Consumer Protection and Your Business

Ed. Note-today we have a guest post from Karen Schirmer, a Senior Advisor at Chartwell.

You’ve been hearing for a while now that the regulatory environment has been changing, and you follow the Consumer Financial Protection Bureau (“CFPB”) alerts to see if this new regulator will be looking at your type of business sometime in the near future. But you haven’t done anything new to prepare for greater consumer protection scrutiny because you’re too busy preparing for the upcoming state or bank examination. If this describes your organization, we understand that being proactive with limited funds and resources can be difficult. Nonetheless, consumer protection laws exist on the state and federal level, and states, banks, and other regulators are all taking a broader approach to their reviews. In this article, we will provide you with simple best business recommendations on how to get started with your consumer protection program.

Examine your collateral and marketing for consumer transparency

The most frequently cited violations of consumer protections have been unfair, deceptive, or abusive acts or practices (“UDAAP”) due to the lack of transparency of fees, unclear terms and conditions, and misleading statements deemed harmful to consumers. It is important that the consumer understands what the product or service is and the costs and terms of the products or services being purchased.   This includes all fees and fee limits, including inactivity, dormancy or service fees. Marketing, Packaging, Terms and Conditions, and overall Website language are places that have high risk of creating confusion for the consumer. These are good places to start your project review. Focus on the wording of your marketing and other collateral: is it in an active voice, using strong verbs and the simplest tense possible? Are explanations in everyday words, rather than excessive acronyms, abbreviations, or multiple negatives? Are several qualifiers used in explanations? If so, see if those explanations may be made more direct. Short, concise sentences are best. Look for consistency in terminology – if a transaction fee is the same as an activity fee, pick one term (this may be guided by regulation), define it, and use it throughout.

When evaluating either new or existing financial services products for consumer transparency, your standard of proof should be low, such as “likelihood” of being misled. A reasonable consumer’s overall or “net” impression counts, and omissions of key facts can lead a consumer to the wrong overall impression.

The format and proximity of material information is very important. Consumer disclosures and other key information, such as product function, terms and conditions, privacy and complaint notices should be in at least 8pt font (your product may need to follow a particular font requirement, per regulation) and whenever possible, clearly described on the first or second page, and linked in multiple places. It is prudent to identify any structural aspects of a product or terms and conditions that a consumer might not understand or would find surprising and add highlights or clarifications as appropriate.

Engage your privacy and data security teams 

With several high-profile data security breaches occurring in 2014, consumer confidence and trust in many financial products has eroded, and spending habits have changed accordingly.

The message is that companies offering financial products and services should look into strengthening their security infrastructure with data loss prevention, network security, encryption, and strong authentication and defensive measures. Other internal best practices include having a detailed data security policy that is communicated through training to employees and 3^rd party stakeholders, and assigning controls and control owners to test security measures on a regular basis.

Privacy and transparency are interrelated. Companies must provide users with clear and complete information regarding any collection, use and disclosure of the collected data. Further, internal departments that have access to or may want to use the data must receive training on the limited uses for and protection of the data.

Enhance the consumer experience 

The consumer experience starts with the presentation of a product choice or choices, and the consumer is able to select options in an informed manner. Lack of understanding on the part of the consumer of the risks, costs or conditions of the product or service often leads to complaints.

Once the consumer has signed up for a product or service, it is important that the consumer may access his/her account information easily. The consumer should have ample free access to account information.

A consumer’s experience with a product is directly impacted by the quality of a company’s customer service function. The telephone number(s) for complaints of various types should displayed in multiple places (i.e. websites, receipts, postings, Terms and Conditions).

Effective and timely resolutions of complaints is critical in an environment where consumer protection gets strong attention from state Attorney General’s offices and Federal Agencies. Companies should have policies and procedures that include the following:

1. A policy statement in support of consumer protection;
2. An ongoing process of identifying consumer protection laws;
3. A compliance management system to track the applicable requirements of the laws on a per business or per product basis;
4. A written process specifically for complaints that raise compliance issues;
5. A written process for using complaint data to fix practices and take corrective action; and
6. A records-management process that includes the maintenance of complaint records, litigation, investigation, policies, procedures and reports of complaints resulting in operational changes. Responses and timeframes are tracked

Consumer protection is more than just providing disclosures. Your consumer protection review can be done in layers. Seek a commitment from senior management and/or Board of Directors, implement strategic projects such as the ones described above, add in training and on-going monitoring and you will be well on your way to having strong consumer protection compliance program.

Karen Schirmer has 12 years of experience directing Compliance teams, and drafting programs that identify requirements, risks, controls and methods of control validations. During her work as Compliance Director for Western Union, Inc. and Integrated Payments Systems Inc., she conducted independent reviews, and coordinated regulatory examinations.  As part of the First Data leadership team for 10 years, she drafted and directed the operations of the 2012-2013 Global Corporate Compliance Program.  For more information, please contact Karen at karenschirmer@chartwellcompliance.com.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, her affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication.

Five Step Process for Transaction and Continuous Controls Monitoring

Most Chief Compliance Officers (CCOs) and compliance practitioners understand the need for transaction monitoring. Whether it be as a part of your overall monitoring of third parties, employees, or to test the overall effectiveness of internal controls and compliance, transaction monitoring is clearly a part of a best practices compliance program. Further, while most compliance practitioners are aware of the tools which can be applied to transaction monitoring, they may not be as aware of how to actually engage in the process. Put another way, how do you develop a methodology for building a transactional monitoring process that yields sustainable, repeatable results?

I recently put that question to one of the leaders in the field, Joe Oringel, co-founder and principal at Visual Risk IQ. He explained to me that their firm has dissected data analytics and transaction monitoring into a five-step process they call QuickStart, which facilitates applying the process iteratively across a two to four month time frame. These iterations allow for, and reinforce the methodology’s repeated and practical application and reapplication. The five steps are (1) Brainstorm, (2) Acquire and Map Data, (3) Write Queries, (4) Analyze and Report, and (5) Refine and Sustain.

Brainstorm

Under this step, the transactional monitoring specialist, subject matter expert (SME), such as one on the Foreign Corrupt Practices Act (FCPA) or other anti-corruption law, and the compliance team members sit down and go through a multi-item list to better understand the objectives and set the process going forward. The brainstorming session will include planning the monitoring objectives and understanding the data sources available to the team. Understanding relationships between the monitoring objectives and data sources is essential to the monitoring process. During brainstorming, the company’s risk profile and its existing internal controls should be reviewed and discussed. Finally, there should be a selection of the transaction monitoring queries and a prioritization thereon. This initial meeting should include company representatives from a variety of disciplines including compliance, audit, IT, legal and finance departments, sales and business development may also need to be considered for this initial brainstorming session.

While the rest of the steps may seem self-evident in any transaction monitoring process, it is the brainstorming step which sets the Visual Risk IQ approach apart. This is because business knowledge is critical to sustaining and improving the transaction monitoring process. And because the process is iterative, periodic meetings to further understand the business pulse allow the most useful data to be monitored through the system. 

