FCPA Compliance and Ethics Blog

March 30, 2012

Is a Major Bribery Prosecution Coming in Canada Under the CFPOA?

“What did the President know and when did he know it?” That is the iconic question from the Watergate Hearings asked by Senator Howard Baker of various witnesses. In the case of the Canadian engineering company SNC-Lavalin Group Inc. (SNC), it appears that its chief executive knew something was amiss and had known so for quite some time.

In an article in the March 27, 2012 edition of the Wall Street Journal (WSJ), entitled “Big Builder’s Chief Resigns”, reporters Caroline Van Hasselt and Satish Sarangarajan detailed the ongoing turmoil at SNC. In an article in the New York Times (NYT), entitled “Chief of Canadian Firm Steps Down After the Inquiry”, reporter Ian Austen reported that the chief executive of the firm, Pierre Duhaime, resigned on Monday, March 26, after the “release of a report indicating that he had authorized that $56 million in improperly documented payments to unidentified agents.” The WSJ reported that the company “still had unanswered questions about the payments and had referred the matter to the Royal Canadian Mounted Police [RCMP]…”

Both newspaper articles reported on the release Monday of a copy of the company’s internal investigation, although the NYT article stated that it “appeared to raise more questions than it answered.” It appeared from the WSJ article that Duhaime had personally approved these payments to unknown agents to secure work for SNC projects. Apparently these agents were hired without any formal vetting process. Further, the company reported that it was taking a charge to earnings for separate amounts of $33.5 million and $22.5 million, which had been incorrectly recorded on the company’s books and records. These payments had been made from 2009 until 2011.

Interestingly, the company’s Chief Financial Officer (CFO) had objected to these payments because, as reported by the WSJ, “the agents identities weren’t properly disclosed and their fees would be charged to other projects.” The NYT reported that the payments were to “agents who broker and manage contracts with foreign governments.”

So what does all this mean under relevant Canadian law? It could mean quite a bit. Canada has its own law prohibiting bribery and corruption of foreign governmental officials, the Canadian Corruption of Foreign Public Officials Act (CFPOA) which was enacted in 1999. The criminal provisions of the CFPOA are almost identical to those found in the US Foreign Corrupt Practices Act (FCPA) but it has no equivalent to the books and records component and there is no civil component which is enforced by the US Securities and Exchange Commission (SEC). The CFPOA only contains a criminal component, similar to that which is enforced by the US Department of Justice (DOJ). The FCPA has a longer jurisdictional reach than the CFPOA, where the test for jurisdiction requires that the cases involved have a “real and substantial” link to Canada. This means that a portion of the illegal activities must have been committed in Canada or have a real impact on Canadians.

Under the CFPOA, there are clearly questions raised that would be similar to those raised under an FCPA analysis. What due diligence, if any, was done on the agents? What services, once again if any, were performed by the agents? That the company still does not know who the agents are, what the $56 million in payments was for, or where it went is problematic as well. Why did the company executive approve these payments over the objections of the CFO? While there is no books and records equivalent under the CFPOA, mis-characterizing payments and expenses would seem to indicate a desire to hide the true nature of the payments.

SNC had strong relationships with members of the former ruling family in Libya, the Qaddafis, and had done ongoing work for the country before the regime fell. A consultant for the company was reported by the NYT to have traveled to Libya during the allied forces bombing and “produced a five-page report that was critical of the NATO-led bombing campaign in support of Libyan rebels.” In view of these relationships, could some of this $56 million have been paid as bribes in Libya?

As noted, the matter has been turned over to the RCMP for further action. In a guest post on this blog, entitled “Why Does It Appear Anti-Bribery Enforcement Is Lacking in Canada?” our colleague Cyndee Todgham Cherniak wrote that Canada’s criminal justice system does not include grand juries. As a result, the job of the RCMP is to gather sufficient information to cause the Crown to lay charges. Canada does not use grand juries as an investigatory tool. When there is a Canadian investigation, the RCMP is not inclined to talk about it. Appropriately, they declined comment for both articles.

Many questions are left unanswered by the company report. But as we might say down here south of the border, it is time for several people to “lawyer up”.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

March 29, 2012

To Give or Not To Give and If So How, Under the FCPA

To give or not to give? That is certainly a question but it may also include the question of the value of the gift. Under the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act, gifts and entertainment continue to bedevil compliance practitioners, business unit personnel and compliance programs in general. Yesterday at the Dow Jones Global Compliance Symposium there was a panel discussion on gifts that raised some interesting approaches.

Rules Based Approach

One company had a fairly typical US rules based approach which set the dollar value of gifts and entertainment in two general categories: gifts and entertainment for foreign governmental officials and gifts and entertainment for non-foreign governmental officials. Interestingly, the company also had a third category, which was gifts and entertainment that its own employees could accept. The limits were lower for the foreign governmental official than the non-governmental official. If an employee desired to go over the specified limit, then Compliance Department approval was required. However, the Compliance Officer said that if the gift or entertainment request was reasonably detailed and a clear business purpose was articulated in the request, she would usually approve the request if the amount of money did not appear to be unreasonable.

