FCPA Compliance and Ethics Blog

May 31, 2013

Climbing Everest and Your Compliance Process

What is your compliance process? I thought about that question when I read an article in this month’s National Geographic Magazine entitled “Maxed Out on Everest” by Mark Jenkins. Jenkins wrote about the more raw numbers of persons who are challenged to climb the world’s tallest peak. This has led to more-than 200 person waiting lines to get through certain pinch points, two hour waits which can become deadly, and literally tons of trash left from climbing teams which now stand testament to the environmental effects of these expeditions. Jenkins gave his list of six prescriptions to address these and other issues. They were (1) fewer climbing permits, (2) small ascent teams, (3) require certification of outfitters, (4) require experience to climb the mountain, (5) leave no trace of human waste and garbage on the mountain and (6) remove dead bodies from the mountain.

I also thought about the process question when I read two articles in yesterday’s New York Times (NYT) which spoke about the process of how decisions were made in two very different areas.

Banks Behaving Badly

The first NYT article, entitled “Documents Show Obama Officials in Tension Over British Banks”, by Ben Protess offered “a rare behind-the-scenes glimpse into the Obama administration’s decision-making as it prepared to take actions against two big British banks”, HSBC and Standard Chartered. Both banks agreed to large fines, assessed by the US government for their money-laundering operations; Standard Chartered fined $327MM (in addition to a separate fine of $340MM by the state of New York) and HSBC, fined a whopping $875MM by the feds. Apparently there were tensions between the Department of Treasury (Treasury) with the Department of Justice (DOJ) over the federal law-violation fine and also tensions between Treasury and the state of New York Department of Financial Services (DFS) over its action to fine Standard Charted separately for its violations of New York state banking regulations.

Protess reported that there were tensions by the US Treasury Department and the state of New York over its separately fining Standard Charted “In a sign that the British cases pitted authorities against one another, the Treasury Department raised concerns last year that New York’s banking regulator acted against Standard Chartered without sufficiently notifying federal authorities, the documents show. Treasury officials explained the concerns in an internal memo to Mr. Geithner. The memo, internal e-mails show, was prepared for Mr. Geithner as “talking points” ahead of an October meeting with George Osborne, Britain’s chancellor of the Exchequer. In a September letter to Mr. Geithner, Mr. Osborne had expressed significant “concerns” about New York’s action, given that the United States and Britain typically collaborate closely on such cases.”

Protess reported that an internal Treasury memo said that the DFS “notified federal authorities “only hours before its public announcement.” But Protess went on to write “But people close to the case argue that federal authorities were aware that Mr. Lawsky was poised to act. Three months before filing the case, Mr. Lawsky’s office informed Treasury and other federal officials that it planned to soon take action against Standard Chartered for illegally funneling money for Iranian banks and corporations, the people close to the case said.”

Treasury’s disagreement with DFS apparently paled in its disagreement with the DOJ as Protess wrote that “some discussions have taken a more hostile tone as the Justice Department faces scrutiny for not indicting HSBC. The Justice Department has explained that it follows guidelines requiring prosecutors to weigh indictments of businesses with “collateral consequences” like job losses and, in the case of big banks, a threat to the economy. And in a recent letter to Congress, the department explained that it has “contacted relevant government agencies to discuss such issues,” including federal regulators.”

When Treasury joined the DOJ in announcing the settlement back in December 2012 of the federal matter, “a media outlet ran an overnight article in which a professor speculated that Mr. Geithner had not criminally prosecuted HSBC to avoid putting it out of business. By dawn that day, Treasury officials e-mailed one another about the article. Shortly after, National Public Radio retracted the quote and issued a statement saying that Treasury had not been involved in the decision not to indict HSBC.”

So was Treasury a part of the process or wasn’t it?

Rutgers Still Clueless?

For those of you following the saga of the Rutgers men’s basketball team, you might have thought that the New Jersey university could not do much worse than it did in the handling of the Mike Rice scandal. However, it appears that you would be wrong as Rutgers University continues to provide the compliance practitioner with lessons to be learned. To recap, Coach Rice was videotaped physically abusing players. He was initially disciplined but after the videotape was released by ESPN, he was fired. Almost immediately thereafter, Rutgers Athletic Director (AD) and General Counsel (GC) resigned over their roles in the matter.

Now Rutgers is back in the news for its hiring of a new AD, Julie Hermann. In a NYT article, entitled “Members of Rutgers Panel See Flawed Hiring Process”, reporter Steve Eder discusses the process which led Rutgers to hire someone who had been sued successfully for gender discrimination and as detailed in an article in the New Jersey Star-Ledger that former University of Tennessee volleyball players had accused Hermann of verbally abusing them while she was their coach in the 1990s. In a letter  obtained by the Star-Ledger, players alleged that Hermann called them “whores, alcoholics, and learning disabled,” and that she coached “through humiliation, fear, and emotional abuse.”

Hermann was also sued in a second lawsuit where, Mary Banker “an assistant track and field coach, claimed she was fired as retaliation for complaining to Hermann and the university’s human resources department about sexual discrimination by the head coach. Lawyers for Louisville said that Banker was fired for underperformance, not in retaliation for her complaints. A judgment in favor of Banker was overturned this year, and the case is pending before the Kentucky Supreme Court.”

Eder reported that “the leaders of the search committee sent an e-mail to the group’s members assuring them that the process that led to Hermann’s hiring had been fair and transparent.” He wrote that “Kate Sweeney and Dick Edwards, the leaders of the Rutgers search panel, wrote an e-mail Tuesday to the other committee members to defuse growing criticism of Hermann’s selection.” He quoted from their email, “You all had the opportunity to examine Julie’s credentials, to spend some time with her when she was on campus, and to provide us with your thoughts regarding her candidacy as Rutgers’s next Director of Intercollegiate Athletics.”

However this statement was contradicted when “at least two committee members claimed that the leaders had whitewashed a process that felt secretive and rushed, leaving them uncomfortable with the university’s selection of Hermann. One member said that concerns over a lawsuit an employee had filed against Hermann were not fully addressed, and that he did not spend enough time with her to feel comfortable that she was the right person to lead an athletic department still reeling from a scandal involving an abusive coach.”

Eder quoted Ken Schmidt, one of the committee members, who wrote to the group, “At this time, please do not try to rewrite the facts. I suspect you will find others that share my opinion.” Schmidt was also quoted as saying, “There was very little information about the candidates disseminated to the larger committee.” A second committee member Ron Garutti, wrote: “Please, let’s not present this as any kind of exemplary process. Subsequent events have proven otherwise.” Garutti also added, ““Please, let us not at this late date attempt to convince ourselves and the public that there was sufficient time to delve deeply” into candidates’ documents.”

So what exactly was the hiring process that Rutgers used to fill its AD position?

The NYT articles and the National Geographic article drove home what my process-analyst wife reminds me about, that being that it is all about the process. Develop a process and then follow the process but also validate the process with additional information and the ‘second set of eyes’ principle.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 29, 2013

Kroll and Compliance Week Survey Anti-Bribery and Anti-Corruption

Not many people realize that the US has elected one president who served as a prisoner of war. That man was Andrew Jackson, who was captured by the British during the Revolutionary War. Now, can you name the American President who killed another man in a duel? If you guessed Andrew Jackson you are right and if you knew that today is the anniversary you receive extra credit and can proceed directly to Final Jeopardy.

