The Great Pumpkin and the Alternative Universe

For Halloween last year, I wrote a blog post where I derided Linus and his forlorn quest to have his pumpkin patch named the most sincere by the Great Pumpkin. In response I received this rather terse message from my colleague Doug Cornelius:

Are you trying to say that the Great Pumpkin is not real? 

Just wait ’til next year, Tom Fox. You’ll see! 

Next year at this same time, I’ll find a pumpkin patch that is real sincere! And I’ll sit in that pumpkin patch until the Great Pumpkin appears. He’ll rise out of that pumpkin patch and he’ll fly through the air with his bag of toys. 

The Great Pumpkin will appear! And I’ll be waiting for him! 

I’ll be there! I’ll be sitting there in that pumpkin patch… and I’ll see the Great Pumpkin. Just wait and see, Tom Fox. I’ll see that Great Pumpkin. 

I’ll SEE the Great Pumpkin! 

Just you wait, Tom Fox. 

If Doug Cornelius, who is always right about the Patriots and most everything else, sends me such a scathing note, I thought he must also be right about the Great Pumpkin as well. So this year, I am in the same running with Linus to have the most sincere pumpkin patch and the picture you see in the corner is one that I have adopted as my own. It certainly looks sincere to me.

I thought about my new-found wisdom, appreciation of the Great Pumpkin and the sincerity of my pumpkin patch when I read a recent article in the New York Times (NYT) DealB%k column, entitled “In Turnabout, Former Top Regulators Assail Wall Street Watchdogs”, by Jesse Eisinger, where he reported on his visit to an “alternative universe” populated by former top Department of Justice (DOJ) and Securities and Exchange Commission (SEC) officials who have all now joined the private sector and are white collar defense lawyers. This alternative universe was facilitated through the Bruce Carton’s recenetly held 2014 Securities Enforcement Forum, where the ‘Director’s Panel had the following luminaries: “Robert Khuzami, President Obama’s first enforcement director who now plies his trade at Kirkland & Ellis; Linda Chatman Thomspen, who served as the George W. Bush-era S.E.C. and now works for Davis Polk & Wardell; William R. McLucas, the long-serving agency enforcement director who is now at WilmerHale; and George S. Canellos, who just left the Obama S.E.C. for Milbank Tweed. (The well-known Stanley S. Sporkin, who served the agency in the 1970s, rounded the panel out.)” All had served as Directors of the SEC. Current SEC enforcement director Andrew Ceresney chaired this “alternative universe” panel.

Why was this an “alternative universe”? These former regulators complained that the SEC is being too tough on their clients and indeed other regulators are being unfair to large banks! As reported by Eisinger, “The conference turned into a free-for-all of high-powered and influential white-collar defense lawyers hammering regulators on how unfair they have been to their clients, some of America’s largest financial companies.” I am also certain that they were SHOCKED, SHOCKED to find that gambling occurred in Rick’s Café American.

What were some of the criticisms from this “alternative universe”? First and foremost was aggressive SEC enforcement specifically focused on the ‘broken windows’ theory to corporate crime. The panel’s luminaries “argued that the commission has focused too much on smaller infractions”. Too bad the Layne Christensen Foreign Corrupt Practices Act (FCPA) SEC enforcement action had not come out before this conference; imagine how much fun the panel would have with a $4 reference as the amount of a bribe payment to show nefarious conduct. Nothing speaks to sincerity like strictly enforcing the law.

The next criticism was over the SEC moving towards “administrative proceedings to push its cases”. Eisinger said, “The critics liken it to getting a hometown judge instead of putting cases to the test of judges and juries.” But he went on to note that these same banks require customers and others go to arbitration to resolve disputes and the arbitrators on these panels are usually ex-financial sector employees. Oops. I guess what is good for the goose is not good for the gander or as Eisinger said, “When the government does it, they scream foul.” I would certainly point out to the Great Pumpkin that it is certainly sincere to argue that you should receive better treatment than your customers.

The next series of complaints was leveled by Brad S. Karp, the chairman of Paul, Weiss, which centered on the fact that the banks had to navigate many different types of regulators such as the SEC, DOJ, state attorneys general, the New York state financial regulator and others. Boy that sure seems unfair, I mean banks are like the most sincere pumpkin patches around, they want to do business in all those locations but they do not seem to want oversight in all the places they do business. I wonder what these same defense lawyers would same about domestic enforcement of the FCPA and other countries enforcement of their own domestic anti-bribery/anti-corruption laws? For a hint they might want to purchase a copy of my eBook GSK in China. I guess the message here is that there are lots of very sincere pumpkin patches across the world and the Great Pumpkin really has a hard time figuring out which one is the most sincere. Santa Claus has a comparatively much easier job with simple Nice and Naughty lists.

Interestingly Karp also expounded on some of the defense tactics that he uses when the government comes knocking. “First, he pushes to move the charges to a subsidiary. Second, he tries to lower the charge. Third, he said, he focuses “on the powerful individuals in an organization” meaning that lawyers need to put top management first as they prepare a defense.” Does that sound like the results of any FCPA enforcement actions you might have read about lately? Certainly nothing but sincerity in those defense tactics.

However, you cannot argue with the results achieved by this star-studded cast of former government prosecutors in defense of their clients. Eisinger stated, “These strategies have been employed to glittering success. The guilty pleas and admissions have been largely by subsidiaries or been rendered toothless. Entities have admitted to charges that were narrow or unspecific and did not open them up to further private litigation. And, of course, no powerful individuals at any of the large, fine-paying companies have been criminally charged.” Once again, does that sound like the results of any FCPA enforcement actions you might have read about lately? Certainly nothing but sincerity in those defense results.

And finally for all those who decry the ‘revolving door’ of government prosecutors going out into the private sector and being too soft in defense of their clients because, you know, they used to enforce the same laws; Eisinger ended his piece with a dismantling of that argument. He wrote, “Former top officials, whose portraits mount the walls, weigh in on matters of enforcement. Now working for the private sector, they assail regulatory “overreach”…And given what they say in public imagine what goes on behind closed doors.” As a lawyer, I can proudly attest to that kind of sincerity, you sincerely represent the one who pays your bills!

As I near the end of this Halloween piece I fear I have come to the realization that my adopted pumpkin patch may not be the most sincere in the US, let alone the planet. I also fear that once again this year Linus may not be awarded with the one piece of recognition he so earnestly desires as well. I think that the Great Pumpkin will most probably find that the recent 2014 Securities Enforcement Forum where “The conference turned into a free-for-all of high-powered and influential white-collar defense laws hammering the regulators on how unfair they have been to their clients” is certainly the most “sincere” Pumpkin Patch on the planet this year. If you are sitting outside tonight you might well see the Great Pumpkin himself in this “alternative universe”.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Compliance at the front lines in Ukraine-interview with Timur Khasanov-Batirov

Ed. Note- a couple of weeks ago, I had a guest post from Timur Khasanov-Batirov about some of the challenges in the doing of compliance in his native Ukraine. He certainly had an interesting and most welcome perspective. I asked Tim if he might tell us a bit more about his background and talk about some of the things a US or other western company needs to consider when opening a business enterprise in Ukraine or eastern Europe for the first time. This interview is his response. 

1. Where did you grow up and what is your university or college training in?

I grew up in Tashkent, a vibrant southern megalopolis of the former Soviet Union. The city is known for mixture of various cultures and traditions. Probably that is the reason why I feel myself comfortable working in different countries and corporate environments.

I was fortunate to get scholarships for my legal studies twice. Thanks to Muskie Program I got a chance to do LLM program in the University of Minnesota Law School. Our library being in 2003 time among Top 10 in the nation (hope it is still in the list) was a perfect source to frame personal attitude to corporate ethics. The memory of the Program and Land of 10 000 Lakes will be enshrined in my heart.

2. What jobs have you held after graduation from college?

My path is associated with embedding international standards into ‘fabrics’ of organizations I worked for. You must develop processes which improve efficiency and engage people in doing right things. I like to hear these words or to repeat them to myself. Sounds like music. Having such melody in my head (which hopefully is not too strange) I made my way with roles of in house counsel at US owned mobile operator, regional business trainer for CIPA Network, and legal advisor to various international corporations. I like to remember intensive period spent in capacity of attorney at Baker and McKenzie. Work for the Firm has polished an important technique for compliance person. I mean the skill to align legal requirements of different jurisdictions to produce a solid legal advice.

