FCPA Compliance and Ethics Blog

March 14, 2013

How Do You Determine the Gold Standard For Compliance Programs?

What is the gold standard for scientific minds? You might not do better than Albert Einstein who was born on this date in 1879. While most lay persons remember Einstein for his theory on special relativity, and his attendant mathematical calculation that mass and energy were equivalent and could be calculated with an equation, E=mc²; Einstein actually won his 1921 Nobel Prize for an earlier paper which theorized that light is made up of individual quanta (photons) that demonstrate particle-like properties while collectively behaving like a wave. The theory was an important step in the development of quantum theory.

Many compliance practitioners often wonder about how their Foreign Corrupt Practices Act (FCPA) compliance program might compare with companies which are believed to have gold-standard compliance programs. Yesterday, in an article in the FCPA Blog entitled “Is This The World’s Best Compliance Disclosure?”, Dick Cassin wrote about the recent disclosure by Baker Hughes Incorporated in its 2012 10K filing, relating to FCPA compliance. Once upon a time, way back in 2007, Baker Hughes had the largest FCPA fine in the history of the world ever, that being $44MM. It was also under a three-year Deferred Prosecution Agreement (DPA) and a corporate monitor. Baker Hughes not only made it out from under the DPA and monitor but it is now recognized as having a gold standard compliance program.

Baker Hughes bases its compliance program on three core concepts. The first is its “Core Values of Integrity, Performance, Teamwork and Learning”. The second is the standards contained in the company’s Business Code of Conduct. The third concept is the laws of the countries where it operates. The Baker Hughes compliance program is referred to within the company as “C2” or “Completely Compliant.” The “Completely Compliant” theme is intended to establish the proper Tone-at-the-Top throughout the company. Based upon this, company employees “are consistently reminded that they play a crucial role in ensuring that the Company always conducts its business ethically, legally and safely.”

The 10K went on to list some of the highlights of the Baker Hughes compliance program. They included:

  • Comprehensive internal policies over such areas as facilitating payments; travel, entertainment, gifts and charitable donations connected to non-U.S. government officials; payments to non-U.S. commercial sales representatives; and the use of non-U.S. police or military organizations for security purposes.
  • Comprehensive employee compliance training program covering substantially all employees.
  • Due diligence procedures for commercial sales, processing and professional agents; an enhanced process for classifying distributors; and a formal policy, now being created, to guide business personnel in determining when subcontractors should be subjected to compliance due diligence.
  • A special compliance committee, which is made up of senior officers, that meets no less than once a year to review the oversight reports for all active commercial sales representatives.
  • Continued reduction of the use of commercial sales representatives and processing agents, including the reduction of customs agents.
  • Use of technology to monitor and report on compliance matters.
  • A program designed to encourage reporting of any ethics or compliance matter without fear of retaliation including a worldwide Business Helpline operated by a third party and currently available toll-free in 150 languages to ensure that our helpline is easily accessible to employees in their own language.
  • Expansion in the use and scope of our centralized finance organization including further implementation of our enterprise-wide accounting system and company-wide policies.
  • The corporate audit function has incorporated additional anti-corruption procedures in audits of certain countries.
  • Continued refinement and enhancement of procedures for FCPA risk assessments and legal audit procedures.
  • Ensuring that the company has adequate legal compliance coverage around the world, including the coordination of compliance advice and training across all regions and countries where we do business.
  • Centralization of the company’s human resources function, including creating consistent standards for pre-hire screening of employees, the screening of existing employees prior to promoting them to positions where they may be exposed to corruption-related risks, and creating a uniform policy for new hire training.

There are three areas from the Baker Hughes disclosure which I wish to highlight as components that a small to medium sized company should be able to implement at a relatively low cost. The first is the compliance oversight committee. The oversight committee puts a ‘second set of eyes’ on the compliance issues it reviews, whether they concern third parties or other compliance matters. The second is more involvement from the HR function in screening potential hires and in screening employees for promotion to positions which might expose them to additional corruption-related risks. I would add that you should also use such screening to help make selections for moving employees into senior management positions, where their tone and attitudes towards compliance can grow in importance.

The third area is the company’s embracing of compliance as a key part of its corporate culture. You can call your program “C2” or “Completely Compliant”, like Baker Hughes does, or give another name to the program. However, the key is to remind employees of the crucial role that they play in ensuring that your entity always conducts its business in an ethical manner. Much like reminding employees that safety is everyone’s responsibility, you can and should remind employees that doing business within the parameters of your Code of Conduct and your compliance program is something they should recognize as their responsibility as well.

If you are a small to medium size company your FCPA risk profile may not warrant the gold standard compliance program that Baker Hughes has put in place. However you should endeavor to put a program in place based upon the risks that you assess as applicable to your company. The Baker Hughes program gives you some guidance as to what the gold standard is and some solid ideas of components that you might implement.

One last thing, the Chief Compliance Officer (CCO) of Baker Hughes is Jay Martin. Jay regularly speaks at compliance conferences across the country. He has been quite generous to give his experiences in going through the compliance process at Baker Hughes. I am sure that he would be willing to speak to you as well.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

March 13, 2013

Lessons from Bill Belichick for the Compliance Practitioner

I recently read “War Room: The Legacy of Bill Belichick and the Art of Building the Perfect Team” by Michael Holley which is about Bill Belichick, the rise of the New England Patriots and the sophisticated player evaluation system that Belichick and others installed in New England. The book also talked about Belichick disciples Scott Pioli and Thomas Dimitroff who took this player evaluation system to new General Manager positions at Kansas City and Atlanta respectively. Neither disciple has had the sustained success that Belichick has maintained for a full decade now. In fact Pioli was fired this year from his position after three straight losing seasons in Kansas City. Dimitroff has achieved a bit more success, with Atlanta winning its first playoff game under his regime this year.

One of the things that struck me about the Belichick player evaluation system and how it was used by all three men for their respective teams is that it is a building block system. It takes a system and builds that system, building block by building block, until the overall system is completed. This is then fine-tuned and updated through continuous monitoring, assessment and review. For the compliance practitioner, I found this approach to have several valuable lessons.

The values of a risk assessment are well known. It is something that should be a part of every compliance program. I recently wrote in praise of the mock audit where an in-house team performs a preliminary assessment of a utility plant to get that facility ready for a more formal federal or state regulatory mandated audit. The concepts of monitoring and reviewing are also well known, if often confused. Monitoring is a commitment to reviewing and detecting compliance problems in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records.

