FCPA Compliance and Ethics Blog

June 30, 2015

Another Great Bassist Gone and Tone at the Bottom


Chris SquireAs readers of this blog know, I am a huge fan prog rock fan. So it was with deep sadness and melancholy that I read Chris Squire passed away this weekend. He was a co-founder and bassist for the seminal rock group Yes. The band was one of founders of the musical genre known as ‘progressive rock’ or simply prog rock. According to his obituary in the New York Times (NYT) he was “the only member to have played on every one of Yes’s albums and participated in every one of its tours”. The NYT went on to say that “Mr. Squire’s propulsive and often melodic bass playing was a key element of the Yes sound. A self-taught virtuoso, he has been cited as an influence by many other rock bassists.”

I found some of the tributes from his former band mates to be the most touching and telling of Squire. Bill Bruford, the band’s original drummer, said in statement quoted in the article, “He had an approach that contrasted sharply with the somewhat monotonic, immobile bass parts of today. His lines were important; counter-melodic structural components that you were as likely to go away humming as the top line melody; little stand-alone works of art in themselves.”

Daniel Kreps, writing in Rolling Stone online, in an article entitled “Jon Anderson, Rick Wakeman Remember Yes’ Chris Squire”, quoted Yes co-founder Anderson for the following, “He was an amazingly unique bass player – very poetic – and had a wonderful knowledge of harmony. We met at a certain time when music was very open, and I feel blessed to have created some wonderful, adventurous, music with him. Chris had such a great sense of humor… he always said he was Darth Vader to my Obi-Wan. I always thought of him as Christopher Robin to my Winnie the Pooh.” Keyboardist Rick Wakeman was quoted in the same article “We have now lost, who for me, are the two greatest bass players classic rock has ever known. John Entwistle and now Chris,” Wakeman wrote. “There can hardly be a bass player worth his salt who hasn’t been influenced by one or both of these great players. Chris took the art of making a bass guitar into a lead instrument to another stratosphere and coupled with his showmanship and concern for every single note he played, made him something special.””

As most rock aficionados know, rock music is basically a dialogue between the bass guitar and the drums. With this base line set, the lead guitars and keyboards can go soaring off. That was certainly the formula for Yes. But as it really does not work unless the bass guitar lays the foundation for the entire band, I thought that a tribute to Squire might be a good way to visit one of the points of doing compliance not discussed often enough. While Tone-at-the-Top is almost ubiquitous, one thing not talked about consistently is the tone on the front lines of an organization. Even with a great ‘Tone-At-the-Top’ and in the middle, you cannot stop. One of the greatest challenges for a compliance practitioner is how to affect the ‘tone at the bottom’.

In a MIT Sloan Management Review article, entitled “Uncommon Sense: How to Turn Distinctive Beliefs Into Action”, authors Jules Goddard, Julian Birkinshaw and Tony Eccles looked at this issue when they explored the “often overlooked, critical source of differentiation is [a] company’s beliefs.”

One of the questions that the authors’ answer is: how to tap into this belief system? They posit a structured manner to obtain this information. By using these techniques, they believe that companies can rethink their “basic assumption and beliefs” and identify new directions for their organization. The authors listed seven approaches that they have used which I believe that the compliance practitioner can use to not only determine ‘Tone at the Bottom” but to impact that tone. They are as follows:

  1. Assemble a group. You need to assemble a group of employees who are familiar with the challenges of doing business in a compliant manner in certain geographic regions. Include both long-time employees and those who are relatively new to the organization. The authors also suggest that if you have any employees who have worked for competitors or for other organizations in your industry you include them as well.
  2. Ask questions. You should ask the members of this group to articulate their basic assumptions about your compliance model, about the management model, about your company’s business model and the future of the industry in general. Ask them to do this individually and not as a group.
  3. Categorize the responses. Now comes the work by the compliance practitioner or compliance team, as the authors believe that these assumptions will usually fall into two groups. The first is assumptions that everyone agrees upon, and these are the common beliefs. The second is those assumptions that only a few of the participants will identify – this is what the authors call the “uncommon beliefs”.
  4. Develop tests for common beliefs. For those beliefs that are labeled common – you should consider how you know these to be true? The authors caution that simply because the group may believe that the company operates in a common industry or that we “do it because it has always been done this way” is not necessarily a “hard fact.” Consider what check you could perform to verify the common belief that you desire to test. The authors note that the purpose here is to “identify the ‘common nonsense’ beliefs that everyone holds that are not actually hard laws of nature.”
  5. Develop tests for uncommon beliefs. Here the authors suggest that you need to consider why some people think that these beliefs are true. What is the information or experience that they have drawn upon? Is there any way for you to test these uncommon beliefs?
  6. Reassemble the original group. You should reassemble the original group and have them consider the beliefs that were articulated by them individually in the context of your compliance model and how both your company and your industry do business. Lead a discussion that attempts to identify any assumptions or beliefs that “are quite possibly wrong, but worth experimenting with anyway.”
  7. List of Experiments to perform. The authors believe that the outcome of the first six steps will be “a list of possible experiments [tests] to conduct” to determine the validity of the common and uncommon beliefs. These tests can be accomplished in the regular course of business, through a special project with a special team and separate budget. You should agree on the testing process and review your testing assumptions throughout the process. This process can and should take some time so do not set yourself such a tight time frame that it cannot be fully matured.

The bottom line is that not only must a company ‘talk-the-talk’ of compliance but it must also ‘walk-the-walk’ of compliance. Donna Boehme says that it’s really about the culture of compliance in your organization. Put another way, as Mike Volkov said, in an article entitled “Mood in the Middle Versus Tone at the Top”, “Even when a company does all the right things at the senior management level, the real issue is whether or not that culture has embedded itself in middle and lower management. A company’s culture is reflected in the values and beliefs that exist throughout the company.” You must find a way to articulate and then drive the message of ethical values and doing business in compliance with such anti-corruption laws from the top down, throughout your organization.

So thanks for the tunes and memories Chris while I Keep Calm and Listen to Prog Rock.

Keep Calm and Listen to Prog Rock

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

June 29, 2015

Bristol Palin, Abstinence and the Compliance Defense

AbstinenceToday Bristol Palin informs the debate on the efficacy of a compliance defense to the Foreign Corrupt Practices Act (FCPA). A noted expert on many areas around ethical behavior and family values, Ms. Palin was credited by Mary Elizabeth Williams in a Salon article, entitled “Bristol Palin’s pregnancy announcement is her coming out”, as being the “world’s least successful spokesperson for abstinence” when she announced last week, that, for the second time, she was pregnant out of wedlock. Ms. Palin had previously been a spokesperson for the Candie’s Foundation on, you guessed it, prevention of unwanted pregnancy through abstinence. How does Ms. Palin’s announcement inform the debate on a compliance defense to the FCPA? Quite simply, much like abstinence, the compliance defense is not effective if you say you have one but only if you are doing compliance.

This rather sad fact that although both abstinence and a compliance defense are simple in concept but perhaps not easy to accomplish in the real world was further driven home last week in a Wall Street Journal (WSJ) article by Joel Schectman, entitled “Russian Uranium Probe Reaches Into Small-Town Ohio”, where he reported that “A widening U.S. bribery probe involving Russian uranium has reached from Moscow to a company in the heart of America’s Rust Belt. U.S. authorities are investigating whether an executive in Bremen, Ohio—a rural community with about 1,500 residents roughly 40 miles southeast of Columbus—bribed Russian energy officials to win his company millions of dollars in contracts to supply shipping containers for uranium, according to people familiar with the matter.”

