The Alchemist of Comedy and Utility Industry Compliance

Harold Ramis died on Monday. For a generation of comedians and fans of comedy he was one of the driving lights of that genre. He was one of the screenwriters of Animal House and wrote the screenplays for both of the Ghostbuster movies, in addition to starring in them. His New York Times (NYT) obituary called him the “Alchemist of Comedy” and quoted from Paul Weingarten, who wrote, in The Chicago Tribune Magazine in 1983, “More than anyone else, “Harold Ramis has shaped this generation’s ideas of what is funny.”” So thanks Harold Ramis for Blutto, Otter, Founder, D-Day, Dr. Spengler and all the rest.

I am currently attending the Society of Corporate Compliance & Ethics (SCCE), 2014 Utilities & Energy Conference. As usual, it is an excellent event for the compliance practitioner. One of the things that I find not only intriguing but also extremely useful about this conference is the pairing of compliance practitioners from the fields of energy and utility. I did not attend the utility focused sessions for the first couple of years but now prefer those sessions because they focus so much on the process of compliance. While the actual compliance issues are not anti-bribery or anti-corruption, the process-oriented approach utilized in the utility energy can be a great set of lessons for the energy industry compliance practitioner to consider when looking at an energy company compliance regime.

On Monday there was a presentation by David Douglass, Federal Energy Regulatory Commission (FERC) Compliance at Kansas City Power & Light Company. Initially, Douglass presented several different compliance models, which the anti-corruption compliance practitioner can use to benchmark or evaluate your company’s compliance program. The first one Douglass termed the Compliance Maturity Model – Compliance at Every Level. It included:

• Step 1 – Reacting only and engaging in panic. The elements of this level of maturity include the admonition to “Get it done”. Typically under this step compliance is operating in isolation and can only marshal resources as necessary and where ever they might be found.
• Step 2 – Anticipating and acceptance of compliance. This increased maturity can help to bring about some efficiency, usually through the accepted use of automation. This allows a compliance practitioner to see connections between multiple programs and take steps to plan future approaches to ongoing and ad hoc compliance challenges as they might arise.
• Step 3 – Collaborating. Under this step, compliance moves to being seen as a collaborative partner with the business units. This allows the identification of risks, the assessment of the company’s exposure to those risks and to prioritizing actions to meet those assessed risk. Finally, the collaboration step can allow for the re-use of technological components for multiple purposes, thus reinforcing great cost savings and value.
• Step 4 – Orchestrating through and with the rest of the company. Under this ultimate step in the model, compliance works to help set enterprise wide objectives to help to coordinate enterprise wide risk analysis and response. The corporate wide visibility to risk analysis, management and remediation as well as compliance performance.

In addition to the above Compliance Maturity Model, Dougalss discussed two of the programs were set out by federal utility regulators. The first was the FERC’s Effective Compliance Program, which has the following seven standards:

1.  Internal standards and procedures to prevent and detect violations;
2. High-level management knowledge and oversight of internal compliance programs;
3. Reasonable (due diligence) efforts to screen out “poor performers”;
4. Reasonable internal communications and training efforts;
5. Reasonable steps to evaluate program effectiveness, including confidential reporting options for employees;
6. Creating and enforcing compliance incentives and noncompliance sanctions;
7. After detection of a violation, companies shall take reasonable, responsive steps.

He then cited to the North American Electric Reliability Corporation’s (NERC’s) four hallmarks of effective compliance programs, which included the following:

1.    Senior management / leadership

• Compliance Program is established in the company.
• Compliance Program is formally documented and widely disseminated throughout the organization.
• The Compliance Program is supervised by a high ranking company representative.
• The head of the compliance function has access to President / CEO and Board.
• The Compliance Program is designed and managed with independence.
• There are sufficient resources dedicated to implement Compliance Program.
• The Compliance Program has the full support of all company leadership

2.    Preventive measures are in place

• A sufficient frequency of review of compliance program occurs.
• There is sufficient frequency of training of employees on compliance program.
• There is sufficiency of subject matter training of employees on compliance program.

3.    Prompt detection, cessation, and self-reporting

• There is a sustainable process to internally assess compliance with regulations.
• There is a sufficient response to identification of wrong-doing or misconduct.

4.    Effective remediation

• There are effective internal controls and procedures present to prevent recurrence of misconduct.

Douglass also discussed the ‘3-lines of defense concept” for a best practices compliance program. Under this concept a properly constructed compliance program has three lines of defense to prevent a compliance incident. These three lines of defense are identified as (1) the Risk Content Owners line of defense; (2) the Risk Process Owners line of defense; and (3) the Risk Content and Content Monitoring Owners line of defense.

 I.                Risk Content Owners

This first line of defense is the business owner(s) who are on the front lines for any company. Their roles include management of day-to-day business risks and to recommend actions to manage and treat that risk. This group also is tasked with complying with the company’s risk management process. Where appropriate, this group will implement risk management processes where applicable and this group will execute risk assessments and identify emerging risk.

 II.             Risk Process Owners

This second line of defense is typically the company legal and compliance departments. Not only are these the standard setters in an organization but they may also be charged with certain monitoring tasks. This group should establish policy and process for risk management. This group is the strategic link for a company in terms of risk. It should provide guidance and coordination among constituencies. It should identify enterprise trends, synergies, and opportunities for change. This group should also initiate change, integration and operationalization of new compliance best practices. Typically this group is the liaison between the third and first lines of defense. Lastly, this group will oversee certain risk areas and in terms of certain enterprise objectives such as compliance with regulations such as Foreign Corrupt Practices Act (FCPA), Export Control, etc.

III.           Risk Content and Monitoring Owners

This third, and final, line of defense is generally thought of as the Assurance Providers and consists of senior management, Internal Audit and up to the Board of Directors. Its roles include either working with or through senior management and/or the Board of Directors. This line of defense is tasked to rationalize and systematize risk assessment and governance reporting so that it is not only transparent but useful and stored in a manner that can be retrieved if a regulator comes calling. It will provide oversight on risk management content/processes, followed by the second line of defense. Finally, it will provide assurance that risk management processes are adequate and appropriate.