However, using the Belichick model as a guide, I think that it also points to less formal, but equally useful, reviews of the process and system of compliance. Of course you can take a look and self-assess your overall program, particularly if you benchmark it against the US Sentencing Guidelines, Seven Elements of an Effective Compliance Program or the FCPA Guidance’s Ten Hallmarks of an Effective Compliance Program. So I think you should take the opportunity to perform informal testing throughout the year. My colleague Mary Jones told me that she would occasionally pull third party representative invoices and review them to determine if they were billing as per their contract with Global Industries and whether the descriptions for services raised any red flags. This allowed her to catch any problems early in the cycle but also gave her the chance to informally determine if the training she was putting on was effective or if it needed to be modified in any manner.

Sitting on the flip side of continued updating is how this building block system can help a compliance practitioner when they are faced with what may appear to be an insurmountable compliance related task. I have often heard stories where an Associate General Counsel (AGC) is tasked with putting together a vendor compliance program or other task that simply seems so large it is difficult to even get one’s arms around it before the task is due to be completed. It may be a full policy and procedure update, writing a new set of internal controls or any other task that simply seems monumental.

The Belichick player evaluation system provides a guide, which is to construct your overall system building block by building block. You can think about constructing your compliance program in the same manner. The added benefit to this approach is that it comports with what I believe to be one of the key takeaways from the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) FCPA Guidance, that being that a company should assess its risk and then manage those risks, starting with the highest risks and moving on from there. Another way to put it might be to construct your compliance program, building block by building block, beginning with the high risk, and use that as the foundation to construct your overall program.

Getting back to the AGC tasked with the Supply Chain task, one approach might be to risk rank the vendors based on the following approach:

  1. Government Services Providers – Any vendor who represents your company before a foreign government, such as a freight forwarder, logistics company, import/export services provider or customs broker.
  2. High Risk Supplier – Any supplier who meets one of the following criteria: (A) Is based in or supplies goods/services from a high risk country; (B) Is more of a business partner, similar to a joint venture partner; (C) It has been convicted of, or is alleged to have been involved in, illegal conduct and has failed to undertake effective remedial actions.
  3. Low Risk Supplier – Any supplier who meets the following criteria: (A) Is based in a low risk country where the goods or services are delivered, it has no involvement with any foreign government, government entity or Government Official; or (B) Is subject to the US Foreign Corrupt Practices Act (FCPA) and/or Sarbanes-Oxley (SOX) compliance.
  4. Nominal Risk Supplier – Is a supplier who meets the following criteria: (A) Supplies goods or services which are non-specific; (B) For any particular job or assignment; and (C) The value of each transaction is less than $10,000.
  5. Supplier of General Goods and Services – Is a supplier who: (A) Supplies goods or services which are widely available to the public; and (B) Does not fall under the definition of Minimal Risk Supplier.

Based upon this risk ranking, you can set your compliance process, building block by building block. You start with the highest risk ranking and move down from there. Indeed this is what I believe the FCPA Guidance suggests when it says the following, “Individual companies may have different compliance needs depending on their size and the particular risks associated with their businesses, among other factors. When it comes to compliance, there is no one-size-fits-all program. Thus, the discussion below is meant to provide insight into the aspects of compliance programs that DOJ and SEC assess, recognizing that companies may consider a variety of factors when making their own determination of what is appropriate for their specific business needs. Indeed, small- and medium-size enterprises likely will have different compliance programs from large multi-national corporations”. That means you can use a system like the one I laid out above or come up with your own system but make it one that works for your company and your risk profile.

If you focus on the risks to your company, I think that you can use the model of Bill Belichick and the New England Patriots as a guide. Build from the ground up by assessing your risk and then managing that risk. When you have completed the part of your compliance program which deals with the highest risk that you have assessed, move on to the next risk or level of risk and begin the process of constructing a compliance system to assess that level of risk. But do not forget the second part of the Belichick formula. You do not have to wait until an annual assessment to revamp your system. You can take more informal input from a variety of sources to tweak your program and move it forward. Constant evaluation and improvement are the hallmarks of any successful system and you should incorporate these concepts into your compliance program.


March 12, 2013

How Odysseus Can Inform Compliance Enhancement

What are your thoughts on Odysseus? Is he a villain or a hero? The ancient philosophers had many differing views on him. One view that struck me was held by Antisthenes, a disciple of Socrates. Antisthenes used the actions of Odysseus as a defense against those who attacked the discipline of philosophy as mere sophistry; that is focusing on words not deeds. Antisthenes presented Odysseus as someone whose words themselves were good deeds. Further, the actions of Odysseus showed his abilities as a team player, a cooperative hero. Recently, I thought about the concept of Odysseus and words as good deeds in the context of the post-acquisition requirements of the Foreign Corrupt Practices Act (FCPA).

Although not specifically stated in the recently released Department of Justice (DOJ)/Securities and Exchange Commission (SEC) FCPA Guidance, enforcement actions from 2011 and 2012 would seem to indicate that a company should have an integration completed in 12-18 months after the underlying transaction is concluded. I considered the post-acquisition integration issue when reading an article in the MIT Sloan Management Review Winter 2013 issue, entitled “Building Your Company’s Capabilities Through Global Expansion”, by authors Donald Lessard, Rafael Lucea and Luis Vives. The thesis of the article was that for companies to create and sustain global competitive advantages, they need to adopt a systematic approach to exploiting, renewing and enhancing their core capabilities.

While the focus of the article was on marketing and sales, as I read the article I came to believe that it has implications beyond marketing into the post-acquisition integration required by the DOJ under the FCPA. I believe that the framework which the authors have developed can be a way for companies to think through not only FCPA post-acquisition integration but also which compliance enhancements need to be introduced in foreign operations. This second point is significant because one issue that seems to bedevil compliance practitioners is how to integrate and enhance your compliance program across the globe. There are both language and cultural differences which make a ‘one-size-fits-all’ approach sometimes problematic. The article also provides some valuable insight into how a company might make its US centric FCPA compliance program a value add for its foreign operations.

The authors provide a framework under which they believe a company can evaluate the potential for enhancing its current sources into capabilities for development in foreign markets and work for post-acquisition integration. So using the authors’ framework, I will adapt it into the compliance space.