3. How did you get into the field of compliance?

Back to 2006 I got awesome assignment. As person responsible for Legal & Controls at international FMCG company in Kazakhstan I was asked to lead the project on obtaining ISO 9001 quality management standard. After one year of deliberations and resistance we came to finishing tape with almost 60 described business processes and allocated responsibilities among key managers. So the next step looked natural for me. It should be compliance which assembles risk management, law, and communications into single and powerful managerial tool.

In 2007 compliance philosophy was ‘terra incognita’ in the former Soviet Union. Almost everyone was convincing me that the concept would never survive in that region. Today it is obvious that compliance is extensively developing. I have no regrets about taken decision.

4. What are some of the biggest compliance challenges that you face in your current role?

As in house compliance person and participant of the regional professional community I enjoy the opportunity to monitor challenges from different angles. The good thing is that the idea of ethical conduct is becoming popular among business leaders, legal and audit professionals. You can feel tremendous difference in attitudes to compliance at the corporate boardroom in last 5 years.

There is some progress with setting adequate regulatory environments by the countries in the region. In the very same time local enforcement practices are expected to become more consistent with relevant laws.

There is a curious phenomenon worth mentioning. Issues which have been raised by local professional community these days include questions associated both with early stage of compliance development along with inquiries associated with advanced level like for instance questions on the best ways to protect whistleblower from retaliation in a long term period. Thus from my prospective the main challenge in the region is the necessity to manage compliance risks based on sophisticated Western framework in a business environment where compliance is a relatively new concept.

There is also challenge which I believe is on the agenda for our profession globally. It is about integrating compliance into corporate strategic planning. I am also sure that our mission is to change minds of the corporates. Here comes to mind the meme of the day by Matt Kelly which depicts Kermit saying ‘I saw the manager to fire you for calling the hotline. But that’s none of my business’.

5. What advice would you provide to an American or western European company doing business in Ukraine or eastern Europe for the first time regarding compliance?

I would highlight Top 6 practical actions:

Code of Ethics

To ensure that the Code of Ethics will work in the region please check if it is translated into local language(s). Just have in mind that English is a second language for your employees (in the best case). Local JV partners, distributors, and agents might not speak English at all. The reality shows importance of getting professional translation to avoid phrases ‘lost in translation’. It happens when the Code is written in heavy legal language or translation is not reflecting the real meaning of the text.

Based on my practice I would recommend investing some money in publishing hard copies of the Code rather than relying on the e-version only. At minimum hard copies of the Code should be distributed to C-level staff and key managers. It is vital to appoint a person (normally a Compliance officer) who could be approached by the employee for explanation of the Code’s provisions.

Regulatory Standards

The team should consist of experts who are aware of both FCPA/UKBA requirements and nuances of local regulatory developments. I suggest having folks who will be able not only to update you on new Ukrainian anticorruption laws or regional pitfalls like ban on facilitation payments but to independently manage such risks in the organization.

Assessment of the Program by Top Management

It might be disputable but I would advise using the US Sentencing Commission Guidelines Manual as a comprehensive tool for detailed self-assessment of the Regional Compliance initiatives. I also believe there are just 4 simple questions answers on which can precisely illustrate the situation with corporate ethics for the Top management:

• How we evaluate efficiency of the compliance activities?
• Does Compliance Officer have resources and adequate power to prevent unethical behavior?
• Are we sure that our internal investigations are effective and impartial?
• At what extent top management is engaged in compliance program?

 

Whistleblower line

It could be a sophisticated web-based system with global coverage in ideal case or just sole person which acts as a contact for personnel (looks provocative but still could be effective) to raise concern. The mechanism of tipping should exist in the form which your budget and corporate structure allows. Local experiences confirm that the effectiveness of the line will rise when personnel is duly communicated about actions taken as result of corporate investigations.

Consultants and Intermediaries

You may want to review contracts concluded in the region with consultants, distributors or corporate representatives. There are two reasons why it could be a good idea. Firstly, you will be able to check whether there are any FCPA risks if your representative interacts on your behalf with the local authorities. Secondly, what we see in this region is that contractual arrangements on ‘providing services’, ‘marketing activities’ and so on are often become veils for occupational fraud.

Conflicts of Interest

Conflict of interest or simply situation when decision of the employee might be impaired by his personal interest poses two risks. The first risk is of FCPA nature. The second type of risk is in the area of occupational fraud. Widespread practice at emerging markets includes getting expensive gifts from the counterparties or contracting affiliated entities. I would recommend launching the internal system on declaring conflicts of interest which could be done by utilizing for instance the corporate intranet platform.

 

Doing Compliance-The Book

I have consistently tried to bring a ‘Nuts and Bolts’ approach to my writing about compliance. Last year when describing some of my writing on the building blocks of a Foreign Corrupt Practices Act (FCPA) compliance program to my friend Mary Flood, she said “That’s great but what about actually doing compliance?” Fortunately for me, she did not ask how as there is no telling just how much hot water answering that question would have gotten me into! Her idea about writing a book which a compliance practitioner could use as a one-volume reference for the everyday work of anti-corruption compliance was the genesis of my most recent hardbound book, Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program. I am pleased to announce that the book is hot off the presses and now available for purchase through Compliance Week in the US and Ark Publishing in the UK.

Just as the world becomes more flat for business and commercial operations, it is also becoming so for anti-corruption and anti-bribery enforcement. Any company that does business internationally must be ready to deal with a business environment with these new realities. My book is designed to be a one-volume work which will give to you some of the basics of creating and maintaining an anti-corruption and anti-bribery compliance program which will meet any business climate you face across the globe. I have based my discussion of a best practices compliance program on what the Criminal Division of the US Department of Justice (DOJ) and Enforcement Division of the Securities and Exchange Commission (SEC) set out in their jointly produced “FCPA – A Resource Guide to the U.S. Foreign Corrupt Practices Act”, the FCPA Guidance, the ‘Ten Hallmarks of an Effective Compliance Program.” The FCPA Guidance wisely made clear that there is no ‘one-size-fits-all’ approach when it stated, “Individual companies may have different compliance needs depending on their size and the particular risks associated with their businesses, among other factors.” Thus, the book is written to provide insight into the aspects of compliance programs that DOJ and SEC assesses, recognizing that companies may consider a variety of factors when making their own determination of what is appropriate for their specific business needs.

This book does not discuss the underlying basis of the FCPA, the UK Bribery Act or any other anti-corruption or anti-bribery legislation. I have assumed the reader will have a modicum of knowledge of these laws. If not, there are several excellent works, which can provide that framework. The book is about doing business in compliance with these laws. As with all Americans, I appreciate any list that is deca-based, so the format of 10 hallmarks resonates with me. I have used this basic ten-part organization in laying out what I think you should consider in your anti-corruption and anti-bribery compliance program. In addition to presenting my own views in these areas, I also set out the views of both FCPA practitioners and commentators from other areas of business study and review. The book includes the following:

Chapter 1 – Where It All Begins: Commitment from Senior Management and a Clearly Articulated Policy against Corruption  It all begins at the Top, what should management say and do? ‘Tone at the Top’ is a great buzz word but how does a company truly get the message of compliance down through the ranks? This chapter discusses the techniques management can use to move the message of compliance down through middle management and into the lower ranks of the company.

Chapter 2 – Some Written Controls: Code of Conduct and Compliance Policies and Procedures  The Cornerstone of your anti–bribery/anti-corruption compliance program is set out in your written standards and internal controls which consist of a Code of Conduct, Compliance Policy and implementing Procedures. This chapter discusses what should be in the written basics of your compliance program and how best to implement these controls.

Chapter 3 – For the CCO: Oversight, Autonomy, and Resources The role and function of a Chief Compliance Officer (CCO) in any compliant organization cannot be overstated. Simply naming a CCO is no longer enough to meet even the minimum requirements of best practices. One of the key areas that the DOJ will review is how is a CCO allowed to fulfill his role. Does the position have adequate resources? Does it have autonomy and support in the corporate environment? Does the Board of Directors exercise appropriate oversight? This chapter reviews the Compliance Function, Oversight, Autonomy and Resources and relates structuring the compliance function in an organization.