I thought about the somewhat surprising history on Jackson when I read the recently released the “2013 Anti-Bribery and Corruption Benchmarking Report-A joint effort between Kroll and Compliance Week” (the “Survey”). Much like Jackson himself, the Survey had some interesting and somewhat disturbing findings as well regarding companies and their third parties. The findings were troubling because I think that most compliance practitioners recognize that their highest compliance risks under the Foreign Corrupt Practices Act (FPCA) and UK Bribery Act revolve around third parties. Some of the highlights of the survey are as follows.

I.                   Risks

While 43% of respondents said their bribery and corruption risks have increased in the last two years, another 39% said those compliance risks have remained mostly the same and, finally, 7.7% reported that they believe their compliance risks have actually fallen. Regarding future corruption risks, the respondents were split with half saying they expect compliance risks to rise in the next 12 months, and half do not. The single most common reason given for increasing compliance risks was expansion into new markets, followed by more vigorous enforcement of current anti-bribery laws. The Survey reported the “good news is that 57% of respondents say they conduct an enterprise-wide assessment of bribery and corruption risk annually. The bad news: the other 43% conduct such an assessment less than once a year, and 16.9% say they’ve never conducted a corruption risk assessment at all. A solid majority of companies also say they have some sort of documented approach to managing bribery and corruption risks; 37.7 say they have a “well-defined, documented process dedicated solely to global bribery risks,” and another 42.7% say they treat corruption risks as part of a larger documented process to address all compliance risks.”

II.                Due diligence

The Survey indicated that most companies have a good understanding of the need to, and performance of due diligence on third parties or acquisition targets. It found that 87% perform at least some sort of due diligence on third parties, and the criteria that help a compliance department decide how much diligence to perform generally seem risk-based. The top criteria were, in order, the nature of the work a third party would provide; the amount of contact the third party has with foreign officials; and where the third party is domiciled. A variety of tools were used to perform due diligence. These tools included: certifications from the third party that it has no corruption problems; reviews by your company’s legal or finance team; and data collected by your local business-unit leaders. Reference checks, on-site interviews, and research from professional investigators were some of the less-used techniques.

III.             Third parties

The Survey found that many companies are still struggling with ongoing anti-corruption monitoring and training for their third parties. Regarding training, 47% of the respondents said that they conduct no anti-corruption training with their third parties at all. The efforts companies do take to educate and monitor third parties are somewhat pro forma. More than 70% require certification from their third parties that they have completed anti-corruption training; 43% require in-person training and another 40% require online training. Large companies require training considerably more often than smaller ones, although when looking at all the common training methods, fully 100% of respondents say their company uses at least one method, if not more.

An astonishing 47% of all respondents said they conduct no anti-corruption training with their third parties at all. The numbers are even higher for companies based outside of North America (51%) and those with less than $1 billion in annual revenue (55%). Violet Ho, senior managing director for Kroll’s practice in greater China, was quoted as saying, “A lot of companies have very good intentions of doing a thorough job looking at their third parties,” Ho says. “But ultimately when you are a very large organization with more than 10,000 vendors, it’s not financially viable. You do not really have the time or resources to look deep into each and every one of them.” Another factor that Ho noted was significant is that companies often do not even know how many third parties they use, which makes training all of them impossible. Moreover, corporations typically have much less bargaining power with third parties, especially when they are located in far-flung jurisdictions. The result: if a company is using only one vendor to source an item and asks that vendor to promise to follow some anti-corruption code of conduct, the vendor feels emboldened to refuse.

Lastly, Ho stated “Trying to reach all third parties with a generic, headquarters-issued policy is a waste of time and money. Such policies tempt employees and third parties to find loopholes, and they ignore important regional differences. On-the-ground workers, are focused on revenue and profit, not compliance. Those goals aren’t mutually exclusive, but they do require coordination for a policy’s effective implementation—which adds all the more pressure on compliance officers to articulate why strong anti-corruption programs are good for business.” Clearly this Survey shows the challenges around third parties.

IV.              Effectiveness

For all a company’s efforts at risk assessment, due diligence, and monitoring third parties, the ultimate question for a compliance officer is simply does my system work? Questions about effectiveness, therefore, get to that core issue of whether all the compliance activities outlined above actually make the business less vulnerable to corruption risk. The Survey found that the responses in their anti-corruption procedures depended on how close to home the tasks actually are. 73% rated their training of domestic employees as “effective” or “very effective.” That figure dropped to 63.8% for foreign employees, and only 30% for third parties.

Melvin Glapion, Kroll managing director in EMEA, said that this phenomenon was the “downward and outward” problem. He explained that this meant that companies tend to overestimate how seriously messages sent from corporate headquarters are received elsewhere. Cultural differences abound, and many employees don’t see how anti-bribery policies apply to them in their daily jobs. Worse, the person doing compliance checks is often less senior than the executives he or she is monitoring.

Companies with less than $1 billion in revenue were actually more confident in their procedures’ effectiveness than larger businesses, the survey showed. Glapion was quoted as saying “that may be because smaller organizations have less bureaucracy and fewer third parties, or they may feel that they are not necessarily in the firing line.”

The Survey appears to indicate that companies still have a long way to go in certain areas, particularly third parties. The Survey provides the compliance practitioner with a good benchmark to look at the overall company program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 28, 2013

Risk Assessments in an Anti-Money Laundering Compliance Program

Today we celebrate that noted British comedian who made his fame in America – Bob Hope.  He had a successful film career largely thanks to the series of seven “Road” movies he made with Bing Crosby and Dorothy Lamour, including Road to Singapore (1940), Road to Morocco (1942), Road to Utopia (1946) and Road to Rio (1947). Hope is also known for his entertainment of US military forces overseas. In 1941, after America’s entrance into World War II, Hope began performing for US troops abroad; he would play shows for more than a million American servicemen by 1953. Some 65 million people watched him perform for troops in Vietnam on Christmas Eve in 1966, in his largest broadcast. Hope also became a legend for his countless TV specials, which he would perform over the course of some five decades. He hosted the Academy Awards ceremony a total of 18 times, more than any other Oscars’ host.

What does Bob Hope have to do with compliance? First he was a comedian and second he reinvented himself several times. The anniversary of his birthday reminded me of an article written by Carole Switzer, the co-founder and President of the Open Compliance and Ethics Group (OCEG), for Compliance Week Magazine entitled “Analyze This: The Value of Business Risk Assessments.” In her article, one in a continuing of her series of GRC Illustrated articles, Switzer says that anti-money laundering (AML) compliance programs, like therapy are “difficult to define and relatively easy to avoid.” She quoted Larry David, co-creator of Seinfeld and creator of “Curb Your Enthusiasm” for the following thought on therapy, “I know enough about myself now to know that I really don’t need to know anymore.” Unfortunately, as Switzer notes, many companies have the same problem when it comes to their AML programs.

