FCPA Compliance and Ethics Blog

August 20, 2015

BNY Mellon and Lessons Learned In Hiring Family Members – Part II

In yesterday’s post I reviewed the Securities and Exchange Commission (SEC) Foreign Corrupt Practices Act (FCPA) enforcement action involving the Bank of New York Mellon Corporation (BNY Mellon) around its hiring of sons and nephews of foreign governmental officials to obtain or retain business from certain foreign Sovereign Wealth Funds. I discussed the underlying facts and penalties assessed against BNY Mellon as laid out in the SEC Cease and Desist Order (the “Order”). Today I want to provide some guidance on what this enforcement action may mean for companies going forward when hiring the sons and daughters or close family relatives of foreign government officials.

The first thing to remember is there is nothing in the FCPA which prohibits the hiring of a son, daughter or close family member of a foreign government official. What the FCPA does make illegal is an action where a company “or any officer, director, employee, or agent acting on behalf of such issuer, in order to obtain or retain business, from corruptly giving or authorizing the giving of, anything of value to any foreign official for the purposes of influencing the official or inducing the official to act in violation of his or her lawful duties, or to secure any improper advantage, or to induce a foreign official to use his influence with a foreign governmental instrumentality to influence any act or decision of such government or instrumentality.” [citation omitted]

The actions of BNY Mellon were clearly designed to not simply curry favor with the foreign governmental officials involved but also to either grow the business or help to retain what the company already had in place with the un-named foreign Sovereign Wealth Fund. At this point most companies have a written FCPA compliance program in place, consisting of policies and procedures. Note, this does not mean that the compliance program is effective because for a compliance program to be effective, a company must actually be doing compliance. Many FCPA enforcement actions occur because an exception was granted to a policy or procedure and either the reason for granting the exception was inappropriate or there was no documentation as to why the exception was granted. In the case of BNY Mellon, it was the latter.

BNY Mellon offered high value, high prestige summer internship programs for “undergraduates as well as a separate summer program for postgraduates actively pursuing a Master of Business Administration (MBA) or similar degree. Admission to the BNY Mellon postgraduate internship program was highly competitive and characterized by stringent hiring standards.” The main purpose of these internships was to give BNY Mellon an opportunity to evaluate the interns as potential permanent hires to the company. There was a designated track for nomination to the internship program and internal company evaluation prior to offering candidates an intern position. In other words, there were policies and procedures around the process but BNY Mellon did not follow them.

Hiring Process

The first Red Flag, which BNY Mellon seemingly ignored in this entire process, was that each of the candidates was recommended to the firm by foreign governmental officials who held control of business relations between Sovereign Wealth Funds and the bank. Their requests that their close family relations be hired by BNY Mellon were contrary to the bank’s own process of selecting candidates for its internship program from an exclusive group of universities and colleges in the US and UK. The Order noted, “Successful applicants had to achieve a minimum grade point average, and had to advance through multiple rounds of interviews in addition to having relevant prior work experience and a demonstrated affinity for and interest in financial services work.”

None of these indicia were present in the hiring of the foreign governmental official’s relatives at issue. There was no evidence the candidates met any of BNY Mellon’s own internal criteria for consideration to the internship program. Indeed, as the Order stated, “as recent graduates not enrolled in any degree program, the Interns did not meet the basic entrance standard for a BNY Mellon postgraduate internship.” Finally, to top it off, all three were hired sight unseen and “BNY Mellon decided to hire the Interns before even meeting or interviewing them.” 

The Internships

But BNY Mellon’s violative conduct did not stop by simply hiring the three close family relatives for its internship program. The three persons got benefits far more than simply a regular internship program. BNY Mellon designed special “Bespoke” internship programs for the three interns. As requested by their fathers and uncle, the three interns received “customized work experiences” which “were not regular undergraduate or graduate summer internships at all, but customized one-of-a-kind training programs. The internships were valuable work experience, and the requesting officials derived significant personal value in being able to confer this benefit on their family members.”

The internships were abnormally long, lasting six months, which was twice the normal length. Additionally they were “rotational in nature, meaning that Interns A, B and C had the opportunity to work in a number of different BNY Mellon business units, enhancing the value of the work experience beyond that normally provided to BNY Mellon interns.”

The Costs

In addition to the exceptions granted in the hiring process and the internships themselves, BNY Mellon also paid out money and non-monetary benefits in a manner different to others in the internship program. The Order stated, “BNY Mellon determined, because Interns A and B had already graduated from college, that Interns A and B should be paid above the normal salary scale for BNY Mellon undergraduate interns but below the scale for postgraduate interns. Intern C was unpaid. BNY Mellon also coordinated obtaining visas for all three of the Interns so that they could travel from the Middle East to work in the countries in which they were placed. BNY Mellon paid the legal fees and filing costs related to the visas. As the BNY Mellon Asset Management employee responsible for arranging two of the three internships wrote in a contemporaneous e-mail, the internships constituted an “expensive favor” for the requesting foreign official.” Indeed the Order cited to an email from one BNY Mellon employee who wrote, “I am working on an expensive ‘favor’ for [Official X] – an internship for his son and cousin (don’t mention to him as this is not official).” Further, BNY Mellon knew the request and accommodation was unethical, if not illegal, as the same employee wrote in another email, “[W]e have to be careful about this. This is more of a personal request . . . [Official X] doesn’t want [the Middle Eastern Sovereign Wealth Fund] to know about it.” The same employee later directed his administrative assistant to refrain from sending email correspondence concerning Official X’s internship request “because it was a personal favor.”

Lessons Learned Going Forward

I must emphasize once again that there is nothing illegal around the hiring of a close family member of a foreign governmental official. It does however present a higher risk for indicia of bribery and corruption and violation of the FCPA. A higher FCPA risk means you need to evaluate that risk more closely and manage that risk accordingly.

The obvious starting point for any hiring of a close family member of a foreign governmental official is whether the candidate is qualified for the position. If they are not qualified it is ‘Full Stop’ at that point. In the case of BNY Mellon there was no evidence any of the candidates had the academic background, the academic credentials, leadership traits or intangible skills to meet the bank’s normal internship hiring criteria. As with any other anomaly granted in a company’s normal process, there must be a documented reason for the exception, review by appropriate authority of the exception and documentation as to why the exception was granted. None of these steps were present in the BNY Mellon matter. Put another way, if you are hiring a family member or close relative of a foreign government official for any reason other than merit, it had better be a darn good one and well-documented as to your decision-making calculus with appropriate senior management oversight.