Chapter 4 – The Cornerstone of Your Compliance Program: Risk Assessment It all begins here, as a risk assessment is the road map to managing your compliance risk. The implementation of an effective compliance program is more than simply following a set of accounting rules or providing effective training. Compliance issues can touch many areas of your business and you need to know not only what your highest risks are, but where to marshal your efforts in moving forward. A risk assessment is designed to provide a big picture of your overall compliance obligations and then identify areas of high risk so that you can prioritize your resources to tackle these high-risk areas first. This chapter discusses what risks you should assess, the process for doing so and using that information going forward.

Chapter 5 – Getting Out on the Road: Training and Continuing Advice Once you have designed and implemented your compliance program, the real work begins and you must provide training on the compliance program and continuing advice to your company thereafter. This means that another pillar of a strong compliance program is properly training company officers, employees, and third parties on relevant laws, regulations, corporate policies, and prohibited conduct. However merely conducting training usually is not enough. Enforcement officials want to be certain the messages in the training actually get through to employees. The expectations for effectiveness are measured by who a company trains, how the training is conducted, and how often training occurs. This chapter discusses getting the message of compliance out to your employees.

Chapter 6 – Do As I Do & As I Say: Incentives and Disciplinary Measures Any effective compliance program will use a variety of tools to help ensure that it is followed. This means that you must employ both the carrot of incentives and the stick of disciplinary measures to further compliance. How can you burn compliance into the DNA of your company? Discipline has long been recognized as an important aspect of a compliance regime but more is now required. This chapter relates structuring compliance into the fabric of your company through hiring, promotion of personnel committed to compliance and how to reward them for doing business ethically and in compliance with the FCPA.

Chapter 7 – Your Greatest Source of FCPA Exposure: Third Parties and How to Manage the Risk Third Parties are universally recognized as the highest risk in any compliance program. Indeed it is estimated that well over 90% of all FCPA enforcement actions involve third parties. Therefore it is important how to manage this highest risk for an anti-corruption program. This chapter provides a five-step process for the investigation and management of any third party relationship; from agents in the sales chain to vendors in the supply chain.

Chapter 8 – How Do I Love Thee: Confidential Reporting and Internal Investigations In any company, your best source about not only the effectiveness of your compliance program but any violations are your own employees. This means that you must design and implement a system of confidential reporting to get your employees to identify issues and then have an effective internal investigation of any issues brought to your attention. Your own employees can be your best source of information to prevent a compliance issue from becoming a FCPA violation. This chapter provides the best practices for setting up internal reporting and investigating claims of compliance violations.

Chapter 9 – How to Get Better: Improvement: Periodic Testing and Review Once you have everything up and running you still need to not only periodically oil but also update the machinery of compliance. You do this through the step of continuous improvement, which is the use of monitoring and auditing to review and enhance your compliance regime going forward. A company should focus on whether employees are staying with the compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are adhering to the compliance program.

Chapter 10 – Should I or Shouldn’t I? Mergers and Acquisitions The last thing you want to bring in through an acquisition is another company’s FCPA violation for which your company must pay the piper; also known as buying a FCPA violation. Effectively managing your mergers and acquisitions (M&A) process can help you to identify risk areas in a potential acquisition and then remediate any issues in the post-acquisition integration phase. This chapter gives you the most recent pronouncements on how to avoid FCPA exposure in this key area of corporate growth and to use the M&A function to proactively manage compliance.

Chapter 11 – A Few Words about Facilitation Payments One of the key differences between the US FCPA and UK Bribery Act is that the US law allows facilitation payments. However, in today’s interconnected world, to allow one part of your company to make facilitation payments while UK subsidiaries or others covered by the UK Bribery Act are exempted out from your standard on facilitation payments has become an administrative nightmare. This chapter explores what is a facilitation payment, how the policing of your internal policy has become more difficult and some companies which have been investigated regarding their facilitation payments. It also provides guidelines for you to follow should your company decide to allow them going forward.

So with thanks to Mary Flood for the idea, Matt Kelly, the Editor of Compliance Week for the publishing platform and Helen Roche & Laura Slater and the rest of the team at Ark Publishing for getting me through the publishing process in a professional manner, I am published to announce that Doing Compliance: How to Design, Create, and Implement an Effective Anti-Corruption Compliance Program is now available for purchase.

You can purchase a copy of Doing Compliance: How to Design, Create, and Implement an Effective Anti-Corruption Compliance Program in the US by clicking here. You can purchase a copy of Doing Compliance: How to Design, Create, and Implement an Effective Anti-Corruption Compliance Program in the UK by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com. © Thomas R. Fox, 2014

Bunkie Hunt and the Marketing of Compliance

Nelson Bunker ‘Bunkie’ Hunt died last week. In a state filled with oversized egos and personalities (i.e. ‘Texas-Rich’), Bunkie was one of the true giants. He was a son from the first marriage of the famous Texas oilman-legend H. L. Hunt. Well over 6 feet tall, he also neared 300 pounds in girth when that meant something and let’s just say, it wasn’t all muscle. Bunkie’s greatest notoriety came when he tried to personally corner the world’s silver market in 1980 when he bought up fully one-third of the world’s silver. He drove the price from the mid-teens to over $50 per ounce. However when it became known that he personally was buying up the silver, the market collapsed and the price dropped to less than $11 per ounce and Bunkie was nearly wiped out. That led to one of the greatest Texas-Rich lines of all-time, “A billion dollars ain’t what it used to be.” While I have no personal knowledge precisely on that point, I certainly believe that truism.

Bunkie’s attempt may have failed simply because he did not market correctly what he was trying to accomplish so today I wanted to use his audacious attempt to corner the entire world’s second most precious commodity to continue the discussion of how a compliance officer might work to internally market the compliance function throughout a company. I recently read an article by Raymond L. Panneton, in the Texas Lawyer. It was entitled “Be the Brand: 5 Tips for Marketing a Practice” and provided Panneton’s thoughts on how a lawyer or law firm “might properly distinguish yourself from your competition”. Bunkie’s response was simply to try and buy up all the world’s silver to establish his identity. Alas a Chief Compliance Officer (CCO) or compliance practitioner may not have quite the resources that Bunkie had before his forlorn effort. So I have adapted Panneton’s marketing prescriptions for the compliance practitioner. 

1. Identify a passion. Frankly, if compliance is just a job for you, you are probably in the wrong field. You can know all the building blocks of compliance but if you cannot influence your company, you have lost the battle for compliance. Moreover, employees know who is just biding time in the compliance function while on their way to bigger and better corporate positions and who really cares. Passion in infectious and the foundation of any successful compliance program is the enthusiasm that a compliance professional can bring to the job.
2. Send consistent messages. I think this means a couple of things in the compliance practitioner context. First, and foremost, the message of compliance must be consistent throughout an organization. That means up and down the chain of command. If the top says this is our message that is the message that has to go through the middle and into the bottom of an organization. I think this point also illustrates that the Fair Process Doctrine applies to your marketing as well. Both disciplines and incentives must be consistently meted and handed out evenly. If you fire salesmen in Brazil for cheating on expense accounts, you must also fire the same folks in the US if they engage in the same conduct. Equally with incentives, if someone in Western Europe does a great (compliance) job, you have to reward the folks in other geographic areas who engage in the same conduct.
3. Build a network. Panneton says, “Networking is a critical aspect of building a brand.” Not only can the same be said for the compliance function but it is actually mandatory for our profession. At the end of the day, the greatest strength of any compliance practitioner is the ability to influence. To do so, you must constantly network, network and network at all levels of your organization. If the first time you are meeting the head of Internal Audit, IT or (name the function) is when you need something you are much more than late. You may well likely not get the assistance that you need at that point in time. The same is true for the Regional Manager in East Asia. If the first time they are hearing your voice is the first time they are speaking with you, you are way behind the 8-Ball already.
4. Market the brand. Here Panneton states clearly, “Marketing should be a daily routine.” Amen, Brother. To paraphrase Alec Baldwin in Glengarry Glen Ross, ‘ABC – Always Be Compliant’. Get out there and spread the message. Get out of the corporate office; go to Africa, go to East Asia, go everywhere to spread the brand of compliance across your company’s regions. Marketing communicates to the troops that you care about them and you will listen to their concerns. Nothing speaks louder in a company than when someone from the home office comes out to the provinces to speak and listen to employees concerns. There is always an added benefit to such marketing, this being that people are much more likely to tell you something in person rather than pick up the phone. However, they are much more likely to pick up the phone and call you if they have met you sometime previously. The key is that you have marketed the brand and you have established a personal relationship in doing so.
5. Be creative. As a lawyer, I often say that you are only limited by your imagination. The same is true for a compliance practitioner. Panneton counsels that “When building and marketing a brand, think outside the box.” If your company allows internal use of social media (not applicable for companies stuck in the 1900s), have a great compliance website and use that internal social media platform to get the message of compliance out. Come up with an elevator speech about what compliance is and how it moves your company forward through both transparency and accountability. If you are a good writer, pen short pieces for your company newsletter or magazine. If you are a good speaker, talk at business subdivision annual events. In other words, get the word out. But the point is to think creatively. Talk to your IT department, talk to your marketing folks, talk to your communication group; in short talk to anyone within your organization you might give you some ideas about getting your message of compliance out. And never forget, the Department of Justice (DOJ) specifically mentioned 35 email reminders sent to convicted Foreign Corrupt Practices Act (FCPA) felon Garth Peterson by the Morgan Stanley compliance department as one of the reasons that the employer, Morgan Stanley received a Declination when Managing Director Peterson was prosecuted.