Switzer discusses a recent report by the UK Financial Services Authority (FSA) which highlighted four general reasons that UK banks failed to have effective AML programs. The same four reasons hold true for non-banking sector US companies in the area of AML.

(a) Denial. The FSA reported that one-third of the banks “failed to review their business-risk assessment program on a regular basis. Additionally, about one-third of the companies scrutinized also failed to alter their risk assessments in response to new developments and insights, such as when allegations of major corruption were levied against a customer or when a country’s risk profile spiked due to regime change.”

(b) Grandiose delusions (imagine a bank with grandiose delusions!). The FSA found that too many “customer-facing “relationship managers” could override customer risk scores produced by the risk-assessment program—without sufficient evidence to support the decision to disregard the score.”

(c) Borderline suspicious. Bank personnel did not understand how the AML risk assessment was generated and indicated that they were “confused” regarding what score indicated that a customer was a high risk.

(d) Avoidance coping. The FSA noted that institutions “inappropriately low risk weightings for high-risk factors, “sometimes overtly”; while “other banks chose to ignore well-known high-risk indicators and other adverse information from a variety of sources, “such as links to certain business activities commonly associated with higher levels of corruption.”

Fortunately Switzer laid out her thoughts on what an effective business risk assessment program should contain. From this risk assessment, you can identify where your company should focus its AML resources, determine how changes might affect your company, and where your program may need enhancement. She is quite clear that without an effective risk assessment, “your AML program will be inefficient as well as ineffective.” She sets our five steps to take.

  1. Define the Risk. Switzer says that “At the forefront of any good business risk assessment program is an executive vision. The executive sponsorship must ask themselves diffi­cult, critical questions.” This is largely because while there are certainly known risks to a business there are also risks you and your company may not be aware of so it is important to define what you know but leave it flexible enough to cover the unknown when it becomes known to you. Switzer lists some of the questions that you might begin with, which include: What are the inherent risks in our current business? What controls do we have in place? How much risk, after the business risk assessment process is instituted, remains? Should we close business locations? Should we add additional controls? Should we put spending restrictions in place? Are other industries at the same level of risk?
  2. Gather Intelligence. In this step, after executive sponsorship has set the strategy in motion, you must gather intelligence to truly understand the exposure across the organization’s products, services, and customer base. The AML team should consult local business and compliance leaders to gain key insight. The specific steps include: (1) Develop the business risk assessment questionnaire. (2) Determine what controls are currently in place. (3) Review the external risk. (4) Understand the magnitude of each risk factor. (5) Gather and normalize all data for review.
  3. Review the Findings. Once a full business assessment has been conducted and all the data collected, a full analysis of the data is performed at multiple levels. The overall picture of risk is reported to business line, regional leaders, and enterprise leaders. Switzer’s specific steps include (1) Creation of full evaluation reports of all measured data. (2) Involve AML staff, regulators, and critical business leaders in your review. (3) Utilize external, unbiased consultation to determine product and service risk for remediation.
  4. Decide How to Proceed. Switzer advises that after you come to an understanding of your exposure and risk, your vision has been set, and you have gathered data and reviewed it, you can set a course to move ahead. However, she cautions that “continual review of the plan’s impact on the business, even at this stage, is critical.”
  5. Implement the Plan. At this final step, after your company has defined its strategy, determined, by measurement, the exposure to AML risk, understood and evaluated the areas of potential risk and then “determined a path to accept, resolve and eliminate, it’s time to go to work setting the plan into motion—however, just because you are now implementing doesn’t mean you can relax. Constant scrutiny, learned best practices, and ongoing monitoring are critical.”

Switzer concludes by stating that “Risk assessment programs must evolve quickly as risks and crimes do. Building in a good system of correction and monitoring that can flex with your organization is critical.” So just as Bob Hope reinvented himself as the tastes of society changed, your risk assessment should be a “living, breathing process.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 27, 2013

Board Responsibility under the FCPA – A Herculean Task?

The nightmare of every corporate director is to wake up to find out that the company of the Board he or she sits on is on the front page of a national newspaper for alleged illegal conduct. This nightmare came true for the Directors of Wal-Mart when the New York Times (NYT), in an article entitled “Vast Mexico Bribery Case Hushed Up by Wal-Mart After Top-Level Struggle”, alleged that Wal-Mart’s Mexican subsidiary had engaged in bribery of Mexican governmental officials and that the corporate headquarters in Bentonville, Arkansas, had covered up any investigations into these allegations.

I.                   Legal Standard

What are the obligations of a Board member regarding the US Foreign Corrupt Practices Act (FCPA)? Are the obligations of the Audit Committee under the FCPA at odds with a director’s “prudent discharge of duties to shareholders”? Do the words prudent discharge even appear anywhere in the FCPA? Under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The US Department of Justice (DOJ) Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program?; and (2) Are Directors provided information sufficient to enable the exercise of independent judgment?

As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, one can look to Delaware corporate law for guidance. The case of Stone v. Ritter holds for the proposition that “a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate exists.” From the case of In re Walt Disney Company Derivative Litigation, there is the principle that directors should follow the best practices in the area of ethics and compliance.

Board failure to heed this warning can lead to serious consequences. David Stuart, a senior attorney with Cravath, Swaine & Moore LLP, noted that FCPA compliance issues can lead to personal liability for directors, as both the Securities and Exchange Commission (SEC) and DOJ have been “very vocal about their interest in identifying the highest-level individuals within the organization who are responsible for the tone, culture, or weak internal controls that may contribute to, or at least fail to prevent, bribery and corruption”. He added that based upon the SEC’s enforcement action against two senior executives at Nature’s Sunshine, “Under certain circumstances, I could see the SEC invoking the same provisions against audit committee members—for instance, for failing to oversee implementation of a compliance program to mitigate risk of bribery”.

II.                When Things Get Bad

While generally the role of a Board should be to keep really bad things from happening to a Company, once really bad things have occurred the Board needs to take charge and lead the effort to rectify the situation or perhaps even save the company. While giving oversight to risk management through an Audit Committee or a Compliance Committee is a good first step, such a committee needs to have sufficient independence from the management which got the company into such hot water.

In a recent White Paper entitled “Risk Intelligence Governance – A Practical Guide for Boards the firm of Deloitte & Touche laid out six general principles to help guide Boards in the area of risk governance. These six areas can be summarized as follows:

  • Define the Board’s Role – There must be a mutual understanding between the Board, Chief Executive Officer (CEO) and senior management of the Board’s responsibilities.
  • Foster a culture of risk management – All stakeholders should understand the risks involved and manage such risks accordingly.
  • Incorporate risk management directly into a strategy – Oversee the design and implementation of risk evaluation and analysis.
  • Help define the company’s appetite for risk – All stakeholders need to understand the company’s appetite, or lack thereof, for risk.
  • How to execute the risk management process – The risk management process must maintain an approach that is continually monitored and had continuing accountability.
  • How to benchmark and evaluate the process – Systems need to be installed which allow for evaluation and modifying the risk management process as more information becomes available or facts or assumptions change.

