FCPA Compliance and Ethics Blog

July 29, 2013

What Is Due Diligence?

What is due diligence? When did due diligence begin? What does it really mean to perform due diligence? Further, how do you tie the information that you obtain in the due diligence process into your ongoing compliance program? I thought about those questions in the context of two very different types of information that I recently came across.

The first is Professor Donald Kagan’s 24-lecture series on Ancient Greece. Kagan, a professor at Yale, is considered to be one of the pre-eminent American scholars on Ancient Greece. I downloaded this lecture series on iTunes U, from the selection of Open Yale courses. For a non-Eli, such as myself, to have access to the lectures of Professor Kagan is a treat beyond words.

The Athenian democracy had many interesting features. The entire citizenship of Athens elected its leaders annually. One of the interesting features of the Athenian democracy was that before each election there would be an exhaustive background investigation into each candidate, including their financial dealings, legal proceedings, military service and other relevant factors which might provide information on their character and fitness to hold office. After their one year tenure, there would be an audit of the former office holders’ finances to determine if anything was amiss or if there was evidence of bribery and corruption. All of that sounds like a fairly robust program to determine the qualifications of a leader beforehand and then a backend determination if there were any indicia of bribery and corruption which could be further investigated if required.

Lest you think that there was no management of politicians during their term, there were 10 votes annually on whether a leader was doing his job. If there was a majority vote against the politician, he would have to go to court to defend himself by proving that he was performing his job correctly; going to court in ancient Athens meant a trial before the entire body of eligible voters. If the politician lost, he was thrown out before the end of his one year term. If he won, he reassumed his elected duties.

So the ancient Athenians had pre-election due diligence, management of the relationship during their annual term and then a post-relationship audit. Not too bad a system, particularly when you consider that it was developed over 2500 years ago.

The second item of interest was an article in the New York Times (NYT), High & Low Finance column of Floyd Norris, entitled “Intersection of Fraud and Traffic Violations”. The article was quite fascinating. It reported on a study by Robert Davidson, who teaches accounting at Georgetown University, along with Aiyesha Dey, of the University of Minnesota, and Abbie Smith, of the University of Chicago. Norris reported that “Their results are reported in a paper, “Executives’ ‘Off-the-Job’ Behavior, Corporate Culture and Financial Reporting Risk,” which is to appear in the Journal of Financial Economics.”

The bottom line is that if your company’s Chief Executive Officer (CEO) “likes to drive too fast, watch out. He may be more likely to commit fraud.” However, (and perhaps counter-intuitively) “If he lives too high on the hog, worry about whether he is paying enough attention to work to catch fraud being committed by his subordinates. And there may be a greater chance that the company is making mistakes in its accounting, though not fraudulently.”

The authors used some interesting investigative techniques for their paper. First they examined “fraud cases that the Securities and Exchange Commission [SEC] filed over the years — covering frauds that began between 1992 and 2004.” Next, the “researchers looked for other companies that were as similar as possible to the companies that were caught. Those companies were of similar size, had similar balance sheets and similar prefraud stock market performance as the fraudulent companies and were in the same industries.” This netted them “109 companies where fraud was detected and 109 similar ones where it was not.” The next step was the one that I found the most interesting, “The academics then hired private investigators to check out the bosses. They looked for past criminal records, including traffic violations, and they searched public records to see which cars, homes and boats the chief executives owned.”

Norris reported that while “The statistics are far from conclusive — 109 is not a large number — but they may take on a little more weight from the decision of the researchers to investigate an additional 164 chief executives. They came from 94 companies that were forced to restate their financial statements but were not accused of fraud by the S.E.C., and from 70 others chosen at random from the universe of companies that did not have fraud or accounting errors.” Norris believes what the report “could indicate is that people who are willing to violate one set of social norms are more likely to be willing to violate far more serious ones.”

I do not think that his last statement would be too controversial. However, the research went further. The authors of the report “also set out to see if what they called unfrugal chief executives run companies that are fundamentally different from those run by bosses who spend less on themselves. To determine that required decisions on just what constituted unfrugal behavior. They settled on a definition involving ownership of homes, boats and cars, which is available from public records. Chief executives were deemed to be unfrugal if they owned a car that listed for more than $75,000, a boat that was more than 25 feet long or a house worth more than twice the average cost of a home near the company’s headquarters.”

Once again, the report findings seemed interesting. The researchers found that “Unfrugal chief executives are no more likely to commit fraud than their colleagues, but they are more likely to run companies where others commit fraud, and they are more likely to run companies that are forced to restate their financial statements.” In other words, they were playing with their expensive toys and not watching the shop.

Norris concludes his piece with the following, “I don’t think any of this proves that a traffic ticket should disqualify someone from running a public company. And it appears that most fraud is committed by chief executives who have no previous record of criminal behavior, so that is hardly the only thing a board should monitor. But the evidence may indicate that boards should routinely run background checks on top officers and on those being considered for such positions. If someone does have a bunch of traffic tickets, or worse, that could be an indication that deeper consideration is needed before that person is given control of a public company.”