Acquire and Map Data

The second step is to obtain the data. There may be a need to discuss security considerations, whether or how to redact or mask sensitive data, and ensure files are viewable only by team members with a “need to know”. Balancing, which consists of comparing the number of records, checksums, and controls totals between the source file (as computed by the file export) and then re-calculated number of records, checksums, and control totals (as computed by a file import utility). Balancing is performed to make sure that no records are dropped or somehow altered, and that the files have integrity. Somewhat related is making sure that the version of the files used is the “right” one. For example if you are required to obtain year-end data year-end close could be weeks after the closing entries have been actually recorded, depending on the departments engaged in the year end processes.

Types of systems of record could include Enterprise Resource Planning (ERP) data from multiple transaction processing systems, including statistics on numbers and locations of vendors, brokers and agents. You may also want to consider watch lists from organizations such as the Office of Foreign Asset Control (OFAC), the Transparency International – Corruption Perceptions Index (TI-CPI), lists of Politically Exposed Persons (PEPs) or other public data source information. Some of the data sources include information from your vendor master file, general ledger journals, payment data from accounts payable, P-cards or your travel and entertainment system(s). You should also consider sales data and contract awards, as correlation between spending and sales as these may be significant. Finally, do not forget external data sources such as your third party transactional data. All data should initially be secured and then transmitted to the transaction monitoring tool. Of course you need to take care that your transaction monitoring tool understands and properly maps this data in the form that is submitted.

Write Queries

This is where the FCPA SME brings expertise and competence to assist in designing the specific queries to include in the transaction monitoring process. It could be that you wish to focus on the billing of your third parties; your employee spends on gifts, travel and entertainment or even petty cash outlays. From the initial results that you receive back you can then refine your queries and filter your criteria going forward. Some of the queries could include the following:

• Business courtesies to foreign officials;
• Payments to brokers or consultants;
• Payments to service intermediaries;
• Payments to vendors in high risk markets;
• Round dollar disbursements;
• Political contributions or charitable donations; and
• Facilitation payments.

Analyze and Report

In this process step, you are now ready to begin substantive review and any needed research of potential exceptions and reporting results. Evaluating the number of potential exceptions and modifying queries to yield a meaningful yet manageable number of potential exceptions going forward is critical to long-term success. You should prioritize your initial results by size, age and source of potential exception. Next you should perform a root cause analysis of what you might have uncovered. Finally at this step you can prioritize the data for further review through a forensic review. An example might be if you look at duplicate payments or vendor to employee conflicts. Through such an analysis you determine if there were incomplete vendor records, whether duplicate payments were made and were such payments within your contracts terms and conditions.

Refine and Sustain

This is the all-important remediation step. You should use your root cause analysis and any audit information to recalibrate your compliance regime as required. At this step you should also apply the lessons you have learned for your next steps going forward. You should refine, through addition or deletion of your input files, thresholds for specific queries, or other query refinements. For example, if you have set your dollar limits so low that too many potential exceptions resulted for a thoughtful review, you might raise your dollar threshold for monitoring. Conversely if your selected amount was so low that it did not generate sufficient transactions, you could lower your parameter limits. Finally, you can use this step to determine the frequency of your ongoing monitoring.

Oringel concluded by emphasizing the iterative nature of this process. If you can establish your extraction and mapping rules, using common data models within your organization, you can use them to generate risk and performance checks going forward. Finally, through thoughtful use of transaction monitoring parameters, you can create metrics that you can internally benchmark your compliance regime against over time to show any regulators who might come knocking.

For further information on this process, contact Joe Oringel at Joe.Oringel@VisualRiskIQ.com

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Lincoln Assassinated and HSBC’s Continued Self-Inflicted Woes

Today is the 150^th anniversary of the first successful Presidential assassination attempt. It was on this day in 1865 that John Wilkes Booth shot President Abraham Lincoln at Ford’s Theater in Washington DC. Booth was not a lone gunman but led a group of Confederate sympathizers who attacked or planned to attack leading US government officials. Co-conspirator Lewis T. Powell burst into Secretary of State Seward’s home, repeatedly stabbing him and seriously wounding him and three others, while George A. Atzerodt, assigned to kill Vice President Johnson, lost his nerve and fled.

HSBC continues to stay in the news, unfortunately largely for the wrong reasons in the realm of anti-corruption, facilitating tax evasion and money laundering. In an article in the New York Times (NYT), entitled “HSBC Is Deemed Slow To Carry Out Changes”, reporters Jessica Silver-Greenberg and Ben Protess noted that earlier this month, federal prosecutors made a quarterly count filing as a part of their report on the bank’s Deferred Prosecution Agreement (DPA) “faulting the bank for weaknesses in spotting suspicious transactions and for enabling a corporate culture resistant to change.”

The filing itself was based upon the corporate monitor’s Michael Cherkasky’s “confidential 1000 page report submitted to prosecutors in January. That report, people briefed on the matter said, offered a more scathing assessment of the bank’s progress.” The monitor has been “evaluating HSBC’s global operations for cracks in its money-laundering controls. As such, he has reviewed the bank’s various business lines, including its sprawling operations in China.”

In the technology area, the filing noted the “bank’s technology systems, despite some improvement, still suffer from “fragmentation” and “lack of connectivity” the Justice Department filing said. With its creaky framework, the filing said, “the collection and analysis” of data could suffer.” This lack of technology to both check on customers or potential customers and then review the transactions they might engage in were a prime deficiency noted in the original 2012 enforcement action where “prosecutors found that HSBC facilitated money laundering on behalf of Mexican drug cartels, allowing at least $881 million in tainted money to course through its United States branches.”

But perhaps the more troubling finding in the prosecutors filing was around the culture at the bank. There was not specific criticism of the tone at the top of the bank or with senior management but with the employees’ attitudes towards meeting the obligations under the DPA. The filing said that “Change at the bank was met with resistance” providing at least one example; “When presented with negative findings from auditors, the filing said, managers at the bank’s United States unit for global banking and markets “inappropriately pushed back.” Ultimately, the resistance caused an internal audit report “to be more favorable to the business than it would have been otherwise.”

Interestingly HSBC itself pushed back against the government’s filing, at least in the press. The article noted that “In response to the filing, Stuart Levey, the bank’s chief legal officer said, “The Justice Department recognized in its letter that HSBC has made material progress toward meeting the most stringent compliance standards imposed to date upon a global financial institution.” Levey also said that “the bank was continuing to meet all its obligations under the deferred-prosecution-agreement and that its leaders “are making progress toward that objective and appreciate the monitor’s ongoing work.””

Monitor Cherkasky’s report and the Department of Justice (DOJ) filing bring up a couple of interesting points for speculation. The first is the continuing dialogue and debate on the effectiveness of DPAs and whether they actually do achieve their stated goals of changing corporate culture and behavior. The NYT article said that the DOJ filing, which came under the name of the President’s Attorney General-designee, as head of the US Prosecutor’s office, comes “at a time when prosecutors are grappling with repeat offenders on Wall Street”. Moreover, “the filing underscores the Justice Department’s efforts to stem the pattern of corporate recidivism.” Just how hard should the DOJ come down on HSBC? There are other more aggressive steps the DOJ could take, even at this point. These include “extending the five-year deferred-prosecution agreement or singling out culpable employees by name.” Indeed the article cited to a recent speech by the head of the DOJ’s criminal division, Deputy Assistant Attorney General Leslie Caldwell, where she said, “the government has “a range of tools” to deal with corporate recidivism, including extending the term of a deferred-prosecution agreement while prosecutors investigate accusations of new criminal conduct.”