The rather amazing thing about this report is not that bribery and corruption had occurred in the past century or even the past decade but that bribery is reported to have begun in 2011 by Westerman Company and continued at least through 2013 after the entity was acquired by Worthington Industries Inc. Indeed the article identifies the company executive “Barry Keller, a Bremen native who has spent more than three decades at Westerman, working his way up from the shop floor to senior management” as the person involved in paying the bribes. Further, it does not even appear that the bribery scheme itself was too sophisticated or unique. According to Schectman, it involved paying a Russian middleman who “arranged for the bribe payments to be channeled through a maze of secret accounts in Cyprus, Latvia and Switzerland, where they were collected by higher-ranking officials at Rosatom, Tenex’s parent.” The bribes were funded via “5% of a Westerman contract, and would be paid through a consulting invoice”.

Keller’s involvement brings up a key reason why I think having a compliance defense will not increase the doing of compliance. He was the head of the company and then head of the business unit. Is it really possible that a company that did business internationally, with a foreign state owned enterprise and was a US public company did not understand that it needed to have a FCPA compliance program in 2011? Even aside from the fact that the bribery is alleged to have begun when Westerman was an independent entity, did Worthington bother to perform any pre-acquisition due diligence in the FCPA arena when they purchased Westerman in 2012? If Worthington did bother to engage in any pre-acquisition due diligence prior to buying Westerman, how about when it integrated the newly acquired entity into its ongoing compliance program, trained Westerman employees and performed a full FCPA forensic audit of Westerman as surely it identified Westerman’s sales to “Tenex, part of state-owned Russian nuclear company Rosatom” as potentially high risk?

From Schectman’s article it does not appear that Worthington determined internally that there was any FCPA violation in its operations as he quotes the company’s General Counsel (GC), Dale Brinkman, for the following statement “We first learned of [the investigation] in November, and we are fully cooperating with the Justice Department.” That does not sound much like a company that has appropriate internal controls or keeps books and records in accordance with public accounting requirements under the FCPA. But as with abstinence, saying you engage in it is easy.

I think the lesson to be learned from the Worthington matter, and the clarion call for a compliance defense appended to the FCPA, is that adding a compliance defense to the FCPA will not increase compliance with the FCPA. Corporations take their lead from the top on their priorities. If there is not senior management desire to do business in compliance, it does not matter what the benefits of having a compliance defense bring. In 2015, if a company is doing business outside the US with foreign government officials or officials of state owned enterprises, someone in the business, i.e. their lawyers, their auditors or their Board of Directors, knows that they must do business in compliance with the FCPA. I would argue that it was just as well known in 2011 when Westerman Companies is alleged to have begun its bribery scheme. Having a compliance defense will not help drive compliance if the business owner, business leader or senior management is not committed to doing business in compliance with the FCPA.

For even if such a company does institute a compliance defense, it is the doing of compliance which makes a compliance program effective, not having a written program. A key is how a company incentivizes conduct. For doing compliance in any effective way, a company must commit time and resources to the effort. No ‘out of the box’ solution will allow a company to do compliance because the doing of compliance means dealing with an intersecting matrix of employees, technology and third parties. This means that there must be money spent on compliance. In addition to the resource issues, if the company bases its salary, compensation and benefits to employees solely or even largely on sales only; that is what will be emphasized in a company. If, however, there are incentives built into the compensation structure, it will emphasize the importance of the doing of compliance in the day-to-day work of a company.

Bristol Palin has announced she does not want to be ‘lectured’ about her current pregnancy. Maybe her unique intellect has allowed her some insight into the irony of her situation (or then again perhaps not). However she was right about one thing. If you want to ensure that you do not get pregnant, abstinence is about the best way to do so. But abstinence only works if you are doing abstinence, not simply saying you are abstinent. The same is true for adding a compliance defense to the FCPA. A compliance defense only works if you are doing compliance.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

June 26, 2015


Filed under: Brazil,Clean Companies Act,Raphael Gomes — tfoxlaw @ 12:01 am

IMG_3310Ed. Note-it is always gratifying and a little flattering when someone else uses your mantra. So when today’s Guest Post author sent me a blog with ‘Document Document Document’ in the title, I was sold. Today Raphael Gomes, from the law firm of Chediak Advogados, discusses the need for documentation under the Brazilian Clean Company Act. 

It was only 14 months after Law No. 12.846/2013, Act, entered into force that Brazil finally issued regulations regarding its corporate anti-bribery statute, the so-called Clean Company Act. President Dilma Rousseff issued Decree No. 8.420/2015 on March 18th, which provides for further regulations around the Clean Company Act, with focus on 5 areas: (i) procedural rules for the administrative enforcement of the Act against organizations; (ii) calculation of the penalties; (iii) leniency agreements; (iv) integrity (compliance) programs; and (v) sanctioned, banned, or restricted companies lists (CEIS and CNEP).

As to anti-bribery compliance programs, referred to as integrity programs under the Clean Company Act, the Decree defines the 16 elements of a complete program that will be taken into account in its evaluation by the enforcement authorities, which we have outlined in our post “Compliance Programs under the Brazilian Clean Company Act.

About a month after the Decree was issued, the Federal Comptroller’s Office (Controladoria-Geral da União – CGU), the administrative body responsible for enforcing the Clean Company Act at the federal administration level, issued additional regulations regarding (i) the process for evaluation of the investigated company’s compliance program (Reg. 909 – Portaria CGU nº 909); (ii) procedural rules for the administrative enforcement proceeding or “PAR” (Reg. 910 – Portaria CGU nº 910); the rules for determining the company’s annual gross revenues for calculation of the monetary fines (CGU IN 01/2015); and (iv) the rules around the government’s restricted parties lists CEIS and CNEP (CGU IN 01/2015).

Pursuant to Article 18 of Decree 8420, a company that demonstrates to have a robust, effective compliance program in place shall receive a reduction in the monetary fines of up to 4% of the company’s gross annual revenues for the year preceding the opening of the PAR. This is the major mitigation factor under the Brazilian anti-bribery statute, twice as valuable as voluntary disclosure, and potentially three times as valuable as cooperation. In practice, in some cases the credit for a company’s compliance program may represent a discount of more than 99% of the monetary fine, lowering it to 0.1% of the gross annual revenues, the minimum fine allowed under the Clean Company Act.


Reg. 909 is of particular interest to the Compliance professional, for it provides guidance as to how the investigated company’s compliance program is to be evaluated by the Brazilian Federal authorities, for determining the percentage of credit the company is entitled to. It is a real eye-opener and makes us realize how global compliance and anti-bribery laws and best practices are becoming more and more aligned. Tom Fox constantly reminds us of his mantra: Document, document and document. Well, it looks as though Brazilian enforcers, particularly the CGU, have been reading Tom’s blog and have taken this mantra of his to heart.

In Reg. 909 the CGU sets forth that programs will be evaluated having two basic documents prepared by the company (the Profile Report and the Program Conformity Report) as the basis and starting point for their review. It further provides for that the company shall produce evidence that the program works and is a part of the company’s routine, and demonstrate how the program has worked to help the company prevent, detect, and remediate the very misconduct that is the object of the enforcement action.