  1. Are the compliance capabilities developed relevant to the users in the foreign jurisdiction or in the acquired entity? Do the compliance enhancements or post-acquisition integration bring value to these diverse entities?
  2. Are the compliance capabilities you are using as the basis for the enhancements or post-acquisition integration appropriate for these internal markets? Do they help or hinder the capture of value in the company?
  3. Are the compliance capabilities that you have developed in the US transferable to the foreign operations or acquired entities? Can you deploy these compliance enhancements to foreign operations or post-acquisition integration without sacrificing too much value creation?
  4. Are the new enhancements that the company will develop through acquisition or foreign operation expansion of its compliance program complementary to existing capabilities within the company?
  5. Are any of the compliance capabilities, that will be used in the enhancements or post-acquisition integration, complementary to existing compliance capabilities that currently exist in either of those two groups?
  6. Are any of the compliance capabilities that currently exist in the foreign operations or acquired entities, transferable back to the US?

The initial goal should be that any compliance program augmentation, whether for an acquired company or a foreign operation, should result in “an overall enhancement of the company’s capabilities” and global position. This means that while it may initially appear that the compliance group of a company is the Land of No, such should not be the case for the compliance enhancement or integration to succeed. The authors believe that a company should build on its existing capabilities to show that the new processes or policies will create greater value. The example I give in training is expense reports. I ask whether anyone does not have to fill out an expense report to be reimbursed. The answer is always the same; everyone has to fill out an expense report. I then go on to explain that the FCPA will require you to list who you took to dinner or provided a gift to, what their title is and how much you spent. In other words, the obligation of an individual employee to provide the basic information to be used by others is not much in addition to the information they are currently providing.

My colleague Jay Rosen of Merrill Brink often says that translation services are only part of the equation when his company translates a compliance program or policy. It is important not only to understand the cultural context but also to have cultural sensitivity to issues. The classic examples are mooncakes or the tradition of giving small gifts when meeting a person for the first time in the Far East. It is viewed as a ritual which has deeper and greater meaning than simply a handshake. While many companies worried about this issue or even prohibited the giving of such small gifts, the FCPA Guidance has made clear that the DOJ/SEC are not looking for violations relating to such small gifts unless they are a part of an overall systemic failure of your compliance program.

In the business world it is not always words v. deeds. Another way to look at it might be to consider entrepreneurial people v. process people. Entrepreneurial people tend to make things happen in an organization. They can wear many hats at once. Process people tend to have a deeper focus in a particular area. You need a balance of both in an organization.

The authors have provided a framework for you to consider in your post-acquisition compliance program integration. Further, it provides a context for you to enhance your compliance program in foreign operations. Much like Antisthenes’ views on Odysseus, you can translate the words of compliance into the doing of compliance.

============================================================================================

Compliance Week needs your help! Compliance Week and Kroll Advisory have teamed up to undertake a major survey on corporate anti-corruption programs, and are asking compliance executives to participate. The survey itself—the 2013 ‘Global Anti-Bribery Benchmarking Report’—can be found here:

http://surveys.harveyresearch.com/se.ashx?s=0D146E2D11F8D225

The survey should take no more than 20 minutes to complete. It asks about the bribery risks you have, procedures you use to train employees and vet third parties, the size of your compliance team, and more. Rest assured, all submissions will be secure and anonymous. The deadline to submit information is end of business on Friday, March 15.

Results of the survey will first be presented at the Compliance Week 2013 annual conference in Washington, May 20-22 (www.ComplianceWeek.com/conference), and later published in a special supplement of the Compliance Week magazine.

Anyone with questions can contact Compliance Week editor Matt Kelly at mkelly@complianceweek.com.

============================================================================================


March 11, 2013

Wrestling as an Olympic Sport and Declinations under the FCPA

What do the US, Russia and the Islamic Republic of Iran have in common? Answer: Precious little. However one thing that they do have in common is their vehement opposition to the absolutely idiotic, boneheaded and stupid decision by the International Olympic Committee (IOC) to drop wrestling from the Olympic Games. Wrestling dates back to the ancient Greek Olympic Games and it is just inconceivable that the IOC would drop one of the very few sporting events that has endured for 2,500 years. If these three countries can agree on something, do you think that the IOC should listen?

What do the FCPA Professor, the US Chamber of Commerce and Tom Fox have in common when it comes to the Foreign Corrupt Practices Act (FCPA)? Answer: Not much. But one thing we do have in common is a belief that the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) should release information regarding FCPA matters that it declines to prosecute. For my part, the reason that the DOJ/SEC should release this information is that it is a solid base of information that a compliance practitioner can use to help improve a FCPA based compliance program.

What is a Declination?

First, continuing the good faith debate as to what is a ‘declination’, I first need to provide my definition. Last week, the FCPA Professor wrote, in a post entitled “The Need For An FCPA Lingua Franca”, of his belief in the need for a clarification of precisely what is a declination. He wrote, “I am guided by my definition of a declination as being an instance in which an enforcement agency has concluded that it could bring a case, consistent with its burden of proof as to all necessary elements, yet decides not to pursue the action.” The Professor further states that “anything less ought not be termed a “declination” and noted that it is really no different than saying a police officer “declined” to issue a speeding ticket in an instance in which the driver was not speeding. This is not a declination, it is what the law commands, and such reasoning applies in the FCPA context as well.” The Professor also cited to a WilmerHale client release which discussed the DOJ/SEC FCPA Guidance and had the following line which relates to the definition of a declination, “It is also disappointing that some of the examples do not make clear that the conduct met each of the elements of a statutory violation, since the concept of a declination is supposed to be reserved for instances in which the offense is chargeable but the government declines in its own discretion to bring a case.”

I believe in a broader approach, as I think that the term ‘declination’ should encompass all the situations where the DOJ or SEC turns down the opportunity to bring a FCPA case, whether that be a criminal matter enforced by the DOJ or a civil action brought by the SEC. I do not find the lack of a speeding ticket analogy to be appropriate in the FCPA/declination discussion. The reason is that the DOJ/SEC usually relies on either a self-disclosure or outside source of information before it begins an investigation. If there is a self-disclosure, that means that competent white collar counsel, who probably are ex-DOJ/SEC prosecutors, think that there is a reasonable basis for an actionable FCPA issue to lie. To use the speeding ticket analogy, regarding FCPA matters, if I saw a police officer with a radar gun checking speeds and I thought that I had gone over the speeding limit, I could self-report what I believed to be a violation. He or she might say something along the lines of “Mr. Fox, you may have a good-faith belief that you traveled over the speed limit but I did not have my radar gun on your car so I will not write you up.” Or the police officer might say, “Mr. Fox, you may have a good-faith belief that you traveled over the speed limit but I had my radar gun on your car and you were not going over the speed limit so I am not going to write you up.” Lastly, the officer might say, “Mr. Fox, you may have a good-faith belief that you traveled over the speed limit and I had my radar gun on you and I clocked you as going over the speed limit but because you were going 66 in a 65 and you came over here and told me about it I am not going to write you up.” So even if I had engaged in a speeding violation, there may be several reasons why I did not get a ticket.

