FCPA Compliance and Ethics Blog

May 22, 2015

On the Oregon Trail: the BHP Enforcement Action and High-Risk Hospitality

Today we celebrate American exceptionalism. As noted in ‘This Date in History’, on this date in 1834 the first wagon train, made up of 1,000 settlers and 1,000 head of cattle, set off down the Oregon Trail from Independence, Missouri, on the Great Emigration. After leaving Independence, the giant wagon train followed the Santa Fe Trail for some 40 miles and then turned to its northern route to Fort Laramie, Wyoming. From there, it traveled on to the Rocky Mountains, which it passed through by way of the broad, level South Pass that led to the basin of the Colorado River. The travelers then went southwest to Fort Bridger and on to Fort Boise, where they gained supplies for the difficult journey over the Blue Mountains and into Oregon. The Great Emigration finally arrived in October, completing the 2,000-mile journey from Independence in five months.

The settlers who took off on this Great Emigration on the Oregon Trail did not have anything in the way of a road map. Fortunately for the modern day anti-corruption compliance practitioner, you do have road maps that can guide your compliance with the Foreign Corrupt Practices Act (FCPA) going forward. Over the past few years the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have put out significant and detailed information on compliance failures, which have led to FCPA enforcement actions. For any Chief Compliance Officer (CCO) or compliance practitioner, these enforcement actions provide solid information of lessons learned which can be used as teaching points for companies. Further, these lessons can be used as road maps to review compliance programs to see what gaps, if any, may exist and how to implement solutions.

This trend continued with the release of the SEC FCPA enforcement action involving BHP Billiton Ltd. (BHP) this week. First and foremost to note is that it was an SEC enforcement action involving violations of the internal controls provision of the FCPA. There was no evidence of bribery leading to any DOJ enforcement action. Yet as I have been writing and saying for almost one year, SEC enforcement of the internal controls provision of the FCPA is increasing and companies need to pay more attention to this part of the FCPA. A bribe or offer to bribe does not have to exist for an internal controls violation to occur. CCOs and compliance practitioners need to be cognizant of compliance internal controls and put effective compliance internal controls in place that can be audited against to test their effectiveness.

The BHP enforcement action revolved around the company’s hospitality program for the Beijing 2008 Olympics. Every CCO and compliance practitioner should study this enforcement action in detail so that they can craft appropriate compliance internal controls for high dollar entertaining for big time sporting events. For any company that may be planning for high dollar hospitality spends for the 2016 Brazil Olympics, this enforcement action lays out what you should and should not do in your compliance program. But this holds true for any major sporting event such as the Super Bowl, World Cup or you name the event.

BHP had a paper program that appeared robust. As laid out in the Cease and Desist Order, “BHPB developed a hospitality application which business managers were required to complete for any individuals, including government officials, whom they wished to invite.” The application included these questions to be fully answered:

  • “What business obligation exists or is expected to develop between the proposed invitee and BHP Billiton?”,
  • “Is BHP Billiton negotiating or considering any contract, license agreement or seeking access rights with a third party where the proposed invitee is in a position to influence the outcome of that negotiation?”
  • “Do you believe that the offer of the proposed hospitality would be likely to create an impression that there is an improper connection between the provision of the hospitality and the business that is being negotiated, considered or conducted, or in any way might be perceived as breaching the Company’s Guide to Business Conduct? If yes, please provide details.”; and
  • “Are there other matters relating to the relationship between BHP Billiton and the proposed invitee that you believe should be considered in relation to the provision of hospitality having regard to BHP Billiton’s Guide to Business Conduct?”

So the right forms were in place and some of them were fully filled out. However, as the Cease and Desist Order made clear, an effective compliance program does not end at that point. Now would be an appropriate time to recall that high risk does not mean you cannot engage in certain conduct. High risk means that to have an effective compliance program, you have to manage that risk. A basic key to any effective compliance program is oversight or a second set of eyes baked in to your process. BHP formally had this oversight or second set of eyes in the form of an Olympic Sponsorship Steering Committee (OSSC) and Global Ethics Panel Sub-Committee.

Where BHP failed was that “other than reviewing approximately 10 hospitality applications for government officials in mid-2007 in order to assess the invitation process, the OSSC and the Ethics Panel subcommittee did not review the appropriateness of individual hospitality applications or airfare requests. The Ethics Panel’s charter stated that its role simply was to provide advice on ethical and compliance matters, and that “accountability rest[ed] with business leaders.” Members of the Ethics Panel understood that, consistent with their charter, their role with respect to implementation of the hospitality program was purely advisory. As a result, business managers had sole responsibility for reconciling the competing goals of inviting guests – including government officials – who would “maximize [BHPB’s] commercial investment made in the Olympic Games” without violating anti-bribery laws.”

But there was more than simply a failure of oversight by BHP. The Cease and Desist Order noted that not all of the forms were filled out with the critical information around whether a proposed recipient might have been a government official. Even more critically missing was information on whether the proposed recipient was in a position to exert influence over BHP business. Moreover, BHP did not provide training to the business unit employees who ended up making the call as to whether or not to provide the hospitality on payment of travel and hospitality for spouses. The Cease and Desist Order stated that BHP “did not provide any guidance to its senior managers on how they should apply this portion of the Guide when determining whether to approve invitations and airfares for government officials’ spouses.” Finally, there were no controls in place to update or provide ongoing monitoring of the critical information in the forms.

All of this led the SEC to state the following, “As a result of its failure to design and maintain sufficient internal controls over the Olympic global hospitality program, BHPB invited a number of government officials who were directly involved with, or in a position to influence, pending negotiations, efforts by BHPB to obtain access rights, or other pending matters.” This led to the following, “BHPB violated Section 13(b)(2)(B) because it did not devise and maintain internal accounting controls over the Olympic hospitality program that were sufficient to provide reasonable assurances that access to assets and transactions were executed in accordance with management’s authorization.” Perhaps it was stated most succinctly by Antonia Chion, Associate Director of the SEC’s Division of Enforcement, in the SEC Press Release announcing the enforcement action when he said, “A ‘check the box’ compliance approach of forms over substance is not enough to comply with the FCPA.”

There is also clear guidance from the SEC about how BHP was able to obtain the reduced settlement it received. BHP “provided significant cooperation with the Commission’s investigation”. Moreover, the Cease and Desist Order laid out the remedial steps the company took. These steps included: (1) creation of a compliance group independent of the business units; (2) review of its anti-corruption program and implementation of certain upgrades; (3) embedding of anti-corruption managers into the business units; (4) enhancements of “its policies and procedures concerning hospitality, gift giving, use of third party agents, business partners, and other high-risk compliance areas”; (5) enhancement of “financial and auditing controls, including policies to specifically address conducting business in high-risk markets”; and (6) enhanced anti-corruption compliance training.

FCPA compliance is a relatively simple exercise. That does not mean it is easy. For travelers on the Great Emigration on the Oregon Trail, travel was neither simple nor easy. If you want to send government officials to high profile sporting events or provide other high dollar hospitality, the FCPA does not prevent you from doing so. But it is a high risk and to be in compliance you must manage those high risks appropriately, all the way through the process. The BHP enforcement action provides you a detailed road map of what to do and what not to do.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

May 20, 2015

Levi Strauss and Auditing of Third Parties

Today we celebrate innovation. On this day in 1873, a patent to create work pants reinforced with metal rivets was granted. This marked the birth of one of the world’s most famous garments: the blue jeans. Jacob Davis, a tailor in Reno, Nevada, presented the idea to Levi Strauss in 1872 when he wrote Strauss a letter about his method of making work pants with metal rivets on the stress points to make them stronger. Davis didn’t have the money for the necessary paperwork and proposed that Strauss provide the funds and that they get the patent together. Strauss agreed and the patent for “Improvement in Fastening Pocket-Openings”, the innovation that would produce blue jeans, was granted.

Until Strauss opened a factory in 1880 the “waist overalls”, as the original jeans were known, were manufactured by seamstresses working out of their homes. Levi’s 501’s, previously known as “XX”, were soon a bestseller, and by the 1920s they were the top-selling work pant in the US. Over the decades the fad has grown and today they are a firm staple in closets around the globe.

I thought about this innovation and sustained excellence when I sat through a presentation at Compliance Week 2015 by two ladies from Baker Hughes Inc. (BHI), Jennifer Ellison, Senior Legal Compliance Manager, and Marianne Ibrahim, Senior Counsel, on Audits and Investigations. They focused on three aspects of the company’s audit program in its compliance function: types and purpose of Foreign Corrupt Practices Act (FCPA) audits, planning for the audit, and interviewing, all in conjunction with your audit program for third parties.

When planning for such an audit they laid out the following steps. You should plan four to six weeks in advance; perform the audit with your legal counsel’s lead to preserve privilege; work with the business sponsor to establish key business contacts; discuss audit rights and processes with the third party; prepare initial document request lists for financial information queries; take the time to review findings from previous audits and resolutions; review details of opened and closed internal investigations; review any Code of Conduct questionnaires that are available; and, finally, be cognizant of any related Department of Justice (DOJ) and Securities and Exchange Commission (SEC) enforcement actions.

They noted you should try and determine the entry points of foreign government involvement. They broke this down into (1) direct and (2) indirect. In the direct category they listed the following areas: customs and duties, corporate taxes and penalties, social security or national insurance issues for employees, obtaining in-country visas and work permits, public official gifts and entertainment, training of and attendant travel for employees of government owned entities, procurement of business licenses and permits to perform work and, finally, areas around police escort and security. In the indirect category, some of the key areas to review are: customs agents and freight forwarders, visa processors, commercial sales agents, including distributors and, finally, those who might be consultants or other channel partners.

Document review and selection is important for this process. They said that you should ask for as much electronic information as possible well in advance of your audit. They did recognize that it is much easier to get database records for internal audits than for audits of third parties. One item they made sure to ask for in advance was records in database or Excel format and not simply in .pdf. They suggested you ask for the following categories of documents: trial balance, chart of accounts, journal entry line items, financial and compliance policies, prior audited financial statements, bank records and statements, a complete list of agents or intermediaries, and revenue by country and customer.

When you are ready to commence your interviews, they emphasized that the lead interviewer needs to be culturally sensitive, patient and must negotiate a good working relationship with auditors, who will be reviewing the documents from the forensic perspective. Regarding potential interviewees, they related you should focus on those who interact with government entities, foreign government officials or third parties, including those personnel involved with:

  • Business Leadership
  • Sales/Marketing/Business Development
  • Operations
  • Logistics
  • Corporate Functions: Human Resources, Finance, Health, Safety and Environmental, Real Estate and Legal.

For the interview topics, they suggested several lines of inquiry. Initially they noted you should conduct the audit interview as precisely that, an audit interview and not an investigative interview. You should not play ‘gotcha’ in this format. They said you should avail yourself of the opportunity to engage in training while you are interviewing people. The topics to interview on included:

  • General policies and procedures;
  • Books and records pertaining to FCPA risks;
  • Test knowledge of FCPA and UK Bribery Act including facilitating payments and their understanding of your company’s prohibitions;
  • Regulatory challenges they may face;
  • Any payments of taxes, fees or fines;
  • Government interactions they have on your behalf; and
  • Other compliance areas you may be concerned about or that would impact your company, including: trade, anti-boycott, anti-money laundering, anti-trust.

Ellison and Ibrahim went into detail regarding the review you should make around the General Ledger (GL) accounts. They suggested you review commission payments to agents and representatives, any facilitating payments made, all payments around travel, meals and entertainment, payments made around training, gifts, charitable contributions, political donations and sales and promotion expenses. Payments made for customs or freight forwarders and other processing agents, permits, licenses, taxes and other regulatory expenses should also be reviewed. Additionally, any entries pertaining to community contributions and social responsibility payments should be assessed and, finally, they suggested that a review of any security payments, extortion payments, payments to legal consultants or tax advisors, or fines and penalties should be considered.

Regarding bank accounts and cash disbursement controls, you should review the following:

  • Review controls around bank accounts and cash disbursements;
  • Identify and review authorized signers, approval levels, and bank reconciliations;
  • Ensure all bank accounts are included in the General Ledger;
  • Identify and review certain bank and cash disbursement transactions;
  • Identify offshore bank accounts.

In the area of cash funds review the following:

  • Review controls around petty cash funds;
  • Ascertain processes in place regarding disbursement and reconciliation of cash funds;
  • Identify and review payments to government officials, agents, or any unusual or suspicious activities; and
  • Identify and review certain bank transactions and test for any improper payments.

For gifts, travel and entertainment, you should explore payments made through employee-reimbursed expenses, scrutinize for any suspicious expenses submitted, expenses lacking adequate documentation, incorrect posting; and identify and review accounts associated with gifts, meals, entertainment, travel, or promotion. In the area of payroll, consider the risks around the use of ghost employees, hiring of relatives of government employees, and the use of bonus payments and be sure to request a payroll listing and review for any such persons.

Around training you should determine whether your company provides industry specific training to government entities, and review GL accounts and expenses for related items. In taking a look at payments under local law, you should obtain a list of payments to the government required by local laws and identify and review payments to government authorities or employees, customs authorities or agents, income tax authorities or license requirements. For payments made to third parties, you should review commission and expense payments for compliance with company policy and also trace payments to the third party’s bank account.

Ellison and Ibrahim provided solid, detailed information on not only what your audit protocol should be but also provided material on what you should look for and how you should do it. It was an excellent presentation.


May 5, 2015

Ruth Rendell and Developing Better Compliance Solutions

Ruth Rendell died this past weekend. Along with Patricia Cornwell, she was one of the two greatest mystery writers for the past couple of decades. I thoroughly enjoyed her books which, as her New York Times (NYT) obituary said, were “intricately plotted mystery novels that combined psychological insight, social conscience and, not infrequently, teeth-chattering terror.” For a mystery writer, it does not get much better than those accolades. Another crime writer, the Scottish author Val McDermid, was quoted in the NYT that Rendell and P.D. James “transformed what had become a staid and formulaic genre into something that offered scope for a different kind of crime novel. In their separate ways they turned it into a prism for examining the world around them with a critical eye.” Rendell was truly an innovator and a one-of-a-kind.

One of the things that Rendell continually challenged was our human bias. I thought about her writing when I read a recent article in the May issue of the Harvard Business Journal (HBJ), entitled “Outsmart Your Own Biases”, authored by Jack B. Soll, Katherine L. Milkman and John W. Payne. I found the article to have some interesting insights for the Chief Compliance Officer (CCO) or compliance practitioner. While noting that using your instincts is something we all engage in and can use to our benefit, the authors believe that “It can be dangerous to rely too heavily on what experts call System 1 thinking – automatic judgments that stem from associations stored in memory – instead of logically working through information that’s available.”

The authors believe the problem is that “Cognitive biases muddy our decision making… and even when we try to use reason, our logic is often lazy or flawed.” They cite the cause of this problem to be that “Instead of exploring risks and uncertainties, we seek closure – it’s much easier. This narrows our thinking about what could happen in the future, what our goals are, and how we might achieve them.” Finally, as a solution they suggest, “By knowing which biases tend to trip us up and using certain tricks and tools to outsmart them, we can broaden our thinking and make better choices.”

The authors suggest that to “debias” your decisions, you must broaden your perspective on three fronts. These are (1) thinking about the future, rather than simply one objective; (2) thinking about objectives, rather than simply the circumstances in front of you; and (3) thinking about options, rather than thinking in isolation.

Thinking About the Future

This is more than simply hedging your bets. The authors believe that “Because most of us tend to be highly overconfident in our estimates, it’s important to “nudge” ourselves to allow for risk and uncertainty.” They suggest that you use the four following techniques. (1) Make three estimates. The authors state, “To improve your accuracy, work up at least three estimates—low, medium, and high—instead of just stating a range. People give wider ranges when they think about their low and high estimates separately, and coming up with three numbers prompts you to do that.” (2) Think twice. They suggest that you should “make two forecasts and take the average” because they believe that “when people think more than once about a problem, they often come at it with a different perspective, adding valuable information. So tap your own inner crowd and allow time for reconsideration: Project an outcome, take a break (sleep on it if you can), and then come back and project another.” (3) Use premortems. I found this exercise very interesting. The authors explained, “In a premortem, you imagine a future failure and then explain the cause. This technique, also called prospective hindsight, helps you identify potential problems that ordinary foresight won’t bring to mind.” (4) Take an outside view. Here, “You need to complement this perspective with an outside view—one that considers what’s happened with similar ventures and what advice you’d give someone else if you weren’t involved in the endeavor.”

Thinking About Objectives

The authors believe that too often, “people unwittingly limit themselves by allowing only a subset of worthy goals to guide them, simply because they’re unaware of the full range of possibilities.” You should generate objectives and you can work to sort through them as you progress because by “Articulating, documenting, and organizing your goals helps you see those paths clearly so that you can choose the one that makes the most sense in light of probable outcomes.”

The authors suggest two steps will help to ensure that you are “reaching high – and far – enough with your objectives.” First is that you should seek the advice of others, however you should “Outline objectives on your own before seeking advice so that you don’t get “anchored” by what others say. And don’t anchor your advisers by leading with what you already believe… If you are making a decision jointly with others, have people list their goals independently and then combine the lists.” Second you should cycle through your objectives by tackling them one at a time because by “looking at objectives one by one rather than all at once helps people come up with more alternatives. Seeking a solution that checks off every single box is too difficult—it paralyzes the decision maker.”

Thinking About Options

Here the authors believe you should have a “critical mass of options to make sound decisions, you also need to find strong contenders—at least two but ideally three to five.” They note, “Unfortunately, people rarely consider more than one at a time. Managers tend to frame decisions as yes-or-no questions instead of generating alternatives.” The authors also believe that corporate groupthink tends to avoid a loss rather than reaching for a win. To overcome this, they suggest two techniques.

First you should perform a joint evaluation because evaluating options in isolation does not ensure the best outcomes. They write, “A proven way to snap into joint evaluation mode is to consider what you’ll be missing if you make a certain choice. That forces you to search for other possibilities… That simple shift to joint evaluation highlights what economists call the opportunity cost—what you give up when you pursue something else.” Second they propose you should use the “vanishing-option test” which requires you to “Assume you can’t choose any of the options you’re weighing and ask, “What else could I do?” This question will trigger an exploration of alternatives… That might prompt you to consider investing in another region instead, making improvements in your current location, or giving the online store a major upgrade. If more than one idea looked promising, you might split the difference.”

Why is all this important for the CCO or compliance practitioner? It is because we are presented with options that appear to be simply Go/No Go or even one-off decisions. A Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption program should require a variety of responses. Just as all risks are different, the management of risks can be handled differently. As a CCO or compliance practitioner you cannot be Dr. No living in the Land of No; you must be proactive to come up with solutions to help your business unit folks to not only do business in compliance with the relevant laws but to actually do business. Just as Ruth Rendell was able to weave an intricate story line into the traditional mystery format, you, as the CCO or compliance practitioner, should be able to come up with solutions to the compliance issues that you face.


May 4, 2015

The Who and Advanced Compliance Solutions

Last week I was thrilled to see The Who on their 50th anniversary (and farewell) tour. It was a great night of watching Pete Townshend and Roger Daltrey work through their long career of great songs. Both were quite animated and clearly enjoyed working together. They ended their show with the classic Won’t Get Fooled Again from their iconic album Who’s Next. As the show ended they said their good-byes and it felt like saying good-bye to a very long time friend.

I thought about this farewell as an introduction to my new compliance consulting company, Advanced Compliance Solutions (ACS), which I have founded to help me better serve the compliance field going forward. ACS allows me to focus more on issues unique to the Foreign Corrupt Practices Act (FCPA), UK Bribery Act and other similar anti-bribery and anti-corruption laws. In this post I wanted to highlight some of the current offerings that I am able to make through my new entity.

My new website, http://www.advancedcompliancesol.com, and consulting company are designed to guide you through the creation, implementation and enhancements for a best practices compliance program. (Big shout out to Rebecca Rosen and her team at Sales Enabled for the design.) Operating a global company, large or small, presents its challenges. And while you may assume that your employees share your commitment to your values and ethical practices, how business is done country-to-country varies. How individuals choose to conduct themselves varies, too. The key is that you should evaluate your risks and then manage them through your Code of Conduct and compliance program.

Your Code of Conduct and compliance program needs to reflect not only your mission and values, but also needs to account for the numerous cross-border regulations that your company is obligated by law to follow. Your Code of Conduct and compliance program must not only specify what is and is not acceptable operating behavior, it must also provide a mechanism for employees to report code violations. And it must address the risks associated with what your business does, where and how it operates and with whom you do business. While not freeing you from legal exposure, a well thought out, communicated, trained and maintained code of conduct and compliance program can minimize your exposure to risk and minimize your penalties should a violation occur.

One of the prime focus areas for ACS is risk management. For example, in the arena of mergers and acquisitions (M&A), risk management requires an evaluation of the target’s risk profile, followed by the creation and implementation of a work plan that incorporates ongoing review policies. These plans need to be tailored to the risks or red flags identified, essentially enhancing compliance and ethics policies and programs and internal controls both pre and post-closing. Finding red flags early in the process or later pre-closing allows the acquiring company to renegotiate purchase terms to account for potential anti-corruption issues. If the red flags are prevalent and serious enough they may even suggest cancelling the transaction. ACS can assist your company to properly identify and manage the risks of an international transaction, enabling you to pursue profitable business endeavors.

What are some of the key risk factors you should consider? Some are as follows:

  • Business Development – Does the seller provide gifts or other incentives to encourage purchase, like travel, gifts or entertainment?
  • Compliance Programs – Has the seller implemented anti-corruption policies and procedures and if so are they adequate?
  • Geography – Does the seller, either by itself or through third parties, operate or conduct business in countries that score poorly on Transparency International’s (TI) Corruption Perceptions Index (CPI)?
  • Government Business – To what extent do the seller’s revenues rely on government licenses, permits and other authorizations?
  • History – Does the seller have a history of suspicions or corruption allegations?
  • Industry – Historically has the industry been the focus of heavy anti-corruption enforcement?
  • Third Party Intermediaries – How reliant has the seller been on third parties in dealing with government officials for business development efforts?

ACS is designed to help you do so, in a timely and cost effective manner.

One lesson learned from the Morgan Stanley Declination was that there are things you can do to enhance your compliance program which do not cost a lot of money and do not induce compliance fatigue. Prominently featured in the Declination was an item named as the ‘compliance reminder’, which was related to email reminders that were sent out to the then Managing Director, Garth Peterson, who was convicted of violating the FCPA.

Over seven years, Morgan Stanley sent out 35 emails reminding employees of the firm’s Code of Conduct, policy against conflicts of interest and about FCPA compliance. Based on this information, I developed, in conjunction with Maurice Gilbert of Corporate Compliance Insights (CCI), 10 short videos about compliance topics that can be sent out to employees via email. Each video is from 3-5 minutes in length and concerns an issue relevant to anti-corruption compliance. The topics are basic enough to provide an introduction into the FCPA, UK Bribery Act or other law and are informative enough to provide substantive information to any employees you might send them to.

The topics include: What is the FCPA?; Anti-Corruption Enforcement Across the Globe; What is the Intersection Between the FCPA, Anti-Corruption and Corporate Ethics?; FCPA Enforcement Actions – Case Studies on the Good and Bad; Why Do the DOJ and SEC Both Enforce the FCPA?; What FCPA Issues Are Raised by Your Sales Structure?; How to establish an effective compliance program; How to conduct a business and risk assessment; and Special topics and issues under the FCPA. You can purchase and download each of these videos directly for use as compliance reminders in satisfaction of the guidance provided by the Morgan Stanley Declination.

The new website also contains a listing of the books I have written which you can click through to order. And finally, a note about speaking engagements. I can speak directly to your FCPA compliance issues or more broadly on compliance and ethical leadership. So if you need an expert to speak at your next corporate event, give me a call.

I was more than excited to see The Who play last week. It was sad at the end but they and their music will always live in my heart. But I am equally excited to announce my new compliance consulting venture. I can bring a level of expertise and efficiency to your compliance needs that cannot be rivaled. When you retain ACS, you can be assured that I will be working on your project. So give my new website a look and I would enjoy hearing what you think about it. And while you are at it, consider Advanced Compliance Solutions for your next compliance project.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

April 28, 2015

King Arthur Week – the Pentecostal Oath and Code of Conduct – Part II

One thing for which King Arthur is remembered is his chivalric knights. He helped create this legend, in large part, by establishing a Code of Conduct for the Knights of the Round Table. The King required each one of them to swear an oath, called the Pentecostal Oath, which was Arthur’s ideal for a chivalric knight. The Oath stated, “The king established all his knights, and gave them that were of lands not rich, he gave them lands, and charged them never to do outrageousity nor murder, and always to flee treason; also, by no mean to be cruel, but to give mercy unto him that asketh mercy, upon pain of forfeiture of their worship and lordship of King Arthur for evermore; and always to do ladies, damosels, and gentlewomen succor upon pain of death. Also, that no man take no battles in a wrongful quarrel for no law, ne for no world’s goods. Unto this were all the knights sworn of the Table Round, both old and young. And every year were they sworn at the high feast of Pentecost.” (Le Morte d’Arthur, pp 115-116)

Interestingly, the Oath first appeared in Sir Thomas Malory’s Le Morte d’Arthur and in none of the prior incarnations of the legend. In Malory’s telling, after the Knights swore the Oath, they were provided titles and lands by the King. The Oath specifies both positive and negative conduct; that is, what a Knight might do but also what conduct he should not engage in. The Pentecostal Oath formed the basis for the Knight’s conduct at Camelot and beyond. It was clearly a forerunner of today’s corporate Code of Conduct.

The foundational document of any Foreign Corrupt Practices Act (FCPA) compliance program is its Code of Conduct. This requirement has long been memorialized in the US Sentencing Guidelines, which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements the Department of Justice (DOJ) has crafted its minimum best practices compliance program, which is now attached to every Deferred Prosecution Agreement (DPA) and Non-Prosecution Agreement (NPA). These requirements were incorporated into the 2012 FCPA Guidance. The US Sentencing Guidelines assume that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct”?

Element 1

Standards of Conduct, Policies and Procedures (a Code of Conduct)

An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages “ethical conduct” and a commitment to compliance with applicable regulations and laws.

In the FCPA Guidance, the DOJ and Securities and Exchange Commission (SEC) state, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, the DOJ and SEC will review whether the company has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.

In each DPA and NPA over the past 36 months the DOJ has stated the following as item No. 1 for a minimum best practices compliance program.

  1. Code of Conduct. A Company should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy shall be memorialized in a written compliance code.

In an article in the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual, 2nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”

There are several purposes identified by the authors that should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, providing a process for proper decision-making and then requiring that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, I suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of discipline, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize that the company will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your FCPA compliance program are ‘Document, Document and Document’. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands the Code. For employees, it is important that a representative of the Compliance Department, or other qualified trainer, explains the standards set forth in your Code of Conduct and answers any questions that an employee may have. Your company’s employees need to attest in writing that they have received, read, and understood the Code of Conduct and this attestation must be retained and updated as appropriate.

The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed its Code of Conduct for five years, I would suggest that you do so in short order, as much has changed in the compliance world.

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to “wave in a defense situation” by claiming that “see we have one”. But is such a legalistic code effective? Is a Code of Conduct more than simply your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?

Just as the Pentecostal Oath was required to be sworn out each year, you should have your employees recertify their adherence to your Code of Conduct. Moreover, just as King Arthur set his expectations for behavior, your company should do so as well.


April 16, 2015

Consumer Protection and Your Business

Filed under: Compliance,compliance programs,KYC — tfoxlaw @ 12:01 am

Ed. Note: today we have a guest post from Karen Schirmer, a Senior Advisor at Chartwell.

You’ve been hearing for a while now that the regulatory environment has been changing, and you follow the Consumer Financial Protection Bureau (“CFPB”) alerts to see if this new regulator will be looking at your type of business sometime in the near future. But you haven’t done anything new to prepare for greater consumer protection scrutiny because you’re too busy preparing for the upcoming state or bank examination. If this describes your organization, we understand that being proactive with limited funds and resources can be difficult. Nonetheless, consumer protection laws exist on the state and federal level, and states, banks, and other regulators are all taking a broader approach to their reviews. In this article, we will provide you with simple best business recommendations on how to get started with your consumer protection program.

Examine your collateral and marketing for consumer transparency

The most frequently cited violations of consumer protections have been unfair, deceptive, or abusive acts or practices (“UDAAP”) due to the lack of transparency of fees, unclear terms and conditions, and misleading statements deemed harmful to consumers. It is important that the consumer understands what the product or service is and the costs and terms of the products or services being purchased. This includes all fees and fee limits, including inactivity, dormancy or service fees. Marketing, Packaging, Terms and Conditions, and overall Website language are places that have high risk of creating confusion for the consumer. These are good places to start your project review. Focus on the wording of your marketing and other collateral: is it in an active voice, using strong verbs and the simplest tense possible? Are explanations in everyday words, rather than excessive acronyms, abbreviations, or multiple negatives? Are several qualifiers used in explanations? If so, see if those explanations may be made more direct. Short, concise sentences are best. Look for consistency in terminology – if a transaction fee is the same as an activity fee, pick one term (this may be guided by regulation), define it, and use it throughout.

When evaluating either new or existing financial services products for consumer transparency, your standard of proof should be low, such as “likelihood” of being misled. A reasonable consumer’s overall or “net” impression counts, and omissions of key facts can lead a consumer to the wrong overall impression.

The format and proximity of material information is very important. Consumer disclosures and other key information, such as product function, terms and conditions, privacy and complaint notices should be in at least 8pt font (your product may need to follow a particular font requirement, per regulation) and whenever possible, clearly described on the first or second page, and linked in multiple places. It is prudent to identify any structural aspects of a product or terms and conditions that a consumer might not understand or would find surprising and add highlights or clarifications as appropriate.

Engage your privacy and data security teams 

With several high-profile data security breaches occurring in 2014, consumer confidence and trust in many financial products has eroded, and spending habits have changed accordingly.

The message is that companies offering financial products and services should look into strengthening their security infrastructure with data loss prevention, network security, encryption, and strong authentication and defensive measures. Other internal best practices include having a detailed data security policy that is communicated through training to employees and 3rd party stakeholders, and assigning controls and control owners to test security measures on a regular basis.

Privacy and transparency are interrelated. Companies must provide users with clear and complete information regarding any collection, use and disclosure of the collected data. Further, internal departments that have access to or may want to use the data must receive training on the limited uses for and protection of the data.

Enhance the consumer experience 

The consumer experience starts with the presentation of a product choice or choices, and the consumer is able to select options in an informed manner. Lack of understanding on the part of the consumer of the risks, costs or conditions of the product or service often leads to complaints.

Once the consumer has signed up for a product or service, it is important that the consumer may access his/her account information easily. The consumer should have ample free access to account information.

A consumer’s experience with a product is directly impacted by the quality of a company’s customer service function. The telephone number(s) for complaints of various types should be displayed in multiple places (e.g. websites, receipts, postings, Terms and Conditions).

Effective and timely resolution of complaints is critical in an environment where consumer protection gets strong attention from state Attorney General’s offices and Federal Agencies. Companies should have policies and procedures that include the following:

  1. A policy statement in support of consumer protection;
  2. An ongoing process of identifying consumer protection laws;
  3. A compliance management system to track the applicable requirements of the laws on a per business or per product basis;
  4. A written process specifically for complaints that raise compliance issues;
  5. A written process for using complaint data to fix practices and take corrective action; and
  6. A records-management process that includes the maintenance of complaint records, litigation, investigation, policies, procedures and reports of complaints resulting in operational changes. Responses and timeframes are tracked.

Consumer protection is more than just providing disclosures. Your consumer protection review can be done in layers. Seek a commitment from senior management and/or the Board of Directors, implement strategic projects such as the ones described above, add in training and ongoing monitoring, and you will be well on your way to having a strong consumer protection compliance program.

Karen Schirmer has 12 years of experience directing Compliance teams, and drafting programs that identify requirements, risks, controls and methods of control validations. During her work as Compliance Director for Western Union, Inc. and Integrated Payments Systems Inc., she conducted independent reviews, and coordinated regulatory examinations. As part of the First Data leadership team for 10 years, she drafted and directed the operations of the 2012-2013 Global Corporate Compliance Program. For more information, please contact Karen at karenschirmer@chartwellcompliance.com.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, her affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication.

April 15, 2015

Five Step Process for Transaction and Continuous Controls Monitoring

Most Chief Compliance Officers (CCOs) and compliance practitioners understand the need for transaction monitoring. Whether it be as a part of your overall monitoring of third parties, employees, or to test the overall effectiveness of internal controls and compliance, transaction monitoring is clearly a part of a best practices compliance program. Further, while most compliance practitioners are aware of the tools which can be applied to transaction monitoring, they may not be as aware of how to actually engage in the process. Put another way, how do you develop a methodology for building a transactional monitoring process that yields sustainable, repeatable results?

I recently put that question to one of the leaders in the field, Joe Oringel, co-founder and principal at Visual Risk IQ. He explained to me that their firm has dissected data analytics and transaction monitoring into a five-step process they call QuickStart, which facilitates applying the process iteratively across a two to four month time frame. These iterations allow for, and reinforce the methodology’s repeated and practical application and reapplication. The five steps are (1) Brainstorm, (2) Acquire and Map Data, (3) Write Queries, (4) Analyze and Report, and (5) Refine and Sustain.

Brainstorm

Under this step, the transactional monitoring specialist, a subject matter expert (SME), such as one on the Foreign Corrupt Practices Act (FCPA) or other anti-corruption law, and the compliance team members sit down and go through a multi-item list to better understand the objectives and set the process going forward. The brainstorming session will include planning the monitoring objectives and understanding the data sources available to the team. Understanding relationships between the monitoring objectives and data sources is essential to the monitoring process. During brainstorming, the company’s risk profile and its existing internal controls should be reviewed and discussed. Finally, there should be a selection of the transaction monitoring queries and a prioritization thereof. This initial meeting should include company representatives from a variety of disciplines, including the compliance, audit, IT, legal and finance departments; sales and business development may also need to be considered for this initial brainstorming session.

While the rest of the steps may seem self-evident in any transaction monitoring process, it is the brainstorming step which sets the Visual Risk IQ approach apart. This is because business knowledge is critical to sustaining and improving the transaction monitoring process. And because the process is iterative, periodic meetings to further understand the business pulse allow the most useful data to be monitored through the system. 

Acquire and Map Data

The second step is to obtain the data. There may be a need to discuss security considerations, whether or how to redact or mask sensitive data, and how to ensure files are viewable only by team members with a “need to know”. Balancing consists of comparing the number of records, checksums, and control totals of the source file (as computed by the file export) with the re-calculated number of records, checksums, and control totals (as computed by a file import utility). Balancing is performed to make sure that no records are dropped or somehow altered, and that the files have integrity. Somewhat related is making sure that the version of the files used is the “right” one. For example, if you are required to obtain year-end data, year-end close could be weeks after the closing entries have actually been recorded, depending on the departments engaged in the year-end processes.
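The balancing check described above can be sketched as follows. This is an added example, not code from the post or from Visual Risk IQ; the CSV layout, the field names, and the idea of carrying the export-side figures in a manifest are assumptions. It shows why all three figures are compared: each one catches a change that another can miss.

```python
import csv
import hashlib
import io
from decimal import Decimal

# Constructed sample export (hypothetical layout; not real payment data).
SOURCE_EXPORT = (
    "payment_id,vendor_id,amount,currency\n"
    "P-1001,V-17,12500.00,USD\n"
    "P-1002,V-03,980.50,USD\n"
    "P-1003,V-17,4300.25,USD\n"
    "P-1004,V-22,50000.00,USD\n"
).encode("utf-8")


def balance_figures(data: bytes, amount_field: str = "amount") -> dict:
    """Compute the three balancing figures for one delimited file."""
    rows = csv.DictReader(io.StringIO(data.decode("utf-8"), newline=""))
    records = 0
    control_total = Decimal("0")  # Decimal avoids float rounding on money
    for row in rows:
        records += 1
        control_total += Decimal(row[amount_field])
    return {
        "records": records,
        "control_total": control_total,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def balance(manifest: dict, imported: bytes) -> list:
    """Return the names of figures that do not match; [] means balanced."""
    recomputed = balance_figures(imported)
    return [
        name
        for name in ("records", "control_total", "sha256")
        if manifest[name] != recomputed[name]
    ]


# Figures the export side would report alongside the file.
MANIFEST = balance_figures(SOURCE_EXPORT)

# Constructed failure cases for the import side.
DROPPED = SOURCE_EXPORT.replace(b"P-1004,V-22,50000.00,USD\n", b"")
ALTERED = SOURCE_EXPORT.replace(b"12500.00", b"15200.00")
# Two amounts changed so that the sum is unchanged: only the checksum sees it.
OFFSETTING = SOURCE_EXPORT.replace(b"12500.00", b"12400.00").replace(
    b"980.50", b"1080.50"
)

if __name__ == "__main__":
    for label, data in (
        ("intact", SOURCE_EXPORT),
        ("dropped record", DROPPED),
        ("altered amount", ALTERED),
        ("offsetting edits", OFFSETTING),
    ):
        print(f"{label}: {balance(MANIFEST, data) or 'balanced'}")
```

A whole-file checksum also changes when a transfer rewrites line endings or encoding, so a checksum-only mismatch should be investigated before the file is rejected as tampered.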

Types of systems of record could include Enterprise Resource Planning (ERP) data from multiple transaction processing systems, including statistics on numbers and locations of vendors, brokers and agents. You may also want to consider watch lists from organizations such as the Office of Foreign Assets Control (OFAC), the Transparency International – Corruption Perceptions Index (TI-CPI), lists of Politically Exposed Persons (PEPs) or other public data source information. Some of the data sources include information from your vendor master file, general ledger journals, payment data from accounts payable, P-cards or your travel and entertainment system(s). You should also consider sales data and contract awards, as the correlation between spending and sales may be significant. Finally, do not forget external data sources such as your third party transactional data. All data should initially be secured and then transmitted to the transaction monitoring tool. Of course you need to take care that your transaction monitoring tool understands and properly maps this data in the form that is submitted.

Write Queries

This is where the FCPA SME brings expertise and competence to assist in designing the specific queries to include in the transaction monitoring process. It could be that you wish to focus on the billing of your third parties; your employee spends on gifts, travel and entertainment or even petty cash outlays. From the initial results that you receive back you can then refine your queries and filter your criteria going forward. Some of the queries could include the following:

  • Business courtesies to foreign officials;
  • Payments to brokers or consultants;
  • Payments to service intermediaries;
  • Payments to vendors in high risk markets;
  • Round dollar disbursements;
  • Political contributions or charitable donations; and
  • Facilitation payments.

Analyze and Report

In this process step, you are now ready to begin substantive review and any needed research of potential exceptions and reporting results. Evaluating the number of potential exceptions and modifying queries to yield a meaningful yet manageable number of potential exceptions going forward is critical to long-term success. You should prioritize your initial results by size, age and source of potential exception. Next you should perform a root cause analysis of what you might have uncovered. Finally at this step you can prioritize the data for further review through a forensic review. An example might be if you look at duplicate payments or vendor to employee conflicts. Through such an analysis you determine if there were incomplete vendor records, whether duplicate payments were made and whether such payments were within your contract’s terms and conditions.

Refine and Sustain

This is the all-important remediation step. You should use your root cause analysis and any audit information to recalibrate your compliance regime as required. At this step you should also apply the lessons you have learned for your next steps going forward. You should refine the process through addition or deletion of input files, changes to thresholds for specific queries, or other query refinements. For example, if you have set your dollar limits so low that too many potential exceptions resulted for a thoughtful review, you might raise your dollar threshold for monitoring. Conversely, if your selected amount was so high that it did not generate sufficient transactions, you could lower your parameter limits. Finally, you can use this step to determine the frequency of your ongoing monitoring.
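The Write Queries, Analyze and Report, and Refine and Sustain steps can be tied together in a short sketch. This is an added example, not the QuickStart implementation; the record layout, the query names, the CPI cutoff, the scores, and the ranking rule (number of queries hit, then amount) are all assumptions. It runs three of the queries listed above over constructed payments, ranks the exceptions, and picks the lowest dollar threshold that keeps the exception count reviewable.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data: placeholder country codes and scores,
# not real Transparency International values, vendors, or payments.
CPI_SCORE = {"AA": 82, "BB": 31, "CC": 45}  # higher = perceived as cleaner


def _pay(pid, vendor, country, invoice, amount):
    return {"id": pid, "vendor": vendor, "country": country,
            "invoice": invoice, "amount": Decimal(amount)}


PAYMENTS = [
    _pay("P-01", "V-17", "BB", "INV-9", "25000.00"),
    _pay("P-02", "V-17", "BB", "INV-9", "25000.00"),  # same invoice twice
    _pay("P-03", "V-03", "AA", "INV-2", "1000.00"),
    _pay("P-04", "V-22", "CC", "INV-5", "7312.40"),
    _pay("P-05", "V-08", "BB", "INV-7", "640.15"),
    _pay("P-06", "V-03", "AA", "INV-3", "5000.00"),
    _pay("P-07", "V-11", "BB", "INV-1", "3000.00"),
]


def round_dollar(payments, min_amount, multiple=Decimal("1000")):
    """Disbursements at or above the threshold that are exact multiples."""
    return [p for p in payments
            if p["amount"] >= min_amount and p["amount"] % multiple == 0]


def high_risk_market(payments, min_amount, cpi_cutoff):
    """Payments at or above the threshold to vendors in low-scoring markets."""
    return [p for p in payments
            if p["amount"] >= min_amount
            and CPI_SCORE[p["country"]] < cpi_cutoff]


def duplicate_payments(payments):
    """Payments sharing vendor, invoice, and amount with another payment."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], p["invoice"], p["amount"])].append(p)
    return [p for group in groups.values() if len(group) > 1 for p in group]


def run_queries(payments, min_amount, cpi_cutoff=40):
    """Run all queries; return exceptions ranked for review."""
    reasons = defaultdict(set)
    results = (
        ("round_dollar", round_dollar(payments, min_amount)),
        ("high_risk_market", high_risk_market(payments, min_amount, cpi_cutoff)),
        ("duplicate_payment", duplicate_payments(payments)),
    )
    for name, hits in results:
        for p in hits:
            reasons[p["id"]].add(name)
    amounts = {p["id"]: p["amount"] for p in payments}
    exceptions = [{"id": pid, "amount": amounts[pid], "reasons": sorted(r)}
                  for pid, r in reasons.items()]
    # Most corroborated first, then largest amount, then id for stability.
    exceptions.sort(key=lambda e: (-len(e["reasons"]), -e["amount"], e["id"]))
    return exceptions


def refine_threshold(payments, candidates, max_exceptions):
    """Lowest candidate threshold whose exception count is reviewable."""
    for threshold in sorted(candidates):
        if len(run_queries(payments, threshold)) <= max_exceptions:
            return threshold
    return None  # no candidate is manageable; revisit the queries instead


if __name__ == "__main__":
    chosen = refine_threshold(PAYMENTS, [500, 2500, 10000], max_exceptions=4)
    print("threshold:", chosen)
    for e in run_queries(PAYMENTS, chosen):
        print(e["id"], e["amount"], ", ".join(e["reasons"]))
```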

Oringel concluded by emphasizing the iterative nature of this process. If you can establish your extraction and mapping rules, using common data models within your organization, you can use them to generate risk and performance checks going forward. Finally, through thoughtful use of transaction monitoring parameters, you can create metrics that you can internally benchmark your compliance regime against over time to show any regulators who might come knocking.

For further information on this process, contact Joe Oringel at Joe.Oringel@VisualRiskIQ.com


April 14, 2015

Lincoln Assassinated and HSBC’s Continued Self-Inflicted Woes

Filed under: Anti-Money Laundering,Compliance,compliance programs,HSBC — tfoxlaw @ 12:01 am

Today is the 150th anniversary of the first successful Presidential assassination attempt. It was on this day in 1865 that John Wilkes Booth shot President Abraham Lincoln at Ford’s Theater in Washington DC. Booth was not a lone gunman but led a group of Confederate sympathizers who attacked or planned to attack leading US government officials. Co-conspirator Lewis T. Powell burst into Secretary of State Seward’s home, repeatedly stabbing him and seriously wounding him and three others, while George A. Atzerodt, assigned to kill Vice President Johnson, lost his nerve and fled.

HSBC continues to stay in the news, unfortunately largely for the wrong reasons in the realm of anti-corruption, facilitating tax evasion and money laundering. In an article in the New York Times (NYT), entitled “HSBC Is Deemed Slow To Carry Out Changes”, reporters Jessica Silver-Greenberg and Ben Protess noted that earlier this month, federal prosecutors made a quarterly court filing as a part of their report on the bank’s Deferred Prosecution Agreement (DPA) “faulting the bank for weaknesses in spotting suspicious transactions and for enabling a corporate culture resistant to change.”

The filing itself was based upon corporate monitor Michael Cherkasky’s “confidential 1000 page report submitted to prosecutors in January. That report, people briefed on the matter said, offered a more scathing assessment of the bank’s progress.” The monitor has been “evaluating HSBC’s global operations for cracks in its money-laundering controls. As such, he has reviewed the bank’s various business lines, including its sprawling operations in China.”

In the technology area, the filing noted the “bank’s technology systems, despite some improvement, still suffer from ‘fragmentation’ and ‘lack of connectivity’ the Justice Department filing said. With its creaky framework, the filing said, ‘the collection and analysis’ of data could suffer.” This lack of technology to both check on customers or potential customers and then review the transactions they might engage in was a prime deficiency noted in the original 2012 enforcement action, where “prosecutors found that HSBC facilitated money laundering on behalf of Mexican drug cartels, allowing at least $881 million in tainted money to course through its United States branches.”

But perhaps the more troubling finding in the prosecutors’ filing was around the culture at the bank. There was no specific criticism of the tone at the top of the bank or of senior management, but rather of the employees’ attitudes towards meeting the obligations under the DPA. The filing said that “Change at the bank was met with resistance”, providing at least one example: “When presented with negative findings from auditors, the filing said, managers at the bank’s United States unit for global banking and markets ‘inappropriately pushed back.’ Ultimately, the resistance caused an internal audit report ‘to be more favorable to the business than it would have been otherwise.’”

Interestingly, HSBC itself pushed back against the government’s filing, at least in the press. The article noted that “In response to the filing, Stuart Levey, the bank’s chief legal officer said, ‘The Justice Department recognized in its letter that HSBC has made material progress toward meeting the most stringent compliance standards imposed to date upon a global financial institution.’” Levey also said that “the bank was continuing to meet all its obligations under the deferred-prosecution-agreement and that its leaders ‘are making progress toward that objective and appreciate the monitor’s ongoing work.’”

Monitor Cherkasky’s report and the Department of Justice (DOJ) filing bring up a couple of interesting points for speculation. The first is the continuing dialogue and debate on the effectiveness of DPAs and whether they actually do achieve their stated goals of changing corporate culture and behavior. The NYT article said that the DOJ filing, which came under the name of the President’s Attorney General-designee, as head of the US Prosecutor’s office, comes “at a time when prosecutors are grappling with repeat offenders on Wall Street”. Moreover, “the filing underscores the Justice Department’s efforts to stem the pattern of corporate recidivism.” Just how hard should the DOJ come down on HSBC? There are other more aggressive steps the DOJ could take, even at this point. These include “extending the five-year deferred-prosecution agreement or singling out culpable employees by name.” Indeed, the article cited a recent speech by the head of the DOJ’s criminal division, Deputy Assistant Attorney General Leslie Caldwell, where she said, “the government has ‘a range of tools’ to deal with corporate recidivism, including extending the term of a deferred-prosecution agreement while prosecutors investigate accusations of new criminal conduct.”

How about tearing up the DPA and simply criminally prosecuting the bank on the facts it admitted to in the DPA? Caldwell also spoke to that possibility when she said in the same speech, “Make no mistake: The criminal division will not hesitate to tear up a D.P.A. or N.P.A and file criminal charges where such action is appropriate and proportional to the breach.” Since parties are required to agree to facts in any DPA or Non-Prosecution Agreement (NPA) it would seem that tearing up those settlement documents and then prosecuting those companies on the underlying facts would be a relatively straightforward matter.

The other party in this debate is the Attorney General-nominee herself. While at this point it is not clear if the GOP majority will ever let her nomination come up for a vote before the full Senate, what if the Senate Judiciary Committee decides to reopen the hearings on this issue and then shoehorn it into the larger ongoing academic and FCPA Inc. debate on DPAs (and NPAs and other settlement tools)? What if the FCPA testified on the “Façade of FCPA Enforcement”? What if Ted Cruz came in to ask why the DOJ is even bothering to prosecute the British banking giant?

At the time of its settlement in 2012, the HSBC fine was the largest for any bank involving money laundering. The monitor’s report and DOJ court filing demonstrate that the settlement is still controversial and the conduct engaged in by the bank many years ago may well continue to resonate up to this day and well into the future.

But the negative news for HSBC did not end with the filing of the DOJ report. As reported in the Financial Times (FT), in an article entitled “French magistrates open formal criminal probe into HSBC”, Emma Dunkley wrote that the parent entity of the bank, HSBC Holdings, “has been placed under criminal investigation by French authorities and made to post €1bn bail over allegations that its Swiss private banking arm helped clients avoid taxes.” This is separate and apart from the investigations into the company’s Swiss banking unit, which has been indicted or is under investigation “over tax evasion allegations in several other countries, including the US, Belgium and Argentina.”

In another article in the NYT, entitled “HSBC Facing Criminal Investigation in French Tax Case”, Chad Bray reported that the bank apologized after released documents “showed that its employees had reassured clients that the lender would not disclose details of their accounts to the tax authorities of their home countries and discussed options to avoid paying taxes on those assets. The bank has acknowledged previous ‘conduct and compliance failures’ in its Swiss business and has said that it has overhauled its private banking business and reduced its client base in Switzerland by 70 percent since its peak.”

The woes of HSBC continue and indeed seem to be increasing. With the fallout from the monitor’s report and other ongoing investigations the bank may be in danger of having its DPA revoked. While HSBC is not the only poster child for Banks Behaving Badly it may find itself as the first bank to have its DPA torn up and either the entity or responsible individuals criminally prosecuted for recidivist behavior.


April 8, 2015

The WPA and More Productive Compliance Meetings

On this day 80 years ago, Congress created the Works Progress Administration (WPA), a central part of President Franklin D. Roosevelt’s New Deal. The WPA was established under the Emergency Relief Appropriation Act, as a means of creating government jobs for some of the nation’s many unemployed. Under the direction of Harry L. Hopkins, the WPA employed approximately 8 million people who worked on 1.4 million public projects before it was disbanded in 1943. Its programs were extremely popular and contributed significantly to Roosevelt’s landslide reelection in 1936.

I have always been amazed at the variety of works that the WPA had a hand in creating, from vast public building projects like the construction of highways, bridges, and dams to the careers of several important American artists, including Jackson Pollock and Willem de Kooning. Many of the most interesting art deco buildings still in use were built during the 1930s through the auspices of the WPA.

While the WPA constructed and led to many good works during its existence, one of the banes of corporate existence is the number of meetings that one must attend. Even worse than the raw number of meetings is the lack of any good that comes out of most meetings. Most meeting organizers have no clue how to run a successful or even useful meeting. I thought about this when I read a recent article in the Houston Business Journal (HBJ), entitled “10 ways to make your next meeting more productive” by Dana Manciagli.

Manciagli began her piece by noting that researchers from the London School of Economics and Harvard University found that business leaders “spend 60% of their time in meetings, and only 15% working alone.” While this statistic alone is troubling enough, when you overlay that with the number of meetings where nothing is accomplished, it is clear to me you have a complete waste of time and resources. I do recognize that some companies have taken accomplishing nothing in meetings as a matter of corporate policy. General Motors (GM) took this to an art form in the well-documented GM Nod, which signified that there was agreement on an issue but that no one would actually do anything about it.

But for those who might want to actually accomplish something in a meeting, Manciagli pointed to Andrea Driessen, whom she described as “chief boredom buster” at Seattle-based No More Bored Meetings. How is that for a moniker and company name? Manciagli related Driessen’s top ten tips for developing, running and ultimately having a successful meeting.

  1. Be a Know-it-all

Manciagli writes that because it is “natural to disengage when meeting content isn’t relevant. The most effective meeting hosts review all potential agenda segments to determine whether they apply to all attendees. If participants already know a particular content slice, then simply don’t cover that segment for the broader audience. Or if you have vastly different levels of awareness in the room, divide people accordingly to ensure maximum relevance for all.” Of course this means you will need to put some thought into your pre-meeting planning.

  2. No Problem? No Meeting!

We have all been subjected to it, the daily, weekly, monthly meeting check-in to see how the project is progressing. But Manciagli believes that “many of these less-than-productive meetings could be canceled or shortened if we identified the problem the meeting is intended to solve. And if we can’t find an identifiable problem, then don’t have the meeting.” Manciagli concludes, “Sometimes, it’s that simple.”

  3. Get Real

This is another pre-meeting planning point. Do you try to squeeze 13 action items for discussion and resolution into a 30-minute meeting? Conversely you do not need to book a 60-minute window to handle a couple of points. If you can handle a matter via email or need to go offline, do so.

  4. Prioritize, Prioritize, Prioritize!

Like its related cousin, Document, Document and Document, this phase should be more than simply a catchword. It should be an action item in your meeting planning process. Tackle your important issues first to “save time and solve your most pressing problem.”

  5. Play “Pass the Pad” To Avoid Late Arrivals

The biggest offender of this rule is, unfortunately, us lawyers. Why? Because we are always (in our eyes) the most important. Yet not being able to start because someone is not present, or having to repeat points, is one of the worst problems there is around efficient meetings. The article notes, “Meeting productivity suffers when people arrive late, and the punctual are penalized.” Her solution is to require the latecomer to take notes in the meeting, writing “People learn quickly that they can either be on time, or become the dreaded note-taker if they are late. As host, you’ll see positive behavior change with little effort on your part.”

  6. Be a Meeting Bouncer

Manciagli tactfully writes about that “common meeting malady: the tangent talker.” I would perhaps less tactfully say there are way too many people who like to hear the sound of their own voices way too much. Manciagli suggests a little humor by “naming a tangent officer who monitors and records tangents for later. Use that parking lot! And you can lighten it up by using a toy police badge.” Nothing like a little corporate shame to keep things moving.

  7. Make it Multi-Sensory

It is not simply millennials who respond to social media. Most people do better when they are visually engaged. Manciagli suggests using more than simply oral presentations and drawing on other tools, including the following: “Graphic illustration, in which someone draws out ideas in real time; Customer testimonials that emotionally inspire; Quizzes and games; Product demos; Surprise guests; Props that foster kinesthetic learning.”

  8. PPPPP

Everyone understands the Five P rule, aka prior planning prevents poor performance. As a meeting host, this means you must absolutely be prepared prior to the meeting. If there are technical issues, you should pass out that information prior to the meeting. Manciagli pointed out that “the more skin we all have in the game, the more likely we are to own and be accountable to group outcomes.”

  9. Hire an “Accountant”

Accountability. How many meetings have you attended where there was no accountability? Manciagli believes “Most meetings lack built-in accountability structures.” She gives the tangible hint to “ask everyone to record at least one goal related to the meeting that they’ll commit to completing in the next week or month, and have them check in with one another. Teams gain measurable accountability, and you get recognized for generating stronger results tied to your meetings.”

  10. Remember: Humor is No Joke

Humor has a big use in meetings, “The power of humor — if used effectively within the meeting mix — is no laughing matter. Indeed, there is a strong business case to be made for laughing while learning.” It can also lower the stress level in meetings, once again if used properly.

I am sure that you have your own horror stories of aimless, wandering meetings that go nowhere painfully slowly. As a Chief Compliance Officer (CCO) or compliance practitioner, one of your most valuable items in a corporation is time. You can set an example about running an efficient and productive meeting and then lead your company down the path laid out in the article. Who knows, the results of what you start in your company may last as long as WPA work.


April 2, 2015

Managing Your Third Parties in a FCPA Compliance Program

The building blocks of any Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program lay the foundations for a best practices compliance program. For instance, in the lifecycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third party management becomes more important. It is also the one where the rubber meets the road of actually doing compliance.

In the March/April issue of Supply Chain Management Review is an article by Mark Trowbridge, entitled “Put it in Writing: Sharpening Contracts Management to Reduce Risk and Boost Supply Chain Performance”, that provides some useful insights into the management of the third party relationship. While the focus of the article was about having a “strategic approach to contracts management” I found the author’s “five ways to start professionalizing your approach to outsourcing contracts” as steps a compliance practitioner can use in the management of third party relationships, both on the sales side and those which come into your company through the Supply Chain.

By taking his analysis into the compliance realm, I believe there are concrete steps you can take going forward. The key is to have a strategic approach to how you structure and manage your third party relationships. This may mean more closely partnering with your third parties to help manage the anti-corruption compliance risk. It would certainly lead towards enabling your company to “control risk while optimizing the performance” of your third parties. To achieve these goals, I have revised Trowbridge’s prescriptions from suppliers to third parties.

I. Consolidate Third Parties but Retain Redundancy

Consolidating your third party relationships on the Supply Chain side to a smaller number of suppliers will “yield better cost leverage.” From the compliance perspective it also should make the entire third party lifecycle easier to manage, particularly steps 1-4. However, a company must not “over-consolidate” by going down to a single source supplier. Trowbridge advocates a diversified supplier base, with a technique he calls “dual-sourcing”. From the compliance perspective, you may want to have a primary and secondary third party that you work with in a service line or geographic area to retain this redundancy.

II. Keep Tabs on Subcontracted Work

This is one area that requires an appropriate level of management. If your direct contracting party has the right or will need to subcontract some work out, you need to have visibility into this from the compliance perspective. You will need to require and monitor that your direct third party relationship has your approved compliance terms and conditions in their contracts with their subcontractors. You will also need to test that proposition. In other words, you must require, trust and then verify.

III. When Disaster Strikes, Make Sure Your Company is Legally Protected Too

This is where your compliance terms and conditions will come into play. One of the things that I advocate is a full indemnity if your third party violates the FCPA and your company is dragged into an investigation because of the third party’s actions. Such an indemnity may not be worth too much but if you do not have one, there will be no chance to recoup any of your legal or investigative costs. Another important clause is that any FCPA violation is a material breach of contract. This means that you can legally, under the terms of the contract, terminate it immediately, with no requirement for notice and cure. Once again you may be somewhat constrained by local laws but if you do not have the clause, you will have to give written notice and an opportunity to cure. This notice and cure process may be too long to satisfy the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) during the pendency of a FCPA investigation. Finally, you need a clause that requires your third party to cooperate in any FCPA investigation. This means cooperation with you and your designated investigation team but it may also mean cooperation with US governmental authorities as well.

You also need the ability to move between third parties if the need arises. This is the redundancy issue raised above. You do not want to be stuck with no approved freight forwarders or other transporters in a certain geographic area. If a compliance related matter occurs, you may well need certain contractual rights to move your work and to require your prime third party to cooperate with the transition to your secondary third party.

IV. Keep Track of Your Third Parties’ Financial Stability

This is one area that is not usually discussed in the compliance arena around third parties but it seems almost self-evident. You can certainly imagine the disruption that could occur if your prime third party supplier in a country or region went bankrupt; but in the compliance realm there is another untoward Red Flag that is raised in such circumstances. Those third parties under financial pressure may be more easily persuaded to engage in bribery and corruption than third parties that stand on a more solid financial footing. You can do this by a simple requirement that your third party provide annual audited financial statements. For a worldwide logistics company, this should be something easily accomplished.

Trowbridge says, “Automated financial tracking tools can also be used to keep track of material changes in a supplier’s financial stability.” You should also use your in-house relationship manager to regularly visit key third party relationships so an on-the-ground assessment can be a part of an ongoing conversation between your company and your third parties.

V. Formalize Incentives for Third Party Performance

One of the key elements for any third party contract under the FCPA or UK Bribery Act is the compensation issue. If the commission rate is too high, it could create a very large pool of money that could be used to pay bribes. It is mandatory that your company link any commission or payment to the performance of the third party. If you have a long-term stable relationship with a third party, you can tie compensation into long-term performance, specifically including long-term compliance performance. This requires the third party to put skin into the compliance game so that they have a vested, financial interest in getting things done in compliance with the FCPA or other anti-corruption compliance regime.

Additionally, as Trowbridge notes, “The fact is, linking contractual compensation to performance does make a significant difference in supplier performance. This is especially valuable when agreed upon key performance indicator (KPI) metrics can be accurately tracked.” This would seem to be low-hanging fruit for the compliance practitioner. If you cannot come up with some type of metric from the compliance perspective, you can work with your business relationship team to develop such compliance KPIs.

While Trowbridge’s article focused on the suppliers, I found his ideas easily transferable to the compliance field. Near the end of the article Trowbridge suggested ranking suppliers based upon a variety of factors including performance, length of relationship, benchmarking metrics and KPIs. This is a way for the compliance practitioner to have an ongoing risk ranking for third parties that can work as a preventative and even proscription prong of a compliance program and allow the delivery of compliance resources to those third parties that might need or even warrant them.