This tripartite model is an excellent way for a company to not only think through how to design an overall structure but as an outline to assess how well it may be doing in any one specific compliance area such as anti-corruption compliance under the FCPA. The first line of defense should be driven down to the Business Unit level. This will allow, indeed require, the Business Unit to buy into the overall compliance program. The legal and compliance departments are the key bridge that writes and leads implementation of the overall compliance program through training but also assesses whether the compliance program is effective and remains robust. The role of senior management is to provide overall leadership and deployment of resources throughout this entire process.

I have found that the anti-corruption compliance, or indeed the anti-money laundering (AML) or export-control practitioner can learn quite a bit from their peers in the utility industry. While they may not rise to the level of “Alchemist of Comedy”, as did Harold Ramis, you might want to listen to what they have to say.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Corruption in Turkey and Integrating Your Risk Assessment

One of the more public and ongoing corruption scandals in the world right now seems to be happening in Turkey. To say the events and facts are confused is an understatement. At this point there are not any international players who have been implicated but given the breadth and scope of what has come out of that country over the past month or so, it would only appear to be only a matter of time. It began in December when, according to the BBC, “The arrests were carried out as part of an inquiry into alleged bribery involving public tenders, which included controversial building projects in Istanbul. Those detained in the 17 December raids included more than 50 public officials and businessmen – all allies of the prime minister. The sons of two ex-ministers and the chief executive of the state-owned bank, Halkbank, are still in police custody.”

The Prime Minister claims that all of these arrests were simply political theater, generated by supporters of Fethullah Gulen, an influential Islamic scholar living in self-imposed exile in the US. Members of Mr. Gulen’s Hizmet movement are said to hold influential positions in institutions such as the police and the judiciary and the AK Party itself. Many believe the arrests and dismissals reflect a feud within Turkey’s ruling AK Party between those who back the Prime Minister, Recep Tayyip Erdogan. On Tuesday the Prime Minister and his supporters struck back at the police by removing approximately 350 police officers from their positions in the capital, Ankara. The Prime Minister and his supporters have also attacked the judiciary leading the investigation, claiming that it is all politically motivated.

In addition to the obvious turmoil based on the above, the country is feeling the fallout in the international monetary arena. In an article in the Financial Times (FT), entitled “Turkey warns of corruption probe risk”, reporter Daniel Dombey said that the country’s currency, the Turkish lira, had dropped 7.5% since the initial arrests back in December. He quoted the country’s Finance Minister, Mehmet Simsek, who said that there had been “some negative implications for the Turkish macro [economy].” Dombey also noted that the Turkish stock market had dropped almost 12% during the same time frame.

In the 2013 Transparency International (TI) Corruptions Perceptions Index (CPI), Turkey had a score of 50 which gave it a rank of 53 out of the 177 countries listed. It generally had better scores than other countries in southeastern Europe such as Greece and the Balkan countries. Other than Cyprus, it had better CPI scores than most other mid-eastern countries. But what about now and what does this mean for the US based multi-national who is currently doing business in Turkey or considering doing so?

One of the things that a compliance program must have is the flexibility to respond to changing events on the ground. Just as last summer’s GlaxoSmithKline PLC (GSK) corruption scandal in China brought attention to those issues in China, these very public events should bring the attention of your compliance team. My former This Week in FCPA co-host Howard Sklar said that a compliance program needed to be nimble in order to respond to such events in far-flung places. Risks change and they must be evaluated on a regular basis or in response to new facts on the ground, such as those which are present in Turkey.

There may also be more than anti-corruption risk at play in any given situation. If a company only looks at one type of risk, such as anti-corruption, rather than others such as export control or anti-money laundering (AML) it can lead to the concept of what is called the “functional trap” of labeling and compartmentalizing risk. In an article in the June issue of the Harvard Business Review (HBR), entitled “Managing Risks: A New Framework”, authors Robert Kaplan and Annette Mikes declare that good risk discussions must be integrative in order for risk interaction to be evaluated. If not, a business “can be derailed by a combination of small events that reinforce one another in unanticipated ways.”

The authors posit that it is difficult for companies to accurately and adequately discuss risk for a variety of reasons. One of these reasons is the aforementioned silo effect which can lead to a lack of discussion by a wide group regarding a number of risks, for example compliance risk; reputational risk; brand risk; credit risk; human resources risk are but a few of the types of risks mentioned in their article. The authors believe that one of the ways to knock down these silos when it comes to a more complete management of risk is to “anchor their discussions in strategic planning, one integrative process that most well-run companies already have” in place.

The authors cautioned that beyond simply introducing a systematic process for identifying and mitigating key risks, companies should also employ a risk oversight structure. The authors discussed the experience of the Indian IT company, Infosys, which uses a dual structure. It consists of a central team that identifies general strategy risks and then establishes central policy, together with a specialized, decentralized functional team. This second team designs and monitors policies and controls in consultation with local business units. These decentralized teams have the authority and expertise to respond to changes in the company’s risk profile coupled with the nimbleness and agility of being in the field to deal with smaller issues before they become larger problems for the central team back in the corporate office.

I believe that the current political turmoil in Turkey provides an example of the diversity your compliance program and risk assessment must maintain. Just as it is important to perform due diligence on third party representatives, before execution of an appropriate contract, the real work is in managing the relationship. In risk management, you must identify and assess the risk but the real work begins in managing the risk. This is where the rubber meets the road.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Interview with Jon Rydberg

Ed. Note-today I continue with my series of interviews with thought leaders in the compliance arena. Today, I post an interview of Jon Rydberg, CEO and Founder of Orchid Advisors.

Where did you grow up and what were your interests as a youngster?