I think that Norris has correctly articulated one of the key issues for any compliance practitioner in the due diligence process. What is the analysis that you should use? The FCPA Guidance provides a list of red flags which should be very large warning signs for a company in creating a business relationship with a third party. But beyond this well-known list of red flags, which information is relevant in assessing a third party, corporate CEO or other executive or simply a new hire? Does the fact that someone had a business failure and filed bankruptcy or has a low credit score mean they are prone to corruption? Or does that mean they have an entrepreneurial bent that would be an asset in a company? How about if they went through a major health issue and their health care provider and insurance carrier got into such a dispute over payment that it affected the person’s credit score? What about multiple marriages, does that demonstrate a lack of stability?

So while Norris’ article does raise perhaps more questions than it has answers, you can take some solace in knowing that the due diligence process you have in your company is not new. The ancient Greeks used it in 500 BCE.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

January 14, 2013

The HSBC AML Settlement – Lessons Learned for the AML Compliance Practitioner

I recently wrote about banks behaving badly. Currently, Exhibit A in that list is HSBC. In December, 2012, the UK banking giant HSBC agreed to pay a fine of $1.92 billion for its transgressions involving money laundering. Today I want to look at the violations which the company engaged in and its resolution.

I. HSBC AML Violations

Regarding the HSBC AML claims, there were four major areas of money laundering violations by HSBC. As listed in the Statement of Facts to the Deferred Prosecution Agreement (DPA), they read:

10. There were at least four significant failures in HSBC Bank USA’s AML program that allowed the laundering of drug trafficking proceeds through HSBC Bank USA:

  1. Failure to obtain or maintain due diligence or KYC information on HSBC Group Affiliates, including HSBC Mexico;
  2. Failure to adequately monitor over $200 trillion in wire transfers between 2006 and 2009 from customers located in countries that HSBC Bank USA classified as “standard” or “medium” risk, including over $670 billion in wire transfers from HSBC Mexico;
  3. Failure to adequately monitor billions of dollars in purchases of physical U.S. dollars (“banknotes”) between July 2006 and July 2009 from HSBC Group Affiliates, including over $9.4 billion from HSBC Mexico; and
  4. Failure to provide adequate staffing and other resources to maintain an effective AML program.

We will review each of these in more depth to provide guidance to the AML compliance practitioner on the steps that their financial institution needs to take.

a. HSBC Bank USA Failed to Conduct Due Diligence on HSBC Group Affiliates

One of HSBC Bank USA’s high risk products was its correspondent banking practices and services. Correspondent accounts were established at banks to receive deposits from, make payments on behalf of, or handle other financial transactions for foreign financial institutions. They are considered high risk because the US bank does not have a direct relationship with the clients and, therefore, has no diligence information on the foreign financial institution’s customers who initiated the wire transfers. To mitigate this risk, the Bank Secrecy Act (BSA) requires financial institutions to conduct due diligence on all non-US entities for which they maintain correspondent accounts. There is no exception for foreign financial institutions with the same parent company.

HSBC Bank USA was required under the BSA to conduct due diligence on all foreign financial institutions with correspondent accounts, including HSBC Group Affiliates, which it failed to do, from at least 2006 to 2010.  The decision not to conduct due diligence was guided by a formal policy memorialized in HSBC Bank USA’s AML Procedures Manuals.

b. HSBC Bank USA Failed to Adequately Monitor Wire Transfers

From 2006 to 2009, HSBC Bank USA monitored wire transfers using an automated system called the Customer Account Monitoring Program (“CAMP”). The CAMP system would detect suspicious wire transfers based on parameters set by HSBC Bank USA under which various factors triggered review, in particular, the amount of the transaction and the type and location of the customer. However, HSBC Bank USA knowingly set the thresholds in CAMP so that wire transfers by customers located in countries categorized as standard or medium risk, including foreign financial institutions with correspondent accounts, would not be subject to automated monitoring unless the customers were otherwise classified as high risk.

Between 2000 and 2009, HSBC Bank USA specifically disregarded numerous publicly available and industry-wide advisories about the money laundering risks inherent to Mexican financial institutions. These included the following:

  1. The U.S. State Department’s designation of Mexico as a “jurisdiction of primary concern” for money laundering as early as March 2000;
  2. The U.S. State Department’s International Narcotics Control Strategy Reports from as early as 2002 stating that Mexico was and continues to be one of the most challenging money laundering jurisdictions for the United States;
  3. The April 2006 Financial Crimes Enforcement Network (“FinCEN”) Advisory concerning bulk cash being smuggled into Mexico and deposited with Mexican financial institutions;
  4. The federal money laundering investigations that became public in 2007-08, involving Casa de Cambio Puebla, a Mexican-based money services business that had accounts at HSBC Mexico, and Sigue, a U.S.-based money services business, that had accounts at HSBC Mexico; and
  5. The federal money laundering investigation into Wachovia for its failure to monitor wire transactions originating from the correspondent accounts of certain Mexican money services businesses, which became public in April 2008.

c. HSBC Bank USA Failed to Monitor Banknotes’ Transactions with HSBC Group Affiliates

HSBC Bank USA’s Banknotes business (“Banknotes”) involved the wholesale buying and selling of bulk cash throughout the world. The Banknotes business line was a high risk business because of the high risk of money laundering associated with transactions involving physical currency and the countries where some of its customers were located. In an attempt to mitigate these risks, Banknotes’ AML Compliance monitored customer transactions.  The purpose of transaction monitoring was to identify the volume of currency going to or coming from each customer and to determine whether there was a legitimate business explanation for buying or selling that amount of physical currency.

