FCPA Compliance and Ethics Blog

July 26, 2012

FCPA and Bribery Act Hotlines: Staying Out of Hot Water with Other Jurisdictions

It is finally here. Today is the Opening Ceremony of the Games of the XXX Olympiad in London. The first Olympics I can remember watching were the 1964 Games in Tokyo. I was enthralled with watching the world’s greatest athletes compete and the boyhood joy about the Games still exists for me. And, for my money, the best sporting event will be held in the world’s greatest city. It should be a great show for the next two weeks. They are a must watch for me and I hope that you will enjoy them as much as I intend to.

Today’s compliance thoughts relate to the Olympics in another way. I recently came across not only a must read article for the compliance practitioner but also a must save article. In the International Lawyer, Winter 2011, Volume 45, Number 4, I came across an excellent article, entitled “How to Launch and Operate a Legally-Compliant International Workplace Report Channel” or, in Foreign Corrupt Practices Act (FCPA) parlance, a hotline. It was authored by Donald Dowling of the law firm of White and Case. Dowling provides a very useful guide to help navigate the challenges of setting up a multi-national whistleblower’s hotline, such as is required under the FCPA and UK Bribery Act. The majority of his article “analyzes the six categories of laws that can restrict whistleblower hotlines abroad, focusing on compliance.” You should obtain a copy of this article and keep it for reference in regard to your company’s hotlines. It is available on the White and Case website.

1.      Laws Mandating Whistleblower Procedures

This group of laws “comprises mandates that require setting up whistleblower hotlines in the first place.” This includes the US Sarbanes-Oxley Act (SOX) as well as other jurisdictions’ laws which generally protect whistleblowers from retaliation but do not specifically require any hotlines be set up on a company-wide basis. Dowling also found a couple of countries, Norway and Liberia, which require general receiving and processing of “public interest disclosures.”

2.      Laws Promoting Denunciations to Government Authorities

This category of laws generally relates to legal requirements for the reporting of illegal acts to government authorities in two ways. First, these laws encourage whistleblowing to government, which then competes with employer hotlines by enticing internal whistleblowers to divert denunciations from company compliance experts and over to outside law enforcers who indict white collar criminals. This first approach is found in Dodd-Frank, which offers bounties. Second, these “laws that require (as opposed merely to encourage) government denunciations rarely except corporate hotline sponsors. These laws therefore force hotline sponsors to divulge hotline allegations over to law enforcement.” This second approach is found in SOX, which “requires an employer to offer internal hotline procedures”.

3.      Laws Restricting Hotlines Specifically

This category is exemplified by European data protection laws which act to restrict companies’ freedom to launch and operate reporting programs. Dowling believes that these laws are based upon the fact that Europeans “see hotlines as threatening privacy rights of denounced targets and witness”. Also, this would seem to be in response to the totalitarian past from the World War II era. The author identifies what he termed “the four biggest hurdles” set up to frustrate hotlines in EU jurisdictions. They are “(1) restrictions against hotlines accepting anonymous denunciations; (2) limits on the universe of proportionate infractions on which a hotline accepts denunciations; (3) limits on who can use a hotline and be denounced by hotline; and (4) hotline registration requirements.”

4.      Laws Prohibiting Whistleblower Retaliation

This category will be familiar to US compliance practitioners through the applications of US laws such as SOX, Dodd-Frank and numerous state whistleblower statutes. Additionally, the author lists numerous foreign jurisdictions which have such laws. But here he believes that the key is communication because in many countries and foreign jurisdictions, there is no tradition of protection of persons who make reports against superiors so that an “employer needs to overcome worker fear of reprisal for whistleblowing.”

5.      Laws Regulating Internal Investigations

Typically, laws on internal investigation do not impact hotlines because a hotline is a “pre-investigation tool.” However, the author believes that, as with No. 4 above, communication by the employer is critical to complying with laws that enact procedural safeguards for persons under investigation. Heavy-handed communications about a hotline could blow back against employers in claims by employees that “an employer rigged the investigation process.” So companies should ensure that communications about hotlines do not convey an “overzealous approach to complaint processing and investigations.”

6.      Laws Silent on, but Possibly Triggered By, Whistleblower Hotlines

Here the author recognizes that the title of this category “is necessarily vague and determining which laws fall into it is difficult.” Nevertheless, he writes that the most “likely candidates are data protection laws silent on hotlines and labor laws imposing negotiation duties and work rules.” Regarding the former, the author argues that hotlines are not databases but conduits for the transmittal of information. He acknowledges that EU data privacy laws reject this distinction and treat hotlines as if they were databases where information is stored. He does not identify other jurisdictions which yet take this aggressive approach but he believes this may become a trend. The labor law issue is also tricky and may turn on the interpretation of whether the institution of a hotline is viewed as a substantive change in working conditions under a union-management labor agreement and therefore subject to collective bargaining.