But your risk management does not stop simply with the hiring process. If the foreign governmental official is the person who made the request for the hiring of the family member, this is a Red Flag not to be overlooked. Your analysis needs to be on the role of that foreign governmental official in awarding new business to your company or in retaining old business. If the foreign governmental official has direct or even strong indirect control over such business relation, this may present such a direct conflict of interest that it may be a risk you cannot manage. A good rule of thumb here is whether there is full transparency in the hiring with the foreign government involved with your company. In the case of BNY Mellon, they did not want anyone in the Sovereign Wealth Fund to know BNY Mellon had hired the son or nephew. That is a clear sign transparency is lacking and someone, somewhere is engaging in unethical conduct, if not breaking the law.

Finally, if you do decide to move forward and hire the close family member, you need to assign that new hire to work not associated with the business relationship between your company and the foreign government involved. Just as in the lifecycle of third party management, managing the relationship after a contract is inked is in many ways the most critical element; the same is true in the employment relationship involving close family members of foreign government officials.

Ultimately, you need to have internal controls to ensure effective compliance going forward. You cannot have customer relationship managers making the calls on hiring which over-ride the Human Resources (HR) procedures. There must be not only HR review but also mechanisms to flag for compliance review such hires. Lastly, there needs to be sufficient senior management oversight because this is such a high-risk proposition.

I hope you have enjoyed and found this two-part series on the BNY Mellon FCPA enforcement action and the lessons learned from it useful. The SEC Order provides a clear road map to the Chief Compliance Officer (CCO), compliance practitioner, HR professional or anyone else who reads it on the steps you should take in the hiring of a close family member of a foreign government official with which you are doing business. It may take some additional effort compared with simply having your business unit employees make the call on who to award prestigious internships to in order to obtain or retain business, but in the long run you will have a better run company for doing so. FCPA enforcement is not a game and doing compliance will make your company a more accurately operated entity.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 12, 2015

Maurice Gilbert, CCI and Ten Questions A Board Should Consider About Compliance

For those of you in the compliance world who do not know Maurice Gilbert, you should. I could probably write an entire post on the number of hats that he wears. For the Chief Compliance Officer (CCO) or compliance practitioner, two of the most significant are as Managing Director at Consileum Inc., which I consider to be one of the premier compliance related search firms in America and as Founder and Managing Editor of Corporate Compliance Insights, known as CCI in the compliance world (full disclosure – I blog and write for CCI). If you are looking for some of the country’s top compliance talent for a corporate compliance position Maurice should be about the first person you call when even thinking about such a task. He can help you to define the scope of the position and then craft the position to attract some great talent for you to consider. Of course, you should always know one of the country’s top compliance talent recruiters because you never know when the right opportunity might be presented by a client to Maurice and you could perfectly fill the bill.

However it is his other hat that I want to highlight today. As Founder and Managing Editor of one of the top online compliance resources, Maurice leads a team that continually generates and posts some of the most insightful and useful pieces of information around the entire panoply of issues related to compliance. From my world of anti-corruption compliance, to trade-compliance, corporate boards and governance, auditing and much more, CCI is a resource you should have on your favorites toolbar. It was through Maurice and CCI that I was introduced to the writings and assorted wisdom of Jim DeLoach, who is one of my favorite contributors to read on CCI.

DeLoach is a Managing Director with global consulting firm Protiviti. He regularly writes and blogs on issues relating to Enterprise Risk Management (ERM). He put out such great material and a plethora of it that Maurice persuaded him to put it together for us in an eBook, entitled “Making Risk Management Work for You.” In the section entitled “10 Questions You Should Ask About Risk Management”, DeLoach lists 10 questions he says that a board and senior management should think about when considering ERM. I have used this section as a basis to reformulate the questions from a compliance perspective.

  • What are the company’s top compliance risks, how severe is their impact and how likely are they to occur? – Just as managing enterprise risk at a strategic level requires focus, the same is true for compliance. This requires you limiting your top risks to a handful so they can accurately be assessed and managed. DeLoach suggests that you should be emphasizing no more than five to 10 risks. Furthermore, “Day-to-day risks are an ongoing operating responsibility.”
  • How often does the company refresh its assessment of the top [compliance] risks? – As the Department of Justice (DOJ) continually reminds us, your compliance risk assessment process should be responsive to change in the business environment. It is now mandatory that teams have in place “a robust process for identifying and prioritizing the critical [compliance] risks, including emerging [compliance] risks, is vital to an evergreen view of the top risks.”
  • Who owns the top compliance risks and is accountable for results, and to whom do they report? – While this might seem self-evident in any best practices compliance program it is not always transparent within an organization. Clearly your CCO should own the top compliance risks and manage them but there should also be proper board oversight and reporting. DeLoach warns, “Gaps and overlaps in risk ownership should be minimized, if not eliminated.”
  • How effective is the company in managing its top [compliance] risks? – Just how effective is your compliance regime is a key question that any CCO or compliance practitioner needs to be thinking about on a regular basis. However, for the board and senior management level, there should be “a robust process for managing and monitoring each of the critical [compliance] risks.” Moreover, your “risk management capabilities must be improved continuously as the speed and complexity of business change.”
  • Are there any organizational “blind spots” around [compliance] warranting attention? – Some practitioners believe that the entire Foreign Corrupt Practices Act (FCPA) enforcement regime is a failure because companies are still engaging in bribery and corruption. But the simple fact is that since corporations are made up of people there will always likely be wrongdoers. DeLoach notes that “Cultural issues and dysfunctional behavior can undermine the effectiveness of [compliance] risk management and lead to inappropriate risk taking or the undermining of established policies and processes.” He cites several examples including “lack of transparency, conflicts of interest, a shoot-the-messenger environment and/or unbalanced compensation structures may encourage undesirable behavior and compromise the effectiveness of risk management.”
  • Does the company understand the key assumptions underlying its [compliance] strategy and align its competitive intelligence process to monitor external factors for changes that could alter those assumptions? – You might not think it could happen in a compliance regime but if a company fails to recognize that its business paradigm is changing, it could be too late to affect an appropriate compliance strategy for a new product line/service offering or breaking into a new geographic territory. Here DeLoach believes that while “no one knows for sure what will happen that could invalidate the company’s strategic assumptions in the future, monitoring the validity of key assumptions over time as the business environment changes is a smart thing to do.”
  • Does the company articulate its risk appetite and define risk tolerances for use in managing the business? – This is one area that always bears discussion. For some companies there is enough business in the middle of the road that they feel like they do not have to go up to the line of a FCPA violation to garner sales, while other companies have done deals that may have been lawful but, at the end of the day, had awful consequences for the business. Just because you can do something does not mean you should do it and a large part of such a calculus is around your risk appetite dialogue. DeLoach believes such ongoing conversations can assist to “bring balance to the conversation around which risks the enterprise should take, which risks it should avoid and the parameters within which it should operate going forward. The risk appetite statement is decomposed into risk tolerances to address the question, “How much variability are we willing to accept as we pursue a given business objective?” For example, separate risk tolerances may be expressed differently for objectives relating to earnings variability, interest rate exposure, and the acquisition, development and retention of people.”
  • Does the company’s [compliance] risk reporting provide management and the board information they need about the top risks and how they are managed? – Compliance reporting should begin with relevant information about the critical compliance risks and how those compliance risks are managed. DeLoach believes that some of the questions you should be asking under this prong are along the lines of the following: “Are there opportunities to enhance the [compliance] risk reporting process to make it more effective and efficient? Is there a process for monitoring and reporting critical [compliance] risks and emerging [compliance] risks to executive management and the board?”
  • Is the company prepared to respond to extreme [compliance] events? – DeLoach calls it an extreme event but I would ask, what will you do if your company is on the front page of the New York Times (NYT), Wall Street Journal (WSJ), Financial Times (FT) or any other similar media outlet for a compliance related violation or issue? Do you have a response plan in place? More so “Has it prioritized its high-impact, low-likelihood risks in terms of their reputational effect, velocity to impact and persistence of impact, as well as the enterprise’s response readiness?”
  • Does the board have the requisite skill sets to provide effective [compliance] risk oversight? – This goes to the heart of frustrations from both the compliance function side and the board side of the equation. Do your board and senior management have specific FCPA or other relevant anti-corruption training and understand your business model well enough to provide input regarding critical compliance risk issues on a timely basis? From the board’s perspective they may feel the information they receive is asymmetrical and that they do not receive enough material information to render good decision-making. From the CCO or compliance practitioner’s perspective, they may feel that they cannot get enough time in front of the board, audit committee or senior management to properly educate them on the issues.