Despite the high risk of money laundering associated with the Banknotes business and FinCEN advisories to the contrary, the HSBC Banknotes’ AML compliance consisted of one, or at times two, compliance officers. Unlike the CAMP system for wire transfers, Banknotes did not have an automated monitoring system, and, as a result, the Banknotes’ compliance officers were responsible for personally reviewing the transactions of approximately 500 to 600 Banknotes customers. These attempted reviews were deemed wholly insufficient.

d. HSBC Bank USA Failed to Provide Adequate Staffing and Other Resources to Maintain an Effective AML Program

HSBC’s conduct regarding its AML policy was found to be completely wanting. Not only did the Bank fail to fill senior compliance officer positions after personnel left the Bank but it actually reduced the resources available to the compliance program by cutting funding in 2007. In 2008, the Chief Operating Officer (COO) for Compliance conducted an internal review of the AML compliance program and found it to be “behind the times” and noted that the program was under-resourced and understaffed. Despite these findings the Bank did not begin to address the resource problems until late 2009.

II. HSBC Remedial Measures

The Department of Justice (DOJ) listed the remedial actions which HSBC engaged in that led, in part, to successfully avoiding a Criminal Indictment by the DOJ.

  1. Change in Leadership and increase in resources. The Bank hired a new leadership team. In 2011, the Bank spent more than $244 on its compliance program. The Bank substantially increased the personnel in its compliance function from 92 full time employees and 25 consultants in 2010 to 880 full time employees and 267 consultants as of May 2012.
  2. Claw Backs. The Bank ‘clawed back’ compensation from senior company executives.
  3. Compliance Function. The Compliance Department was separated from the legal department and given direct reporting lines to the Board of Directors.
  4. Exiting high risk business lines. The Bank exited the Banknotes business and ended 109 high risk business relationships.

The HSBC investigation and enforcement action took years and cost the Bank millions of dollars. The Bank ignored not only its internal compliance requirements but also outside information about the high risk nature of many of its business relationships. Banks must review their compliance programs to determine if any of the factors present in the HSBC matter are risks to their business models and remediate them as soon as possible to avoid a similar fate.


August 7, 2012

Anti-Money Laundering For the Non-Banking Entity

While many companies which operate under anti-bribery laws such as the UK Bribery Act or anti-corruption laws such as the US Foreign Corrupt Practices Act (FCPA), have compliance programs in place to review business relationships, I have found that one of the areas which most non-banking companies do not sufficiently focus on is anti-money laundering (AML). Money laundering is conduct designed to disguise the proceeds of criminal activity. These include making illegal or improper payments to Foreign Government Officials, the misappropriation, theft or embezzlement of public funds by any party as well as by or for the benefit of Government Officials, paying kickbacks to employees of private companies, creating a scheme to defraud third parties and, in the United States, misusing the mails (whether it is the US mail, private or commercial couriers) and the wires in interstate or international commerce. Money laundering can arise when there is an effort to evade reporting requirements by engaging in a series of funds transfers that individually are below the amount requiring disclosure. Funds may also be laundered by transfers among bank accounts or through the purchase of apparently legitimate assets. Even though they have been “laundered,” these funds still represent the proceeds of criminal activity, and knowingly receiving, transferring, transporting, retaining, using, or hiding such criminal proceeds is illegal.

Legitimate businesses may be targets for persons or entities who want to make the proceeds of criminal activity appear to be legitimate. For example, companies that offer to do business with a company may be “fronts” for money laundering or other criminal activity. Similarly, agents, customers or other parties may seek to have a company wire their fees to jurisdictions other than the ones in which they reside to avoid the laws and requirements of their home country. It is, therefore, essential for a company to “know” the parties with whom it conducts business and perform the due diligence required by the company Code with respect to all potential Business Partners, Representatives, Agents, Distributors and others in the sales chain. A company should also take care with its business relationships in the supply chain such as vendors that are viewed as high risk under the FCPA or UK Bribery Act.

So what are some of the ways a company can facilitate money-laundering? In an article in the Los Angeles Times (LAT) entitled “Cartels use legitimate trade to launder money, US and Mexico say” by Tracy Wilkinson and Ken Ellingwood, the authors described a process whereby teams of money launderers working for cartels use dollars to purchase a commodity from the US and then export the commodity to Mexico or Colombia. A key is that “Paperwork is generated that gives a patina of propriety” which means that drug money is given the appearance of legitimate proceeds from a legitimate commercial transaction. One Immigration and Customs official interviewed said, “It’s such a great scheme. You could hide dirty money in so much legitimate business, and they do. You can audit their books all day long and all you see is goods being imported and exported.”