All of these factors can be easily adapted to FCPA compliance and ethics risk management oversight. Initially, it must be important that the Board receives direct access to such information on a company’s policies on this issue. The Board must have quarterly or semi-annual reports from a company’s Chief Compliance Officer (CCO) to either the Audit Committee or the Compliance Committee. This commentator recommends that a Board create a Compliance Committee as an Audit Committee may be more appropriate to deal with financial audit issues. A Compliance Committee can devote itself exclusively to non-financial compliance, such as FCPA compliance. The Board’s oversight role should be to receive such regular reports on the structure of the company’s compliance program, its actions and self-evaluations. From this information the Board can give oversight to any modifications to managing FCPA risk that should be implemented.

There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. It appears that the SEC desires Boards to take a more active role in overseeing the management of risk within a company. The SEC has promulgated Regulation SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company, which fails to make it, to fines, penalties or profit disgorgement.

III.             What the Board wants to know from compliance

In an article in the May issue of Compliance Week Magazine, entitled “What the Board Wants to Know from Compliance”, author Joe Mont explored some of the issues he believes that a Board will want to know about their company’s compliance program. Mont quoted Michael Bramnick, senior knowledge leader for LRN, who said, “Boards really only want an answer to the question: ‘How do we know it is working?’ In other words, is a company’s compliance program living “up to the hallmarks of an effective compliance program in the eyes of the government.”

A.     Questions About Process

Mont believes that Boards should “want more information on the processes to carry out the compliance function, rather than details on specific compliance issues”. He quotes Dennis Beresford, professor of accounting at the University of Georgia’s Terry College of Business, for the following “Boards want to know that there is a single individual or project management office keeping track of all this stuff and making sure that it is being handled properly. They want the comfort of knowing that there is a system in place that keeps track of compliance requirements.”

B. Questions About Internal Reporting

Another area of Board interest is compliance hotlines. In this area, Mont believes that Boards desire “to know details about who answers the calls or e-mails that come in, how they are trained, if the process is outsourced, and assurances that the hotline is truly anonymous, with no use of caller-ID or GPS tracking. Other common questions from the board include: How are calls classified and routed? Who gets notified for what types of calls? How is the investigative process divided among various functions?” If the company hotline is used, this may show that “employees are comfortable enough to speak up and that, when they do, about good things or bad, they are listened to, there is follow-up, and trends are evaluated and reported back to them.”

C. Questions About Accountability

Responsibility is yet another topic that Mont believes Boards need to stay abreast on as “directors want more details on who’s responsible for what. Boards want assurance that the compliance function has developed a charter that makes it clear to them where obligations fall across management so it can assess accountability.” He quotes Bramnick who stated that “Effective boards let management do their job running the business on a day-to-day basis, and they understand that their job is to set long-term strategy,” he says. “It is not for them to be looking at every contract.”

D.  Questions About Strategic Planning

Jaclyn Jaeger, writing in the December 2011 issue of Compliance Week Magazine, in an article entitled Board Checklist: What Every Director Should Know, wrote about a panel discussion at the Association of Corporate Counsel’s 2011 Annual Meeting. In the article she quoted panel participant Amy Hutchens, General Counsel and Vice President of Compliance and Ethics at Watermark Risk Management International, on the need for strategic planning by the Board. Hutchens believes that “a truly effective and informed board knows where the company stands not only at the present moment, but also has the strategic plan for how the compliance and ethics program can continue to grow.” Similarly, Stephen Martin, a partner at Baker and McKenzie, suggests that such knowledge is encapsulated in a 1-3-5 year compliance game plan. However, a compliance program should be nimble enough to respond to new information or actions, such as mergers or acquisitions, divestitures or other external events. If a dynamic changes, “you want to get your board’s attention on the changes which may need to happen with the [compliance] program.”  Hutchens believes that such agility is best accomplished by obtaining buy-in from the Board through it understanding the role of forecasting the compliance program going forward.

Mont quoted Bramnick that “Boards have really a Herculean task in today’s regulatory climate.” But more than simply the regulatory climate, shareholders are taking a much more active role in asserting their rights against Board members. It is incumbent that Boards seek out and obtain sufficient information to fulfill their legal obligations and keep their company off the front page of the New York Times, Wall Street Journal or Financial Times, just to name a few, to prevent serious reputational damage.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 24, 2013

SFO & the Bribery Act: Sector sweeps, facilitation payments & London listed companies

Ed. Note-today we post an article which was up on the site, thebriberyact.com. It discusses some recent remarks by SFO Director David Green. We are thankful to our colleagues Barry Vitou and Richard Kovalevsky QC for allowing us to post it. As always, the guys continue to ‘Shine a Light’.

News reaches us of a private small round table session put together by Transparency International and attended by some from the US FCPA white collar community (we understand Mark Mendelsohn attended) and our very own David Green CB QC, Director of the Serious Fraud Office.

Here’s the skinny based on our source.

The headline message promulgated by David Green will be not be news to those who have been following Mr. Green’s hard hitting public pronouncements in the UK (or reading this website) though as ever, it’s always important to be able to read between the lines.

The clue’s in the name

Mr. Green emphasized that the SFO is reverting to type and will focus on prosecution of Serious Fraud.

The advisory and guidance role of the SFO, something Mr. Green’s predecessor branched out into, was shuttered on the (not so) new Director’s arrival at the SFO over a year ago.  We understand that this was something that some hapless souls learnt the hard way when they stumbled into the SFO looking for some help!

Nevertheless, while we understand the rationale we think it’s a shame the SFO is no longer extending the olive branch of advice and guidance.

It seemed to us that there was something to be gained from a channel of communication between corporations and the SFO outside of the usual dynamic of prosecutor and prosecuted.  The DoJ engage in something along these lines with their Opinion Release procedure (which to be fair the SFO has never offered).  However, we digress…

Facilitation payment Guidance tossed in the garbage

Mr. Green also publicized his junking of the facilitation payment guidance and the presumption against prosecution for Self Reporting companies.

It’s fair to say that many have, in our view, misconstrued this to mean that Civil Recovery Orders are off the table and that we are now back to ‘cat and mouse’ and the binary decision of whether to prosecute or not.  This is silly, in particular when one of the first things Mr. Green did on arrival at the SFO was to approve a civil recovery order in respect of Oxford University Press.

Listen carefully.  Mr Green says that a true Self Report (namely a corporate telling the SFO something that it does not already know or would not find out about, but for the Self Report) will weigh very heavily in the balance when weighing the public interest about whether or not to prosecute.

In our view Civil Recovery Orders (which Oxford University Press should demonstrate anyway) are not dead and buried – though that does not fit the narrative of those whose marketing relies on scaring potential customers.

As we recently reported the publication of the guidance around Civil Recovery Orders was not for nothing.  Cue, Civil Recovery Orders still very firmly on the menu – but only in the right circumstances.

In a hurry but not going to rush

At the US meeting Mr. Green signaled a desire to bring headline cases and as soon as possible.  The truth is that this is not just a desire but a political reality.  Mr. Green is on a 4 year contract at the SFO and is already a quarter of the way through his tenure.

