FCPA Compliance and Ethics Blog

November 27, 2013

How Straight From The Lion’s Mouth Informs Your Hotline

The symbol of Venice is the Lion of St. Mark. The use of this symbol led to the maxim ‘straight from the lion’s mouth’. This adage came about because the Republic of Venice had its own hotline system where citizens could report misconduct. A citizen could write down his concern on paper and literally put the message into the mouth of statues of lion heads placed around the City. This system was originally set up to be anonymous but later changed to require that a citizen had to write his name down when submitting a message.

I thought about this early form of hotline and how its use portended the hotline systems used today to help companies identify compliance issues which might arise under an anti-corruption law such as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. Obviously the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) recognize the importance of an internal company reporting system, such as a hotline. The FCPA Guidance states, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation. Companies may employ, for example, anonymous hotlines or ombudsmen.” I have often heard Chief Compliance Officers (CCOs) speak about how they are able to not only hear about but address employees’ concerns through confidential reporting where it is clear there will be no tolerance for retaliation.

So, once again, using Venice as inspiration for a compliance topic, today I would like to review some best practices regarding a compliance hotline.

  1. The hotline should be developed and maintained externally. It seems axiomatic that employees tend to trust hotlines maintained by third parties more than they do internally maintained systems. Through the submitting of reports via an external hotline there is a perceived extra layer of anonymity and impartiality compared to a system developed in-house. A third party provider is also more likely to bring specialist expertise that’s difficult to match within the organization.
  2. The hotline supports the collection of detailed information. As with most everything else, information is power. If a CCO can gather and record information throughout a complaint life cycle, the company will have greater insight into the situation and a company can protect itself more effectively from accusations of negligence or wrongdoing. A hotline reporting system should provide consolidated, real-time access to data across all departments and locations, plus analytic capabilities that allow you to uncover trends and hot spots. All reported materials should be consolidated in one comprehensive, chronologically organized file, so a CCO can monitor ongoing progress and make better, more informed decisions.
  3. The hotline must meet your company’s data retention policies. Retaining data in a manner consistent with your internal data retention policies is important. A hotline should offer a secure, accessible report retention database, or you may be faced with making your own complicated and costly arrangements for transmitting and storing older reports to a permanent storage location.
  4. The hotline should be designed to inspire employee confidence. Retaliation or perceived unfairness to those making hotline complaints will destroy the effectiveness of the internal reporting process and poison the corporate culture. A hotline must be seen to offer the highest levels of protection and anonymity. To encourage employee participation, the hotline should allow them to bring their concerns directly to someone outside their immediate chain of command or workplace environment – especially when the complaint concerns an immediate superior. The hotline should also enable employees to submit a report from the privacy of an off-site computer or telephone. It may seem like a small convenience, but giving employees the freedom to enter a complaint from a location that is safe can make a huge difference to participation rates.
  5. The hotline offers on-demand support from subject matter experts. Opening lines of communication can bring new issues to your compliance group. It is therefore important that once those reports are entered into the system, a person or function has the responsibility to follow up in a timely manner. One of the biggest mistakes you can make is to sit on a hotline complaint and let the employee reporting it fester. Additionally, with the short time frames set out in the Dodd-Frank Whistleblower timelines for resolution before an employee can go to the SEC to seek a bounty, the clock is literally ticking.
  6. The hotline provides inbuilt litigation support and avoidance tools. A company must make certain that its hotline is preconfigured to meet the legal requirements for document retention, attorney work product protection procedures, and attorney privilege. Developing these tools in-house can add significantly to your costs, and maintaining a hotline without one exposes your organization to unacceptable risk.
  7. The hotline supports direct communication. A hotline should open the lines of communication and give you a direct sight-line into the heart of your company. Look for a system that enables you to connect directly, privately, and anonymously with the person filing a complaint. Direct communication also signals to employees that their complaints are being heard at the highest levels.

Like other risk management issues, hotlines must also be managed effectively after implementation and roll-out. Here are some practical tips which will help you make your hotline an effective and useful tool.

Get the word out. If employees do not know about the hotline, they will not use it. Allocate a portion of your time and budget to promoting the corporate hotline through multiple channels. Put up posters and distribute cards that employees can keep in their wallets or desk drawers. Deliver in-person presentations where possible. And do not think of the promotional initiative as a one-time effort. It is important to remind employees regularly, through in-person communications, via e-mail, or through intranets, newsletters, and so on, that this resource is available to them. Some hotlines offer promotional materials to help make the job easier; make sure you ask what type of promotional support may be available.

Train all your employees. Getting employees to use the system is one half of the challenge; ensuring they use it properly is the other half. This is where training becomes essential. Make sure people understand what types of activities or observations are appropriate for reporting and which are not. HR and compliance staff will need training too, to help them understand how the hotline impacts their day-to-day activities. Company leaders also need to understand the role the hotline plays in the organizational culture, and the importance of their visible support for this compliance initiative.

Take a look at the data. Use the data derived from or through the hotline to identify unexpected trends or issues. For example, what percentage of employees use the hotline, and what issues are they submitting? A healthy hotline reporting system will yield reports from 0.5 to 2 percent of your employee base. If your reporting patterns are higher or lower, it may indicate mistrust of the hotline, misuse, or a widespread compliance issue. Isolate the data by location and department to identify micro-trends that could indicate problems within a subset of your corporate culture. Analyzing the data can help you stay a step ahead of emerging issues.

Response is critical to fairness in the system. Seeing a hotline system in action in this way can go a long way toward dispelling employee fears of being ostracized or experiencing retaliation because if they see that their concerns are heard clearly and addressed fairly, they will learn to view the hotline as a valuable conduit. If your compliance group responds promptly and appropriately to hotline complaints, you can ensure robust participation and ongoing success. Even when a complaint proves to be unfounded, it can still provide an opportunity to open a dialogue with employees and clear up any misunderstandings. Responding to reported issues also gives compliance officers a chance to prove that issues can be resolved or addressed while protecting the privacy and anonymity of the whistleblower.

As my stay in Venice draws to an end, I am reminded how much the western world has to thank the Republic of Venice for. From the forms of republican democracy that the US Founding Fathers drew from to helping to establish a world-wide trade and banking system which still reverberates today. But, if you look closer, ancient Venice had many good government techniques which also still inform the modern world. Straight from the lion’s mouth to your company’s compliance hotline is just one of them.