I have only scratched the surface of DeLoach’s thoughts on ERM. I urge you to go to the CCI site and download the entire work. Did I mention the best thing about CCI and DeLoach’s book? It is free on the CCI site. So after you download DeLoach’s book, stick on the site and noodle around to find something that interests you or could be of assistance in your compliance practice. Don’t forget to check out CCI’s job listing because Maurice has that other hat that he wears as well.


January 22, 2015

Both Sides Now and Asking the Right Compliance Questions

One of my favorite singers has always been Judy Collins. Like most of us, I was introduced to her through her interpretation of Joni Mitchell’s song Both Sides Now which she released in 1967. Joni Mitchell did not record her own version of this song until 1969. It was not until the 1990s that I became aware that Mitchell’s inspiration for the song was that she gave up a child she bore out of wedlock in the early 1960s. She managed to put all that pain into one of the most beautiful ballads I have ever heard. I also did not know that Judy Collins was the inspiration for the Crosby, Stills, Nash & Young song Suite: Judy Blue Eyes until I read a recent piece about her in the Wall Street Journal (WSJ) Weekend Confidential column by Alexandra Wolf, entitled “Judy Collins”.

I thought about how long I mis-understood the genesis and import of these two songs when I read a recent article in the Winter 2015 edition of the MIT Sloan Management Review, entitled “The Power of Asking Pivotal Questions” by Paul J. H. Schoemaker and Steven Krupp. The authors posit that “In a rapidly changing business landscape, executives need the ability to quickly spot both new opportunities and hidden risks. Asking the right questions can help you broaden your perspective — and make smarter decisions.” Their findings showed that to help managers make better decisions they needed to (1) examine broad market trends and less visible undercurrents; (2) seek out diverse viewpoints to allow multiple views of complex issues; and (3) actually push back if consensus comes together too quickly. They posed six questions, which I believe have some direct insights and are important for the Chief Compliance Officer (CCO) or compliance practitioner so I have adapted their findings directly for the compliance function.

Think Outside In. The authors ask, “How well do you understand the implications of broad market trends and less visible undercurrents for your business and for upcoming strategic choices?” Here I think compliance practitioners need to understand not only what your business does but equally importantly where it is going. This is also true about where compliance itself is going as the Department of Justice (DOJ) now requires that companies which enter into Deferred Prosecution Agreements (DPAs) keep abreast of both technological innovations and also industry trends in compliance. To engage in some of the authors’ suggestions, you need to go to conferences outside the compliance function and to leverage your current networks and join new ones.

Explore Future Scenarios. In this query, you will need to consider, “How thoroughly have you analyzed major external uncertainties and future scenarios that could significantly impact your business decisions?” The authors point to war-gaming as an example of scenario planning. While a CCO may feel like he or she only has time to put out fires, you need to consider what may become the ‘elephant in the room’. Consider the example of GlaxoSmithKline PLC (GSK) in China. The new Chinese government had clearly been signaling an upcoming drive against bribery and corruption. It was only a matter of time until a western company got caught up in its dragnet. Yet, even with specific knowledge of a high ranking party functionary making internal whistleblower claims, GSK not only could not uncover its own systemic corruption but was caught flat-footed when Chinese officials brought forward substantive allegations and evidence of corruption. To help with this issue, the authors suggest you ask questions about the external business environment and to “scout for the periphery” of emerging compliance or regulatory trends. You should also follow developments in your industry to anticipate where the DOJ or Securities and Exchange Commission (SEC) might be going next with enforcement.

Be a Contrarian. This question focuses on diversity of opinions by asking, “Do you regularly seek out diverse views to see multiple sides of complex issues, and do you purposely explore important problems from several angles?” This is an ongoing battle that many corporate senior managers, including compliance practitioners, face, that being to “promote diverse and creative friction.” A CCO must learn to ask if the compliance team has sought sufficient contrarian input and been exposed to all sides of an issue before reaching a decision. While it is possible to counter the tendency of many compliance practitioners to go along to get along, offering contrarian compliance views is particularly essential when tackling major strategic decisions in an uncertain environment. The authors recommend you use such techniques as fostering constructive debate in meetings, pushing back when consensus groups form too quickly and designating specific devil’s advocates to argue the case against the prevailing views or conventional wisdom.

Look for Patterns. Taking a more analytical approach, the authors inquired as to whether “you deploy multiple lenses to connect dots from diverse sources and stakeholders, and do you delve deep to see important connections that others miss?” Connecting the dots entered the lexicon most prominently after 9/11. However it is an important concept for the compliance practitioner as well. You need to be able to “amplify discrete data points, connect them and take decisive action” because many compliance practitioners are limited by selective perception and seek information that confirms what they wish to believe.