An extra credit line from Whitehall of nearly £4 million last year to deal with LIBOR (and no doubt the same again this year) means that, like it or not (and regardless of what might be said publicly), the political paymasters will be looking for some crowd pleasing banker bashing headline prosecutions in short order.

This will be easier said than done in a legal system where, unlike the US, there is (thank goodness at least for the forseeable future) NO concept of Respondent Superior.


In other news we understand Mr. Green conveyed that he is attracted to sector sweeps with customs duties (in other words what many would understand to be facilitation payments) a possible area of attention.

Frankly sector sweeps MUST be the way to go in any sensible SFO strategy.  Otherwise known as ‘pulling the thread’ the chances are that a corruption investigation will open new lines of enquiry.  As to the issue of facilitation payments, they are a thorny topic but under UK law they are illegal.

London listed? Mind your backs…

Finally we understand David Green explained, broadly speaking, that companies listed in London in his view fall under the regulatory purview of the Serious Fraud Office.  Given the importance of the London markets to the UK economy this is hardly a surprise.

While, some may express consternation by this given the Ministry of Justice guidance (which said that broadly speaking a London listing on its own would not be enough to trigger the jurisdiction of the Bribery Act) we know that privately it has ALWAYS been the SFO view that there WILL almost ALWAYS be additional connections with the UK which give it jurisdiction.  Ultimately this will be a question for the courts if and when it is tested.

The proof of the pudding

Of course the proof of the pudding will be in the eating.  Something David Green QC is only too well aware of.  Expect Mr. Green to act.

The SFO story has now moved on.  Today the real question in the wake of the numerous recently kicked off investigations is:

Has the SFO bitten off more than it can chew?

The answer remains the same, the proof of the pudding will be in the eating.

May 23, 2013

Getting Employees to Care About a Compliance Policy

Putting a compliance policy into practice is not something that most companies do very well. How do you get buy-in for a new or amended compliance policy? How do you determine if a new compliance policy contradicts anything that you currently have in your compliance policy portfolio?

When thinking about such questions regarding compliance policies I am reminded of four questions posed by Stephen Page, in his book “Achieving 100% Compliance Of Policies and Procedures”, wherein he poses the following questions: (1) What is the nature of the policies owner’s function? As these are compliance policies, they are critical to a company doing business in compliance with relevant anti-corruption/anti-bribery laws such as the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act. (2) What is your organization’s overall vision and mission? This question speaks to management’s commitment to doing business ethically and in compliance with legal requirements. (3) What is the content of the policies? This speaks to the connection of the policy goals with other incentives, such as compensation and promotion. (4) What is your company’s receptivity to the policy? This question speaks to training and communication so that employees will understand not only the underlying reason for the policy but drive adherence to the policy.

These and other questions were explored at the recently concluded Compliance Week 2013 event in a session entitled “Case Study: Putting Policies into Practice at Dell”. Kristi Kevern, Director of Operational Compliance and Page Motes, Director, Strategic Programs Office – Global Ethics & Compliance from Dell Corporation, were the two panelists for the event. Kristi discussed how Dell overhauled its entire compliance policy management program and I will discuss her remarks in a later blog. Motes does not come from a compliance background but came from business development. I found her perspective quite different from the usual compliance perspective. From where she sits, she recognizes the need to internally market a new compliance policy; however this marketing plan must begin at the inception of a compliance policy and not after it has been drafted.

Motes said that it is incumbent to obtain buy-in from the business units before a compliance policy is drafted because, after all, it is the business units which will implement a compliance policy. This begins with a business unit sponsor who should have ownership of any new compliance policy. After the initial draft is made, it should be circulated to make sure that the compliance policy is workable and that it is translated from legalese (or accounting-ese) or other technical jargon into plain English. She said that is one of her key roles.

The next step is the internal market. Here Motes believes that a key is to move away from words such as ‘ethics’ to words that denote behaviors. She said that her group would talk about trust, honesty, respect, judgment and responsibility. After rollout the compliance group must train on the new policy and then monitor to ensure that it is followed. Finally, there must be some consequences to an employee if they are trained but fail after multiple warnings to follow a policy.

I thought about Motes’ ideas when I read a recent article in the June issue of Fast Company magazine, entitled “Starbucks’s Leap of Faith” which discussed the company’s rollout and approach to innovation. One of the examples in the article was when Starbucks rolled out its mobile application to allow customers to pay through their smart phones. The company worked with staff on proto-types, then trained and followed up with interviews to determine how the new system was working. Recognizing that there were technical glitches to overcome, the company persevered. Ryan Records, Vice President of Payments, was quoted as saying “it became seamless and flawless and an elegant way to pay” and that payment method now accounts for roughly 10% of the company’s total pay each day.

The Starbucks story drove home to me the key message from Motes. You must work with the business units to operationalize any policy. While it is true that a compliance professional will be the subject matter expert on the requirements of what should go into a compliance policy, but it is equally important on how that information is imparted and getting employees to care about the policy. Page puts it in a slightly different light. He said “From a systems viewpoint, it is often the organization’s infrastructure, and not its people, which is rigid and inflexible, often leading to angry and frustrated employees. If people cannot approach problems, talk openly, or give opinions, then this prevailing attitude can cause withdrawal and people who do not care. The clearer the tie between what an organization is doing and the results, the more energy, commitment, and excitement they will generate during a change process.” I think the latter sentence is what you need to strive for in the realm of compliance policies.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 22, 2013

What Are The Essential Elements of a Corporate Compliance Program?

Can you synthesize and reconcile the world’s leading laws, regulations and commentaries on the best practices an anti-bribery and anti-corruption compliance program. I recently saw one such approach by Paul McNulty and Stephen Martin of the law firm, Baker and McKenzie. They have developed what they term the five essential elements of a corporate compliance program. These five elements are based upon the best practices as set out in the seven elements of a corporate compliance program under the US Sentencing Guidelines; the 13 Good Practices by the OECD on Internal Controls, Ethics, and Compliance; the FCPA Guidance’s Ten Hallmarks of Effective Compliance Program and the UK Bribery Act’s Six Principles of an Adequate Procedures compliance program. The five elements are:

  • Leadership
  • Risk Assessment
  • Standards and Controls
  • Training and Communication
  • Oversight

I.                   Leadership

The point means more than simply “Tone-at-the-top”; a successful compliance program must be built on a solid foundation of ethics that are fully and openly endorsed by senior management. There should be an unambiguous, visible and active commitment to compliance. But even more than support or the right tone, compliance standards require that companies must have high-ranking compliance officers with the authority and resources to manage the program on a day-to-day basis. And compliance officers must have the ear of those ultimately responsible for corporate conduct, including the board of directors.

Some of the questions you might think about in connection with the leadership of your compliance program are the following: How is board oversight implemented? Is there an ethics or audit committee reporting to the full board? What is the role of the Chief Compliance Officer? What is the role of the General Counsel? How do the legal and compliance departments interact? Does the CCO have “real power”? Is she or he treated as a second-class citizen?