I spent the majority of my life in Connecticut but lived in the Los Angeles area for approximately nine years. My wife and I moved back to the east coast in 2009 to be with family. Growing up the son of two teachers and a two-time valedictorian meant my childhood was destined to be focused on academics, leaving little time for other interests such as golf and soccer. My true childhood passion was entrepreneurship, only I didn’t know it at the time. My parents would say that I was good at generating ideas, starting a project and then losing focus only to do it all over again with another new idea. I guess you could classify my childhood to resemble that of a early-stage venture capitalist.

Where did you go to college and what experiences there led to your current profession?

My father was a teacher at the local high school. So, naturally that meant I had to attend the local preparatory school, Avon Old Farms. It was an incredible experience being surrounded by the best and brightest of student athletes and tenured professors. After high school, I received a BS in Mechanical Engineering and an MBA in Corporate Finance from Bucknell and Rensselaer, respectively. And, I was only a few classes short of a Masters in Accounting before my career escalated and my free time for academic interests became hard to come by

How did my current career spawn from that? It likely began with my first job, designing packaging for explosive devices in accordance with DOT regulations. Shortly after I was managing R&D efforts for tactical weaponry that were destined for Aerospace & Defense giants such as Lockheed, Boeing and United Technologies. In the early 2000s I led the A&D industry segment a global audit and consulting firm Protiviti and had a similar client service role for Ernst & Young. Almost every product I’ve touched since day one has been subject to a federal or state regulation. Today, I am the CEO of a national consulting practice focused on Transforming the Compliance Ecosystem^TM.

You have worked both in Big 4 accounting firms and in corporations. What lessons did you learn from these different types of employment experiences?

#1 – The concepts of compliance, internal control and internal audit are too often misunderstood, including amongst top executives. Unfortunately, the concepts are thought of us impediments, not enablers, of high-end business performance or beneficial elements of the corporate governance structure – until it is too late. The Orchid team offers an open invitation to any person or firm that wishes to partner on our initiative to enhance the perceived value of these functional areas.

#2 – Achieving compliance, comfortably, means establishing it as an equal business metric to quality, safety and financial performance. Human nature will drive people to focus on incentivized areas, obviously. So, concepts like a ‘balanced scorecard’ add value to ensuring the long-term viability of the organization and protects owner interests.

#3 – Don’t be afraid of recognizing when help is needed, no one knows everything. Take the opportunity to learn from those who’ve seen both the good and the bad elsewhere.

You have worked with a variety of US governmental agencies. Are there any general guidelines that you can give the compliance practitioner to who might be presenting to or working with a government agency for the first time?

Yes, I think it can be summed up with my favorite phrase – there is a big difference between being compliance and having a compliance program. The point is, Federal and State agencies have a job to do in both establishing new legislation and then regulating it. The role of a regulator isn’t loved but there’s not much we can do about it. A best practice approach is to build trust, be honest and transparent and recognize that continuous improvement begins with a self assessment and ends with a written compliance plan.

What led you to found Orchid Advisors and how do you hope to change the Compliance Ecosystem^TM?

I had worked with a number of high-profile attorney’s on various compliance projects who knew the law inside and out but who had little practical implementation experience. It was clear to me that someone, or some firm, had to be created to bridge the gap between those who could recite the regulations chapter and verse and those who make and ship widgets on a daily basis. Orchid Advisors was launched to ‘operationalize’ compliance with a proprietary methodology called the Compliance Ecosystem^TM.

The Compliance Ecosystem^TM takes the concept of compliance (as a department or impediment to execution) to a whole new level. Much like the Japanese approach to manufacturing processes and total quality development, the Compliance Ecosystem embeds compliance control into: (1) Business strategy; (2) Corporate culture; (3) Process and technology; and (4) Continuous improvement. Furthermore, it emphasizes the importance of managing compliance not only within the four walls of your business, but also at your suppliers, distributors and other supply chain partners.

And, the beauty of our methodology is that it applies to every industry, any company size or structure and any regulation. That being said, our initial focus includes: Anti-bribery (FCPA, UK Bribery, etc.); ATF firearms compliance; ITAR compliance; Import / Export compliance and Sarbanes-Oxley compliance.

You recently released the book “Anti-Bribery Leadership”, authored with myself. Who do you think should read this book and why?

Our book is unique. As Matt Kelly, Editor of Compliance Week stated, “it isn’t Shakespeare and it’s not intended to be.” This guide is specifically designed to be short and laser focused for high-level corporate executives, board members and corporate attorneys. In 60 pages we’ve provided:

• A list of questions that those executives should be asking their own organizations;
• A compliance methodology accepted by the Federal Government;
• Examples of high-risk areas drawn from our own Department of Justice and Securities and Exchange Commission investigations; and
• Tools to govern the ongoing operations of the business.

Anti-Bribery Leadership: Practical FCPA and U.K Bribery Act Compliance Concepts for the Corporate Board Member, C-Suite Executive and General Counsel is available in both bound and eBook versions. You can purchase a bound copy by clicking here and an eBook version on Kindle by clicking here. The eBook version is currently a Top Ten best-seller.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Risk Assessments in an Anti-Money Laundering Compliance Program

Today we celebrate that noted British comedian who made his fame in America – Bob Hope.  He had a successful film career largely thanks to the series of seven “Road” movies he made with Bing Crosby and Dorothy Lamour, including Road to Singapore (1940), Road to Morocco (1942), Road to Utopia (1946) and Road to Rio (1947). Hope is also known for his entertainment of US military forces overseas. In 1941, after America’s entrance into World War II, Hope began performing for US troops abroad; he would play shows for more than a million American servicemen by 1953. Some 65 million people watched him perform for troops in Vietnam on Christmas Eve in 1966, in his largest broadcast. Hope also became a legend for his countless TV specials, which he would perform over the course of some five decades. He hosted the Academy Awards ceremony a total of 18 times, more than any other Oscars’ host.