To overcome this information bias, the authors suggest that you utilize the following strategies. One is to “Look for competing explanations to challenge your observations” as this allows you to “engage a wide range of stakeholders, customers and strategic partners to weigh in.” A second is that when you are “stuck trying to recognize patterns or interpret complex data, step away, get some distance and then try again. Sleep on the data, since the mind continues to process information when resting.” This is because each time you take “a break, and then reengaged, he got a deeper understanding and asked better questions.” Finally, do not forget the power of pictures, visualization and charts. You can “use visual graphs or flowcharts to juxtapose the larger picture with the individual puzzle pieces. Pattern recognition is easier when all the information is clearly laid out and presented in different ways.”

Create New Options. Under this prong, the authors investigate whether “you generate and evaluate multiple options when making a strategic decision, and do you consider the risks of each, including unintended consequences?” The authors believe that few senior leaders will “engage in creative thinking.” This can also be true for the compliance practitioner. The authors posit that “When people feel pressed for time, they become less flexible and much prefer certainty to ambiguity. Ambiguity aversion is typically heightened in crisis situations and can lead to cognitive myopia, a narrow focus that can be counterproductive.” To overcome this tendency to cut corners when we are under the gun the authors suggest the following. The first technique is to not simply present “binary go/no-go decisions, reframe a situation to always examine several more options.” Particularly as a compliance practitioner, with or without legal training, you should always inquire as to what else might we do? The second suggestion is to utilize “impromptu meetings when time is limited to generate more options, including unconventional choices. The Midnight Rambler crew did this during a major crisis.” Finally, you should work to “review alternatives based on clear criteria and rank options accordingly.” From this you should work to “Clearly define decision criteria, make them explicit, weigh them and then score each option against the criteria to identify the best choice. Be disciplined when it comes to making tough trade-offs.”

 Learn From Failure. The authors want to know if you encourage experiments and “failing fast” as a source of innovation and quick learning? If there is one area that a compliance practitioner will always face, it is failure. There will always be instances where an employee violates your Code of Conduct or compliance program. It does not matter if you are the World’s Most Ethical Company or somewhere below that level in the compliance strata. But as Paul McNulty said, “What did you do about it when you found out?”, remember this is his Maxim Number 3. The authors write that “Learning from mistakes has much to do with a leader’s mind-set and the questions that he or she asks both before and after an unexpected event occurs. Strategic decision makers abandon the pursuit of perfection, allow some room for well-intentioned mistakes, and examine what went wrong and why. What matters is how well a team learns from setbacks and what mode of inquiry it allows. The best teams try to fail fast, often and cheaply in search of innovation.”

The authors suggest three steps to help facilitate McNulty’s Maxim Number 3. First is to “Shine a light on mistakes as a source of new learning.” Do not bury or hide your missteps. Be open about them. Second, you cannot learn from your mistakes unless you study them so if your compliance regime fails in some way, perform a root cause analysis to determine the reason. Lastly, use your missteps as teaching moments going forward. The authors note that you should “Publicize stories about failed projects that led to innovative solutions. Praise those who learned from their errors and try to extract learning from near misses.”


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

November 12, 2014

John Doar and the Bio-Rad FCPA Enforcement Action – Part II

John Doar died yesterday. He was perhaps most famously known for his role as the House Judiciary Committee Chief Counsel during the investigation of and impeachment proceedings against then President Nixon. However, it was his role in the civil rights movement in the South that in large part inspired me to become a lawyer. He rode with the Freedom Riders in Alabama; walked with James Meredith so that he could register to attend the University of Mississippi, then stayed in the same dorm room with Meredith while the campus rioted; prosecuted the KKK in Mississippi after the murder of three civil rights workers in 1964; and marched for voting rights with Dr. King in Selma. My favorite John Doar story was retold in his obituary in the New York Times (NYT), where he stopped a riot in its tracks with the following: “‘My name is John Doar — D-O-A-R,’ he shouted to the crowd. ‘I’m from the Justice Department, and anybody here knows what I stand for is right.’ That qualified as a full-length speech from the laconic Mr. Doar. At his continued urging, the crowd slowly melted away.” In my book, he is right up there with Atticus Finch.

In an earlier post, I reviewed the Bio-Rad Laboratories, Inc. (Bio-Rad) Foreign Corrupt Practices Act (FCPA) enforcement action from the perspective of the Non-Prosecution Agreement (NPA) the company was able to secure with the Department of Justice (DOJ). Today I want to review the bribery schemes that the company used to either internally fund the bribes or attempt to evade internal detection. Both the NPA and the Securities and Exchange Commission’s (SEC) Order Instituting Cease-and-Desist Proceedings (Order). The compliance practitioner can use these bribery schemes not only for FCPA training but also to see if any such schemes or their indicia may be present in your company.

Initially I need to discuss the corporate structure. It was apparently quite decentralized. According to the Order, “Bio-Rad’s international sales organization (“ISO”) oversees the company’s international sales operations; this includes all locations outside the United States and Canada. In 2009, the ISO consisted of four sub-divisions: (1) Western Europe; (2) Asia Pacific; (3) Japan; and (4) Emerging Markets. Each sub-division had a general manager, reporting to the vice-president of ISO. The Asia Pacific sub-division included Vietnam and Thailand. The Emerging Markets sub-division included Russia and other eastern European countries. Some countries within the sub-divisions had a country manager who reported to the ISO sub-division general manager.” Emerging markets is clearly a high-risk area for pharmaceutical companies. If your business development or sales organization has such a designation, I would suggest that you check and see if there are sufficient protections in place to at least raise any red flags, which might need further investigation.

However, it was more than the management structure of the business operations that was decentralized; the compliance function was similarly structured. The NPA stated, “BIO-RAD also decentralized its compliance program such that its international offices were responsible for ensuring adequate compliance with its business ethics policy and code of conduct.” This decentralization so defanged the company’s compliance program that it could not perform even the most basic functions of a compliance organization: no due diligence on third parties, indeed no management of third parties at all from the compliance perspective; no risk assessments were performed; and, finally, the most damning was that the compliance function could not even ensure compliance with the company’s own business ethics policy.

The Russia Scheme

However the company used third party representatives to facilitate the bribery scheme. In addition to the lack of due diligence or usual steps that a compliance practitioner might put in place to manage third parties under the FCPA there were several other items of note which constitute lessons learned by the compliance practitioner. First and foremost was the commission rate paid to these third parties, that being between 15%-30%. This alone may well have been enough to demonstrate “a conscious disregard for the high probability that the Russian Agents were passing along at least a portion of their commissions to Russian government officials to obtain profitable public contracts for the sale of medical diagnostic equipment.” Further, the payments made to these agents were sent to countries outside Russia, where neither the alleged services were delivered nor where the agents were legally domiciled. Moreover, not only did these agents have no offices in Russia, they had no employees in Russia either.