Panneton ends his piece by noting, “Branding is not something that is taught in law school, it is learned through trial and error.” The same is true in the compliance world, particularly for us recovering lawyers. However, I believe a little effort will go quite a long way. Perhaps you can outdo Bunkie and actually corner the world’s silver market all by your lonesome if you have a personal wealth of $16 billion and the right marketing message.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Critiquing FCPA Enforcement and the GSK Domestic Corruption Conviction

Recently the FCPA Professor posted a blog, entitled “Look in the Mirror Moments”, in which he used written commentary by the US Secretary of the Treasury to the Chinese government about the Chinese governments anti-trust investigations as a mechanism to explore critiques of Foreign Corrupt Practices Act (FCPA) enforcement. In this post, he compared certain aspects of FCPA enforcement to the Chinese corruption enforcement action against GlaxoSmithKline PLC (GSK). Leaving aside the differences in anti-trust enforcement (price-fixing, monopolistic behavior and illegal collusion) and anti-corruption enforcement (bribery), I wanted to review his critiques through the prism of the known facts of the GSK enforcement action.

The FCPA Professor had the following comments about FCPA enforcement, in comparison with the Chinese corruption enforcement action against GSK. He said,

“Without in any way trying to comprehensively compare the overall U.S. legal system to the overall Chinese legal system, the following attributes of FCPA enforcement must at least be acknowledged. 

The vast majority of corporate FCPA enforcement actions lack transparency and the resolution documents (whether a non-prosecution agreement, deferred prosecution agreement or civil administrative order) are the result of an opaque process ultimately controlled by the same office prosecuting or bringing the action. 

As to the swiftness of FCPA enforcement actions, one can only assume that the majority of general counsels and board of directors of companies under FCPA scrutiny would be jumping for joy if the scrutiny – from start to finish – would resolve itself in 15 months rather than the typical 3-5 years (and in some instances more) of FCPA scrutiny lingering.”

The difficulty I have with both of these points is that one cannot separate the Chinese enforcement action against GSK from the Chinese legal system that produced it. Let’s start with the ‘jumping for joy’ prong. The initial difference to note is that the Chinese enforcement action was a domestic prosecution based upon Chinese domestic law for bribery and corruption of Chinese. It was not a US (or UK) company violating US (or UK) laws. This means that the relevant documents and witness were in the locality where the investigation was performed. Even when a key witness, GSK China Country Manager Mark Reilly was in the UK, he voluntarily returned to China to give evidence but was prevented from leaving the country without being charged with a crime. So as far as is known, there were no government-to-government requests for information, no Letters Rogatory or use of any other international discovery mechanism to obtain evidence.

Moreover, the procedural protections in place under US (and UK) criminal procedure simply do not exist in China. There is no right to counsel, no right against self-incrimination, no right to confront witness and not even a right to know what the charges against you might be. These lack of rights were certainly borne out in the speed in which the Chinese investigative authorities were able to obtain evidence and public confessions from GSK principals involved in the bribery and corruption. The first 30-day timeline of the GSK investigation went as follows:

• June 28, 2013 – Local Police announced they have place GSK officials under investigation for economic crimes.
• July 11, 2013 – Public Security Ministry issued statement accusing GSK of bribery.
• July 15 , 2013 – Four senior company execs ‘detained’. Finance chief barred from leaving country.
• July 16, 2013 – GSK General Counsel (GC) placed under ‘house arrest’ along with 30 other employees. One of the four GSK China executives who were detained, admited to bribery allegations on Chinese state television.
• July 22, 2013 – GSK formally apologized for breaking Chinese law regarding domestic bribery and corruption.
• July 26, 2013 – Peter Humphrey, a UK citizen and his wife, a naturalized US citizen, both hired by GSK in an ancillary matter related to the GSK corruption scandal were arrested but not told of the charges against them.

A little over one year later, in July, 2014 the trial of Humphrey and his wife was announced. Orignially it was to be held in secret with both Humphrey and his wife still not told of the formal charges against them. However after diplomatic protests by both the US and UK governments, Humphrey and his wife were both convicted and sentenced in an open trial, albeit lasting only one day, on August 8, 2014. The charges against them were announced at trial. Thereafter, GSK pled guilty in a secret one-day trial GSK was fined approximately $491MM and China Country Manager Mark Reilly and four other GSK China business unit executives were found gulity. They were all sentenced to jail but given suspended sentences.

How did the Chinese government develop its evidence so quickly? One of the defendant’s, admitted, on state run televison, his involvement in the bribery scheme only 18 days after the investigation was announced by Chinese authorities. Indeed, GSK itself made a public apology only 24 days after the announcement by the Chinese authorities it was under investigation. We now know that GSK was informed by a whistleblower of allegations of bribery and corruption as early as January 2013 yet in June GSK announced it had not found anything to substantiate these allegations.

I believe the answer is found in the differences in the Chinese and US legal systems. It all starts with the following: in China you are presumed guilty while in the US (and the UK), you are presumed innocent until proven guilty. In an article in the New York Times (NYT), entitled “Presumed Guilty in China’s War on Corruption”, Andrew Jacobs and Chris Buckley wrote that the “war on corruption often operates beyond the law in a secret realm of party-run agencies”. The process “Known as Shuanggui, it is a secretive, extralegal process that leaves detainees cutoff from lawyers, associates and relatives.” Moreover, even as a case moves through the Chinese criminal justice system, defendants’ counsel “have limited access to evidence, witnesses, and their clients.” It does not get any better when a defendant actually goes to court because “Lawyers say Chinese courts rarely allow them to call defense witnesses, while prosecutors frequently withhold cruical evidence.” Finally, of the 8,110 officials charged with corruption “in the first half of this year, 99.8 percent were convicted”. To this rather amazing trial court conviction rate, I would add the the prosecution does even better on appeal, never losing to a convicted defendant.

Does that sound like a system in which you would jump for joy if you were caught up in, even knowing that the time from announcment of investigation until 99.8% chance of conviction awaited you? Even if the government investigation only took 14 months? In the US, corporations have the same rights as individuals at trial; to cross-examine witness, to be made aware of the charges against it, those charges must be brought with specficity, right to counsel, right to an open trial and right to appeal. These rights are all enshrined in the US Constitution. Those rights are not present for individuals or corporations under Chinese law or jurisprudence.