I have only skimmed what is in the body of the text. In addition to all of that information, the author also provides a handy chart which has the following headings:

Jurisdiction | Is the authority binding law? | Must confine hotline to certain topics only? | Are anonymous whistleblower calls ever OK? | Is outsourced (vs. in-house) hotline favored? | Must disclose hotline to data agency?

So just as the London Olympics is a must watch for me, this article is a must read and a must download for compliance practitioners.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

The Role of a Board in Compliance and Ethics: How We Arrived and Where We Are Going

Yesterday, the Houston Astros traded Wandy Rodriguez, the last remaining member of the 2005 National League (NL) champs. The Astros have traded away their five ‘top’ players over the past three weeks, coincidentally turning in a sterling 2-20 run. Whoever they got for their top talent sure has not helped very much. The Astros now sit in dead last place in wins and losses in the current Major League Baseball (MLB) standings at 34-64 with a .347 winning percentage. This translates into a 105 loss season, which is actually a one-win improvement over last season’s 106 losses. But our new owner keeps telling us he has a plan. It’s pretty obvious that it is to have the absolute lowest payroll so he can service his mountain of debt that he incurred from purchasing the team. And did I mention that the Astros are moving to the American League (AL) next year? At least then we will no longer be the worst team in the National League…

I thought about my beloved Astros and what their Board of Directors might think about all of this; that is, if they had a Board of Directors. For instance, would a Board of Directors throw in the towel for being competitive in not only this season but for at least three more just to save some money? But the Astros do not have a Board, they only have an owner, so a special thanks to Jim Crane for not only selling out by agreeing to send us to the AL but for ending any chances of the Astros being in the playoffs anytime soon.

Fortunately, US public companies do have a Board of Directors and these same Directors have a role in their company’s Foreign Corrupt Practices Act (FCPA) compliance program. Corpedia, in a recent White Paper entitled “The Importance of Board Oversight: The Role That Directors Play in an Organization’s Ethics and Compliance Program”, detailed why a Board of Directors has a role in a company’s FCPA compliance program and provided some guidance as to their views on what may constitute “appropriate Board oversight”.

Responsible Corporate Officer Doctrine

The duty began with the formulation of the Responsible Corporate Officer Doctrine by the US Supreme Court. Under this Doctrine, officers and directors could be held liable under the following three conditions. First, the person in question occupied a position of responsibility and authority in the corporation. Second, the individual in question had the power to prevent the violation of law. Third, the person failed to do so. Although the Doctrine was originally narrowly focused, it has been expanded to other areas of the law such as the Sherman Act, securities laws and environmental laws.

Delaware State Court Cases

In the Caremark decision, the Delaware Court of Chancery held that, as a part of a Board’s duty of good faith, directors have an obligation to ensure that a corporate information and reporting system exists. This was followed up by the case of Stone v. Ritter, which stands for the proposition that “a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists.” Lastly, there is the case of In re Walt Disney Company Derivative Litigation, from which can be drawn the principle that directors should follow the best practices in the area of ethics and compliance.

US Sentencing Guidelines

The US Sentencing Guidelines and Department of Justice (DOJ) Prosecution Standards provide guidance as to the obligations of a company’s Board regarding FCPA compliance. These began with the Sentencing Reform Act of 1984, which led to the first sentencing guidelines for corporations. These were modified and evolved under the 2004 Amendments to the Organizational Guidelines and the 2010 Amendments to the Sentencing Guidelines. Under these versions, a Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. Additionally, the DOJ has added guidance for the prosecution of corporations. In the US Attorneys’ Manual (2009), the DOJ posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program?; and (2) Are Directors provided information sufficient to enable the exercise of independent judgment?

What Constitutes Appropriate Board Oversight?

Corpedia ends its White Paper with suggestions about what types of information a Board of Directors should periodically receive. First and foremost are reports of “suspected misconduct and of the company’s responses to those allegations.” Next, Boards should be involved with the approval process for creation of or amendment to the company’s Code of Conduct and related policies. In addition to those areas, Corpedia suggests that a Board receive information on the following:

  1. The structure and resourcing of the company’s compliance program and whether the Chief Compliance Officer (CCO) has sufficient authority to implement the program.
  2. The structure of the company’s reporting system and the company’s policies regarding response to such misconduct.
  3. The types of compliance training that employees receive.
  4. The company’s risk assessment process and results and the methods developed by the company to prioritize and address the risks identified.
  5. The audit program for the compliance program and investigation protocol for substantive violations.
  6. The perception of whether the company has a culture of compliance, whether employees fear retaliation for reporting violations and whether the employees believe that the company is truly committed to compliance.

The Corpedia White Paper provides a good review to understand the legal and statutory basis for a Board of Directors’ obligations under the FCPA. Too bad the Houston Astros did not have a similar group looking after the interests of the Astros stakeholders.

Errata: the Astros’ record over the past three weeks is 2-22, not 2-20.