The Profile Report should describe:

  • the industry sectors and geographies in which the company operates;
  • organizational structure, including internal hierarchy, decision-making process, boards, departments, and divisions;
  • the number of direct and indirect employees;
  • touch points with the government (national or foreign), highlighting:
  • the importance of licenses, permits, or authorizations to its activities,
  • the quantity and value of contracts with the government, and
  • the frequency and relevance of the use of third party intermediaries in its interactions with the government;
  • equity interests relating to subsidiaries, controlled, parent, and affiliated companies, as well as to JVs or consortia. 

Regarding the Conformity Report, Article 4 of Reg. 909 provides for that the legal entity shall provide information on the structure of the program, describing what elements of the program (listed on Article 42 of Decree 8420) where implemented, how they were implemented, and explaining the importance of the implementation of each element vis-à-vis the company’s peculiarities, as per the Profile Report .

The effectiveness of the company’s program may be evidenced by means of official documents, e-mails, written correspondence, statements, internal memos, minutes of meetings, reports, manuals, computer screen shots, video and audio recordings, photographs, purchase orders, invoices, accounting records, or any other documents, preferably in digital format.

Apparently, the Brazilian enforcers expect the companies to heavily invest in documenting all they can about their compliance programs, and intend to rely on document review for most of the process of evaluation of a company’s program. Not only does Reg. 909 require for the two reports mentioned above to be submitted along with the company’s administrative defense, but it also makes it crystal clear that being able to provide complete, clear, and organized documentation to demonstrate the effectiveness of the program will be key for companies to secure credits that may add up to four percent of a company’s annual revenues.

In paragraph 2 of article 4 of Reg. 909, the CGU expressly lists documents that should be created, copied, archived, retrieved, and submitted to the authorities in an organized fashion, in digital format, in case of an investigation.


The Brazilian Clean Company Act lists many conducts that are regarded as harmful to the public administration, which conducts include, inter alia, fraud and related misconduct involving government procurement, obstruction of government inspections or investigations, and, of course, bribery. The Act provides for strict liability for companies that benefit from violations, which renders it more likely than it was before the law passed for any company to be faced with investigations of potential violations, be it for conduct of its own employees or that of its third party intermediaries.

In such an environment, it is natural for companies not only be willing to put a robust compliance program in place, to prevent, detect, deter, and remediate instances of wrongdoing, but also to wish to secure the maximum credit of 4% when facing an enforcement action, in case all else fails.

Upon being notified by the enforcement authorities of the investigation, with the opening of the PAR, the company shall have a window of 30 days to submit the defense (article 16 of Reg. 910), including the defense arguments and evidence relating to the concrete facts and merits of the case. The defense shall also include the Profile Report, the Program Conformity Report and all the supporting documentation.

What one should look to avoid is that, in the middle of a perfect storm, in which the company’s compliance and legal professionals will have to deal with managing the crisis, interacting with the company’s PR and Investor Relations teams, informing all stakeholders, on a daily or weekly basis, of the issues at hand, the defense strategy, action plan and progress, with a very limited window of time to gather all information they can about the specifics of the case and prepare a defense, is to have to dedicate time, resources, and efforts to tasks that could have been dealt with in advance, under no time pressure.

We would therefore deem it advisable for companies operating in Brazil to prepare and have in their files, ready for submission at any time, both the Profile Report and the Program Conformity Report, along with all the evidence they can gather in advance, in an organized manner and in digital format, evidencing the effectiveness of its program. It is the Compliance Officer’s responsibility to work with the IT department to ensure that the company has a document archive and retrieval process in place to guarantee that documentation pertaining to the compliance program is safely stored in one centralized repository.

Your compliance program, documented and presented in a complete, clear, and organized manner, along with evidence of its effectiveness, may be worth up to 4% of your company’s annual revenues. Make sure you are ready to earn it.

And remember:

What does Thomas Fox say? Document, Document, and Document.


Rafael Mendes Gomes is the partner in charge of compliance and anti-bribery at Chediak Advogados, with offices in São Paulo and Rio de Janeiro, Brazil. The firm offers legal assistance to both Brazilian and international clients across different industries and business sectors.


You can access Chediak Advogados Compliance and Anti-bribery web page here.

June 25, 2015

Custer’s Last Stand and Risk Management

Custer's Last StandOn this day in 1876 one of the greatest failures in risk management took place when Lieutenant Colonel George Armstrong Custer and his entire 7th Cavalry were wiped out at the Battle of the Little Big Horn. Custer had split his command into three wings and he took his battalion of 200 or so men down the center of what he thought would be little resistance. Instead he found that he was facing a far superior force of 3000 largely Sioux warriors who quickly overwhelmed and defeated Custer’s command, with all US troops being killed. There is now some debate on whether all the cavalrymen were actually killed by the Native Americans or took their own lives, saving the last bullet for themselves, in western parlance.

Historians have debated over time the reason for Custer’s defeat. Was it arrogance; bad intelligence; faulty command, just plain stupidity or even a wish for martyrdom by Custer? Whichever the cause, it was the worse defeat of the US Army by Native Americans in the Western campaigns of the later 1800s. Today, it might be termed as a faulty assessment and management of the risks involved.

I thought about Custer and his defeat when I read a recent article in the Harvard Business Review (HBR), entitled “Strategy How to Live With Risks. It presented risk, risk assessments and risk management in a new light, a key acumen being that risk management should be used as a “protection shield, not an action stopper.” It was based upon a research paper by the CEB, entitled “Reducing Risk Management’s Organizational Drag”, which I thought it had some interesting insights for the Chief Compliance Officer (CCO) or compliance practitioner.

The first insight is that, in many instances, companies are assessing risks that are in the rear-view mirror. The author pointed to the Sarbanes-Oxley (SOX) Act, passed in response to the Enron and Worldcom accounting scandals in noting, “In the wake of the 2008 financial crisis many large banks changed their business models, and other companies implemented systems to better manage credit risks or eliminate overreliance on mathematical models.” This type of mentality can lead to what the author says, is “a variation on what military historians call “fighting the last war.” As memories of the recession fade, leaders worry that risk management policies are impeding growth and profits without much gain.” The author went on to quote Matt Shinkman of CEB, a member based advisory company, for the following insight “Firms are questioning whether the models they put in place after the financial crisis are working—and more fundamentally questioning the role of risk management in their organizations.”

This retrospective look back is coupled with what the author says is a decision making process which “is too slow, in part because of an excessive focus on preventing risk” and not managing risk; in other words, companies were slowed down even further by something termed “organizational drag”. Companies need to find new mechanisms to assess and manage risk going forward. The best way to do so, many companies have indicated, is through reorganizing or reprioritizing risk management and the article presented “three best practices” in doing so.

Strike the Right Balance Between Risk and Reward

Recognizing that risk management is often simply ‘just saying no’, the HBR articcle suggests that “Today’s risk managers see their role as helping firms determine and clarify their appetite for risk and communicate it across the company to guide decision making. In some cases this means helping line managers reduce their risk aversion.” The interesting insight I found here is that if an asset is low performing it may be because the management is so risk averse. This may present a CCO or compliance practitioner with an opportunity to increase growth through other risk management solutions that they could implement.

Focus on decisions, not process

This insight is one that CCO and compliance practitioners should think about and try and implement. Recognizing that risk assessments are important, the author believes that risk managers should focus more on decisions concerning risk rather than the process of determining risk. This means, “In addition to relying on paperwork or process, risk managers are turning to tools (such as dashboards that show risks in real time) and training that help employees assess risk. They are also helping companies factor a better understanding of risk into their decision making.”