But the FCPA Professor also critiqued the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) in FCPA enforcements with the following observation: The vast majority of corporate FCPA enforcement actions lack transparency and the resolution documents (whether a non-prosecution agreement, deferred prosecution agreement or civil administrative order) are the result of an opaque process ultimately controlled by the same office prosecuting or bringing the action.When a company enters into negotiation with the DOJ and SEC it is with legal counsel in tow. Even if we in the general public are not privy to these negotiations over the terms and conditions of enforcement actions I am confident that there is some give and take. Further, while I only have personal knowledge of one negotiation for the specific terms of a Deferred Prosecution Agreement (DPA), the lawyer representing the company made clear it was a negotiation. It was not a Diktat with sentencing simply pronounced by the DOJ. Does the office which handles the investigation also handle the settlement negotiation? Yes but that is what prosecutors do each and every day in every city, county, town, hamlet, state and federal jurisdiction in this country.

Just as it takes two to tango, it takes two to negotiate. The DOJ does not negotiate with itself. Another party is sitting across the table and that other party is the company involved in the FCPA investigation. Why is that company there in the room negotiating? Because the company has assessed its interest and determined that it would be better off settling than going to trial. This is in the face of DOJ failures in the trial court in the Gun Sting cases, the O’Shea trial and the trial court overturning the verdict in the Lindsey Manufacturing conviction. Simply because there is a negotiation between the DOJ and a private party does not make it some nefarious process, even if the prosecutors hold the upper hand.

As far as the fines and penalites, there has been nothing to suggest the basis of the $491MM fine assessed against GSK. That amount is a bit less than the amounts initially reported that GSK China paid out as bribes, somewhere over $500MM. At least in the US, there are the Sentence Guidelines which form some basis of the calculation. Of course there is always some prosecutorial discretion to lessen a fine or penalty below the suggested amount. We have seen that occur this year with the HP enforcement action and recently Asst. Attorney General Leslie Caldwell suggested that Alcoa could have been fined over $1bn for its conduct, while the actual fine was $384MM. It is appropriate for prosecutors to have such discretion.

While the DOJ is also critiqued that DPAs (and Non-Prosecution Agreement [NPAs]) are essentially the same as going to trial with a near 100% success rate, I think this belies the number of declinations that the DOJs gives out. Unfortunately (and here the FCPA Professor and I do agree); there is not enough information given out about declinations; either regarding the raw numbers or the specific reasons for a declination. Only if a company agrees or is required to make such information public does it become known. Nevertheless, there is the recent example of Layne Christensen, which received a declination. In an article in Compliance Week, entitled “How Two Companies Got Regulators to Drop FCPA Charges”, Jaclyn Jaeger reported on the reasons the company sustained this result of receiving a declination through interviews with Christensen GC, Steve Crooke, its Chief Compliance Officer (CCO), Jennafer Watson and its outside counsel Russ Berland. Jaeger detailed the specific steps the company took and we can all see the effect it had upon the DOJ, through the declination to prosecute the company.

The debate about the costs of FCPA enforcement actions, the proper role of DPAs/NPAs and length of time of investigations is a healthy one and living in the open society that we have in the US, one that we will continue to have. Since I am not a prosecutor (or ex-prosecutor), I cannot look in the mirror at FCPA enforcement but I can review the facts of the DOJ and SEC’s FCPA enforcement, contrasted with the Chinese domestic bribery and corruption proseuction of GSK and believe that there is no basis for comparing the two systems, as they are so different in too many fundamental aspects.

I can however say one thing with absolute certainly; wherever you do want to be, a Chinese jail is not high on the list.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Hammer Films’ Frankenstein and the Monster of Corruption in Brazil

Today we celebrate the initial two Hammer Films Frankenstein entries into the horror pantheon. These classic films, from the 1950s, were the The Curse of Frankenstein and The Revenge of Frankenstein. In both films Peter Cushing played the monster’s creator, Dr. Frankenstein. In the first film Christopher Lee played the monster and Michael Gwynn was cast in the role for the second movie, but he was in a purely human form, not the disfigured creature that Lee played. In both films, Cushing played the Baron as inherently evil, dismembering medical patients and even murdering people to obtain body parts for his experiments. The Baron did not have the internal conflict that E.E. Clive brought to the role in the Universal classics Frankenstein and Bride of Frankenstein. Further, neither Lee nor Gwynn brought the pathos to the role of the monster that Boris Karloff was able to imbue into the character. Notwithstanding these criticisms, I hardily recommend both films for your October FrightFest viewing pleasure.

I thought about the nefariousness that Cushing brought to the role of Dr. Frankenstein when I read a recent article about the ongoing bribery and corruption scandal in Brazil and how it may affect the country’s Presidential election. These issues were explored in a piece in the New York Times (NYT), entitled “Scandal Over Brazilian Oil Company Adds Turmoil to the Presidential Race”, by Simon Romero. In the article, Romero details the bribery scandal involving a former official of Petrobras, the Brazilian national oil company, named Paulo Roberto Costa. Mr. Costa was the person who oversaw the company’s refining operations. He has admitted to having engaged in the receipt of bribes for at least a 10 year period “equivalent to 3 percent of the value of the deals from the Brazilian construction companies that obtained the contracts” to build refineries. This amounted to literally millions being “stashed in bank accounts in Switzerland and the Cayman Islands.”

Costa who “was first arrested in March as part of a money laundering investigation by the federal police, has already agreed to surrender the $25 million fortune he hid in offshore accounts, his yacht and his luxury car, in addition to paying a fine of more than $2 million.” He “inflated budgets for new projects” by 3% and then had that amount kicked back to him as bribes. Costa’s allegations were “corroborated Mr. Costa’s claims through an associate, Alberto Youssef, a black-market money dealer who testified that he helped launder funds in the scheme. Mr. Youssef, who has also accepted a plea deal, testified that more than a dozen of Brazil’s largest construction companies had paid hefty bribes to obtain lucrative Petrobras contracts.”

The political angle comes from the following allegation by Costa, “He testified that a portion of the money was then handed to João Vaccari Neto, the treasurer of the Workers Party. Mr. Costa said that other top political allies of President Rousseff, including the leaders of both houses of Congress, Henrique Eduardo Alves and Renan Calheiros, also benefited from the kickbacks, according to a report by Veja, a Brazilian magazine.” Interestingly President Rousseff “has also effectively acknowledged the prevalence of corruption inside the executive suites of Petrobras, while denying that she had known about the kickbacks when they were taking place.” She was quoted for the following, ““If anything happened, and everything indicates that it did, I can guarantee that all of the bleeding that eventually may have existed has been stanched,” Ms. Rousseff told the newspaper O Estado de S. Paulo in an interview.” She also went in the other direction, as “She has railed against the public disclosures of his testimony, calling them the equivalent of a “coup” aimed at thwarting her re-election bid. The judge in the case, Sergio Moro, has responded by saying that the law requires that evidence in the case be made public.”

The scandal has the potential to be devastating to the country. Romero said, “If their testimony is proven true, the oil scandal would dwarf previous corruption cases in Brazil, including a vote-buying scheme that resulted in the imprisonment of senior figures from the Workers Party in 2013. Their convictions and punishment were viewed as a precedent-setting shift in a political culture in which impunity has long prevailed.” Moreover, “the scandal has hurt the campaign of Ms. Rousseff, who has overseen Petrobras for more than a decade. As a cabinet minister and protégé of Brazil’s former president Luiz Inácio Lula da Silva, she was chairwoman of the board at Petrobras during the period when Mr. Costa said he assembled the bribery scheme within the company. She no longer sits on the board at Petrobras, but chooses its top executives.”

There are several lessons learned for the compliance practitioner. The first is the mechanism for funding the bribery scheme via overcharging. This requires vigilance and oversight from the corporate office by persons who understand the bidding process and the costs involved in any project. Another internal control should relate to the ability to pay rebates for overcharges. Yet another consideration demonstrated is that sometimes your customer can get you into corruption hot water under such laws as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. Now that the scandal has become so public, companies doing business with Petrobras are on notice of potential issues. Not only should they consider them when doing business with Petrobras but also companies need to review and possibly revisit their internal controls over these issues.