The compliance officer reported some numbers from her company’s Ethics Helpline from the past year. Almost one-third of the calls which came into the Helpline were categorized as inquiries rather than reports of issues which were investigated. Of this group of inquiries, the largest single group, almost 25%, were questions about gifts and entertainment issues. So even with this rules based, bright line approach there were still many questions from the employee base on gifts and entertainment.

Values Based Approach

The second company took a different approach. Although it is a US company, it took a more European-centric, values based approach. It allowed the regions to set their own top end values to gifts and entertainment, based upon the nuances and risks of the geographic area. There was not the trichotomy of categories as listed above. The company compliance representative said that in their values based system, there was greater monitoring of employee gifts and entertainment by the compliance department and that they engaged in more training for employees on gifts and entertainment issues.

This monitoring was more extensive than in the rules based company. If an employee went above the overall company limit, the matter was investigated through an independent review of the amount spent, who it was spent on and the business purpose. This was then all written up and the independent investigator made a determination as to whether a compliance violation had arisen. While this post-event work seems costly and disruptive to the business, the company representative said that it worked for her company.

Proportionality

One of the interesting discussions was on the issue of proportionality. Proportionality in the context of gifts and entertainment in anti-corruption compliance programs generally relates to the types of gifts or entertainment appropriate to be provided to a high level company official. One rule of thumb mentioned was that if the entertainment provided was typical for a company executive and that executive could routinely pay for it, this was indicia that it was reasonable if provided from one senior level executive to another. There was mention of another company which had one gifts and entertainment policy for high level company officials and another policy for regular employees. All of this means that it may well be acceptable for your company President to entertain another company President at Wimbledon or other similar event.

Warning

Another panelist cautioned the audience to remember who would be reviewing gifts or entertainment in an investigation. He said that the view of Department of Justice (DOJ) attorneys, who might review such information in the context of an FCPA investigation, as to what is reasonable or even ‘modest’ is usually very different from the view of sales persons. Lastly, there was caution suggested about raising the limits of your gifts and entertainment policies if they are under review at this time. The panel believed that the current enforcement atmosphere makes such a move problematic at best.

The panel was quite good in setting out the parameters and types of gifts and entertainment policies. The message to me seemed to be the following: decide on a policy which works for your company and then follow it. But verify and verify. And finally, document, document and document.

March 28, 2012

The FCPA Enforcement Process: Negotiating the Penalty

I recently explored the issue of ‘extraordinary cooperation’ in the context of a Foreign Corrupt Practices Act (FCPA) enforcement proceeding and some of the concrete steps that a company could take to reduce its overall penalty assessed by the Department of Justice (DOJ). However, there is an additional step which a company should engage in before it receives its final penalty amount. This step is the negotiation with the DOJ over the amount of the penalty. Never having gone through such an exercise, I have often wondered what factors a company might put forward for DOJ consideration in this process. So I put that question to three persons with whom I shared a panel at the Dow Jones Global Compliance Symposium: Rich Plansky, Managing Director, Kroll; Eric Sitarchuk, Partner, Morgan, Lewis and Bockius; and Gary Giampetruzzi, Assistant General Counsel, Pfizer.

Credibility

Plansky emphasized that it all begins with credibility. This credibility must begin in the initial self-disclosure, if such is made, and it must continue throughout the investigation process. A company must engage in a credible investigation through the use of skilled and independent investigative counsel and it must use investigation techniques that the DOJ will recognize as sufficient, in areas such as computer imaging and document retention. He said that a company must turn over all its findings, both good and bad, to the government.

Collateral Consequences and Additional Costs

Sitarchuk said that he would emphasize two points in negotiation with the DOJ. The first is the collateral consequences if a proposed penalty is viewed as too high. The consequence of a penalty which is too high, after a company self-reports and cooperates throughout the pendency of an investigation, could be that it deters other companies from self-reporting FCPA violations to the DOJ. The second point would be to discuss the total impact in cost to the company of the incident. So if a public company is involved, this line of argument could include such things as the costs for defending, settling any shareholder lawsuits which might follow on an FCPA enforcement action and other documented and relevant costs. There may also be other non-monetary consequences he would bring up as well, such as potential debarment or other legal remedies that the company may be facing in the US or abroad.

Best Practices

Giampetruzzi said that he believes it is important to emphasize the company’s new compliance regime and commitment to compliance, which can be based in the remedial measures taken by the company to upgrade its compliance program. He noted that arguing the company’s ethical culture during a regime under which an incident arose is not the tack to take; rather, the company should emphasize what it did to remedy the problem that arose. In this context, a company can show the steps it has taken and how it meets or exceeds a minimum best practices compliance program.

All three panelists made clear that the working relationship you establish during the entire process is critical to the end result. Recognizing the different interests that each party represents and speaking towards satisfying those interests is an important role for any lawyer in the process, whether DOJ lawyer, outside counsel representing the company or in-house counsel involved in the process. The final result is a negotiation but the negotiation does not begin simply when the DOJ proposes a number for the penalty. It begins and continues throughout the process.