What does Bob Hope have to do with compliance? First he was a comedian and second he reinvented himself several times. The anniversary of his birthday reminded me of an article written by Carole Switzer, the co-founder and President of the Open Compliance and Ethics Group (OCEG), for Compliance Week Magazine entitled “Analyze This: The Value of Business Risk Assessments.” In her article, one in a continuing of her series of GRC Illustrated articles, Switzer says that anti-money laundering (AML) compliance programs, like therapy are “difficult to define and relatively easy to avoid.” She quoted Larry David, co-creator of Seinfeld and creator of “Curb Your Enthusiasm” for the following thought on therapy, “I know enough about myself now to know that I really don’t need to know anymore.” Unfortunately, as Switzer notes, many companies have the same problem when it comes to their AML programs.

Switzer discusses a recent report by the UK Financial Services Authority (FSA) which highlighted four general reasons that UK banks failed to have effective AML programs. The same four reasons hold true for non-banking sector US companies in the area of AML.

(a) Denial. The FSA reported that one-third of the banks “failed to review their business-risk assessment program on a regular basis. Additionally, about one-third of the companies scrutinized also failed to alter their risk assessments in response to new developments and insights, such as when allegations of major corruption were levied against a customer or when a country’s risk profile spiked due to regime change.”

(b) Grandiose delusions (imagine a bank with grandiose delusions!). The FSA found that too many “customer-facing “relationship managers” could override customer risk scores produced by the risk-assessment program—without sufficient evidence to support the decision to disregard the score.”

(c) Borderline suspicious. Bank personnel did not understand how the AML risk assessment was generated and indicated that they were “confused” regarding what score indicated that a customer was a high risk.

(d) Avoidance coping. The FSA noted that institutions “inappropriately low risk weightings for high-risk factors, “sometimes overtly”; while “other banks chose to ignore well-known high-risk indicators and other adverse information from a variety of sources, “such as links to certain business activities commonly associated with higher levels of corruption.”

Fortunately Switzer laid out her thoughts on what an effective business risk assessment program should contain. From this risk assessment, you can identify where your company should focus its AML resources, determine how changes might affect your company, and where your program may need enhancement. She is quite clear that without an effective risk assessment, “your AML program will be inefficient as well as ineffective.” She sets our five steps to take.

1. Define the Risk. Switzer says that “At the forefront of any good business risk assessment program is an executive vision. The executive sponsorship must ask themselves diffi­cult, critical questions.” This is largely because while there are certainly known risks to a business there are also risks you and your company may not be aware of so it is important to define what you know but leave it flexible enough to cover the unknown when it becomes known to you. Switzer lists some of the questions that you might begin with, which include: What are the inherent risks in our current business? What controls do we have in place? How much risk, after the business risk assessment process is instituted, remains? Should we close business locations? Should we add additional controls? Should we put spending restrictions in place? Are other industries at the same level of risk?
2. Gather Intelligence. In this step, after executive sponsorship has set the strategy in motion, you must gather intelligence to truly understand the exposure across the organization’s products, services, and customer base. The AML team should consult local business and compliance leaders to gain key insight. The specific steps include: (1) Develop the business risk assessment questionnaire. (2) Determine what controls are currently in place. (3) Review the external risk. (4) Understand the magnitude of each risk factor. (5) Gather and normalize all data for review.
3. Review the Findings. Once a full business assessment has been conducted and all the data collected, a full analysis of the data is performed at multiple levels. The overall picture of risk is reported to business line, regional leaders, and enterprise leaders. Switzer’s specific steps include (1) Creation of full evaluation reports of all measured data. (2) Involve AML staff, regulators, and critical business leaders in your review. (3) Utilize external, unbiased consultation to determine product and service risk for remediation.
4. Decide How to Proceed. Switzer advises that after you come to an understanding of your exposure and risk, your vision has been set, and you have gathered data and reviewed it, you can set a course to move ahead. However, she cautions that “continual review of the plan’s impact on the business, even at this stage, is critical.”
5. Implement the Plan. At this final step, after your company has defined its strategy, determined, by measurement, the exposure to AML risk, understood and evaluated the areas of potential risk and then “determined a path to accept, resolve and eliminate, it’s time to go to work setting the plan into motion—however, just because you are now implementing doesn’t mean you can relax. Constant scrutiny, learned best practices, and ongoing monitoring are critical.”

Switzer concludes by stating that “Risk assessment programs must evolve quickly as risks and crimes do. Building in a good system of correction and monitoring that can flex with your organization is critical.” So just as Bob Hope reinvented himself as the tastes of society changed, your risk assessment should be a “living, breathing process.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

From Trick or Treat through Thanksgiving: Examining the Past to Prepare for the Future

Ed. Note- For those of you who do not know her, Mary Shaddock Jones is one of the compliance professions I regularly rely on for advice. I continually ask her to send over some guest posts as they are always topical, top notch and provide practical advice for the compliance practitioner. I will be out of pocket over the next two weeks and Mary has agreed to take over the lion’s share of posts for my blog. Today she begins her series with a topical post on chocolates and the pre-holiday season from Halloween to Thanksgiving. I know you will not only enjoy her series but get quite a bit out of them.

This summer, the Securities and Exchange commission charged Texas-based medical device company Orthofix International with violating the Foreign Corrupt Practices Act (“FCPA”) through improper payments of bribes (code named “chocolate”) to officials at Mexico’s government-owned health care and social services institution, Instituto Mexicana del Seguro Social (“ IMSS”), in order to obtain or retain business.  Sure, for those of you who regularly read Tom Fox’s blog, this is old news.  However, since he is off and today is Halloween, I thought I would start a series for the next two weeks re-examining some of the more recent, and perhaps not so recent cases with a fresh set of eyes.

The practical pointer for today’s blog is straightforward – it is imperative that companies which have FCPA exposure audit both their petty cash accounts, and all expenses coded to training and promotion. This is apparently where the improper expenditures were “hidden” by employees of Orthofix.  In my experience, companies need to be closely reviewing what little case law or factual allegations exist with regard to the FCPA so that they too know where to find any potential problems that may exist within their own company.  There are only so many ways to hide the dollar.  If you find yourself sitting in front of the DOJ and/or SEC in the future on allegations related to a violation of the FCPA…you will not gain any “chocolate points” if you haven’t implemented a robust compliance program.  But as FCPA practitioners have said over and over again – simply having a Code of Business Conduct, an Anti-Corruption Policy Manual and even person to person training is not enough.  You have to be proactive in trying to find what others don’t want to be found.  That is why the Orthofix employees didn’t book the improper payments as “bribes”.  They aren’t stupid.  They know this is one red flag that will stop the energizer bunny in its tracks.  So instead, they disguise the improper payments in a way that they think is clever.