Apparently there were contracts in place with these agents. The services these agents were specified to deliver included, “acquiring new business, creating and disseminating promotional materials to prospective customers, distributing and installing products and related equipment, and training customers.” But it really is hard to deliver services if you have no employees. Apparently there were times these agents did deliver something identified as “distribution services” for the commission rates between 15%-30%. However the estimated value of these services for the company was between 2%-2.5% of the total sales.

Another area of obvious concern should have been the pre-payment of commissions to these agents. Any time you pre-pay before a service is delivered (other than a retainer into a lawyer’s trust account) you can potentially run into trouble. But Bio-Rad took it a step further by making pre-payments before contracts with the ultimate buyer were negotiated. Any ideas where those pre-paid commissions might have gone? Another area was the amount of the commissions. They were just less than $200,000, which happened to be the authority level of the head of Bio-Rad’s Emerging Markets business unit. So there was no oversight or second set of eyes on these pre-payments because it was within the manager’s authority level. Finally, these pre-payments were actually forbidden under the contracts but they were made anyway.

The Vietnam Scheme 

The Vietnam Country Manager had contracting authority up to $100,000 and sales commissions up to $20,000. From 2005-2009 Bio-Rad apparently paid bribes directly to health care workers so they would purchase the company’s products. When it was pointed out to the Country Manager this was illegal, he simply moved to a distributor “at a deep discount, which the distributor would then resell to government customers at full price, and pass through a portion of it as bribes…Between 2005 and the end of 2009, the Vietnam office made improper payments of $2.2 million to agents or distributors, which was funneled to Vietnamese government officials. These bribes, recorded as “commissions,” “advertising fees,” and “training fees,” generated gross sales revenues of $23.7 million to Bio-Rad Singapore.” 

The Thailand Scheme

In Thailand, the bribery scheme involved was almost mundane compared to Russia and Vietnam. Bio-Rad acquired an interest in a Thai Joint Venture (JV) through an acquisition where it performed “very little due diligence” on the JV. Bio-Rad acquired a minority interest in the JV and it did not communicate directly with the JV’s distributors but only through the majority owners of the JV. The bribery scheme was funded through “an inflated 13% commission, of which it retained 4%, and paid 9% to Thai government officials in exchange for profitable business contracts.” The due diligence was so poor that Bio-Rad did not know that the prime third party sales representatives for the JV were the same majority owners of the JV.

Tomorrow, I will discuss some of the internal controls that a company might employ to help prevent such a compliance failure as occurred at Bio-Rad.


© Thomas R. Fox, 2014

July 29, 2014

Bringing It All Home, the Two Tough Cookies Wrap It Up For You, Part II

Note: I asked the Two Tough Cookies if they could put together a series of blog posts wrapping up the lessons they have seen and learned and written about in their series of Tales from the Crypt. They graciously put together a series of posts on the seven elements of an effective compliance program from their 10 tales of Business Conduct. Today, Part II of a Three Part Series…

3. Exercise Due Diligence to Avoid Delegation of Authority to Unethical Individuals

This one is tough, especially in global organizations. In many countries, you simply cannot run a background check, as criminal records are not public. In others, you can run them, but the criminal offense must be related to the job to exclude the candidate from being hired. In yet others, you can run them, but you can’t use them due to overly strict privacy rules. Then there’s the matter of cost relating to doing all this due diligence. The best thing you can do is determine the following:

  • First, is your business subject to a potential FCPA violation? If you are not “at risk” of public corruption because you are not engaging at any level with foreign government officials, then half the battle is won. Of course, you still run the risk of commercial corruption (bribes, kick backs, etc. with trading partners), but at least the spectre of government sanctions is not looming so large over you.
  • If you are “at risk” of an FCPA violation (you have interaction with govt. officials, including customs) have you developed a robust due diligence program, based on some corruption index to determine the level of due diligence required for your staff, your trading partners?
  • Have you identified your red flags thoroughly to spot anomalies in your business that would signal a deeper view is recommended?
  • Do you have staff to conduct the due diligence, or a vendor to do it on your behalf?
  • Are background checks run on everyone, or just certain individuals, or certain risk areas?
  • Have you taken a hard look at your gift policies to determine whether or not there are glaring holes that could give rise to inappropriate influence in business dealings?
  • Have you taken cultural considerations under advisement in your gift policies? Are they more stringent, or lax, compared to the US? Are the gift policies in Russia different than the gift policies in the US, because someone convinced someone else that you just can’t get things done without greasing a palm here or there?
  • Do you have a formal committee reviewing all charitable contributions, or, are “charitable contributions” acceptable as “facilitation” to get non-discretionary government functions moving along? Does your organization allow “facilitation payments” – if so, you better take a second, third, fourth look….

The point I’d like to emphasize here is that even companies that make it on the “World’s Most Ethical Companies” list also make it to the DOJ’s investigation list for foreign corruption, or violation of embargoes, sanctions, and the like. People interpret rules when the rules change, depending on the country. People then make mistakes in favor of what makes business sense to them, in their country, in their environment. You just have to make sure you’ve done what’s reasonable to prevent those mistakes.

4. Communicate and Educate Employees on Compliance and Ethics Programs

Here’s where the tone from the top, middle and bottom is key to your culture. This is probably the most important thing you want to measure. I am fond of saying 90% of a good ethics & compliance program is communication, and 10% is actions/deeds. While deeds do speak louder than words, it’s the communications – what you say, how you say it, what you mean by it, your intent – that frames up the actions of others. So you want to measure

  • Are the messages the same, the deeper you get into the organization? Is the understanding of the messages cascading from above the same the further down you go? Easy enough to measure with post-learning survey tools. Give all top, middle, and lower management the same “meeting in a box” and see if the understanding after delivery is the same. Reminds me of that campfire game, where the story starts at one end of the circle, and is completely different by the time the last person hears the tale. Your objective, of course, is to ensure that every person in the corporate audience hears the same message, and has the same take-aways, no matter who is telling the tale.
  • What kind of audience do you have? Does everyone have access to a computer, or do you have the challenge of manufacturing workers, with multiple languages and facilities to manage, and no technical means of reaching them? Have you done what’s necessary to ensure your training and communications mechanisms address every type of audience, or are pockets left out of the mix?
  • What learning aids do you have to help with understanding the code of conduct? Are the examples you use for harassment appropriate for your audience? Do you have a team of global reviewers who will not only preview your training, but offer suggestions on how to localize it to make it appropriate, meaningful and relevant to the teams they serve? If so, do they look at all communications pieces, or only certain ones? If only certain ones, which ones? And why?
  • Are there any leaders who go above and beyond when you launch your annual or quarterly training? I had an Asian business President who made sure he took the course the first day it was launched, and then sent a message to his leadership team about what he learned from the course, and what he wanted them to take away to their teams after they took the course. All of his team had the course done within the first month. I wanted to clone the guy, I swear!