By having a seat at the senior management’s table, a CCO or compliance practitioner can help identify risk issues early on in planning. This allows a COO to help craft a risk management solution, or even better yet show colleagues how to “spot potential problems and managers see how their projects fit into the company’s overall portfolio of projects, each with its own set of risks.” The author again quoted Shinkman, “This is less about listing risks from a backward-looking perspective and more about picking the right portfolio of risky projects.”

Make employees the first line of defense

The author channels his inner Howard Sklar (water is wet) by stating, “Decisions don’t make themselves, people make them”. However from that insight, the author believes that “smart companies work to improve employees ability to incorporate appropriate levels of risk when making choices.” But this means you must not only adequately train your employees to spot the appropriate risk but you, as CCO must provide them with tools to manage the risk. The author wrote, “Companies are also trying to identify which types of jobs or departments face a disproportionate share of high-risk decisions so that they can aim their training at the right people. They’re focusing that training less on risk awareness and more on simulations or scenarios that let employees practice decision making in risky situations. Finally, risk managers are becoming more involved in employee exit interviews, because people leaving an organization often identify risks that others aren’t able or willing to discuss.”

The article ends by noting that the goal is “to transform risk management from a peripheral function to one with a voice integrated into the day-to-day management” of an organization. That is also viewed as a component of CCO 2.0 and a more mature model of improvement. By focusing on training employees on how to spot Foreign Corrupt Practices Act (FCPA) compliance risks and then providing them with the tools to adequately manage that risk, CCOs can deliver greater value.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

June 24, 2015

Pink Flamingos and the Compliance Audit

FeatherstoneThe creator of one of the most ubiquitous symbols of mid-century Americana died earlier this week. Don Featherstone, the creator of the pink plastic lawn flamingo, the ultimate symbol of American lawn kitsch, has died. He was 79. Featherstone, a trained sculptor with a classical art background, created the flamingo in 1957 for plastics company Union Products, modeling it after a bird he saw in National Geographic. Millions of the birds have been sold. Whether you think of the Pink Flamingo as a symbol of Miami Vice, Jon Waters and Devine or for something less salacious, here is to Featherstone, a true original.

While Featherstone created one of the ultimate symbols of the second half of the 20th century for a generation of South Floridians, the Japanese company Takata Corporation (Takata) continues to be in the news for much less prestigious reasons. As reported in the New York Times (NYT), in an article entitled “Senate Panel Says Tanaka Cut Audits on Safety”, Hiroko Tabuchi and Danielle Ivory said “In the middle of what would become the largest automotive recall in US history, the Japanese airbag manufacturer Takata halted global safety audits to save money”. Interesting (or perhaps ominously might be a better word) Takata responded by saying it had not halted safety audits for products but rather for worker safety. Doesn’t that give you some comfort?

A US Senate committee report found that “Takata halted global safety audits at its manufacturing plants in 2009, a year after Honda had started recalling a small number of cars to replace the airbags.” These audits were later restarted in 2011 but when they found safety issues related to airbag manufacturing in two key plants, “those findings were not shared with Takata’s headquarters in Tokyo, the report said, citing internal emails from Takata’s safety director at the time.” Moreover, “when the safety director returned to the plant months later to conduct a follow-up audit, employees appeared to scramble to create the appearance of a safety committee within the plant.” Finally, and perhaps most damningly, the report cited an internal Takata email which said, “No safety committee, as such, has been formed” at the plants in question.

Foreign Corrupt Practices Act (FCPA) compliance in many ways follows some of the paths laid out by corporate safety departments some 20-30 years ago when safety became much more high profile in US corporations. The safety committee and safety audits became mainstays of any best practices in the area of safety for a company. These techniques inform any anti-corruption best practices compliance program, either under the FCPA, UK Bribery Act or any other anti-corruption regime. Indeed audits are specifically delineated in the FCPA Guidance as a way to assist in the continuous monitoring of your compliance regime. Such an audit can be thought of as a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which the compliance criteria are fulfilled. There are three factors which are critical and unfortunately with Takata seemed to be lacking in its safety audit protocol: (1) an effective audit program which specifies all necessary activities for the audit; (2) having competent auditors in place; and (3) an organization that is committed to being audited.

Auditing can take several different forms in an anti-compliance program. As a matter of course, you should audit the compliance program in your own organization. A forensic audit can collect and analyze accounting and internal-controls evidence in your compliance regime. This information can be used to produce a fact-based report that can inform the decision-making process in inquiries, investigations and dispute resolution. The by-products of a forensic audit can include remediation strategies to help a company mitigate and remedy procedural or internal-controls gaps that allowed the underlying issue to occur. Further, an internal audit can review a compliance process to determine if employees are following prescribed processes or internal controls, in an operational Sarbanes-Oxley (SOX) or FCPA compliance audit.

In addition to the collection and analysis of evidence, an auditor’s objective is to attest to the credibility of assertions that are under examination, such as the material accuracy of financial statements for which the audited company’s management is responsible. Obviously one of the functions of such an audit is to determine if further investigation is warranted.

Now imagine if this scenario had been followed by Takata. The lack of a safety committee is a glaring omission at any manufacturing facility. Simply noting this and reporting it up the chain could have gone some way towards preventing the situation the company now finds itself in; with a worldwide recall of up to 32 million vehicles. The same is true for a compliance audit. Just as monitoring can provide information to you on a more real-time basis; a compliance audit compliments this real-time oversight with a much deeper dive into what has happened on a historical basis.

The recent BHP Billiton FCPA enforcement action is certainly one to look at in this context. Although there was a committee set up to review gifts and travel requests for the company’s 2008 Olympic hospitality program, the committee did not fulfill this charge. It was alleged in the Securities and Exchange Committee (SEC) settlement documents that this committee was never intended to pass muster on the applications for tickets and travel for government officials but was simply there to provide guidance.

Once again this situation points out the difference between having a paper compliance program in place and the actual doing of compliance. Even with an appropriate oversight structure in place BHP Billiton did not do the work of compliance by evaluating the applications for travel and tickets to the Beijing Olympics but left it to the devices of the business unit employees who were making the requests and ultimately most directly benefited from the gifting.

Another area ripe for audit in your compliance program is your third parties. While there is no one specific list of transactions or other items which should be audited when it comes to your third parties below are some of the areas you may wish to consider reviewing:

  • Contracts with supply chain vendors to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party vendor.
  • Review the FCPA compliance training program for any vendor; both the substance of the program and attendance records.
  • Does the third party vendor have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous, hotline or any other reporting mechanism.
  • Does the third party vendor have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review expense reports for employees in high risk positions or high risk countries.
  • Testing for gifts, travel and entertainment which were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party vendor’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report? How is the third party vendor’s compliance program designed to identify risks and what has been the result of any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party vendor.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

The compliance function still is behind the safety function in terms of maturity. Because of this there are many lessons which a Chief Compliance Officer (CCO) or compliance practitioner can draw upon from our colleagues in safety. The safety audit is certainly a technique that can be drafted into your compliance program. But as the ongoing Takata air bag debacle demonstrates, your audit only works if you actually perform it. In other words, the protocol is simple, everyone understands you need to audit, but try and cut costs or corners and you will pay for it in the long run.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

June 23, 2015

Fraud and the Detection of the Sources for Bribery


Detection of FraudIn a recent White Paper authored by Peter Smith for OFS Portal, entitled “Procurement and Fraud in the Supply Chain”, where he examined “fraud linked to procurement and supply chain activities.” Smith focuses on where fraud can occur in the procurement process. From this starting point, he suggests “mitigating actions that organisations can take to protect themselves against fraud.” I found this article to be an excellent review of Supply Chain (SC) activities which the Chief Compliance Officer (CCO) or compliance practitioner could put to good use in reviewing their company’s Foreign Corrupt Practices Act (FCPA) anti-corruption and anti-bribery regime.