Unfortunately, the corruption issue may prove more endemic for Brazil and Petrobras. Near the end of his piece Romero quotes Sérgio Lazzarini, an economist at Insper, a São Paulo business school, who has written widely on Brazil’s state capitalism. Lazzarini noted, “It’s Corruption 101: You get control of a state enterprise and then channel resources from it to the parties in your coalition,” and “The situation is endemic, unlikely to change regardless of which president is in power.” Like the evil of Dr. Frankenstein in the Hammer Films, that may be the most lasting commentary on the scandal.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Five Quick and Easy Ways To Sabotage Your Compliance Training

Ed. Note-today we have a guest post from noted ethics and compliance expert, as well as steel guitar player, Chris Bauer.

Okay, you know that you need to have effective compliance training but do you really know what will actually make it effective? The reality is that far too many compliance training program fail on multiple counts. With compliance as critical as it is, that is unacceptable. Thankfully, there are a few areas which, if attended to well, can correct many of the most-frequently seen problems with the development and execution of these programs.

Here are five of the areas I see getting missed time after time in compliance training programs.

Do you actually have a solid, working definition of what compliance is? I see ethics, compliance, and accountability as being ‘cross-defined’ all the time. Do they inter-relate? Absolutely and it’s even a great idea to inter-relate them in your training. However, until you are clear about what you mean by all three of those terms, your training will leave employees confused and confusion is never good for compliance training…

To Do – Find or create definitions for all three of these terms that are clear, concise and, above all, practical. The moment these terms become hazy or academic you have already lost too many of your employees’ ability to build your ideas into their minute-to-minute, day-to-day practices. Also, be sure to use language that fits the culture of your organization. Just because something sounds good in another organization – or another part of your organization – doesn’t mean that it will work for anyone, let alone everyone, in every corner of your company. This is one of the many reasons that ‘one size fits all’ training is rarely effective. Different parts of your organization are likely to need things said and demonstrated in different ways. You have the choice; you can whine about the inconvenience of that or go about creating a great compliance training program.

Is your training practical? An awful lot of compliance training is little more than a coma-inducing parade of Powerpoint slides with the rules, regulations, and, perhaps, a few key updates. Is that information critical? Perhaps so. However, for starters be sure that the information really is critical before overwhelming employees with so much information that they can’t actually retain it.

To Do – Always build in opportunities for employees to ask how your training really applies to what they do on the job. If they can’t fully see the behaviors in which they are and are not to engage – or if they don’t believe those behaviors are possible in their circumstances – your training has missed the mark. Also, remember that employees are unlikely to tell you spontaneously that they don’t think they can do what you’re asking of them. Be active in seeking out feedback on not only their level of understanding of the material but, as importantly, their confidence that they can do what you’re asking of them. If they don’t think they can do it, it is your job to help them figure out how to deal with any roadblocks – real or perceived – they might see.

Are you simply transferring information or are you providing employees with solid ideas and tools to put the rules and regulations into practice? If you want a culture where compliance is topmost in your employees’ minds, they had better be able to first mentally retain and then apply the mandated rules and regulations. If you aren’t helping them apply what you’re telling them, it will have been an entirely academic exercise.

To Do – Here again, everything you train on needs to have clear, ‘do-able’ behaviors attached. Employees have to know exactly what they need to be doing to bring your compliance program to life. It’s not enough for you to believe that they ought to be able to figure it out; they really need to know and they need to hear it from you. (Mind you, they may also have ideas you haven’t thought of yet. Great! Just don’t pretend it isn’t your job to help them figure it out.)

Are you creating information overload? True, there’s a lot out there that your employees will need to know about compliance. However, are you giving so much in each sitting that it simply can’t be retained? Again, if they can’t retain the information – or, at least, find it easily – they certainly can’t put it into practice. Consider providing training in smaller, on-going chunks. Less time-efficient? Maybe. However, that will more than pay off in having your employees actually recall and apply what they’ve been trained on.

To Do – Remember that smaller chunks of information ‘stick’ better. Further, information that clearly has practical applications does the same. Work to avoid simply smothering employees with regulatory and oversight information. Make it real for them by providing it in digestible, easily recalled, practical chunks. Here again, whine if you like about this being inconvenient but the facts remain; you need to attend to this if you really want your compliance training to be effective.

Are you making compliance a tool for your employees’ personal success? I see a lot of organizations doing a fine job of conveying to employees how their bottom line can be wildly, adversely affected by compliance problems. However, they fail to show employees how compliance is important to them personally. Sure, we all want our employees to put our organization first but, really, is that realistic? If your goal is to motivate employees to attend to compliance – and that had better be one of your goals – you’ll get far more bang for your buck if you can help them see how their lives and careers will be easier/better if they keep their mind on compliance.

To Do – Without your employees, your organization would quite literally be nothing. They are already contributing all day, every day, to the success of your organization. Make compliance training – along with every other training your provide – a tool that they can use for their personal success as well. Maybe that success has to do with advancement, maybe it has to do with some kind of incentive. At the rock bottom, it has to do with them keeping their job. The point is that there will always be ways you can think of to help them see that a focus on compliance is as much for their personal benefit as the company’s. Do your homework and figure out what those motivations are for your employees. It will not only make your training a whole lot more effective, it’s a nice thing to help your employees be successful, yes?

It is all-too-easy to overlook all five of the above requirements for effective compliance training. In fact, by ignoring them, it will be far easier for you to create your training program; just throw a bunch of regulatory requirements onto a Powerpoint presentation or webinar and slam through it for as long as it takes. You will, in fact, be telling your employees what they are required to hear. If, however, your goal is to not sabotage your training and actually get employees to take action and create a culture where compliance is top-of-mind, ignore any of the above five concerns at your own risk.

Christopher Bauer is an expert on creating cultures of ethics, compliance, and accountability. Information on his programs as well as his Trust Foundry blog can be found at www.ChristopherBauer.com. Information specific to his programs on professional ethics can be found at www.BauerEthicsSeminars.com. In addition to speaking, training, and consulting on creating cultures ethics, compliance, and accountability, he publishes a Weekly Ethics Thought seen by thousands or readers worldwide. Free subscriptions are available by visiting either of his websites.

Right to Retire Or Termination: Remediation of Leadership To Foster Compliance

Many historians have long given 476 AD as the date of the fall of the Roman Empire. Further, it was from this date forward that Europe began its long slide into the abyss, which came to be known as the Dark Age. However, this view was challenged in 1971 by Peter Brown, with the publication of his seminal work “The World of Late Antiquity”. One of the precepts of Brown’s work was to reinterpret the 3rd to 8^th centuries not as simply a decline of the greatness that had been achieved in the heydays of the Roman Empire, but more on their own terms. It was in the year of 476 AD that the last Roman Emperor, Romulus Augustulus, left the capital of Rome in disgrace. However as Brown noted, he was not murdered or even thrown out but allowed to retire to his country estates, sent there by the conquers of the western half of the Roman Empire, the Goths. Not much conquering going on if a ruler is allowed to ‘retire’, it was certainly a replacement but not quite the picture of marauding barbarians at the gate.

I thought about this anomaly of retirement by a leader in the context where a company or other entity might be going through investigations for corruption and non-compliance with such laws as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. Yesterday I wrote about three recent articles and what they showed about a company’s oversight of its foreign subsidiaries. Today I want to use these same articles to explore what a company’s response and even responsibility should be to remediate leadership under which the corruption occurs. The first was an article in the New York Times (NYT), entitled, “Another Scandal Hits Citigroup’s Moneymaking Mexican Division” by Michael Corkery and Jessica Silver-Greenberg. Their article spoke about the continuing travails of Citigroup’s Mexican subsidiary Banamex. Back in February, the company reported “a $400 million fraud involving the politically connected, but financially troubled, oil services firm Oceanografía.”

This has led Citigroup to ever so delicately try to oust the leader of its Mexico operations, Mr. Medina-Mora, by encouraging him to retire. While Citigroup did terminate 12 individuals around the Oceanografía scandal earlier in the year, it has not changed the employment status of the head of the Mexico business unit. This may be changing as the article said, “In a delicate dance, Citigroup is encouraging its Mexico chairman, Manuel Medina-Mora, 64, to retire, according to four people briefed on the matter. The bank has been quietly laying the groundwork for his departure, which could come by early next year, the people said. Still, Mr. Medina-Mora’s business acumen and connections to the country’s ruling elite have made him critical to the bank’s success in Mexico. Citigroup and its chairman, Michael E. O’Neill, cannot afford to alienate Mr. Medina-Mora and risk jeopardizing those relationships, these people said.”