What about situations other than self-disclosure, such as those involving a whistle-blower, information which came from other companies in the same industry, such as those companies involved with the freight forwarder Panalpina, or other situations where information comes to the DOJ/SEC and they eventually decide not to prosecute? Marc Alain Bohn, writing a piece in the FCPA Blog entitled “Revisiting the Definition of ‘Declinations’”, said that “there are likely many considerations that inform an agency decision not to pursue a case. Given the agencies’ aggressive interpretations of the jurisdiction and knowledge elements of the FCPA—something the FCPA Professor has frequently drawn attention to—it is likely rare that an agency’s decision not to pursue an enforcement action is based on its determination that there were insufficient facts to do so. This is particularly true in the case of issuers, against whom the agencies can more easily build FCPA-cases by focusing upon violations of the statute’s accounting provisions.” Because of these facts and others, Bohn urged a broader form of definition of declination than the FCPA Professor. Bohn gives the following definition, “I think it is appropriate to apply the short-hand label “declination” more broadly to each instance where the DOJ or SEC has notified a company that it does not intend to bring an enforcement action.”

Publicizing of Declinations

The concept that the US Chamber of Commerce, the FCPA Professor and I do agree on is the need for the DOJ/SEC to publicize declinations. I have argued for some time that publicizing declinations would provide great value to the compliance practitioner. I believe this to be particularly true in the situation where a company has self-disclosed what it believes to be evidence of a FCPA violation. I believed this before the Morgan Stanley declination was released last year and I believed this before the FCPA Guidance had a section discussing six matters that the DOJ/SEC had declined to prosecute. The two releases of declinations have only made my belief stronger regarding the usefulness of declinations to the compliance practitioners.

I outlined some of the reasons I think that declinations can be such a useful tool in an article for the Washington Legal Foundation, entitled “DOJ Should Release FCPA Declinations Opinions”. I wrote that this is because “The substantive portions of declinations, excised of company-specific information, would greatly increase FCPA enforcement transparency. This, in turn, would inspire greater FCPA compliance through a better understanding of how DOJ interprets the law with the specific facts presented to it.” Further, “In the declination process, DOJ is handling a much broader and more significant amount of information. A self-disclosing company has investigated or will investigate a matter, most likely with the aid of specialized outside FCPA investigative counsel. DOJ has the opportunity to review the investigation and suggest further or other lines of inquiry. Company personnel are made available for DOJ interviews, if appropriate. In short one would have actual facts and detailed oversight by DOJ, which in the case of a declination to prosecute, would provide substantive guidance on why it did not believe a FCPA violation had occurred in the face of a company’s good faith belief that it had violated the FCPA.”

From the Morgan Stanley declination we learned the importance of (1) annual FCPA training; (2) annual certification; (3) transaction monitoring; (4) compliance reminders; and (5) documentation of all of these factors. From the FCPA Guidance, we learned that the companies which received declinations had the following six factors:

  1. The company was alerted to possible corruption via its own internal controls or compliance program.
  2. The company self-disclosed to the DOJ/SEC.
  3. The Company conducted a thorough investigation and shared the results with the DOJ/SEC.
  4. The illegal conduct was not pervasive throughout the company, no systemic failure/over-riding of internal controls and the amount of money paid as bribe was relatively small.
  5. The Company immediately took corrective action against the bad actors.
  6. The extent the compliance program was expanded.

We learned some very specific, useful pieces of information from the declinations that have been issued. I hope that more will be issued by the DOJ/SEC in the future. It appears that the sport of Olympic wrestling, the FCPA and politics can indeed make for some strange bedfellows.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

March 8, 2013

Interview with Mary Jones-LSU Tiger Fan Extraordinaire

Filed under: compliance programs,Mary Jones — tfoxlaw @ 1:01 am

Ed. Note: we continue our series of interviews with thought leaders in the compliance arena. Today we post an interview with frequent contributor and lifelong LSU Tiger fan, Mary Shaddock Jones.

———————————————————————————————————————

1. Where did you grow up and what were your interests as a youngster?

I grew up in Lake Charles, Louisiana.  My interests as a youngster have remained with me through adulthood.  I love photography, fishing, hunting and hanging out with my family.

2. Where did you go to college and what experiences there led to your current profession?

I went to Louisiana State University for both my undergraduate and law degree.  I knew law was for me when I made a 100 out of 100 on one of two tests given by a business law professor as an undergraduate.  He had taught both my father and my brother.  He was a legend at LSU (not the law school).  I was the only person he ever taught who scored a perfect 100 on his midterm test.  I wasn’t a popular student in the class after that- as I totally blew the curve.  But from that moment on, I loved the law.  I graduated and went straight to law school.

3. Can you tell us about your corporate, in-house career and how you got into FCPA compliance?

I have had an interesting career and one that I have thoroughly enjoyed. I started out in private practice, but was hired within a few years to work at Hollywood Marine (Barge and Towing Company). I worked with them as General Counsel for 6 years. After we had our second child, I decided that I should try and spend more time at home with them. I learned that I wasn’t cut out for the rigor of being a stay-at-home mom. (Anyone who says moms who stay home “don’t work” has never tried it.) So I was recruited by one of my best friends to work with her at First Wave Marine (shipyard). After a few years, I was given the opportunity to work at McDermott, International as the Director of Insurance overseeing their worldwide insurance program. I first became really aware of FCPA while at McDermott. In 2005 our children were entering middle school. We decided it was the prime time to move back to my hometown of Lake Charles, before they entered high school. So in 2005, my husband and I both resigned from our jobs and moved without jobs to Lake Charles. We took a huge risk, but felt like this is where God really wanted us to be. So we took the plunge. I had planned on going back into private practice at that time with a focus on marine work. I had worked for a barge and towing company, a shipyard and an oil and gas construction company. I was ready to tackle maritime law on my own. I knew that the one client I really needed to secure was Global Industries, since they were one of the largest marine construction companies in the Lake Charles area. I met with the General Counsel, who ended up being my friend and mentor, Russ Robicheaux. Instead of opening up my own law firm, Russ hired me as Assistant General Counsel and the rest is history. Unfortunately, in 2010 the Executive Management wanted to consolidate all of its management team back in Houston. Our children were in high school and unwilling to move and I was unwilling to live apart from my family or commute, so in June 2011, I resigned from Global Industries and started my own law firm. Starting from scratch at 52 was a challenge, but I have successfully completed a year and a half and have loved every minute of it.