A. The Problem – How Does Fraud Happen?

Smith starts by classifying fraud in way which will assist the reader in understanding how it occurs. He believes there are “three critical factors to consider: the perpetrator(s), the plan and the point of failure.” The perpetrator is the one “behind the fraud and either executes it directly or through others.” In the anti-corruption world of the FCPA, this can be through an agent or a supplier who is working to help execute the fraud.

Interestingly, in the area of these third parties (and hence the greatest area of risk for FCPA compliance practitioners to consider) Smith notes that “The plan and point of failure factors are linked in that often the plan relies on the point of failure. In other words, most frauds take advantage in some weakness in the process, technology, policy or systems of combination of those.” Smith writes that there are three key phases “in the procurement life-cycle that can be considered; (1) the supplier selection phase; (2) the contract negotiation and award phase; and (3) the contract delivery management phase.”

Phase I – Supplier Selection and Qualification

This phase should be well known to the compliance practitioner as a part of the third party life-cycle management step denominated as due diligence. But Smith asks that you consider factors other than simply whether someone is on the Denied Parties List (DNP) or is a Politically Exposed Person (PEP). He suggests that you consider misrepresentation by the third party in the nature of “concealing the true nature of its business, history or ownership when it bids for the work.” He also points out that through collusion and cartels, persons or entities can work to control a market. If you did any work with Petrobras over the years, you will certainly recognize that many if its approved suppliers operated in this manner. Given what we now know about how corrupt Petrobras was, this is not too surprising.

But Smith also suggests that employees may be involved in skewing the selection process towards a corrupt agent or other partner. He recommends reviewing the bid process to see if there was bias in the competition, which would push an otherwise arms-length award to a corrupt partner. This could occur through biased competition through specification, where an employee would “construct a specification that makes it likely or inevitable that a particular supplier will win the competitive process.” The next is biased competition through tailoring the evaluation process which gives weight to the specific strengths of a corrupt third party. Finally, Smith points out that there can be biased competition through information leakage when a company employee will leak confidential information to a third party to give them an advantage in the bidding process.

Phase II – Contracting

Smith says the “next critical point at which fraud can take place is during the contract negotiations and in agreeing the detailed terms and conditions.” Moreover, Smith believes this stage is critical if often overlooked because “the seeds are often sown at the contracting stage.” Scenarios can include where there is a certain level of ‘local content’ required “but without any clear contractual mechanism to explain how it will be measured or policed.” As any CCO or other FCPA compliance practitioner would recognize, local content is one of the easiest ways to get into FCPA high risk so managing that risk is critical. I found Smith’s concern with setting out the clear legal terms and conditions around any such requirement as a good way to manage the high risk.

Phase III – Contract Delivery and Management

Here Smith laid several different fraud schemes which could facilitate a bribery plan. The first is fake invoices which can rely on “poor processes within an organisation” to spot. However this scheme can also rely on a company insider to approve such fabrications. Next is “volume over-invoicing”. In this scheme, while a supplier does supply some goods or services, the invoice is raised for more than has been delivered. If there is a scheme to create a pot of money to be used to fund bribes, there will need to be an internal company accomplice to “smooth the way by authorizing receipts or invoices.” Next there is “price-related over-invoicing” the third party will over-price the goods or services, above what is allowed under the contract. Another scheme set out by Smith is “invoice diversion” where “a legitimate payment that should go to a certain supplier is diverted to a third party fraudulently.” Another scheme can simply be to ease the contract terms and conditions which allow the third party to receive a benefit with nothing in return being delivered back to the company. Finally, there is what Smith details as one of the “toughest frauds to detect”, that being the delivery of lower quality products than is contractually specified.

B.The Solution – How to Reduce Fraud

Smith believes that fraud prevention can be built around a troika of concepts. (1) You need to have “effective procurement and spend management policies in place. (2) You must “use appropriate and robust processes”. (3) Finally “applying the right technology to support and manage those processes.” In his paper he followed the same outline on how to reduce the instances of fraud.

Phase I – Supplier Selection and Qualification

While a clear procurement policy is the starting point, it is only the starting point. Having a transparent process is important as well as adequate supplier qualification details. He notes that multiple sign-offs should be in place to ensure that one person does not control the entire process. This should also be incorporated into the communications trail with the competitors to ensure that no one third party receives confidential information. Obviously an appropriate level of due diligence should be applied to confirm that not only are the third party’s who they represent themselves to be but that they are also qualified to do the work or deliver the services. Finally, there should be controls around onboarding “so that firms who are actually going to be suppliers go through more rigorous checks before they are accepted onto” the Vendor Master List.

Phase II – Contracting

Obviously the starting point for any business relationship should be a well-drafted contract. However, for larger organizations Smith believes that “a contracts database or contract lifecycle management system is essential.” To the greatest extent possible there should be standard compliance and legal terms and conditions, coupled with an “appropriate level of sign-off and approvals management for contracts.” Finally, segregation of duties (SOD’s) “to make sure that there are checks and balances and that no one person holds too much power in the process.”

Phase III – Contract Delivery and Management

As I often say in the lifecycle management of third parties, the real work begins when the contract is signed. Smith believes that many of the routes of fraud, “can be closed off by taking a few precautions” which include some of the following steps. First and foremost is “no purchase order, no pay” but this also means there should be an invoice from the vendor which is matched to the contract for accuracy. Once again checks and balances, SOD’s for sign-offs and approvals must be built into your payment system. There should be controls around changes to the contract and, more importantly, changes to any payment details. Lastly, ongoing oversight and monitoring through controls analytics and auditing should be employed on the back end to verify delivery of goods or services.

I found Smith’s White Paper to be an excellent review for the CCO or compliance practitioner around not only the mechanism of how fraud occurs but a review of the techniques for fraud prevention. While his concepts may seem like a review for the compliance practitioner, it also allows you to think through how corruption might take place in your organization. The briber has to get the money from some source and Smith’s White Paper can give you insights on where you might look.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015


June 22, 2015

George Carlin and Erga Omnes: the Petrobras Bribery Scandal Expands

George CarlinOn this date in 2008 George Carlin died. If you grew up in the late 1960s or early 1970s and you had anti-parental or anti-establishment inklings, which of course all teenagers do, you knew about George Carlin. In the early 1960s, Carlin was a relatively clean-cut, conventional comic. But around 1970, he reinvented himself as an eccentric, biting social critic and commentator. In this new incarnation, Carlin began appealing to a younger, hipper audience. He grew out his hair and added a beard together with a wardrobe in the stereotypically hippie style.

Carlin’s comedy also became counter-culture, not Cheech and Chong, hippy-dippy dopers, but with pointed jokes about religion, politics yet with frequent references to drugs. His second album with his new routine, FM/AM, won a Grammy Award for Best Comedy Recording. My favorite cut was the 11 O’Clock News. But it was his third album Class Clown that had, what I believe, to be the greatest comedy monologue ever, the profanity-laced routine “Seven Words You Can Never Say on Television.” When it was first broadcast on New York radio, a complaint led the Federal Communications Commission (FCC) to ban the broadcast as “indecent.” The US Supreme Court later upheld the order, which remains in effect today. The routine made Carlin a hero to his fans and got him in trouble with radio brass as well as with law enforcement; he was even arrested several times, once during an appearance in Milwaukee, for violating obscenity laws.