How about tearing up the DPA and simply criminally prosecuting the bank on the facts it admitted to in the DPA? Caldwell also spoke to that possibility when she said in the same speech, “Make no mistake: The criminal division will not hesitate to tear up a D.P.A. or N.P.A and file criminal charges where such action is appropriate and proportional to the breach.” Since parties are required to agree to facts in any DPA or Non-Prosecution Agreement (NPA) it would seem that tearing up those settlement documents and then prosecuting those companies on the underlying facts would be a relatively straightforward matter.

The other party in this debate is the Attorney General-nominee herself. While at this point it is not clear if the GOP majority will ever let her nomination come up for a vote before the full Senate, what if the Senate Judiciary Committee decides to reopen the hearings on this issue and then shoehorn it into the larger ongoing academic and FCPA Inc. debate on DPAs (and NPAs and other settlement tools). What if the FCPA testified on the “Façade of FCPA Enforcement”? What if Ted Cruz came in to ask why the DOJ is even bothering to prosecute the British banking giant?

At the time of its settlement in 2012, the HSBC fine was the largest for any bank involving money laundering. The monitor’s report and DOJ court filing demonstrate that the settlement is still controversial and the conduct engaged in by the bank many years ago may well continue to resonate up to this day and well into the future.

But the negative news for HSBC did not end with the filing of the DOJ report. As reported in the Financial Times (FT), in an article entitled “French magistrates open formal criminal probe into HSBC”, Emma Dunkley wrote that the parent entity of the bank, HSBC Holdings, “has been placed under criminal investigation by French authorities and made to post €1bn bail over allegations that its Swiss private banking arm helped clients avoid taxes.” This is separate and apart from the investigations into the company’s Swiss banking unit, which has been indicted or is under investigation “over tax evasion allegations in several other countries, including the US, Belgium and Argentina.”

In another article in the NYT, entitled “HSBC Facing Criminal Investigation in French Tax Case”, Chad Bray reported that the bank apologized after released documents “showed that its employees had reassured clients that the lender would not disclose details of their accounts to the tax authorities of their home countries and discussed options to avoid paying taxes on those assets. The bank has acknowledged previous “conduct and compliance failures” in its Swiss business and has said that it has overhauled its private banking business and reduced its client base in Switzerland by 70 percent since its peak.”

The woes of HSBC continue and indeed seem to be increasing. With the fallout from the monitor’s report and other ongoing investigations the bank may be in danger of having its DPA revoked. While HSBC is not the only poster child for Banks Behaving Badly it may find itself as the first bank to have its DPA torn up and either the entity or responsible individuals criminally prosecuted for recidivist behavior.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Brazilian Corruption Scandal Expands Past Petrobras – Is a FCPA Country Sweep Next?

The Brazilian corruption scandal took a new turn last week, when the Brazilian government announced that it was investigating the country’s health ministry and the state-owned bank Caixa Econômica Federal (Caixa). As reported by Rogerio Jelmayer and Luciana Magalhaes in the Wall Street Journal (WSJ), in an article entitled “Corruption Scandal in Brazil Gets Bigger”, the schemes were similar to those used in the Petrobras scandal, where inflated contracts were awarded to contractors who kick backed the overcharges to those in position to award the business.

This expansion of Brazilian government investigation is also the first reported instance of companies outside the energy sector or those doing business with the Brazilian state-owed enterprise Petrobras being investigated by the Brazilian government. Over the years there have been several Foreign Corrupt Practices Act (FCPA) enforcement actions regarding US companies doing business in Brazil. With this expansion of the Petrobras corruption scandal to other government departments and state-owned entities, a new chapter may be opening. This new chapter may bring not only Brazilian domestic bribery and corruption scrutiny but also draw the attention of US or UK regulators, such as the Department of Justice (DOJ), Securities and Exchange Commission (SEC) or the UK Serious Fraud Office (SFO).

In the health ministry the area of contracts under investigation were those for advertising. The WSJ article said, “the cost of advertising contracts was inflated by as much as 10%, prosecutors said, with the surplus also passed along to politicians. The health ministry said all its advertising contracts meet the legal requirements, and it will investigate the allegations and cooperate with police and prosecutors.” It certainly is comforting when the government says it will cooperate with investigators.

But perhaps more interesting was the timing of the allegations against the country’s third largest state-owned bank Caixa. While the allegations around the scope and extent of the bribery were similar to those made against the Brazilian health ministry, the declarations of these new investigations coincided with the announcement last week by the government Finance Minister Joaquim Levy and Caixa Chief Executive Officer (CEO) Miriam Belchior for “an initial public offering [IPO] in the insurance joint venture it has with French insurer CNP Assurances.”

What do you think the comfort level will be for institutional investors about now in this IPO? I wonder if under IPO rules and regulations in Brazil, whether the CEO must certify either the financial statement as accurate or that there is no evidence of corruption in the organization? Even those in Brazil recognize the gravity of these allegations against Caixa. Luis Santacreu, a banking analyst at the Brazilian rating agency Austin Ratings, said that he thought this announcement would make the IPO more difficult and “the allegations against Caixa show it needs to improve its governance.”

These two developments demonstrate the difficulties that international companies may have in doing business in Brazil going forward. It is not difficult to believe that a country sweep on those doing business in Brazil, with the Brazilian government or with Brazilian state-owned enterprises, may well be coming. Given the recent 2014 World Cup and the upcoming 2016 Olympics, it would not seem too great a stretch for the DOJ or SEC to begin to look at US companies with significant amounts of commerce with and in Brazil.

While we have not seen evidence of country sweeps to-date, there has been evidence of industry sweeps in FCPA enforcement. The FCPA Professor, in a blog post entitled “Industry Sweeps”, posted an article from FCPA Dean Homer Moyer, entitled “The Big Broom of FCPA Industry Sweeps”. In his article, Moyer said that an industry sweep is the situation where the DOJ and/or SEC will focus “on particular industries – pharmaceuticals and medical devices come to mind — industry sweeps are investigations that grow out of perceived FCPA violations by one company that enforcement agencies believe may reflect an industry-wide pattern of wrongdoing.” Moyer further wrote, “Industry sweeps are often led by the Securities and Exchange Commission (“SEC”), which has broad subpoena power as a regulatory agency, arguably broader oversight authority than prosecutors. They are different from internal investigations or traditional government investigations, and present different challenges to companies. Because the catalyst may be wrongdoing in a single company, agencies may have no evidence or suspicion of specific violations in the companies subject to an industry sweep. A sweep may thus begin with possible cause, not probable cause. In sweeps, agencies broadly solicit information from companies about their past FCPA issues or present practices. And they may explicitly encourage companies to volunteer incriminating information about competitors.”

As a compliance professional, one of the key takeaways from the Brazilian corruption scandal is that you should take a very hard and detailed look at your company. With the spread of Brazilian investigations around corruption, we can see that these scandals are not be limited to only the energy or energy-related service industry. One of the first things you can begin to do is to review the list of third parties who might work with the Brazilian government or with Brazilian state-owned enterprises. You should begin by asking such questions as:

• What is the ownership of the third party? Is there a business justification for the relationship?
• Is there anyone in the company who is responsible for maintaining the relationship? Is there ongoing accountability?
• How is the relationship being managed?
• Are you engaging in any transaction monitoring?
• Are you engaging in any relationship monitoring?
• What is the estimated or budgeted size of the spend with the third party?