A most Happy Thanksgiving to all.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

November 26, 2013

Venice and Compliance: Doing It the Old Fashioned Way

One of the things that has fascinated me about Venice is how so little of the 21st century has impacted it. Take construction for example. All materials have to be brought to the city via boat, off-loaded and then lifted by hand or by a handmade machine to the upper stories of a building where the residences are located as no one lives on the ground floor. If the building is on the water, the ground floor is now underwater. If the building is not on the water, the ground floor is used for a commercial establishment. But unlike other large metropolitan areas, there is no room for cranes or other large mechanical lifting devices. I thought about this today when I saw workmen lifting up materials through a block and tackle pulley system which has been in use since antiquity. Not only were these guys doing it the old fashioned way, they were getting the job done.

As I watched this most basic level of construction, I thought about some of the things the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have said about what a compliance department should be doing. For instance, in last year’s Pfizer Deferred Prosecution Agreement (DPA), in the Enhanced Compliance Obligations, it said that Pfizer’s compliance department should, in part, “maintain “significant” resources for the compliance function. It shall have (b) An anti-corruption program department providing centralized assistance and guidance regarding the implementation, updating and revising of the FCPA Procedure, the establishment of systems to enhance compliance with the FCPA Procedure, and the administration of corporate-level training and annual anti-corruption certifications”. Further, in last year’s joint DOJ/SEC FCPA Guidance, under Hallmark Five of an Effective Compliance Program, it said that “In addition to the existence and scope of a company’s training program, a company should develop appropriate measures, depending on the size and sophistication of the particular company, to provide guidance and advice on complying with the company’s ethics and compliance program, including when such advice is needed urgently. Such measures will help ensure that the compliance program is understood and followed appropriately at all levels of the company.”

I often write about the nuts and bolts of an effective compliance program but one of the most basic things that an effective compliance program must have is a compliance department that is present for employees to ask the basic questions of compliance and receive an answer. I think to the DOJ and SEC this means a couple of things. First, and foremost, there must be the requisite number of resources dedicated to the compliance function. This means that a compliance department must be staffed with an appropriate number of compliance professionals to do the day-to-day basic work of compliance. Head count is always important in any corporation but there must be some minimum number of people in the compliance department to answer the phone or respond to email.

But equally important to this resource issue is what the Pfizer DPA calls “providing centralized assistance” and what the FCPA Guidance says is “to provide guidance and advice on complying with a company’s ethics and compliance program”. In other words, it is up to the corporation to have someone there to answer the phone but once they are in that seat in the compliance department, they have to actually pick up the phone and respond. It is the responsibility of a compliance practitioner to provide the guidance to company personnel who call or email in with questions. Following compliance policies and procedures is always important but to have a live person to answer questions or walk a non-compliance person through the process is a must.

In other words, if someone calls, not only does a compliance person have to be there, someone has to pick up the phone. How many times has a compliance department been called on a Friday afternoon to find that no one is there to answer the phone? But if someone is there, they have to actually pick up the phone and provide an answer. Mike Volkov has often inveighed against the compliance function being “The Land of No”; but the situation I am discussing is where a compliance department does not or will not provide the basic answers to a person working out in the field.

Sometimes the most basic and the most obvious is overlooked. Using an old block and tackle pulley to haul up building materials by hand may seem quaint and old fashioned, and perhaps it is, but it still gets the job done. The same concepts are a part of a best practices compliance program; someone must be around to answer the phone when it rings on Friday afternoon and that person who is around must pick up the phone and provide some answers to the question(s) posed.


November 25, 2013

Venice, the US Navy and Red Flags

Today’s post comes from Venice where I am spending a week. It is one of the most unique and beautiful cities on earth. It was a great maritime power for over 1000 years. At the height of its power, it was the richest city on earth, worth almost 10 times more than the entire country of France in 1300. Even today, it is still dominated by the sea in all aspects, from the transportation of its daily food stuffs, to the flooding which is a regular occurrence due to the fact the city is sinking into the Adriatic.

Venice’s maritime heritage sets the scene for today’s post which is about the ongoing corruption scandal in the US Navy. The scandal has led the Navy to take action against seven officers over a criminal investigation into ship supply contracts for the Navy in the Pacific. The supply contracts were all with a company named Glenn Defense Marine Asia. As reported by the New York Times (NYT), the allegations are that the company, led by a Malaysian named Leonard Glenn Francis, won over $200 MM in contracts “to provide fuel, food and other services to warships by submitting extremely low bids.” The company then used bribery and corruption of Navy officers to help inflate the company’s billing and to “cover his tracks.” Apparently complaints were raised by Navy contracting officials as early as 2009 about the company, yet it was awarded three new contracts in June 2011, giving Glenn Defense Marine Asia “control over supplies and dockside services for its [the US Navy’s] fleet across the Pacific.”

For the compliance professional, this scandal involving the US Navy offers some clear and unfortunately stark lessons learned regarding the warning signs of corruption, i.e. Red Flags.

Background Investigation

For any Foreign Corrupt Practices Act (FCPA) compliance program, a mandatory staple is to know with whom you are doing business. This is referred to as due diligence. A variety of sources are reviewed during the due diligence process, including background checks on third parties who do business with a company through the sales chain and supply chain. It turns out that Mr. Francis had spent time in jail on handgun charges. More significantly, the Navy encountered problems with Glenn Defense Marine Asia in its initial contracts with the company.

Rates and Pricing

Most compliance practitioners review contract rates to make sure that the rates do not create such a large amount of money as to facilitate the payment of bribes or create the incentive to pay bribes to win contracts. However, contract pricing and rates can be a significant indicator that something may not be quite right with a third party. In the case of Glenn Defense Marine Asia, it was its low-ball bidding which should have raised a red flag. In the bidding for the 2011 Pacific-wide supply contract, another company, DaeKee Global Company, bid $67.9MM, while Glenn Defense Marine Asia bid only $21.6MM. Another NYT article quoted Robert Burton, a former acting administrator for the Office of Federal Procurement who said, “That type of huge price discrepancy is certainly a red flag.” He was further quoted to say, “Contracting officers should have raised questions.” Glenn Defense Marine Asia’s business plan was then to overcharge the US Navy using inflated prices and submit billing for delivery of non-existent goods and services.