March 27, 2012

The Biomet SEC Complaint: Lessons for Internal Audit

On March 26, 2012, both the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ) announced the resolution of enforcement actions against Biomet Inc., a US entity which manufactures and sells medical devices around the world. It is headquartered in Fort Wayne, Indiana. The Company admitted to a lengthy run of bribery and corruption of doctors to induce them to purchase its products. The FCPA Blog reported that the “company will pay a criminal fine of $17.3 million to resolve charges brought by the DOJ. It also agreed with the SEC to settle civil charges by paying $5.5 million in disgorgement of profits and pre-judgment interest.” In this post I will review the SEC Complaint and discuss the facts it posited regarding the Company’s internal auditors to draw out some lessons for an Internal Audit Department’s role in Foreign Corrupt Practices Act (FCPA) compliance programs.

Bribery and Corruption Facts

The Company engaged in an eight (8) year scheme to bribe and corrupt doctors in the countries of Argentina, Brazil and China to induce the physicians to purchase Biomet products. The SEC Complaint reported that from “2000 to August 2008, Biomet Argentina employees paid bribes to doctors employed by publicly owned and operated hospitals in Argentina in exchange for sales of Biomet’s medical device products. The doctors were paid approximately 15-20 percent of each sale.” In Brazil, the SEC Complaint reported that from 2001 until 2008, Biomet’s “Brazilian Distributor, paid bribes to doctors employed by publicly owned and operated hospitals to purchase Biomet’s implants. Brazilian Distributor paid the doctors bribes in the form of “commissions” of 10-20 percent of the value of the medical devices purchased.” In China, Biomet subsidiaries and its Chinese distributor paid from 5% up to 25% commissions to doctors for the sale of its products which were used during surgeries and also paid for Chinese surgeons to travel for training “including a substantial portion of the trip being devoted to sightseeing and other entertainment at Biomet’s expense.”

Biomet Bribery Box Score

| Country | Bribe Rate | Total Amount Paid | Loss or Write Off |
| Brazil | 10 to 20% | $1.1 | $4.2MM |
| China | 5 to 25% | Not reported | Not reported |
| Argentina | 15 to 20% | $466,000 | Not reported |

| Costs | Fine or Profit Disgorgement |
| DOJ Fine | $17.3MM |
| SEC Profit Disgorgement | $5.5MM |
| Documented Cost | $29.7MM |

Internal Audit

The SEC Complaint reported that the Company’s Internal Audit was not only aware of the bribery program but discussed it in memoranda to the Company’s home office, including the head of the Company’s Internal Audit Department. For instance, in Argentina, as early as 2003, the Company’s head of Internal Audit “circulated an internal audit report on Argentina to Senior Vice President and others in Biomet in Indiana in which he stated, “[R]oyalties are paid to surgeons if requested. These are disclosed in the accounting records as commissions.” The internal audit report described the payments to surgeons, but only in the context of confirming that the amount paid to the surgeon was the amount recorded on the books.” However, the Company’s Internal Audit Department took no steps to determine why royalties were paid to doctors or why the payments to the doctors were 15-20% of sales. Internal Audit did not obtain any evidence of services which the doctors might have performed entitling them to the payments. The SEC Complaint noted that Internal Audit “concluded that there were adequate controls in place to properly account for royalties paid to surgeons without any supporting documentation” and Internal Audit’s only “recommendation was to change the journal entry from “commission expenses” to “royalties.””

Biomet’s Director of Internal Audit is reported to have “instructed an auditor to code improper payments being made to doctors [in China] in connection with clinical trials as “entertainment.”” The Director of Internal Audit also reported that Biomet’s “Brazilian Distributor makes payments to surgeons that may be considered as a kickback. These payments are made in cash that allows the surgeon to receive income tax free . . . . In the consolidated financials sent to Biomet, these payments were reclassified to expense in the income statement.”

The SEC Complaint also noted that “Biomet’s books and records did not reflect the true nature of those payments. The Company’s payments were improperly recorded as “commissions,” “royalties”, “consulting fees”, “other sales and marketing”, “scientific incentives”, “travel” and “entertainment.”” The SEC Complaint concluded with the following: “False documents were routinely created or accepted that concealed the improper payments.”

Lessons Learned for Internal Audit

The SEC Complaint had some very clear guidance for the role of Internal Audit in detecting bribery and corruption in a best practices FCPA compliance program. First and foremost, if there are any types of commission payments being made, Internal Audit needs to review the documentation supporting why such payments are being made. A review of contracts or other legal requirements which may obligate a company to make such payments should be a basic undertaking in any internal audit. After an internal auditor has determined if commission payments are legally authorized, the internal auditor should review evidence that such commission payments have been earned. In other words, is there any evidence in the company’s books and records that the person or entity performed services which might have entitled them to such commission payments?