According to the SEC, in order to obtain cash for the bribes, the Promeca executives wrote checks to themselves, which they justified as “cash advances”.  A smart person in the accounting department would ask – what was the cash advance for?  What was bought?  Are their valid receipts which state what was bought, when was it bought, who was taken to dinner or lunch, what was discussed, etc?  In order to continue the deception, the executives submitted false receipts for imaginary expenses including meals and new car tires.   Practical Pointer:  It may be a boring and tedious task, and one which hopefully never uncovers questionable payments – but companies must have someone in charge of reviewing expense reports – for everyone – from the top dog on down to the dog walker.  Do you have a process in place for reviewing expense accounts?  If not, put one in place.

Unfortunately for Orthofix, the improper payments became too large to hide in expense reports; therefore, a new hiding place had to be located.  The next best thing to expense reports is training and promotional expenses.   Remember that the FCPA includes three affirmative defenses under its anti-bribery provisions – the first of which is “reasonable and bona fide expenditures related to certain promotional activities”.  If the FCPA allows the payment for “promotional expenses”, what better place to hide improper payments than in plain sight?   Just because someone calls an expense a promotional expense, does not mean that the Company does not have to trust, but verify.

Specifically, the FCPA permits payments if the payment to a foreign official was a “reasonable and bona fide expenditure, such as travel or accommodation expense, that was directly related to the demonstration of a product or service, or performance of a contract with a governmental agency.”  Unfortunately, I was unable to determine from the public filings how the training or promotional payments were characterized so as to allow them to remain undetected by the accounting department at Orthofix until hundreds of thousands of dollars in improper payments had been made.  However, the practical pointer for you is this – do you have a process in place which places controls over when expenditures can be made for travel and lodging/training and/or promotional/marketing expenses?

Consider the following policy language:

The FCPA permits the payment of reasonable and bona fide expenditures on behalf of a Government Official and directly related to (1) the promotion, demonstration, or explanation of products or services; or (2) the execution or performance of a contract with a non-U.S. government or agency thereof.

Travel and Lodging: No travel or lodging may be offered or given to a Government Official without the prior written consent of the Company Compliance Officer or his or her designee and must meet the following guidelines: (1) it serves a legitimate Company business purpose; (2) invitations to a Government Official are transparent, in writing, and clearly state the business purpose of the trip; (3) no payment is made directly to a Government Official either through an advance or reimbursement for expenses (the Company should directly purchase travel or lodging from those who provide them, utilizing a travel agent or other third party if possible); (4) providing “per diem” fees or expenses is avoided, particularly where meals are already being provided; (5) no cash payments to a Government Official are made whatsoever; (6) travel and lodging expenses are only provided for the identified Government Official and not for spouses, family, or friends of the Government Official; (7) travel arrangements are directly between the place of residence or employment of the Government Official and the intended destination of the business travel, with no non-business side trips; (8) no reimbursements are paid without presentation of appropriate receipts; (9) providing the travel or lodging is permitted under local law and regulations and guidelines of the recipient’s governmental entity (note that some customers have strict policies against receiving gifts); and  (10) other than the travel or lodging identified above, the Government Official is not compensated for his or her participation in the planned trip.

Guidelines for Entertainment: Unless prior written approval from the Company Compliance Officer or his or her designee is obtained, entertainment provided to a Government Official must meet the following guidelines: (1) it serves a legitimate Company business purpose; (2) providing the entertainment is permitted under local law and regulations and guidelines of the recipient’s governmental entity (note that some customers have strict policies against receiving gifts); (3) it is of the type and value that is reasonable (not lavish, excessive, or frequent); (4) it is in line with the local customs of the country where provided; (5) it is of a type that is appropriate (e.g. no strip clubs); and (6) it is accurately recorded in the Company’s books and records.

Guidelines for Marketing Expenses: Unless prior written approval from the Company Compliance Officer or his or her designee is obtained, marketing materials (such as pens, caps, or mugs) provided to a Government Official must meet the following guidelines: (1) they serve a legitimate Company business purpose; (2) they are of nominal value; (3) they are of the type and value that are customary and appropriate for the occasion;(4) they are branded with the Company’s name and/or logo; (5) they are permitted under local law and regulations and guidelines of the recipient’s governmental entity (note that some customers have strict policies against receiving gifts); and (6) they are fully and accurately recorded in the Company’s books and records.

Remember, it is not enough to simply have a policy in place; you must also conduct trainings (have the training in both English and the predominant local language of your employees) and audits to ensure compliance.

No more chocolates for today… tomorrow is All Saints Day.  Stay tuned to see who didn’t perhaps make the list of saints.

—————————————————————————————————————————-

Mary Shaddock Jones has practiced law for 25 years in Texas and Louisiana primarily in the international marine and oil service industries.  She was of the first individuals in the United States to earn TRACE Anti-bribery Specialist Accreditation (TASA).  She can be reached at msjones@msjllc.com or 337-513-0335. Her associate, Miller M. Flynt, assisted in the preparation of this series.  He can be reached at mmflynt@msjllc.com.

—————————————————————————————————————————–

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication.

How to Influence FPCA Compliance as a Minority JV Partner

How does a company work towards achieving compliance with the Foreign Corrupt Practices Act (FCPA) in a Joint Venture (JV) or other business relationship where it holds less that 50% of the control? That question is often faced by US companies when they enter into a JV in many countries which require a majority of local ownership or even a 50-50 split in ownership. Some tactics that the compliance practitioner might employ were discussed in an article in the June issue of the Harvard Business Review, entitled, “The Perils of Partnering in Developing Markets”, in which Johns Hopkins (Hopkins) Medicine International Chief Executive Officer (CEO) Steven J. Thompson wrote about his company’s experience in partnering with a charity in Turkey to build and operate a “state-of-the-art medical facility.”