4. You were part of the in-house team that worked on the Global Industries FCPA investigation relating to the Panalpina case. Can you describe what you did and how Global was able to achieve the result that it did in that process?

My job was to run the day-to-day investigation and interface with the various law firms and accounting firms who were involved in the investigation. I did a lot of leg work on a daily basis: collecting, organizing and analyzing documents, invoices, contracts, etc. from many parts of the world. One thing I learned with the investigation is that once an FCPA investigation is opened, it often morphs into much more than the one issue that initially sparked the investigation. It was a full-time job. I interfaced daily with the General Counsel on various matters related to the investigation. I believe that there are several reasons why the investigation resulted in no action from the DOJ and the SEC. The General Counsel and I have given numerous seminars on this topic. To fully discuss the reasons would take up much more than my allotted space today! But to summarize, I think there were the following factors: 1) the immediate response that the executive management at Global took once it learned that there was a possible FCPA violation; 2) the comprehensive compliance program that existed at Global both prior to the investigation and improved upon during the investigation; 3) the thoroughness of the investigation by counsel for the Audit Committee; 4) the overall findings related to a very expansive investigation into the use of freight forwarders not only in Nigeria and Angola, but in many parts of West Africa; and 5) the fact that the Company self-reported.

5. While you are not the most rabid LSU fan I have ever met, you are right up there at the top. For those reading this post, who live outside the South, can you explain the intensity of attending an LSU home game in Tiger Pit?

First of all- I am not sure what Tiger Pit is- the correct name is –DEATH VALLEY!  The feeling of being in Tiger Stadium, aka Death Valley is hard to describe.  The stadium is huge so the sheer number of fans is overwhelming.  You have to walk up lots of ramps to get to the inside of the stadium.  When you finally make it to your seat- the view is breathtaking.  And when the Band walks out and plays the fight song! Tears come to my eyes.   Everyone should experience TIGER STADIUM once in their lifetime!

============================================================================================

Mary Shaddock Jones has practiced law for 25 years in Texas and Louisiana primarily in the international marine and oil service industries. She was the first woman to earn TRACE Anti-bribery Specialist Accreditation. Mrs. Jones has extensive experience in creating and designing compliance programs to reduce the risks of such violations, including policies and procedures, educational and training materials and programs, contract provisions and due diligence protocols. She implements and works with in-house counsel and compliance vendors to execute compliance policies and training programs tailored to the client’s business structure and the market conditions in the client’s target countries. She can be reached at 337-513-0897 or via e-mail at msjones@msjllc.com.

============================================================================================

 

March 7, 2013

Compliance Week Needs Your Help!

Filed under: Compliance Week,FCPA,Matt Kelly — tfoxlaw @ 7:14 pm

Calling all FCPA and anti-corruption enthusiasts, Compliance Week needs your help! Compliance Week and Kroll Advisory have teamed up to undertake a major survey on corporate anti-corruption programs, and are asking compliance executives to participate.

The survey itself—the 2013 ‘Global Anti-Bribery Benchmarking Report’—can be found here:

http://surveys.harveyresearch.com/se.ashx?s=0D146E2D11F8D225

The survey should take no more than 20 minutes to complete. It asks about the bribery risks you have, procedures you use to train employees and vet third parties, the size of  your compliance team, and more. Rest assured, all submissions will be secure and anonymous (even Compliance Week won’t know who submits what specific results). The deadline to submit information is end of business on Friday, March 15.

Results of the survey will first be presented at the Compliance Week 2013 annual conference in Washington, May 20-22 (www.ComplianceWeek.com/conference), and later published in a special supplement of the Compliance Week magazine.

It’s no secret that finding good, reliable benchmarking data on compliance programs is no easy task, so do please help by participating. Anyone with questions can contact Compliance Week editor Matt Kelly at mkelly@complianceweek.com.

Transparency Is The Key to Keeping Everyone Rowing Together for Compliance

One of the concepts articulated in the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) Foreign Corrupt Practices Act (FCPA) Guidance was that every company should assess its own risks for bribery and corruption and manage those risks accordingly. In the introductory section of the Ten Hallmarks of an Effective Compliance Program it states:

Compliance programs that employ a “check-the-box” approach may be inefficient and, more importantly, ineffective. Because each compliance program should be tailored to an organization’s specific needs, risks, and challenges, the information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.

Last week I focused on the above regarding the issue of having a carefully designed and reasoned approach to your compliance program. Today I will focus on the above quote for another benchmark for your compliance program: transparency. In a recent article in the Corner Office section of the New York Times (NYT), entitled “Transparency Is Much More Than a Buzzword”, reporter Adam Bryant interviewed Ryan Smith, co-founder and Chief Executive Officer (CEO) of Qualtrics, a provider of online research survey platforms.

Smith said that his company is “extremely transparent, but not so that we can be cool. And it’s not about an open environment, because that’s not what makes a company transparent. It’s more around the fact that everyone needs to know where we are going and how we are going to get there.” He wants everyone to understand the company’s “objectives and make that available to everyone as we’re evolving, so people aren’t guessing and they’re not internally focused. That’s one obstacle a lot of companies fall into.”

Further, Smith believes that his company should “be transparent because we want to encourage our people to have all the information to keep them focused on what really matters — our objectives and how they’re going to contribute.” He explained that transparency helps everyone in the organization understand what the goals are and how they are working to achieve them. This transparency has an effect on everyone because they understand the environment that they are operating in within the overall company structure. But Qualtrics has taken this to a very high and detailed level. Smith described the following path for transparency, “We have another system that sends everyone an e-mail on Monday that says: “What are you going to get done this week? And what did you get done last week that you said you were going to do?” Then that rolls up into one e-mail that the entire organization gets. So if someone’s got a question, they can look at that for an explanation. We share other information, too — every time we have a meeting, we release meeting notes to the organization. When we have a board meeting, we write a letter about it afterward and send it to the organization.” By doing this Smith believes that “When everyone’s rowing together toward the same objective, it’s extremely powerful. We’re trying to execute at a very high level, and we need to make sure everyone knows where we’re going.”