The key is that the commodities being purchased are so innocuous that large bulk purchases will rarely, if ever, draw any official scrutiny. The goods purchased can be red tomatoes or bolts of cotton fabric. In either case, the commodity itself does not matter, as the simple fact of purchasing in the US, shipping into, and reselling in Mexico, allows the drug cartels to “transfer earnings back home to pay bills and buy new drug supplies while converting dollars to pesos in a transaction relatively easy to explain to authorities.”

There have been some interdictions in this system, however. In 2010, US authorities arrested several executives of Angel Toy company, who the government alleged were conspiring with Mexican drug cartels to launder drug money through a scheme to purchase Teddy Bears (of all things), for shipment back to and for resale in Mexico. The plan was straightforward, just under $10K of cash for each shipment of Teddy Bears, which were then resold in Mexico.

However, now money launderers use even more sophisticated tactics such as “overvaluing and undervaluing invoices and customs declarations.” There is even a new term “trade-based money-laundering” which is being used to denominate the schemes. It was reported that in another recent operation, which was estimated to launder over $1MM every three weeks, money launderers were exporting from the US to Mexico polypropylene pellets that are used to make plastic. However, the money-launderers inflated the value declared on the high-volume shipments and this eventually attracted suspicion of US bank investigators, “who shut down the export operation by discontinuing letters of credit that the suspected launderers were using.” One official noted, “You generate all this paperwork on both sides of the border showing that the product you’re importing has this much value on it, when in reality you paid less for it. Now you’ve got paper earnings of a million dollars and the million dollars in my bank account — it’s legitimate. It came from this here, see?”

In an article in the Wall Street Journal (WSJ), entitled “Sands Probed in Money Moves”, reporters Kate O’Keefe, Justin Scheck, Alexandra Berzon and James Grimaldi reported that US authorities are investigating Las Vegas Sands Corp. and several of its executives regarding allegations of violations of US money-laundering laws by failing to alert authorities to millions of dollars transferred to its casinos by two Las Vegas high rollers. The specific allegations involve an examination of the Sands’ “handling of money received several years ago from a Chinese-born Mexican national, Zhenli Ye Gon, later accused of drug trafficking and Ausaf Umar Siddiqui, a former California executive subsequently convicted of taking illegal kickbacks.”

Regarding Mr. Ye Gon, the WSJ reported that in 2006, Ye Gon “made tens of millions of dollars in transfers to Sands accounts from Mexican “casas de cambio,” which are currency-exchange firms that have been the focus of several recent money-laundering probes in the U.S., several people involved in the case said. He transferred a total of around $85 million to casinos owned by Sands and other operators, court filings indicate. Prosecutors have told lawyers representing Sands employees that Mr. Ye Gon’s use of Mexican exchange houses to handle such huge transfers was a red flag.” Regarding Mr. Siddiqui, the WSJ reported that Sands received more than $100 million from Mr. Siddiqui, while he had an annual salary of $200,000 with Fry’s Electronics.

Transaction-based due diligence and internal controls are mandatory components of a FCPA minimum best practices compliance program. In addition to due diligence on agents, distributors or others in the sales distribution chain, companies need to perform due diligence on those to whom they sell. If someone from Mexico suddenly comes to your business and wants to buy widgets with cash, this needs to send up a huge Red Flag. It would seem just as unlikely for a customer with a relatively low net worth to come to you and seek to purchase a high cost product with cash. If such an eventuality happened, this should also raise a very large Red Flag.

What Should You Look For: Red Flags

Red flags are circumstances that should alert a reasonable person that illegal or improper conduct is substantially likely to occur and, therefore, further inquiry is necessary. Red flags reflecting possible violations of anti-money laundering laws and regulations include:

1. Legitimacy of the party and/or assets are undeterminable through due diligence or independent verification;

2. The party proffers false, misleading or substantially incorrect information and documentation;

3. The party suggests transactions involving cash or insists on dealing only in cash equivalents;

4. The party refuses to disclose or to provide documentation concerning identity, nature of business, or nature and source of assets;

5. The party refuses to identify a principal or beneficial owner;

6. The party appears to be acting as an agent for an undisclosed principal or beneficial owner, but is reluctant to provide information, or is otherwise evasive, regarding the identity of the principal or beneficial owner;

7. The party is a shell company and refuses to disclose the identity of the party’s beneficial owner;

8. The party has assets that are well beyond its known income or resources;

9. The party requests that funds be transferred to an unrelated third party and is unable to provide sufficient legitimate and independently verifiable justification for such request;

10. The party requests a wire transfer to a jurisdiction other than the one in which the party is located and is unable to provide sufficient legitimate and independently verifiable justification for such request, particularly if located in an “off shore” bank secrecy or tax haven;

11. The party engages in transactions that appear to have been structured so as to avoid government reporting requirements, especially if the cash or monetary instruments are in an amount just below reporting or recording thresholds;