Lavish Gift-Giving

To take this next step, the company needed the active assistance of US Naval officers. Once Glenn Defense Marine Asia was able to secure the contract to supply the Pacific-wide stores, it went to work on the naval officers now caught up in the criminal investigation. In one email the company said that “We gotta get him hooked on something” when discussing how to corrupt one naval officer to help Glenn Defense Marine Asia get over-charges paid to make up for the low bid on the contract. The company used lavish gifts and entertainment to cultivate officers who could send additional work in the direction of the company and approve the payment of inflated billing or billing for non-existent work. The gifts ranged from tickets to concerts, first class travel across the globe and payments of up to $100,000 in cash.

While most companies have compliance programs in place to deal with lavish gift-giving and perform background due diligence on entities with which they do business, they do not often focus on pricing. This scandal involving Glenn Defense Marine Asia and the US Navy makes clear that if a potential third party representative uses an extraordinarily low rate to entice your company to do business with it, something may be amiss. As Burton pointed out in the NYT article, a huge price discrepancy is itself a red flag. If pricing is so low as not to make business sense, it means the price difference will be made up somewhere else. In the case of the US Navy it was through over-charging for goods and services and billing for non-existent goods and services. If the same happens with a foreign government or state owned enterprise subject to the FCPA, it could well be that your company would be in hot water for going with the lowest bidder to represent your company. This does not mean that your company cannot do business with the lowest bidder, but it does mean that if a bid is so low as to defy commercial expectations, there needs to be further analysis to determine why the bid is so low.

The Glenn Defense Marine Asia/US Navy scandal presents some tangible lessons for the anti-corruption compliance practitioner. Just as Venice grew wealthy through smart trading, it is incumbent to know who you are doing business with, watch out for red flags and manage your business relationships after the contract is signed.


November 22, 2013

The SEC Talks About Chief Compliance Officers

Recently, the SEC’s Division of Trading and Markets provided guidance on the potential liability of compliance and legal personnel at registered broker-dealers through a series of answers to eight Frequently Asked Questions (FAQs). Following the recent and controversial Urban case and public comments made by SEC Commissioners since then, there have been many questions in the industry about when a Chief Compliance Officer (“CCO”) becomes a “supervisor” for purposes of liability under Sections 15(b)(4) and 15(b)(6) of the Exchange Act. These Compliance FAQs aim to address some of those industry concerns. Although these FAQs deal with compliance officers at registered broker-dealers, I think they can provide some insight into how the SEC views a CCO in an anti-corruption compliance context. I cite the SEC’s FAQs in full, although the end notes have been removed.

Question 1.

Is a chief compliance officer or any other compliance or legal personnel a supervisor of broker-dealer business personnel solely by virtue of the compliance or legal position?

Answer: No. Compliance and legal personnel are not “supervisors” of business line personnel for purposes of Exchange Act Sections 15(b)(4) and 15(b)(6) solely because they occupy compliance or legal positions. Determining if a particular person is a supervisor depends on whether, under the facts and circumstances of a particular case, that person has the requisite degree of responsibility, ability or authority to affect the conduct of the employee whose behavior is at issue.

Question 2.

What does it mean to have the requisite degree of responsibility, ability or authority to affect the conduct of another employee?

Answer:

A person’s actual responsibilities and authority, rather than, for example, his or her “line” or “non-line” status, determine whether he or she is a “supervisor” for purposes of Exchange Act Sections 15(b)(4) and 15(b)(6). Among the questions to consider in this regard:

Has the person clearly been given, or otherwise assumed, supervisory authority or responsibility for particular business activities or situations?

Do the firm’s policies and procedures, or other documents, identify the person as responsible for supervising, or for overseeing, one or more business persons or activities?

Did the person have the power to affect another’s conduct? Did the person, for example, have the ability to hire, reward or punish that person?

Did the person otherwise have authority and responsibility such that he or she could have prevented the violation from continuing, even if he or she did not have the power to fire, demote or reduce the pay of the person in question?

Did the person know that he or she was responsible for the actions of another, and that he or she could have taken effective action to fulfill that responsibility?

Should the person nonetheless reasonably have known in light of all the facts and circumstances that he or she had the authority or responsibility within the administrative structure to exercise control to prevent the underlying violation?

Question 3.

Can compliance and legal personnel provide advice and counsel to business line personnel without being considered supervisors of the business line personnel for purposes of the Exchange Act?

Answer: Yes. Compliance and legal personnel play a critical role in efforts by broker-dealers to develop and implement an effective compliance system throughout their organizations, including by providing advice and counsel to business line personnel. Compliance and legal personnel do not become “supervisors” solely because they have provided advice or counsel concerning compliance or legal issues to business line personnel, or assisted in the remediation of an issue. If their responsibilities or authorities extend beyond compliance and legal functions such that they have the requisite degree of responsibility, ability or authority to affect the conduct of business line personnel, additional inquiry may be necessary to determine if they could be considered supervisors of the business line personnel.

Question 4.

Can a broker-dealer establish and implement a robust compliance program without its compliance and legal personnel being considered to be supervisors for purposes of the Exchange Act?

Answer: Yes. Broker-dealers have a duty to build effective compliance programs that are reasonably designed to ensure compliance with applicable laws and regulations. Among the things that firms should consider including in their programs are robust compliance monitoring systems, processes to escalate identified instances of noncompliance to business line personnel for remediation, and procedures that clearly designate responsibility to business line personnel for supervision of functions and persons.

Broker-dealers should consider clearly defining compliance and advisory duties and distinguishing those duties from business line duties in order for persons who perform only compliance and legal functions to avoid becoming supervisors of business line employees. Management at broker-dealers can greatly benefit from the participation and input of compliance and legal personnel.

Question 5.

Can compliance or legal personnel participate in a management or other committee without being considered supervisors of business activities or business personnel for purposes of the Exchange Act?

Answer: Yes. Compliance and legal personnel play a critical role in efforts by broker-dealers to develop and implement an effective compliance system throughout their organizations, including by participating in management and other committees. Compliance and legal personnel do not become “supervisors” solely because they participate in, provide advice to, or consult with a management or other committee. As explained above, the determination whether a particular person is a supervisor depends on whether, under the facts and circumstances of a particular case, that person has the requisite degree of responsibility, ability or authority to affect the conduct of the employee whose behavior is at issue.

Question 6.

Can compliance or legal personnel provide advice to, or consult with, senior management without being considered supervisors of business activities or business personnel for purposes of the Exchange Act?