Equally the Board of Directors has a key role to fulfill. The Board must ensure compliance policies, systems and procedures are in place and it should monitor implementation and effectiveness of the compliance program:

  • Be actively involved
  • Attend Board meetings
  • Review, consider and evaluate information provided
  • Inquire further when presented with questionable circumstances or potential issues
  • Once Board knows of a potential compliance issue it must act.
  • Regularly receive compliance briefings and training.

II.                Risk Assessment

The implementation of an effective compliance program is more than simply following a set of accounting rules or providing effective training. Compliance issues can touch many areas of your business and you need to know not only what your highest risks are but where to marshal your efforts in moving forward. A risk assessment is designed to provide a big picture of your overall compliance obligations and then identify areas of high risk so that you can prioritize your resources to tackle these high risk areas first.

What are some of the areas where you need to assess your risks?

  1. Country Risk – What is the correlation between growth markets and corruption risk and what is the perceived level of corruption? In other words, the Transparency International Corruption Perceptions Index or similar list.
  2. Sector Risk – Has government publicly stated industry is under scrutiny or already conducted investigations in sector? Are there corruption risks particular to the industry?
  3. Business Opportunity Risk – Is the business opportunity a high value project for your company? Are there multiple contractors or intermediaries involved in the bidding or contract execution phase?
  4. Business Partnership Risk – Does this business opportunity require a foreign government relationship? Does a foreign government require you to rely upon any third parties?
  5. Transaction Risk – Will your company be required to make any “compelled giving” through any requirements for political or charitable contributions? Are you required to use any intermediaries to obtain licenses and permits?

In addition to an initial risk assessment to either (1) inform your compliance program or (2) help you to identify high risks and prioritize their remediation, risk assessments should be a regular, systemic part of compliance efforts rather than an occasional, ad hoc exercise cobbled together when convenient or after a crisis. They should be conducted at the same time every year and performed by a consistent group, such as your internal audit department or enterprise risk management team. Such annual risk assessments act as a strong preventive measure if they are performed before something goes wrong as it avoids a “wait and see” approach.

III.             Standards and Controls

Generally, every company has three levels of standards and controls. (1) Code of Conduct. Every company should have a Code of Conduct which should express its ethical principles. However, a Code of Conduct is not enough. (2) Standards and Policies. Every company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. (3) Procedures. Every Company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.

FCPA compliance best practices now require companies to have additional standards and controls, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on a piece of paper.

IV.              Training

Another pillar of a strong compliance program is properly training company officers, employees and third parties on relevant laws, regulations, corporate policies and prohibited conduct. Simply conducting training usually is not enough. Enforcement officials want to be certain the messages in the training actually get through to employees. The Department of Justice’s (DOJ) expectations of effectiveness are measured by who a company trains, how the training is conducted and how often training occurs.

There are several key elements to training. First is that you need to train the right people. You must prioritize which audience to educate by starting your training program in higher risk markets and focus on directors, officers and sales employees who may have direct contact with government officials or deal with state-owned entities. Again, focus initially on training country managers in your company’s high-risk markets, then expand geographically and through the ranks of employees.

Second, in high risk markets and for high risk employees or third parties you should conduct live, annual training. Enforcement officials have made it clear that live, in-person training is the preferred method in high-risk markets and also that it should be regular and frequent. Another benefit of live training is the immediate feedback from employees that would be much less likely to occur during a webinar or other remote training. Lastly, during live training, employees are more likely to make casual mention of a potentially risky practice, giving you the opportunity to address it before it becomes a larger problem.

It is important that you pay attention to what employees say during training. This is because training can alert you to potential problems based on the type of questions employees ask and their level of receptiveness to certain concepts. For example, during training employees might ask specific questions about important compliance considerations such as their interactions with government officials or gift-giving practices. Such questions can raise red flags and uncover issues that should be reviewed and addressed quickly.

V.                 Oversight – including monitoring, auditing and responses

The issue your company should focus on here is whether employees are staying with the compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are adhering to the compliance program. These ongoing efforts demonstrate your company is serious about compliance.

Monitoring is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. While unique in protocol, however, the two functions are related and can operate in tandem.

Finally, what are your remediation efforts? Your company should remediate problems quickly. A key concept behind the oversight element of compliance is that if a company is policing itself on compliance-related issues, the government will not have to do it for them. Remediation, then, is an important component of oversight. It is not enough to just gather information and identify compliance problems through monitoring and auditing. To fulfill this essential element of compliance, you also have to respond and fix the problems.

I have found that the Baker ‘Five Essentials’ approach is an excellent way to think through your obligations under a wide variety of anti-corruption and anti-bribery requirements. It allows you to put in place a program which should meet virtually any legal requirements you may come up against by doing business anywhere in the world. Lastly, the five-step approach is an excellent way for you to benchmark your current compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 20, 2013

An Inspired Choice – Ethical Leadership Under Difficult Circumstances

I am attending Compliance Week 2013 through Wednesday. As usual Matt Kelly and the Compliance Week team have put together a first rate program for the event. There have been, and will be over the next couple of days, some very informative panels, speakers, roundtables and conversations. The conference began today with a talk by Retired Major General Lewis MacKenzie, the former head of the United Nations peacekeeping forces. Although General MacKenzie’s choice as the initial keynote speaker of the conference might not seem self-obvious, I found Matt Kelly’s invitation to the General to speak and his position as the first speaker on the first day of the conference, were both inspired decisions.

The theme of his talk was how to maintain ethical leadership under difficult circumstances. Matt Kelly posed the question to the General of “how do you speak the truth to power?” The General began his remarks by giving his definition of leadership, which as he said was “getting people to do what they don’t want to do and having them enjoy it while they are doing it.” Based on that definition and his remarks below, I came to see why Matt wanted the General to speak to a gathering of compliance professionals on ethical leadership under difficult circumstances.

The General said that it all starts with a leader being him or herself, after they take the reins of leadership. He believes that people usually rise to a high level in an organization because of technical competence, coupled with the relationships they developed along the way. He believes that a leader must strive to maintain those relationships because that is the key to information flow both upwards to the top and down through the organization. A leader must take all pains not to become isolated.

The General believes that relationships work in several critical areas. The first is that a leader can utilize the talents of his subordinates to not only understand but to overcome obstacles. But equally important is that by having a relationship with someone, it may provide an avenue to resolve a matter before it blows up into a full financial reporting issue or even criminal issue. He said that he would try to find out the one thing that his troops were passionate about and he could use that information “as a window into what they think about the organization.”

He designated his next point with the acronym, LWWA, or ‘leading while walking around’. He said that to get people to do things, a leader must get out of the office and talk to people. But he cautioned that it is more than simply talking to people, as he believes a critical skill of a leader is to listen as well. To this skill, he said that rather than hear someone and think about what your response might be, you should actually listen to what they have to say. He found that by listening good ideas could come up to him and then he could implement them and get the credit.