12. The party exhibits unusual concern about compliance with government reporting requirements;

13. The party exhibits a lack of concern regarding risks or other transaction costs;

14. The party wishes to engage in a transaction that lacks business sense, economic substance or apparent investment strategy;

15. The party lacks general knowledge of its industry or lacks adequate facilities or qualified staff to perform the required tasks or work;

16. The party requests that a transaction be processed in a manner that circumvents a company procedure or avoids company documentation requirements;

17. The party is included on a list of Specially Designated Nationals, or similar lists, maintained by the US Government and the United Nations or is associated with such individuals and entities;

18. The party is located or has accounts or financial dealings in countries either identified as being non-cooperative with international efforts against money laundering by the Financial Action Task Force, or against whom the US Treasury Department has issued an advisory;

19. The party, or any person associated with the party, is or has been the subject of any formal or informal allegations (including in the reputable media) regarding possible criminal, civil or regulatory violations or infractions; and

20. The independent due diligence conducted by a company uncovers allegations that raise concerns regarding the party’s integrity.

In this age of cross-border criminal activity and cross-border enforcement, companies should be aware of these techniques used to launder money. Company compliance programs need to incorporate transactional due diligence into an overall anti-corruption compliance program. You may not see multi-millions of dollars in cash come into your company as Sands did from Mr. Ye Gon and Mr. Siddiqui but you should run the basic checks as suggested by the list of Red Flags.


A big shout out to the USA Women’s Soccer team for their win in stoppage time of Extra Time over Canada. Also a shout out to Team Canada for a great game and playing their collective hearts out in one of the best matches I have ever seen.



© Thomas R. Fox, 2012

May 17, 2012

The Value in Conducting Thorough Background Checks on Executives

Filed under: Background Checks, Bribery Act, Red Flag Group — tfoxlaw @ 5:52 am

Ed. Note: Today we have a guest post by Scott Lane, President of the Red Flag Group.

Internet giant Yahoo! has now been forced to undertake another extensive search for a Chief Executive Officer to help salvage its underperforming business. Today it was announced that Scott Thompson would be stepping down from his recently appointed position at the company in the wake of allegations surrounding the accuracy of his education record. The scenario that Yahoo! is now in serves as a reminder to organisations of the importance of conducting thorough background checks on new senior executive appointments as a means of avoiding potential shareholder disputes and detrimental publicity.

Not long after Scott Thompson was appointed CEO of Yahoo! in January 2012, rumours began circulating about the authenticity of his academic credentials as detailed on his CV. Mr Thompson’s CV listed an accounting and computer science degree from Stonehill College in the United States. Daniel Loeb, the boss of the hedge fund Third Point, which owns 5.8% of Yahoo!, claimed that Mr Thompson had not in fact graduated with a degree in computer science. The discrepancy in Mr Thompson’s record was deemed to be the result of an “inadvertent error” by Yahoo!. Mr Loeb initiated a number of inquiries on behalf of other shareholders as to how Yahoo!’s vetting process had not picked up that Mr Thompson never graduated with a degree in computer science.

This case divided opinion as to the seriousness of Mr Thompson’s misrepresentation, particularly as his performances in previous roles had earned him considerable acclaim. However, Yahoo! had exposed itself to potential litigation by using Mr Thompson’s degree information on regulatory filings, and the ongoing discussions about his background continued to be a distraction from his becoming established in his new role. So much so that the decision has been made that Mr Thompson is to step down as CEO. Not only will Yahoo! now have to undertake another expensive and time-consuming search for his replacement, his departure also comes at the expense of other existing directors who were responsible for his employment. Moreover, over the past number of weeks Yahoo! has been the focus of considerable media attention for all the wrong reasons, and its board’s reputation for making decisions in the best interests of all stakeholders has been tarnished.

This is certainly not the first time a company has suffered the indignity of having to replace senior executives. Last year the chief executive of InterContinental Hotels Group’s Asia-Pacific operations, Patrick Imbardelli, resigned after it was discovered that he had misrepresented his academic record on his CV.

This issue could have been addressed if companies undertook:

  • A detailed background check to ascertain the overall accuracy of an individual’s CV, including all previous work and study credentials
  • Detailed research into the person’s profile in international media in each of the markets where they have lived, carried on business or managed people
  • Interviews with other colleagues, business associates, and previous employers to address the overall integrity of the person in all markets in which they have worked
  • Interviews with the person to assess their understanding of compliance and legal risks, their approach to ethical and integrity issues and their answers to a series of hypothetical corporate situations posing ethical challenges and testing their responses along the way
  • Psychometric testing based on integrity issues to assess independently the responses to certain situations

Background screening and integrity assessments should be an essential part of the hiring and promoting process. This is important with all new employees, but even more so with those moving into senior positions. The incident involving Mr Thompson will for some time remain a blight against Yahoo! in the eyes of some of its shareholders, but they will no doubt adopt screening measures to heavily scrutinise all candidates in the future. Whilst undertaking extensive screening operations can be time consuming and costly, it is not as damaging to an organisation as disharmony amongst shareholders when it is discovered that a recently appointed individual’s credentials are false.