Answer: Yes. Compliance and legal personnel play a critical role in efforts by broker-dealers to develop and implement an effective compliance system throughout their organizations, including by providing advice and counsel to senior management. Compliance and legal personnel do not become “supervisors” solely because they provide advice to, or consult with, senior management. In fact, compliance and legal personnel play a key role in providing advice and counsel to senior management, including keeping management informed about the state of compliance at the broker-dealer, major regulatory developments, and external events that may have an impact on the broker-dealer. In this regard, compliance and legal personnel should inform direct supervisors of business line employees about conduct that raises red flags and continue to follow up in situations where misconduct may have occurred to help ensure that a proper response to an issue is implemented by business line supervisors. Compliance and legal personnel may need to escalate situations to persons of higher authority if they determine that concerns have not been addressed.

Question 7.

What is the status of the initial decision in the Theodore W. Urban matter?

Answer: Under the Commission’s rules of practice, if a majority of the Commissioners do not agree on the merits (as was the case in Urban), the initial decision “shall be of no effect.”

Question 8.

What responsibilities does a person working in a compliance or legal capacity have if he or she is a supervisor for purposes of the Exchange Act?

Answer: Once a person has supervisory obligations, he or she must reasonably supervise with a view to preventing violations of the federal securities laws, the Commodity Exchange Act, the rules or regulations under those statutes, or the rules of the Municipal Securities Rulemaking Board. That person must reasonably discharge those obligations or know that others are taking appropriate action. It is not reasonable for a person with supervisory obligations to be a mere bystander to events that occurred, or to ignore wrongdoing or “red flags” or other suggestions of irregularity.

Exchange Act Section 15(b)(4)(E) provides an affirmative defense to potential liability for failure to supervise if a firm has established procedures and a system for applying those procedures that would reasonably be expected to prevent and detect, insofar as practicable, a violation, and the supervisor has reasonably discharged his or her duties pursuant to the procedures and system, without reasonable cause to believe that the procedures and system were not being complied with.

As noted in a Sidley Austin client alert, “the Compliance FAQs address the question of what a person working in a compliance or legal capacity should do if he or she is also a supervisor for purposes of the Exchange Act. According to the staff, once a person has supervisory obligations, he or she must “reasonably supervise with a view to preventing violations of the federal securities laws…. It is not reasonable for a person with supervisory obligations to be a mere bystander to events that occurred, or to ignore wrongdoing or ‘red flags.’” The existence of an effective compliance program is essential for protecting compliance and legal personnel from liability once they act in a supervisory capacity. As the Compliance FAQs point out, an affirmative defense to potential liability for failure to supervise exists, but only if the firm “has established procedures and a system for applying those procedures that would reasonably be expected to prevent and detect…a violation, and the supervisor has reasonably discharged his or her duties pursuant to the procedures and system.”

Compliance officers need to sit up and take notice of these FAQs.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

November 21, 2013

Edison, the Phonograph and Supply Chain Audits

Today we celebrate Thomas Edison. It is not his birthday but the 127th anniversary of Edison announcing his first recording invention, the phonograph. According to This Day in History “Edison stumbled on one of his great inventions–the phonograph– while working on a way to record telephone communication at his laboratory in Menlo Park, New Jersey. His work led him to experiment with a stylus on a tinfoil cylinder, which, to his surprise, played back the short song he had recorded, “MARY HAD A LITTLE LAMB”. Public demonstrations of the phonograph made the Yankee inventor world famous, and he was dubbed the “Wizard of Menlo Park.”” For any audiophile, the phonograph was one of the greatest inventions of all-time.

I thought about Edison and the evolution of his invention in the context of how the audit requirement has been viewed under the Foreign Corrupt Practices Act (FCPA). In my last corporate position, my company was at the cutting edge because we required compliance related audits for vendors in the supply chain. This was cutting edge in 2007-08. However, now an audit for adherence to FCPA compliance requirements has become a standard best practice in the management of business relationships with third party vendors which work with a company through the supply chain. In several settlements of enforcement actions through both Deferred Prosecution Agreements (DPA) and Non-Prosecution Agreements (NPA) and in last year’s FCPA Guidance, the Department of Justice (DOJ) made it clear that a best practices FCPA compliance program includes the right to conduct audits of the books and records of the agents, business partners and suppliers or contractors to ensure compliance with the foregoing. Many companies have yet to begin their audit process for FCPA compliance on vendors in their supply chain. I thought this might be a good time to review some of the items you should consider in this area.

I. Right to Audit

Initially it should be noted that a company must obtain the right to audit for FCPA compliance in its contract with any third party vendor in the supply chain. Such an audit right should be a part of a company’s standard terms and conditions. A sample clause could include language such as the following:

The vendor shall permit, upon the request of and at sole discretion of the Company, audits by independent auditors acceptable to Company, and agree that such auditors shall have full and unrestricted access to, and to conduct reviews of, all records related to the work performed for, or services or equipment provided to, Company, and to report any violation of any of the United States Foreign Corrupt Practices Act, UK Bribery Act or any other applicable laws and regulations, with respect to:

a. the effectiveness of existing compliance programs and codes of conduct;

b. the origin and legitimacy of any funds paid to Company;

c. its books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;

d. all disbursements made for or on behalf of Company; and

e. all funds received from Company in connection with work performed for, or services or equipment provided to, Company.

II. Structure of the Audit

 In the December 2010 issue of the Industrial Engineer Magazine, authors Aldowaisan and Ashkanai discussed the audit program utilized by the Kuwait National Petroleum Company (KNPC) for its supply chain vendors. Although the focus of these audits is not to review FCPA compliance, the referenced audits are designed to detect and report incidents of non-compliance, which would also be the goal of a FCPA compliance audit. Utilizing ISO 19011 as the basis to set the parameters of an audit, the authors define an audit as a “systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.” The authors list three factors, which they believe contribute to a successful audit: (1) an effective audit program which specifies all necessary activities for the audit; (2) having competent auditors in place; and (3) an organization that is committed to being audited. In a webinar hosted by Securities Docket, entitled “Follow the Money: Using Technology to Find Fraud or Defend Financial Investigations”, noted fraud examiner expert Tracy Coenen described the process as one to (1) capture the data; (2) analyze the data; and (3) report on the data.