While the GlaxoSmithKline PLC (GSK) investigation has reverberated throughout the China, I think that the Brazilian corruption scandals will be with us for some time. As bad as it seems about now, and it certainly appears bad, there are many lessons that the compliance practitioner can not only draw from but use for teaching moments within your company. For if you are doing business with the Brazilian government or with Brazilian state-owned enterprises it may not be “if you are subject to a FCPA sweep” but only “when”.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

International Anti-Corruption Enforcement Efforts

While the US Foreign Corrupt Practices Act (FCPA) is still the most widely recognized and enforcement anti-bribery and anti-corruption law across the globe, there have been a number of initiatives which will lead directly to greater anti-bribery and anti-corruption enforcement. This increased enforcement will lead to increased risks for companies that do not have anti-bribery and anti-corruption compliance programs in place. This post discusses the efforts of other countries to enact and enforce legislation to curb bribery and corrupt across the globe.

China 

Over the past 18 months, GlaxoSmithKline PLC (GSK) was embroiled in a very public, very nasty bribery and corruption investigation. It culminated in the conviction of GSK and the assessment of a $491 million fine, criminal conviction of four senior GSK China subsidiary managers and the criminal convictions of two ancillary GSK-hired investigators. The entry of the Chinese government into the international fight against corruption and bribery is truly a game-changer. While there may be many reasons for this very public move by the Chinese government, it is clear that foreign companies are now on notice. Doing business the old fashioned way will no longer be tolerated. This means that international (read: western) companies operating in China have a fresh and important risk to consider; that being that they could well be subject to prosecution under domestic Chinese law.

The international component of this investigation may well increase anti-corruption enforcement across the globe. First of all, when other countries notorious for their endemic corruptions, for example India, see that they can attack their domestic corruption by blaming it on international businesses operating in their country, what lesson do you think they will draw? Most probably that all politics are local and when the localities can blame the outsiders for their own problems they will do so. But when that blame is coupled with violations of local law, whether that is anti-bribery or anti-price fixing, there is a potent opportunity for prosecutions.

One of the audit failures of GSK was around well known compliance risks in China, including (1) event abuse planning; (2) mixture of legitimate and illegitimate travel; (3) other collusion with travel agencies; and (4) parallel itineraries. So those risks are well known and have been documented. While the cost of monitoring is high and would involve the tedious work of verifying millions of receipts by calling hotels, airlines and office supply stores and scrutinizing countless transactions for signs of fraud; if your compliance risks are known for a certain profile, then you should devote the necessary resources to making sure you are in compliance in that area.

Brazil 

While GSK was a harbinger of international anti-corruption investigations and enforcement actions based on domestic anti-bribery laws; Brazil and its state-owned energy company Petrobras may become the world’s largest corruption investigation. In a New York Times (NYT) article, entitled “Scandal Over Brazilian Oil Company Adds Turmoil to the Presidential Race”, the scandal was detailed by a former Petrobras official, Paulo Roberto Costa. Mr. Costa was the person who oversaw the company’s refining operations. He has admitted to having engaged in the receipt of bribes for at least a 10 year period “equivalent to 3 percent of the value of the deals from the Brazilian construction companies that obtained the contracts” to build refineries. This amounted to literally millions being “stashed in bank accounts in Switzerland and the Cayman Islands.” He “inflated budgets for new projects” by 3% and then had that amount kicked back to him as bribes. The allegations were verified “through an associate, Alberto Youssef, a black-market money dealer who testified that he helped launder funds in the scheme. Mr. Youssef, who has also accepted a plea deal, testified that more than a dozen of Brazil’s largest construction companies had paid hefty bribes to obtain lucrative Petrobras contracts.” Interestingly, Brazilian President Rousseff “has also effectively acknowledged the prevalence of corruption inside the executive suites of Petrobras, while denying that she had known about the kickbacks when they were taking place.”

The scandal has not only engulfed suppliers to Petrobras in Brazil. It has now moved to the international stage. From shipyards in Singapore, which have been alleged to have paid bribes to Petrobras, to Rolls Royce in Great Britain which has been alleged to have paid bribes for the sale of turbine engines; this scandal truly is international in scope and may engulf more companies going forward. In addition to violations of Brazilian law, the US government has reportedly opened an investigation, as Petrobras USA is a US stock-exchange issuing entity and subject to the FCPA. Indeed, in the US there are already multiple shareholder derivative lawsuits against the US entity for mis-representing its true value because of the corruption allegations against the company in Brazil.

The Petrobras scandal continues to make news almost daily and its repercussions continue to reverberate across the globe. The FCPA Blog, in an article entitled “Swiss AG freezes $400 million in Petrobras bribe probe”, stated that in Switzerland alone there are nine open investigations into alleged money laundering tied to Petrobras. In mid-March the Office of the Attorney General of Switzerland (OAG) announced that they had issued an order to freeze $400 million of assets allegedly tied to a Petrobras corruption scheme. The FCPA Blog further stated the OAG announced “The release of over $120 million reflects Switzerland’s clear intention to take a stand against the misuse of its financial center for criminal purposes and to return funds of criminal origin to their rightful owners.”

The domestic Brazilian Anti-Bribery Law, the Clean Company Act, enacted into law in 2014, is uniquely designed for oversight by internal audit. Compliance programs will be evaluated on three prongs: the structure of the program; specifics about the legal entity; and an evaluation of the program’s efficiency. The first prong will include consideration of the existence of mechanisms for reporting suspected or actual misconduct, training, code of conduct, policies and procedures, periodic risk assessments, and application of disciplinary measures against employees (including senior management too) involved in wrongdoing. Under the second prong, the compliance risks associated will be considered. Compliance programs should be tailored to the company’s risks; “one-size-fits-all” programs will not be accepted. The third prong will consist of a case-by-case verification, that it is not simply a paper program.

Finally, and no doubt spurred by the Petrobras corruption scandal, the FCPA Blog also reported, in another article entitled “After protests, Brazil president issues anti-graft regulations”, that Brazilian President Dilma Roussef issued a presidential decree with regulations under the Clean Company Act. The new regulations issued address some of the crucial questions concerning the administrative procedure for imposing corporate liability and assessing fines. It also set out the criteria for determining fines, evaluating compliance programs, and entering into leniency agreements. Finally, the decree also provides that books and records accuracy and completeness will be a key criterion for evaluating compliance programs, no doubt inspired by the FCPA accounting provisions. As the FCPA Blog said, “The regulations under the Clean Company Act are a critical milestone in the effort to restore credibility to Brazil’s federal government, in light of its past commitments to fighting corruption in the corporate world.”

Conclusion 

What does all of the above mean for a global company? It means that some law that prohibits bribery and corruption will cover your business. It will not and does not matter if you are a US, UK or Brazilian company doing business outside of your home country, somewhere a law prohibiting bribery and corruption will cover your actions. Even if you are not covered by the FCPA, the UK Bribery Act or the Clean Company Act, if you are doing business in a local country you can still be subject to prosecution under its domestic anti-bribery laws. This means that there will be greater enforcement going forward and greater cooperation between enforcement agencies.