Another role delineated in the SEC Complaint for Internal Audit is to correctly classify payments so that the books and records of the company accurately reflect them as expenses. As noted, the Director of Internal Audit instructed that bribes paid during clinical trials of the Company’s products should be reclassified as ‘expenses’. Further, while specifically stating that Biomet was assisting Brazilian physicians to evade the payment of taxes on income, he directed that such bribes be classified on the Company’s books and records once again as ‘expenses.’

Of course, the costs in the Bribery Box Score listed above do not reflect the 3+ years of investigative costs, the loss of sales in the three countries from which the Company pulled out, or the anticipated cost of its upcoming three year monitorship. All I can say with certainty is that the cost for non-compliance is much higher than the cost of complying with the FCPA. The SEC Complaint gives clear guidance on what it expects from internal audit in an FCPA compliance program. I recommend that these steps be implemented much sooner rather than later.

March 26, 2012

What is ‘Extraordinary Cooperation’ in an FCPA Enforcement Action?

In the recent BizJet Deferred Prosecution Agreement (DPA), which detailed a litany of corrupt payments made and approved at the highest level of the company to obtain and retain business in Mexico and Panama, the company received a monetary fine of more than 30% under the low end of the amount suggested by the US Sentencing Guidelines. How did the company obtain this fine reduction? Through what the Department of Justice (DOJ) termed “extraordinary cooperation”. I have often wondered what the term “extraordinary cooperation” meant so when I attended a panel at the recent 2012 Global Ethics Summit, entitled “Engaging with the Government: What’s Changed?” I put that question to panelist Ty Cobb, a partner in the Washington DC office of Hogan Lovells.

As a general rule, Cobb noted that ‘extraordinary cooperation’ will not be the definition given by the company but by the DOJ. This is an important discussion to have with your client very early on to set a proper expectation. A company must be credible at all times; it cannot selectively report facts but must report both good and bad facts to the DOJ. Lastly, each matter is a separate negotiation and must stand on its own feet. He said that a company does not have to completely roll over to every request made by the DOJ as there can and should be negotiations by investigative or other specialized counsel who interact with the DOJ throughout the process.

Cobb also provided some guidance on the specific steps which might lead to a penalty reduction.

Did you go high enough?

First, what did the company do to the persons involved in the bribery and corruption? Was there discipline to the parties? How high up did the company go to discharge or discipline those involved in the bribery and corruption? Did discipline or discharge go up to the highest levels of the company if persons at those levels were involved in the bribery or corruption?

Did your retraining go down low enough?

Here Cobb focused on retraining of employees. He said that it was important that your post incident training go down to an appropriate level of employees in the company. While he did not say how low that level might be, clearly the better approach would be to over-include rather than under-include for training. This seems to imply that full and significant training must be provided to more than simply high risk employees.

Provide access to documents and individuals

A company’s investigative team will probably have to review thousands if not millions of pages of documents and electronic communications. Obviously a summary of the relevant documents and electronic communications will need to be provided to the DOJ but if the government wants access to the full set of documents, that will also be required. Access to employees for DOJ interviews will also be required. This can be tricky as it may intersect with ‘did you go high enough’ listed above regarding termination. Many companies desire to terminate employees determined to be involved in such conduct immediately but if you do so, they may not cooperate with an internal investigation. It may also make it difficult for your company to make such terminated employees available to the DOJ for interview.

Best practices program going forward

One of the things consistently mentioned in DPAs and Non-Prosecution Agreements (NPAs) is that a company which reaches such an agreement with the DOJ always agrees to institute a rigorous compliance program going forward. As the compliance programs listed in Attachment C (or Attachment B to an NPA) are monikered as minimum best practices, this would seem to indicate that the companies involved went beyond the minimum. DPAs, such as the Johnson and Johnson (J&J) DPA, go so far as to create and embrace “Enhanced Compliance Obligations” which detail compliance policies and procedures which go beyond the minimum best practices.

Self Monitorships

The BizJet DPA also includes a concept which has appeared in several recent DPAs. BizJet agreed that it would report “at no less than twelve-month intervals during the three year term” [of the DPA] to the DOJ on “remediation and implementation of the compliance program and internal controls, policies and procedures” as set forth in the DPA. The initial report was required to be delivered one year from the date of the DPA and would also include BizJet’s proposals “reasonably designed to improve BizJet’s internal controls, policies and procedures for ensuring compliance with the FCPA and other applicable anti-corruption laws.”

Cobb’s observations, together with the information that can be gleaned from the BizJet DPA, provide some general parameters that a compliance practitioner may use to understand more completely how the term ‘extraordinary cooperation’ might be defined from the perspective of the DOJ. The DOJ has consistently rewarded companies which provide such cooperation with penalties below those suggested by the US Sentencing Guidelines. However, such cooperation is not a walk in the park and, as someone who has worked at a company during a very intensive post-DPA monitorship, I can attest that such cooperation is far beyond ‘normal’ cooperation and truly is ‘extraordinary’. Yet at the end of the day, the internal cost appears to be well worth it.