The idea that transparency has importance in the compliance function is clear. If everyone understands that compliance and ethics are a value of the company, then everyone can operate in that manner. Smith made clear that at his company all of the employees need to know where the company is going and how the company should get there. One of the keys that Smith articulates is that a company should focus on transparency so that people “aren’t guessing”. If your company simply focuses on quarterly numbers, the message is that you need to do everything you can to meet your numbers. In other words, wherever compliance falls on your company’s scale of importance, it is not Number 1 or even Number 2.

Throughout the Ten Hallmarks of an effective compliance program is the concept of transparency through communications. Obviously it starts at the top but written policies, procedures and fair administration of your compliance program are key as well. Risk assessment, then monitoring should be used to help employees do business in a more compliant manner through remediation. If you are transparent in this process not only will employees understand better and more fully the purposes behind these practices but they will embrace the solutions going forward. As Smith noted, “We can’t control the way they think. All we can control or have an effect on is the environment around them.”

If Smith can use transparency to get everyone at Qualtrics “rowing together” I believe that you can use this same technique to get employees all moving forward on doing business in an ethical and compliant manner. Remember “Transparency” is the key.

© Thomas R. Fox, 2013

March 6, 2013

Marine Transportation and Anti-Money Laundering

My recent article on the marine transportation industry and the Foreign Corrupt Practices Act (FCPA) generated some discussion ranging wider than simply the port agent issue regarding interaction with foreign government officials. One of the discussion points was how and where a company should pay the crew. One of the sacrosanct rules that I learned while working at Halliburton was that payments to any third parties had to be made to either (1) the location where the services were delivered or (2) the location where the third party was domiciled. It was called ‘Offshore Payments’ and the legal department was charged with making sure that all contracts specified payments to be delivered into one of the aforementioned locations. The rule was designed to comply with Anti-Money Laundering (AML) rules and regulations. This concept also appears in the FCPA as a red flag if a third party desires to be paid outside either of the locations stated because a corrupt entity or person could use funds already in the banking or financial system to disguise any movement that might reveal the corrupt action, such as a bribe to a foreign governmental official.

Obviously you cannot pay a ship’s crew in the location where the services are delivered if those services are delivered at sea. So that would seem to leave the jurisdiction where a crew member is domiciled. But in addition to the home domicile there are other AML issues, such as the bank into which the payments are wired from the US. The Financial Action Task Force (FATF) Recommendations on the International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation set out several in its White Paper released last year. These included due diligence on payees to determine politically exposed persons and specially designated individuals, record keeping, controls regarding payee banks and financial institutions and reporting of suspicious transactions, among others. In other words, there are many concerns about paying third parties, even those third parties a company might not normally consider in its own compliance regime.

Based upon these conversations, I thought a deeper look into AML issues was warranted. Fortunately, Carol Switzer, President of the Open Compliance and Ethics Group (OCEG), just penned another piece in her series in Compliance Week on compliance related issues. This month Switzer has taken a look at AML issues in an article entitled “The Complex Mechanics of Money Laundering”, and accompanying the article is another entry in the OCEG/Compliance Week GRC Illustrated Series, which reviews, in an illustrated manner, how to build an effective AML program.

Switzer explains that there are several laws which deal with AML compliance. They include “the Intelligence Reform & Terrorism Prevention Act of 2004, which amended the BSA; the Money Laundering and Financial Crimes Strategy Act; and the Money Laundering Suppression Act).” There are numerous regulatory and enforcement agencies with domestic AML oversight. They include “the U.S. Department of the Treasury and its Financial Crimes Enforcement Network (FinCEN), to the Security and Exchange Commission to the Dodd-Frank Act’s Consumer Financial Protection Bureau (CFPB) to the New York Stock Exchange, IRS, FBI, and a number of federal banking regulators.”

In the illustrated section following Switzer’s article, it sets out three basic steps which are (1) Define the Risk; (2) Quantify the Risk; and (3) Manage the Risk.

I. Define the Risk

It all begins with a comprehensive organizational analysis so that you can understand how much exposure your organization has and where it originates. A company should keep track of the places it does business and how it does business, either directly or through third parties. A company should determine where threats are hiding in its operations and identify any specific AML issues posed by a particular product or service line. A company should also understand the enhanced risks posed by any specific geographic markets and then identify the risks inherent in different customer types.

II. Quantify the Risks

Under this prong, a company should determine the quantitative impact of defined risks, both from a customer and asset perspective, while understanding how operating locations may affect these identified risks. Next a business should profile and risk rate customers and assets based on risk attributes including customer geography, business structure, sources of funds, business type, products and services utilized and other factors. From these factors a company should then formulate a comprehensive business risk assessment.

III. Manage the Risk

Based on steps one and two a company should then implement an AML program consisting of people, processes, and controls proportional to the quantified risks which can ensure compliance, visibility, and protection. This Step III has four subparts.

  1. Design: A company should define its internal roles and responsibilities. There should be designated risk categories which will inform the appropriate level of due diligence. A company should build and implement both suspicious activity controls and transaction monitoring.
  2. Implement: This step involves the establishment of policies and procedures and the training of employees and relevant third parties on them. To the extent possible, OCEG recommends using technology to monitor, review, escalate, and report suspicious activities using a risk-based and practical approach. Lastly, they recommend that companies should exchange knowledge with industry peers and experts.
  3. Test and Analyze: A company should regularly test its controls and monitor personnel and third parties. A company should evaluate the data that it receives. Finally, as with all compliance regimes, there should be a confidential reporting mechanism to report suspicious activities or other violations.
  4. Report: A company should report suspicious activity and any AML controls system weaknesses should be scheduled for analysis. A company should also document and file any suspicious activity for both its own internal use and regulatory reporting requirements.

A company must continually capture and update its understanding of threats and system weaknesses to influence continued evolution of an effective AML program. This should be coupled with the continuous evolution of your AML program because the nature of money laundering is ever-evolving as criminals construct new and “improved” methods to hide the proceeds of crime and funds for financing criminal action, making it ever more difficult to monitor and stop.

So how about the payment issue in the marine transport industry and the ship’s crew? Most US companies no longer own and crew the ships they use to transport product or cargo and will typically use a charter party. The charterer gives orders for the employment of the vessel and payment of the crew. If your company is in such a position I would suggest that it make the following inquiries of your charter party: 1) Does the charter party have an International Organization for Standardization (ISO) program and policy in place for the hiring and paying of employees? 2) Does the charter party vet all employees to include license checks, verify bank address to employee address and obtain background checks thereon? 3) Does your charter party ensure that all banking transactions made to the employees are documented, starting with hours worked, signature from masters and payments made to the employee’s home country only?