For businesses the only response to this plethora of new laws is to implement and enhance a best practices anti-bribery/anti-corruption compliance program and there are several examples that companies can follow to do so. In the US, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) provided their suggestions with their Ten Hallmarks of an Effective Compliance Program; the UK Ministry of Justice (MOJ) has provided commentary on the Six Principles of an Adequate Procedures compliance program and the Organization of Economic Cooperation and Development (OECD) has put forth its Good Practice Guidance on Internal Controls, Ethics, and Compliance.

All of these anti-bribery/anti-corruption regimes set forth easily digested concepts that a company could implement. However, there must be more than simply a paper program in place. A company must actually do compliance for it to be effective. By making compliance a part of normal business practices, it will be possible to prevent, detect and then remediate any bribery or corruption issues that may arise.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Lee Surrenders and Hanson Wade’s Oil & Gas Supply Chain Compliance Conference

Today we celebrate one of the most momentous anniversary’s in the history of the United States, for it was on this day in 1865, 150 years ago, that Confederate General Robert E. Lee surrendered his Army of Northern Virginia to Union Commanding General Ulysses S. Grant at Appomattox Courthouse, effectively ending the American Civil War. Fighting continued for several more weeks to come, however with Lee’s surrender the Civil War had, in all intents and purposes, ended.

Lee and his troops were forced to abandon the Confederate capital of Richmond, they were blocked from joining the surviving Confederate force in North Carolina, and were harassed and outrun by Union cavalry, who took 6,000 prisoners at Sayler’s Creek. With desertions mounting daily the Confederates were surrounded with no possibility of escape. On April 9, Lee sent a message to Grant announcing his willingness to surrender and in the afternoon they met at the home of Wilmer McLean and agreed to the terms of surrender.

Although politicians would later change these terms quite dramatically, Grant is said to have told his officers, “The war is over. The Rebels are our countrymen again.”

Later this month, from April 28-30, Hanson Wade is putting on its annual conference in Houston. It is the “Oil and Gas Supply Chain Compliance” conference, now in its 5^th year, and once again the list of speakers is simply stunning. It includes the following Chief Compliance Officers (CCOs) and senior compliance folks: Dan Chapman, Cameron; Brian Moffatt, Ethos Energy, Jay Martin, Baker Hughes; Marcel De Chermont, Acteon Group, Jan Farley, Dresser-Rand; John Sardar, Noble Energy and a host of other luminaries in the field of Foreign Corrupt Practices Act (FCPA) compliance. Even if you live outside of Houston, the FCPA compliance talent at this event will rival any other event in the US and for such an event not held in Washington DC or New York City, it is simply outstanding.

Some of the panels and topics for discussion include: Applying Culturally Sensitive Approaches To Deliver A Core Compliance Methodology For A Variety Of Countries And Risks; How to Meaningfully Engage Your Business Operations in Taking Greater Compliance Ownership; Avoid The Risk Of Cavalier Behaviour Across The Supply Chain In The Face Of A Challenging Economic Climate; How To Deliver Cost-Effective, Risk Based, Function Specific Compliance Training; several in-depth presentations on Supply Chain and Third Party due diligence. These are but some of the sessions and there are many other excellent panels, sessions and speakers which I have not mentioned.

Recently the Event’s Chairperson, Dan Chapman, Vice President, Chief Ethics and Compliance Officer for Cameron, talked about some of the issues that will be discussed in this year’s conference. Chapman said, “Supply chain is, in my mind, a critical part of compliance and creating awareness throughout the business as to when and where you should apply compliance principles is a key focus. For me the industry has evolved in recent years, and our organizations tend to now have strong legal teams who understand anti-bribery and corruption legislation. Not only this, they now have the ‘tone from the top’. Where I feel that work needs to be done is practically embedding compliance into operational processes, and becoming a true and valuable partner to the business. With the current state of the oil price, we’re likely set for reduced budgets and increased risk, which makes it more important now than ever to share stories, materials and solutions to effectively mitigate compliance risk while enabling business delivery.”

I will be speaking at the conference on internal controls but I am extremely pleased to be co-leading an in-depth workshop on the third day of the event, with Joe Oringel, guest blogger and Managing Director at VisualRisk IQ. In our workshop, you will learn how to implement a system of data-driven monitoring controls and documents to measure the effectiveness of your compliance program and get you through a Securities and Exchange Commission (SEC) investigation. During our 3 hour session we will go into the weeds on the following:

• Understanding what internal controls are required under a best practices compliance program;
• Recognizing what FCPA enforcement actions tell us about internal controls in an anti-corruption compliance program;
• Getting to grips with what the SEC expects you to have in place;
• Competently documenting the effectiveness of your internal controls;
• Understanding best practices and a methodology for the use of data analytics in compliance and ethics organization;
• Prioritizing business and compliance questions that can be answered with analysis of digital data; and
• Identifying a learning plan and resources to enhance your team’s data analytics expertise

I hope that you can attend this most excellent FCPA conference with the two-day sessions on April 28 and 29 and the workshop day on April 30. Very few FCPA conferences focus on Supply Chain and the information that you will receive at this one will be first rate. Finally, Hanson Wade has allowed me to offer a 20% discount to readers of my blog. You can obtain it by entering the code TFLaw20 when you register online. For the conference brochure and full details regarding the agenda and registration, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

The WPA and More Productive Compliance Meetings

On this day 80 years ago, Congress created the Works Progress Administration (WPA), a central part of President Franklin D. Roosevelt’s New Deal. The WPA was established under the Emergency Relief Appropriation Act, as a means of creating government jobs for some of the nations many unemployed. Under the direction of Harry L. Hopkins, the WPA employed approximately 8 million people who worked on 1.4 million public projects before it was disbanded in 1943. Its programs were extremely popular and contributed significantly to Roosevelt’s landslide reelection in 1936.

I have always been amazed at the variety of works that the WPA had a hand in creating, from vast public building projects like the construction of highways, bridges, and dams to the careers of several important American artists, including Jackson Pollock and Willem de Kooning. Many of the most interesting art deco buildings still in use were built during the 1930s through the auspices of the WPA.

While the WPA constructed and led to many good works during its existence, one of the banes of corporate existence is the number of meetings that one must attend. Even worse than the raw number of meetings is the lack of any good that comes out of most meetings. Most meeting organizers have no clue how to run a successful or even useful meeting. I thought about this when I read a recent article in the Houston Business Journal (HBJ), entitled “10 ways to make your next meeting more productive” by Dana Manciagli.

Manciagli began her piece by noting that researchers from the London School of Economics and Harvard University found that business leaders “spend 60% of their time in meetings, and only 15% working alone.” While this statistic alone is troubling enough, when you overlay that with the number of meetings where nothing is accomplished, it is clear to me you have a complete waste of time and resources. I do recognize that some companies have taken accomplishing nothing in meetings as a matter of corporate policy. General Motors (GM) took this to an art form in the well-documented GM Nod, which signified that there was agreement on an issue but that no one would actually do anything about it.

But for those who might want to actually accomplish something in a meeting, Manciagli pointed to Andrea Driessen whom she described as “chief boredom buster” at Seattle-based No More Bored Meetings . How is that for a moniker and company name? Manciagli related Driessen’s top ten tips for developing, running and ultimately having a successful meeting.