Should Mr. Medina-Mora be allowed to retire? Should he even be required to retire? What about the ‘mints money’ aspect of the Mexican operations for Citigroup? Was any of that money minted through violations of the FCPA or other laws? What will the Department of Justice (DOJ) think of Citigroup’s response or perhaps even its attitude towards this very profitable business unit and Citigroup’s oversight, lax or other?

Does a company have to terminate employees who engage in corruption? Or can it allow senior executives to gracefully retire into the night with full pension and other golden parachute benefits intact? What if a company official “purposely manipulated appointment data, covered up problems, retaliated against whistle-blowers or who was involved in malfeasance that harmed veterans must be fired, rather than allowed to slip out the back door with a pension.” Or engaged in the following conduct, “had steered business toward her lover and to a favored contractor, then tried to “assassinate” the character of a colleague who attempted to stop the practice.” Finally, what if yet another company official directed company employees to “delete hundreds of appointments from records” during the pendency of an investigation?

All of the above quotes came from a second NYT article about a very different subject. In the piece, entitled “After Hospital Scandal, V.A. Official Jump Ship”, Dave Phillips reported that two of the four VA Administration executives who engaged in the above conduct and were selected for termination, had resigned before they could be formally terminated. The article reported that the VA “had no legal authority to stop” the employees from resigning. Current VA Secretary Robert McDonald was quoted in the article as saying, “It’s also very common in the private sector. When I was head of Procter & Gamble, it happened all the time, and it’s not a bad thing — it saves us time and rules out the possibility that these people could win an appeal and stick around.” Plus, he said, their records reflect that they were targeted for termination. “They can’t just go get a job at another agency,” Mr. McDonald said. “There will be nowhere to hide.”

The third article was in the Wall Street Journal (WSJ) and entitled, “GM Says Top Lawyer to Step Down”. In this piece, reporters John D. Stroll and Joseph B. White, with contributions from Chris Matthews and Joann Lublin, reported that General Motors (GM) General Counsel (GC) Michael Millikin will retire early next year. Milliken is famously the GC who claimed not to know what was going on in his own legal department around the group’s settlements of product liability claims of faulty ignition switches. Milliken claimed he was kept “in the dark” by his own lieutenants about the safety issues involved with this group of litigation. Does Milliken have any responsibility for the failures of GM around this safety issue? What does his apparent graceful retirement say about the corporate culture of GM and its desire to actually change anything in the light of its ongoing travails? Of course one might cynically point to GM’s failure to even have a Chief Ethics and Compliance Officer as evidence of the company’s attitude towards compliance and ethics. (I wonder how that might look to the DOJ/Securities and Exchange Commission (SEC) if GM goes under any FCPA scrutiny?)

With Citigroup, the Department of Veterans Affairs and GM, we have three separate excuses for companies (and a Cabinet level department) not disciplining top employees for ethical and/or compliance failures. At Citigroup, the excuse is apparently that it does not want to rock the boat from a top producing foreign subsidiary by terminating the head of the subsidiary under investigation. At the Department of Veterans Affairs, the excuse seems to be they can go ahead and resign because we prefer to get rid of them that way. At GM, it is not clear why the GC who claimed not to know what was going on in even his own law department can ride off into the sunset with nary a contrary word in sight. Millikin’s conduct would seem to be the product of a larger cultural issue at GM.

I thought about how the DOJ might look at these situations for companies if a FCPA claim were involved. Even with McDonald’s observations about what happened when he was with Procter & Gamble; does a company show something less than commitment to having a culture of compliance if it allows an employee to retire? What does it say about Citigroup and its culture given the current dance it is having with its head of the Mexico unit? What about GM and its Sgt. Schultz of a GC and his ‘I was in the dark posture’? As stated by Mike Volkov, in his post entitled “Goodbye Mr. Millikin: GM’s Continuing Culture Challenges”, GM does under appear to understand the situation it finds itself in currently over its failures. He wrote, “GM still does not understand the significance of its governance failure…GM should have taken dramatic and affirmative steps to create a new culture – resources and new initiatives should be launched to rid GM of its current culture and replace it with a new speak up culture. It is a daunting task in such a large company but it has to be done. Until GM wakes up, missteps and failures will continue.” One might say the same for Citigroup and the Department of Veterans Affairs as well.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Carlton Fisk, The Homer and Oversight of a Profitable Subsidiary

Today we celebrate one of the great moments in World Series history. At approximately at 12:34 AM on this date in 1975, Carlton Fisk came to bat at the bottom of the 12^th, in Game 6 of the World Series between the Boston Red Sox and Cincinnati Reds. He hit a pitch down the left field line. He stood at the plate, bouncing up and down and flailing at the ball as though he was helping an airplane land on a dark runway. “I was just wishing and hoping,” he said at a ceremony some years later. “Maybe, by doing it, you know, you ask something of somebody with a higher power. I like to think that if I didn’t wave, it would have gone foul.” Whether or not the waving was responsible, the ball bounced off of the bright-yellow foul pole above the Green Monster for a home run. Fenway’s organist played the Hallelujah Chorus from Handel’s Messiah while Fisk rounded the bases. One for the ages indeed as it appeared the Baseball Gods might finally be smiling on the Red Sox nation. Alas, they lost the next game and it was not to be for another 30 years.

I thought about Fisk’s homer and the ultimate heartbreak of Red Sox nation once again in 1975 when I read about several recent issues involving corruption and corporate responsibility for oversight, or perhaps more appropriately, the lack thereof. The first was an article in the New York Times (NYT), entitled “Another Scandal Hits Citigroup’s Moneymaking Mexican Division”, by Michael Corkery and Jessica Silver-Greenberg. Their article spoke about the continuing travails of Citigroup’s Mexican subsidiary Banamex. Back in February, the company revealed “a $400 million fraud involving the politically connected, but financially troubled, oil services firm Oceanografía.”

However, company investigators have unearthed another problem at the Mexico unit. The article reported “An internal investigation, begun by Citigroup in July, found evidence that the security unit was overcharging vendors and may have been taking kickbacks, a person briefed on the investigation said. The internal inquiry also found shell companies that had been set up to look like vendors and receive payments from the Banamex unit.” In a statement reported in the piece, Citigroup’s Chief Executive Officer (CEO) Michael L. Corbat “called the conduct of the individuals in the security unit ‘appalling’”.

What I found most interesting in the article was the response of Citigroup and what its implications might mean for the compliance practitioner, particularly one whose company is under scrutiny for a Foreign Corrupt Practices Act (FCPA) violation by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC). The NYT piece made clear that the Mexico unit is so profitable that it figuratively “mints money” for the company. Moreover, “despite the latest headline-grabbing turmoil at Banamex, Citigroup does not want to cede any ground in Mexico where it dominates a large portion of the retail market.”

What is the responsibility for a US corporate parent when a foreign subsidiary ‘mints money’ for the company? Should the corporate parent pay closer attention to make sure the subsidiary is doing business in compliance with the FCPA and other relevant laws? In the past few posts, I have discussed some of the specific internal controls a compliance practitioner might consider for a company’s international operations. One of the problems Citigroup is facing with the conduct of its Mexico subsidiary is the company’s concern of “lax controls and oversight”. Moreover, there is concern that some part of the ongoing troubles in the Mexico unit relates to its head, Manuel Medina-Mora. Citigroup Chairman Michael O’Neill, was said to have “privately expressed concerns to board members that Mr. Medina-Mora, who is also co-president of the parent company, has not always relayed problems in the region to executives at the bank’s headquarters on Park Avenue, according to the people briefed on the matter. Instead of looping in executives in New York, Mr. Medina-Mora has at times chosen to handle the issues himself.”

How much oversight should a parent corporation have over a subsidiary? At a basic level it would seem that oversight should be enough to prevent and detect illegal conduct. Clearly, a Chief Compliance Officer (CCO) should be considering the entity-wide internal controls for a company. Under the FCPA accounting provisions, issuers can be held liable for the conduct of their foreign subsidiaries, even though the improper conduct occurred outside of the US. The scope of liability is based on the issuer’s incorporation of the subsidiary’s financial statements in its own records and SEC filings.