The General talked about courage. By this he did not mean the courage to lead a charge up a hill, but rather, he meant the courage to say no and to hear someone who says no to you. He believes it is the job of a leader to set the tone for an organization. A leader must teach his subordinates to have the courage to disagree with him or as he said “disagree without being disagreeable”. If one of the first things you do in a leadership position is belittle or defame publicly someone who disagrees with you, no one will do so in the future.  For a leader to succeed, the General believes that a speak up culture must exist. To do so, a leader must make it acceptable and safe for subordinates to say no.

It is the job of a leader to accept responsibility. In an interesting exercise, the General asked the entire audience of over 500 conference participants to raise their hand if they had ever been criticized for being ‘too responsible’. He then asked anyone in the audience to raise their hand if they had criticized someone else for being ‘too responsible’. No one person raised their hand in response to either query. It is clear that the General believes a leader must take responsibility. Further, there is no ‘but’ which follows the line “I am responsible”. In other words, no ifs, ands, or buts are allowed when it comes to a leader taking responsibility.

The General said that one of the best ways he found to motivate people was to give them a job which had difficult but not impossible objectives to success. This has two benefits. The first was that most people would be motivated to try and achieve the difficult objective. However the second was more long term. By achieving the results, the person or team had something to brag about and it gave them greater confidence going forward. This is particularly true if there is a metric which can be used to demonstrate the overcoming of the obstacle. However, a leader must not set a high or unreasonable objective that it can only be achieved by “breaking the back of the organization.”

The General took some questions from the audience. One that I found applicable to the compliance arena was about resources. Specifically he was asked how to carry out missions with limited resources. He tied his answer back into his thoughts on relationship. He said that people want to contribute their ideas. If you give them a means to do so, in a speak up culture, they can be your best resource. An army has often times to do more with less and must do so on the fly. But this same concept translates to civilian employees who want their company to succeed and can stand ready with ideas to assist you moving forward toward your objective.

If you are a Chief Compliance Officer (CCO) or in a senior leadership position, you should think about the General’s remarks in the context of what you and how you do it, within your organization. Do you have relationships with other key members of senior management so that you can go to them, not only when things are going well, but more importantly when they are not going well or a crisis has arisen? Do you have a speak up culture at your company? If not why not, as that certainly is a part of any best practices compliance program under the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act.

Lastly, think about the General’s remarks on resources. One never has all the resources you need or even think that you want. But use the talent that is available to you. There are other professionals in your company who do not work in the compliance department but are equally dedicated to doing business ethically and in compliance. Human Resources and Internal Audit are but two prime examples. Seek them out and ask their assistance. I think you may be well surprised at the solutions they can provide or suggest to you.

As I said, by the end of General MacKenzie’s talk, I had come to believe that Matt Kelly made an inspired decision not only to invite him to speak to the conference but to be the first speaker out of the box. It has set a great tone for the event.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 19, 2013

The Drugstore Cowboy and Compliance

One does not have to look very far in the business world to come across the phrase “Know Your Customer.” A company certainly needs to know if an entity that it may sell products or provide services to will pay for those items. Running a Dun & Bradstreet credit check is routinely performed to ascertain if a counter-party is a good credit risk. But how much more should a company do in regards to its customers? Clearly banks, other financial institutions and even casinos need to assess a customer from the perspective of anti-money laundering (AML). Is there a reason grounded in the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act that would suggest that customers should go through background scrutiny from the anti-bribery/anti-corruption compliance perspective?

I thought about internal controls regarding due diligence requirements on customers, effective compliance programs and third party validation of credentials when reading an article in June issue of Wired Magazine, entitled “Drugstore Cowboy”, by Jake Pearson. I found this article to be a very cautionary tale for those companies which need to consider just whom they are doing business with or for. The story involved an undercover sting operation by the US government against Google. The operation involved a convicted felon, one David Whitaker, who convinced law enforcement authorities that Google had assisted him, in violation of its own internal protocols and US laws, to sell illegal “black market steroids and human growth hormones” online. Whitaker told federal officials that “Google employees had actively helped him advertise his business, even though he made no attempt to hide its illegal nature.” Based upon his experience, Whitaker believed that Google must be “helping other rogue Internet pharmacies too.”

On paper, it appeared from the article that Google has a systems designed to ferret out sites which used words or had other indicia that they were selling illegal drugs. There was an initial screening by a Google sales representative. There was an automated program which searched for key words that might indicate illegal drugs were being sold. There was a review of the website itself to see of other factors were present which might show that illegal products were being sold. Finally, Google used a third party verification service, to attest that any site selling pharmaceutical products was properly licensed.

Based upon his experiences, the government set Whitaker up with an alias, fake company, bank account and phone lines and then monitored and watched him to see if his claims were true. He was told to see if Google would actively assist him to sell advertising for a non-existent company called “SportsDrugs.net, a website that sold HGH and steroids from Mexico, with no doctor’s prescription.” The plan that Whitaker used was straightforward.

  1. Establish a fake identity. Whitaker made cold calls to representatives of Google to get set up as an account in the company’s system.
  2. Submit the site. The feds designed the sting operation so that it would be obvious the false company was selling illegal drugs. So it offered HGH and steroids, had pictures of the drugs and even had a ‘Buy Now’ button to make clear that no doctor’s prescription was required. The Google sales representative passed the fake sales site along for “policy review, an automated process that Google uses to vet all advertisers.”
  3. Scrub the site. After the fake sales company was initially rejected by the policy review process, a Google representative agreed to help “tweak it” so that it would pass through the Google approval process. The Google sales representative advised Whitaker to rename the site, remove the pictures of the illegal drugs and delete the ‘Buy Now’ button from the site.
  4. Rework the site. After the suggested changes were made by Whitaker, his fake site was approved by Google. Thereafter the items which had been removed from the website, including both the photos of illegal drugs and ‘Buy Now’ button were added back into the site, all with the assistance of the Google sale representative.
  5. Raise the stakes. In this phase, the undercover sting operation widened. After their initial success with SportsDrugs.net; the feds created other fake websites for Whitaker, all of which purported to sell illegal drugs. The other sites included one selling “RU-486, better known as the abortion pill, which is normally taken under close supervision of a doctor.”  Another site sold the psychotropic drugs Xanax and Valium, both without any need of a doctor’s prescription. In a final example the feds created a ‘Trojan Horse’ site; in which a pharmacy site that held a valid license also had sales for “three clearly disreputable online pharmacies.”

The chilling thing I found in this article was it reported that in each one of the false scenarios, Whitaker was reported to have explained to the Google representative the true nature and purpose of the site. All of the information that Whitaker conveyed made clear that these sites were designed to sell drugs which are illegal in the US, without a doctor’s prescription. In just over the span of three months, the undercover operation spent over $200,000 with Google.

Google ended up settling with the US government for a fine of $500 million. Although Pearson did not quote the US Assistant District Attorney, who headed the investigation and enforcement action, Peter Neronha, was quoted as telling the Wall Street Journal (WSJ) the “culpability went far higher than the sales reps that Whitaker worked with. Indeed, he said, some of the company’s most powerful executives were aware that illegal pharmacies were advertising on the site.” Google itself would not comment for the Pearson article.