1. Be a Know-it-all

Manciagli writes that because it is “natural to disengage when meeting content isn’t relevant. The most effective meeting hosts review all potential agenda segments to determine whether they apply to all attendees. If participants already know a particular content slice, then simply don’t cover that segment for the broader audience. Or if you have vastly different levels of awareness in the room, divide people accordingly to ensure maximum relevance for all.” Of course this means you will need to put some thought into your pre-meeting planning.

2. No Problem? No Meeting!

We have all been subjected to it, the daily, weekly, monthly meeting check-in to see how the project is progressing. But Manciagli believes that “many of these less-than-productive meetings could be canceled or shortened if we identified the problem the meeting is intended to solve. And if we can’t find an identifiable problem, then don’t have the meeting.” Manciagli concludes, “Sometimes, it’s that simple.”

3. Get Real

This is another pre-meeting planning point. Do you try to squeeze 13 action items for discussion and resolution into a 30-minute meeting? Conversely you do not need to book a 60-minute window to handle a couple of points. If you can handle a matter via email or need to go offline, do so.

4. Prioritize, Prioritize, Prioritize!

Like its related cousin, Document, Document and Document, this phase should be more than simply a catchword. It should be an action item in your meeting planning process. Tackle your important issues first to “save time and solve your most pressing problem.”

5. Play “Pass the Pad” To Avoid Late Arrivals

The biggest offender of this rule is, unfortunately, us lawyers. Why, because we are always (in our eyes) the most important. Yet not being able to start because someone is not present or having to repeat points is one of the worst problems there is around efficient meetings. The article notes, “Meeting productivity suffers when people arrive late, and the punctual are penalized.” Her solution is to require the latecomer to take notes in the meeting, writing “People learn quickly that they can either be on time, or become the dreaded note-taker if they are late. As host, you’ll see positive behavior change with little effort on your part.”

6. Be a Meeting Bouncer

Manciagli tactfully writes about that “common meeting malady: the tangent talker.” I would perhaps less tactfully say there are way too many people who like to hear the sound of their own voices way too much. Manciagli suggests a little humor by “naming a tangent officer who monitors and records tangents for later. Use that parking lot! And you can lighten it up by using a toy police badge.” Nothing like a little corporate shame to keep things moving.

7. Make it Multi-Sensory

It is not simply millennials who respond to social media. Most people do better when they are visually engaged. Manciagli suggests using more than simply oral presentations, use other tools, including the following: “Graphic illustration, in which someone draws out ideas in real time; Customer testimonials that emotionally inspire; Quizzes and games; Product demos; Surprise guests; Props that foster kinesthetic learning.”

8. PPPPP

Everyone understands the Five P rule, aka prior planning prevents poor performance. As a meeting host, this means you must absolutely be prepared prior to the meeting. If there are technical issues, you should pass out that information prior to the meeting. Manciagli pointed out that “the more skin we all have in the game, the more likely we are to own and be accountable to group outcomes.”

9. Hire an “Accountant”

Accountability. How many meetings have you attended where there was no accountability? Manciagli believes “Most meetings lack built-in accountability structures.” She gives the tangible hint to “ask everyone to record at least one goal related to the meeting that they’ll commit to completing in the next week or month, and have them check in with one another. Teams gain measurable accountability, and you get recognized for generating stronger results tied to your meetings.”

10. Remember: Humor is No Joke

Humor has a big use in meetings, “The power of humor — if used effectively within the meeting mix — is no laughing matter. Indeed, there is a strong business case to be made for laughing while learning.” It can also lower the stress level in meetings, once again if used properly.

I am sure that you have your own horror stories of aimless, wandering meetings that go nowhere painfully slow. As a Chief Compliance Officer (CCO) or compliance practitioner, one of your most valuable items in a corporation is time. You can set an example about running an efficient and productive meeting and then lead your company down the path laid out in the article. Who knows, the results of what you start in your company may last as long as WPA work.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Rolling Stone’s Rape Story Retraction: Lessons for the Compliance Practitioner

There are only a very few magazine articles that have radically affected me when I read them. Nick Hornby’s account of a group of soccer hooligans, where he chronicled when they traveled to and briefly took over the Italian city of Turin in 1982; Jack McCallum who profiled Jerry Sandusky after he retired from Penn State University and began his fulltime work at the Second Mile organization in 1999; and Sabrina Rubin Erdely’s piece in Rolling Stone last fall about an alleged gang rape and its aftermath on the University of Virginia (UVA) campus. But as much as the first two articles moved me, it was Erdely’s article that sickened me. As a father of a teenaged daughter about to head off to college, I certainly did not want her in any such place.

This weekend, Rolling Stone magazine retracted its story about the rape at UVA and released a full copy of the internal investigation of the story by the Columbia School of Journalism Dean Steve Coll that detailed Rolling Stone magazines reporting missteps and its failures to engage in the most basic of journalistic techniques before it published the story. The New York Times (NYT) had two articles on the story. An article by Jonathan Mahler, entitled “In Report on Rolling Stone, a Case Study in Failed Journalism”, cited that journalism scandals fall into three broad categories. The first is “is pure fabrication, for which high-profile culprits include Jayson Blair (The New York Times), Stephen Glass (The New Republic) and, going back a little further, Janet Cooke (The Washington Post).” Next “is the act of plagiarism (culprits too numerous to list).” But the UVA piece fell into a third category, “lack of skepticism.”

In the second NYT article, entitled “Rolling Stone Article on Rape Failed All Basics, Report says”, reporter Ravi Somaiya wrote, “The Columbia report catalogued a series of errors at Rolling Stone, finding that the magazine could have avoided trouble with the article if certain basic ‘reporting pathways’ had been followed.” What was the central flaw in the way Rolling Stone handled the story? First, and foremost, it did not interview any of the three persons the victim named that she told about the rape. Rolling Stone printed the victim’s tale without bothering to check with them. While it is not clear, apparently Rolling Stone did not even try to substantiate the underlying charge of rape by the victim in any manner other than interviewing her seven times.

Mahler noted, “On the most basic level, the writer of the Rolling Stone article, Sabrina Rubin Erdely, was seduced by an untrustworthy source. More specifically, as the report details, she was swept up by the preconceptions that she brought to the article. As much casting director as journalist, she was looking for a single character with an emblematic story that would speak to — in her words — the “pervasive culture of sexual harassment/rape culture” on college campuses.”

Coll in an interview on NPR said that there was a failure at Rolling Stone magazine up and down the line. There was a failure by the reporter’s editor and the Managing Editor for not insisting on the basic questioning of the holes in Erdley’s stories and failures to follow basic reporting protocols. Also the Fact Checking group at the magazine did not insist strongly enough that its concerns be addressed or those concerns were rejected by the magazine’s management.

What I see is a failure of process. This failure led to repercussions immediately for the fraternity involved, which was falsely accused of having its members gang raping a co-ed and to the tarnishing of UVA. But the long-term repercussions for Rolling Stone magazine and the reporter involved, and even the reporting and conversation around sexual assaults on college campuses. In his article Mahler cited Nicholas Lemann, professor at Columbia and the journalism school’s former dean, who “distributes a document called “The Journalistic Method” in his classes”. This process is similar to “investigating a scientific phenomenon. “It’s all about very rigorous hypothesis testing: What is my hypothesis and how would I disprove it? That’s what the journalist didn’t do in this case.””