February 21, 2012

A Seat at the Table – Compliance in the Contract Tender Process

After all the due diligence on the sales agents and representatives has been completed and they are ready to help you land that large international contract, what is the role of compliance? I would argue that compliance has as central a role to play in any international contract tender process as any other support group in your company, be it legal, tax, HR or another department. If you put compliance in the mix when preparing your response to an RFP, your company will be much better served than by calling them after an issue arises during the contract execution. What are some of the areas where compliance can be of use during contract negotiations?


It should not surprise anyone that your company is legally responsible for its subcontractors in the execution of a contract. This is also true in the anti-corruption context, whether under the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. This means that any direct tier subcontractor, which your company might use to complete an international contract, needs to be thoroughly vetted under your compliance regime as a foreign business partner. The reason is the same as for an agent: subcontractors are acting on your company’s behalf, and hence your company is responsible for them. If you can perform due diligence in the pre-contract phase on all parties which your company will need to execute the contract, it will make things run more smoothly and efficiently after your company is awarded the contract and moves into the execution phase.

Travel to Company Facilities

As a part of the tender process, your company may be required to bring a foreign governmental official or group of officials to view your US operations. This can occur for a number of legitimate reasons, yet care must be taken under both the FCPA and Bribery Act. Your company can pay bona fide and reasonable expenses that are directly related to either (1) the promotion, demonstration or explanation of products or services; or (2) the execution or performance of a contract. Bona fide promotional expenses may also include trips to manufacturing facilities to observe your company’s production and quality control processes or to conduct inspection and testing called for in a contract of sale. There can also be trips to facilities where the training offers a legitimate opportunity to demonstrate products and services. The guidelines to follow are:

• Any reimbursement for air fare will be for economy class.

• Do not select the particular officials who will travel. That decision will be made solely by the foreign government.

• Only host the designated officials and not their spouses or family members.

• Pay all costs directly to the service providers; in the event that an expense requires reimbursement, you may do so, up to a modest daily minimum (e.g., $35), upon presentation of a written receipt.

• Any souvenirs you provide the visiting officials should reflect the business and/or logo and be of nominal value, e.g., shirts or tote bags.

• Apart from the expenses identified above, do not compensate the foreign government or the officials for their visit, do not fund, organize, or host any other entertainment, side trips, or leisure activities for the officials, or provide the officials with any stipend or spending money.

• The training costs and expenses will be only those necessary and reasonable to educate the visiting officials about the operation of your company.

One of the keys is having any such travel approved by your Compliance Department prior to the travel actually occurring. In addition to the above guidelines there should be a written agenda, reviewed and approved by the compliance representative before the travel occurs. Lastly, all costs associated with the travel and entertainment must be recorded in the Company’s books and records as cost of sales and not an operating expense. The written agenda approved by the compliance representative needs to be maintained and verified by after-action reports so that the entire process is documented.

Testing and Evaluation

If your company manufactures a product, your international customer may well ask to test and evaluate products as a part of the contract tender process. These products may only be provided to support such opportunities. The testing and evaluation of samples should only occur if required by a public tender. Exceptions may be made if the samples are formally requested in writing by the potential government customer in connection with a legitimate contract opportunity. Care should be taken so that any product samples are delivered to the foreign governmental agency issuing the tender, not to an individual employee or official, or to a third party. There should be a formal written request from the potential government customer identifying the specific number of samples to be tested and evaluated. The number of samples requested should be reasonable in light of the overall potential contract. All costs associated with the provisioning of sample products for testing and evaluation must be recorded in the Company’s books and records as cost of sales and not an operating expense.

Evaluation of Compliance Risk

Just as other types of risk should be evaluated in any internal contract review process, the compliance risks should also be evaluated. What is the Transparency International – Corruption Perceptions Index ranking of the country or government where the contract will be executed? Are there other sources which can be accessed, such as World Check’s Country Check rating, the Mintz Group’s heat map “Where the Bribes Are”, or the FCPA Database, which aggregates several different types of information but specifically the national anti-corruption and anti-bribery laws applicable to local jurisdictions across the globe? Using these sources and perhaps others, you can put together not only a risk evaluation plan but also a risk mitigation plan for management, which they can take into account when the decision of Bid/No Bid or pricing is finalized.

The Compliance Department is more than simply the group which performs the due diligence, trains on compliance and responds to inquiries. It can, and should, play an active role in landing contracts. A mature compliance program can be a great benefit for a company, not only in evaluating risk from the compliance perspective but also in preparing the necessary steps so that if a contract is awarded, it can be executed in a time-efficient manner. But it must have a seat at the table.


January 24, 2012

How Charles Ponzi Can Inform Your Compliance Program

Yesterday, I used some of the wisdom from current CIA Director General David Petraeus to suggest how senior management might move forward with a compliance program. Today I will use a very different individual to help inform your third party due diligence, Charles Ponzi.