March 23, 2012

To Boldly Go…Where the Board Needs to Go

Belatedly, we boldly go where no Canadian actor has ever gone before, to celebrate yesterday’s birthday of William Shatner, Captain Kirk of the original Starship Enterprise. I thought about Captain Kirk and his leadership of the Enterprise in the context of a panel at Ethisphere’s 2012 Global Ethics Summit. In a moderated keynote session, entitled “View from the Board”, moderator Stephen Jordan led the panel in an exploration of issues relating to the Board of Directors’ responsibility in a company’s compliance program.

What is the relationship between leadership and culture? Panelist Sheila Penrose, Chairman of the Board at Jones Lang LaSalle and Board member of the McDonald’s Corporation, said that she views the Board of Directors as the “curator of a company’s culture.” As a Board member she wants to know if there is a clear framework to determine and measure certain key facets of a compliance program. These key facets include: (1) tone of the company towards doing business in a compliant manner; (2) the effectiveness of the company to understand new compliance issues as they arise; and (3) the process and dynamics of the company’s compliance program. Her view of a Chief Compliance Officer (CCO) is that he or she should have “good professional judgment” and be able to communicate to the Board about their judgment of ethical behavior in the company.

Presentations to the Board

Regarding presentations to the Board of Directors, Penrose said that she desired to have two general types. The first is training the Board of Directors on emerging issues that the company might face from the compliance context and to direct how the Board of Directors might think about these issues, particularly in regard to how they would affect the risk profile of the company. The second is a report of the trends emerging from internal reporting on compliance issues. This could include hotline reports or surveys that the compliance group performs to determine if there are any emerging or systemic issues relating to compliance that should be addressed. From these metrics Penrose said that she is always keen to know if there are any lessons to be learned which can be applied to future situations or to stop certain behaviors.

The second panelist, Daniel Tishman, Board member of AECOM Technology Corporation, said the initial issue to determine is the type of Board. Is it the Board of a new or relatively new entity, populated with friends of the Chief Executive Officer (CEO) and with persons who either work in or have significant experience in the core business of the company? Conversely, is it the Board of a more mature company? If it is the former, Tishman believes a CCO will have to provide much more basic compliance education to the Board.

As to the types of presentations he prefers, Tishman focused his answer on the types of information that he expects if a serious compliance issue has arisen, which may well be a violation of a substantive anti-corruption law such as the Foreign Corrupt Practices Act (FCPA) or the UK Bribery Act. He said there are four points that he would like to receive guidance on or through. First, he demands prompt reporting to the Board. Second, all reporting must have complete transparency to the Board. Third, he expects proactive action by the CCO, rather than simply waiting for instructions. Lastly, Tishman would expect to be told if any event is a one-off or a systemic problem, coupled with a fair appraisal of whether the event is a true crisis or more of a “regular issue”.

Metrics

Both panelists discussed metrics as a key component of Board reporting. Tishman said that he prefers to receive metrics which focus on new or emerging areas for the company. So if the company is opening up with a new product line or service, or is moving into a new geographic area, he wants to see the compliance risks assessed and reported to the Board of Directors.

Penrose advocated metrics to measure three areas: (1) measures of magnitude; (2) measures of direction; and (3) measures of penetration. By measures of magnitude, she said that she desired information on how well the company’s compliance regime had been communicated throughout the target audience of employees and third parties, or “exposure”. The measures of direction are designed to present information on trends that compliance is seeing within the company; an example she gave was a review and summary of hotline reporting. The final measure, of penetration, was designed to drill down further than the measure of magnitude to provide metrics on how well the compliance program had penetrated down into the employee base and the third parties with whom the company might be working to obtain or retain business.

And what of Captain Kirk, his leadership and lessons learned for the compliance profession? He did not have to deal with a Board of Directors, in the form of Star Fleet Command, too often so that probably is not a helpful analogy. However, Kirk did lead from the front and that is what a CCO must do. Penrose said that she expects her CCO to “manage by walking around” to go out into the field and get the message of compliance to the troops. If you are the CCO, or compliance professional, you need to either be on the Away Team or lead the Away Team and boldly go where no CCO has gone before.

To get yourself in a Star Trek frame of mind, cue the iconic original television series opening theme here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

March 22, 2012

Three Keys to the Role of a Chief Compliance Officer

There is an ongoing debate in the compliance world about whether a company can or should combine or separate the role of the Chief Compliance Officer (CCO) from that of the General Counsel (GC). However, before a company can answer this question, it must meet No. 6 of the Department of Justice’s (DOJ) minimum best practices requirement for a Foreign Corrupt Practices Act (FCPA) based compliance program. Requirement No. 6 reads:

The company will assign responsibility to one or more senior corporate executives for the implementation and oversight of the company’s anti-corruption policies, standards, and procedures. Such corporate official(s) shall have direct reporting obligations to independent monitoring bodies, including internal audit, Company’s Board of Directors, or any appropriate committee of the Board of Directors, and shall have an adequate level of autonomy from management as well as sufficient resources and authority to maintain such autonomy.