Interestingly I thought about Carlin and his pokings of the Establishment (AKA The Man) when I read several articles over the weekend about the recent spate of arrests around the Petrobras bribery and corruption scandal. In article in the Wall Street Journal (WSJ), entitled “Brazil Probe Sweeps Up Corporate Magnates” Will Connors, Rogerio Jelmayer and Paul Kiernan reported that “Brazilian officials arrested the heads of two Latin American construction giants, alleging they helped to mastermind a cartel that stole billions of dollars from state-run oil company Petrobras with the help of corrupt politicians to whom they paid kickbacks.” Also arrested with the heads of the two companies, Marcelo Odebrecht, head of Odebrecht SA and Chief Executive Officer (CEO) of Andrade Gutierrez, Otávio Azevedo.

The WSJ article reported that “Odebrecht is Latin America’s largest construction conglomerate, with business in the U.S., Europe and Africa, and whose head, Marcelo Odebrecht, is a household name in Brazil. Andrade Gutierrez has business in 40 countries. The privately owned companies are deeply involved in the development of stadiums and infrastructure for the 2016 Summer Olympics in Rio de Janeiro.” Moreover, Odebrecht is reported to have “a presence in 21 countries”. Obviously a question is if the company had engaged in bribery and corruption in Brazil, did they do so in any of the other countries in which they are doing business?

Interestingly, these arrests “come months after the heads of other construction companies were detained by Brazilian authorities.” Indeed in a BBC article in , entitled “Petrobras scandal: Top construction bosses arrested in Brazil”, David Gallas said, “Odebrecht had been named by former Petrobras executives as one of the companies that allegedly paid bribes in exchange for contracts with the oil firm, but until now the firm had not been targeted by investigators.” The WSJ article quoted Brazilian prosecutor Carlos Fernando dos Santos Lima who said at a news conference that the executives from the two companies had not been arrested earlier as the entities, “had a more sophisticated system for making the alleged bribe payments, using foreign bank accounts in Switzerland, Monaco and Panama, so it took longer to prove their case.” David Fleischer, a Brasilia based political analyst, quoted in the WSJ article was even more circumspect. He said, “The prosecutors are very careful. If you’re going after big fish you want to make sure you can take them down.”

Brazilian police said the arrests were “Erga omnes” which the WSJ translated from Latin as “towards all”. I thought about that statement in light of the ongoing debate about enforcement of the Foreign Corrupt Practices Act (FCPA) here in the US. On one side is the Chamber of Commerce and their allies who raise the ever-burgeoning cry that the Department of Justice (DOJ) needs to prosecute the invidious ‘Rogue employees’ who violate the FCPA. You will notice they never want the DOJ to look at the executives who might facilitate payment of bribes in the first place; whether through faux commitment to doing business in compliance, failing to properly allocate resources to compliance and ethics, simply rewarding those employees who git ‘er done no matter what the circumstances or (my favorite) putting a paper program in place and calling it a best practices compliance program.

Indeed those progenitors of relaxed enforcement want the DOJ to back off and let them do business the old fashioned way. However, if the bribery and corruption news from the first half of this year has told the world anything, it is about the dire effects of allowing such illegal conduct to take place and warning against slacking off laws which mandate doing business without bribery and corruption. In another WSJ article, entitled “Roots of a Brazilian Scandal That Weighs Heavily on the Nation’s Economy, Politics”, Marla Dickerson noted, “The scandal has crippled Petrobras, Brazil’s largest and most important company. In late April, the company wrote off more than $16 billion related to losses from graft and overvalued assets. The company’s woes have all but paralyzed the nation’s oil and gas sector. Hurt by slumping oil prices and strapped for cash, Petrobras has slashed investments, sparking a wave of credit downgrades, bankruptcies and layoffs among its suppliers that the weighed on Brazil’s economy.”

I wonder what George Carlin might have thought about all of this. He might have said that what else would you expect but I am relatively certain he would have done so while also sticking his thumb in the eye of The Man. 

For a YouTube version of the 11 O’Clock News, click here.

For a YouTube version of the 7 words you can never say on television, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015


June 19, 2015

Tribute to John David Crow and an Innovation Strategy for Your Compliance Program

John David CrowJohn David Crow died Wednesday. Until Johnny Football, he was the only football player from Texas A&M University to win the Heisman Trophy. He played under the legendary Paul ‘Bear’ Bryant at A&M and for all of Bryant’s success, Crow was the his only player to win the award given annually to the nation’s best collegiate football player. Crow had a productive professional football career making the Pro-Bowl four times. He was also the Athletic Director at A&M from 1989 to 1993. So here’s to John David Crow, one of the Junction Boys and one of the greatest players in the history of Texas A&M. Finally, let me say something I almost never say, Gig ‘Em, John David.

I thought about John David Crow and his legacy of greatness when I read an article in the June issue of the Harvard Business Review (HBR), entitled “You Need an Innovation Strategy”, by Gary P. Pisano. While Pisano’s article dealt more generally with innovation in marketing, I found it highly relevant for the Chief Compliance Officer (CCO) or compliance practitioner, particularly in the context a Foreign Corrupt Practices Act (FCPA) compliance program. Earlier this week, the Department of Justice (DOJ) announced the resolution of a FCPA investigation involving IAP Worldwide Services, Inc. (IAP) via a Non-Prosecution Agreement (NPA). In the NPA, the company committed to implementing and enhancing a best practices FCPA compliance program. Listed at element 18 of its compliance program is the following: “The Company will conduct periodic reviews and testing of its anti-corruption compliance code, policies, and procedures designed to evaluate and improve their effectiveness in preventing and detecting violations of anti-corruption laws and the Company’s anti-corruption code, policies, and procedures, taking into account relevant developments in the field and evolving international and industry standards.”[Emphasis supplied]

This means that the DOJ expects innovation in your compliance program to keep up with evolving international and industry standards. This requires you to implement an innovation strategy. While Pisano’s article does not specifically focus on compliance, I found that its concepts would help a CCO or compliance practitioner sustain the mandate for innovation in a compliance regime. Pisano’s article begins by stating the problem that many companies face is that “innovation remains a frustrating pursuit.” While acknowledging that failure to execute is an issue, Pisano believes the issue is deeper than simply a failure to execute, he believes there is a “lack of an innovation strategy.”

I found some of his basic definitions most useful for the compliance practitioner to think through innovation in the compliance function. Pisano wrote, “A strategy is nothing more than a commitment to a set of coherent, mutually reinforcing policies or behaviors aimed at achieving a specific competitive goal. Good strategies promote alignment among diverse groups within an organization, clarify objectives and priorities, and help focus efforts around them. Companies regularly define their overall business strategy (their scope and positioning) and specify how various functions – such as marketing, operations, finance, and R&D – will support it. But during my more than two decades studying and consulting for companies in a broad range of industries, I have found that firms rarely articulate strategies to align their innovation efforts with their business strategies.”

The key to success is something that every CCO or compliance practitioner should take to heart. Paraphrasing Pisano for the compliance practitioner is that the compliance function “should articulate an innovation strategy that stipulates how their [compliance] innovation efforts will support the overall business strategy.” Moreover, “creating an innovation strategy involves determining how innovation will create value for customers [of compliance, i.e. Employees], how the company will capture that [compliance] value, and which types of [compliance] innovation to pursue.”