I’m also reminded of mandatory harassment training I gave in Brazil one year. I relied upon the canned on-line training to help with my meeting amongst management, who all spoke English well. I was planning on asking them to cascade the messages to their teams while I was there, but they pointed out that the training was a farce. Women, they told me, wanted wolf calls lobbed in their direction in Brazil – it was not only culturally acceptable, but encouraged. This was substantiated by the several women in the room. Check. Fortunately, I had other examples at the ready to use for a facilitated session, which I vetted with the women on the team prior to delivery. Lesson learned? Make sure your ethics & compliance steering committee has global membership, and are willing to preview your training and communications prior to launch to ensure cultural relevance. If you don’t do this, your ethics & compliance program will be perceived as a joke. Not a desirable outcome, I would say….

5. Monitor and Audit Compliance and Ethics Programs for Effectiveness

So, how do you measure a non-event? I often ponder…. The challenge in highly ethical organizations is that you have, at first blush, very little to measure. If everyone’s doing a good job, how do you measure effectiveness? Is it because you have a great program that you have absolutely no calls on the hotline? Or is the reason for no calls to the hotline that everyone is trembling in fear of retaliation? Hmmm.

Some of the things you can measure include

  • Indicators and ‘yardsticks’ – do you crawl, walk, or run to goals?
  • Do you seek periodic stakeholder feedback (including E&C council input)?
  • What kind of documentation do you collect – trend analyses of HelpLine metrics, feedback on program enhancements as they are implemented, feedback on training and communications?
  • Do you routinely conduct a “Lessons Learned” exercise after substantiated hotline calls?
  • Does your HR team engage in site assessments when a location, facility, or team seems to have a lot of issues that arise from a single manager or set of team leaders?
  • How often are your Code, policies, procedures updated and reviewed? Are they tested for readability and understanding? Are they just published, or is training introduced for new policies as they are issued?
  • Do you conduct risk assessments and/or change training or communications based on perceived risk areas?

6. Ensure Consistent Enforcement and Discipline of Violations

Does your organization allow for mistakes? Many will say they do, but when the rubber meets the road, you will find that they can be unforgiving for some transgressions, and unbelievably forgiving for others…. You will want to measure

  • Whether or not there appears to be wiggle room when folks stray. Deeds in this aspect do speak louder than words.
  • Are roles and responsibilities clearly defined, with escalation clauses when things go wrong?
  • Does your organization communicate when things go wrong as well as when things go right? I know one organization that struggled mightily when I suggested we let everyone know what actions we took for certain code violations. The attorneys were all worried that someone would sue, of course, but in the end, integrity prevailed. We were able to sanitize the situations in such a way to communicate what had been done, and what discipline was taken, without anyone learning personal details. Importantly, it drew a virtual line in the sand by publicizing transgression and discipline, so that people knew boundaries. Of course, this was after years of me observing that discipline seemed to be discretionary within the organization, and as a result, trust in management “doing right” was eroding significantly. It didn’t hurt that my observations were followed by multiple hotline calls saying the same thing… but it should never get to that point, should it?

Also measure whether or not policies and communications:

  • Encourage reporting
  • Identify resources to raise concerns
  • Prohibit retaliation for good faith concerns
  • Identify management as the primary resource for issues or concerns
  • The average timeline to resolve complaints
  • Whether or not you benchmark reports that express fear of retaliation or unwillingness to consult with management first. This is tough to do, unless you build it in to your hotline reporting mechanism as a “customer service” function at the end of every call or report, actively soliciting this very feedback when a report is made.

7. Respond Appropriately to Incidents and Take Steps to Prevent Future Incidents

So, you are at the point where you have confidence you have the right policies and procedures in place to keep yourselves honest. But in case someone didn’t get the memo of “expected behavior” you have to make sure you respond appropriately, and take steps to avoid future missteps. One organization I worked at realized the culture of an acquired subsidiary was so awful that it opted to sell it off rather than try to fix it. They had other issues in the larger organization, but they knew a bad deal when they saw it, and took steps to rid themselves of an untenable position. Another organization I worked at kept throwing money at a subsidiary, when it probably would have been better to toss in the towel. Different organization, different results, neither perfect, but it fit them as they saw things.

When gauging the culture of your organization, some things you want to look at are the rewards and sanctions for behavior:

Positive rewards:

  • Retention of employment
  • Recognition
  • Appreciation
  • Commendation
  • Monetary or stock reward

Negative sanctions:

  • Termination or Suspension
  • Demotion
  • Probation
  • Appraisal comments/warnings
  • Reduction in compensation or bonus

You also want to measure your Performance Appraisal Systems, and look to see whether or not they include sections on:

  • Demonstrated Ethics and values in workplace conduct
  • Good communication skills
  • Building trust with stakeholders
  • Being fair or equitable
  • Maintaining a high level of quality or integrity in decision-making
  • Reporting Concerns
  • Empowering subordinates to report concerns
  • Training and development initiatives for the team

Tomorrow the Two Tough Cookies sum it all up…

This publication contains general information only and is based on the experiences and research of the authors. The authors are not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The authors, their affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Authors give their permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the authors.


June 30, 2014

In Due Diligence and World Cup Bids: Follow the Money

For those watching the 2014 World Cup, this year’s tournament has certainly been spectacular. From the US reaching the round of 16, to the incredible goals scored by Robbie Van Persie and Tim Cahill, to yesterday’s heartbreak for Mexico, who led until the 88th minute, only to be tied and then lose in stoppage time to the Netherlands, this year’s event has been one for the ages. However, one very large shadow hangs over the sport’s governing body, Fédération Internationale de Football Association (Fifa): allegations of corruption in its award of the 2022 World Cup to Qatar.

There were reports as far back as 2011 that Mohamed bin Hammam offered bribes to members of the Caribbean Football Union (CFU) at a meeting organized by the Fifa vice-president, Jack Warner. In a 2011 article in The Guardian, entitled “Fifa in crisis after claims against Jack Warner and Mohamed bin Hammam”, Owen Gibson reported, “nine of Fifa’s 24 executive committee members have been accused of corruption in recent months.” But these 2011 reports have paled in comparison to the reports detailed in the past few months regarding allegations of corruption concerning the award of the 2022 tournament to Qatar.

