FCPA Compliance and Ethics Blog

September 24, 2014

Lessons from GSK in China – Internal Controls, Auditing and Monitoring

One of the great things about writing your own blog is that sometimes you can get going on a subject and just explore it. While I think I might sometimes get carried away when I delve into a topic, I certainly learn much while doing so. This week appears to be such a situation: in studying and researching the GlaxoSmithKline PLC (GSK) case, I find that it has much more to inform the compliance practitioner. So I am going to try and tie together some of the major lessons learned from the GSK Chinese enforcement action for the remainder of the week and present to you how such lessons might assist you in designing, implementing or upgrading a best practices compliance program. Today I want to look at internal controls, auditing and monitoring.

One of the questions that GSK will have to face during the next few years of bribery and corruption investigations is how an allegedly massive bribery and corruption scheme occurred in its Chinese operations? The numbers went upwards of $500MM, which coincidentally was the amount of the fine levied by the Chinese court on GSK. It is not as if the Chinese medical market is not well known for its propensity towards corruption, as prosecutions of the Foreign Corrupt Practices Act (FCPA) are littered with the names of US companies which came to corruption grief in China. GSK itself seemed to be aware of the corruption risks in China. In a Reuters article, entitled “How GlaxoSmithKline missed red flags in China”, Ben Hirschler reported that the company had “more compliance officers in China than in any country bar the United States”. Further, the company conducted “up to 20 internal audits in China a year, including an extensive 4-month probe earlier in 2013.” GSK even had PricewaterhouseCoopers (PwC) as its outside auditor in China. Nevertheless, he noted, “GSK bosses were blindsided by police allegations of massive corruption involving travel agencies used to funnel bribes to doctors and officials.”

Internal Controls

Where were the appropriate internal controls? You might think that a company as large as GSK and one that had gone through the wringer of a prior Department of Justice (DOJ) investigation resulting in charges for off-label marketing and an attendant Corporate Integrity Agreement (CIA) might have such controls in place. It was not as if the types of bribery schemes in China were not well known. In an article in the Financial Times (FT), entitled “Bribery built into the fabric of Chinese healthcare system”, reporters Jamil Anderlini and Tom Mitchell wrote about the ‘nuts and bolts’ of how bribery occurs in the health care industry in China. The authors quoted Shaun Rein, a Shanghai-based consultant and author of “The End of Cheap China”, for the following: “This is a systemic problem and foreign pharmaceutical companies are in a conundrum. If they want to grow in China they have to give bribes. It’s not a choice because officials in health ministry, hospital administrators and doctors demand it.”

Their article discussed the two primary methods of paying bribes in China: the direct incentives and indirect incentives method. Anderlini and Mitchell reported, “The 2012 annual reports of half a dozen listed Chinese pharmaceutical companies reveal the companies paid out enormous sums in “sales expenses”, including travel costs and fees for sales meetings, marketing “business development” and “other expenses”. Most of the largest expenses were “travel costs or meeting fees and the expenses of the companies’ sales teams were, in every case, several multiples of the net profits each company earned last year.””

It would be reasonable to expect that internal controls over gifts would be designed to ensure that all gifts satisfy the required criteria, as defined and interpreted in Company policies. It should fall to a Compliance Officer to finalize and approve a definition of permissible and non-permissible gifts, travel and entertainment, and internal controls will follow from such definition or criteria set by the company. These criteria would include the amount of the spend, localized down into increased risk such as the higher risk recognized in China. Within this context, noted internal controls expert Henry Mixon has suggested the following specific controls. (1) Is the correct level of person approving the payment / reimbursement? (2) Are there specific controls (and signoffs) that the gift had proper business purpose? (3) Are the controls regarding gifts sufficiently preventative, rather than relying on detect controls? (4) If controls are not followed, is that failure detected?

Auditing Lessons Learned

Following Mixon’s point 4 above, what can or should be a company’s response if one country’s gifts, travel and entertainment expenses were kept ‘off the books’? This is where internal audit or outside auditors are critical. Hirschler quoted an unnamed source for the following: “‘You’d look at invoices and expenses, and it would all look legitimate,’ said a senior executive at one top accountancy firm. ‘The problem with fraud – if it is good fraud – is it is well hidden, and when there is collusion high up then it is very difficult to detect.’” Jeremy Gordon, director of China Business Services, was quoted as saying “There is a disconnect between the global decision makers and the guys running things on the ground. It’s about initially identifying red flags and then searching for specifics.”

There are legitimate reasons to hold medical conferences, such as to make physicians aware of products and the latest advances in medicine. However, this legitimate purpose can easily be corrupted. Hirschler quoted Paul Gillis, author of the China Accounting Blog, for the following: “Travel agencies are used like ATMs in China to distribute out illegal payments. Any company that does not have their internal audit department all over travel agency spending is negligent.” Based on this, GSK’s auditors should have looked more closely at marketing expenses and, more particularly, the monies spent on travel agencies. Hirschler wrote, “They [un-named auditing experts] say that one red flag was the number of checks being written to travel agencies for sending doctors to medical conferences, although this may have been blurred by the fact that CME accounts for a huge part of drug industry marketing.”

Another issue for auditing is materiality. If GSK’s internal auditors had not been trained that there is no materiality standard under the FCPA, they may have simply skipped past a large number of payments made that were under a company’s governance procedure for elevated review of expenses. Further, if more than one auditor was involved with more than one travel agency, they may not have been able to connect the dots regarding the totality of payments made to one travel agency.

Ongoing Monitoring

A final lesson learned for today is monitoring. As Stephen Martin often says, many compliance practitioners confuse auditing with monitoring. Monitoring is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks.

Here I want to focus on two types of ongoing monitoring. The first is relationship monitoring, performed by companies such as Boston-based Catelas, through software products. It was reported in a Wall Street Journal (WSJ) article, entitled “Glaxo Probes Tactics Used to Market Botox in China”, that internal GSK emails showed the company’s China sales staff were instructed by local managers to use their personal email addresses to discuss marketing strategies related to Botox. The Catelas software imports and analyzes communications data, like email, IM, telephony and SMTP log files from systems such as Microsoft Exchange Servers and Lotus Notes. The software then leverages social network analysis and behavioral science algorithms to analyze this communications data. These interactions are used to uncover and display the networks that exist within companies and between the employees of companies. Additionally, relationships between employees and external parties such as private webmail users, competitors and other parties can be uncovered.

The second type of monitoring is transaction monitoring. Generally speaking, transaction monitoring involves review of large amounts of data. The analysis can be compared against an established norm, which is derived either from a business’s own standard or from an accepted industry standard. If a payment, distribution or other financial payment made is outside an established norm, it creates a red flag that can be tagged for further investigation.
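An added illustration of the transaction monitoring described above, combined with the earlier auditing points about payments that sit under the level for elevated review and totals that are split across reviewers. It is not code from this blog or from any vendor it names; the threshold, the near-threshold band, the norm multiple and the ledger are all constructed assumptions.

```python
"""Transaction-monitoring sketch over a constructed payment ledger."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Assumed policy values (hypothetical, chosen for the example).
REVIEW_THRESHOLD = 10_000   # payments at or above this get elevated review
NEAR_BAND = 0.10            # "just under" = within 10% below the threshold
NORM_MULTIPLE = 3.0         # flag totals above 3x the peer median
MIN_NEAR_HITS = 3           # repeated near-threshold payments before flagging


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor: str
    category: str        # e.g. "travel_agency", "venue"
    business_unit: str   # reviews are often split along this line
    amount: int          # whole currency units


# Constructed sample data, not taken from any real ledger.
LEDGER = [
    Payment("P001", "Agency A", "travel_agency", "BU-North", 9_800),
    Payment("P002", "Agency A", "travel_agency", "BU-North", 9_500),
    Payment("P003", "Agency A", "travel_agency", "BU-South", 9_900),
    Payment("P004", "Agency A", "travel_agency", "BU-South", 9_700),
    Payment("P005", "Agency A", "travel_agency", "BU-East", 9_600),
    Payment("P006", "Agency B", "travel_agency", "BU-North", 4_200),
    Payment("P007", "Agency B", "travel_agency", "BU-North", 3_100),
    Payment("P008", "Agency C", "travel_agency", "BU-South", 12_500),
    Payment("P009", "Agency D", "travel_agency", "BU-East", 6_000),
    Payment("P010", "Agency D", "travel_agency", "BU-West", 5_500),
    Payment("P011", "Venue X", "venue", "BU-North", 15_000),
    Payment("P012", "Venue Y", "venue", "BU-South", 14_000),
]


def totals_by_vendor(ledger):
    """Sum payments per vendor across ALL business units.

    Returns {vendor: (total, number_of_business_units)} so that spend split
    between several reviewers is seen as one figure.
    """
    totals, units = defaultdict(int), defaultdict(set)
    for p in ledger:
        totals[p.vendor] += p.amount
        units[p.vendor].add(p.business_unit)
    return {v: (totals[v], len(units[v])) for v in totals}


def near_threshold_counts(ledger, threshold=REVIEW_THRESHOLD, band=NEAR_BAND):
    """Count, per vendor, payments that fall just below the review threshold."""
    floor = threshold * (1 - band)
    counts = defaultdict(int)
    for p in ledger:
        if floor <= p.amount < threshold:
            counts[p.vendor] += 1
    return dict(counts)


def flag_vendors(ledger):
    """Return {vendor: [reasons]} for vendors that warrant a closer look."""
    totals = totals_by_vendor(ledger)
    near = near_threshold_counts(ledger)
    category_of = {p.vendor: p.category for p in ledger}
    largest = defaultdict(int)
    for p in ledger:
        largest[p.vendor] = max(largest[p.vendor], p.amount)

    # The "established norm" here is the median vendor total in each category.
    peer_totals = defaultdict(list)
    for vendor, (total, _units) in totals.items():
        peer_totals[category_of[vendor]].append(total)

    flags = {}
    for vendor, (total, _units) in totals.items():
        reasons = []
        if total > NORM_MULTIPLE * median(peer_totals[category_of[vendor]]):
            reasons.append("total_exceeds_norm")
        if near.get(vendor, 0) >= MIN_NEAR_HITS:
            reasons.append("repeated_just_under_threshold")
        # No materiality cut-off: small payments still add up to a total
        # that would have been reviewed had it been a single payment.
        if total >= REVIEW_THRESHOLD and largest[vendor] < REVIEW_THRESHOLD:
            reasons.append("aggregate_without_review")
        if reasons:
            flags[vendor] = reasons
    return flags


if __name__ == "__main__":
    for vendor, reasons in sorted(flag_vendors(LEDGER).items()):
        print(vendor, totals_by_vendor(LEDGER)[vendor], reasons)
```

A flag here is only a prompt for review of the underlying invoices and approvals, which is where the business purpose of each payment is actually tested.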

GSK’s failure in these three areas now seems self-evident. However, the company’s foibles can be useful for the compliance practitioner in assessing where their company might be in these same areas. Moreover, as within any anti-corruption enforcement action, you can bet your bottom dollar that the regulators will be assessing best practices going forward based upon some or all of GSK’s missteps.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

January 9, 2013

Marks of Excellence – the Lakers 33 Game Winning Streak and FCPA Compliance Tools

Sorry Bill Simmons, but today we celebrate one of the great modern day records of any American sports franchise. On this day 41 years ago, the Milwaukee Bucks beat the Los Angeles Lakers to end the Lakers 33 game winning streak. This is the longest winning streak of any professional American sports team. 1971-72 was the greatest season in Laker history with the team winning the then record of 69 games for the season, topped off with a National Basketball Association (NBA) championship, after a 4-1 romp over the New York Knicks in the finals. By any measure, the Lakers achieved true greatness in that season.

One of the more interesting areas of Foreign Corrupt Practices Act (FCPA) compliance work is its evolving nature (although some might say more frustrating). However, as compliance work and compliance programs mature, the tools, products and services available to help companies better manage the business of compliance continue to evolve as well. Several articles recently caught my attention and, in particular, one product caught my eye. Two of the articles appeared in the Financial Times (FT) and spoke to the advance in the sophisticated nature of compliance tools available. The final article was in the New York Times (NYT) and focused on a systemic failure by the US Air Force in the implementation of a computer upgrade that spoke to the difficulties a compliance practitioner can face in implementing a new compliance regime or engaging in a system upgrade.

The first FT article was by Jennifer Thompson, entitled “Rogues revealed by bad language”. In this article Thompson reported on research by Ernst & Young on information they received from the US Federal Bureau of Investigation (FBI). Thompson reported that “Phrases such as ‘nobody will find out’, ‘cover up’ and ‘off the books’ are among those most likely to litter the in-boxes of corporate rogues, according to fraud investigators deploying increasingly popular linguistic software.” Moreover, “Expressions such as ‘special fees’ and ‘friendly payments’ abound for those embroiled in bribery cases, while rogue employees feeling the heat are likeliest to write that they ‘want no part of this’ as well as the somewhat misguided ‘don’t leave a trail’.”

The technology angle is that there is software available which performs linguistic analysis that “initially protects employee anonymity, can flag uncharacteristic changes in tone and language in electronic conversations and can be tailored for particular types of employees, such as traders.” Further, Thompson noted that the “use of technology is set to grow as compliance departments police sprawling organisations to avert potentially costly mistakes.”

The second FT article was by Richard Waters, entitled “Counter-terrorism tools used to spot fraud”. In this article Waters detailed how “JPMorgan Chase has turned to technology used for countering terrorism to spot fraud risk among its own employees and to tackle problems such as deciding how much to charge when selling property behind troubled mortgages. The technology involves crunching vast amounts of data to identify hard-to-detect patterns in markets or individual behaviour that could reveal risks or openings to make money.” While the article focused on the use of the software to spot fraudsters, I believe that such techniques could well be brought in to help in the fight against corruption and bribery.

Another area where technology has come into play to help compliance programs is in due diligence. Most compliance practitioners are aware of the various levels of due diligence, that being Levels I, II and III. One difficult question has been how does a company perform in-country native language source business information investigations, without paying someone to put ‘boots on the ground’ and then have to pay for a translation, sort of due diligence Level I (a). I was recently introduced to a software tool by Arachnys Information Services Ltd (Arachnys) and I can tell you that it does some really cool stuff and can certainly help to fill a gap. Arachnys software can run your designated search terms in local media, such as newspapers or other sources, and not simply through a Google search database. It can then translate the local source for you and deliver the results to your computer. This software allows a compliance practitioner to perform in-country computer based due diligence at a level that I had not previously seen available. And as I said, it is really cool.

The final article was by Randall Stross, entitled “Billion-Dollar Flop: Air Force Stumbles on Software Plan”. In this article Stross discussed the failure by the Air Force to install and implement ‘off-the-shelf software’ which was originally budgeted at $628MM. In November of last year, the Air Force “canceled a six-year-old modernization effort that had eaten up more than $1 billion. When the Air Force realized that it would cost another $1 billion just to achieve one-quarter of the capabilities originally planned –  and that even then the system would not be fully ready before 2020 – it decided to decamp.” While there were numerous reasons given for the failure, the main reason attributed was that there was not “a single accountable leader” who “has the authority and willingness to exercise the authority to enforce all necessary changes to the business required for successful fielding of the software.”

The failure of the Air Force’s attempt to modernize its software speaks to one of the issues present when implementing or scaling up a compliance regime. First, do not start with the ‘Big Bang’ approach and try to do everything at once. There is usually more success by scaling implementation or enhancement down into manageable chunks. Next is the point raised above, that being that there must be a leader who not only has the authority but the willingness to exercise the authority to make the changes. Additionally, coupled with this type of leader, is the need for local buy-in which is important, as is empowering small groups to make the necessary decisions.

So today we celebrate the greatness of the Lakers and their phenomenal season of ‘71-72. In the compliance world, best practices are evolving but so are the tools which you can implement into your compliance program. The mining of data has many uses. Some companies such as Catelas Inc. can look at the relationships of persons and parties involved. Other software, such as that available through VisualRisk IQ, can mine the data and come up with financial or data points for further investigation. On the due diligence front, Arachnys software can help fill in holes for your in-country native source business information searches. Lastly, do not fall into the trap of the US Air Force; manage not only the expectations but the entire compliance process.

© Thomas R. Fox, 2013

October 23, 2012

Money, Money, Money: Use of Big Data in Your Compliance Program

What is No. 2 on the biggest selling rock and roll album of all-time list? It’s Pink Floyd’s Dark Side of the Moon. In addition to learning that there is no “dark side” to the Moon as it is all dark really, my favorite cut off the album was the song Money. I was thinking about that song and how it might have some relevance to the Foreign Corrupt Practices Act (FCPA) or Bribery Act, in a rock and roll sort of way, when I came across an article in the October issue of the Harvard Business Review, entitled “Big Data: The Management Revolution” by authors Andrew McAfee and Erik Brynjolfsson. The authors’ basic premise is that by exploiting vast new flows of information, a company can improve its performance. However, to do so there must be a corresponding change in the company’s decision-making culture. In business today, many companies are concerned about having not the new thing but the new, new thing. In the FCPA world we might call that evolving best practices, as it is another way to phrase many of the emerging business techniques and strategies that can have application to the FCPA compliance practitioner.

What is Big Data?

The authors differentiate ‘Big Data’ from other analytics through three key facets. First is the sheer volume of data that is now available to companies. The authors note that “more data comes across the internet every second than were stored in the entire internet twenty years ago.” The second difference is in velocity with the abundance of real-time or “nearly real-time information”. The authors believe that the “speed of data creation is even more important than the volume.” The final difference is in the form of the data; it is not simply numbers from structured databases but “big data takes the form of messages, updates and images posted to social networks, readings from sensors; GPS signals from cell phones, and more.”

A New Culture of Decision Making

While noting that the technical challenges in capturing or storing ‘Big Data’ can be formidable, the authors believe that the managerial challenges can be even greater. When data is scarce, expensive to obtain or not available in digital forms, the authors posit that “it makes sense to let well placed people make decisions, which they do on the basis of experience they’ve built up and patterns and relationships that they’ve observed and internalized”, in other words “intuition.” The authors believe that when ‘Big Data’ is involved the Highest Paid Person’s Opinion (HiPPO) must “be muted.”

There must be a shift in thinking by the decision makers. The authors believe that two key questions should be “What does the data show?” and then follow up with some more specific questions such as “Where did the data come from?”, “What kinds of analysis were conducted?” and “How confident are we in the results?” However, as important as these questions might be, the bigger challenge for any decision maker using ‘Big Data’ is that they “can allow themselves to be overruled by the data”. The authors believe that nothing speaks louder to employees than “seeing a senior executive concede when data has disproved a hunch.”

Five Management Challenges

The authors write that there are five “particularly important areas” in the effective management of change when it comes to ‘Big Data’.

  1. Leadership. ‘Big Data’ does not erase the need for leadership’s vision and insight. However companies will succeed using ‘Big Data’ because leadership teams “set clear goals, define what success looks like, and ask the right questions.” The authors believe that the companies who lead the way in the use of ‘Big Data’ will be those who use these time honed techniques while changing the way they make decisions.
  2. Talent Management. While data scientists and other similar professionals skilled at working with large amounts of numbers will be important, the authors believe that “cleaning and organizing” the data so that a decision can be made will be equally important. They note that such skills are not currently taught in universities so that company personnel will need to develop the ability in “crossing the gap between correlation and causation.”
  3. Technology. The authors recognize that at the end of the day it is people who will analyze the data but that technology is “always a necessary component of a ‘Big Data’ strategy.” They also believe that the tools available to handle ‘Big Data’ are out there in the marketplace but there is still a skill set required that most IT departments do not have, which is to “integrate all the relevant internal and external sources of data.”
  4. Decision Making. Here the authors believe the key is that company personnel who understand the problem must be brought together with the right data and that these same personnel must have “problem solving techniques that can effectively exploit” the ‘Big Data’. This requires a company leadership which puts “information and the relevant decision making rights in the same location”. The authors termed it as the “not invented here syndrome” and that employees must work throughout the decision making calculus.
  5. Company Culture. In addition to moving away from the HiPPO syndrome noted above, executives must stop claiming that they are using data and analytics to make decisions when they are simply spicing up their reports “with lots of data that supported decisions they have already made”. The authors believe that the first question that a company should ask is not “What do we think?” but “What do we know?” Such an inquiry will allow businesses to gravitate away from making decisions based on “hunches and instinct” to those based upon the data.

What about the application of ‘Big Data’ to FCPA and Bribery Act compliance? I think this article shows the power of not only data analytics but also continuous monitoring. In their article the authors end by stating “Data-driven decisions tend to be better decisions.” The same is true in compliance. Whether you use a software tool, such as Catelas software to pull down large amounts of information and make decisions based upon this data or design a protocol to continually monitor segments of your information through the guys at Visual Risk IQ, cutting edge technology is available to assist the compliance practitioner. But with all data, the key is how to use it and I believe that compliance practitioners who can review large amounts of information from their own internal company and analyze it quickly and efficiently will be able to better protect their companies and keep them in compliance. This will inevitably lead to more complete and better decisions and companies will be able to respond more quickly to compliance challenges as they arise.

And Pink Floyd? Just remember, Money, Money, Money…or listen to the You Tube version by clicking here.

© Thomas R. Fox, 2012

February 24, 2012

Innovation and Compliance

Can compliance be innovative? Or can innovation inform your compliance program? Can some of the techniques and strategies of the world’s most innovative companies be brought to bear in the field of anti-corruption and anti-bribery?

I thought about those questions, and perhaps some others, while reading the March issue of Fast Company, with a cover title of “The World’s 50 Most Innovative Companies”. In his column, “From the Editor”, Robert Safian wrote about “The Lessons of Innovation.” He said that in reviewing the Top 50 most innovative companies, he drew eight key themes. As I read these I thought about them and their relationship to compliance. So with a tip of the hat to Mr. Safian, here is my compliance spin on his eight key themes of corporate innovation.

1.      Compliance should be a strategy, not a tactic. Starbucks recognized that profit alone is a “fairly shallow aspiration, and it’s not enduring.” Most people want to do business with companies which do not engage in bribery and corruption. Indeed the UK Bribery Act enshrines this in its Six Principles of Adequate Procedures by stating that a company should only conduct business with other ethical companies.

2.      Big companies need to be as nimble as small companies. Safian notes that the top four companies: Apple, Google, Facebook and Amazon.com all continue to “drive the agenda across the global economy.” This should also be true of your compliance program. You need to use the tools available to you to update your risk assessment if you move into new business lines, products or geographical areas. Similarly if one of your competitors comes under anti-corruption scrutiny, you should review any similar practices that your company might have, such as its sales model or vendors in the Supply Chain.

3.      Technology is disruptive in unexpected places. Here Safian gives the example of LegalZoom, which is “challenging the definition of a law practice” by providing useful legal forms and documents to consumers. In the compliance arena, the number of technological innovations is as broad as it is deep. Companies like Catelas and VisualRisk IQ have developed software products which can allow review and assessment of a large number of data points or other quantitative data. You can even get apps for smartphones which allow submission of expense requests directly to your compliance department.

4.      Compliance is a competitive advantage. Apple has never been publicly reported as going through a Foreign Corrupt Practices Act (FCPA) investigation. What is their stock price today and is it still undervalued? Even when it recently received negative publicity regarding its manufacturing facilities in China, it responded quickly and brought in an outside monitor to assess and report. Apple also annually assesses its third party vendors and makes that report public. Do you think that keeps vendors on their collective toes? You bet it does.

5.      Use of social media makes compliance better. My former speaking cohort, Stephen Martin, then General Counsel for Corpedia, often spoke about Code of Conduct 3.0, which is a web-based interactive tool which helps guide employees through a Code in an interesting and stimulating manner. The same is true of training. You no longer need to simply have a video conference to deliver compliance training around the world. Companies like Click4Compliance have interactive, web-based solutions that you can utilize. I noted above about the smartphone app which allows employees from around the world to submit expense requests to the compliance department and receive an instant response back from an assigned compliance team member.

6. Data is power. If you don’t document it, you can’t measure it. If you don’t measure it, you can’t assess it. If you don’t assess it, you can’t improve it. That is how an engineer tends to look at things. In the compliance world, if you don’t document it, it never existed (Cue drum roll for: document, document and document). Both are true. You have to document things to prove that you actually did them. But if you do not have data, you cannot determine if your compliance program is successful or improve it.

7.      Money is flowing. Here, Safian does not mean necessarily that more funding is available. However, in the compliance world I believe that this means that forces other than legal compliance (for example, US Department of Justice (DOJ) or UK Serious Fraud Office (SFO) enforcement) are beginning to drive compliance. Insurance companies have developed insurance coverage for FCPA investigations; D&O insurers are requiring companies to have a compliance program to cover directors and officers sued in shareholder derivative actions based upon admitted FCPA violations; and perhaps most interestingly, banks and other financial institutions are reviewing anti-corruption compliance programs to determine if they meet minimum best practices and then writing maintenance of these programs into their loan covenants.

8.      Copycats are history. Safian notes that “emerging market entrepreneurs aren’t just following the successes of others, they are creating new, distinct models”. In the compliance arena I believe that ‘out-of-the-box’ solutions are no longer best practices. Companies need to assess their specific compliance risks and then design programs to specifically manage those compliance risks. If your company uses a sales model of agents, one type of compliance management strategy may need to be employed. However, if your company is a manufacturing company, which sells through distributors, another compliance management strategy may be required. Do not simply purchase a compliance program off the shelf. Either design it to fit the needs (and realities) of your business model or work with an expert who can do so.

The innovation angle is not one that is usually in the front of the line at compliance conferences or in thinking through compliance programs. But if you listen to Lanny Breuer, Chuck DuRoss or any other DOJ speaker, they continually talk about evolving best practices in anti-corruption compliance. Any reader of Deferred Prosecution Agreements (DPAs) over the past 18 months is well aware of the changes in focus that the DOJ has in these documents. Certainly, many of the compliance techniques are driven by the compliance challenges in the individual companies. But if your company has engaged in mergers and acquisitions, why would it not follow the ‘enhanced’ compliance guidance found in the Johnson & Johnson DPA and train all high risk employees within 12 months of acquisition and perform a full compliance audit, within 18 months of acquisition? So my conclusion is that innovation in the compliance arena is key. As compliance programs mature and as companies mature in their approach to compliance, innovation will continue to lead best practices.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

February 28, 2011

After the Contract is Signed: How Frequently Should You Perform (FCPA) Due Diligence

Yesterday we participated in a workshop at the 2011 SCCE Utilities & Energy Compliance and Ethics Conference with Scott Lane, President of the Red Flag Group. In his presentation, he discussed a White Paper that he and his colleague James Walton recently released entitled, “Best Practices in Conducting FCPA /Anti-bribery Due Diligence”. We went back and read the article and found it to be an excellent resource for many questions relating to due diligence as required by the Foreign Corrupt Practices Act (FCPA) or any best practices anti-bribery and anti-corruption program. Today we will focus on the question of how often a company should perform due diligence on its foreign business relationships.

Lane and Walton begin by noting that due diligence is very hard to keep consistent as no two are ever the same. They believe it is important to keep a close watch on information sources, to search for improved providers, and ensure that the information you are looking at is useful for the business needs. The specific time frame for ongoing due diligence depends on the risk profile of a company’s foreign business relationship. They provide three benchmarks: (1) annually; (2) biennially; or (3) at contract renewal.

The authors suggest several risk factors which a company should evaluate in determining the frequency of due diligence. These include:

Physical location of the partner: The authors define this risk as whether the foreign business partner is located in, or providing services to your company in, a geographic area recognized as a high risk country. Reference can be made to the Transparency International Corruption Perceptions Index or another recognized country risk rating such as Country-Check.

Findings of the original due diligence: The authors define this factor as one based upon prior due diligence investigation. The key issues here are (1) were any Red Flags identified and (2) how were these Red Flags cleared?  It is assumed that if a Red Flag was raised in prior due diligence, then the Red Flag was cleared to enable the business relationship to come into existence. This also brings up an important point about Red Flags that is often overlooked. A Red Flag should not automatically mean that a foreign company cannot become a foreign business partner of your company. It does mean that the Red Flag must be investigated and cleared before such a foreign business relationship is created.

Type of partner: There are a wide variety of foreign business relationships which require due diligence under the FCPA. As noted in several recent Deferred Prosecution Agreements, such as the Alcatel-Lucent, Maxwell Technologies and Panalpina settlements, these can include resellers, agents, intermediaries, consultants, representatives, distributors, teaming partners, contractors and suppliers, consortia and joint venture partners. Those foreign business partners which are actively promoting your company in the market place put your company at the greatest risk and should therefore require more due diligence.

Type of customers the partner sells to: Most companies understand the motto “Know Your Customer” but under the FCPA, and other anti-bribery best practices, your company must also know the customers that your foreign business partner sells to or, in any other manner, interacts with. The more interaction with foreign governmental officials that your foreign business partner engages in, the more due diligence scrutiny is appropriate.

Amount of business being transacted by the partner: The authors point to this risk factor by noting that a company should keep a close watch on the dollar volume of business that it may engage in with a foreign business representative. We would suggest that a company should also review the relevant percentages of services or goods sold or services rendered for each foreign business partner. A company should certainly desire to know if a certain vendor provided a very high percentage of raw materials or any services critical to the delivery of products. Additionally if most, or all, of a company’s products are sold by or through one foreign business partner, this may call for greater due diligence scrutiny.

The authors end by noting that they believe the ideal solution for renewal of due diligence is a mixed approach based on risk. In most cases, renewals should be done annually or at least every two years. However, best practice also requires regularly checking whether the partner, or its directors, shareholders or senior executives are listed on any watch lists. This should be completed periodically – at least monthly.


© Thomas R. Fox, 2011

January 25, 2011

What are the Odds in Your FCPA Compliance Investigation?

The experts have spoken and the Astros are a 75-1 long shot to win the World Series. But that is just what the experts predict and as we are 3 weeks away from pitchers and catchers reporting for Spring Training I prefer to take the pink cloud approach, that at least as of now, the Astros have as good a chance as any team to make it to the Fall Classic. Of course, in the 50+ years of professional baseball in Houston, the Astros (and their predecessor Colt 45s) have made it that far only once. But at least it happened in my lifetime…

All of which brings us to this posting’s topic, Catelas software. In my transaction lawyer life, I do work for some medium to small software companies, which license software generally related to the energy industry. One of the best pitches you can make about a software product is along the lines of the following, “I have this software which can do some really cool stuff.” I recently saw a demonstration of Catelas software and came away thinking, this is some really cool stuff. But even more than such platitudes, the software allows the FCPA compliance professional a different way to continuously monitor within a company for possible Red Flags and to begin, organize and implement a FCPA compliance investigation in a more cost effective manner.

The Catelas software imports and analyzes communications data, like email, IM, telephony and SMTP log files from systems such as Microsoft Exchange Servers and Lotus Notes. The Catelas product then leverages social network analysis and behavioral science algorithms to analyze this communications data. These interactions are used to uncover and display the networks that exist within companies and between the employees of companies. Additionally, relationships between employees and external parties such as private webmail users, competitors and other parties can be uncovered.

From this data, Catelas creates visual relationship maps. These maps can help a company focus resources in any FCPA compliance investigation on the persons within the company with whom an individual under investigation has interpersonal relationships. The thesis of this approach is that data and information move through trusted relationships. A person who may be involved in a FCPA compliance matter would be more likely to use such trusted relationships within a company, rather than involving others, to transmit data and information or to engage in any FCPA violative activity.

This approach can assist an investigator in not only finding out what may have transpired in the past but it also allows the investigator to focus on who should be questioned going forward. Such relationship maps can also inform the overall investigation protocol by allowing a company to key in on certain persons and transactions, rather than simply running the entire company’s email database through a key word search program, or worse yet, having a law firm (presumably a young associate) read every email at the earliest, preliminary investigative stage.

By automatically uncovering who is talking to whom, when they connected and how well they know each other, the Catelas software product identifies both the internal and external people most likely to be involved. This allows a company to review more relevant data and from that point, expand the scope of any FCPA investigation as warranted. The Catelas approach can assist a FCPA compliance investigation in at least three ways.

1. Early Assessment: quickly ascertain the scope, cost and risk associated with an incident or case making you better prepared, earlier. Determine if there is a FCPA violation, who is involved, both internal & external and uncover all relevant content.

2. Data Identification & Collection: determine who and what to investigate before collecting a single email or pulling data from computers. Eliminate the need to re-collect later, avoid spoliation. Eliminate early irrelevant custodians and avoid over collection.

3. Compliance: quickly uncover inappropriate relationships, non-obvious connections and webmail information theft by dynamically monitoring communications patterns of employees, partners and consultants inside and outside your organization.
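To make the relationship-map idea concrete, here is an added sketch (not Catelas code, and not taken from the product) that builds a per-person map from message metadata alone and ranks contacts for early custodian scoping. The log entries, the domains and the scoring rule (reciprocated traffic weighted above one-way traffic) are all assumptions made for illustration.

```python
from collections import defaultdict

INTERNAL = "corp.example"          # assumed company mail domain
WEBMAIL = {"webmail.example"}      # assumed list of private webmail domains

# Constructed sample metadata (date, sender, recipient); no message bodies needed.
LOG = [
    ("2011-01-03", "dana@corp.example", "eli@corp.example"),
    ("2011-01-03", "eli@corp.example", "dana@corp.example"),
    ("2011-01-04", "news@corp.example", "dana@corp.example"),
    ("2011-01-05", "dana@corp.example", "agent@webmail.example"),
    ("2011-01-06", "agent@webmail.example", "dana@corp.example"),
    ("2011-01-07", "dana@corp.example", "eli@corp.example"),
    ("2011-01-10", "news@corp.example", "dana@corp.example"),
    ("2011-01-11", "dana@corp.example", "agent@webmail.example"),
    ("2011-01-12", "agent@webmail.example", "dana@corp.example"),
    ("2011-01-12", "eli@corp.example", "frank@corp.example"),
    ("2011-01-13", "dana@corp.example", "frank@corp.example"),
    ("2011-01-14", "news@corp.example", "dana@corp.example"),
]

def classify(address):
    """Label a correspondent as internal, private webmail, or other external."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain == INTERNAL:
        return "internal"
    return "webmail" if domain in WEBMAIL else "external"

def relationship_map(log, person):
    """Per contact of `person`: message counts by direction, first and last contact."""
    ties = defaultdict(lambda: {"out": 0, "in": 0, "first": None, "last": None})
    for date, sender, recipient in sorted(log):
        if person not in (sender, recipient) or sender == recipient:
            continue
        other, direction = (recipient, "out") if sender == person else (sender, "in")
        tie = ties[other]
        tie[direction] += 1
        tie["first"] = tie["first"] or date
        tie["last"] = date
    return ties

def review_scope(log, person, top_n=2):
    """Rank contacts: reciprocated traffic counts fully, one-way excess at half weight."""
    ranked = []
    for other, t in relationship_map(log, person).items():
        mutual = min(t["out"], t["in"])
        strength = 2 * mutual + 0.5 * (max(t["out"], t["in"]) - mutual)
        ranked.append((other, classify(other), strength, t["first"], t["last"]))
    ranked.sort(key=lambda r: (-r[2], r[0]))
    return ranked[:top_n]
```

On the constructed log, the reciprocated webmail correspondent outranks both the internal colleague and the high-volume one-way newsletter sender, which is the kind of non-obvious connection a keyword search over message bodies would not surface.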

If any of this piques your interest, I would suggest you check out the Catelas website. It provides visuals on what I have been describing. You are probably wondering how the Catelas product relates to the Astros and their 75-1 shot at making the Big Dance next fall. Well, if you utilize this software product, I believe it would put your odds at much better than the Astros winning the World Series. Moreover, Catelas will allow you to conduct a more efficient, more cost effective and focused FCPA compliance investigation.
© Thomas R. Fox, 2011