While not directly discussed in the article it is certainly worth noting that in partnering to create hospitals overseas, Hopkins is always dealing with the FCPA as health care services generally and hospitals particularly are run by the foreign government in which the hospital is located. However, the problems Hopkins encountered and some of the solutions provide excellent insight into compliance challenges that a company might well face when it moves into a developing market. Thompson began by noting that as a non-profit Hopkins always takes a minority interest or none at all. This requires Hopkins to operate not as typical JV or other type of partner but “more like consultants with a broad range of responsibility and high level of authority.” The other thing that I found quite interesting was that as a non-profit, the most important thing to Hopkins is its good name; in other words it is far more concerned about reputational damage than financial loss. Some of the key lessons learned were as follows.

Filling the Local Talent Gap

Even if the country’s laws do not require that local persons be the entity’s managers, most local partners insist upon it. Thompson has learned that fighting this “rarely pays out.” Instead Hopkins seeks to team its advisors with the local executives, so that the advisors will have the ability to influence both “process and culture.” Overtime, Hopkins has found that the top local managers cannot push as hard or as strongly for innovation and culture change so that the Hopkins team can begin to take over the top management functions.

A key component for long term success is training. This includes local training in all aspects of hospital management and financial operations. Additionally, Hopkins establishes a strong recruiting pipeline for bringing back to Baltimore, the home of Hopkins, so that they can be trained at and see how the facilities are run in the US.

When Best Practices Collide with Culture

In most medical treatment outside the US, the culture is such that a Doctors judgment is never questioned. This is quite different from the Hopkins experience in the US, where other providers of health care are empowered to challenge the decisions of senior physicians where a patient’s health may be at risk. The Hopkins approach when “confronted with a culture clash is to determine whether we really need to challenge the culture.” With this approach, Hopkins found that it could accomplish its goals, “within the cultural constraints” in which it operated. When it could not do so, it “seeded the staff with professionals who could lead by example” so that in the case of the culture of deference to Doctors whose authority was not challenged, senior nurses were brought in from countries where such a tradition did not exist. Once others saw that patient outcomes were steadily improved, “they began to come around and the culture of deference receded.”

Mitigating Risk

In many ways, I found the Hopkins experience in mitigating risk to be the most interesting. Here Thompson said that the pre-agreement due diligence process, which he termed “choosing the right partner and learning to read the signs from up-front negotiations are critical”, were two of the most critical factors. He identified factors such as foreign institutions which only desired short-term profit or were trying to capitalize on the Hopkins name as “anathema to success.” He wrote that these factors can be ascertained through long conversations with potential partners about goals such as sustainable quality and commitment rather than on financial returns alone. Mimicking the requirements under the US Department of Justice’s (DOJ’s) minimum best practices compliance program, Hopkins requires strong contract language regarding the commitments made by any foreign partner. Lastly, if a relationship begins to sour or otherwise have problems, Hopkins is not afraid to rethink its position or even end the relationship after appropriate consideration. To help facilitate this from the legal perspective, Hopkins requires a “termination for convenience clause” in its contracts.

Project Checklist

Another interesting aspect of the Hopkins approach was in the implicit use of risk assessment. Thompson included the below chart to illustrate “How Johns Hopkins Sizes Up International Risk”. I found that these concepts speak to an on-going approach to risk assessment so that the process is continuous and therefore allows for continuous improvement.

Evaluating the Opportunity	Getting up to Speed	Operating Over Time
Assess the potential partner’s willingness to commit resources.	Engage experts to hire key personnel and to design processes.	Stabilize processes and create feedback loops.
Assess regional constraints.	Establish training and mentoring programs for local managers and professionals.	Transfer more responsibilities to local managers.
Work with your local partner on a project plan and a business plan.	Set up clinical, operations and financial performance metrics.	Establish local education and recruitment pipelines.
Ensure that your local partner has a clear understanding of, and realistic expectations for the project.	Establish quality, safety and efficiency processes.	Establish regional marketing programs.
	Set up a time for accreditation.	Consider new initiatives and expansion.

If Trouble Arises

Thompson concluded is article with a list of action items that you can perform if there are signs of trouble. So, following McNulty’s Maxim No. 3 of “What did you do to remedy it?”, I list the following actions steps your company can take at three different stages of a JV relationship.

1. In the Evaluation Phase

• If your concerns are modest, propose a smaller, several months-long pilot consulting project.
• If your concerns are serious, you would walk away from the deal.

2. In the Start-Up Phase

• Engage experts to hire the Key JV personnel and to design the appropriate processes.
• Increase the number of ex-pat professionals involved in the JV.
• Expand your support to local managers.
• If warranted, revise strategic plans and consider replacing the onsite management.
• If severe problems arise, consider scaling back or terminating the JV

3. As the Relationship Matures

• Strengthen your training and mentorship.
• Bring in subject matter experts (SMEs) to help solve defined problems.
• Retool processes that may be falling short.
• If required, reinstate key managers from your corporate headquarters or home office.
• Freeze or reduce the scope of the JV’s activities until problems are solved.
• Set up problems solving forums with partners in other countries.

Many US companies have struggled with how influence partners to comply with the FCPA in JV relationships. The Hopkins experience has some excellent steps that your company can take in the pre-formation stage, during contract negotiation, in post-execution contract management and then as the relationship matures. The process that Hopkins follows is one that clearly allows you to use influence, rather than the brute force of the majority right of control. It is a very good road map for you to consider and one that management should take a close look at when managing any overseas relationship.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

Compliance Convergence: ICE Enforcement

Compliance convergence can take many forms. In an article entitled “Pass the ICE Test: Nine I-9 Record Keeping Tips” published in the February 6, 2012 edition of the Texas Lawyer, author Karen-Lee Pollak explores one of these important areas of compliance; that being immigration and employment. Federal law requires that all employers must verify new employee’s employment eligibility within three business days of hire. US employers are generally aware of the enforcement actions by US Immigration and Customs Enforcement (ICE) which has shifted its focus to employers, through increased worksite investigations, fines and penalties. Pollak provides nine points of guidance on what lessons employers “can learn to help their companies avoid punitive fines for faulty record keeping.