This requirement clearly mandates that a company must have one or more senior level executives to oversee the company’s compliance program. At the recent Ethisphere 2012 Global Ethics Summit this issue was explored. Alan Yuspeh, Senior Vice President and Chief Compliance and Ethics Officer for Hospital Corporation of America, said that he believed there were three keys to the role of a company’s head of compliance.

a. Senior Management

Yuspeh believes that whoever heads compliance at a company must be included in the ranks of the company’s senior management. This is because when such a person speaks, they need to do so as a peer and not as a subordinate, to company management. Senior management status is also important when dealing with the Board of Directors.

b. Clear Commitment

Here Yuspeh spoke about a clear commitment from the top management of the company to the position of the head of compliance. This is more than simply the ubiquitous “Tone-at-the-Top” as it means a commitment to the position of head of compliance; a commitment to funding and achieving the goals of meeting a minimum best practices compliance program. This means that top management cannot simply cut off compliance at the knees every time it makes an unpopular decision. Further, the money must be made available to hire the necessary staff, travel and train employees, implement and help to perform the requisite investigations of third parties. If such monies are not made available, your company truly has a paper program.

c. Keep Compliance Involved

The third element that Yuspeh mentioned was that whoever heads compliance must “constantly fight to keep compliance involved” in all appropriate aspects of the company’s business. This is more than compliance simply having a seat at the table. The head of compliance must ensure that the compliance function is inculcated down into the DNA of the company. So, just as a Chief Executive Officer (CEO) might ask what is the Legal Department’s view on a certain contract or issue facing the company, the head of a company’s Compliance function should also be thought of as a person whose group is a “go-to” group within the company for advice.

Smaller companies may not have a Compliance function within their organization but it is clear from the DOJ’s minimum best practices that there must be a person who heads that function within a company. Yuspeh has laid out what he believes the practical guidelines are for a head of compliance within an organization. His comments speak to the requirements of the DOJ as laid out in requirement No. 6. Does the head of compliance in your organization meet these criteria?


March 21, 2012

OCEG Illustrated Series: Managing Corruption Risks

How do you move off dead center? That was a question posed by my colleague Mary Jones in a recent guest blog post. She gave several concrete steps in answer to her own question. This question was further explored in the January issue of the Compliance Week magazine which began a six-part “Anti-Corruption Illustrated” series by Carol Switzer, President of the Open Compliance and Ethics Group (OCEG). OCEG is an organization which “develops standards and guidance to help organizations achieve Principled Performance”; that is, “the reliable achievement of objectives while addressing uncertainty and acting with integrity.” OCEG’s Illustrated Series is a teaching method developed to visually represent how to set up processes and procedures in various areas and disciplines. This Anti-Corruption Illustrated Series is a very useful tool for the compliance practitioner to use in explaining the components of an effective compliance program.

In the first article of her series, Switzer shares her views on how anti-corruption programs enable business agility. In addition to her own thoughts, Switzer moderated and reported on a roundtable discussion of compliance experts who shared their views on managing corruption risks. These experts included Steven Kuzma, Global Leader in Corporate Compliance at Ernst & Young; Jay Martin, Chief Compliance Officer at Baker Hughes; Mike Rost, Vice President at Thomson Reuters GRC; and Jim Slavin, Senior Director at SAI Global.

  1. Assess the Risk – In this step you identify corruption risk factors that your company may face. These can be based upon several different factors including the nature and location of your company’s business activities; your company’s third party relationships; and your company’s methods for obtaining and retaining business. You should evaluate and then rank these risks based upon your company’s risk appetite and be prepared to respond to internal or external forces that might change this risk assessment.
  2. Develop the Program – You should develop “a comprehensive and balanced anti-corruption program that corresponds to the risks identified in the assessment process.” This should include written policies, procedures and internal controls for all levels within your organization. You will need to obtain Board of Directors and senior management endorsement of your strategies and communication of this support.
  3. Define and Implement Policies – In this step you should consider the written policies which map to the applicable regulations, obligations and business processes that you have created. Ownership of these requirements within the business is critical to their success and there should be communication to key stakeholders including “staff, third parties, auditors and customers.”
  4. Build and Operate Controls – Next you will need to establish “procedures and controls to prevent, detect, correct, and mitigate the risks” which you have identified and ranked. There needs to be ownership established to monitor these controls with regular documentation, continued assessment and testing of these controls.
  5. Train and Educate – You must develop and deliver training to “raise stakeholder awareness and competence regarding anti-corruption goals, policies, procedures and [internal] controls.” This should include identification of “role-specific programs with desired outcomes” with delivery methods to get your message across to the various target audiences.
  6. Monitor and Evaluate – Here OCEG suggests a five-step process to track and assess policies and controls for effectiveness.
    1. Screen – Monitor vendor, partner and customer records against trusted data sources for red flags.
    2. Identify – Establish helplines and other open channels for reporting of issues and asking questions by employees and appropriate third parties.
    3. Investigate – Use appropriately qualified investigative teams to obtain and assess information about suspected violations.
    4. Analyze – Evaluate data to determine “concerns and potential problems” by using data analytics, tools and reporting.
    5. Audit – Finally, your company should have regular internal audit reviews and inspections of your company’s anti-corruption program; including testing and assessment of internal controls to determine if enhancement or modification is necessary.
  7. Review, Realign and Report – This step requires you to “take timely corrective and disciplinary action for violation” of your company’s program. Your program should be regularly evaluated and aligned with any new or additional corruption risks which are found. Both the Board of Directors and senior management must be informed through regular reporting. Finally, there should be a professional external review on no less than a two year basis to determine your program’s overall sufficiency.