Earlier this month, The Sunday Times rocked the sporting world with its article “Plot to Buy the World Cup” by Jonathan Calvert and Heidi Blake. In the article, they reported that a number of football officials took £3m in return for support of the Qatari bid. The BBC, in an article entitled “Qatar World Cup 2022: Investigator nears probe conclusion”, said “The Sunday Times claims to have obtained secret documents that implicate the former AFC president in corrupting members of football’s governing body to win the right to stage the 2022 World Cup. The newspaper alleges the documents, seen by BBC sports editor David Bond, show that Qatari Bin Hammam, 65, was lobbying on his country’s behalf at least a year before the decision to award the country hosting rights. They also allegedly show he had made payments into accounts controlled by the presidents of 30 African football associations and accounts controlled by Trinidadian Jack Warner, a former vice-president of Fifa.”

This initial account has been supplemented by additional reports detailing these allegations. In another article in The Guardian, entitled “Mohamed bin Hammam accused of payments to help Qatar World Cup bid”, Agence France-Presse wrote that “Bin Hammam also paid $1.6m into bank accounts controlled by the Trinidadian Jack Warner, also a former vice-president of Fifa, $450,000 of which was before the vote for the World Cup”, citing the report in The Sunday Times. Both Qatar and bin Hammam have denied any improprieties in the award of the bid to Qatar.

But there were more reports of payments to those voting on the Qatar bid beyond Jack Warner. A June 16th report in the online publication República, entitled “ANFA chief admits receiving money from Hammam”, said that Nepal Football Association (ANFA) President Ganesh Thapa had been promised $800,000 from bin Hammam and had been paid $115,000. It also reported that Thapa’s son received $100,000 from bin Hammam. Thapa was quoted as saying that the money was for a business deal, “It is right that I received $115,000 but it was in connection with the business I have partnered with Hammam.”

There have been other issues raised regarding Qatar’s bid to host the World Cup. One is its treatment of the workers who are building the stadiums for the event and the appalling conditions those workers are facing. In an article in the online magazine Slate, entitled “The Qatar World Cup Is a Human Rights Catastrophe. It’s Time to Do Something About It”, Jeremy Stahl reported that the Nepali embassy has said 400 citizens of its country had died during construction in Qatar and India has reported that 500 of its citizens have died. The article quoted Sharan Burrow, the general secretary of the International Trade Union Confederation (ITUC), who said in an ESPN documentary “that at current rates, 4,000 people will die to make the 2022 World Cup a reality.” The ITUC itself had reported in March that there had been 1200 deaths in the construction of the facilities for the World Cup.

Another significant issue is the heat. Qatar can reach between 40-50C during the summer months, and for those of you who don’t read Celsius temperatures that translates to between 104 to 122 degrees Fahrenheit. I have been in such temperatures and I can assure you that is hot weather. However, although Fifa awarded the 2022 World Cup tournament to Qatar back in 2011, it has only now become aware of the fact that there is hot weather in the summer months in Qatar. If you have watched any games in this year’s tournament, you have seen European players wilt in 80+ degree, which for a Texan is rather pleasant. But no matter how much conditioned air you can pump into a stadium in Qatar, the fact is that it will be 120+ outside.

Even if the stadiums are air conditioned, how are you going to walk to them in that heat? To say that Fifa was unaware that it gets hot in the summer in Qatar seems disingenuous at best. As reported by Roger Blitz, in a Financial Times (FT) article entitled “Fifa faces quandary over World Cup in Qatar”, Sepp Blatter, Fifa President, has gone on record to say that awarding the 2022 World Cup to Qatar was “a mistake”.

But as my friend Mike Brown might say, when you are performing due diligence, ‘follow the money’. This is not only important in thinking about allegations of corruption in the award of the bid to Qatar but also in the overall context of Fifa and the World Cup. It has been estimated that over one-tenth of the world’s population is watching this year’s World Cup. In the US alone, the interest is so high that its game against Portugal had more viewers than Game 5 (the final game) of the recent NBA championship. This could well lead to billions for the television rights in 2022 alone. That means that advertisers and sponsors will be paying a pretty penny to be associated with World Cup 2022. Do you think some of the current sponsors, such as Adidas, Coca-Cola, Sony or Visa will want to be associated with such allegations of corruption or deaths of workers from such appalling working conditions?

There is a chorus growing to move the 2022 World Cup from Qatar to another country. Speaking with its usual grownup voice, the FT editorial board has called for a re-vote on the location of the 2022 World Cup tournament venue, in an article entitled “Blow the whistle on Fifa, please”, they said, “The case for rerunning the bid for the 2022 competition looks unassailable. Final judgment should await a pending report into the Qatar bid by Fifa’s top internal investigator. But a string of controversies – among them the health concerns over staging the competition in Qatar’s furnace-like climate – means a new venue is now needed.” But more than simply re-voting on the 2022 bid, the FT said, “Western governments and lawmakers should therefore bring their influence to bear. The US Congress could consider holding hearings to examine the relations between American multinationals and Fifa. US companies have to abide by stringent anti-corruption laws. Congress would be right to examine the implications of US companies doing business with a major international body that has such weak governance. Such public hearings might make corporate sponsors reconsider their stance.”

What are the lessons for the compliance practitioner? Sometimes you need to step back and look at the big overall picture. If a deal has come into your company that is particularly high reward, it generally means that it was high risk. You may want to do a more in-depth look at all aspects of the deal, from the business partners involved, to your internal gifts, travel and entertainment for your employees involved in securing the contract. Putting a second or even third set of eyes on something might well protect your company if something does not seem right, feel right or look right.


© Thomas R. Fox, 2014

June 5, 2014

Citibank: Multiple Failure of Compliance as the Hammer Drops

What is the cost of the failure to perform appropriate due diligence on a regular basis? What red flags should you look for when considering doing business with a customer, party in the sales channel or entity in the supply chain? All of these questions and more continue to swirl around Citigroup and its Mexican subsidiary Banamex over the ongoing investigation into allegations of fraud at Citi’s Mexico bank unit.

Citi had come to grief when there was a reported $400MM loss in Banamex involving the Mexican marine energy services company Oceanografía SA de CV. The problems arose after Banamex had extended $585MM in short-term credit to a company that Citi itself had warned its own bond investors was “from time to time subject to various accusations, including accusations of corrupt practices.” Oceanografía provided construction, maintenance and vessel-chartering services to the Mexican national energy company, Pemex’s exploration and production subsidiary. But Oceanografía’s fortunes changed sharply in February of this year after it became the subject of a new government review that resulted in a suspension of Pemex contracts to Oceanografía for the next 20 months. Banamex had previously advanced as much as $585 million to Oceanografía through an accounts receivable program, which would advance money to Oceanografía to provide services to Pemex. Pemex would then pay back Banamex, verifying invoices provided by Oceanografía to confirm that the work had been completed. In other words, Banamex was relying on Pemex’s ability to pay back the bank. But all of this ended when Pemex suspended its contracts with Oceanografía.