Lesson No. 1: Make people responsible. Pollak believes that the “key to maintaining an effective I-9 program” is to designate specific supervisors, managers and employees to be responsible” and then provide them with continued training.

Lesson No. 2: Pick sides. There needs to be a clear document retention policy; whatever method is implemented the key is that if the company keeps some documents for some employees, “it must do so for all employees.”

Lesson No. 3: Mark the calendar. There should be a calendaring or tickler system which notifies the relevant personnel when employment verification documentation will be expiring. Ideally, Pollak believes a four month notice should be provided before such documents expire.

Lesson No. 4: Protect the paperwork. Care should be taken in your company’s filing system to keep current employee documentation separate from terminated employees. Further counsel should ensure that the company keeps all I-9 documents “in document retention schedules.”

Lesson No. 5: Schedule an audit. Pollak believes that your system should be independently tested via an audit by an “external auditor or trained employee who is not involved in the day-to-day I-9 process.” This has two benefits; first it should turn up any deficiencies in your program and allow you to correct them. Second, it demonstrates your company’s commitment to a robust compliance regime.

Lesson No. 6: Get ready. Typically there is little or no notice of an ICE audit, subsequently your company needs to be ready for any such eventuality. Pollak advises a company to draft a policy which sets out how your company will respond if the ICE auditors arrive. Other keys are to have your company’s documentation readily accessible and to have employee’s prepared for a surprise audit through training.

Lesson No. 7: Be serious. Pollak believes that a common mistake made by companies when they receive advance notice of an ICE audit is to fail to take the audit seriously. She reiterates that such an audit is very serious business and that no matter how friendly the auditors might seem they are not friends of the company.

Lesson No. 8: Take action. Pollak advises companies to put a process in place to handle a “no match” letter from the Social Security Administration. These letters can be useful tools to put an employer on notice that there is a problem with an employee’s social security number and this is an important step not to be missed.

Lesson No. 9: Take action (II). Pollak advocates that a company should “establish self-reporting procedures for the company to report to ICE any violations or discovered deficiencies.” This will help in any enforcement action going forward.

Many in-house counsel have a wide variety of roles in their employment. For counsel in a smaller company, it may include ICE enforcement issues, as well as anti-corruption compliance and export control enforcement. Pollak has provided some solid, concrete tips for ICE compliance in her article. Many of the points she raised can be used in the broader compliance convergence context as well.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

10 Global Compliance Trends for 2012

Many commentators looked back at the events of 2011 in the compliance arena and have looked forward into 2012. However, most of the commentators in the United States focused on the US Foreign Corrupt Practices Act for both their retrospective and Great Carnac tea leaf readings. This lack of international focus is rectified in the January, 2012 issue of the Compliance Week Magazine, in an article entitled, “Ten Global Compliance Trends to Watch in 2012” by Neil Baker. The issues presented on the list are matters which any compliance professional from a US company, which has international operations should review and be prepared to face.

1. Britain loses its voice in Europe. The author believes that Britain’s veto of France and Germany’s plans to bring closer governance of EU members will reduce the UK influence in compliance matters. He believes that this may lead to more Euro-centric regulatory zeal against US-style capitalism.
2. Tougher corporate governance rules. The author believes that the European Commission will adopt more detailed regulations on how companies should constitute their Boards of Directors, make decisions and manage risk generally.
3. Big 4 challenged? Baker believes that 2012 may be the end of the Big Four accounting firms domination of the international audit market. He believes that some firms may be split up and all firms will no longer be able to offer audit and consulting services.
4. Stricter data protection. Companies will face new rules on how they “capture, store and use personal information.” Levels of encryption may well need to be increased but most ominously, companies will be required to “notify regulators and member of the public if they discover a data breach.”
5. Bribery Act gets tested. Baker quotes my This Week in FCPA colleague Howard Sklar for the following, “Compliance Officers now have to ensure that rules are adhered to” [regarding the Bribery Act]. Or as Howard might also say, “At 12 months, take the over.”
6. Fair competition enforcement up. Baker believes that businesses’ anti-competitive behaviors became more pronounced due to the global recession. Now regulators are catching up to these behaviors and he anticipates greater enforcement.
7. Executive pay scrutiny continues. Baker believes that the UK government will “introduce new regulations on [executive] remuneration in 2012.” This legislation could include requiring shareholder vote and approval of executive compensation.
8. Japan gets governance. Independent Directors come to Japan Inc. Baker believes so but I have to disagree with him on this prediction. (See Olympus)
9. IT security more complex. The increase in the use of personal computing devices and persons working from home, will lead to significant data security headaches. Baker quotes Andy Fisher that “unless it is managed it will create a compliance time bomb.”
10. Cloud computing becomes the norm. The increase in cloud computing can lead to questions regarding which countries laws control data security; the home country of the company or the country where the data is stored.

This list that Baker has put together clearly portends greater compliance convergence. A Compliance Officer well versed in anti-corruption legislation across the world will have a myriad of laws to navigate to keep his company on the right side of anti-corruption laws. However, the Compliance Officer may well have a broader remit in 2012. Baker ends his piece with this cheery note, “There’s never a good time for a company to suffer a compliance failure, but 2012 would be a particularly bad time.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

Coalition for Excellence in Compliance Releases Restricted Party Screening and Other Export Compliance Best Practices

Ed. Note-I often talk about compliance convergence. Today we host a guest post from our colleague and fellow UT Longhorn, Doug Jacobson. This article originally appeared in Doug’s blog, International Trade Law News. In his blog Doug discusses news, analysis and information on export control, sanctions, customs law, FCPA, anti-dumping and other international trade issues. We reprint his article, with his permission, in its entirety.