There is no one specific list of transactions or other items which should be audited; however, audit best practices would suggest the following:

  •  Review of contracts with supply chain vendors to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party vendor.
  • Review FCPA compliance training program; both the substance of the program and attendance records.
  • Does the third party vendor have a hotline or any other reporting mechanism for allegations of compliance violations? If so, how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous, hotline or any other reporting mechanism.
  • Does the third party vendor have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review expense reports for employees in high risk positions or high risk countries.
  • Testing for gifts, travel and entertainment which were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party vendor’s compliance program. If the company has a designated compliance officer, to whom, and how, does that compliance officer report? How is the third party vendor’s compliance program designed to identify risks, and what has been the result of any risks so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party vendor.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

III. Conclusion

As noted, the above list is not exhaustive. For instance, there could be an audit focus on internal controls or segregation of duties (SODs). Any organization which audits a business partner in its supply chain should consult with legal, audit, financial and supply chain professionals to determine the full scope of the audit, and a thorough and complete work plan should be created based upon all these professional inputs. At the conclusion of an audit, an audit report should be issued. This audit report should detail incidents of non-compliance with the FCPA compliance program and recommendations for improvements. Any reported incidents of non-compliance should reference the basis of any incidents of non-compliance, such as contractual clauses, legal requirements or company policies.


November 20, 2013

Plato, Aristotle and Codes of Conduct

It was once observed that all western philosophy is but a mere footnote to the works of Plato. However others believe that his student Aristotle merits equal standing. I recently read a review of the new book by Arthur Herman “The Cave and the Light” in the Wall Street Journal (WSJ) by reviewer Roger Kimball. In his review, Kimball said that the book seeks to “explain the metabolism of history with a single master idea: the perpetual struggle or ‘creative tension’ between the ideas of Plato – which he says emphasize the idea at the expense of the actual – and those of Aristotle, whose philosophy remains rooted in experience and everyday life.”

I thought about this dichotomy when I recently came across the Words of Wisdom (WOWLW) blog, which is penned by the Capital Markets Group of the law firm of Latham & Watkins. As stated in the FCPA Guidance, “A company’s code of conduct is often the foundation upon which an effective compliance program is built.” As the Department of Justice (DOJ) has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf. The WOWLW blog took a different tack and reviewed the requirements of the Securities and Exchange Commission (SEC) regulations for a Code of Conduct.

Under SEC regulations, it is a requirement under Form 10-K, Reg S-K Item 406, that a company must disclose whether it has adopted a Code of Ethics that applies to the company’s principal executive officer, principal financial officer, principal accounting officer, controller or persons performing similar functions. If the company has not adopted such a Code of Ethics, it must explain why not in writing. As WOWLW noted, “Unsurprisingly, almost all public companies have adopted a code of ethics within the meaning of the SEC regulations.”

The article details the required content to be found in a Code of Conduct. It said that “Item 406(b) defines a ‘code of ethics’ to mean written standards reasonably designed to deter wrongdoing and promote:

  • honest and ethical conduct (including matters regarding “actual or apparent conflicts of interest between personal and professional relationships”);
  • full, fair, accurate, timely and understandable public disclosure;
  • compliance with applicable laws and regulations;
  • prompt internal reporting of violations; and
  • accountability for adherence to the code.”

This requirement also “specifically contemplates that companies may bifurcate their codes of ethics for this purpose:

  • a company “may have separate codes of ethics for different types of officers”; and
  • a code of ethics “may be a portion of a broader document that addresses additional topics or that applies to more persons” other than the officers required to be covered.”

The article noted that a compliant company is able to disclose its codes of conduct in one of three ways, which they stated are as follows:

  • file the code as an exhibit to the Form 10-K;
  • post the code on the company’s website (disclosing that fact and the web address in the Form 10-K);
  • or expressly undertake in the Form 10-K to provide a free copy upon request and explain how to make a request.

Moreover, businesses which have bifurcated their codes of ethics as described above are only required to “file, post or provide the portions of a broader document that constitutes a code of ethics” and made applicable to covered officers.

The SEC also requires certain disclosures of amendments and waivers to codes of conduct. Specifically, “Item 5.05 of Form 8-K requires companies to disclose within 4 business days any amendment or waiver of the Item 406 code of ethics, either:

  • via Form 8-K filing; or
  • on the company’s website, so long as the company previously stated in its most recently filed Form 10-K both the company’s intention to disclose any amendment on its website and the website address (in this scenario, the information must remain posted to the website for at least 12 months, and the company must retain the information for another 5 years).”

This requirement for disclosure does not reach to “technical, administrative or other non-substantive amendments. In addition, companies must disclose amendments to or waivers of their codes of ethics only if specifically required by Item 406(b) (i.e., as one of the five subjects listed above) and applicable to the covered officers” in the company.

Interestingly, if there is an implicit waiver of a company’s Code of Conduct, it must also be reported: A waiver regarding a Code of Conduct is required “as the approval by the company of a material departure from a provision of the code of ethics. This also includes “implicit waivers,” defined under Instruction 2(ii) of Item 5.05 as a failure to act within a reasonable time after an executive officer knows of a material departure from the code of ethics. Implicit waivers, as with express waivers and amendments, require disclosure only if related to the covered officers and the provisions specifically referenced in Item 406(b). Companies may also disclose implicit waivers via website if they satisfy the requirements described above. Of course, codes of ethics sometimes describe situations where board approval is specifically contemplated, and an approval process in accordance with the provisions of the code would not constitute a “departure” that would implicate a waiver.”

In addition to the SEC disclosure requirements, both NASDAQ and NYSE listing rules require listed companies to have a code of conduct whose scope is broader than the code of ethics for the purposes of SEC reporting.

Kimball’s review of The Cave and the Light points out the ongoing tension between Plato’s spirituality and Aristotle’s pragmatism. I think the dichotomy from the FCPA Guidance and the SEC regulations, as set out by WOWLW points to a more unified thesis. Kimball ends his piece by noting that Aristotle’s sentiments are around the future and not the past. But he adds that in Plato’s allegory of the caves he noted that those who leave the cave must return. The same may be said for the Code of Conduct which the Latham & Watkins Capital Markets Group has discussed.