Switzer’s article and report on the roundtable discussion are very useful tools for the compliance practitioner. Her article includes a removable copy of the OCEG Illustrated Series on managing corruption risk. I heartily recommend it to you.


March 20, 2012

Mendelsohn and Denniston: A Compliance Dialogue

Last week I attended the 2012 Global Ethics Summit hosted by Ethisphere. The first event was a conversation between Mark Mendelsohn and Brackett Denniston, Senior Vice President and General Counsel of General Electric (GE). They both had some interesting observations on the current state of Foreign Corrupt Practices Act (FCPA) compliance. Denniston believes that the conversation on FCPA compliance has evolved to “What can organizations do to create a culture of compliance on a world-wide basis?” To answer this question he gave three overarching themes.

First, it all starts with the ubiquitous “tone-at-the-top” but it means more than simply saying the right things on a regular basis. Denniston believes that senior management must “speak often and be sincere” in communicating this tone. If they are not sincere, he believes that employees will pick up on this immediately and any efforts to instill such a culture of compliance will be doomed to fail. Second, senior management must “walk the talk” through both discipline and a system of rewards. The discipline must be clear and delivered decisively. The rewards must be not only direct financial remuneration but also the internal promotion of persons who do business in an ethical manner, under the Company’s Code of Conduct. Lastly, a company as a whole must have the willingness to listen. He directed these remarks to helplines and other mechanisms where employees can report compliance violations or even raise concerns. He was clear that it must be directly stated, and enforced, that there is a no-retaliation policy for all reports made in good faith. This also requires a company to keep accurate measurements of such reports and to design and refine its processes around these metrics.

Mendelsohn asked Denniston what were his three biggest challenges at GE regarding compliance and ethics. Denniston responded that the biggest challenge was in integrating acquisitions into the GE compliance culture. This is challenging in remote sites around the globe particularly in locations which do not have a senior management presence nor are visited by senior management on a regular basis. The second area is improper payments on a global basis. While noting that GE bans facilitation payments, these are still a challenge as are payments made through gifts, entertainment and travel. Lastly, he expanded his answer on the top three challenges to add regulatory compliance in general.

Denniston believes that the key for any company is how it will respond when a compliance issue arises. Within the GE world he said that the thing he worries about is that an issue will arise and the local business team will try to clean up the matter and will not disclose it to the home office. From afar, such a response would appear as a cover-up of a reportable FCPA violation, even if no one in the US was involved. It could lead to a conclusion by the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) of an entire failure of a company’s compliance program. Recognizing that the cover-up is always worse than the original event, this would seem to echo Number 3 of Paul McNulty’s Maxims of “What did you do when you found out about it [a compliance violation]?”

Picking up on his point that one of the things a company must do is listen to its employees, Denniston re-emphasized that communication is important but that a company must also measure the effect that these communications have. Metrics are an important aspect of creating and maintaining a culture of compliance at GE because they allow the company to base its compliance program enhancements on quantifiable data. He added that this helps dissipate the confusion between quality in the overall company compliance regime and simple regulatory compliance.

In a very interesting response to a Mendelsohn question along the lines of “is there too much FCPA enforcement?” Denniston responded that he did not think so as he believes that the DOJ has “got it right.” However, he does not believe this is the case with the SEC. He said that the problem, in his opinion, is around how much “fuzziness” there is from the SEC on the credit a company will receive for a self-disclosure. This is true even if the SEC has a principle which is consistent; Denniston believes that it does not always play out so clearly in practice.

Denniston ended his remarks in responding to a Mendelsohn question on “the single best compliance innovation at GE, during his tenure?” Being a good lawyer, Denniston had three single best compliance innovations. They were (1) every year GE tried to introduce a substantive improvement to its compliance program. These improvements are generated from a variety of sources, from local business unit employees to his aforementioned metrics to lead to an enhancement. (2) The continued efforts in the company to increase reporting of any compliance issues so that they might be evaluated by an appropriate compliance professional. He gave an example of a geographic region which had an inordinately low number of reports of compliance issues, which Denniston viewed as a negative. He sought to have this number increased by a minimum of 20% annually, which was achieved. In other words, if there are no reports, GE wants to know why there are no reports. (3) He said that there is now the creation of an unanticipated risk list. This has turned into an early warning system of issues that might pop up on the compliance radar; however, it also forces all employees engaged in the exercise to come up with compliance issues the company is not currently thinking about in any detail.