If you are in the marine transport industry and use a third party to pay those working on your behalf you need to review the third party’s AML program. The same is true for any other business which uses a third party company to make payments to others outside the US.

© Thomas R. Fox, 2013

March 5, 2013

In Praise of the Mock Audit – Lessons from the Power Industry

Last week I attended the Society for Corporate Compliance and Ethics (SCCE) Energy and Utilities Conference here in Houston. As usual, SCCE put on a great event, the speakers and topics were all first-rate. As you might expect at such an event, the informal conversations with other compliance practitioners gave an opportunity to learn about new and different approaches to compliance. At lunch on the second day, I had such a conversation, which to my surprise, was not with a Chief Compliance Officer (CCO) or even compliance practitioner of an energy company but with a Program Manager for a utility concern.

I admit that I normally do not attend any of the breakout sessions for the utilities at the conference and generally when forced to sit through a session focused on the utility industry, it does not take too long for my eyes to roll up inside my head. However after this lunch conversation, I will certainly have to revise my disdain for listening to the utility presentations. The person is a Program Manager in his company’s Power Plant Process group and he told me about the ‘Mock Audit’ that his company performs in its power plants across the country.

He explained that his industry is heavily regulated at both the state and federal level. Power plants are subject to numerous levels of oversight including various ISO standards with which they must comply. ISO is the International Organization for Standardization and it develops and publishes International Standards for various industries and organizations. The ISO 9000 standards provide guidance and tools for companies and organizations who want to ensure that their products and services consistently meet customers’ requirements, and that quality is consistently improved. One of the components of ISO 9000 compliance is an internal audit to check how a quality management system is working. But, for the utility industry, there are additional, more formal audits by various state and federal regulatory bodies, including both North American Electric Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC). In other words, the utility industry is subject to numerous rules and regulations which require compliance audits.

To help prepare for these formal internal and external audits, his company employs the Mock Audit. In the Mock Audit, his team will go through the factors which will be reviewed in a formal audit at a power plant. But the thing that struck me was that he said that when he goes into a plant, he tells the plant personnel “we all wear the same color shirt” and by this he means they are all on the same team, trying to achieve the same goal of doing business in compliance with the rules and regulations that the power industry is required to operate under. Coming from the energy service industry, the ‘color of one’s shirt’ is a powerful concept. I worked at Halliburton which is known as “Big Red”. Halliburton’s competitor, Schlumberger, is known as “Big Blue”. Once in an employment interview someone asked me if I could work under a person who came from “Big Blue” and I knew instantly what they meant.

The Mock Audit is a mechanism by which a compliance team can go into a facility and not only try to determine what might need remediation but, equally importantly, help the employees in that facility to move towards greater compliance. The team members who perform these Mock Audits are not lawyers but are engineers or other process focused team members. These Mock Audits help to uncover gaps that need closing before any of the regulatory mandated audits by external audit teams. As this Program Manager explained to me, they are a powerful compliance tool.

I thought about this concept of the Mock Audit in the context of ongoing monitoring, annual assessments and auditing under the Foreign Corrupt Practices Act (FCPA). Typically such monitoring and annual assessments are done by lawyers. One thing that I think we as lawyers bring to this process too often is an adversarial relationship. It sometimes feels and sounds like we are trying to find a violation or something wrong regarding a company’s compliance program. We are not there to try and help employees learn from their mistakes (if any) and we do not present ourselves as ‘wearing the same color shirt’. While there certainly is a fine line that must be trod in monitoring and annual assessments, if the compliance practitioner could adopt a bit of the tone of the Mock Audit it might open things up for a more useful and constructive exercise going forward. This is not to say that a more formal compliance audit should be conducted with such a tone, as it is a different type of activity. But, just as the Mock Audit is there to uncover any gaps and help fill those gaps, monitoring or annual assessments can also be used to help close compliance gaps before a biennial formal compliance audit. So what are some of the steps that a compliance practitioner can take?

Wear the Same Color Shirt

I once worked in a corporate legal department where the attitude was very much ‘us against them’. The legal department was viewed as the last bastion between the business guys doing something to put the company at risk. The attitude was not cooperative at all. I would suggest that even if the legal department feels like it has to maintain that attitude, the compliance department is not required to have that attitude, at least not all the time. Just as my newfound colleague from the utility industry can help power plant employees to do their work more in compliance with the rules and regulations that they are required to follow, the compliance department can work with employees rather than simply dictate the rules which are to be followed. An annual assessment is the perfect opportunity to learn more about a region or group’s compliance challenges and how those challenges are being met and might be met going forward. But it will not work if it starts out with the ‘us against them’ or ‘I am here to get you’ attitude. You have to wear the same color shirt and be on the same team.

Review Your Findings with the Group or Region Being Assessed

One of the more constant complaints that I have heard from business unit folks was that legal and/or compliance did not share the results of any assessments or audits with them. Not only was there no transparency at the end of the process but there seemed to be no simple desire for local participation or input to resolve any outstanding issues uncovered. So another step I gleaned from the Mock Audit is to review any assessment findings with the senior management team of the group or area being assessed. If warranted, the management team from the group or area reviewed should be a part of any corrective action plan that addresses a specific gap in compliance. You can use this opportunity to demonstrate that the overall goal is to drive towards compliance and that use of local input may be one of the best paths to positive change over the long term. As with anything else, if people feel like they have input into the process, they will be more likely invested to make sure the process succeeds. When you return to the corporate office you can collaborate with the group or region until issues are fully addressed.

Conclusion

The recently released Department of Justice (DOJ) and Securities and Exchange Commission (SEC) FCPA Guidance makes clear that formal compliance audits, with actionable remediation plans, are a key component of any effective compliance program. But after listening to my colleague from the utility industry, it seems to me that the concept of the Mock Audit is one that may also become a best practice. Whether you call it the Mock Audit, annual assessment or something else, if it is a process designed to help your employees do business in a more compliant manner, it is a tool that should not be overlooked.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

March 4, 2013

Manti Te’o and a Second Set of Eyes

One of the strangest news stories over the past couple of months has been the Manti Te’o story. For those few people who have not heard the story, Te’o was fooled (or not) into believing that he was in an online relationship with a non-existent woman named Lennay Kekua, who was falsely reported as dying of leukemia. Te’o, who says he was the victim of a “sick joke”, repeatedly played along with the story in the weeks between when he says he learned Kekua was not real and when the story broke. Later, on Dr. Phil, Ronaiah Tuiasosopo, an alleged friend of Te’o, claimed that he was the mastermind behind the entire scam so as to profess his love for Te’o.