November 19, 2013

KISS and Compliance – Keep It Simple, Sunshine

One of the things that commentators incessantly complain about when it comes to the enforcement of the Foreign Corrupt Practices Act (FCPA) by the Department of Justice (DOJ) is that there are still companies which violate the law. They are simply shocked, shocked to find that bribery and corruption are still going on after all these years. Some complain that the DOJ uses Deferred Prosecution Agreements (DPAs) to run up their enforcement statistics in a facile manner rather than going after bad guys for real jail time. Others believe that if the DOJ stopped enforcing the FCPA against companies and went after individuals, then people would sit up and finally take notice and begin to follow the now 36-year-old law. Another group says that it is really the fault of the DOJ for not telling companies how to do business ethically and in compliance with the law. A final group holds that it is simply human nature to engage in bribery and corruption; it always has been and always will be, and we should not be trying to legislate or criminalize human nature.

However I recently saw an article which suggested that there might be another reason: the complexity of compliance systems. In an article in the Financial Times (FT), entitled “The failures that lead to financial explosions”, John Kay looked to the discipline of engineering and the complexity of systems as a mechanism to review the failures of financial systems. His conclusion was that complexity will always lead to accidents. Put another way, Keep It Simple, Sunshine.

Kay began his story by reviewing the accident at Three Mile Island back in 1979. This accident was the worst nuclear plant failure in the US. The problem began with a “minor defect in the secondary cooling system” but several backup systems failed due to unrelated problems. This caused a hydrogen explosion which allowed radiation to leak, but the building itself, acting as a containment structure, prevented a catastrophic failure.

Charles Perrow studied the accident and its causes and opined that there will continue to be similar accidents which he termed “normal accidents” because of the complexity of the systems involved; both mechanical and human. Perrow said that “The fundamental problems lie in system design, not the components or the people who try to make these systems work. Two features render systems particularly prone to failure: interactive complexity, which means that everything depends on everything else; and tight coupling, which means that there is little slack to permit self-repair or recovery.”

In the context of a compliance program, it may mean that less is more. The lesson for the compliance practitioner is that the “attempt to design a system for zero failure is impractical. The crucial issues are those of system design. Shorter, simpler, linear chains of intermediation are needed, and loose coupling that gives every part of the system loss absorption capacity and resolution capability.”

Based on the foregoing I would say that it all begins with clear lines of authority and reporting at the top. This means that the Chief Compliance Officer (CCO) needs to get in front of the governance authority of the company. Mike Volkov and Donna Boehme both continually talk about the authority and independence of the CCO. But Perrow’s perspective would appear to suggest that equally important is the clear line of reporting by the CCO to the relevant Board of Director committee.

However, this clear linear chain traverses downward as well. Company employees need to know who to call when they have a question regarding compliance. This means clear lines of reporting up to the compliance function. This also means appropriate staffing for the compliance function. The Pfizer DPA specified that the company staff with sufficient resources and maintain an anti-corruption program office providing centralized assistance and guidance regarding the implementation, updating and revising of the FCPA Procedure, the establishment of systems to enhance compliance with the FCPA Procedure, and the administration of corporate-level training and annual anti-corruption certifications. While the FCPA Guidance focuses more on adequate staffing, I think what needs to be understood is the direct centralized assistance and guidance function of a company’s compliance group to company employees.

I believe that this concept of ‘less is more’ also goes to an overall compliance policy and attendant procedures. I have read some compliance policies and procedures that were clearly written by lawyers for lawyers. They have relevant citations and are heavily footnoted. But these have little to no use for the average employee who is trying to do the right thing by reading, understanding and trying to implement such a program. The FCPA Guidance spoke to that issue when it stated, “the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” This also means that it should be comprehensible by your employee base, across the globe. The FCPA Guidance stated on this point, “it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it.”

Kay ends his piece by stating, “The lesson for financial services is that the attempt to design a system for zero failure is impractical. The crucial issues are those of system design. Shorter, simpler, linear chains of intermediation are needed, and loose coupling that gives every part of the system loss absorption capacity and resolution capability. The direction of travel in the past two decades has been the opposite – the multiplication of interactive complexity through the explosion of trading between financial institutions, and ever tighter coupling as timescales are shortened and capital is used “more efficiently”. Finance needs to learn from engineers with experience of complex systems in the face of “normal accidents”.”

I think that the compliance world could also learn from Perrow’s research and Kay’s article. By making compliance programs more direct, with clearer and simpler lines of communication and authority, it could go a long way towards preventing violations of the FCPA. The same is true for the components of a compliance program designed to prevent or detect that well-worn ‘rogue employee’ who is determined to violate the law at all costs.

Of course, the simplest, most direct compliance program is the one stated by Greg Andres at the House Judiciary Committee in June 2011. He said if companies do not want to violate the FCPA, they can simply not engage in bribery. It doesn’t get much simpler than that.

——————————————————————————————————————————————————————-

Episode 24 of the FCPA Ethics and Compliance Report is now available. In this episode, I interview Maurice Gilbert, founder of Corporate Compliance Insights and President of Conselium on what goes into a compliance position posting and how you can prepare to be a candidate for such a job opening. You can check it out here.


November 18, 2013

Sammy Baugh in 1943: Do It the Right Way

2013 is the 70th anniversary of one of the greatest individual seasons in pro football. In 1943, Sammy Baugh, playing for the Washington professional football team, had what Sports Illustrated said was one of the greatest seasons a player has ever sustained. Playing at a time when football players played both ways and usually the entire game, Baugh had the following accomplishments, as detailed by Sports Illustrated:

  • He completed 55.6 percent of his passes, best in the NFL that year.
  • He threw 23 touchdown passes, second in the NFL—and third-highest all-time to that point.
  • As a defensive back, he had 11 interceptions, which broke another league record.
  • He averaged an NFL-leading 45.9 yards a punt, often flipping the field with a well-timed quick kick.
  • Five of his boots were longer than 70 yards.
  • He had arguably the greatest single-game performance in history: In a 42-20 win over the Detroit Lions on Nov. 14, Baugh fired four touchdown passes, intercepted four passes and got off an 81-yard punt, the longest of the year in the NFL.

Baugh won and he won doing things the right way. I thought about his accomplishments when I read a recent article, entitled “Decisiveness Is a Double-Edged Sword”, in the Corner Office section of the New York Times (NYT) by Adam Bryant in his interview of David Cote, the Chairman and Chief Executive Officer (CEO) of Honeywell International Inc. In the article Cote explained that “Your job as a leader is to be right at the end of the meeting, not at the beginning.” Cote explained that he had a “reputation for being decisive. Most people would say that being decisive is what you want in a business leader. But it’s possible for decisiveness to be a bad thing. Because if you’re decisive, you want to make decisions — give me what you’ve got, and I’ll make a decision. I’d say that the lower you are in an organization, you can get away with a lot of that and you’ll be applauded for it.”