March 19, 2012

The BizJet DPA: Cooperation is the Key

Last week, the Department of Justice (DOJ) announced the resolution of an enforcement action under the Foreign Corrupt Practices Act (FCPA) involving the Tulsa-based company, BizJet. The company is in the business of providing aircraft maintenance, repair and overhaul services (MRO) to customers in the US and internationally. BizJet ran into FCPA trouble regarding its Latin American operations, specifically in the countries of Mexico and Panama. BizJet employees and executives were involved in a multi-year bribery scheme which paid hundreds of thousands of dollars for these MRO contracts. These payments were discussed at the highest levels of the company, including the Board of Directors, and occurred from 2004 until 2010.

BizJet Bribery Box Score

The Deferred Prosecution Agreement (DPA) listed the following instances of recorded bribery, a/k/a the “BizJet Bribery Box Score”.

| BizJet Executive or Employee Named | Payment Made To | Amount of Payment | Others Involved |
|---|---|---|---|
| Sales Manager A | Official 6 | Cell Phone and $10K | Executive B and C |
| Sales Manager A | Official 3 | $2K | Executive B |
| Executive B, C and Sales Manager A | Official 2 | $20K | |
| Executive C | Official 2 | $30K | Sales Manager A |
| Executive B | Mexican Federal Police Chief | $10K | Executive C and Sales Manager A |
| Executive C | Official 5 | $18K | Sales Manager A |
| Sales Manager A | Official 4 | $50K | |
| Sales Manager A | Mexican Federal Police | $176 | Executive C |
| Sales Manager A | Official 4 | $40K | |
| Sales Manager A | Mexican Federal Police | $210K | Executive C |
| Sales Manager A | Official 5 | $6K | Executive C |
| Executive C | Official 5 | $22K | |

The above bribes were characterized as “commission payments” and “referral fees” on the company’s books and records. Payments were made from both international and company bank accounts here in the United States. In other words, this was a clear case of a pattern and practice of bribery, authorized at the highest levels of the company and paid through US banks, with attempts to hide all of the above by mischaracterizing the payments in the company’s books and records.

Reduction in Monetary Fine

I set out these facts as listed in the DPA in some detail to show the serious nature of the enforcement action. However, the clear import that I found in this is that a company can make a comeback in the face of very bad facts. The calculation of the fine, based upon the factors set out in the US Sentencing Guidelines, ranged between a low of $17.1MM and a high of $34.2MM. The final agreed upon monetary penalty was $11.8MM. This is obviously a significant reduction from the suggested low or high end, or as was noted by the FCPA Blog “BizJet’s reduction was 30% off the bottom of the fine range, and a whopping 65% off the top of the fine range.”

How did BizJet achieve this reduction and avoid an external monitor? As reported by the FCPA Professor, the following were factors:

(a) following discovery of the FCPA violations during the course of an internal audit of the implementation of enhanced compliance related to third-party consultants, BizJet initiated an internal investigation and voluntarily disclosed to the DOJ the misconduct …;

(b) BizJet’s cooperation has been extraordinary, including conducting an extensive internal investigation, voluntarily making U.S. and foreign employees available for interviews, and collecting, analyzing, and organizing voluminous evidence and information for the DOJ;

(c) BizJet has engaged in extensive remediation, including terminating the officers and employees responsible for the corrupt payments, enhancing its due diligence protocol for third-party agents and consultants, and instituting heightened review of proposals and other transactional documents for all BizJet contracts;

(d) BizJet has committed to continue to enhance its compliance program and internal controls, including ensuring that its compliance program satisfies the minimum elements set forth in the” corporate compliance program set forth in an attachment to the DPA; and

(e) “BizJet has agreed to continue to cooperate with the DOJ in any ongoing investigation of the conduct of BizJet and its officers, directors, employees, agents, and consultants relating to violations of the FCPA.”

Reports to the DOJ

As mentioned, the company avoided an external monitor. However, it agreed that it would report “at no less than twelve-month intervals during the three year term” [of the DPA] to the DOJ on “remediation and implementation of the compliance program and internal controls, policies and procedures” which were listed in Attachment C to the DPA (the DOJ guidelines for a minimum best practices compliance program). The initial report was required to be delivered one year from the date of the DPA and would also include BizJet’s proposals “reasonably designed to improve BizJet’s internal controls, policies and procedures for ensuring compliance with the FCPA and other applicable anti-corruption laws.”

Cooperation is the Key

Last week I attended the Ethisphere 2012 Global Ethics Summit where Lanny Breuer closed the conference. He did not present a speech but engaged in dialogue with Alex Brigham and took questions from the audience. One of the clear points Breuer emphasized was that if companies will come to the DOJ, make a voluntary disclosure and fully cooperate, it will pay dividends. I believe that this is clearly the case in the BizJet matter. Here you had a multi-year bribery scheme in place, not only approved at the highest levels of the company but with active involvement from senior managers, yet the final monetary penalty was almost 30% below even the lowest in the Sentencing Guideline range. Clearly BizJet benefited through its cooperation with the DOJ and that message should be made clear to any other company which might find itself in such a “fine mess.”