One of the things that reporters who interviewed Te’o on his relationship with Kekua asked was if Te’o had ever met her in person. Te’o admitted that he had not. After Te’o announced to the world that she had died of leukemia, reporters asked if they could talk to her family; Te’o responded that they wanted to maintain their privacy.

In other words, there was never any validation of the Te’o/Kekua relationship, either by the primary party, Te’o, reporters who worked on the story or anyone else. My wife is a process analyst. She recently said something that struck me as one of the keys to a robust compliance program. She said that you need a ‘second set of eyes’. I asked her what she meant and she responded that if you do not put a second set of eyes on a process, you do not have validation of that process. I thought about that in the context of a Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance program and realized having a ‘second set of eyes’ on your process is critical.

I. Oversight Committee

This concept of a ‘second set of eyes’ has found favor with the Department of Justice (DOJ), through its use in a Deferred Prosecution Agreement (DPA) with the Monsanto Corporation. In the Monsanto DPA, the DOJ agreed, after the initial due diligence and appropriate review were completed on Foreign Business Partners, for Monsanto to implement certain post contract execution procedures. These requirements can be used as guidelines as to what the DOJ will look for from other US companies who have entered into relationships with Foreign Business Partners; especially in the area of ongoing monitoring of the Foreign Business Partner.

In Appendix B to the DPA, Monsanto agreed to, among other things, “the establishment and maintenance of a committee to supervise the review of (I) the retention of any agent, consultant, or other representative for purposes of business development or lobbying in a foreign jurisdiction”, or an Oversight Committee. It should be noted that Monsanto successfully completed the terms of its DPA and was discharged from further obligations under it in 2008.

The scope of this Oversight Committee is not fleshed out in the DPA. I would suggest that a company should incorporate both a pre-execution function and a post-execution management function in overseeing the full relationship with the Foreign Business Partner. While this oversight would most necessarily focus on FCPA compliance, there should also be a commercial component to this function.

a. Who Should be on the Oversight Committee?

The Monsanto DPA provides guidance on this point by stating “The majority of the committee shall be comprised of persons who are not subordinate to the most senior officer of the department or unit responsible for the relevant transaction;” this would indicate that senior management should be involved in the Oversight Committee. It would also indicate that more than one department should be represented on the Oversight Committee. This would include senior representatives from the Accounting (or Finance) Department, Compliance & Legal Departments and Business Unit Operations.

b. What Should the Oversight Committee Review?

The Oversight Committee should review all documents relating to the full panoply of a Foreign Business Partner’s relationship with the company. This would begin with a review of any initial requests to engage a new Foreign Business Partner. The information presented to the Oversight Committee would include the Business Unit’s request to engage the Foreign Business Partner, the costs and benefits. The next step would be to review the due diligence and all background investigative materials on the prospective Foreign Business Partner.

The Oversight Committee should receive copies of, and approve, all due diligence and background investigative materials before a contract is executed with the partner. Particular attention should be paid to the form of the contract. If there are deviations from the company’s standard form of agreement, with regard to the FCPA compliance issues, there should be a full explanation by the Foreign Business Partner or Business Unit. The Oversight Committee should determine if the company is taking on any unwarranted FCPA compliance risk if non-standard FCPA compliance terms and conditions are used.

After the commercial relationship has begun, the Oversight Committee should monitor this relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations on the Foreign Business Partner with at least a minimum of a Level One Due Diligence and higher levels of due diligence based upon an appropriate risk rating. There should be an evaluation of any new or supplemental risk associated with any negative information discovered from a review of financial audit reports on the Foreign Business Partners. All FCPA compliance training should be reviewed and certifications confirmed. The Oversight Committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance. As with all things FCPA, the three most important words here are Document, Document, Document. If you cannot produce documentary evidence to the DOJ of your annual review and its findings, it is of no use to your company.

In addition to the above remedial review, the Oversight Committee should review all payments requested by the Foreign Business Partner to assure such payments are within the company guidelines and are warranted by the contractual relationship with the Foreign Business Partner. Lastly, the Oversight Committee should review any request to provide the Foreign Business Partner any type of non-monetary compensation and, as appropriate, approve such requests.

The oversight of Foreign Business Partners is one of the key tools that a company can use to prevent and detect any violation of its own Code of Ethics and Compliance and the FCPA. The proper structure of the Oversight Committee and its full engagement with all aspects of a company’s relationship with a Foreign Business Partner is one of the areas that the DOJ will look for in a successful FCPA compliance program.

An Oversight Committee is literally a ‘second set of eyes’ which can be utilized by a company to manage its relationships. An Oversight Committee does not replace any of the other key components of an effective FCPA compliance program but it does provide an additional level of protection, back-up and transparency for all activities with a Foreign Business Partner. It should be employed by companies as an additional protection against any type of FCPA compliance and ethics violation “slipping through the cracks” to become a much larger problem down the road.

II. Monitoring

Another way to think about a ‘second set of eyes’ is through ongoing monitoring of a compliance program. Two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit and respond quickly to allegations of misconduct. These highlighted activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

Many companies fall short on effective monitoring. This can sometimes be attributed to confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance problems in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it’s effectively monitoring. A robust program should include separate functions for auditing and monitoring. While unique in protocol, however, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from a particular country, it may be time to conduct an audit of those operations to further investigate the issue.

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they’ve noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. Additionally, the global compliance committee should meet, or communicate, as often as every month to discuss issues as they arise. These ongoing efforts demonstrate your company is serious about compliance.

III. Conclusion

The Manti Te’o story provides some significant lessons for the compliance practitioner. Putting a ‘second set of eyes’ on any process, including compliance, is the only way to validate the process. If any reporters had been able to validate any of the Te’o story before it was revealed to be a hoax, it might have led to a very different ending, rather than the one that Te’o maintained all through his senior year at Notre Dame, when he was a candidate for the Heisman Trophy. To sum it all up, I go back to President Ronald Reagan, as he told Mikhail Gorbachev, “Trust, but verify”. A ‘second set of eyes’ will not only help to validate your compliance process but go a long way to keeping your compliance program out of hot FCPA or Bribery Act water.