Pisano posed several questions around this key area of connecting innovation to strategy. Initially he asked, “How will innovation create value for potential customers?” In my formula, customers become employees or others who will make use of your compliance innovation going forward. Here you should focus on the benefit for your end-using customer. Your innovation can make compliance faster, easier, quicker, more nimble and so on. But focus on that creation of value going forward. Pisano’s next question was “How will the company capture a shore of the value its innovations generate?” He suggests companies think through how to “keep their own position in the [compliance] ecosystem strong” through innovation. Pisano next asked, “What types of innovation will allow the company to create and capture value, and what resources should each type receive?” Here Pisano notes two major forms of innovation equally applicable to the CCO or compliance practitioner. They are a change in technology and a change in a business process. Both are equally valid.

Another problem that Pisano addresses is termed “overcoming prevailing winds” and this means that innovation can be driven downward or backward if there is not sufficient management support. This means not only must there be sufficient resource allocations but management must also incentivize the business units to proceed with implementing the innovations, particularly “when an organization needs to change its prevailing patterns.”

Another area Pisano addresses is “managing trade-offs” because it is inherent in any innovation strategy that there will be trade-offs. Here he terms the two key differences as “supply-push” and “demand-pull”. The supply-push approach comes when your innovation is focused on something that does not yet exist, for example if you are initially implementing a FCPA compliance regime. The demand-pull approach works more closely with your existing customer base to determine what they might need and work to implement innovation around those needs.

Interestingly Pisano ends his article with a discussion about “the leadership challenge”. I say interestingly because I would have thought that was required up front as it is the function of senior management to create the capacity for innovation in the first instance. Pisano writes, “There are four essential tasks in creating and implementing an innovation strategy.” Task 1 is to “answer the question “How are we expecting innovation to create value for customers and for our company?” and then explain that to the organization.” Task 2 “is to create a high-level plan for allocating resources to the different kinds of innovation.” Task 3 is “to manage trade-offs. Because every function will naturally want to serve its own interests, only senior leaders can make the choices that are best for the whole company.” Finally, task 4 dovetails with what almost every DOJ/SEC speaker I have ever heard say when they talk about the basics of any best practices compliance program. It is that “innovation strategies must evolve. Any strategy represents a hypothesis that is tested against the unfolding realities of markets, technologies, regulations, and competitors. Just as product designs must evolve to stay competitive, so too must innovation strategies. Like the process of innovation itself, an innovation strategy involves continual experimentation, learning, and adaptation.”

Pisano’s article provides the CCO or compliance practitioner with a framework to think through to help bring the innovation to a compliance program. I would have put leadership first, both in the compliance department and at senior management level. But however you go about it, you must recognize that your compliance program will have to evolve. That is one of the key differences between those who advocate static compliance standards embodied in a written compliance program and those who advocate that it is Doing Compliance that creates an active, vibrant and effect compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

June 18, 2015

The War of 1812 and the IAP Worldwide Services Non-Prosecution Agreement

Battle of New OrleansOn this day, 203 years ago, President James Madison signed a Declaration of War against Great Britain inaugurating the War of 1812. The cause of the war was multi-faceted; the formal reason given was the British impressment of American sailors and the economic blockade of Europe. But the real reason may have simply been the warmongers who had been agitating for war against Britain for several years as an excuse to attack (and hopefully take over) Canada. For those of you who did not study geography too closely, that latter hope was forlorn as Canadians twice repulsed American invasions during the war.

That does not mean the War of 1812 was ultimately unsuccessful for the ‘War Hawks’. America got two great songs out of the war. The first was our National Anthem, the Star Spangled Banner, which celebrated victory over the British at Baltimore. The second was the top hit single of 1959, The Battle of New Orleans, which celebrated Andrew Jackson’s defeat of the British in the Battle of New Orleans, which was fought after the signing of the peace treaty that ended the war. Also that peace treaty, which America and Great Britain signed has remained unbroken to this day.

I thought about this view of the results of the War of 1812 when I read the Foreign Corrupt Practices Act (FCPA) enforcement action involving IAP Worldwide Services, Inc. (“IAP” or “the company”) and its former Vice President (VP), James Rama. The company received a Non-Prosecution Agreement (NPA) as a result of the enforcement action but agreed to a fine of $7.1MM. Rama pled guilty to a single count of conspiracy to violate the FCPA and is awaiting sentencing but his sentence will be capped out at “five years of imprisonment, a fine of the greater of $250,000 or twice the gross gain or loss, full restitution, a special assessment, and three years of supervised release” according to his Plea Agreement.

What it is difficult to determine from the company NPA and Rama Plea Agreement is what conduct the company engaged in which led to the NPA because clearly both the company and Rama engaged in conduct that violated the FCPA. In its Press Release the Department of Justice (DOJ) said, “Based on a variety of factors, including but not limited to IAP’s cooperation, the Criminal Division entered into a non-prosecution agreement with the company.” In the NPA these factors were given some meat with the following boilerplate language, “(a) the Company has cooperated with the Offices, including conducting an extensive internal investigation, voluntarily making U.S. and foreign employees available for interviews, and collecting, analyzing, and organizing voluminous evidence and information for the Offices; (b) the Company has engaged in remediation, including disciplining the officers and employees responsible for the corrupt payments or terminating their employment, enhancing its due diligence protocol for third-party agents and consultants, and instituting heightened review of proposals and other transactional documents for relevant Company contracts; (c) the Company has committed to continue to enhance its compliance program and internal controls, including ensuring that its compliance program satisfies the minimum elements set forth in Attachment C to this Agreement; and (d) the Company has agreed to continue to cooperate with the Offices in any ongoing investigation of the conduct of the Company and its officers, directors, employees, agents, and consultants relating to possible violations under investigation by the Offices.”

Since I cannot determine from beyond the above description what the company did to achieve its NPA, I will use the same analysis that I did in ascertaining what we Americans got out of the War of 1812. For the NPA did go into detail about the bribery scheme used by the company and Rama, which were clearly violative of the FCPA. Rama was a VP of the company until he signed and became an independent contractor to the organization, through his consulting entity, Ramaco. Ramaco was created, in part, to hide the involvement of IAP in the bidding process with the Kuwaiti Ministry of the Interior to provide nationwide surveillance for the country.

The bid for this project had two phases. In Phase I, a consultant would assist the Kuwaiti government to select the final contractor who would implement the nationwide surveillance for the country in Phase II. By hiding its involvement through Ramaco, IAP could reap the benefits of winning both phases, which it did. However the illegals acts of IAP and Ramaco did not end with this subterfuge but were in fact just beginning.

The Phase I contract awarded to Ramaco was worth $4MM. IAP and Ramaco agreed to rebate one-half of the amount, through a Kuwaiti third party agent back to certain representatives of the Kuwaiti government as bribe payments. In addition to this 50% figure of the contract price, IAP and Ramaco understood that this Kuwaiti third party contractor would “inflate its invoices to IAP by charging IAP for the total amount of both the legitimate services that Kuwaiti Company was providing and the payments that Kuwaiti Company was funneling to Kuwaiti Consultant without listing or otherwise disclosing the payments that were funneled to Kuwaiti Consultant.” According to the NPA, these monies were specifically “provided as bribes to Kuwaiti government officials to assist IAP in obtaining and retaining the KSP Phase I contract and to obtain the Phase II contract.”