I found Cote’s approach a good way to explain the role of top corporate leadership in a Foreign Corrupt Practices Act (FCPA) compliance program. When I meet with a new client I explain to the President or CEO what his or her role is in a compliance regime. It is to be a leader: not simply to set the right tone for doing business ethically and in compliance, but also to ‘walk the walk’ of compliance. In other words, continually reminding the troops to do business the right way.

Further, you have to turn your pride and emotions aside at times because “it’s important to be smart and to think about what’s important.” Cote said that one of the most important behaviors at Honeywell is that you have to get results “and you have to get them the right way.” I thought about the way that Cote phrased it, “and you have to get them the right way.” Cote wants his team to make their quarterly numbers but he wants it done the right way “with the right kind of processes” and those right kinds of processes are financial and compliance controls to help the company to do business the right way going forward.

I once worked for a company where a regional manager was alleged to have said the following: If I violate the Code of Conduct, I may or may not get caught. If I violate the Code of Conduct and get caught, I may or may not be disciplined. If I miss my numbers for two quarters, I will be fired. And guess what – that regional manager never missed his quarterly numbers. Further, he was promoted for his “great” work.

What type of message do you think that this un-named regional manager’s aphorism, his quarterly numbers and, most importantly, the company’s treatment of him going forward sent throughout the region? It was pretty clear that making your numbers is all that top management wanted communicated down through the organization. Conversely, I have heard a compliance professional from another company in the same sector say that it is the business unit’s leader’s responsibility to make the numbers within the structure of the company’s compliance regime. It is not up to the compliance function to figure out how the operations manager should do business but the other way around.

But, equally significant, is the difference in focus between Cote and this un-named regional manager. Cote has a long-term perspective in place and is thinking long term. He is considering something beyond weeks, months, the next quarter or even the next two quarters. What Cote said in the NYT piece is that one of the reasons he desires to have the right financial and compliance controls in place is so that “we can make the quarter three years from now and five years from now.” Our un-named regional manager has no such focus; he is only looking at the next sale in front of him because if he does not make his numbers he will be fired. I do not think there can be a stronger message from management than to make your numbers “the right way”.

Just as Slinging Sammy Baugh had a season for the ages some 70 years ago, your compliance program can achieve the goals of doing business the right way if you have a CEO like David Cote. He believes that it is important to get your decisions right and to do business the right way. That is a message that can be translated from senior management down to the middle and the bottom of a company. That is what a compliance practitioner can ask of his or her leaders.


November 15, 2013

The Texans Are 2-7: What is Missing from Your Compliance Program?

I usually do not write about the Houston Texans because (1) unlike the sad sack Astros, they are not often relevant enough to care about and (2) they usually are relatively well-run. They continue to be not relevant this year, coming into this week’s game with a sterling 2-7 record. However, they showed themselves not to be too well run this week when they summarily dismissed safety Ed Reed from the team, after he publicly said that the Texans were “out-coached and out-played” last week following the team’s seventh straight loss. As my friend and colleague Richard Lummis is fond of saying “No sh– Sherlock.”

For those of you who do not know Ed Reed, he is in his 12th season of playing in the National Football League. He is a two-time Super Bowl Champion, a nine-time Pro Bowler, a former NFL Defensive Player of the Year and a sure-fire first ballot Hall of Famer. In other words, he not only knows pro football but he is a winner. Reed played his first 11 seasons with the Baltimore Ravens and was signed as a Free Agent by the Texans to bring some professionalism and winning attitude to the club. He had surgery in the offseason which slowed him down to the point he no longer started but he still has the attitude and credentials of a winner. So what does it say about the Texans when a player of Reed’s stature speaks the truth and is summarily cut the next day? How many top notch free agents or top talent would want to play with an organization that punishes people who publicly complain about losing?

I thought about Reed and the Texans when I read a post from the noted site JDSupra entitled, “What’s the One Thing Missing From Your Corporate Compliance Program?” They put that question to various compliance attorneys writing on JD Supra, asking each to commit to just one essential element that, in their experience, they regularly see missing from corporate programs; i.e., programs that are required to address myriad regulatory issues to do with privacy and data security, insider trading, bribery and corruption, and other such matters across numerous jurisdictions. I found the replies quite interesting, with perhaps some insights which the Texans can use.

From Jeremy B. Zucker, Co-chair, International Trade and Government Regulation practice at Dechert LLP: “For a compliance program to be truly effective, personnel must take ownership of their behavior and take pride in being part of the team. To achieve this, a truly effective compliance program must demonstrate that a values-based approach is relevant to the daily conduct of business…”

From Charles F. Connolly, partner in Akin Gump’s white collar practice in Washington, D.C.: “…the key question enforcement authorities ask when evaluating a company’s compliance program is ‘does it work?’ The only way to answer that question proactively is to review – and test – the program on a regular basis.”

From Joe Bermudez, partner at Wilson Elser: “Crisis management policies, protocols and procedures are a necessary element for any company’s compliance program. Often overlooked because companies refuse or fail to consider the contingencies involved with catastrophic or tragic events, an effective crisis management plan may be the difference between a company surviving a crisis event and not…The issue is not when a crisis will strike, the issue is whether the company is prepared to survive the event.”

From Peter Menard, senior partner in the Corporate Practice Group at Sheppard Mullin: “Forms of policies, procedures and contract provisions are widely available on the Internet to ensure compliance with such diverse regulations as FCPA and other anti-bribery rules, prohibitions on insider trading, protection of confidential personal financial and health records, and import/export controls…Lawyers can draft the most comprehensive policy, but only management can take the policy out of the file cabinet and make it an integral part of the corporate culture…”

From Chester Hosch, partner in the Corporate and Tax Group at Burr Forman: “The one thing lacking in most corporate compliance programs is a culture of unshakable commitment to integrity and ethics. The commitment has to be embraced and encouraged notoriously, unambiguously and completely by senior management. The commitment will manifest itself in adequate funding, effective training and consistent monitoring. In the end, the compliance officer will have absolute confidence top management will remain true to the commitment, no matter the consequences.”