My colleague Tracy Coenen writes an invaluable blog entitled The Fraud Files Blog. She consistently writes about detecting fraud in all its forms. In a recent post, entitled “Ponzi Scheme and Investment Fraud Red Flags”, Tracy identified many Red Flags which might come up if you performed some due diligence on a Ponzi scheme or persons promoting it. In her blog post, she listed “some red flags about the “investment” you’re considering that might indicate it is a Ponzi scheme” and they are as follows:

  • Promoters are not registered to sell investments (Consider doing a background check through Financial Industry Regulatory Authority (FINRA) if the promoter is U.S. based.);
  • Promoters have a history of being investigated and/or disciplined for actions related to investments (Google is your best friend for this one.);
  • Promoters and/or founders of the business/investment have criminal, bankruptcy, or civil court histories that are troubling (Use PACER to search all federal court records for a nominal fee. State courts generally have their own online systems, and access to them is growing daily.);
  • Difficulty in verifying whether there is a legitimate business behind the investment (Again, Google is your friend!);
  • Groundbreaking “new technology” or other special (but super-secret) methods or assets, which are going to take the world by storm and be the greatest thing since sliced bread;
  • Complicated alleged business model that prevents an experienced investor from understanding how money is really made;
  • The alleged performance of the company is suspiciously higher than competitors or companies in related industries;
  • No objective third-party information can be found about the company;
  • Elaborate explanations for why the business cannot be verified;
  • Unusually high rates of return offered on the investments (Note that this one is the most common across all Ponzi schemes.);
  • Returns on investment are guaranteed (Not to be confused with an annuity from a reputable company with a guarantee in the contract.);
  • Promoter downplays the amount of risk investors will be exposed to, often using phrases such as “a sure thing”;
  • Reluctance to provide documentation supporting claims being made about the investment and the business behind it;
  • Address of the “business” is a mail drop location, virtual office, or small private office that couldn’t possibly hold a business the size that is being claimed (Google Maps is very helpful for this one.);
  • Few (if any) employees in the operation other than the founder and/or promoter;
  • Background of the principals of the business is mismatched with what the business does (Use Google to find out what kinds of jobs they held previously, and compare it to what they’re supposedly doing now.); and
  • Company’s alleged success is related to a recent announcement of some sort, rather than historical financial results (This one is even worse if the information in the announcement can’t be verified, and it appears to just be a PR stunt for the benefit of potential investors.).

One of the things that struck me in reading Tracy’s list of Ponzi scheme Red Flags is how closely they mirror those which may appear in a Foreign Corrupt Practices Act (FCPA) or UK Bribery Act due diligence investigation. Additionally the Red Flags would seem to organize themselves into four general areas:

  1. Something seems out of the ordinary.
  2. Reluctance of party to supply information/difficulty of verifying information.
  3. The scheme is not verifiable by data, only anecdotally.
  4. Mismatch in business experience with the product or services offered.

In due diligence training, I always tell people to listen to their gut and, if the hair on the back of their neck stands up, to pay attention. Not listening to your internal warning system can lead your company down a path that it may well not desire to travel. Red Flags are so called for a reason and if they are raised they must be sufficiently cleared. Tracy Coenen’s list of Red Flags for Ponzi schemes is one which any corporate compliance officer should take to heart.

Tracy Coenen, CPA, CFF, has also written a useful book for helping companies and individuals detect fraud, Ponzi schemes and investment frauds, entitled “Expert Fraud Investigation: A Step-by-Step Guide.” She can be reached via email at tracy@sequenceinc.com.


November 17, 2011


Ed. Note: We are pleased to host a posting today from Michelle Sherman.

Agatha Christie had a novel take on invention being the mother of necessity.  She disagreed and said, “[I]nvention, in my opinion, arises directly from idleness, possibly also from laziness.  To save oneself trouble.”  She may have been onto something when you think about businesses that are turning to outside vendors to research employees and job candidates for them.  Whether or not these outside vendors are the best solution, however, remains to be seen.

1.  Companies Should Have An Internal Procedure For Researching Job Candidates And Employees On The Internet

We recommended in a January 2011 blog post, that businesses establish an internal procedure for making employment decisions based on Internet research, so they would not run afoul of state and federal laws that prohibit job discrimination based on protected factors.  See http://www.socialmedialawupdate.com, Social Media Research + Employment Decisions: May Be A Recipe For Litigation.  The protected factors include, for example:  (1) Race, color, national origin, religion and gender under Title VII of the Civil Rights Act of 1964; and (2) Sexual orientation, marital status, pregnancy, cancer, political affiliation, genetic characteristics, and gender identity under California law.  Most states have their own list of protected factors, which should be considered depending on where your company has employees.

Not surprisingly, the legal risks of making employment decisions using the Internet have become a real concern for businesses, especially when you consider that 54% of employers surveyed in 2011 acknowledged using the Internet to research job candidates.  The actual number of employers using the Internet is probably higher, and sometimes companies may not even be aware that their employees are researching job candidates and factoring that information into their evaluations.  This is yet another reason to establish an internal procedure for researching job candidates, and communicating your procedure to employees who are participating in the employment process.