For the compliance practitioner there are several clear lessons to be drawn from this horrific scandal. Most people have somewhere heard the journalistic technique of a second source to confirm information. It was enshrined in a scene from the movie version of All The President’s Men. In any process there must be validation of said process. You can easily remember this as ‘a second set of eyes’ on any process, compliance or other. It acts like a second source in that it validates the original information.

In the more formal world of internal controls, it is called ‘segregation of duties’. This technique acts to require a double check of any action by requiring a second set of eyes to take a look at an issue. In business the separation by sharing of information with more than one individual in one single task is an internal control intended to prevent fraud and errors. In the IT world this is called redundancy. It is generally recognized there are several techniques that can help to enforce the segregation of duties. They include:

• Audit trails recreate the actual transaction flow from the point of origination to its existence on an updated file.
• Reconciliation of accounts and an independent verification process is ultimately the responsibility of users, which can be used to increase the level of confidence that an application ran successfully.
• Exceptions are handled at supervisory level, backed up by evidence noting that exceptions are handled properly and in timely fashion.
• Continuous controls monitoring should be maintained, which record all processed system commands or application transactions.
• Supervisory review should be performed through observation and inquiry.
• Independent reviews, which follow a prescribed procedure to detect errors and irregularities.

In addition to these segregation of duty lessons for the compliance practitioner, the Rolling Stone scandal provides one additional clear, concrete lesson. As Paul McNulty would say in No. 3 of his McNulty’s Maxims What did you do about it? Unfortunately for Rolling Stone the answer to that query appears to be not much. Not only were none of those directly involved in the article even so much as disciplined, Rolling Stone sees no need to change anything in its reporting or editorial process based on the lessons laid out in the Coll Report.

In an article in the online publication Slate, entitled “Despite Damning Report, Rolling Stone Will Continue “To Do What We’ve Always Done.” Are They Serious?”, reporter Hanna Rosin wrote, “Rolling Stone’s editors are “unanimous in the belief that the story’s failure does not require them to change their editorial systems.” Are they serious? Did they read the report?” She also reported that Rolling Stone, “ended by saying they don’t need new ways of doing things; they “just have to do what we’ve always done and just make sure we don’t make this mistake again.” And Coco McPherson, head of fact-checking, said, “I one hundred percent do not think that the policies that we have in place failed. I think decisions were made around those because of the subject matter.””

All I can hope is that companies subject to the Foreign Corrupt Practices Act (FCPA) do a better job of learning from the Rolling Stone fiasco than Rolling Stone appears to have done.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Tribute To Eddie LeBaron and CCO as Compliance Project Sponsor

Today we celebrate Eddie LeBaron, who died last week. LeBaron was a diminutive pro quarterback for 11 seasons in the National Football League (NFL) in the 1950s and 1960s. He was also a lawyer and decorated veteran, having been awarded the Bronze Star during the Korean Conflict. In his New York Times (NYT) obituary, Frank Litsky wrote “In a position where players are now routinely 6 feet 3 inches or taller, LeBaron was 5-foot-7, and his weight never reached 170 pounds. But he had no fear of scrambling.” LeBaron quarterbacked the Dallas Cowboys from 1960 to 1963, before handling the reins of Coach Tom Landry’s offense over to Don Meredith with his retirement. After his retirement he worked as a color analyst for CBS Sports, who covered the NFL in those days. One of the things that I remember from his commentary work was the need for planning in any game plan. It was one of the first things I recall learning about pro football.

One of the skills you may be called upon as a Chief Compliance Officer (CCO) or compliance practitioner is the initiation, integration or enhancement of a Foreign Corrupt Practices Act (FCPA) compliance solution into an organization. Most assuredly, one of the things that is not taught in law school or in any compliance course is project management. As CCO, you may either lead such a project on a day-to-day basis or you may take the role of project sponsor, while delegating the day-to-day running of the project to a compliance practitioner in your group.

I thought about this issue when reading a recent article in the MIT Sloan Management Review, entitled “How Executive Sponsors Influence Project Success”, by Timothy J. Kloppenborg and Debbie Tesch. In their article they note, “The role of a project sponsor is often overlooked. But for every stage of a project, there are key executive sponsor behaviors that can make the difference between success and failure.” I found their article has some excellent tips for the CCO or compliance practitioner who may be facing such a task. The authors break the project life cycle stage into four stages: (1) Initiating Stage; (2) Planning Stage; (3) Executing Stage; and (4) Closing Stage.

I.   Initiating Stage

In this stage there are three key activities that a sponsor should pursue. First, the sponsor needs to set the performance standards. This “can be accomplished in the project charter by stating goals about the project’s strategic value and how it will be measured.” But beyond the written details there must be a “clear understanding of expectations about performance” of which dialogue is critical. Second, the project sponsor must mentor the project manager, whose key responsibility is to explain, “how the project fits into the big picture, defining the performance standards and helping the project manager set priorities.” Finally, the project manager must establish the project priorities, with the “most compelling” questions being “what needs to happen first and how should conflicts by settled?”

II.  Planning Stage

In the Planning Stage the authors believe that there are two critical project sponsor behaviors. The first is to “ensure planning” activities are completed by providing “leadership so that the project manager and team can set goals that align with the vision and broader organizational goals. The second is to “develop productive relationships with stakeholders”. This means frequent meetings and communications. Interestingly, the project sponsor should not only see that “needs are identified and understood” but also make “sure that stakeholders’ emotional concerns are given adequate consideration.” Admittedly this is not something lawyers do particularly well but it is mandatory for the CCO or compliance professional.

III.  Executing Stage

In the Execution Stage the authors identify three elements. First the project sponsor must “ensure adequate and effective communication.” This means that regular communications must occur as the project progresses “to make sure that expectations are met.” However this may require the project sponsor to “stand ready to manage the organizational politics with internal and external stakeholders.” Second, a project sponsor must work to help “maintain relationships with stakeholders.” This element helps facilitate the project manager and project team communications noted in the first element. Here the project sponsor should be “open to direct feedback from team members” to ensure that expectations are met. Finally, the project sponsor should work to “ensure quality” by practicing “appropriate decision-making methods and work to resolve issues fairly.”

IV.  Closing Stage

Finally, in the Closing Stage the authors write that there are two elements that project sponsors should emphasize. The first is to “identify and capture lessons learned.” They should be properly “categorized, stored and distributed in such a manner that future project teams will be able to understand and capitalize on”. The second element is to “ensure that capabilities and benefits are realized.” Capabilities, the authors suggest, “could include employees becoming more committed and more capable”. Further, that processes are “more effective and efficient.” Benefits relates to “verifying that the deliverables that were specified at the beginning were actually provided, work correctly and satisfy customer needs.”

To the extent they know much about project management, most CCOs or compliance practitioners are aware of the “iron triangle” of factors to determine a project success. The authors define these as “cost, schedule and performance.” But the authors’ research has led them to conclude that for a project to be a success it must meet an organization’s expectations. The next evaluative point is did the project come in on time, within budget and to the project’s specifications? Finally, did the project succeed in bringing its touted positive benefits to the organization?