From Bettina Eckerle at Eckerle Law: “In my experience, often companies do not treat their compliance program as a living breathing organism that needs to be tested, reviewed, changed, brought up-to-date as market conditions, business practices and the regulatory environment evolve. One should never think one is ‘done’ with what is in place but rather incorporate compliance in the day-to-day ebb and flow of the business.”

From yours truly: Document Document Document

These observations bring to bear a different set of focuses which you should consider in the context of your compliance program. Take each point raised and ask yourself, do we have this concept or protocol in place? If you do, then ask yourself my mantra: Did you Document Document Document it so that if a regulator, from the US to China, comes knocking you will be able to demonstrate that you did have such a protocol or concept in place?

As to the Texans, I think the thing that they are missing is reality. They should ask themselves about now if they are dedicated to winning or something else. After losing seven straight games it is even obvious to my English wife that they are being out-coached and out-played. Fortunately she cannot be fired from her job for saying so.


November 14, 2013

Are DPAs Morally Suspect?

You know it is going to be a bad day when you are excoriated in public by a sitting federal district judge. It is even worse when the comments of that federal judge make it into one of the most prominent international business dailies around: the UK based Financial Times (FT). Both of these events occurred this week when US District Judge Jed Rakoff spoke to the New York City Bar Association with his thoughts on the use of Deferred Prosecution Agreements (DPAs) by the Department of Justice (DOJ) to resolve criminal matters involving corporations and his speech was reported by Kara Scannell for the FT in an article entitled “Judge says DOJ agreements are ‘morally suspect’”.

As usual Judge Rakoff pulled no punches when he declared that the DOJ’s “Use of deferred prosecution agreements to resolve criminal investigations without holding individuals accountable is technically and morally suspect.” This criticism was levelled as the “DOJ has signaled to leading banks that it will bring civil charges against them for allegedly mis-selling mortgage backed securities in the lead-up to the financial crisis.” Judge Rakoff noted that the DOJ has “not prosecuted any top Wall Street executive in relation to the financial crisis but has struck deals with companies using deferred prosecution agreement over sanction violations and money laundering without charging any individuals.” Judge Rakoff said that if prosecutors can prove a company violated laws “but do not charge individuals then its application is technically suspect.” He then went on to add that it is “morally suspect because a company is made up of sometimes hundreds of innocent employees.” But Judge Rakoff had further criticisms. He charged that DOJ prosecutors no longer have the “experience or resolve” to pursue individuals and that the current DOJ tactic of only going after individuals is “not the best way to proceed.” Pretty strong words, indeed.

This is not the first time that Judge Rakoff leveled charges at regulators for what he believed were practices “which fell short of legal standards.” Indeed, Judge Rakoff was particularly critical about the shift from the criminal prosecution of individuals to the use of DPAs to allow corporations to settle matters as he charged this change “has led to lax and dubious behaviour on the part of prosecutors.” There was much commentary when the Judge “challenged several Securities and Exchange Commission [SEC] deals that allowed companies and individuals to settle civil fraud charges while not admitting or denying wrongdoing.” These comments and court cases (apparently) led the SEC to change its policy and begin to “require admissions in certain cases that were in the public interest.” Scannell’s article concluded by noting that Judge Rakoff dismissed the DOJ claims that “it is hard to prove criminal wrong-doing in the packaging of mortgage-backed securities and that charging entities could have a negative effect on the national economy” as simply “excuses”.

The article on Judge Rakoff’s comments indicated that they were only concerning criminal prosecutions against Wall Street executives. But his comments eerily parallel some of the ongoing debate about the use of DPAs in the Foreign Corrupt Practices Act (FCPA) context. The FCPA Professor has consistently criticized both the use of DPAs and lack of individual prosecutions under the FCPA by the DOJ. He has also said that he believes that the DOJ have become “uncomfortable with traditional notions of corporate criminal liability”. Another commentator, David Uhlmann, has agreed with this notion by the FCPA Professor when stating, “This is about a profound ambivalence in parts of the Department about the very notion of corporate criminality.” Yet another commentator, Anthony Barkow, has said that “getting DPAs and NPAs is easy. It’s a lot easier than charging a company.”

Whether they were answering any of these criticisms or not, I think that the DOJ has certainly made clear that it will prosecute individuals who engage in FCPA violations. I agree with Mike Volkov that 2013 may well go down as “Year of the Individual Prosecution” in the FCPA context. Last spring saw prosecutions against individuals from BizJet, BSGR, Willbros and Alstom. This summer there were prosecutions against individuals in the Direct Access Partners (DAP) matter and only this fall there was a prosecution against an individual involved in the Maxwell Technology matter. Based on this, at least in the FCPA context, I would have to say that the DOJ has and will continue to prosecute individuals in the context of foreign bribery.

Additionally, in the area of other types of securities fraud cases, the DOJ has very recently shown that it will aggressively pursue companies for criminal sanctions. Recently SAC Capital pled guilty to criminal fraud charges for insider trading and criminal wire fraud. There was a hefty fine of $1.8bn for this conduct.

Interestingly, this week the SEC announced that it had entered into its first DPA. In an SEC Press Release, the agency announced that it had entered into a DPA “with a former hedge fund administrator who helped the agency take action against a hedge fund manager who stole investor assets.” This was due to the cooperation by the administrator, Scott Herckis, even though Herckis aided and abetted the hedge fund at which he worked with securities law violations. The DPA also specified that Herckis “comply with certain prohibitions and undertakings. Herckis cannot serve as a fund administrator or otherwise provide any services to any hedge fund for a period of five years, and he also cannot associate with any broker, dealer, investment adviser, or registered investment company.” He also had to “disgorge approximately $50,000 in fees he received for serving as the fund administrator.”

What does all of the above mean for the compliance practitioner? I think that when a federal judge says there should be more individual prosecutions in a certain area and his reasons echo noted commentators, it engages the debate. In the FCPA context, the debate centers around the use of DPAs and NPAs (Non-Prosecution Agreements) to settle matters with corporations. I am on record as favoring the continued use of such instruments by prosecutors to help raise compliance generally. Others feel that more individuals should be prosecuted. One thing I can say with certainty is that if you take a DPA/NPA for FCPA violations into Judge Rakoff’s court, you had better be ready to defend it, from both sides – the prosecution and the defense.