There is nothing wrong with researching people on the Internet so long as it is done properly.  The Internet has a wealth of useful information, some of it intentionally posted by job applicants for employers to consider such as LinkedIn profiles.

With this “necessity” to do Internet searches properly, some businesses have turned to outside vendors to do the research for them, and, thereby, try to reduce their legal exposure and the administrative inconvenience of doing it themselves.  At least one of these vendors has received letters concerning its business practices from the Federal Trade Commission (“FTC”) and, more recently, two U.S. Senators.

2.  The Business Practices Of Outside Vendors That Provide Social Media Background Checks Are Being Examined For Compliance With Privacy And Intellectual Property Laws

On May 9, 2011, the staff of the FTC’s Division of Privacy and Identity Protection sent a “no action” letter to Social Intelligence Corporation (“Social Intelligence”), “an Internet and social media background screening service used by employers in pre-employment background screening.”  The FTC treated Social Intelligence as a consumer reporting agency “because it assembles or evaluates consumer report information that is furnished to third parties that use such information as a factor in establishing a consumer’s eligibility for employment.”  The FTC stated that the same rules that apply to consumer reporting agencies (such as the Fair Credit Reporting Act (“FCRA”)) apply equally in the social networking context.  These rules include the obligation to provide employees or applicants with notice of any adverse action taken on the basis of these reports.  Businesses should also be mindful of similar state consumer protection laws that may be applicable and may afford additional rights to employees and applicants (e.g. California Investigative Consumer Reporting Agencies Act).

The FTC concluded by stating that information provided by Social Intelligence about its policies and procedures for compliance with the FCRA appears not to warrant further action, but that its action “is not to be construed as a determination that a violation may not have occurred,” and that the FTC “reserves the right to take further action as the public interest may require.”  This FTC “no action” letter was reported fairly widely, and probably increased the comfort level of businesses that wanted to use an outside service for Internet background checks.

On September 19, 2011, Senators Richard Blumenthal (D-Conn) and Al Franken (D-Minn) sent a letter to Social Intelligence with 13 questions regarding whether the company is taking steps to ensure that the information it is gathering from social networks is accurate, whether the company is respecting the guidelines for how the websites and their users want the content used, and whether the company is protecting consumers’ right to online privacy.  The letter raises some legitimate concerns, and requests a prompt response from Social Intelligence to the questions presented.

3.  Legal Assurances That Your Company May Want To Seek If Using An Outside Vendor

Some of the questions also warrant due consideration on the part of businesses receiving reports from outside vendors about how much weight they want to give the information provided. Businesses should further consider what they may want in the form of legal assurances from the outside vendor that no laws (e.g. FCRA, privacy, copyright, or other intellectual property laws) have been violated in gathering the information or providing screenshot copies of pages from social networking sites.

Some of the questions from the Senators which raise these concerns include, for example:

1.  “How does your company determine the accuracy of the information it provides to employers?”  [Social Intelligence is reportedly collecting social networking activity dating back 7 years, and, therefore, may capture something that was later removed, or was a “tag” post through a picture that the job candidate was not responsible for making public, and may have removed once it came to his attention.]

2.  “Is your company able to differentiate among applicants with common names?  How?”  [e.g. Have they researched the correct “Jane Smith” of the hundreds on Facebook since social security numbers or other specific identifying information is not useful on social networking sites as it is with the standard background check.]

3.  “Is the information that your company collects from social media websites like Facebook limited to information that can be seen by everyone, or does your company endeavor to access restricted information.”

4.  “The reports that your company prepares for employers contain screenshots of the sources of the information your company compiles…These websites are typically governed by terms of service agreements that prohibit the collection, dissemination, or sale of users’ content without the consent of the user and/or the website….. Your company’s business model seems to necessitate violating these agreements.  Does your company operate in compliance with the agreements found on sites whose content your company compiles and sells?”

5.  There appears “to be significant violations of user’s intellectual property rights to control the use of the content that your company collects and sells.  …. These pictures [of the users], taken from sites like Flickr and Picasa, are often licensed by the owner for a narrow set of uses, such as noncommercial use only or a prohibition on derivative works.  Does your company obtain permission from the owners of these pictures to use, sell, or modify them?”

4.  Conclusion

Establishing an internal procedure for using the Internet to make employment decisions is one more piece of a sound ethics and compliance program that addresses how your company is using social media.  If using an outside vendor to perform social media background checks is part of that policy, you should assure yourself that the company is acting in compliance with the relevant laws.  Further, if your company does decide to use an outside vendor, the company should not assume that employees will forego their own Internet searches of job candidates unless they are specifically instructed to follow the company’s procedure.

Michelle Sherman is special counsel at Sheppard Mullin Richter & Hampton where she practices business litigation and consults with businesses on legal and regulatory compliance issues relating to social media and the Internet.  Michelle is the editor and contributing author to the law firm’s Social Media Law Update blog.