By using the steps the authors have outlined, a CCO can think through the organization and ongoing performance of a project to set it up for success. Equally importantly for the CCO, if the project management has been delegated to compliance team members or with other disciplines inside your organization, such as legal, internal audit, IT or human resources; the continued involvement of a CCO as the project sponsor can be key component. The authors posit, “for every project stage, there are success factors that project sponsors should consider” and that a CCO must engage in an ongoing and continual dialogue with the project manager. Finally, key lessons learned should be captured and used down the road to help facilitate other projects or issues as applicable.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Why Tone at the Top Matters and Join the FCPA Professor in Houston

Over this week I have looked at some issues related to compensation and methods from other disciplines that a compliance practitioner might use to test and then improve a company’s third party management regime. Today, I want to go back to the starting point for any compliance program; that is the Tone at the Top. I was reminded of the absolute necessity of having a management not only committed to following the law but the actual doing of compliance when I read about the guilty verdicts in the Atlanta schools cheating scandal.

In an article in the New York Times (NYT), entitled “Atlanta Educators Are Convicted of Racketeering”, reporter Alan Blinder detailed the guilty verdicts handed down in an Atlanta state Superior Court this week where 11 of 12 defendants were convicted in a lengthy trial. Blinder wrote, “On their eighth day of deliberations, the jurors convicted 11 of the 12 defendants of racketeering, a felony that carries up to 20 years in prison. Many of the defendants — a mixture of Atlanta public school teachers, testing coordinators and administrators — were also convicted of other charges, such as making false statements, that could add years to their sentences.” Most stunningly, the trial judge “ordered most of the educators jailed immediately, and they were led from the courtroom in handcuffs.”

The school district’s top administrator Dr. Beverly Hall, channeling her inner Ken Lay, had the temerity to pass away during the trial so there was no finding as to her conduct. Unrepentant to end she said “she had done nothing wrong and that her approach to education, which emphasized data, was not to blame.” When interviewed back in 2011, Dr. Hall had said, “I can’t accept that there’s a culture of cheating. What these 178 are accused of is horrific, but we have over 3,000 teachers.”

Think about those two statements for a moment. They mimic the same tired excuses used by apologizers in the anti-corruption world. First it was only a small subset of those involved who actually broke the law. In other words, the oldie but goodie rogue employee(s) defense. It did have the notable exception that there were 178 roguies out there lying and cheating. But more than the rogue employee defense, she emphasized that she obtained results, the scores on the State of Georgia’s standardized tests for public schools improved dramatically under her watch. In the Foreign Corrupt Practices Act (FCPA) anti-corruption world that is the same as “we had to do it to compete” argument. It is equally as inane as the rogue employee defense.

Moreover, a State of Georgia investigation “completed in 2011, led to findings that were startling and unsparing: Investigators concluded that cheating had occurred in at least 44 schools and that the district had been troubled by “organized and systemic misconduct.” Nearly 180 employees, including 38 principals, were accused of wrongdoing as part of an effort to inflate test scores and misrepresent the achievement of Atlanta’s students and schools. Investigators wrote in the report that Dr. Hall and her aides had “created a culture of fear, intimidation and retaliation” that had permitted “cheating — at all levels — to go unchecked for years.” How is that for tone from the very top?

I bring you another example from a company I once worked at whose management locked themselves behind bolted doors on a floor in the building not accessible by any employees. And just in case someone did make onto this executive floor, there was an armed police presence as a last ditch security measure. The locked down top floor was after the following security measures were already in place: (1) you had to badge in to get into the parking garage, (2) building access was by card entry, (3) elevator access was by card entry, and (4) floor access was by card entry.

Why would senior executives barricade themselves behind such massive physical protection? Did they do this because crazed competitors were sending in assassins, because the company was so profitable and hence unassailable as a competitor? How about something more nefarious such as international hit squads roaming through international businesses in Houston, picking off key executives? Alas the explanation was not anything so exotic. With all of these security measures in place the reason was to keep mere mortal employees away from senior management. What type of message that does send to employee? Much like the one I had growing up, speak only when spoken to.

The point of all this is that tone does matter. Senior management must be committed and communicate its commitment to not only obeying laws but also complying with laws. In the FCPA world, that means you must have a compliance program in place that meets the Ten Hallmarks of an Effective Compliance Program as set out in the FCPA Guidance.

On a completely different note as a compliance practitioner, if you want to have a shot at some serious professional growth and you are in the Houston area, somewhere else in Texas or anywhere else in the South, I suggest you consider attending the FCPA Professor’s FCPA Institute, which will be held in Houston on Monday, May 4 and Tuesday, May 5. The Professor’s goal in leading this first Texas FCPA Institute is “to develop and enhance fundamental skills relevant to the FCPA and FCPA compliance in a stimulating and professional environment with a focus on learning. Information at the FCPA Institute is presented in an integrated and cohesive way by an expert instructor with FCPA practice and teaching experience.” Some of the topics, which will be covered, include the following:

• An informed understanding of why the FCPA became a law and what it seeks to accomplish;
• A comprehensive understanding of the FCPA’s anti-bribery and books and records and internal controls provisions and related enforcement theories;
• Various realties of the global marketplace which often give rise to FCPA scrutiny;
• The typical origins of FCPA enforcement actions including the prominence of corporate voluntary disclosures;
• The “three buckets” of FCPA financial exposure and how settlement amounts in an actual FCPA enforcement action are typically not the most expensive aspect of FCPA scrutiny and enforcement;
• Facts and figures relevant to corporate and individual FCPA enforcement actions including how corporate settlement amounts are calculated;
• How FCPA scrutiny and enforcement can result in related foreign law enforcement investigations as well as other negative business effects from market capitalization issues, to merger and acquisition activity, to FCPA related civil suits; and
• Practical and provocative reasons for the general increase in FCPA enforcement.

In other words, it is what you have come to expect from the FCPA Professor; well-thought out reasoned analysis, practical knowledge and learning, and provocative thinking and assessment. But this is also your chance to attend a two-day Institute with one of the most original thinkers in the FCPA space. The FCPA Institute will provide insights into the topics more near and dear to my heart as a ‘nuts and bolts guy’. In addition to the above substantive knowledge, FCPA Institute participants will gain in-demand, practical skills to best manage and minimize FCPA risk by:

• Practicing FCPA issue-spotting through video exercises;
• Conducting a FCPA risk assessment;
• Learning FCPA compliance best practices, including as to third parties;
• Learning how to effectively communicate FCPA compliance expectations; and
• Grading a FCPA code of conduct.

In addition, attorneys who complete the FCPA Institute may be eligible to receive those all-important Continuing Legal Education (CLE) credits. The sponsors, King & Spalding, will be seeking CLE credit in CA, GA, NY, TX and if needed in NC and VA. Actual CLE credit will be determined at the end of the program based on actual program time. Attorneys may be eligible to receive CLE credit through reciprocity or attorney self-submission in other states as well.

I hope that you can join the FCPA Professor for this FCPA Institute. I have previously said, “if the FCPA Professor writes about it you need to read it. While you may disagree with him, your FCPA perspective and experience will be enriched by the exercise.” I would now add to this statement that if the FCPA Professor puts on his FCPA Institute you should attend. Not only will you garner a better understanding of the theoretical underpinnings of the law and the plain words of its text; you will also be able to articulate many of the issues which befall companies caught up in a FCPA investigation to your senior management in a way that will help them understand the need for a robust compliance program.

To register for the FCPA Institute, or for more information, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015