In a Wall Street Journal (WSJ) article, entitled “Citi Says Signs of Mexico Fraud Weren’t Escalated”, Christina Rexrode reported that Citi Chief Executive Officer (CEO) Michael Corbat told investors that employees “missed signs of trouble they should have recognized and elevated to superiors.” In a talk to investors Corbat was quoted as saying “There were telltales along the way” and he promised that “the bank would work on motivating and encouraging employees to raise their concerns when they notice potential problems.” But the problems ran deeper and were perhaps more systemic than simply the failure to escalate. Rexrode reported “People inside the bank have said the unit was allowed to operate as its own fiefdom, with New York employees struggling to get information about how the unit operated.” However, “A Citigroup spokesman said in a statement that “Banamex is absolutely subject to the same risk, control, anti-money-laundering and technology standards and oversight which are required throughout the company.””

These statements come on the heels of the dramatic firing of 11 Banamex employees just two weeks earlier. After meeting with the Citi Board of Directors, Corbat flew to Mexico City and terminated 11 employees. In an article in the New York Times (NYT), entitled “Citi Fires 11 More in Mexico Over Fraud”, Michael Corkery and Elisabeth Malkin reported that “Among those fired were four of the bank’s top executives in Mexico: its head of corporate banking, head institutional risk officer, head of trade finance and head of trade and treasury solutions. Some of the employees had worked at Banamex for as long as two decades and were not involved in the fraud directly. The bank fired many because they had not taken steps to detect the fraud or had ignored warning signs about the client.”

But apparently Citi expects there to be more disciplinary actions stemming from the matter. In an article in the Financial Times (FT), entitled “Citi fires 11 staff in Mexico unit”, Jude Webber, Camilla Hall and Kara Scannell reported that Corbat said in a memo to staff “Before our investigation concludes, we expect that several other employees, both inside and outside of Mexico, may receive forms of disciplinary action as well.” Two persons who may yet face such disciplinary action are “Manuel Medina-Mora, a Citi executive who oversees the Mexican operations and had his pay docked by $1.1m in March, or Javier Arrigunaga, Banamex chief executive.” Additionally, and perhaps more ominously for Citi, both the F.B.I. and prosecutors from the United States attorney’s office in Manhattan are investigating “Whether Citigroup willfully ignored possible warning signs”.

What red flags did Citi miss and for how long? One clue was reported in the NYT article, which noted that Oceanografía “is known among Mexican investors as politically connected but financially troubled. Credit rating firms in the United States, corporate bond investors and Mexican lawmakers have raised concerns about Oceanografía. In 2009, United States ratings firm Fitch warned about Oceanografía’s high leverage and poor cash flow generation. Fitch eventually withdrew its ratings because the company was not supplying enough information. In 2008, Standard & Poor’s noted that Mexico’s congress had investigated accusations of improper deals between Oceanografía and Pemex, though no wrongdoing was proved. Still, Oceanografía grew to become one of Banamex’s 10 largest corporate clients. The fraud erased 19 percent of the unit’s banking profits last year.”

These troubles were seemingly magnified in Mexico when the CEO of Oceanografía, Amado Yáñez Osuna, was arrested and charged with violating Mexican banking laws. In a WSJ article, entitled “Oil-Tinged Graft Scandal Roils Mexico”, Laurence Iliff and Amy Guthrie reported “The arrest deepens a scandal that has sent shock waves across Mexico’s political landscape. That put a spotlight on long-simmering allegations that the country’s former ruling National Action Party, known as PAN, used Pemex to favor Oceanografía and other contractors during the party’s 12 years in power, which ended with the 2012 election of President Enrique Peña Nieto of the Institutional Revolutionary Party (PRI).” Further, during those “12 years, Oceanografía’s contracts with the oil monopoly swelled from a few million dollars a year to hundreds of millions of dollars, according to a review of the contracts by The Wall Street Journal. Most of the contracts were obtained in public bids, although some were assigned directly without bids, including one contract for about $65 million in the final months of the Calderón administration.”

The case took a far more ominous turn when Mexican authorities announced last week that they had issued arrest warrants for multiple Banamex executives. In an article in the FT entitled, “Mexico issues fresh set of Banamex arrest warrants” Jude Webber reported that “Mexico has issued more arrest warrants – including an unspecified number for staff at Citigroup’s Banamex unit – a day after detaining the owner of the oil services company at the centre of a $400m alleged fraud scandal that has rocked the bank since its disclosure three months ago.” In an article in the NYT entitled, “Mexico Authorizes Arrests In Fraud at Citigroup Unit” Elisabeth Malkin and Michael Corkery reported, “Attorney General Jesús Murillo Karam of Mexico confirmed on Friday that the authorities were seeking the former executives. He declined to say how many were involved. “Yes, there are warrants, but I won’t say who,” Mr. Murillo Karam told reporters.” Apparently not even Citigroup knows whose arrests may be imminent.

What are the lessons for the compliance practitioner? Three key points are controls, escalation and oversight. What type of internal controls, or lack thereof, allowed one company to obtain such credit on what was basically receivables financing? What about allowing the Banamex unit to basically run its own show with little to no oversight from the corporate headquarters? Corkery and Malkin reported, “Citigroup is keen to demonstrate to regulators and investigators in the United States and in Mexico that it is cracking down on its employees for not catching the fraud. But the breadth of the punishment could also suggest that the bank, despite assurances that the fraud is confined to this case, has had widespread problems with controls and oversight across its Mexican unit.” Moreover, in his memo to staff, Corbat said, “we are reviewing our controls and processes in Mexico and strengthening any area we think falls short of our global standards or best practices.” Corbat also noted Citi was looking at ways to encourage employees to increase escalation of issues earlier.

Moreover, with these now imminent arrests of Banamex executives, Citi may be facing more serious charges in the US. Leaving aside the inane argument of a ‘rogue business unit’, it may be that the US parent chose not to look too closely at its high-flying and very profitable Mexican subsidiary. If, as it seems from the newspaper accounts, Oceanografía was well known for the business tactic of under-bidding for contracts and then making up the differences in cost overruns, this may not bode well for the Banamex executives or Citigroup. Likewise, if there was one company that Banamex did business with which engaged in such behavior, there may be other similarly situated companies once a detailed investigation of the Citigroup unit is concluded.


© Thomas R. Fox, 2014