The NPA also specified meetings which were held in the company’s headquarters in Arlington VA and that monies to be paid as bribes were wired out of a company bank account in the US to Kuwait.

All of these facts would lead me to opine that this case was egregious. There was a US company, setting up a scheme to pay bribes through both a US person, who was a former employee, and a foreign third party agent. Meetings to facilitate the scheme were held in the US and monies to fund bribes were wired out of a US bank account. There was nothing reported in the NPA which indicated that the company self-disclosed this FCPA violation. While there were statements of cooperation and remediation going forward, there was nothing other than the standard boilerplate language generally seen in NPAs.

So while the NPA does provide the Chief Compliance Officer (CCO) or compliance practitioner a good set of facts to test against in their organization, that would appear to be about it. Other than, of course, it is always better to cooperate than not. So much like what we Americans got out of the War of 1812, not much substance can be ascertained from the company’s NPA and Rama’s Plea Agreement.

For a YouTube clip of Johnny Horton singing The Battle of New Orleans, on the Ed Sullivan Show, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

June 17, 2015

Never Tick Off a Redbird

Angry RedbirdAt a Press Conference today, Satan officially announced that Hell has frozen over. He made this stunning announcement after the New York Times (NYT) reported that the baseball team with the most World Series wins in the history of the National League (NL), the St. Louis Cardinals, had hacked those paragons of virtue, enormity and the very symbol of baseball greatness, the Houston Astros, to view confidential information. The Cardinals have managed to win 5 World Series in the past 50 years; how many World Series have the Astros won? That would be a big fat nada, ZERO, none, zilch. The NL team with the most World Series wins in the past 50 years was caught hacking into the inner most secrets of one of the worst teams in that same time period. Where are Tom Brady’s deflated balls when you need them?

As reported by Michael Schmidt, in a piece entitled “Cardinals Face F.B.I. Inquiry in Hacking of Astros’ Network, Major League Baseball (MLB) asked the FBI and Department of Justice (DOJ) to investigate the hacking of the Astros “Last year, some of the information was posted anonymously online, according to an article on Deadspin. Among the details that were exposed were trade discussions that the Astros had with other teams. No doubt expecting that nefarious rogue agents of the Chinese government (or worse-the Chinese military) were seeking to wreck havoc on the game once known as ‘America’s pastime’ or “Believing that the Astros’ network had been compromised by a rogue hacker, Major League Baseball notified the F.B.I., and the authorities in Houston opened an investigation. Agents soon found that the Astros’ network had been entered from a computer at a home that some Cardinals officials had lived in. The agents then turned their attention to the team’s front office.” Oops, those darn Chinese; they are never around to blame when you need them.

So move aside New England Patriots, with your petty attempts to manipulate footballs in a championship game. Stop allowing your quarterback to dictate how he uses the tools of his trade, footballs. Do not cheat and call it getting an edge; all of this makes you look like rank amateurs next to the St. Louis Cardinals. Act like a real team and enlist your front office executives to steal information from the worst team in football. For long term pathetic-ness, you might try the Oakland Raiders or just go with the current joke of a team, the Tampa Bay Buccaneers whose No. One draft pick, and now face of the franchise, was one of the most ‘ethically challenged’ college players in recent years. If you really want great information about poor football, steal it from the Jacksonville Jaguars. Bill Belichek, you are only limited by your imagination!

As to the Cardinals, what on earth could the Astros have that they could possibly want? Take the Astros record over the past five years; it’s the worst in baseball. You want a piece of that? How about secret information on the leadership savoir fare of the Astros owner ‘Mr. I am smarter than everyone in the room because I made a $100mm in business’ Jim Crane. Why be one of the best-run sports franchises, when you can mimic the Astros? First you can tell everyone how stupid they are because they do not understand how it is in your interest to try and lose; next why you should cut off over 70% of your fan base from even watching games on television so they will not see your joke of a team play and, finally, how to sue the prior owner who sold you the team for mis-representing the quality of the assets.

But do not stop with the owner. The apparent ire of St. Louis (never under-estimate a pissed off Redbird) was directed at a former Cardinal employee who left to become the General Manager of the Astros, Jeff Luhnow. Apparently the Cardinals were upset that the baseball knowledge in Luhnow’s head was now being used by the Astros. (Did I mention the Astros had baseball’s worst record for the past 5 years?) Of course, perhaps the Cardinals could learn how make an offer to the top draft pick in the annual amateur draft and then withdraw the offer so they could make a lower one, thereby losing two top draft picks. That certainly was a brilliant move by the Astros that you would want to use going forward.

The Cardinals action brings up one of the greatest areas of corporate angst; when a business gets its feelings hurt. Heaven forbid. No doubt having recently seen a recent late night showing of the movie Animal House the Cardinals decided not to get mad; they decided to get even. So with this newfound information gleaned from the Astros, it now clear how the Cardinals have been so successful. Not simply being content to cheat, they broke the law to hack into the confidential information of another baseball team to learn that other team’s secret. Now I know why the Astros have been so bad over the years; they had all their confidential information sucked out of their organization by the evil Cardinals. So that giant sucking sound you hear from south Texas is not American jobs going to Mexico because of NAFTA but all the confidential information being sucked out of the Houston Astros.

What are the lessons for a Chief Compliance Officer (CCO) or compliance practitioner? One lesson is it points to the myriad of reasons that companies and individuals engage in bribery and corruption. It is laughable to think that the St. Louis Cardinals, one of the best-run franchises’ in all of sports (or so we thought); could learn anything from the idiots who run the Astros. Yet here we are; out of spite, vindictiveness or just plain old malevolence, front office executives of the Cardinals engaged in conduct that has drawn the scrutiny of the FBI and DOJ. This points to other motivations than fidelity to monetary gain as a reason for bribery and corruption.

Also, cybersecurity is a compliance concern. What protocols to you have in place to protect your data? How will you respond to a breach? What happens if another member of the cartel your business is in engages in criminal activity against you? Will you demand that they are kicked out of the cartel?

I think it also points up how actually Doing Compliance differs from having a paper compliance program in place. Whether you use the McNulty’s Maxims formulations (What did you do to prevent? What did you do to detect it? What did you do after you found out about it?) or the FCPA Guidance formulation that a best practices compliance program should prevent, detect and remedy violations. I am relatively certain the St. Louis Cardinals had a policy against breaking the law by hacking into the database of another baseball team. With equal certainty, I am sure the Cardinals had no program to prevent or detect such illegal conduct for if they did, it would certainly appear they conveniently looked the other way.

Finally, American businesses need to wise up. Stop all the whining, moaning and complaining about data breaches from Chinese/Russian/Bulgarian/the Galactic Empire/the Borg/(name your Evil Empire); you are most at risk from other US companies. For if the best team in the history of the NL will break the law to steal the trade secrets and confidential information of one of the worst teams, is anyone safe? Further, what are the chances that the Cardinals have been trying to steal trade secrets from winning teams? That would be a number way too high for me to even imagine. Quit crying to Congress that it is unfair for you to be required to protect your own data or that it would cost you money or jobs; secure your data now.

Now for a free tip from my consulting company, Advanced Compliance Solutions-if you have super-secret confidential information, make sure it password protected. But more than simply password protected, change you password every 90 days. That is a good first step in case the St. Louis Cardinals come hacking your company.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Next Page »

Blog at WordPress.com.