to the game.” Hoffman quoted Rany Jazayerli for the proposition that “for insiders, it’s hard to be objective, and even harder to write objectively when you have to deal with the people you’re writing about.” Also, while the pool of journalists covering the sport is finite, the “pool of outsiders tracking a sport is endless. Out of such a pool, some bright people are likely to emerge.”

Tools To Enhance Your Compliance Risk Assessment

So what lessons can the compliance professional draw from Lin-sanity? I would like to put forth two. The first is that there is a wealth of information available which can help you inform your compliance program beyond just the basics. Last week, I was a co-presenter, with Patrick Kelkar of The Mintz Group, on a webinar hosted by Ethics*Point. The featured discussion of the webinar was about The Mintz Group “Where the Bribes Are” heat map, which gives a complete review of all Foreign Corrupt Practices Act (FCPA) enforcement actions, by industry and location, in an interactive map. This tool supplements such standard tools as the Transparency International (TI) Corruptions Perceptions Map with great data. It is available for use free of charge on The Mintz Group website. By using this heat map, you can further evaluate your compliance risks by more than simply geography and then put risk management processes in place if you are moving to a new business line or into a new business area.

In addition to showing some of the above information, The Mintz Group also has some useful information for what it does not show. For instance, there are only a few FCPA cases in Russia and none in Ukraine, two countries consistently ranked among the more corrupt in TI’s Corruption Perception Index.  From The Mintz Group’s work in the region, the heat map indicates that some foreign companies have chosen not to do business there because of the demands for bribes. That’s the case in other areas of the world as well.

Listening to Your Pool of Talent

One of the things often overlooked, in not only the implementation but the ongoing enhancement of a compliance program, is the wealth of talent that is available to your compliance department in the form of your employee base. I have previously written about the usefulness of the local compliance champion and how companies as diverse as Coca-Cola and Halliburton make use of such local personnel in their overall compliance efforts. However, there are many people in your company who not only want to do business in the right way but want their company to succeed in such efforts. They can be some of your greatest assets and resources. Simply because someone in the field pushes back on an initiative that you might put forward does not mean they are against it. You need to listen to such information because there might well be information in that ‘push back’ that you can utilize in your compliance program going forward.

Almost every American of every stripe pulls for the underdog. At the end of the day, that may be the final reason Lin-sanity is so compelling. Nevertheless if you look closer not only was the talent there, but the underlying information on Lin’s college performance was there, analyzed and made available to you, courtesy of Ed Weiland. Similarly, there is information out there and available to you to continually assess your compliance risks. The Mintz Group heat map of “Where the Bribes Are” is but one tool available to you, at no charge, which allows you to have a more nimble and nuanced compliance program. Additionally I think the second message of Ed Weiland is equally compelling, that being that there are very talented people out there in your organization who are waiting for the opportunity to help make the company a better company by doing business in a compliant manner. While they may not have written a full treatise like Ed Weiland, they are out there waiting for you to listen to them. Do not be afraid to take that opportunity.

============================================================================================

There is a great debate on Tuesday, February 21 at noon EST between my ‘This Week in FCPA‘ colleague Howard Sklar and the FCPA Professor on whether the FCPA needs to be amended to add a compliance defense. It will be great fun and it’s free from at Securities Docket. You can obtain information and register by clicking here.

============================================================================================

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

Regulation v. Enforcement of the FCPA – A Renewed Call for Release of Declinations

In his blog post of February 16, 2012, entitled “The Justice Department’s Slippery Slope — Enforcement Versus Regulation”, Mike Volkov takes the Department of Justice (DOJ) to task for “hubris and insensitivity to the business community” in their enforcement of the Foreign Corrupt Practices Act (FCPA). I believe that he correctly notes that companies do want to comply with the FCPA but want more guidance so that they do not have to “read the tea leaves” on what the DOJ may believe is conduct violative of the FCPA.

However, I do not believe the “hubris or insensitivity” of the DOJ is the genesis of this perceived problem. Rather, I would argue that it is the nature of system in place. I need to credit my colleague Doug Jacobson for this next insight. For those of you who do not know him, Doug is a well-experienced international trade lawyer, who blogs at International Trade Law News. Doug’s observation was that the FCPA is similar to a regulatory system which, in this case, is being administered by DOJ lawyers. He contrasted this with his international trade law practice, in which he frequently interfaces with regulators from the Departments of Commerce and Treasury on issues related to trade control. Of course if a legal violation occurs, trade control issues can and do go to the DOJ for enforcement, but as counsel representing companies, he can interact with regulators to develop best practices programs, policies and procedures.

In the FCPA arena, there are no regulators to call upon. If one has a query, one is required to ask the group that enforces the FCPA. Of course the DOJ does have its Opinion Release procedure, which has been sometimes used and is of value to those in the compliance field. In addition to Opinion Releases, the only other DOJ comments on best practices are those which are to be found in Deferred Prosecution Agreements (DPA) and Non-Prosecution Agreements (NPA). We are also now beginning to see a body of case law develop, particularly on the definition of who is a foreign governmental official.

In his post, Volkov cites back to a case from the 1970s for some guidance. He wrote that in the aftermath of the breakup of AT&T, District Court Judge Harold H. Greene, who presided over the implementation of the antitrust decree in the case, and Justice Department lawyers played a critical role in setting telecommunications policy. However, he wrote that “The Bell Operating companies argued that they needed to be regulated by the FCC, not the Justice Department and a federal judge. Moreover, the industry accused the judge, and the Justice Department of slowing the telecommunications industry, and eventually the judge and the Justice Department were removed from the issue when Congress enacted the Telecommunications Act of 1996.”