The Coalition for Excellence in Export Compliance (CEEC) (pronounced “seek”), a voluntary group of experienced export compliance professionals from leading companies, law firms, research organizations and consulting firms, recently released a series of detailed and practical standards containing best practices on a wide range of important topics for export and sanctions compliance programs.

CEEC’s mission is to provide a uniform set of best practices that companies and trade compliance professionals could use to provide clarity over the existing patchwork of official and unofficial guidance regarding export and sanctions compliance requirements and programs. The best practices are not tied to any particular country’s laws or requirements and are intended to be applicable worldwide.

To date, CEEC has issued best practices covering a wide range of topics, including: screening, training, classification, personnel, management commitment, license determinations and use, and intangible exports. Additional compliance-related best practices topics will be issued by CEEC in the near future.

CEEC’s best practices on Restricted Party Screening  contains valuable guidance on restricted party screening programs and ways to implement screening programs. For example, CEEC’s restricted party screening best practices provides recommendations on the types of parties to be screened, how and when screening should be conducted, the structure of restricted party screening programs, the lists to check and how matches and potential matches to restricted party lists should be handled.

With respect to the types of parties to be screened, CEEC’s screening best practices note that both domestic and international transactions should be screened, since certain restrictions may apply to domestic transactions, domestic transactions may be part of an international transaction, and reputational concerns may exist. The screening best practices provide a detailed list of the types of parties that should be screened (to the extent applicable), including customers, suppliers, freight forwarders, banks, agents, ship to parties, etc.

CEEC’s screening best practices indicate that a “software tool should be used for screening” and that it should “employ a “fuzzy logic” algorithm to identify close as well as identical matches.” Of course, because restricted party list changes are often effective immediately, the “the automated screening tool must promptly update all applicable watch lists as these lists are changed and updated by issuing authorities.”

As for the structure of a restricted party screening program, CEEC’s screening best practices recommend that the screening process should be documented, and it could be “advantageous to centralize the screening program” in order to “minimize duplicative work and promote uniformity.”

Regarding the lists to check, CEEC advises that a “risk analysis should be done to determine which lists (by country, type, etc.) are needed for the organization to use for screening.” For example, it “may be appropriate to use different lists for different businesses, different categories of transactions, or different geographic locations.”

CEEC’s screening best practices provides specific information and guidance on the frequency of screening and at what point in the screening process screening should be done. For example, the best practices recommend that new business partners should be screened prior to the first transaction or other business dealing and that organizations “should consider implementing procedures to screen at the time the business partner is entered into the organization’s database, when background or credit checks are run, when quotes or proposals are requested, or at some other time, as appropriate.” The best practices indicate that “the intervals in between database screenings should be measured and limited in order to mitigate the risk of doing business with a restricted/prohibited/denied party.”

Finally, with respect to screening matches and potential matches, CEEC’s best practices state that an organizations’ restricted party screening process “must allow for a transaction to be halted unless and until any screening matches are cleared. To minimize business disruption, potential matches should be cleared as promptly as possible and the determination “should be documented.” When an actual match to a restricted party list occurs, the CEEC best practices advise that “depending upon the nature of the list, the legal applicability in the jurisdiction, and an evaluation of reputational concerns, the process must allow for determination by an authorized person whether the transaction may proceed . . . and this decision should be documented.”

CEEC members encourage comments and suggestions for improving the best practices and CEEC’s website contains a contact page for the submission of comments on their efforts to date.

============================================================================================

We wish a Happy Holidays to all and in spite of what Rick Perry may say, you can say Merry Christmas out loud.

Compliance Convergence: Deemed Exports

I write regularly about compliance convergence. One of the areas which converge with anti-corruption compliance is export control. Within the area of export control, a sub-area which is little discussed and less understood, is the area of deemed exports. I recently saw an article on this issue in the Oct/Nov issue of the SCCE Magazine, entitled “Understanding the compliance risk of deemed exports” by Anthony Hardenburgh. The author, Vice President of Global Trade Content for Amber Road (formerly Management Dynamics Inc,) laid out the regulations governing this issue and then delineates some controls to manage this export control risk of deemed exports.

What is a Deemed Export?

As a general rule, a deemed export occurs when US technology, which otherwise requires a license for export, is made available to a foreign national by verbal communication, visual inspection or practical use within or outside the United States. The deemed export rule is of great importance to both universities and in the business world. There are numerous ways in which a deemed export can occur. It can come through discussions by professional colleagues in academia, presenting a paper with licensed technology at a conference or by a plant tour of your company.

The consequences of a violation of the deemed export rule can be severe. An administrative penalty can be the greater of $250,000 or twice the value of the transaction involved for each administrative violation. Such a violation can also include the denial of export rights, which for a company with an international business can be devastating. There can also be a criminal penalty attached for serious violations, with a fine levied of up to $1MM and/or up to 20 years in prison. Indeed a University of Tennessee professor was criminally convicted and sentenced to 48 months in prison for “allowing foreign students access to export-controlled research”, in spite of warnings by the university compliance officer that such conduct was not allowed under the deemed export rule.

Risk Management

What steps can you, as a compliance officer, take to manage this risk? Hardenburgh notes that many compliance officers will not know or even understand everything happening in every university lab or company test facility. The management of this risk begins with preventative steps which Hardenburgh lists as follows:

• Written Export Control Policy, including Deemed Exports.
• Ongoing training on this Policy.
• Continuing communications to employees.
• Risk evaluation to determine if export licenses are required. If licenses are required make certain that such technology is not made available until the licenses are obtained.
• Monitoring the entire process to detect any deviations from the Compliance Program.
• Safeguard licensed technologies from viewing or release to foreign nationals.
• Document all steps taken.

Compliance Convergence

The steps that Hardenburgh has suggested will not sound new or radical to the compliance professional. Determining if a risk exists, evaluating that risk and then managing that risk is standard fair in the compliance world. The deemed export rule is just one additional risk that should fall under compliance through export control. Although the penalties can be severe, the solutions to manage the risk are relatively straight-forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011