While a CCO should expect (and the DOJ & SEC for that matter) that internal controls at locations outside the US are of the same effectiveness as internal controls in US business units and at the US corporate office; unfortunately, that might not always be the case. It is often the case that corporate level internal controls are stronger than those in foreign business units. The Citigroup situation with its Mexican subsidiary would seem to be a clear example of the oft-cited reason that many companies were built through acquisitions, resulting in many business units (both in and outside the US) having completely different accounting and internal control systems than US corporate office. There is often a tendency to leave acquired companies in the state in which they were acquired, rather than trying to integrate their controls and conform them to those of current business units. After all, the reason for the acquisition was the profitability of the acquired company and nobody wants to be accused of negatively impacting profitability, especially one that ‘mints money’.

The second example is one a bit closer to home and it is that of the General Motors (GM) legal department. In an article in the Wall Street Journal (WSJ) entitled “GM Says Top Lawyer to Step Down”, John D. Stroll and Joseph B. White, with contributions from Christopher Matthews and Joann S. Lublin, reported that GM General Counsel (GC) Michael Millikin will retire early next year. Millikin was criticized after the GM internal investigation found that he ran the GM legal department in such a hands off manner that he did not know about his legal department’s own settlements for product liability claims involving faulty ignition switches until February of this year. His defense was that his own lawyers “left him in the dark” even though there was evidence that he had been repeatedly warned, “GM could face punitive damage awards related to its failure to address the safety defect.” Missouri Senator Claire McCaskill summed up sentiment about Milliken with her statement “This is either gross negligence or gross incompetence.” In other words if you are a GC or CCO you had better know what is going on in your own department. What would it say about a CCO who did not know that compliance department members were dealing with violations of the FCPA without informing him or her? It would say that the CCO failed to exercise leadership and oversight.

And while you are watching things closely, you may want to check out a clip of Carlton Fisk’s famous homer by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Internal Controls Outside the US – Part IV

This post will conclude a short series I have presented on the issue of internal controls outside the US. I want to conclude by raising some ways in which a compliance professional can work to implement internal controls in a multi-national organization. As with my entire series on internal controls, I rely on internal controls expert Henry Mixon for guidance on this topic. 

Mixon advises that the first step is to convert your company’s Foreign Corrupt Practices Act (FCPA) risks into internal control objectives. The internal control objectives are then given to each business unit with instructions to develop controls, which meet the objectives. This process should allow more of a fine tuning approach within existing systems than the development of specific controls by corporate which all business units must adopt and will give the business unit a sense of buy-in and participation in the process.

Mixon provided an example of how the process might work in the situation where the FCPA risk is that a third party representative may be paid for an invoiced amount before that third party representative has gone through your company’s full third party approval process. Mixon began by noting that your control objective is that internal controls should be in place to ensure that no vendors are added to the vendor master file until the vendor has been approved. If your company has a sophisticated ERP system such as SAP where checks are generated using the vendor master file and signed by the computer, this control objective may be met by adding a field to the vendor master file in which inserts the date the vendor is approved and by programming such a requirement the vendor information cannot be inserted into the check to pay the vendor unless the designated fields are populated. There would also be manual controls over the input of the date to ensure the data is not entered inappropriately. These internal controls would translate into form for changes to the vendor master file which is initiated by the person in charge of vendor due diligence and requires a ‘second set of eyes’ requiring sign off by a second person, such as the controller. Through this mechanism you have created a primary control through your third party approval process and validated that process if a change is made.

What if your location or business unit involved does not have a sophisticated ERP system such as SAP, for instance at another location QuickBooks is used? Mixon suggests that the control objective could be satisfied by using a similar form for changes to the vendor master file combined with the requirement that a report of all changes are printed and submitted to both check signers, along with the applicable approved vendor change request.

One of the banes of any compliance practitioner is the push back they inevitably receive when they attempt to institute something new or different. The same can be true of internal controls. What happens when the compliance function receives push back and will be told the controls are too burdensome and also make operations less efficient? I inquired from Mixon how he might suggest this situation be dealt with going forward. Fortunately for us, this is something that Mixon has observed many times and is very familiar with the issue as many employees see internal controls only as an added burden. Moreover, many business development types will raise the hue and cry that internal controls prevent them from effectively running the business. Finally, there are many groups in any company that may well say that a re-work of internal controls will cost too much money.

One of the areas available to a compliance professional is benchmarking from other company’s compliance experiences. However this can be expanded into solid presentations about why it is important to assess and mitigate FCPA risks using your corporate peers that have been the subject of an FCPA enforcement action. This is some of the best sources of information a compliance practitioner can avail his or herself of to provide good insight into why it was never expected that the company would be subject to FCPA enforcement and insight into the extreme disruption, cost, and anxiety which accompanied the enforcement actions.

Mixon also advises that the premise is that the cost of controls should not exceed the benefits to be obtained, so it really comes down to internally selling a cost benefit analysis. If the selling is done after at least a basic risk analysis, Mixon believes that it should be relatively easy to obtain concurrence that certain risks must be mitigated and that the benefits exceed the expected costs. Furthermore, there are occasions where there are no costs associated with improving controls. A good example is when re-alignment of duties using existing staff achieves an improved set of internal controls. Another example is when manual controls can be converted to electronic controls such that the only cost is the programming and re-training costs.

Another key factor, as with all FCPA compliance initiatives, is ‘Tone at the Top’. This means that you should meet with and present the case for FCPA-focused internal controls to your company’s Executive Leadership Team (ELT), Audit Committee of the Board or other appropriate group of senior executives. The presentation should include, with examples, the importance of identifying and mitigating the FCPA and fraud risks. Some of these might include the following:

• Illustrating the examples of how the controls can prevent bribery as well as many other types of occupational fraud;
• Illustrating that the controls needed are all sound business controls, nothing exotic or out of the ordinary;
• With proper control design, it may be possible to eliminate some existing detect controls in favor of more useful preventive controls or even prescriptive controls;
• As a result of your business changes and resulting changes in assessed risks, it may be that some procedures now being performed are no longer needed and the resources can be shifted to more necessary controls; and
• It may be possible to build in more electronic controls, which can replace existing manual controls.

What if your company does an assessment of the internal controls over financial reporting as part of Sarbanes Oxley (SOX) compliance and that the Chief Financial Officer (CFO), or other appropriate corporate officer, annually certifies the internal controls are effective? How should such a situation be dealt with or conversely how might a compliance professional respond? 

Mixon believes that there are two primary reasons why the assessment under SOX is not sufficient for a Compliance Officer’s purposes. One is the scope of the SOX assessment and the second is the design of the SOX assessment. This means that the SOX process addresses only the internal controls over financial reporting, that is, the controls in place to prepare the financial statements for presentation to third parties. That process does not address the risks or the control needs with respect to FCPA. Mixon cited to the example of internal controls over disbursements, which may be evaluated as being effective if there is a three-way match of the approved purchase order, the vendor invoice, and the receiving report. Those controls do not address the risk that an agent may submit an invoice before the agent has been vetted and the invoice will be paid. It also does not address whether the agent’s invoice was reviewed for proper description of business purpose and for being consistent with the approved contract with the agent.

The second primary reason SOX certification of financial internal controls itself is not enough is the design criteria. SOX allows a materiality threshold. This means that operations outside the US may be excluded from scope due to materiality. It may also mean that some functions are operating below the financial internal controls level. Compliance professionals need to continually remind others that there is no materiality requirement in FCPA enforcement.

I hope that you have benefited from these posts on internal controls outside the US. I clearly believe that the price for noncompliance can easily be substantially greater than the cost to assess and implement good internal controls. But good FCPA internal controls are not some standalone protective measure. They can help to make a company run more efficiently as the internal controls that prevent FCPA violations are the same ones that prevent fraud in the workplace. So the presence of good internal controls saves money by preventing fraud. It is a business best practice to prevent fraud, which includes preventing corruption. I have long wondered about Ethisphere and its annual survey of the world’s most ethical companies because they seem to exceed the Standard & Poor’s (S&P) index of average profits and growth. What I have come to believe is that one of the keys ways such companies do seem to have better than average profitability is that they have better internal controls.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014