In his dénouement, Volkov urges the DOJ to “respond to the business community, adopt some prosecutorial policies and make them public, so that companies can implement meaningful and effective compliance programs without fear of unfair prosecutions.” However, as lawyers are charged with enforcement, not regulation, I would urge another tack. I have previously argued that another viable source of information is found in DOJ declinations to prosecute companies which self-report potential FCPA violations. A decision to prosecute, or not to prosecute, is precisely what prosecutors do. In the declination process, the DOJ is handling a much broader and more significant amount of information than is found in an Opinion Release. A self-disclosing company has investigated or will investigate a matter, most likely with the aid of specialized outside FCPA investigative counsel. The DOJ has the opportunity to review the investigation and suggest further or other lines of inquiry. Company personnel are made available for DOJ interviews, if appropriate. In short one would have actual facts and detailed oversight by DOJ, which in the case of a declination to prosecute, would provide substantive guidance on why it did not believe a FCPA violation had occurred in the face of a company’s good faith belief that it had violated the FCPA.

Declinations to prosecute are a part of the enforcement process. By releasing declinations to prosecute, the DOJ can maintain its role in enforcement and not become the regulators of the FCPA. I believe that release of this information, redacted in such a manner as to protect the names of the parties involved, would be some of the highest value of compliance information that a practitioner could use to determine what the best practices are and what actions might well constitute a FCPA violation in the eyes of the DOJ. Further, for those who wish to simply water down the statute, in the name of US competitiveness, such information should put to rest the arguments that companies are being unfairly prosecuted for the actions of ‘rogue’ employees.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

Attorney-Client Privilege for In-House Counsel

The question of attorney-client privilege (herein “the privilege”) for in-house counsel can be a vexing one, yet one that has significant implications for investigations and enforcement actions under the Foreign Corrupt Practices Act (FCPA) or other anti-corruption legislation. There is a split decision between the US and countries in the European Union (EU) on whether in-house counsel may engage in privileged communications with corporate employers. In a recent article, entitled “In-House Counsel and Corporate Client Communications: Can EU Law after Akzo Noble and U.S. Law after Gucci be Harmonized? Critiques and a Proposal”; published in Volume 45, Number 3 of the International Lawyer, author John Gergacz explored this dichotomy and proposed a simple, yet clear rule to put in place to foster ease of determination of the privilege and promote the goals behind the existence of the privilege.

This question of whether the privilege exists for communications will certainly increase due to the increase in international enforcement actions in the area of anti-corruption and anti-bribery under laws such as the FCPA and UK Bribery Act. It will also arise in investigations involving any other activities which might be subject to both EU and US laws, such as EU competition law and US anti-trust law.

European Union Countries – Status of counsel test

In EU countries, the primary test involves what is the status of the lawyer making the communication. Following a 1982 decision, styled “AM&S Europe v. Commission of European Communities”, the privilege is limited to communications conducted with independent lawyers. Initially, a determination must be made if an attorney is independent, this being defined as to whether or not an attorney was “bound to his client by reason of employment” for example an employee. However, the court decision did not use the term “in-house” counsel but broader formulation of “independent counsel.” While recognizing that this may have left room for interpretation the practice seems to be to deny the privilege when the advice emanates from in-house counsel. Gergacz says that to apply the privilege in the EU is determined by following a two-step process. If this initial threshold of independence is met the analysis turns to the substance of the communication. That is, whether the “communications concerned legal advice and related to the client’s right of defense.”

United States – Type of communication

In all reported jurisdictions in the United States, both in-house counsel and outside counsel communications are eligible for privilege protection. However, within certain states in the US, the analysis is largely centered on the substance of the communication, whether it involves legal advice or more general business advice. This analysis recognizes that in-house counsel may have several “corporate capacities” all of which do not necessarily involve providing legal advice. Gergacz notes that “in practice, in-house counsel may communicate about a number of activities, even though his formal corporate position is to provide legal advice.” He believes that such sentiment has led to a greater scrutiny of in-house counsel communications than those made by outside counsel to a client. This has led courts to be “wary of inadvertently extending privilege confidentiality too far,” when business advice is provided or there are mixed business-legal services delivered.

EU/US Harmonization

Gergacz concludes his article with a proposal to harmonize these two rules for privilege. He believes that both views have merit, with the US recognizing the “equivalence of in-house and outside counsel” and the EU “the concept of counsel independence is noteworthy.” Gergacz’s proposal is that communications with in-house counsel would be privileged if the attorney involved is (1) admitted to a relevant Bar; and (2) has Bar membership status intact that allows him to practice law at the time of the relevant communication.

Gergacz listed three general reasons for his proposal. First, he believes that the proposal is easy to administer as there should not be either court intervention to determine privilege or court review of the communications involved. Simply put, does the lawyer have a license and is it up to date to allow him or her to practice law? Second, he believes that the privilege should be broad enough to encourage candor in communications between attorney and client in the corporate setting, but not so broad as to expand the cloak of confidentiality to “thwart just decisions from being rendered.” Third, and finally, Gergacz writes that in-house counsel often has two roles to fulfill. One is certainly as a lawyer providing legal services, however, it may be that a person who has graduated from a law school or holds a law degree may not be licensed to practice law and may have other roles inside of a corporation. As a practicing lawyer is held to ethical and disciplinary standards whether they are in-house or in private practice, the requirement for Bar membership should satisfy the AM&S line of cases which speak toward ‘independence’ as the key concept for privilege.

I would commend Gergacz’s article to you for a more complete review of the US case law and other issues related to attorney-client privilege. His proposal is certainly an intriguing one and one which deserves rich consideration to simplify this knotty area. In this era of multi-jurisdictional enforcement of laws such as the FCPA and UK Bribery Act, the certainty of whether a communication is privileged or not is an important point for businesses.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012