From the account in the Pearson piece it would appear that Google had a system in place to check and make sure that it was not advertising sites which sold illegal drugs but that system, both human and automated, was worked around. For the anti-corruption compliance practitioner, I think that there are several key lessons which can be learned from this tale.

Train, Train, Train. If you sell services, which can be used to facilitate illegal conduct, you need to train your sales force to watch out for signs of that illegal activity. The initial Google sales representative who was contacted by Whitaker should have been the first line of prevention to stop the issue before it came up for the company.

Monitor, Monitor, Monitor. There should be several types of monitoring. If a business name comes through your system and it is rejected, there should be a monitoring mechanism in place to note if it reappears later or is approved through some other means, as was done in this situation. Similarly, if the name of a business owner comes up in connection with another company, there needs to a mechanism in place to perform a cross check. The sales representatives should also be monitored to determine if they are manipulating the system.

Incentives, Incentives, Incentives. While not discussed in the Pearson article, what do you want to bet that the Google sales representatives were compensated, at least in part, with a commission based upon the number of GoogleAds that they sold? If your compensation structure or other incentive structure rewards people who use shortcuts, then there will always be employees who take them.

Audit, Audit, Audit. Remember the part of the story about how the Google sales representative would advise Whitaker how to scrub his website of key words, search terms and other information which would indicate that it was selling illegal pharmaceuticals only to reinsert those on the site after the scrubbed site had been approved? You need to audit to determine if any illegal conduct has begun after the contract is signed. And if you do not have audit rights, you have a very slim chance of actually performing an audit.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 17, 2013

Tell a Story to Drive Compliance

Sometimes a story will help you understand just what you did not understand. Did you know that the Federal Bureau of Investigation (FBI) launched a formal investigation in 1964 into the supposedly pornographic lyrics of the song “Louie, Louie.” That FBI investigation concluded that the lyrics of “Louie Louie” were officially “Unintelligible at any speed”. While this did not quite exonerate the song in the eyes of disapproving parent, it may have contributed to the song becoming one of the most-covered songs in rock-and-roll history. I thought about this oddity of history when reading an article in the most recent issue of In-House Texas, by Michael Maslanka, entitled “Tell Stories to Handle Client Frustration”. In his article he gives stories, as below, to use for 10 memorable scenarios of client frustration. They are certainly just as applicable to the Chief Compliance Officer (CCO) as they are a General Counsel (GC).

No. 1: “We’re in the right. Surely, that counts for something.” A California lawyer with whom I work tells clients, “I understand that you’re in the right. So is the pedestrian who always crosses on the green light and looks both ways. But he still can be flattened by an inattentive bus driver.”

Like stories, analogies can do the heavy lifting of delivering bad news, thus insulating the GC from being shot as the messenger.

No. 2: “We will fight this lawsuit, no matter the cost, for as long as it takes, whatever it takes.” Sometimes C-level executives imagine themselves as Winston Churchill, fighting on the beaches and the landing grounds, never surrendering.

But sooner or later it occurs to them that it’s only a lawsuit, not the fate of western civilization. They then start looking for a way out of the proverbial painted corner. At that point, an in-house counsel can paraphrase Voltaire, who said there were only two times in his life when he went broke: when he lost a lawsuit and when he won one. Stories help clients in many different ways. Allowing them to save face is one.

No. 3: “We can’t rush this decision. We need more time to make it. Issues of integrity and ethics are at stake.” A client seeks certainty, but the law provides only probabilities. This can lead clients to anguish over a decision. The wise counsel will listen for this phrase: “We could do X or Y, but isn’t that a slippery slope?” Sometimes clients say this when they don’t want to make a tough call.

The GC who needs to jostle a client toward a final answer can invoke Oscar Wilde, who famously remarked that morality, like art, requires drawing a line somewhere.

No. 4: Client at mediation: “Their opening offer is seven figures. We’re leaving.” Sometimes storming out is an effective tactic, and sometimes it’s not. To show internal clients that the GC is willing to fight, without getting mired down in pointless chest-thumping and other macho displays, this story from Texas history can help.

In October 1835, relations between Texan colonists and Mexico were tense. The Mexican army marched to Gonzales to ask for the return of a cannon the citizens had borrowed to fight off attacks by Native Americans. The response was a raised flag with a blue cannon on a white background, emblazoned with “Come and take it.”

No. 5: “We’ll look weak if we don’t fight on X issue. We can’t afford to cave in.” A year or so ago, I was working with a GC, deciding whether to risk forcing the EEOC to subpoena some documents. Our arguments for not turning them over voluntarily were weak, so we decided not to take the chance. But the GC’s internal clients wanted to fight. The GC asked them this question: “Is this the hill we want to die on?”

The GC attributed this story to a grizzled non-commissioned officer in Vietnam, who asked it of an inexperienced lieutenant before the start of a battle. Packaging stories in the form of questions is effective and engaging, and engagement leads to better decisions.

No. 6: “We fired the plaintiff in a knee-jerk reaction because he is a jerk. But, we need a reason that sounds better. I don’t want to sound dumb.” When in doubt, resort to the truth, counseled Mark Twain.

Why don’t people use the truth more frequently? Managers want to appear as if they always act wisely and deliberately, not emotionally and in haste. But jurors understand jerks, having certainly worked with one. Embrace truth; eschew elaboration.

No. 7: “But I was so close to the plaintiff. How could she do this to me?” I defended a case that involved a manager accused of sexual harassment. He was so upset by the allegations that he would get up in the middle of the night and re-read the complaint, trying to answer this anguished question.

Sometimes, there’s no answer to find beyond the truth of who the players are. My mother said that people never change; they only reveal themselves.

No. 8: “I can’t change my position. I’ll look like a fool.” Consistency is a virtue. But any virtue, taken to its extreme, becomes a millstone, not a life vest. According to U.S. Supreme Court Justice Felix Frankfurter, upon changing his mind on a legal issue, “Wisdom too often never comes, and so one ought not to reject it merely because it comes late.”

No. 9: “XYZ is wrong. I’ve got to blow the whistle right now.” No column about stories is complete without at least one reference to the Bible. Ecclesiastes 9:4 counsels, “For to him that is joined to all the living there is hope: for a living dog is better than a dead lion.”

Yes, something may be wrong, and a time comes when a person must stand up for what is right. But, all too often, a client only will get to do so one time before facing termination and possible ostracism. So, the client needs to make it count. Ecclesiastes delivers this message better than all the bloviated advice counsel can give.

No 10: “Just tell me what to do. You’re the general counsel.” The client, through the board and the C-suite team, makes decisions — not the legal department. As the Buddha told his disciples, people must be “lights unto themselves.” Counsel only can advise, never direct.

Maslanka ends his piece by stating that “even GCs in the biggest companies, possess zero organization-chart authority to direct those outside the legal department to do things. But, like all lawyers, they have something more powerful: moral authority. Stories help lawyers leverage that authority, because they are not lectures, which are ineffective, but reminders, which are effective.” I would hold that the same is true for the CCO. So, as Maslanka says, “Here’s to stories. Tell one.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Next Page »

Blog at WordPress.com.